NCU Institutional Repository: Item 987654321/98593
    Please use this identifier to cite or link to this item: https://ir.lib.ncu.edu.tw/handle/987654321/98593


    Title: LLM-based Malicious Behavior Detection from Sysmon Event Logs (Chinese title: 結合大型語言模型之 Sysmon 系統事件日誌惡意行為偵測方法)
    Authors: Yang, Dai-Ru (楊代儒)
    Contributors: Department of Computer Science and Information Engineering
    Keywords: event logs and large language models; retrieval-augmented generation; Windows system monitoring tool (Sysmon); system logs llm; large language model event logs; RAG; Windows Sysmon
    Date: 2025-08-19
    Issue Date: 2025-10-17 12:58:28 (UTC+8)
    Publisher: National Central University
    Abstract (translated from the Chinese abstract): This study proposes a malicious-behavior detection system that integrates a large language model (LLM) with process-tree parsing, designed specifically for Windows Sysmon event records. Sysmon logs record rich system-activity information, including process creation and command execution, but their volume and contextual complexity make it difficult for traditional rule-based analysis to cope with new forms of attack. The system combines process-tree reconstruction, semantic vector matching, RAG (retrieval-augmented generation) and language-model reasoning to automatically detect suspicious event sequences and to explain, in natural language, the cause of the anomaly and the recommended countermeasures. To validate system performance, this study compares results with and without RAG and tests three open-source LLMs of different sizes and parameter counts (Mistral-7B, phi-2, TinyLlama-1.1B). Evaluation metrics include Precision, F1-score and false-positive rate; the test data covers open-source attack samples and simulated benign process trees. Experimental results show that RAG raises Precision and F1-score by roughly 14%~17% on average across the three models and lowers the false-positive rate by more than 10%, with the benefit especially pronounced for the lightweight models. These results confirm that the system remains practical and explainable under a range of computing-resource conditions.
    Abstract (English): This thesis presents an LLM-based system for malicious behavior detection from Windows Sysmon event logs. While Sysmon provides rich process-level telemetry, the complexity and context ambiguity of logs hinder traditional rule-based analysis. Our system integrates process tree reconstruction, semantic vector matching, Retrieval-Augmented Generation (RAG), and in-context LLM analysis. It automatically detects suspicious patterns, provides natural-language explanations, and recommends mitigation strategies. To evaluate the system, we conducted experiments comparing scenarios with and without RAG, using three open-source LLMs of different sizes and capacities (Mistral-7B, phi-2, TinyLlama-1.1B). The evaluation metrics included Precision, F1-score, and False Positive Rate, with test data comprising both open-source attack samples and simulated benign process trees. Results show that RAG improves Precision and F1-score by an average of 14%-17% across all models, while reducing false positives by over 10%. The improvement is particularly significant for smaller models, demonstrating that our approach maintains practicality and explainability across diverse computational environments.
    Appears in Collections:[Graduate Institute of Computer Science and Information Engineering] Electronic Thesis & Dissertation