Theses and dissertations: etd-0713113-145205 record details
Title page for etd-0713113-145205
Persistent Threat Detection Using Hidden Markov Model
Keywords: Intrusion Detection System, Social Engineering, Hidden Markov Model, Advanced Persistent Threat, BotHunter
The thesis/dissertation has been browsed 5828 times, has been downloaded 0 times.
In recent years attack behaviour has visibly shifted from single, isolated attacks to multi-phase attacks, and a newer attack type, the Advanced Persistent Threat (APT), has increasingly become an object of study. Most such attackers possess extensive knowledge of, and rich resources for, their target, typically an important government department or company, and their main objective is to steal sensitive information. Such attacks are usually accompanied by social engineering or zero-day exploits, and the intrusion may persist for several years.
To detect APT, this paper proposes a conceptual framework for observing the stages of an APT and, from these stages, constructs an HMM-based (Hidden Markov Model) detection model. E-mail records collected from an Intrusion Detection System (IDS) are used to improve detection accuracy. The experimental results show that the proposed model can recognize APT and report the suspicious IP addresses to administrators, enabling them to carry out digital security forensics and reduce the chance of data theft. This paper also compares the proposed model with BotHunter to evaluate its accuracy.
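An added illustration of the HMM detection idea the abstract describes (example code written for this page, not the thesis's own model): APT stages are the hidden states, IDS/e-mail alert classes are the observations, and Viterbi decoding per source IP yields the stage path used to report suspicious hosts. The stage names, alert classes, probabilities and sample alerts are all assumed or constructed, since the record does not list the thesis's parameters.

```python
import math
from collections import defaultdict

# Assumed APT stages (hidden states) and assumed IDS/e-mail alert classes
# (observations); the thesis's own are not listed on this record.
STATES = ["benign", "delivery", "c2", "exfil"]
OBS = ["normal", "phish_mail", "beacon", "large_upload"]
START = [0.90, 0.10, 0.00, 0.00]  # initial stage probabilities (assumed)
TRANS = [  # rows: from-stage, cols: to-stage (order as STATES); phases mostly advance
    [0.90, 0.10, 0.00, 0.00],
    [0.20, 0.40, 0.40, 0.00],
    [0.05, 0.05, 0.60, 0.30],
    [0.10, 0.00, 0.40, 0.50],
]
EMIT = [  # rows: stage, cols: alert class (order as OBS)
    [0.94, 0.03, 0.02, 0.01],
    [0.35, 0.60, 0.03, 0.02],
    [0.35, 0.05, 0.55, 0.05],
    [0.25, 0.02, 0.13, 0.60],
]

def _log(p):
    return math.log(p) if p > 0 else float("-inf")

def viterbi(observations):
    """Most likely APT-stage path for one host's alert sequence (Viterbi, log space)."""
    obs, n = [OBS.index(o) for o in observations], len(STATES)
    v = [[_log(START[s]) + _log(EMIT[s][obs[0]]) for s in range(n)]]
    back = [[0] * n]
    for t in range(1, len(obs)):
        # best predecessor for each stage: (score, predecessor index)
        step = [max((v[t - 1][p] + _log(TRANS[p][s]), p) for p in range(n)) for s in range(n)]
        v.append([sc + _log(EMIT[s][obs[t]]) for s, (sc, _) in enumerate(step)])
        back.append([p for _, p in step])
    last = max(range(n), key=lambda s: v[-1][s])
    path = [last]
    for t in range(len(obs) - 1, 0, -1):
        path.append(back[t][path[-1]])
    return v[-1][last], [STATES[s] for s in reversed(path)]

def suspicious_ips(alerts, stage="exfil"):
    """Group alerts by source IP; report hosts whose decoded stage path reaches `stage`."""
    per_ip = defaultdict(list)
    for ip, o in alerts:
        per_ip[ip].append(o)
    paths = {ip: viterbi(seq)[1] for ip, seq in per_ip.items()}
    return {ip: p for ip, p in paths.items() if stage in p}

# Constructed sample IDS/e-mail alert log as (source IP, alert class), time-ordered.
SAMPLE = [("10.0.0.5", "normal"), ("10.0.0.9", "normal"), ("10.0.0.5", "phish_mail"),
          ("10.0.0.9", "normal"), ("10.0.0.5", "beacon"), ("10.0.0.9", "phish_mail"),
          ("10.0.0.5", "beacon"), ("10.0.0.9", "normal"), ("10.0.0.5", "large_upload")]
```

Only 10.0.0.5 is reported: its alerts decode to delivery, command-and-control and then exfiltration, whereas the single phishing alert from 10.0.0.9 is best explained by the benign state throughout.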
Table of Contents
Thesis approval form ii
Acknowledgements iii
Abstract (Chinese) iv
Abstract v
Chapter 1 Introduction 1
Section 1 Research background 1
Section 2 Research motivation 7
Section 3 Research objectives 11
Chapter 2 Literature review 12
Section 1 Advanced Persistent Threat 12
Section 2 Botnet detection 17
Section 3 Intrusion Detection System 20
Section 4 Hidden Markov Model 22
Chapter 3 Research method 26
Section 1 Stages of an Advanced Persistent Threat 27
Section 2 System architecture 31
Section 3 Hidden Markov detection model 35
Chapter 4 System evaluation 39
Section 1 Simulation experiment 41
Section 2 Threshold validation 50
Section 3 System validation 59
Section 4 Comparison with BotHunter 64
Chapter 5 Conclusion and future work 68
References 70
Fulltext
Thesis access permission: user-defined availability
Campus: not available
Off-campus: not available
Printed copies
Availability: not available