| Student: | 姚書涵 Yao, Shu-Han |
|---|---|
| Thesis title: | Detection and Handling of Web Attack on Linux Web Server using Signature-based Approach: A Study of Cryptojacking |
| Advisor: | 楊竹星 Yang, Chu-Sing |
| Degree: | Master |
| Department: | Institute of Computer & Communication Engineering, College of Electrical Engineering and Computer Science |
| Publication year: | 2018 |
| Academic year of graduation: | 106 |
| Language: | Chinese |
| Pages: | 64 |
| Chinese keywords: | State Model, Cryptojacking, Log Analysis, Port Monitoring, File Monitoring |
| Foreign-language keywords: | State Model, Cryptojacking, Log Analysis, Port Monitoring, File Monitoring |
| Usage statistics: | Views: 142, Downloads: 1 |
With the spread of computers and the maturing of network technology, people have become inseparably dependent on computers and networks. For most users, the service they encounter most often is the web: shopping and payment, looking up information, watching video, social chat, and so on. Web services therefore carry enormous numbers of users, which makes them one of attackers' favourite targets. Attackers may exploit weaknesses in web application logic, flaws introduced by programmer oversight, or vulnerabilities in the host system's applications. Although such attacks can be caught in their early stages by analysing network behaviour, that approach must accumulate a large amount of data before the relevant behaviour patterns emerge. This creates a need for host-based intrusion detection: by analysing network activity and process activity on the host itself, abnormal behaviour can be identified in a deeper and more fine-grained way, improving overall analysis efficiency.
In view of this, this study designs a dedicated detection and defence system for web-server hosts. Besides monitoring network behaviour through port monitoring, we use a case study of cryptojacking to collect anomaly signatures ourselves and build a state model that identifies and traces the attacker's techniques (including the vulnerabilities exploited) and abnormal activity. In addition, file monitoring lets us locate the source of tampered files, such as web pages injected with malicious code. Through this series of monitoring and analysis mechanisms, our system gives administrators or security staff a clear picture of the threat level the monitored host currently faces and the attack techniques the intruder used, and offers the victim host appropriate recommendations and remediation, making digital forensics more automated.
With the popularity of computers and network technologies, many services now rely on the Internet. For most people, the most frequently used services are web services such as online shopping, online video, social media and search. For this reason, web services are among the targets most often attacked by hackers, who may exploit website vulnerabilities such as misconfigurations, logical design errors, or zero-days. Although these attacks can be detected at an early stage by analysing their behaviour, such methods need to accumulate a large amount of information before relevant behaviour patterns can be found. Therefore there is a need for host-based intrusion detection systems: through network analysis and system-activity analysis on the host, abnormal activities can be examined in more depth.
As a result, this research provides a way to analyse malicious behaviour on web servers using malicious signatures. Malicious behaviours in our detection framework include abnormal port-number changes, malicious attack logs, and abnormal file modifications. We use a cryptojacking scenario to gather malicious signatures and build a state model that identifies and traces hackers' attack strategies, including the vulnerabilities exploited and anomalous activities. Administrators can then clearly see which threat phase the host has reached and take the appropriate recommended remedies, making digital forensics more automated.