The security damage caused by "unauthorized use" is usually discovered only after the fact; according to the 2006 CSI/FBI survey it accounted for about half of the financial losses reported by nearly 30% of respondents, second only to the damage caused by computer viruses. Because Microsoft Windows is the operating system with the largest market share, this study surveys the literature on "anomalous behavior detection" on Windows. From that survey we argue that the data sources used to build models of normal user behavior are "too large" and "contain too much system information", which makes analysis inconvenient for security staff and makes it very difficult to build an effective user behavior model on Windows. Drawing on the concept of the "window title" from the related literature, we propose a data source that is "smaller in volume" yet still able to "distinguish the original user from non-original users". Finally, we verify its effectiveness experimentally with a Support Vector Machine (a strong classifier) and compare it against different data collection methods, showing that security analysts can spend less time and effort on building user models.
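As an added illustration, not code from the thesis, the following Python sketch shows the shape of the pipeline the abstract describes: the foreground window titles recorded during a session are tokenized into a bag-of-words feature vector, and a linear SVM separates sessions of the original user from sessions of someone else. The SVM is trained with a plain hinge-loss gradient descent written out here instead of a library, so the block runs offline; the window-title logs, the two user profiles and the function names are constructed sample data and assumptions, not material from the study.

```python
import re
from collections import Counter

# Constructed sample data (not from the thesis): each session is the list of
# foreground window titles seen while the account was in use, labelled +1 for
# the original user and -1 for a different person using the same account.
TRAIN_SESSIONS = [
    (["Inbox - Outlook", "Q3 Budget.xlsx - Excel",
      "Weekly Report.docx - Word", "Inbox - Outlook"], +1),
    (["Weekly Report.docx - Word", "Calendar - Outlook",
      "Q3 Budget.xlsx - Excel"], +1),
    (["Inbox - Outlook", "Teams", "Q3 Budget.xlsx - Excel",
      "Calendar - Outlook"], +1),
    (["Administrator: Command Prompt", "Registry Editor", "Task Manager"], -1),
    (["Control Panel", "Administrator: Command Prompt", "Windows PowerShell",
      "Registry Editor"], -1),
    (["Task Manager", "Services", "Windows PowerShell"], -1),
]


def tokenize(title):
    """Split a window title into lower-case alphanumeric tokens."""
    return [t for t in re.split(r"[^a-z0-9]+", title.lower()) if t]


def featurize(session):
    """Bag-of-words over window titles, normalised so the vector sums to 1.

    Only the titles are used: no process lists, registry or other system
    state, which is the point of the smaller data source in the abstract.
    """
    counts = Counter(tok for title in session for tok in tokenize(title))
    total = sum(counts.values())
    return {tok: c / total for tok, c in counts.items()}


def dot(w, x):
    return sum(w.get(k, 0.0) * v for k, v in x.items())


def train_svm(sessions, lam=0.01, eta=0.5, epochs=300):
    """Linear SVM via deterministic subgradient descent on the hinge loss.

    Minimises lam/2 * |w|^2 + mean(max(0, 1 - y * (w.x + b))).
    """
    w, b = {}, 0.0
    data = [(featurize(s), y) for s, y in sessions]
    n = len(data)
    for _ in range(epochs):
        grad_w = {k: lam * v for k, v in w.items()}  # L2 regulariser
        grad_b = 0.0
        for x, y in data:
            if y * (dot(w, x) + b) < 1:  # margin violated: hinge term active
                for k, v in x.items():
                    grad_w[k] = grad_w.get(k, 0.0) - y * v / n
                grad_b -= y / n
        for k, g in grad_w.items():
            w[k] = w.get(k, 0.0) - eta * g
        b -= eta * grad_b
    return w, b


def score(model, session):
    """Signed distance-like score: positive means 'looks like the original user'."""
    w, b = model
    return dot(w, featurize(session)) + b


def classify(model, session):
    return 1 if score(model, session) >= 0 else -1


def build_model():
    return train_svm(TRAIN_SESSIONS)


if __name__ == "__main__":
    model = build_model()
    # Constructed hold-out sessions: the last one mixes one familiar title
    # with a run of administrative tools the original user never opens.
    for s in (["Inbox - Outlook", "Weekly Report.docx - Word"],
              ["Registry Editor", "Windows PowerShell"],
              ["Inbox - Outlook", "Registry Editor",
               "Administrator: Command Prompt", "Task Manager"]):
        print(f"{classify(model, s):+d}  score={score(model, s):.3f}  {s}")
```

The feature vector deliberately contains nothing but the titles, so an analyst can read a flagged session directly; a real deployment would add a time window and a threshold on the score rather than the plain sign used here.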