- 學位論文
以Windows Registry為基礎之使用者行為異常偵測方法
An Anomaly Detection System of User Behavior based on Windows Registry
摘要
近年來由於電腦使用普及率日漸提升,電腦使用者越能感受到電腦安全的重要性。目前 Windows 系列系統是所有作業系統平台中最普遍被使用的作業系統,也由於它的普遍性,進而引發了許多對於此作業系統的安全疑慮。對於電腦使用者來說,若能了解電腦的正常或異常狀態,將能有效的防範可能存在的惡意行為。因此,為了能有效的判斷使用者的行為是處於正常或異常的狀態,本論文利用Windows Registry ( 登錄檔 ) 與支援向量機 ( Support Vector Machine, SVM ) 分類器來做使用者行為正常或異常的偵測方法。Windows Registry 是建置在 Windows 系列作業系統之中,存放許多用於設置系統、應用程式以及硬體的資訊,是以大部分系統相關活動皆會存取到 Windows Registry。本論文藉由記錄 Windows Registry 的活動,以取得使用者正常行為下的活動資料,再將這些活動資料視為訓練資料,投入 SVM 做正常模型的訓練。藉由載入測試資料與正常模型,加以判別使用者的行為是否有異常狀態產生。此外,我們對於 Windows Registry 與 SVM 的結合做適性的調整,以減少儲存資料的空間,與降低 SVM 所需的訓練時間。我們也成功的根據這些想法,開發出一套使用者行為異常偵測系統,並在最後透過情境模擬實驗,以證明我們的系統能確實的找出異常行為的發生。
並列摘要
As the number of computers is getting higher recently, the importance of computer security is recognized bye more and more computer users. Windows series are the most popular OS in the world, and their popularity triggers lots of security issues. If the user of a computer can understand the state of his/her computer, he/she may detect the malicious behavior and protect his/her computer. Our research takes use of Windows Registry and Support Vector Machine (SVM) to probe the state of a computer in order to determine whether the behavior of user is normal or abnormal. In Windows series, configuration information is centrally stored in a single database called the registry. We take use of recording Windows Registry activity as training data to establish the normal model, then load this normal model and test data to decide whether the behavior is normal or not. Besides, we make some adjustment to adapt the combination of the Windows Registry and Support Vector Machine to reduce the spaces of data store, and decrease the training time of Support Vector Machine. Eventually, we succeed to develop an anomaly detection system of user behavior according to our considerations. Moreover, we prove the effectiveness of our system through simulating the scenario of general situation.