Thesis access permission: user-defined release date
Available:
Campus: available for download 2026-12-15
Off-campus: available for download 2026-12-15
Title |
Brute-Force Attack Detection Based on Clustering and Risk Analysis |
||
Department |
|||
Year, semester |
Language |
||
Degree |
Number of pages |
50 |
|
Author |
|||
Advisor |
|||
Convenor |
|||
Advisory Committee |
|||
Date of Exam |
2021-12-07 |
Date of Submission |
2021-12-15 |
Keywords |
Active Directory, Password Guessing Attack, Windows Event Log, Outlier Detection, Risk rule |
||
Statistics |
The thesis/dissertation has been browsed 530 times and downloaded 0 times. |
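Chinese abstract (translated) |
Password guessing attacks are a technique hackers commonly use: the tools are easy to obtain, and no advanced technical skill is needed to carry them out. Such attacks often leave information security devices with a large number of guessing records, and the detection system consequently generates a large number of alerts, but not every alert represents a successful attack. Alerts for attacks that truly succeeded are easily hidden among the large number of alerts for failed attacks, so information security personnel cannot discover them in time, which delays the handling of the attack and leaves the enterprise to bear the risk of follow-on attacks. User accounts have always been a target for hackers, who obtain accounts to gain an entry point into the enterprise network and deploy subsequent attack strategies. This study targets password guessing attacks against user accounts and analyzes the event logs of Active Directory. The event logs contain records of different user behaviors; for the events related to the security of user account passwords, such as logon failures and ticket request failures, a two-stage method is used to find password guessing attack events, which are provided as alerts for handling. The data in this study are unlabeled, and normal events usually far outnumber abnormal ones. The first stage therefore uses outlier detection to find abnormal events: similar events are treated as one cluster, and events far from the clusters are treated as abnormal. The second stage uses risk rules to further divide the abnormal events into different risk levels, so that information security personnel can handle them by priority and reduce the delay. This study analyzes data from a real environment to provide more realistic detection results. The experimental results show that, compared with the number of alerts generated by rules, the alerts are reduced by about 88%; and in terms of model detection performance, CBLOF has an F1-score of 83.35% and the best detection effect. |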
Abstract |
Tools for password guessing attacks are easy to obtain and use, which makes this a common attack technique. The attack creates a large number of records on information security devices, and the detection system generates a large number of alerts. However, not all alerts represent a successful attack. Alerts for successful attacks are easily hidden among the large number of alerts for failed ones, which prevents information security operators from detecting the attack in time and delays the response. As a result, enterprises must bear the risk of subsequent attacks. User accounts have always been a target of hackers: the accounts are used to gain access to the enterprise network and to deploy attack strategies. The objective of this study is to analyze password guessing attacks using the event logs of Active Directory. The event logs contain records of different user behaviors. For events such as login failures and ticket request failures, a two-stage approach is used to identify password guessing attacks and provide alerts for processing. The data in this study are unlabeled, and the number of normal events is larger than the number of abnormal events. Therefore, an outlier detection method is used in the first stage to identify abnormal events: similar events are considered to belong to the same group, and events that are far from the groups are considered abnormal. In the second stage, the abnormal events are further divided into different risk levels by risk rules, so that information security operators can prioritize them and reduce the delay. |
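Table of Contents |
Thesis approval form
Abstract (Chinese)
Abstract
Table of contents
List of figures
List of tables
Chapter 1 Introduction
  1.1 Research background
  1.2 Research motivation
Chapter 2 Literature review
  2.1 Attack detection
  2.2 Windows event logs
  2.3 Password guessing attacks
    2.3.1 Kerberoasting
Chapter 3 Methodology
  3.1 System architecture
  3.2 Data collection module
  3.3 Preprocessing module
  3.4 Abnormal account behavior detection module
  3.5 Result correlation module
Chapter 4 System evaluation
  4.1 Experiment 1: Attack detection performance evaluation
    4.1.1 Selecting the number of clusters
    4.1.2 Attack detection performance evaluation
  4.2 Experiment 2: Performance comparison with existing security systems
    4.2.1 Reducing the alert false positive rate
    4.2.2 Case study analysis
Chapter 5 Conclusion and future work
References |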
Fulltext |
This electronic full text is licensed to users only for personal, non-profit searching, reading and printing for the purpose of academic research. Please comply with the relevant provisions of the Copyright Act of the Republic of China, and do not reproduce, distribute, adapt, repost or broadcast it, to avoid breaking the law. |
Printed copies |
Public information about printed theses is relatively complete from academic year 102 onward. To look up public information about printed theses from academic year 101 or earlier, please contact the printed thesis service desk of the Office of Library and Information Services. We apologize for any inconvenience. Available 2026-12-15 |