密碼猜測攻擊不但工具容易取得，且不需要高深技術能力就能夠實踐，是駭客常用攻擊手法。該攻擊常使資訊安全設備具有大量猜測紀錄，偵測系統也因此產生大量的警訊，但並非所有警訊都代表駭客攻擊的成功。真正攻擊成功警訊容易隱藏在大量攻擊失敗警訊中，令資訊安全人員無法及時發現，延誤處理攻擊時間，導致企業必須承擔後續攻擊的風險。
使用者帳號一直以來都是駭客的目標，透過取得帳號獲得進入企業網路的入口，以佈署後續攻擊策略。本研究目標對使用者帳號密碼猜測攻擊行為，以Active Directory的事件紀錄分析。事件紀錄包含使用者不同行為的紀錄，針對其中與使用者帳號密碼安全有關的登入失敗、票證索取失敗等事件，以兩階段方法找出密碼猜測攻擊事件，做為警訊提供處理。
本研究資料屬於無標籤資料，且通常正常事件數量遠大於異常事件。因此第一階段以離群值偵測方法找出異常事件，將相似的事件視為同一群，遠離群的事件則視為異常。第二階段以風險規則進一步將異常事件分成不同風險等級，使資訊安全人員能優先處理，減少延誤的時間。本研究以真實環境的資料分析，提供更真實的偵測結果。實驗結果證明相比規則產生的警訊數量，提供降低約88%的警訊；且模型偵測效能中CBLOF具有83.35%的F1-score，擁有最佳偵測效果。

Tools of password guessing attack are easy to obtain and use. It is a common attack technique. The attack makes a large number of records on the information security device. And a large number of alerts generated by detection system. However, not all alerts represent the success of hacker attacks. The success alerts are easily hidden in the large number of failure alerts. That prevent information security operator from detecting the attack in time and delay the processing. As a result, enterprises must bear the risk of subsequent attacks.
User accounts have always been the target of hackers. The accounts are used to gain access to the enterprises network and to deploy attack strategies. The objective of this study is to analyze password guessing attack by using the event logs of Active Directory. The event logs contain records of different user behaviors. For incidents such as login failure and ticket request failure, a two-stage approach is used to identify password guessing attack and provide alerts for processing.
The data in this study are unlabeled data, and the number of normal events is larger than the abnormal events. Therefore, the outlier detection method is used in the first stage to identify abnormal events. And similar events are considered as the same group. The events that far from the group are considered as abnormal. In the second stage, the abnormal events are further divided into different risk levels by risk rules, so that information security operator can prioritize and reduce the delay time.

目錄
論文審定書 i
摘要 ii
Abstract iii
目錄 v
圖次 vii
表次 viii
第一章 緒論 1
1.1 研究背景 1
1.2 研究動機 3
第二章 文獻探討 5
2.1 攻擊偵測 5
2.2 Windows事件紀錄檔 8
2.3 密碼猜測攻擊 10
2.3.1 Kerberoasting 11
第三章 研究方法 12
3.1 系統架構 12
3.2 資料蒐集模組 14
3.3 前處理模組 14
3.4 異常帳號行為偵測模組 16
3.5 結果關聯模組 20
第四章 系統評估 21
4.1 實驗一：攻擊偵測效能評估 24
4.1.1 分群群數挑選 25
4.1.2 攻擊偵測效能評估 27
4.2 實驗二：與既有安全系統效能比較 30
4.2.1 降低警訊誤報率 30
4.2.2 案例探討分析 33
第五章 結論與未來展望 37
參考文獻 38

參考文獻
[1] 郭憲誌. "駭客企業化時代來臨！政府、業界該如何協作，打造台灣「資安護國神山」？." 數聯資安. https://www.issdu.com.tw/perspective_detail.php?id=27 (accessed Sep. 4, 2021).
[2] 羅正漢. "【徹底揭露2019年臺灣最大規模病毒攻擊事件】勒索軟體衝擊！全臺醫療院所資安拉警報." https://www.ithome.com.tw/news/134108 (accessed Jun. 18, 2021).
[3] FireEye, "大呼狼來了的資安事件管理(SIEM)," 2019. Accessed: 2021 Sep. 4. [Online]. Available: https://www.fireeye.com/content/dam/fireeye-www/regional/zh_TW/products/pdfs/wp-one-helix-siem-that-cried-wolf-tc.pdf
[4] L. Martin, "Cyber Kill Chain." Accessed: 2021 Sep. 20. [Online]. Available: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
[5] 周峻佑, "中油與台塑遭攻擊事件的受害規模，首度被媒體揭露," May 18, 2020. Accessed: 2021 Aug. 4. [Online]. Available: https://www.ithome.com.tw/news/137685
[6] 黃嵩育, "基於Active Directory事件紀錄偵測系統," 碩士論文, 資訊管理學系, 國立中山大學, 2021.
[7] S. Ramaswamy, R. Rastogi, and K. Shim, "Efficient algorithms for mining outliers from large data sets," in Proceedings of the 2000 ACM SIGMOD international conference on Management of data, 2000, pp. 427-438.
[8] Z. He, X. Xu, and S. Deng, "Discovering cluster-based local outliers," Pattern Recognition Letters, vol. 24, no. 9-10, pp. 1641-1650, 2003.
[9] B. Wang, S. Ying, and Z. Yang, "A Log-Based Anomaly Detection Method with Efficient Neighbor Searching and Automatic K Neighbor Selection," Scientific Programming, vol. 2020, 2020.
[10] H. Benaddi, K. Ibrahimi, and A. Benslimane, "Improving the intrusion detection system for nsl-kdd dataset based on pca-fuzzy clustering-knn," in 2018 6th International Conference on Wireless Networks and Mobile Communications (WINCOM), 2018: IEEE, pp. 1-6.
[11] M. M. Breunig, H.-P. Kriegel, R. T. Ng, and J. Sander, "LOF: identifying density-based local outliers," in Proceedings of the 2000 ACM SIGMOD international conference on Management of data, 2000, pp. 93-104.
[12] B. D. Newton, "Anomaly Detection in Network Traffic Traces Using Latent Dirichlet Allocation," dated Dec, vol. 31, 2012.
[13] D. M. Blei, A. Y. Ng, and M. I. Jordan, "Latent dirichlet allocation," the Journal of machine Learning research, vol. 3, pp. 993-1022, 2003.
[14] M. S. Gill, D. Lindskog, and P. Zavarsky, "Profiling Network Traffic Behavior for the Purpose of Anomaly-Based Intrusion Detection," in 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), 2018: IEEE, pp. 885-890.
[15] R. Perdisci, G. Giacinto, and F. Roli, "Alarm clustering for intrusion detection systems in computer networks," Engineering Applications of Artificial Intelligence, vol. 19, no. 4, pp. 429-438, 2006.
[16] M. Goldstein, S. Asanger, M. Reif, and A. Hutchison, "Enhancing Security Event Management Systems with Unsupervised Anomaly Detection," in ICPRAM, 2013, pp. 530-538.
[17] S. S. Igorevich, "DETECTION OF MALICIOUS ACTIONS OF AN ATTACKER BASED ON EVENT LOGS WHEN INVESTIGATING AN ONGOING CYBER INCIDENT," Инновационные аспекты развития науки и техники, no. 4, pp. 22-28, 2021.
[18] A. S. Onashoga, O. E. Adeleye, O. O. Odewale, and A. A. Babablola, "An Event Management System For Detecting Brute Force Attack," 2018.
[19] M. Vizváry and J. Vykopal, "Flow-based detection of RDP brute-force attacks," in Proceedings of 7th International Conference on Security and Protection of Information, SPI, 2013, vol. 13, pp. 131-138.
[20] S. Asanger and A. Hutchison, "Experiences and challenges in enhancing security information and event management capability using unsupervised anomaly detection," in 2013 international conference on availability, reliability and security, 2013: IEEE, pp. 654-661.
[21] B. C. Neuman and T. Ts'o, "Kerberos: An authentication service for computer networks," IEEE Communications magazine, vol. 32, no. 9, pp. 33-38, 1994.
[22] T. Medin, "Attacking Microsoft Kerberos Kicking the Guard Dog of Hades.," 2014. [Online]. Available: https://www.redsiege.com/wp-content/uploads/2020/08/Kerberoastv4.pdf.
[23] L. Kotlaba, S. Buchovecká, and R. Lórencz, "Active Directory Kerberoasting Attack: Detection using Machine Learning Techniques," in ICISSP, 2021, pp. 376-383.
[24] 許智源, "基於側寫的雲端化異常偵測平台," 碩士論文, 資訊管理學系, 國立中山大學, 2020.
[25] M. J. Turcotte, A. D. Kent, and C. Hash, "Unified host and network data set," in Data Science for Cyber-Security: World Scientific, 2019, pp. 1-22.
[26] S. Muthuraj, M. Sethumadhavan, P. Amritha, and R. Santhya, "Detection and Prevention of Attacks on Active Directory Using SIEM," in International Conference on Information and Communication Technology for Intelligent Systems, 2020: Springer, pp. 533-541.
[27] JPCERT/CC, "Detecting Lateral Movement in APTs "Analysis Approach on Windows Event Logs"," June 17, 2016. Accessed: 2021 Sep. 10. [Online]. Available: https://www.first.org/resources/papers/conf2016/FIRST-2016-105.pdf
[28] "Spotting the Adversary with Windows Event Log Monitoring," Aug. 7 2015.
[29] ADSecurity.org, "Detecting the Elusive Active Directory Threat Hunting," Apr. 4 2017. Accessed: 2021 Sep. 15. [Online]. Available: https://adsecurity.org/wp-content/uploads/2017/04/2017-BSidesCharm-DetectingtheElusive-ActiveDirectoryThreatHunting-Final.pdf
[30] W. Matsuda, M. Fujimoto, and T. Mitsunaga, "Detecting apt attacks against active directory using machine leaning," in 2018 IEEE Conference on Application, Information and Network Security (AINS), 2018: IEEE, pp. 60-65.
[31] M. Fujimoto, W. Matsuda, and T. Mitsunaga, "Detecting Abuse of Domain Administrator Privilege Using Windows Event Log," in 2018 IEEE Conference on Application, Information and Network Security (AINS), 2018: IEEE, pp. 15-20.
[32] P. J. Rousseeuw, "Silhouettes: a graphical aid to the interpretation and validation of cluster analysis," Journal of computational and applied mathematics, vol. 20, pp. 53-65, 1987.
[33] T. Caliński and J. Harabasz, "A dendrite method for cluster analysis," Communications in Statistics-theory and Methods, vol. 3, no. 1, pp. 1-27, 1974.
[34] D. L. Davies and D. W. Bouldin, "A cluster separation measure," IEEE transactions on pattern analysis and machine intelligence, no. 2, pp. 224-227, 1979.
[35] Microsoft. "Tutorial: Compromised credential alerts." Microsoft. https://docs.microsoft.com/en-us/defender-for-identity/compromised-credentials-alerts (accessed Aug. 20, 2021).
[36] M. ATT&CK. "MITER ATT&CK." https://attack.mitre.org/ (accessed Jul. 30, 2021).
[37] Y. Zhao, Z. Nasrullah, and Z. Li, "Pyod: A python toolbox for scalable outlier detection," arXiv preprint arXiv:1901.01588, 2019.
[38] "Word lists." https://www.outpost9.com/files/WordLists.html (accessed Sep. 20, 2021).