臺灣博碩士論文加值系統 (National Digital Library of Theses and Dissertations in Taiwan)
Author: 洪斌峰
Author (English): Pin-Feng Hung
Title: 基於固定距離投射分群的隱性認證行為偵測憑證型橫向移動
Title (English): Detecting Credential-based Lateral Movement Using Latent User-based Authentication Behavior Modeling Via Fixed-length Projection-based Clustering
Advisor: 李漢銘
Advisor (English): Hahn-Ming Lee
Committee members: 鄭欣明, 毛敬豪, 鄧惟中, 林豐澤
Committee members (English): Hsin-Ming Cheng, Ching-Hao Mao, Wei-Chung Teng, Feng-Tse Lin
Oral defense date: 2018-07-27
Degree: Master's
Institution: 國立臺灣科技大學 (National Taiwan University of Science and Technology)
Department: 資訊工程系 (Department of Computer Science and Information Engineering)
Discipline: Engineering
Field: Electrical and Information Engineering
Document type: Academic thesis
Year of publication: 2018
Academic year of graduation: 106 (ROC calendar)
Language: English
Number of pages: 69
Keywords (Chinese): 憑證型, 橫向移動, 偵測, 認證行為, 投射分群
Keywords (English): credential-based, lateral movement, detecting, authentication behavior, clustering
Chinese abstract (translated): In recent years many different lateral movement detection methods have been proposed, but most are constrained by environmental factors. In our research we focus on detecting credential-based lateral movement with high tolerance to environmental variation.
We propose a detection mechanism for credential-based lateral movement, called DCLM-LABM, which detects malicious logins by modeling latent user authentication behavior. Login-related records are converted into user login events, and latent authentication behavior is then extracted from them with the multidimensional scaling (MDS) algorithm. Through this algorithm, unrelated logins are removed and highly correlated logins are clustered.
Experimental results show that the system filters out most normal logins (98%) while achieving high recall (86%) and a low false positive rate (2.1%). The main contributions of this study are: (1) using only computer logs, which are easier to update and maintain; (2) developing a system with high tolerance to environmental variation; (3) detecting attackers who use stolen credentials.
Abstract: In recent years, many kinds of lateral movement detection have been proposed, but they are limited by the environment they are deployed in. In our study, we focus on detecting credential-based lateral movement with high environmental variation tolerance.
We propose a credential-based lateral movement detection mechanism called DCLM-LABM that detects malicious logins using latent user-based authentication behavior modeling. User-based login events are converted from login-related logs. Latent authentication behavior is extracted from the user-based login events by Multidimensional Scaling (MDS). Through this algorithm, irrelevant logins are removed and correlated logins are clustered.
The experimental results show that our system can filter out most logins (98%) with a high recall rate (86%) and a low false positive rate (2.1%) using latent user-based authentication behavior modeling. The main contributions of the study are as follows: (1) extracting logs only from computers, which are simpler to maintain and update; (2) developing a system with high environmental variation tolerance; (3) detecting attackers who use stolen credentials to roam within a network.
Contents
中文摘要 i
ABSTRACT ii
1 Introduction 1
1.1 Motivation 2
1.2 Challenges and Goals 3
1.3 Contribution 5
1.4 The Outline of Thesis 6
2 Background and Related Work 7
2.1 APT Real Case 7
2.2 Advanced Persistent Threats (APT) 8
2.2.1 Cyber Kill Chain 10
2.3 Lateral Movement 12
2.3.1 Credential-based 13
2.3.2 Share-based 14
2.3.3 Exploitation-based 14
2.3.4 Physical-based 15
2.4 Network Intrusion Detection System 15
2.5 Related Work 16
3 System Description and Architecture 17
3.1 Observation 19
3.2 User-based Login Events Conversion 20
3.3 User-based Login Events Integration 22
3.4 Latent User-based Authentication Behavior Model Construction 25
3.5 Credential-based Lateral Movement Trainer 29
3.6 Discussion 30
3.6.1 Characteristics 30
3.6.2 Limitations 31
4 Experiments and Results 33
4.1 Experiment Design and Dataset 34
4.1.1 Experiment Design 34
4.1.2 Dataset 35
4.2 Evaluation Metrics 36
4.3 Effectiveness Analysis 38
4.3.1 Performance of Latent User-based Authentication Behavior Model Construction 39
4.3.2 Performance of Detector with Different Time Periods 42
4.3.3 Effectiveness of The Baseline Comparison 43
4.4 Discussion 45
4.4.1 Latent User-based Authentication Behavior Model Construction 46
4.4.2 Time Period 47
4.4.3 Case Studies 47
5 Conclusion and Further Work 49
5.1 Conclusion 49
5.2 Further Work 50