Master's/Doctoral Thesis etd-0507121-170029 Details
Title page for etd-0507121-170029
Anomaly Detection System Based on Active Directory Event Logs
Anomaly Detection Based on Active Directory Log Analysis System
Keywords: Active Directory, Privileged Account, Windows Event Log, Clustering, Association Rules
The thesis/dissertation has been browsed 403 times and downloaded 0 times.
To improve the efficiency of event log analysis and reduce the damage caused by security incidents, this study proposes a method for identifying critical alerts and event log records so that security staff can further analyze whether an anomaly exists. The Active Directory server is the primary target of attackers, whose aim is to obtain privileges in order to control the enterprise's internal resources and compromise the entire organization. The method proposed in this study therefore focuses on identifying anomalous events of privileged accounts on the enterprise Active Directory server.
Businesses are facing more challenging security risks than before, as cyberattacks have shifted from random attacks to advanced persistent threats carried out by professional hackers with well-planned and customized attack tactics. To protect against cyberattacks, multiple defense mechanisms have been deployed. The defense sensors and servers generate a massive number of security alerts and event logs, most of which record routine administrative tasks such as data backup or clean-up. However, each alert and log record requires administrators to examine it further to verify whether there is a breach. Such human examination is labor intensive and time consuming, even though in most cases the records are benign. With limited time per day, administrators might not be able to finish inspecting all the alerts produced in a day.
To improve work efficiency and reduce security risk, this study proposes an approach to identifying critical alerts and event logs for administrators to inspect further for signs of compromise. Active Directory is one of the most common targets of adversaries seeking to take over control of the internal network. Therefore, the proposed method focuses on identifying abnormal events of privileged users on Active Directory.
The proposed method adopts an outlier detection approach and consists of two stages: the first stage categorizes the event logs into groups, where a group of event logs corresponds to a routine administrative task; the second stage mines the sequence of events in each group to construct the normal behaviors of the privileged users. This study evaluates the proposed method using a real dataset retrieved from an institute. The experimental results demonstrate that the proposed method efficiently reduces the number of log records, identifies anomalous log records, and can flag attack events in advance, before the defense sensors detect them.
Table of Contents
Thesis Approval Form i
Thesis Publication Authorization ii
Abstract (Chinese) iii
Abstract iv
Table of Contents v
List of Figures vii
List of Tables viii
Chapter 1 Introduction 1
1.1 Research Background 1
1.2 Research Motivation 2
Chapter 2 Literature Review 5
2.1 Anomaly Detection 5
2.3 Windows Event Logs 10
2.4 DBSCAN 12
2.5 Association Rule Analysis 13
Chapter 3 Research Method 15
3.1 System Architecture 16
3.2 Event Log Collection Module 17
3.3 Preprocessing Module 18
3.4 Profiling Module 19
3.4.1 Event Log Clustering 20
3.4.2 Association Rule Analysis 20
3.5 Detection Module 22
Chapter 4 System Evaluation 27
4.1 Experiment 1: Evaluating the Clustering of Scheduled Event Logs 28
4.1.1 Parameter Evaluation Experiment 28
4.1.2 Event Log Clustering Results 29
4.1.3 Comparison of Clustering Results across Algorithms 30
4.2 Experiment 2: Sequential Pattern Matching and Parameter Experiments 32
4.3 Experiment 3: Simulated Attack Event Injection 33
4.4 Experiment 4: Comparison with Outsourced SOC Platform Alerts 35
4.4.1 SOC Platform Comparison 35
4.4.2 Risk Score Evaluation 40
4.4.3 Matching Attack Events against Existing Security Systems 40
4.4.4 Attack Case Analysis 42
4.4.5 High-Risk Alert Case Analysis 45
Chapter 5 Conclusion and Future Work 46
References 47
Appendix A 50


Fulltext
Thesis access permission: user-defined release date
Available:
Campus: available 2026-06-07
Off-campus: available 2026-06-07


Printed copies
Available 2026-06-07
