簡易檢索 / 詳目顯示
| 研究生: |
李冠儀 Guan-Yi Li |
|---|---|
| 論文名稱: |
以Windows Registry為基礎之使用者行為異常偵測方法 An Anomaly Detection System of User Behavior based on Windows Registry |
| 指導教授: |
陳奕明
Yi-Ming Chen |
| 口試委員: | |
| 學位類別: |
碩士 Master |
| 系所名稱: |
管理學院 - 資訊管理學系 Department of Information Management |
| 畢業學年度: | 94 |
| 語文別: | 中文 |
| 論文頁數: | 54 |
| 中文關鍵詞: | 使用者行為 、異常偵測 、Windows registry ( 登錄檔 ) 、支援向量機 |
| 外文關鍵詞: | anomaly detection, support vector machine, User behavior, Windows registry |
| 相關次數: | 點閱:10 下載:0 |
| 分享至: |
| 查詢本校圖書館目錄 查詢臺灣博碩士論文知識加值系統 勘誤回報 |
近年來由於電腦使用普及率日漸提升,電腦使用者越能感受到電腦安全的重要性。目前 Windows 系列系統是所有作業系統平台中最普遍被使用的作業系統,也由於它的普遍性,進而引發了許多對於此作業系統的安全疑慮。對於電腦使用者來說,若能了解電腦的正常或異常狀態,將能有效的防範可能存在的惡意行為。因此,為了能有效的判斷使用者的行為是處於正常或異常的狀態,本論文利用Windows Registry ( 登錄檔 ) 與支援向量機 ( Support Vector Machine, SVM ) 分類器來做使用者行為正常或異常的偵測方法。Windows Registry 是建置在 Windows 系列作業系統之中,存放許多用於設置系統、應用程式以及硬體的資訊,是以大部分系統相關活動皆會存取到 Windows Registry。本論文藉由記錄 Windows Registry 的活動,以取得使用者正常行為下的活動資料,再將這些活動資料視為訓練資料,投入 SVM 做正常模型的訓練。藉由載入測試資料與正常模型,加以判別使用者的行為是否有異常狀態產生。此外,我們對於 Windows Registry 與 SVM 的結合做適性的調整,以減少儲存資料的空間,與降低 SVM 所需的訓練時間。我們也成功的根據這些想法,開發出一套使用者行為異常偵測系統,並在最後透過情境模擬實驗,以證明我們的系統能確實的找出異常行為的發生。
As the number of computers is getting higher recently, the importance of computer security is recognized bye more and more computer users. Windows series are the most popular OS in the world, and their popularity triggers lots of security issues. If the user of a computer can understand the state of his/her computer, he/she may detect the malicious behavior and protect his/her computer. Our research takes use of Windows Registry and Support Vector Machine (SVM) to probe the state of a computer in order to determine whether the behavior of user is normal or abnormal.
In Windows series, configuration information is centrally stored in a single database called the registry. We take use of recording Windows Registry activity as training data to establish the normal model, then load this normal model and test data to decide whether the behavior is normal or not. Besides, we make some adjustment to adapt the combination of the Windows Registry and Support Vector Machine to reduce the spaces of data store, and decrease the training time of Support Vector Machine. Eventually, we succeed to develop an anomaly detection system of user behavior according to our considerations. Moreover, we prove the effectiveness of our system through simulating the scenario of general situation.
參考文獻
中文參考文獻
[官炳宏2004] 官炳宏,結合隱藏式馬可夫模型與彩色派翠網以關聯多步驟攻擊警訊
之方法,國立中央大學資訊管理學系碩士論文,6月,2005。
[邱銘彰2004] 邱銘彰,行為分析之惡意程式偵測,大同大學資訊工程研究所碩士論
文,6月,2004。
[何俊德2004] 何俊德,基於影像與文字特徵之網頁內容分類方法之研究,朝陽科技
大學資訊管理研究所碩士論文,6月,2004。
[李勁頤2000] 李勁頤,利用程序追蹤方法關聯分散式入侵偵測系統之入侵警示研
究,國立中央大學資訊管理學系碩士論文,6月,2000。
[程大器2001] 程大器,統計學理論與應用,智勝出版社,2001。
英文參考文獻
[AHHES2002] Frank Apap, Andrew Honig, Shlomo Hershkop, Eleazar Eskin,
Salvatore J. Stolfo. “Detecting Malicious Software by Monitoring Anomalous Windows Registry Accesses.”In Proceedings of the Fifth International Symposium on Recent Advances in Intrusion Detection (RAID-2002). Zurich, 2002.
[CL2001] Chih-Chung Chang and Chih-Jen Lin, LIBSVM : a library for
support vector machines, 2001. Software available at
http://www.csie.ntu.edu.tw/~cjlin/libsvm
[CTTR2003] M.J. Carey, G.D. Tattersall, H. Lloyd-Thomas and M.J. Russell,
“Inferring identity from user behaviour”, Vision, Image and
Signal Processing, IEE Proceedings, 2003.
[DGM1999] Wenliang Du, Praerit Garg, Aditya P. Mathur, “Security
relevancy analysis on the registry of Windows NT 4.0”, Computer
Security Applications Conference, 1999. (ACSAC ''99) Proceedings.
15th Annual,1999.
[GOLDRING2003] Tom Goldring,”User Profiling for Intrusion Detection in
Windows NT”, National Security Agency, 2003.
[KSK2003] K. Heller, K. Svore, A. Keromytis, and S. Stolfo. “One class
support vector machines for detecting anomalous windows registry
accesses.” Proceedings of the Data Mining for Computer Security
Workshop at IEEE ICDM, 2003.
[LS2000] AD. D. Lee and H. S. Seung. “Algorithms for nonnegative matrix
factorization.”, Advances in Neural Information Processing
Systems 13. MIT Press: Cambridge, MA, 2000.
[SAEHHHK2005] Salvatore J. Stolfo, Frank Apap, Eleazar Eskin, Katherine
Heller, Shlomo Hershkop, Andrew Honig, and Krysta Svore, "A comparative Evaluation of Two Algorithms for Windows Registry Anomaly Detection". Journal of Computer Security, 2005
[WFP1999] Christina Warrender, Stephanie Forrest, and Barak Pearlmutter.
“Detecting intrusions using system calls: alternative data
models.” pages 133–145. IEEE Computer Society, 1999.
[WGZ2004] Wei Wang, Xiaohong Guan, Xiangliang Zhang, “Profiling program
and user behaviors for anomaly intrusion detection based on
non-negative matrix factorization”, CDC. 43rd IEEE Conference ,
Decision and Control 2004.
[WWM2004] Yanxin Wang, Johnny Wong, Andrew Miner, “Anomaly intrusion
detection using one class SVM”, In Proceedings from the Fifth
Annual IEEE SMC Information Assurance Workshop, 2004.
相關網站
[SNSI] SysInternals. Regmon for Windows NT/9x. Online publication, 2000.
http://www.sysinternals.com/ntw2k/source/regmon.shtml.
[PIAI] piaip''s Using (lib)SVM Tutorial.
http://ntu.csie.org/~piaip/svm/svm_tutorial.html
[LIBS] LibSVM software:http://www.csie.ntu.edu.tw/~cjlin/libsvm
[WIND] Windows NT Registry:
http://www.microsoft.com/resources/documentation/windowsnt/4/server/proddocs/en-us/concept/xcpaa.mspx?mfr=true
[資策會] 資訊工業策進會: http://www.iii.org.tw/index1.htm
