論文使用權限 Thesis access permission: withheld (public on and off campus after one year)
開放時間 Available:
校內 Campus: 已公開 available
校外 Off-campus: 已公開 available
論文名稱 Title: 以Linux系統為基礎之日誌檔樣式化之研究 A Study of Log Patternization for Linux-based Systems
系所名稱 Department:
畢業學年期 Year, semester:
語文別 Language:
學位類別 Degree:
頁數 Number of pages: 65
研究生 Author:
指導教授 Advisor:
召集委員 Convenor:
口試委員 Advisory Committee:
口試日期 Date of Exam: 2010-04-13
繳交日期 Date of Submission: 2010-06-30
關鍵字 Keywords: 記錄檔分析器、記錄檔樣式化、字串相似度比對 Log analyzer, Log patternization, String Similarity Comparison
統計 Statistics: 本論文已被瀏覽 5884 次,被下載 2533 次 The thesis/dissertation has been browsed 5884 times, has been downloaded 2533 times.
中文摘要 Chinese Abstract
With the rapid development of Internet technology and the widespread use of broadband networks, the network security problems that arise are growing. To cope with these complex problems, system and network administrators, in addition to using network security tools such as firewalls, intrusion detection systems and intrusion prevention systems, must also collect and analyze the log files of the systems themselves. From these logs they can learn about the error messages generated by the system and the abnormal behavior of external connections, and then formulate corresponding defensive security rules in the system protection tools. With current tools that help administrators collect and analyze log files, beyond the default rules, an administrator who wants to tailor other rules to their own system must first spend time reviewing all of the system's log files in detail before the corresponding rules can be defined, and each tool has its own unique way of defining rules. The purpose of this research is to reduce tens of thousands of log records to a small number of valuable patterns through intelligent judgment by the system rather than manual inspection, so that administrators no longer need to define rules themselves. The system built in this study extracts all the patterns in the log files, classifies each pattern as abnormal or normal, and sums the number of records matching each pattern, making them easy for administrators to review. This study adopts the concept of string similarity comparison: each log record is compared for similarity to find all possible patterns, and each pattern is presented as a regular expression, so that administrators can use these log patterns directly in system protection tools. After experimental evaluation, this study can indeed generate all the patterns in the log files through automatic analysis, and these patterns can also be applied in practice to system protection tools.
Abstract
With the rapid development of Internet technology, as well as the extensive use of broadband networks, network security issues are increasing. In order to deal with these complex issues, network administrators adopt firewalls, intrusion detection systems and intrusion prevention systems; in addition, the collection and analysis of logs are also very important. Through log analysis, administrators can understand the error messages generated by the system and the abnormal behavior of external connections, and develop the corresponding security policy for the security tools in use. With current log analyzers, beyond the default rules, administrators have to spend much time reviewing the syslog of their system in detail to set the corresponding rules for their system, and each analyzer has its own unique rule definitions. The purpose of this study is to transform tens of thousands of logs into a small number of valuable patterns, classify these patterns into abnormal ones and normal ones, and sum up the logs corresponding to each listed pattern to assist administrators in their review. In this study, we adopt the concept of string similarity comparison, and perform a similarity comparison for each log to find out all patterns, which are presented as regular expressions. After experimental evaluation, this study can indeed analyze and generate all patterns of logs automatically, and these patterns can be applied to a practical network security tool.
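The abstract describes the method only in outline: compare each log record against the others by string similarity, group similar records, express each group as a regular expression with wildcards where the records differ, count matching records and flag patterns as abnormal or normal. The following Python block is an added illustration of that pipeline written for this page; it is not the thesis author's system and does not reproduce its exact similarity measure, thresholds or classification rules. It assumes syslog-style input, uses difflib's sequence-matcher ratio over whitespace tokens as the similarity measure, a similarity threshold of 0.6, and a small keyword list for the abnormal/normal split; the log lines, hostnames, users and addresses are constructed sample data.

```python
import re
from collections import namedtuple
from difflib import SequenceMatcher

# Constructed sample syslog lines (hosts, users and addresses are made up).
SAMPLE_LOGS = """\
Apr 13 10:01:02 host1 sshd[2341]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2
Apr 13 10:01:05 host1 sshd[2345]: Failed password for invalid user test from 10.0.0.5 port 51240 ssh2
Apr 13 10:01:09 host1 sshd[2350]: Failed password for invalid user oracle from 10.0.0.7 port 51301 ssh2
Apr 13 10:02:00 host1 sshd[2360]: Accepted publickey for alice from 192.168.1.10 port 40000 ssh2
Apr 13 10:02:30 host1 sshd[2370]: Accepted publickey for bob from 192.168.1.11 port 40010 ssh2
Apr 13 10:03:00 host1 cron[2380]: (root) CMD (run-parts /etc/cron.hourly)
Apr 13 10:04:00 host1 cron[2390]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

# Preprocessing: strip "Mon DD HH:MM:SS host", keep the program name and the message.
SYSLOG_PREFIX = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ ([A-Za-z_][\w.-]*)(?:\[\d+\])?: (.*)$"
)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Assumed keyword list for the abnormal/normal split (the thesis' own rules are not on this page).
ABNORMAL_WORDS = ("failed", "invalid", "error", "denied", "refused")

Pattern = namedtuple("Pattern", "regex count abnormal members")


def preprocess(line):
    """Return [program, word, word, ...] for a syslog line, or None if it does not parse."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        return None
    prog, msg = m.groups()
    return [prog] + msg.split()


def similarity(a, b):
    """Token-level string similarity in [0, 1] (difflib ratio over the two token lists)."""
    return SequenceMatcher(None, a, b, autojunk=False).ratio()


def cluster(token_lists, threshold=0.6):
    """Greedy clustering: join the first cluster whose representative is similar enough."""
    clusters = []
    for toks in token_lists:
        for members in clusters:
            rep = members[0]
            # Same token count keeps the column-wise template building below simple.
            if len(rep) == len(toks) and similarity(rep, toks) >= threshold:
                members.append(toks)
                break
        else:
            clusters.append([toks])
    return clusters


def to_regex(members):
    """Build one regular expression: constant columns stay literal, varying ones become wildcards."""
    parts = []
    for column in zip(*members):
        values = set(column)
        if len(values) == 1:
            parts.append(re.escape(column[0]))
        elif all(v.isdigit() for v in values):
            parts.append(r"\d+")
        elif all(IPV4.match(v) for v in values):
            parts.append(r"\d{1,3}(?:\.\d{1,3}){3}")
        else:
            parts.append(r"\S+")
    return "^" + " ".join(parts) + "$"


def patternize(lines, threshold=0.6):
    """Full pipeline: preprocess, cluster by similarity, emit regex + count + abnormal flag."""
    token_lists = [t for t in (preprocess(l) for l in lines) if t]
    result = []
    for members in cluster(token_lists, threshold):
        regex = to_regex(members)
        abnormal = any(w in regex.lower() for w in ABNORMAL_WORDS)
        result.append(Pattern(regex, len(members), abnormal, members))
    return sorted(result, key=lambda p: -p.count)


def all_members_match(pattern):
    """Sanity check: every record that produced a pattern must be matched by it."""
    return all(re.match(pattern.regex, " ".join(m)) for m in pattern.members)


if __name__ == "__main__":
    for p in patternize(SAMPLE_LOGS):
        print(f"{p.count:4d}  {'ABNORMAL' if p.abnormal else 'normal  '}  {p.regex}")
```

On the constructed input the seven records collapse to three patterns: one abnormal pattern covering the three failed logins (users, source addresses and ports generalized to wildcards), and two normal ones for the accepted logins and the cron job. The `all_members_match` check is the property a practitioner should verify before loading generated patterns into a monitoring tool, since a wildcard choice that is too narrow silently drops records.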
目次 Table of Contents
Acknowledgements II
Abstract (Chinese) IV
Abstract V
Table of Contents VI
List of Tables VIII
List of Figures IX
Chapter 1 Introduction 1
  1.1 Research Background 1
  1.2 Research Motivation 5
Chapter 2 Related Work 8
  2.1 Introduction to Log Files 8
    (1) How Log Files Are Generated 8
    (2) Log Message Severity Levels 9
    (3) Importance of Log Files 10
  2.2 Log Analyzers 11
    (1) Colorlogs 11
    (2) Checksyslog 13
    (3) Log_analysis 14
    (4) LogDog 14
    (5) LogSurfer 16
    (6) Tklogger 16
    (7) Xlogmaster 17
    (8) Logwatch 18
    (9) Syslog-ng 19
Chapter 3 System Design 22
  3.1 Log Preprocessing Module 23
  3.2 Similarity Comparison Module 26
  3.3 Pattern Management Module 30
Chapter 4 Experimental Analysis and Results 31
  4.1 Feasibility Analysis of System Generality 31
  4.2 Feasibility Analysis of Environment Generality 38
  4.3 System Testing 46
  4.4 Pattern Usability Analysis 50
Chapter 5 Conclusions 52
  5.1 Research Contributions 52
  5.2 Future Work 52
References 53
參考文獻 References
Bruter, 2008, “Parallel Network Login Brute Forcing Tool”, Available: http://www.darknet.org.uk/2010/05/bruter-v1-0-final-released-parallel-network-login-brute-forcing-tool/
Checksyslog, 2001, Available: http://www.jammed.com/~jwa/hacks/security/checksyslog/checksyslog-doc.html
Colorlogs, 1994, Available: http://www.resentment.org/projects/colorlogs/
CentOS, 2004, Available: http://www.centos.org/
David Carasso, 2007, “Semi-Automatic Discovery of Extraction Patterns for Log Analysis”, Splunk Inc., San Francisco, CA
Debian, 1993, Available: http://www.debian.org/
Fedora, 2003, Available: http://fedoraproject.org/
FreeBSD, 1993, Available: http://www.freebsd.org/
J. Stearley, 2004, “Towards informatic analysis of syslogs”, Proceedings of the 2004 IEEE International Conference on Cluster Computing, pp. 309-318, September 20-23
KrCERT, 2008, “Korea Phishing Activity Trends Report”, technical report, Available: http://www.krcert.or.kr/english_www/inc/download.jsp?filename=0805_KoreaPhishingActivityReport.pdf
Log_analysis, 1999, Available: http://userpages.umbc.edu/~mabzug1///log_analysis.html
LogDog, 2002, Available: http://caspian.dotconf.net/menu/Software/LogDog/
LogSurfer, 2004, Available: http://www.crypt.gen.nz/logsurfer/
Logwatch, 2001, Available: http://www.logwatch.org/index.html
C. Di Martino, D. Cotroneo, Z. Kalbarczyk, and R. K. Iyer, 2008, “A Framework for Assessing the Dependability of Supercomputers via Automatic Log Analysis”, Fast Abstract, Int'l Conference on Dependable Systems and Networks, DSN08
Nawyn, K. E., 2003, “A security analysis of system event logging with syslog”, SANS Institute
OpenBSD, 1996, Available: http://www.openbsd.org/
P. Jackson, 1986, Introduction to Expert Systems, International Computer Science Series, Addison Wesley
Postfix, 1997, Available: http://www.postfix.org/
Perl, 1987, Available: http://www.perl.org/
Qpopper, 1993, Available: http://www.eudora.com/products/unsupported/qpopper/index.html
Symantec, 2010, “Symantec Global Internet Security Threat Report”, technical report, Available: http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xv_04-2010.en-us.pdf
Syslog-ng, 1998, Available: http://www.balabit.com/network-security/syslog-ng/
Shadowserver Foundation, “DDoS Historical”, December 04, 2008, Available: http://www.shadowserver.org/wiki/pmwiki.php/Stats/DDoSHistorical
Sendmail, 1980, Available: http://www.sendmail.org/
S. D. S. Monteiro and R. F. Erbacher, 2008, “Exemplifying attack identification and analysis in a novel forensically viable Syslog model”, in Workshop on Systematic Approaches to Digital Forensic Engineering, (Oakland, CA), pp. 57-68
TkLogger, 2001, Available: http://www2.keck.hawaii.edu/inst/lris/tklogger.html
Tcpdump, 1987, Available: http://www.tcpdump.org/
T. Takada and H. Koide, 2002, “MieLog: A highly interactive visual log browser using information visualization and statistical analysis”, in USENIX LISA'02 Conference Proceedings
Ubuntu, 2004, Available: http://www.ubuntu.com/
Verizon Business, 2009, “2009 Data Breach Investigations Report”, technical report, Available: http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
Xlogmaster, 1996, Available: http://www.gnu.org/software/xlogmaster/
電子全文 Fulltext
This electronic full text is licensed only for users to search, read and print it for personal, non-commercial academic research purposes. Please observe the relevant provisions of the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it without permission, so as not to break the law.
紙本論文 Printed copies
Public-access information for printed theses is relatively complete from academic year 102 onward. To look up public-access information for printed theses from academic year 101 or earlier, please contact the printed-thesis service desk of the Office of Library and Information Services. We apologize for any inconvenience.
開放時間 Available: 已公開 available