臺灣博碩士論文加值系統

摘要 III
ABSTRACT V
致謝 VII
目錄 VIII
圖目錄 XI
表目錄 XIII
第一章 、緒論 1
1.1 研究動機 1
1.2 系統架構與流程 2
1.3 論文架構 3
第二章 、習知相關技術 4
2.1 Honeypot 4
2.2 網頁爬蟲(Web Crawler) 6
2.2.1 網頁客戶端程式(HTTP Client) 7
2.2.2 瀏覽器自動化(Browser Automation) 7
2.3 虛擬化技術(Virtualization) 9
2.4 異常行為辨識(Behaviors Anomaly Detection) 12
2.5 機器學習(Machine Learning) 14
2.6 深度學習(Deep Learning) 15
2.6.1 監督式學習(Supervised Learning) 16
2.6.2 非監督式學習(Unsupervised Learning) 17
2.7 特徵選擇(Feature Selection) 17
2.8 機器學習開源軟體 18
2.9 循環類神經網路(Recurrent Neural Network, RNN) 20
2.10 長短期記憶網路(Long Short-Term Memory, LSTM) 21
2.11 卷積類神經網路(Convolutional Neural Network, CNN) 24
2.12 貝氏分類器(Bayes Classifier) 28
2.13 支持向量機(Support Vector Machine, SVM) 29
2.14 激勵函數(Activation Function) 31
第三章 、相關文獻探討 35
3.1 Honeypot特性與應用相關文獻 35
3.1.1網路資訊安全工具比較 35
3.1.2 Web Application Honeypot 39
3.2 應用層攻擊辨識相關文獻 42
3.2.1 基於删除SQL査詢屬性值的SQL Injection攻擊檢測方法 42
3.3 網路層異常流量分類相關文獻 46
3.3.1 基於循環類神經網路的入侵偵測深度學習方法 46
3.3.2 物聯網中真實僵屍網路(Botnet)資料集: Bot-IoT Dataset 49
第四章 、系統之研究 57
4.1 系統架構介紹 57
4.2 建立蜜罐誘捕模組 59
4.2.1 擷取網頁資源 59
4.2.2 模擬真實系統 61
4.2.3 建立誘捕機制 62
4.3 快速佈署模組 63
4.4 Web Honeypot 65
4.5 入侵行為辨識模組 66
4.5.1 異常行為辨識規則 67
4.5.2 異常流量辨識模型 68
4.6 辨識模型訓練模組 69
4.7 資料預處理 69
4.7.1資料載入 69
4.7.2特徵縮放 71
4.7.3特徵選取 71
4.8 網路模型訓練 73
4.8.1超參數設置 75
4.8.2計算損失函數 76
4.8.3模型評估 78
第五章 、實驗結果 81
5.1 實驗環境 81
5.2 訓練與測試資料集 82
5.3 實驗結果分析 85
5.3.1全流量特徵 85
5.3.2 Information Gain 87
5.3.3 Gain Ratio 88
5.3.4 Wrapper 90
5.4 相關方法比較 91
第六章 、結論與未來方向 94
6.1 結論 94
6.2 未來方向 95
參考文獻 96


圖2.1.1、Honeypot示意圖 5
圖2.2.1、Puppeteer執行流程示意圖 9
圖2.2.1、虛擬機器架構示意圖 10
圖2.3.2、Container架構示意圖 11
圖2.3.1、ANN架構示意圖 15
圖2.6.1.1、監督式學習示意圖 16
圖2.6.2.1、非監督式學習示意圖 17
圖2.8.1、Weka資料載入介面圖 19
圖2.8.2、Weka特徵選擇介面圖 19
圖2.9.1、RNN模型基礎架構圖 21
圖2.10.1、LSTM模型基礎架構圖 22
圖2.11.1、CNN模型基礎架構圖 25
圖2.11.2、卷積流程示意圖 25
圖2.11.3、步伐量為1示意圖 26
圖2.11.4、步伐量為2示意圖 26
圖2.11.5、Zero Padding示意圖 27
圖2.11.6、平均池化示意圖 27
圖2.11.7、最大池化示意圖 28
圖2.13.1、SVM分類器示意圖 30
圖2.14.1、Sigmoid激勵函數示意圖 32
圖2.14.2、Tanh激勵函數示意圖 33
圖2.14.3、ReLU激勵函數示意圖 33
圖3.1.2.1、文獻[37]提出之網路架構圖 40
圖3.1.2.2、文獻[37]提出之Honeypot架構圖 41
圖3.2.1.1、Web Application三層結構與用戶端之架構圖 43
圖3.2.1.2、正常Query與惡意Query執行流程圖 44
圖3.3.1.1 文獻[42]實驗流程圖 47
圖3.3.2.1、文獻[43]流量蒐集流程圖 50
圖3.3.2.2、文獻[43]擷取流量特徵流程圖 50
圖3.3.2.3、文獻[43]提出之評估參數比較圖 54
圖3.3.2.4、文獻[43] RNN模型架構圖 55
圖3.3.2.5、文獻[43] LSTM模型架構圖 55
圖4.1.1、融入深度學習於IoT Web Honeypot網路行為異常偵測系統流程圖 58
圖4.2.1.1、HTTP API Request資料示意圖 60
圖4.2.1.2、完成網頁爬蟲之檔案結構圖 60
圖4.2.2.1、模擬真實系統結果圖 61
圖4.2.3.1、Argus tool擷取系統設備網路流量 62
圖4.2.3.2、Argus tool演算輸出指定流量特徵 63
圖4.3.1、設定Honeypot環境參數 64
圖4.3.2、使用Docker工具執行Container佈署 64
圖4.4.1、智慧農業標的網站比對圖 65
圖4.4.2、智慧醫療標的網站比對圖 66
圖4.8.1、LeakyReLU函數圖形 74
圖4.8.2、多層神經網路之架構圖 75
圖4.8.2.1、梯度下降示意圖 77
圖5.3.1.1、全特徵之網路模型準確率與損失函數變化圖 87
圖5.3.2.1、結合Information Gain特徵選擇之網路模型準確率與損失函數變化圖 88
圖5.3.3.1、結合Gain Ratio特徵選擇之網路模型準確率與損失函數變化圖 90
圖5.3.4.1、結合Wrapper特徵選擇之網路模型準確率與損失函數變化圖 91


表2.1.1、高交互性蜜罐與低交互性蜜罐性能比較表 6
表2.2.2.1、瀏覽器自動化與網頁客戶端程式性能比較表 8
表2.3.1、Container與虛擬機器性能比較表 11
表3.2.1.1、文獻[39] 驗證其方法檢測率結果表 45
表3.3.1.1、文獻[42]之使用資料集分類表 48
表3.3.1.2、文獻[42]使用之NSL-KDD資料集特徵表 48
表3.3.1.3、文獻[42]傳統機器學習與RNN-IDS預測準確率比較表 49
表3.3.2.1、BoT-IoT資料集流量特徵及其描述 51
表3.3.2.2、BoT-IoT資料集演算特徵及其描述 52
表3.3.2.3、文獻[43]Full features模型評估結果表 56
表3.3.2.4、文獻[43]10-best features模型評估結果表 56
表4.7.1.1、流量基本特徵表 70
表4.7.1.2、本論文定義之演算特徵表 71
表4.8.1.1、超參數設置表 75
表4.8.3.1、混淆矩陣定義表 79
表5.1.1、硬體設備規格表 81
表5.1.2、軟體環境規格表 82
表5.2.1、各流量類別於資料集總筆數表 83
表5.2.2、測試集資料總筆數表 83
表5.2.3、訓練集資料總筆數表 84
表5.2.4、驗證集資料總筆數表 84
表5.2.5、特徵選擇結果表 85
表5.3.1.1、全流量特徵測試評估表 86
表5.3.1.2、全流量特徵各流量類別測試評估表 86
表5.3.2.1、Information Gain特徵選擇測試評估表 87
表5.3.2.2、Information Gain各流量類別測試評估表 88
表5.3.3.1、Gain Ratio特徵選擇測試評估表 89
表5.3.3.2、Gain Ratio各流量類別測試評估表 89
表5.3.4.1、Wrapper特徵選擇測試評估表 90
表5.3.4.2、Wrapper各流量類別測試評估表 91
表5.4.1、相關文獻模型比較表(1) 92
表5.4.2、相關文獻模型比較表(2) 92
表5.4.3、相關文獻模型比較表(3) 93

[1] Gartner.com, Analysts to Explore How IoT Will Accelerate Digital Transformation Initiatives, in Gartner IT Symposium/Xpo Barcelona, Spain, November 2019, [Online]. Available: https://www.gartner.com/en/newsroom/press-releases/2019-08-29-gartner-says-5-8-billion-enterprise-and-automotive-io.
[2] J.Z. You, Y.Y. Zhang, S.C. Lv, X. Chen, L.B. Yin and L.M. Sun, "Method of ICS Honeypot Identification Based on Packet-Sharding," Journal of Cyber Security, vol. 4, no. 3, pp. 83-92, 2019
[3] F. Cohen, "The deception toolkit," 1998, [Online]. Available: http://-all.net/journal/deception/deception.html.
[4] L. Spitzner, "To build a honeypot," Cryptogram Newsletter, pp.1-2, June 2001.
[5] Google.com, How search organizes information [Online]. Available: https://www.google.com/intl/en_us/search/howsearchworks/crawling-indexing/.
[6] Phantomjs.org, A headless web browser scriptable with JavaScript, [Online]. Available: https://phantomjs.org/.
[7] Selenium.dev, The story starts in 2004, [Online]. Available: https://www.-selenium.dev/history/.
[8] Pptr.dev, programmatically controlling Chrome from Node.js, [Online]. Available: https://pptr.dev/.
[9] Researcher.waston.ibm.com, Virtual Machine Monitors: The Original Execution Environment, [Online]. Available: https://researcher.watson.ibm.com/researcher-/files/us-hindm/Rosenblum.pdf.
[10] Docker.com, A tool designed to make it easier to create, deploy, and run applications by using containers, [Online]. Available: https://www.docker.com/.
[11] J.P. Anderson, "Computer Security Threat Monitoring and Surveillance," Technical Report, James P. Anderson Company, 1980.
[12] D.E. Denning, "An intrusion-detection model," IEEE Transactions on Software Engineering, vol. 13, no. 2, pp. 222-232, 1987.
[13] J.A. Anderson, "An introduction to neural networks," MIT press, 1995.
[14] O. Depren, M. Topallar, E. Anarim, and M.K. Ciliz, "An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks," Expert systems with Applications, vol. 29, no. 4, pp. 713-722, 2005.
[15] Trendmicro.com, First malware-driven power outage reported in Ukraine, [Online]. Available: https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/first-malware-driven-power-outage-reported-in-ukraine.
[16] Oath.com, Yahoo provides notice to additional users affected by previously disclosed 2013 data theft, [Online]. Available: https://www.oath.com/press-/yahooprovides-notice-to-additional-users-affected-by-previously/.
[17] D. Khosrowshahi, 2016 Data Security Incident, [Online]. Available: https://www. uber.com/newsroom /2016-data-incident/.
[18] Symantec.com, ISTR: Internet Security Threat Report, [Online]. Available: https:// www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf.
[19] A.L. Samuel, "Some Studies in Machine Learning Using the Game of Checkers," 82 IBM Journal of Research and Development, vol. 3, no. 3, pp. 210-229, 1959.
[20] T.M. Cover, and P.E. Hart, "Nearest neighbor pattern classification," in IEEE Transactions on Information Theory, vol. 13, no. 1, pp. 21-27, 1967.
[21] P.J. Werbos, "Application of Advances in Nonlinear Sensitivity Analysis," in Proceedings of the 10th IFIP Conference, pp. 762-770, 1981.
[22] J. R. Quinlan, "Induction of Decision Trees," in Machine Learning 1 Reprinted in Shavlik, vol. 1, no. 1, pp 81–106, 1986.
[23] T.K. Ho, "Random decision forests," in Proceedings of 3rd International Conference on Document Analysis and Recognition, vol. 1, pp. 278-282, 1995.
[24] C.Cortes, and V. Vapnik, "Support-vector networks," Machine learning, vol. 20, no. 3, pp. 273-297, 1995.
[25] W. S. McCulloch, W. Pitts, “A logical calculus of the ideas immanent in nervous activity,” in The bulletin of mathematical biophysics, vol. 5, pp. 115–133, 1943.
[26] D. E. Rumelhart, G. E. Hinton and R. J. Williams, "Learning representations by back-propagating errors," Nature, vol. 323, pp. 533-536, 1986.
[27] R. Bellman, "Dynamic programming," Princeton University Press, Princeton, 1957.
[28] G. Hughes, "On the mean accuracy of statistical pattern recognizers," in IEEE Transactions on Information Theory, vol. 14, no. 1, pp. 55-63, 1968.
[29] Cs.waikato.ac.nz, Weka 3: Machine Learning Software in Java, [Online]. Available: https://www.cs.waikato.ac.nz/ml/weka/index.html.
[30] D. E. Rumelhart, G. E. Hinton and R. J. Williams, "Learning internal representations by error propagation," Parallel Distributed Processing: Explorations in the Microstructure of Cognition, vol. 1, pp. 318-362, 1986.
[31] S. Hochreiter and J. Schmidhuber, "Long short-term memory," Neural Computation, vol. 9, no. 8, pp. 1735-1780, 1997.
[32] K. Fukishima, "Neocognitron: A self-organizing neural network model for a mechanism of pattern recognition unaffected by shift in position," Biological Cybernetics, vol. 36, no. 4, pp. 193-202, 1980.
[33] Y. LeCun, B. Boser, J. S. Denker, D. Henderson, R. E. Howard, W. Hubbard and L. D. Jackel, "Backpropagation Applied to Handwritten Zip Code Recognition," Neural Computation, vol. 1, no. 4, pp. 541-551, 1989.
[34] Y. Lecun, L. Bottou, Y. Bengio and P. Haffner, "Gradient-Based Learning Applied to Document Recognition," Proceedings of the IEEE, vol. 86, no. 11, pp. 2278- 2324, 1998.
[35] A. Krizhevsky, I. Sutskever and G. E. Hinton, "ImageNet Classification with Deep Convolutional Neural Networks," in Proceedings of the 25th International Conference on Neural Information Processing Systems, Lake Tahoe, Nevada, pp. 1097-1105, 2012.
[36] T. Kaur, V. Malhotra and D. Singh, "Comparison of network security tools- Firewall, Intrusion Detection System and Honeypot," in International Journal of Enhanced Research in Science Technology & Engineering, vol. 3, no. 2, pp. 200-204, 2014.
[37] A. Pawar, K. Siddhabbati, S. Bhise and S. Tamhane, "Web Application Honeypot," in International Journal of Advance Research in Computer Science and Management Studies, vol. 2, no. 3, pp. 410-416, 2014.
[38] Owasp.org, The Open Web Application Security Project, [Online]. Available: https://owasp.org/.
[39] I. Lee, S. Jeong, S. Yeo and J. Moon, "A novel method for SQL injection attack detection based on removing SQL query attribute values," in Mathematical and Computer Modelling, vol. 55, no. 1-2, pp. 58-68, 2011.
[40] Owasp.org, OWASP Top 10 Web Application Security Risks, [Online]. Available: https://owasp.org/www-project-top-ten/.
[41] Parosproxy.org, An automatic tool for scanning web program vulnerabilities, [Online]. Available: http://www.parosproxy.org/.
[42] C.L. Yin, Y.F. Zhu, J.L. Fei and X.H. He, "A Deep Learning Approach for Intrusion Detection Using Recurrent Neural Networks," IEEE Access, vol. 5, pp. 21954-21961, 2017.
[43] N.Koroniotis, N.Moustafa, E.Sitnikova and B.Turnbull, "Towards the develop-ment of realistic botnet dataset in the Internet of Things for network forensic analytics: Bot-IoT dataset," Future Generation Computer Systems, vol. 100, pp. 779-796, 2019.
[44] Ostinato.org, A packet generator and network traffic generator, [Online]. Available: https://ostinato.org/.
[45] wireshark.org, Tshark network analysis tool, [Online]. Available: https://www.-wireshark.org/
[46] Openargus.org, A network flow system, [Online]. Available: https://openargus.-org/.
[47] R.W. Emerson, "Causation and Pearson's Correlation Coefficient," in Journal of Visual Impairment & Blindness, vol. 109, no. 3, pp. 242, 2015.
[48] Checklyhq.com, Recording browser interaction and generating Puppeteer scripts, [Online]. Available: https://www.checklyhq.com/.
[49] D.P. Kingma and J.L. Ba, "ADAM: A Method for stochastic optimization,"at 3rd International Conference for Learning Representations(ICLR), 2015.
[50] N. Moustafa, and J. Slay, "UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set)," in Proceedings of Military Communications and Information Systems Conference(MilCIS), 2015.
[51] M.A. Ferrag, L. Maglaras and S. Member, "DeepCoin: A Novel Deep learning and Blockchain-based Energy Exchange Framework for Smart Grids," in IEEE Transactions on Engineering Management, pp. 1-13, 2019.
[52] M.A. Ferrag, L. Maglaras, S. Moschoyiannis and H. Janicke, "Deep learning for cyber security intrusion detection: Approaches, datasets, and comparative study," Journal of Information Security and Applications, vol. 50, 2020.