| Field | Value |
|---|---|
| Student | Kuo, Cheng-Chung (郭振忠) |
| Thesis title | Multiple Data Source Network Attack Analysis System based on MITRE Framework (基於MITRE Framework之多資料源網路攻擊分析系統) |
| Advisor | Yang, Chu-Sing (楊竹星) |
| Degree | Doctor |
| Department | Institute of Computer & Communication Engineering, College of Electrical Engineering and Computer Science |
| Year of publication | 2021 |
| Graduation academic year | 109 |
| Language | English |
| Pages | 70 |
| Chinese keywords | Network Attack, Correlation Analysis, Machine Learning, Multi-layer Defense |
| English keywords | Network Attack, Event Correlation, Machine Learning, Layered Defense |
With the advancement of Internet technology, modern people depend on the network ever more heavily. While users enjoy the convenience of the network, attackers also use it to commit crimes without leaving a trace. Attack techniques keep evolving, and attackers will use any means to reach their goal: from the well-known WannaCry ransomware of recent years, which encrypted users' data to demand a ransom, down to website compromises that leak personal data, the attack methods are hard to guard against. Today's attacks have moved beyond intrusions that target a single host and have escalated into multi-layer, multi-target attacks, so most network attacks cannot be prevented by a single defense method.
In addition, when describing the same network attack event, vendors often interpret it differently according to their own experience and operating procedures, so no consensus can be reached on the description of that event. MITRE therefore proposed the ATT&CK Framework: by using one framework, vendors have a common language when exchanging or discussing the same attack event, which reduces miscommunication.
This thesis proposes using event correlation analysis to find related attacks, integrate them, and search for potential threats. The study combines the risk assessment systems of network-based intrusion detection (INTH) and host-based intrusion detection (HEAS), and uses the attack matrix provided by MITRE ATT&CK to describe the attacks the system is currently facing. Finally, visualization lets system administrators manage their networks more easily and raises the overall network security capability.
With the advancement of Internet technology, people's dependence on the Internet has grown ever more serious. While users enjoy the convenience of the Internet, attackers also use it to commit crimes without leaving a trace. Attack methods are becoming more and more innovative, and attackers often take unscrupulous actions to achieve their goals, ranging from the well-known WannaCry ransomware, which encrypted users' data, to websites being hacked and their data leaked. The attack methods are unpredictable. The original simple single-target intrusions have been upgraded to multi-layer and multi-target attacks; therefore, most network attacks cannot be prevented with a single defense method. In addition, since various vendors often hold different views when facing a cyber attack, it is hard to reach a consensus on the same event. Therefore, MITRE proposed the ATT&CK Framework, whose shared matrix gives vendors a common language for exchanging and discussing the same attack event.
This thesis proposes an event correlation analysis system that finds related events and looks for potential threats. The proposed system combines the IP risk assessment system of the network-based intelligent network threat hunting (INTH) with the host-based event analysis system (HEAS), and the attack matrix provided by MITRE ATT&CK is used to describe the current attacks on the system. Finally, visualization makes it easier for the network manager to manage the network and enhances the overall network security.