

Student: Chun-Hao Lai (賴俊豪)
Title: Using SVM Technique to Detect Unauthorized Use Under Windows Operating Systems
Chinese title: 以支援向量機技術偵測微軟作業系統中非授權使用之研究
Advisor: Yi-Ming Chen (陳奕明)
Oral examination committee:
Degree: Master
Department: College of Management, Department of Information Management
Graduation academic year: 95 (ROC calendar, i.e. the 2006-07 academic year)
Language: Chinese
Pages: 51
Chinese keywords: Support Vector Machine; anomalous user behavior; Microsoft operating system; window title
English keywords: Microsoft Windows OS; anomalous user behavior; Support Vector Machine; window title
Abstract (Chinese, translated):
Security damage from "unauthorized use" is usually discovered only after the fact; for nearly 30% of enterprises it accounts for about half of their financial losses, second only to the damage caused by computer viruses. Because Microsoft operating systems hold the largest market share, this study surveys the literature on anomaly detection for that environment. The survey finds that the data sources those studies use to build a model of normal user behavior share two drawbacks: they are too large, and they contain too much system-level information. This makes analysis inconvenient for security staff and makes it very difficult to build an effective user-behavior model on Microsoft operating systems. Drawing on the concept of the "window title" from related work, this study proposes a data source that is smaller in volume yet still able to distinguish the original user from a non-original user. Finally, the experiments use a Support Vector Machine (a strong classifier) to verify its effectiveness and compare it with other ways of collecting data, showing that security analysts can spend less time and effort building a user model.


Abstract (English):
Security damage from "unauthorized use" is usually discovered only after it has happened, and according to the 2006 CSI/FBI Computer Crime and Security Survey it accounts for about 50% of the financial loss of roughly 30% of respondents. Because of the popularity of the Microsoft Windows operating system, we review recent papers on "anomalous user behavior" in that environment. We then argue that the datasets those papers use to build a normal-user-behavior model are "too large" and "include too much system information", which makes the security analyst's work on Microsoft Windows inconvenient. Drawing on the idea of the "window title", we recommend a different kind of dataset, one that is small yet still distinguishes anomalous user behavior from normal behavior. Finally, we use a Support Vector Machine to verify its effectiveness and report experimental results showing how much the proposed system reduces the dataset.
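The pipeline both abstracts describe, window titles captured as the data source, converted to numbers, and classified by an SVM as "original user" versus "someone else", can be sketched end to end. The block below is an added example written for this page, not code from the thesis. It assumes a capture format the page does not specify (one tab-separated record per foreground-window change: epoch seconds, process name, window title), treats a sliding window of four records as one session, converts tokens to numbers through a vocabulary index built from the training captures, and uses a small hinge-loss SGD trainer in place of LIBSVM so that it runs with the standard library alone. All log records are constructed.

```python
"""Added example (not code from the thesis): turn captured Windows window
titles into per-session feature vectors and train a linear SVM that separates
the machine's usual user from anyone else at the keyboard.

Assumptions not stated on the page: the capture tool writes one record per
foreground-window change as "<epoch seconds>\t<process>\t<window title>";
a session is a sliding window of SESSION_LEN consecutive records; tokens are
converted to numbers through a vocabulary index built from the training
captures; the SVM is a hinge-loss SGD trainer written here (the thesis used
LIBSVM). The log records below are constructed, not real captures.
"""
import random
import re
from collections import Counter

SESSION_LEN = 4

# Constructed sample captures. Both users touch explorer.exe and notepad.exe,
# so the classes are not separated by process name alone.
OWNER_LOG = (
    "1175404800\tWINWORD.EXE\tThesis_Chapter3.doc - Microsoft Word\n"
    "1175404830\tOUTLOOK.EXE\tInbox - Microsoft Outlook\n"
    "1175404860\tEXCEL.EXE\tExperimentResults.xls - Microsoft Excel\n"
    "1175404890\tiexplore.exe\tLIBSVM -- A Library for Support Vector Machines"
    " - Microsoft Internet Explorer\n"
    "1175404920\texplorer.exe\tD:\\thesis\\data\n"
    "1175404950\tWINWORD.EXE\tThesis_Chapter4.doc - Microsoft Word\n"
    "1175404980\tOUTLOOK.EXE\tRE: meeting - Message (HTML)\n"
    "1175405010\tnotepad.exe\treadme.txt - Notepad\n"
)
OTHER_LOG = (
    "1175491200\tcmd.exe\tC:\\WINDOWS\\system32\\cmd.exe\n"
    "1175491230\texplorer.exe\tC:\\Documents and Settings\\owner\\My Documents\n"
    "1175491260\tmmc.exe\tComputer Management\n"
    "1175491290\tregedit.exe\tRegistry Editor\n"
    "1175491320\tcmd.exe\tC:\\WINDOWS\\system32\\cmd.exe - net user\n"
    "1175491350\tnotepad.exe\tpasswords.txt - Notepad\n"
    "1175491380\texplorer.exe\tC:\\WINDOWS\\system32\n"
    "1175491410\tmsconfig.exe\tSystem Configuration Utility\n"
)
# Constructed held-out captures used only for classification, never training.
HELDOUT_OWNER = (
    "1175500000\tWINWORD.EXE\tThesis_Chapter5.doc - Microsoft Word\n"
    "1175500030\tEXCEL.EXE\tSVM_accuracy.xls - Microsoft Excel\n"
    "1175500060\tOUTLOOK.EXE\tSent Items - Microsoft Outlook\n"
    "1175500090\texplorer.exe\tD:\\thesis\n"
)
HELDOUT_OTHER = (
    "1175600000\tcmd.exe\tC:\\WINDOWS\\system32\\cmd.exe - ipconfig\n"
    "1175600030\tregedit.exe\tRegistry Editor\n"
    "1175600060\texplorer.exe\tC:\\Documents and Settings\\owner\\Desktop\n"
    "1175600090\tmmc.exe\tServices\n"
)


def parse_records(log_text):
    """Yield (process, title) pairs; blank or malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        _epoch, proc, title = parts
        yield proc, title


def tokens(proc, title):
    """Lower-case alphanumeric runs of 3+ chars from the title, plus the
    process name in its own namespace so EXCEL.EXE and 'excel' stay distinct."""
    return ["proc:" + proc.lower()] + re.findall(r"[a-z0-9]{3,}", title.lower())


def sessions(records, length=SESSION_LEN):
    """Sliding windows of `length` consecutive records (step 1), one sample each."""
    recs = list(records)
    for start in range(0, len(recs) - length + 1):
        yield recs[start:start + length]


def build_vocab(*session_lists):
    """Token -> column index, assigned in first-seen order over training data."""
    vocab = {}
    for sess_list in session_lists:
        for sess in sess_list:
            for proc, title in sess:
                for tok in tokens(proc, title):
                    vocab.setdefault(tok, len(vocab))
    return vocab


def vectorize(sess, vocab):
    """Sparse L2-normalised token counts for one session; unknown tokens dropped."""
    counts = Counter(t for proc, title in sess for t in tokens(proc, title))
    vec = {vocab[t]: float(c) for t, c in counts.items() if t in vocab}
    norm = sum(v * v for v in vec.values()) ** 0.5
    return {j: v / norm for j, v in vec.items()} if norm else {}


def dot(w, x):
    return sum(w[j] * v for j, v in x.items())


def train_linear_svm(samples, labels, dim, lam=0.001, eta=0.5, epochs=200, seed=7):
    """Primal linear SVM by stochastic subgradient descent on
    lam/2*||w||^2 + mean(max(0, 1 - y*(w.x + b))); labels are +1/-1."""
    rng = random.Random(seed)
    w = [0.0] * dim
    b = 0.0
    order = list(range(len(samples)))
    for _ in range(epochs):
        rng.shuffle(order)
        for i in order:
            x, y = samples[i], labels[i]
            violated = y * (dot(w, x) + b) < 1.0
            w = [wj * (1.0 - eta * lam) for wj in w]  # L2 term as weight decay
            if violated:                              # hinge subgradient step
                for j, v in x.items():
                    w[j] += eta * y * v
                b += eta * y
    return w, b


def train_demo_model():
    """Owner sessions are +1, anyone else is -1. Returns (model, vocab)."""
    owner_sess = list(sessions(parse_records(OWNER_LOG)))
    other_sess = list(sessions(parse_records(OTHER_LOG)))
    vocab = build_vocab(owner_sess, other_sess)
    samples = [vectorize(s, vocab) for s in owner_sess + other_sess]
    labels = [1.0] * len(owner_sess) + [-1.0] * len(other_sess)
    return train_linear_svm(samples, labels, len(vocab)), vocab


def classify_log(model, vocab, log_text):
    """Per-session verdicts for a fresh capture: True means 'looks like the owner'."""
    w, b = model
    return [dot(w, vectorize(s, vocab)) + b > 0.0
            for s in sessions(parse_records(log_text))]


if __name__ == "__main__":
    model, vocab = train_demo_model()
    print("vocabulary size:", len(vocab))
    print("held-out owner  :", classify_log(model, vocab, HELDOUT_OWNER))
    print("held-out other  :", classify_log(model, vocab, HELDOUT_OTHER))
```

Two practical points follow from the data source itself. Window titles are small, which is the thesis's argument, but they leak document names, mail subjects and URLs, so the capture log is sensitive in its own right and should be protected at least as carefully as the system it profiles. And because the profile is learned from titles alone, a session with no recognisable tokens collapses to an empty vector and is decided by the bias term only; a deployment should treat that case as "unknown" rather than as a confident verdict.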

Table of contents:
Abstract (Chinese)
Abstract (English)
Contents
List of Figures
List of Tables
Chapter 1  Introduction
Chapter 2  Related Work
    2.1  Existing literature on unauthorized use applicable to Microsoft operating systems
    2.2  Window titles as a data source
    2.3  Different ways of capturing user behavior
    2.4  Introduction to Support Vector Machines
    2.5  Summary
Chapter 3  System Architecture
    3.1  System design considerations
    3.2  System architecture
    3.3  Capturing user behavior
    3.4  Data preprocessing
    3.5  Use of the Support Vector Machine
Chapter 4  Experiments
    4.1  Experimental design
    4.2  Experiment 1: proportion of training data
    4.3  Experiment 2: different treatments when converting to numbers
    4.4  Experiment 3: the importance of window titles in the SVM
    4.5  Experiment 4: identifying "unauthorized use"
Chapter 5  Discussion
    5.1  Discussion of the experiments
    5.2  Comparison with other collection methods
Chapter 6  Conclusions and Future Work
    6.1  Conclusions
    6.2  Future research directions
References

References:
[1] 王子彥. "A Monitoring-Type Spyware Detection System Based on Data Mining Techniques", master's thesis, Department of Computer Science and Information Engineering, National Taiwan University of Science and Technology, 2005.
[2] 江其峰. "Feature Selection Methods for Support Vector Machines", master's thesis, Department of Mathematics, Tunghai University, 2001.
[3] 李冠儀. "A Windows-Registry-Based Method for Detecting Anomalous User Behavior", master's thesis, Department of Information Management, National Central University, 2006.
[4] 黃建榮. "Image Retrieval by Classifying Variant Features with Support Vector Machines", master's thesis, Department of Information Management, Chaoyang University of Technology, 2004.
[5] 謝佳奮, 陳榮靜. "Using Support Vector Machines to Reduce the False-Positive Rate of Intrusion Detection and Prevention Systems", 16th Information Security Conference, Taiwan, 2006.
[6] A. Garg, S. Vidyaraman, S. Upadhyaya, K. Kwiat. "USim: A User Behavior Simulation Framework for Training and Testing IDSes in GUI Based Systems", Proceedings of the 39th Annual Simulation Symposium, pp. 196-203, 2006.
[7] B. Schölkopf, C. J. C. Burges, A. J. Smola. "Introduction to Support Vector Learning", in Advances in Kernel Methods: Support Vector Learning, MIT Press, Cambridge, MA, 1999.
[8] C. J. C. Burges. "A Tutorial on Support Vector Machines for Pattern Recognition", Data Mining and Knowledge Discovery, vol. 2, no. 2, 1998.
[9] C. Warrender, S. Forrest, B. Pearlmutter. "Detecting Intrusions Using System Calls: Alternative Data Models", Proceedings of the 1999 IEEE Symposium on Security and Privacy, pp. 133-152, Oakland, California, 1999.
[10] C. W. Hsu, C. C. Chang, C. J. Lin. "A Practical Guide to Support Vector Classification", http://www.csie.ntu.edu.tw/~cjlin/papers/guide/guide.pdf.
[11] David M. Hilbert, David F. Redmiles. "Extracting Usability Information from User Interface Events", ACM Computing Surveys, vol. 32, no. 4, pp. 384-421, December 2000.
[12] F. Apap, A. Honig, S. Hershkop, E. Eskin, S. J. Stolfo. "Detecting Malicious Software by Monitoring Anomalous Windows Registry Accesses", Proceedings of the Fifth International Symposium on Recent Advances in Intrusion Detection (RAID), 2002.
[13] Tom Goldring. "User Profiling for Intrusion Detection in Windows NT", Proceedings of the 35th Symposium on the Interface, 2003.
[14] 2006 CSI/FBI Computer Crime and Security Survey, http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf, accessed April 1, 2007.
[15] Capture-BAT, http://www.nz-honeynet.org/cbatabout.html, accessed May 1, 2007.
[16] MSDN, Hooks, http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/windowsuserinterface/windowing/hooks.asp, accessed May 1, 2007.
[17] LIBSVM, http://www.csie.ntu.edu.tw/~cjlin/libsvm/, accessed March 1, 2007.
[18] Process Explorer for Windows v10.21, http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx, accessed March 1, 2007.
[19] Web Browser Forensics, Part 1, http://www.securityfocus.com/infocus/1827, accessed March 1, 2007.
[20] Web Browser Forensics, Part 2, http://www.securityfocus.com/infocus/1832, accessed March 1, 2007.
[21] Karen Renaud, Phil Gray. "Making Sense of Low-Level Usage Data to Understand User Activities", Proceedings of the 2004 Annual Research Conference of the South African Institute of Computer Scientists and Information Technologists on IT Research in Developing Countries (SAICSIT '04), 2004.
[22] Karlton Sequeira, Mohammed Zaki. "ADMIT: Anomaly-Based Data Mining for Intrusions", Proceedings of the Eighth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, 2002.
[23] Nong Ye. "A Markov Chain Model of Temporal Behavior for Anomaly Detection", Proceedings of the 2000 IEEE Systems, Man, and Cybernetics Information Assurance and Security Workshop, pp. 171-174, IEEE Computer Society Press, 2000.
[24] Sang Hyun Oh, Won Suk Lee. "An Anomaly Intrusion Detection Method by Clustering Normal User Behavior", Computers & Security, vol. 22, no. 7, pp. 596-612, 2003.
[25] Shi-Jinn Horng, Ming-Yang Su, Tzu-Yen Wang, Chan-Wei Chen. "Malicious Code Detection Using Smooth Support Vector Machines", 16th Information Security Conference, Taiwan, June 2006.
[26] Terran Lane, Carla E. Brodley. "An Application of Machine Learning to Anomaly Detection", Proceedings of the 20th National Information Systems Security Conference, pp. 366-380, 1997.
[27] Terran Lane, Carla E. Brodley. "Temporal Sequence Learning and Data Reduction for Anomaly Detection", Proceedings of the 5th ACM Conference on Computer and Communications Security, pp. 150-158, ACM Press, New York, NY, 1998.
[28] Weidong Cui, Randy H. Katz, Wai-tian Tan. "BINDER: An Extrusion-based Break-In Detector for Personal Computers", Proceedings of the 2005 USENIX Annual Technical Conference, April 2005.
[29] Weidong Cui, Randy H. Katz, Wai-tian Tan. "Design and Implementation of an Extrusion-based Break-In Detector for Personal Computers", Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC), pp. 361-370, 2005.
