In recent years the pattern of attacks has gradually changed. Unlike the traditional, indiscriminate attacks of the past, most attacks today are aimed at a specific target and are commonly called targeted attacks or Advanced Persistent Threats (APT). The attackers are mostly highly skilled and well-resourced hacker groups that use advanced techniques such as social engineering, customized malware and zero-day exploits as their means of intrusion; their attacks are usually targeted, selecting important units within government or enterprises as the objective. To defend against ever-changing APT techniques, solutions that build a Security Operation Center (SOC) on top of Security Information and Event Management (SIEM) have emerged. Front-end log collectors (agents) normalize the logs produced by security devices of various types, such as firewalls, intrusion detection systems, honeypots, anti-virus software and data leakage prevention systems, and feed them into an analysis platform for correlation analysis, monitoring and real-time alerting. The logs emitted by these security devices can also be mined, deeply analyzed and turned into statistical reports on a big data platform, to uncover latent information security risks. SIEM detects APT attacks by integrating and analyzing the security device logs within an organization; however, the first challenge a SOC faces when processing security records is how to normalize heterogeneous data formats so that the back-end analysis platform can analyze, alert on and report from that information. For this reason, this research develops an Intelligent Parsing System that can quickly generate high-quality regular expressions for different logs. With the system developed in this research, heterogeneous log files can be rapidly integrated into a single SOC system.

Conventionally, cyber attacks had no specific targets. In recent years, however, an increasing portion of attacks aim at specific targets. These emerging attacks are referred to as Targeted Attacks or Advanced Persistent Threats (APT). Such attacks typically aim at government agencies or critical departments in enterprises, and are usually carried out by knowledgeable and resourceful attackers using advanced intrusion methods such as social engineering techniques, customized attack programs, and zero-day attacks. To defend against rapidly changing APT attacks, Security Operation Centers (SOC) based on Security Information and Event Management (SIEM) have been developed. Log collection agents collect and normalize logs from different security devices such as firewalls, IDS, honeypots, anti-virus software, NDLP and so on. SIEM can use these logs to perform correlation analysis in order to monitor and generate real-time warnings. Besides, the log data collected from these security devices is suitable for big data mining and deep analysis for report generation, thereby unveiling potential risks. SIEM can detect APT attacks by integrating and analyzing logs across the organization.
However, one of the most pressing challenges a SOC faces is how to normalize data of heterogeneous formats so that back-end analytic platforms can analyze the information, raise alarms and generate reports accordingly. Therefore, this research develops an intelligent parsing system to generate high-quality normalization expressions for different types of logs. The proposed system can integrate heterogeneous log files into a central SOC system.
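The normalization step the abstract describes, as an added example that is not the paper's Intelligent Parsing System: one regular expression per log source maps two constructed, heterogeneous line formats (a netfilter-style firewall line and an IDS alert line, both invented here) onto a common field schema, reports lines no pattern covers, and then correlates the normalized events by destination host so that the SOC sees sensors agreeing on the same target.

```python
import re
from collections import defaultdict

# Constructed sample lines from two heterogeneous sources (not real device output).
SAMPLE_LOGS = [
    "Mar  3 10:15:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445",
    '2017-10-05T08:30:11Z ids02 ALERT sid=2010937 src=198.51.100.23:4444 dst=192.0.2.10:80 msg="ET SCAN Nmap"',
]

# One anchored regex per source; every pattern yields the same named fields
# (ts, host, action, src_ip, dst_ip, dst_port) so the back end sees one schema.
PATTERNS = {
    "firewall": re.compile(
        r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<action>\w+) "
        r"IN=\S+ SRC=(?P<src_ip>[\d.]+) DST=(?P<dst_ip>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dst_port>\d+)$"
    ),
    "ids": re.compile(
        r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALERT) sid=(?P<sid>\d+) "
        r'src=(?P<src_ip>[\d.]+):(?P<src_port>\d+) dst=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) msg="(?P<msg>[^"]*)"$'
    ),
}


def normalize(line):
    """Return a common-schema dict for the first pattern that fully matches, else None."""
    for source, pattern in PATTERNS.items():
        m = pattern.match(line)
        if m:
            event = {"source": source, "raw": line}
            event.update(m.groupdict())
            event["dst_port"] = int(event["dst_port"])
            return event
    return None  # unparsed: a new format the parser library does not cover yet


def normalize_all(lines):
    """Split lines into normalized events and the leftovers that need a new pattern."""
    parsed = [normalize(line) for line in lines]
    events = [e for e in parsed if e is not None]
    unparsed = [line for line, e in zip(lines, parsed) if e is None]
    return events, unparsed


def correlate_by_dst(events):
    """Map each destination IP to the set of sources that reported it (simple SIEM correlation)."""
    seen = defaultdict(set)
    for e in events:
        seen[e["dst_ip"]].add(e["source"])
    return dict(seen)
```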
Advanced Persistent Threat; Security Information and Event Management; Security Operation Center; APT; SIEM; SOC
Chiung-Ying Huang, Ming-Kung Sun, Chia-Mei Chen, Jhih-Syong Long, Gu-Hsin Lai, "以資訊安全維運中心為基礎之雲端平台事件處理系統" [A SOC-based incident handling system for cloud platforms], Communications of the CCISA, vol. 23, no. 4, pp. 93-113, Oct. 2017.
