English  |  正體中文  |  简体中文  |  全文筆數/總筆數 : 80990/80990 (100%)
造訪人次 : 42793305      線上人數 : 1002
RC Version 7.0 © Powered By DSPACE, MIT. Enhanced by NTU Library IR team.
搜尋範圍 查詢小技巧:
  • 您可在西文檢索詞彙前後加上"雙引號",以獲取較精準的檢索結果
  • 若欲以作者姓名搜尋,建議至進階搜尋限定作者欄位,可獲得較完整資料
  • 進階搜尋


    請使用永久網址來引用或連結此文件: http://ir.lib.ncu.edu.tw/handle/987654321/74796


    題名: 非常駐型端點資安檢測系統之研究;The Research of Non-Resident Endpoint Security Detection System
    作者: 林柏宇;Lin, Po-Yu
    貢獻者: 資訊管理學系在職專班
    關鍵詞: 非常駐型;端點檢測;端點日誌分析;端點回應;Non Resident;Endpoint Detection;Endpoint Log Analysis;Endpoint response
    日期: 2017-07-26
    上傳時間: 2017-10-27 14:39:35 (UTC+8)
    出版者: 國立中央大學
    摘要: 近年來針對性惡意程式與入侵攻擊服務模式日趨成熟,攻擊者為達成攻擊目的會透過進階持續威脅(Advanced Persistent Threat , APT)盡一切方法規避組織端點安全軟體,以利長時間潛伏在組織內部進行入侵任務而不被發現最終達到攻擊目的。資安防禦最終的防線是端點,有鑒於此主流端點安全解決方案將以龐大特徵碼資料庫為基礎,搭配機器學習演算法來強化端點異常行為偵測成為主要發展方向。然而上述方案均需安裝常駐型代理程式以達到即時偵測、防禦之目的,但近年資安案例顯示,惡意程式除了能規避組織防毒軟體外,更能進一步置換並控制防毒軟體以達成合法掩飾非法之目的,組織也很難短時間發現異常跡象,此情況顯示常駐型代理程式確實有資安風險,同時端點為因應不同需求也被迫安裝不少代理程式造成效能瓶頸,上述問題導致組織無法完全放心常駐型代理程式的解決方案。然而端點安全檢測又是必要作為,為解決此問題,本研究提出非常駐型端點資安檢測系統(Non-Resident Endpoint Detection and Probe System,簡稱NonR-EDP系統),可降低端點效能影響與避免代理程式遭規避、置換、控制等風險,同時提出在NonR-EDP系統檢測空窗期間,透過Sysmon與微軟原生稽核日誌機制,完整記錄系統活動與偵測日誌是否遭偽造滅跡之方法。經過各種端點日誌滅跡手法測試,NonR-EDP系統能成功偵測出端點日誌是否遭偽造滅跡,也能在確保日誌在未遭偽造滅跡下可成功檢測出端點之異常行為。本研究期望能讓組織在評估端點檢測方案與平衡安全與效能風險問題時在常駐型代理程式之外能有另一種選擇。;In recent years Targeting-Malwares and intrusive attacks were refined as standard modules. The mainstream’s Final-Line of Defense is the endpoint security system. Current solution required a residing-agent to be installed on endpoints for immediate analysis, detection or self-defense. Recent studies reveal that malwares are not only capable to remain undetected by endpoint security system, some of them can even break through its mechanism and replace the agent as their own. Such scenario indicates possible risk of residing-agent might be replaced or controlled by malwares as security issue; another common scenario is that different solutions and its agent were applied on same endpoint for specified purposes respectively, causing performance bottleneck as management issue.
    This research is to use Non-Resident Endpoint Detection and Probe(NonR-EDP) Endpoint Security Detection System, reducing the risks of performance issue and preventing residing-agents being replaced or controlled. This research also develops a procedure that will utilize SYSMON with Microsoft native audit logs mechanism, recording entirely system activities and verify logs’ authenticity between NonR-EDP detecting windows. It has been proven in endpoint log erase tests that NonR-EDP system is capable to detect attack events on endpoint with authentic logs
    顯示於類別:[資訊管理學系碩士在職專班 ] 博碩士論文

    文件中的檔案:

    檔案 描述 大小格式瀏覽次數
    index.html0KbHTML434檢視/開啟


    在NCUIR中所有的資料項目都受到原著作權保護.

    社群 sharing

    ::: Copyright National Central University. | 國立中央大學圖書館版權所有 | 收藏本站 | 設為首頁 | 最佳瀏覽畫面: 1024*768 | 建站日期:8-24-2009 :::
    DSpace Software Copyright © 2002-2004  MIT &  Hewlett-Packard  /   Enhanced by   NTU Library IR team Copyright ©   - 隱私權政策聲明