In recent years, as artificial intelligence and machine learning technology have matured, more and more cyber attacks have taken this as a direction of development, attempting to turn it into a new means of evading security detection, which has greatly increased the difficulty of information security defense. According to statistics, the amount of data leaked or destroyed in the first half of 2018 increased by 72% compared with the same period in 2017. Surprisingly, however, the number of information security incidents reported in the first half of 2018 was 18% lower than in the same period in 2017. Among these incidents, most cases involved advanced persistent threat (APT) attacks. Such attacks can be defended against by observing log data and analyzing it for abnormal behavior, and using that analysis to detect and identify attack events. This thesis implements an ELK Stack network log system (NetFlow Log) to visually analyze log data and present the characteristics of several kinds of network attack behavior for further analysis by administrators. The thesis imports historical log data and applies Extreme Gradient Boosting (XGBoost) for machine learning and Keras for deep learning to build a model that detects whether a log contains an attack event. The ultimate goal of this thesis is to find, through experiments, the best learning model for this case. The experiments confirm that, in this case, the XGBoost machine learning model reaches an accuracy of 96.01% in judging potential threats and achieves 100% recognition on the all-attack data set, outperforming the RNN and DNN models.

The thesis further combines the experimental results with the network log platform, so that administrators can compare the model's judgments against the ELK Stack network log system for risk assessment. The log data used in this thesis is continuous data; it currently exceeds 2TB and continues to grow.