Exploring Intruder Key Trace based on Complicated System Call Graph by Recursive Dominator Mechanism

Master's === National Taiwan University of Science and Technology === Department of Computer Science and Information Engineering === 107 (ROC academic year, 2018/19) === Existing security equipment detects attacks with host-based intrusion detection systems (HIDS), User and Entity Behavior Analytics (UEBA) and anti-virus software. Unfortunately, this equipment generates huge volumes of logs, and correlating all of t...

Full description

Bibliographic Details
Main Authors: Chi-Yuan Hsieh, 謝奇元
Other Authors: Hahn-Ming Lee
Format: Others
Language:en_US
Published: 2018
Online Access:http://ndltd.ncl.edu.tw/handle/4f28m3
id ndltd-TW-107NTUS5392001
record_format oai_dc
spelling ndltd-TW-107NTUS5392001 2019-05-16T00:59:41Z http://ndltd.ncl.edu.tw/handle/4f28m3 Exploring Intruder Key Trace based on Complicated System Call Graph by Recursive Dominator Mechanism (Chinese title: 透過遞迴支配機制從複雜系統呼叫圖搜尋入侵者關鍵軌跡, "Searching for the intruder's key trace in a complex system call graph through a recursive dominator mechanism") Chi-Yuan Hsieh 謝奇元 Master's, National Taiwan University of Science and Technology, Department of Computer Science and Information Engineering, academic year 107 (2018/19) Hahn-Ming Lee 李漢銘 2018 學位論文 (degree thesis) ; thesis 54 en_US
collection NDLTD
language en_US
format Others
sources NDLTD
description Master's === National Taiwan University of Science and Technology === Department of Computer Science and Information Engineering === 107 (ROC academic year, 2018/19) === Existing security equipment detects attacks with host-based intrusion detection systems (HIDS), User and Entity Behavior Analytics (UEBA) and anti-virus software. Unfortunately, this equipment generates huge volumes of logs, and correlating all of them is a very time-consuming task. In the end only fragments of information are obtained, such as unusual login behaviour, suspicious command-and-control (C&C) servers and malware samples, and these fragments cannot describe the attack scenario. Forensic experts therefore have to investigate the key steps of the intrusion by hand. The purpose of this study is to reduce the cost of that manual investigation. We propose a method that recovers the intruder's key trace by examining dominators in a graph built from system-level logs, and design a recursive dominator mechanism to decide whether each event is related to the attack. The main contributions of the study are: (1) filtering out 98.94% of normal behaviour; (2) recovering the key trace of the attack with a recall of 92.85%; (3) constructing the attack chain from the information fragments.
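The description above rests on one graph idea: an event d dominates an event n when every path from the graph's root to n passes through d, so the dominators of a known indicator (a C&C socket, a dropped file) are exactly the events an analyst cannot leave out of the attack chain. The following Python is an added illustration of that idea, not code from the thesis; the event graph, process names, paths and the address 203.0.113.5 are constructed for the example, and the fixpoint dominator computation and the root-first ordering are my own choices rather than the thesis's recursive mechanism.

```python
"""Added illustration (not the thesis's code): dominators over a small
constructed system-call graph, used to pull an intruder's key trace out of
noisy host logs."""
from collections import deque


def build_graph(edges):
    """Successor and predecessor maps from a list of (cause, effect) edges."""
    succ, pred = {}, {}
    for u, v in edges:
        succ.setdefault(u, []).append(v)
        pred.setdefault(v, []).append(u)
        succ.setdefault(v, [])
        pred.setdefault(u, [])
    return succ, pred


def reachable(succ, root):
    """All nodes with a path from root (unreachable events have no dominators)."""
    seen, queue = set(), deque([root])
    while queue:
        n = queue.popleft()
        if n in seen:
            continue
        seen.add(n)
        queue.extend(succ[n])
    return seen


def dominators(edges, root):
    """Map node -> set of its dominators (itself included).

    Iterative data-flow solution: every node starts with 'all nodes' and the
    sets shrink until a fixpoint.  O(n^2) in the worst case, fine for a graph
    of a few thousand host events.
    """
    succ, pred = build_graph(edges)
    nodes = reachable(succ, root)
    dom = {n: set(nodes) for n in nodes}
    dom[root] = {root}
    changed = True
    while changed:
        changed = False
        for n in nodes:
            if n == root:
                continue
            preds = [p for p in pred[n] if p in nodes]
            new = {n} | set.intersection(*(dom[p] for p in preds))
            if new != dom[n]:
                dom[n] = new
                changed = True
    return dom


def key_trace(edges, root, indicators):
    """Events that every path from root to some indicator must pass through,
    ordered root-first.  Indicators are the fragments an analyst already holds
    (a C&C socket, a dropped file); the trace is the chain behind them."""
    dom = dominators(edges, root)
    trace = set()
    for ind in indicators:
        trace |= dom.get(ind, set())
    # A node's dominator set only grows along a root-to-node path, so its size
    # is a valid depth for ordering the chain root-first.
    return sorted(trace, key=lambda n: (len(dom[n]), n))


def filtered_fraction(edges, root, indicators):
    """Share of reachable events the dominator view lets an analyst set aside."""
    succ, _ = build_graph(edges)
    total = len(reachable(succ, root))
    kept = len(key_trace(edges, root, indicators))
    return (total - kept) / total


# Constructed host-log graph: edges run cause -> effect (parent process -> child,
# process -> file it writes, file -> process that executes it, process -> socket).
# Every name, path and address here is made up for the example.
SAMPLE_EDGES = [
    ("init", "sshd"),
    ("init", "cron"),
    ("sshd", "bash:attacker"),
    ("sshd", "bash:admin"),
    ("bash:attacker", "wget"),
    ("wget", "/tmp/payload"),
    ("/tmp/payload", "payload_proc"),
    ("payload_proc", "socket:203.0.113.5:443"),
    ("bash:admin", "vim"),
    ("vim", "/etc/motd"),
    ("cron", "logrotate"),
    ("logrotate", "/var/log/syslog.1"),
]
# Fragments the analyst starts from: the suspicious C&C socket and the dropped file.
SAMPLE_INDICATORS = ["socket:203.0.113.5:443", "/tmp/payload"]

if __name__ == "__main__":
    for step in key_trace(SAMPLE_EDGES, "init", SAMPLE_INDICATORS):
        print(step)
    print(f"filtered {filtered_fraction(SAMPLE_EDGES, 'init', SAMPLE_INDICATORS):.0%} of events")
```

One caveat worth keeping in mind when reading the recall figure in the abstract: dominance is stricter than ancestry. If an indicator is reachable from the root by two independent paths (say a payload that was both downloaded by the attacker's shell and separately restarted by cron), only the events common to both paths dominate it, and the intermediate steps on each branch drop out of the trace; a plain ancestor walk would keep them but would also keep far more noise.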
author2 Hahn-Ming Lee
author_facet Hahn-Ming Lee
Chi-Yuan Hsieh
謝奇元
author Chi-Yuan Hsieh
謝奇元
spellingShingle Chi-Yuan Hsieh
謝奇元
Exploring Intruder Key Trace based on Complicated System Call Graph by Recursive Dominator Mechanism
author_sort Chi-Yuan Hsieh
title Exploring Intruder Key Trace based on Complicated System Call Graph by Recursive Dominator Mechanism
title_short Exploring Intruder Key Trace based on Complicated System Call Graph by Recursive Dominator Mechanism
title_full Exploring Intruder Key Trace based on Complicated System Call Graph by Recursive Dominator Mechanism
title_fullStr Exploring Intruder Key Trace based on Complicated System Call Graph by Recursive Dominator Mechanism
title_full_unstemmed Exploring Intruder Key Trace based on Complicated System Call Graph by Recursive Dominator Mechanism
title_sort exploring intruder key trace based on complicated system call graph by recursive dominator mechanism
publishDate 2018
url http://ndltd.ncl.edu.tw/handle/4f28m3
work_keys_str_mv AT chiyuanhsieh exploringintruderkeytracebasedoncomplicatedsystemcallgraphbyrecursivedominatormechanism
AT xièqíyuán exploringintruderkeytracebasedoncomplicatedsystemcallgraphbyrecursivedominatormechanism
AT chiyuanhsieh tòuguòdìhuízhīpèijīzhìcóngfùzáxìtǒnghūjiàotúsōuxúnrùqīnzhěguānjiànguǐjī
AT xièqíyuán tòuguòdìhuízhīpèijīzhìcóngfùzáxìtǒnghūjiàotúsōuxúnrùqīnzhěguānjiànguǐjī
_version_ 1719173310600708096