Thesis etd-1115121-162658: record details
Title page for etd-1115121-162658
Brute-Force Attack Detection Based on Clustering and Risk Analysis
Keywords: Active Directory, Password Guessing Attack, Windows Event Log, Outlier Detection, Risk Rule
The thesis/dissertation has been browsed 378 times and downloaded 0 times.
Abstract
Password guessing attack tools are easy to obtain and use, which makes password guessing a common attack technique. The attack leaves a large number of records on information security devices, and the detection system generates a correspondingly large number of alerts. However, not all alerts represent a successful attack: the alerts for successful attempts are easily hidden among the many failure alerts. This prevents the information security operator from detecting the attack in time and delays the response, so the enterprise must bear the risk of subsequent attacks.
User accounts have always been a target of hackers: a compromised account provides an entry point into the enterprise network from which further attack strategies are deployed. The objective of this study is to analyze password guessing attacks using the event logs of Active Directory. The event logs record many different user behaviors; for the events related to account password security, such as login failures and ticket request failures, a two-stage approach is used to identify password guessing attacks and raise alerts for processing.
The data in this study are unlabeled, and normal events far outnumber abnormal ones. Therefore, in the first stage an outlier detection method is used to identify abnormal events: similar events are grouped together, and events far from their group are considered abnormal. In the second stage, the abnormal events are further divided into risk levels by risk rules, so that the information security operator can prioritize them and reduce the delay in handling.
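The two-stage pipeline the abstract describes, as an added, self-contained example written for this page (it is not the thesis's own code). It assumes the standard Windows Security log event IDs 4625 (failed logon), 4771 (Kerberos pre-authentication failure) and 4624 (successful logon), which the page does not name; stage 1 aggregates one activity profile per source host, clusters the profiles with a deterministic k-means, and scores them with a CBLOF-style rule (a profile in a small cluster is scored by its distance to the nearest large cluster, one in a large cluster by its distance to its own centroid); stage 2 assigns risk levels with rules chosen here for illustration (a success following a failure burst ranks highest, then many distinct target accounts). The threshold ratio, the large-cluster fraction and the spray cut-off are assumed parameters, and every event in the sample log is constructed.

```python
"""Two-stage brute-force detection over constructed Windows event log records.

Stage 1: cluster per-source activity profiles and flag profiles far from their
group as outliers (CBLOF-style scoring, He et al. 2003, chosen here as an
illustration of the outlier-detection stage).
Stage 2: apply risk rules to the outliers so an operator can prioritise them.
Event IDs are the standard Windows Security log IDs; the events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since the start of the observation window
    event_id: int  # Windows Security event ID
    source: str    # workstation name or IP the request came from
    account: str   # target account name


FAILURE_IDS = {4625, 4771}   # failed logon, Kerberos pre-auth failure
SUCCESS_ID = 4624            # successful logon

# Constructed sample log: twelve workstations mistype one to three passwords
# and then log in; 10.0.0.9 tries 40 different accounts; 10.0.0.7 makes 60
# attempts on one account and finally succeeds.
SAMPLE_EVENTS = []
for i in range(12):
    SAMPLE_EVENTS += [Event(10 * i + j, 4625, f"ws{i}", f"user{i}") for j in range(1 + i % 3)]
    SAMPLE_EVENTS.append(Event(10 * i + 5, 4624, f"ws{i}", f"user{i}"))
SAMPLE_EVENTS += [Event(100 + i, 4771, "10.0.0.9", f"user{i}") for i in range(40)]
SAMPLE_EVENTS += [Event(200 + i, 4625, "10.0.0.7", "svc_backup") for i in range(60)]
SAMPLE_EVENTS.append(Event(261, 4624, "10.0.0.7", "svc_backup"))


def profiles(events):
    """One profile per source: (failure count, distinct target accounts,
    whether a successful logon followed the last failure)."""
    fails, accounts, successes = defaultdict(list), defaultdict(set), defaultdict(list)
    for e in events:
        if e.event_id in FAILURE_IDS:
            fails[e.source].append(e.ts)
            accounts[e.source].add(e.account)
        elif e.event_id == SUCCESS_ID:
            successes[e.source].append(e.ts)
    out = {}
    for src, ts_list in fails.items():
        last_fail = max(ts_list)
        success_after = any(t > last_fail for t in successes.get(src, []))
        out[src] = (len(ts_list), len(accounts[src]), success_after)
    return out


def log_features(profile):
    """Compress the count features so a 60-attempt burst does not dominate."""
    fail_count, n_accounts, _ = profile
    return (math.log1p(fail_count), math.log1p(n_accounts))


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _mean(points):
    return tuple(sum(p[i] for p in points) / len(points) for i in range(len(points[0])))


def kmeans(points, k=2, max_iter=100):
    """Deterministic k-means: seed with the first point, then repeatedly the
    point farthest from the seeds chosen so far (no random initialisation)."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(_dist(p, c) for c in centroids)))
    labels = [None] * len(points)
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: _dist(p, centroids[j])) for p in points]
        if new_labels == labels:
            break
        labels = new_labels
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:
                centroids[j] = _mean(members)
    return labels, centroids


def stage1_outliers(profs, k=2, large_frac=0.5, threshold_ratio=3.0):
    """Return (outlier sources, score per source). A profile in a large cluster
    is scored by its distance to its own centroid; one in a small cluster by its
    distance to the nearest large centroid. Scores above threshold_ratio times
    the median are outliers (assumed parameters)."""
    sources = list(profs)
    points = [log_features(profs[s]) for s in sources]
    labels, centroids = kmeans(points, k)
    sizes = [labels.count(j) for j in range(k)]
    large = [j for j in range(k) if sizes[j] >= large_frac * len(points)]
    if not large:                       # degenerate split: treat the biggest cluster as normal
        large = [max(range(k), key=sizes.__getitem__)]
    scores = {}
    for src, p, lab in zip(sources, points, labels):
        target = [centroids[lab]] if lab in large else [centroids[j] for j in large]
        scores[src] = min(_dist(p, c) for c in target)
    ordered = sorted(scores.values())
    mid = len(ordered) // 2
    median = ordered[mid] if len(ordered) % 2 else (ordered[mid - 1] + ordered[mid]) / 2
    return {s for s, v in scores.items() if v > threshold_ratio * median}, scores


def stage2_risk(profile, spray_accounts=10):
    """Illustrative risk rules: a success after the failure burst is the case
    the abstract warns is hidden among failure alerts, so it ranks highest."""
    _, n_accounts, success_after = profile
    if success_after:
        return "HIGH"
    if n_accounts >= spray_accounts:    # one source guessing across many accounts
        return "MEDIUM"
    return "LOW"


def detect(events):
    """Full pipeline: profiles -> stage-1 outliers -> stage-2 risk level."""
    profs = profiles(events)
    outliers, _ = stage1_outliers(profs)
    return {src: stage2_risk(profs[src]) for src in outliers}


if __name__ == "__main__":
    for src, level in sorted(detect(SAMPLE_EVENTS).items(), key=lambda kv: kv[1]):
        print(f"{level:6} {src}")
```

On the constructed log, the twelve workstations form the large cluster and are not reported even though each of them also shows a success after a failure; only the two sources that the clustering sets apart reach the risk rules, which is the point of ordering the stages this way.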
Table of Contents
Thesis Approval Form i
Abstract (Chinese) ii
Abstract iii
Table of Contents v
List of Figures vii
List of Tables viii
Chapter 1 Introduction 1
1.1 Research Background 1
1.2 Research Motivation 3
Chapter 2 Literature Review 5
2.1 Attack Detection 5
2.2 Windows Event Log Files 8
2.3 Password Guessing Attacks 10
2.3.1 Kerberoasting 11
Chapter 3 Research Method 12
3.1 System Architecture 12
3.2 Data Collection Module 14
3.3 Preprocessing Module 14
3.4 Abnormal Account Behavior Detection Module 16
3.5 Result Correlation Module 20
Chapter 4 System Evaluation 21
4.1 Experiment 1: Attack Detection Performance Evaluation 24
4.1.1 Selection of the Number of Clusters 25
4.1.2 Attack Detection Performance Evaluation 27
4.2 Experiment 2: Performance Comparison with Existing Security Systems 30
4.2.1 Reducing the Alert False Positive Rate 30
4.2.2 Case Study Analysis 33
Chapter 5 Conclusions and Future Work 37
References 38
Fulltext
Thesis access permission: user-defined release date
Available:
Campus: available from 2026-12-15
Off-campus: available from 2026-12-15

The current date is 2024-04-16
This thesis will be available to you on 2026-12-15.

Printed copies
Available from 2026-12-15
