Title page for etd-0231117-135151
Title
Detecting Targeted Attacks by Risk Evaluation
Department
Year, semester
Language
Degree
Number of pages
63
Author
Advisor
Convenor
Advisory Committee
Date of Exam
2016-07-18
Date of Submission
2017-04-05
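Keywords
Keywords (translated from the Chinese): intrusion detection system, rough set theory, targeted attack, chi-square test, risk evaluation
Keywords (English): targeted attack, feature reduce, rough set theory, intrusion detection system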
Statistics
The thesis/dissertation has been browsed 5871 times and downloaded 53 times.
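Abstract (translated from the Chinese)
In recent years, the spread of the Internet has made network attacks an increasingly prominent research topic. People's growing dependence on the network only makes it more attractive to attackers. Network attacks have gradually shifted from random attacks to targeted attacks; DDoS attacks, APT attacks, and ransomware attacks are all forms of targeted attack. Attackers spend a long time probing for vulnerable computers, lure their targets through social tools, malicious web pages, C&C connections, and similar means, and then implant malware to intrude into an organization's critical systems, paralyzing services or stealing confidential data.
Whether in daily life, work, or leisure, the network builds and maintains relationships between people and has become an indispensable everyday tool, which has caused network data to grow rapidly. Processing this rapidly growing volume of data quickly is not easy. In detecting network attacks, accurately analyzing anomalous behavior in order to trace an attack is a very challenging task, especially for targeted attacks, which require long-term tracking and observation. To catch targeted attacks in time, one can no longer wait, as earlier related research did, until the attack procedure is complete before deciding whether an attack has taken place. This study emphasizes that attacks no longer follow a fixed pattern. It therefore proposes a risk evaluation method that treats each small sign of an attack as a latent attack score and incrementally computes the risk value of a possible attack, so that attacks are discovered early. Whereas earlier related research defined attack steps as the detection procedure, this study finds that most targeted attacks already show high-risk anomalous behavior before the attack itself is observed; if the attack can be stopped early, the damage it causes can be reduced. The experimental results show that the proposed risk evaluation method can indeed use high risk scores to identify suspicious targeted attacks early, and confirm that some high-risk hosts were indeed later found to show signs of attack.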
Abstract
More recently, targeted attacks have become a major subject of network attack research as network usage has grown. In the past few years, the focus of network attack analysis has shifted from random attacks to targeted attacks such as DDoS, APT, and ransomware. A targeted attack typically probes the vulnerable hosts of a targeted enterprise over a long period, entices users through methods such as social networks, malicious websites, and C&C, and then carries out attack behaviors such as intruding into important systems with malware to paralyze services or steal secret data.
Computers are becoming part of everyday life, so Internet data grows larger day by day, which makes administering such large volumes of data a challenging task. It is becoming more difficult to analyze malicious behavior over a long period. Accordingly, this study combines multiple data sources to assemble a large body of log data and then filters malicious features to recognize the behavior model of attackers targeting vulnerable systems. First, the correct feature sets are extracted by two-stage feature reduction. In the first stage, rough set theory is used to extract the critical characteristics and find the feature sets of targeted attacks. In the second stage, the chi-square test is used to confirm that these feature sets are applicable for judging targeted attacks. Then, the risk value of each stage is calculated to alert the administrator early and to estimate hazardous IP addresses. The experiments show that two-stage feature reduction improves filtering and enhances the detection rate. By accurately measuring risk for enterprise networks, our system allows network defenders to discover the most critical threats and select the most effective countermeasure.
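Table of Contents
Thesis Approval Certificate
Chinese Abstract
Abstract
Chapter 1 Introduction
1.1 Research Motivation
1.2 Research Objectives
Chapter 2 Related Work
2.1 Targeted Attacks
2.2 Rough Set Theory
2.3 Chi-Square Test
2.4 Risk Evaluation
2.5 Attribute Reduction
Chapter 3 Research Method
3.1 Feature Extraction
3.2 Validating the Feature Sets
3.3 Risk Value Calculation
3.4 Total Risk Value
Chapter 4 Experiments and Results
4.1 Experiment 1: Rough Set Theory
4.1.1 Analysis of Experimental Results
4.2 Experiment 2: Chi-Square Test
4.2.1 Analysis of Experimental Results
4.3 Experiment 3: Using Risk Value Calculation as the Basis for the Suspect List
4.3.1 Experiment 3A: Detection Rate of a Single Feature Set
4.3.2 Experiment 3B: Detection Rate of Combined Feature Sets
4.3.3 Experiment 3C: Detection Rate on Test Data
4.4 Experiment 4: Validating New Attacks
4.5 Comparison with an SVM Classifier
Chapter 5 Conclusion
References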
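Fulltext
This electronic full text is licensed to users only for personal, non-profit retrieval, reading, and printing for the purpose of academic research. Please comply with the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost, or broadcast it, to avoid breaking the law.
Thesis access permission: user-defined availability period
Available:
Campus: available
Off-campus: available

Printed copies
Public availability information for printed theses is relatively complete from academic year 102 onward. To look up public availability information for printed theses from academic year 101 or earlier, please contact the printed thesis service desk of the Office of Library and Information Services. We apologize for any inconvenience.
Available: available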
