An Empirical Study on the Instant Analysis System of Privileged Account Login Behavior
Master's === National Central University === Department of Information Management, In-service Master's Program === 106 === Abstract As the Internet has grown in popularity, cyber attacks have emerged in an endless stream, causing trouble and fear for society, enterprise organizations and the public. The continually evolving attack methods have also caused the losses...
Main Authors: | Chia-Liang Pan, 潘嘉良 |
---|---|
Other Authors: | Shi-Jen Lin |
Format: | Others |
Language: | zh-TW |
Published: | 2018 |
Online Access: | http://ndltd.ncl.edu.tw/handle/xstub2 |
id |
ndltd-TW-106NCU05396071 |
---|---|
record_format |
oai_dc |
spelling |
ndltd-TW-106NCU05396071 2019-10-31T05:22:24Z http://ndltd.ncl.edu.tw/handle/xstub2 An Empirical Study on the Instant Analysis System of Privileged Account Login Behavior 特權帳號登入行為即時分析系統之實證研究 Chia-Liang Pan 潘嘉良 Master's National Central University Department of Information Management, In-service Master's Program 106 Shi-Jen Lin 林熙禎 2018 thesis 101 zh-TW |
collection |
NDLTD |
language |
zh-TW |
format |
Others |
sources |
NDLTD |
description |
Master's === National Central University === Department of Information Management, In-service Master's Program === 106 === Abstract
As the Internet has grown in popularity, cyber attacks have emerged in an endless stream, causing trouble and fear for society, enterprise organizations and the public. Continually evolving attack methods have also made organizations' losses more serious. Many intrusions are related to privileged account management: if a privileged account is stolen, it is likely to pose an internal threat to the organization. Proper management of privileged accounts is therefore necessary, and organizations also need to monitor how their privileged accounts are used to avoid damage caused by abnormal use.
This study is based on an organization's privileged account management mechanism. It strengthens the organization's "privileged account management" operating model and combines it with the record and log management and instant alerting functions of "security information and event management (SIEM)" to explore how system integration can establish a mechanism that effectively monitors and analyzes the various privileged account login behaviors in real time and raises alerts automatically. When an abnormal login behavior occurs, the privileged account administrator is notified immediately, so that the administrator can grasp the situation and take countermeasures at the earliest moment to avoid or reduce the harm of the intrusion to the organization.
From the common types of successful privileged account login behavior, correlation rules for twelve patterns were developed, which the SIEM uses as the abnormal-behavior checks in this study. Testing verified that these twelve correlation rules can instantly detect abnormal login behavior of privileged accounts, so applying them in enterprise organizations will strengthen their immediate defense capabilities. When an organization encounters an information security attack, the instant monitoring mechanism of this research enables early detection and a quick response that significantly reduces losses and harm.
|
author2 |
Shi-Jen Lin |
author_facet |
Shi-Jen Lin Chia-Liang Pan 潘嘉良 |
author |
Chia-Liang Pan 潘嘉良 |
author_sort |
Chia-Liang Pan |
title |
An Empirical Study on the Instant Analysis System of Privileged Account Login Behavior |
publishDate |
2018 |
url |
http://ndltd.ncl.edu.tw/handle/xstub2 |