隨著網際網路技術的快速發展，以及寬頻網路的大量使用，相對產生的網路安全問題也愈來愈多。為了應付這些錯綜複雜的問題，系統管理者及網管人員除了採用防火牆、入侵偵測系統、入侵防禦系統等網路安全防護工具外，對於系統本身日誌檔的收集與分析也很重要。可以藉此了解系統本身所產生的錯誤訊息以及外部連線的異常行為，以便制定相對應的防禦安全規則於系統防護工具上。目前協助管理者做日誌檔收集與分析的工具，除了預設的規則外，管理者想要為自己的系統量身訂作其他規則時，都要先花費時間詳細檢視完系統所有的日誌檔後，才能訂定相對應的規則，而且每套工具都有其獨特的規則定義方式。本研究的目的在於透過智慧型的系統判斷而非人工檢視，將數萬筆的日誌檔資料簡化成少數有價值的樣式(patterns)，因此管理者不需再去自行定義規則。透過本研究的系統分析出日誌檔中的所有樣式，並將樣式做異常與正常的分類，也將符合個別樣式的記錄次數做加總，方便管理者檢視。本研究採用字串相似度比對的概念，對每筆日誌做相似性的比較，找出各種可能性的樣式，並透過正規表示式呈現每種樣式，讓管理者可以直接採用這些日誌檔樣式於系統防護工具上。經過實驗評估後，本研究的確可以透過自動分析產生日誌檔中所有的樣式，而且這些樣式也能被實際應用至系統防護工具上。

With the rapid development of Internet technology, as well as extensive use of broadband networks, the issues of network security are increasing. In order to deal with these complex issues, network adminstrators adopt firewalls, intrusion detection systems, intrusion prevention systems to prevent them, in addition, the collection and analysis of log are also very important. By the log analysis, administrators can understand the error messages generated by system and the abnormal behavior of external connections, and develop the corresponding security policy on the use of the security tools. The current log analyzer, besides default rules, administrators have to spend much time reviewing the syslog of their system in detail to set the corresponding rules for their system, and each analyzer has its own unique rules of definitions. The purpose of this study is to transform tens of thounds of logs into a small number of valuable patterns, classify these patterns into abnormal ones and normal ones, and sum up the logs corresponding with listed patterns to assist administrator to review. In this study, we adopt the concept of string similarity comparison, and do similarity comparison for each log to find out all patterns which presented by regular expression. After experimental evaluation, this study can indeed analyze and generate all patterns of logs automatically, and these patterns can be applies to a practical tool of network security.

致謝 II
摘要 IV
Abstract V
目錄 VI
表目錄 VIII
圖目錄 IX
第一章 緒論 1
第一節 研究背景 1
第二節 研究動機 5
第二章 相關研究 8
第一節 日誌檔介紹 8
一、 日誌檔產生方式 8
二、 日誌檔記錄訊息等級 9
三、 日誌檔重要性 10
第二節 日誌檔分析器 11
一、 Colorlogs介紹 11
二、 Checksyslog介紹 13
三、 Log_analysis介紹 14
四、 LogDog介紹 14
五、 LogSurfer介紹 16
六、 Tklogger介紹 16
七、 Xlogmaster介紹 17
八、 Logwatch介紹 18
九、 Syslog-ng介紹 19
第三章 系統設計 22
第一節 日誌檔預處理模組 23
第二節 相似度比對模組 26
第三節 樣式管理模組 30
第四章 實驗分析與結果 31
第一節 系統通用可行性分析 31
第二節 環境通用可行性分析 38
第三節 系統測試 46
第四節 樣式可用性分析 50
第五章 結論 52
第一節 研究貢獻 52
第二節 未來發展 52
參考文獻 53

Bruter, 2008, “Paralle Network Login Brute Forcing Tool”, Available: http://www.darknet.org.uk/2010/05/bruter-v1-0-final-released-parallel-network-login-brute-forcing-tool/
Checksyslog, 2001, Available: http://www.jammed.com/~jwa/hacks/security/checksyslog/checksyslog-doc.html
Colorlogs, 1994, Available: http://www.resentment.org/projects/colorlogs/
CentOS, 2004, Available: http://www.centos.org/
David Carasso, 2007, “Semi-Automatic Discovery of Extraction Patterns for Log Analysis”, Splunk Inc. San Francisci, CA
Debian, 1993, Available: http://www.debian.org/
Fedora, 2003, Available: http://fedoraproject.org/
FreeBSD, 1993, Available: http://www.freebsd.org/
J. Stearley, 2004, “Towards informatic analysis of syslogs”, Proceedings of the 2004 IEEE International Conference on Cluster Computing, p.309-318, September 20-23
KrCERT, 2008, “Korea Phishing Activity Trends Report”, technical report, Available: http://www.krcert.or.kr/english_www/inc/download.jsp?filename=0805_KoreaPhishingActivityReport.pdf
Log_analysis, 1999, Available: http://userpages.umbc.edu/~mabzug1///log_analysis.html
LogDog, 2002, Available: http://caspian.dotconf.net/menu/Software/LogDog/
LogSurfer, 2004, Available: http://www.crypt.gen.nz/logsurfer/
Logwatch, 2001, Available: http://www.logwatch.org/index.html
C. Di Martino, D. Cotroneo, Z. Kalbarczyk, and R. K. Iyer, 2008, “A Framework for Assessing the Dependability of Supercomputers via Automatic Log Analysis,” Fast Abstract, Int’l Conference on Dependable Systems and Networks, DSN08
Nawyn, K. E. 2003, “A security analysis of system event logging with syslog”, SANS
Institute
OpenBSD, 1996, Available: http://www.openbsd.org/
P. Jackson, 1986, Introduction to Expert Systems. International Computer Science Series, Addison Wesley
Postfix, 1997, Available: http://www.postfix.org/
Perl, 1987, Available: http://www.perl.org/
Qpopper, 1993, Available: http://www.eudora.com/products/unsupported/qpopper/index.html
Symantec, 2010, “Symantec Global Internet Security Threat Report”, technical report, Available: http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xv_04-2010.en-us.pdf
Syslog-ng, 1998, Available: http://www.balabit.com/network-security/syslog-ng/
Shadowserver Fundation , DDoS Historical, December 04, 2008, from the World Wild Web:http://www.shadowserver.org/wiki/pmwiki.php/Stats/DDoSHistorical
Sendmail, 1980, Available: http://www.sendmail.org/
S. D. S. Monteiro and R. F. Erbacher, 2008, “Exemplifying attack identification and analysis in a novel forensically viable Syslog model,” in Workshop on Systematic Approaches to Digital Forensic Engineering, (Oakland, CA), pp. 57–68
TkLogger, 2001, Available: http://www2.keck.hawaii.edu/inst/lris/tklogger.html
Tcpdump, 1987, Available: http://www.tcpdump.org/
T. Takada and H. Koide, .Mielog, 2002, “A highly interactive visual log browser using information visualization and statistical analysis”, in USENIX LISA'02 Conference Proceedings
Tcpdump, 1987, Available: http://www.tcpdump.org/
Ubuntu, 2004, Available: http://www.ubuntu.com/
Verizon Business, 2009, “2009 Data Breach Investigations Report”, technical report, Avaliable: http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
Xlogmaster, 1996, http://www.gnu.org/software/xlogmaster/