On Construction of a Network Log System with Cyberattack Detection Using XGBoost on ELK Stack

Master's thesis, Tunghai University (東海大學), Department of Computer Science and Information Engineering (資訊工程學系), academic year 107.

Abstract: With the development of artificial intelligence and machine learning technology, more and more cyber attacks are taking this as their direction of development. According to statistics, the amount of data leaked and destroyed in the first half of 2018 increased by 72% compared with the same period in 2017, and most of these incidents involved advanced persistent penetration attacks (APT). Such attacks can be defended against by observing log data and analysing it for abnormal behaviour in order to detect and identify attack events. This thesis implements an ELK Stack network log system (NetFlow logs) to visually analyse log data and present the characteristics of several kinds of network attack behaviour for further analysis by administrators. Historical log data is imported, and models are built with extreme gradient boosting (XGBoost, machine learning) and with Keras (deep learning) to detect whether a log contains an attack event. The ultimate goal of the thesis is to find the best learning model for this case through experiments. The experiments confirm that, in this case, the XGBoost machine learning model achieves an accuracy rate of 96.01% for potential threats and 100% recognition on the full attack data set, which is better than the RNN and DNN models. The experimental results are further combined with the network log platform, so that the administrator can compare the model's judgements against the ELK Stack network log system for risk assessment. The log data used in this thesis is continuous; it currently exceeds 2TB and continues to grow.

Bibliographic Details
Main Authors: LAI, CING-HAN, 賴慶翰
Other Authors: YANG, CHAO-TUNG
Format: Others
Language: en_US
Published: 2019
Online Access: http://ndltd.ncl.edu.tw/handle/y5axr7
Record ID: ndltd-TW-107THU00394020 (record updated 2019-10-23)
Chinese title: 使用 XGBoost 機器學習法進行攻擊檢測與分析並以 ELK Stack 視覺化於網路日誌系統
Author: LAI, CING-HAN (賴慶翰)
Degree: Master's, Tunghai University (東海大學), Department of Computer Science and Information Engineering (資訊工程學系), academic year 107
Advisors: YANG, CHAO-TUNG (楊朝棟), LIU, JUNG-CHUN (劉榮春)
Year: 2019
Type: thesis (學位論文), 75 pages
Collection: NDLTD