Author: 官振傑 (Guan, Albert)
Advisor: 李永豐 (Lee, Yung-Feng)
Dates: 2025-12-09; 2025-08-12; 2025
Thesis record: https://etds.lib.ntnu.edu.tw/thesis/detail/27c8a1e65e6275ab65ff9f10dd2e3876/
Repository: http://rportal.lib.ntnu.edu.tw/handle/20.500.12235/125836
Title: 提取日誌資料生成溯源圖 (Extracting Log Data for Provenance Graph Generation)
Document type: Academic thesis
Keywords: Auditd; Auditbeat; Log Analysis (日誌分析); Provenance graph

Abstract (translated from the Chinese original):

As information security protection grows in importance, the analysis of system logs plays a key role, helping to detect abnormal behaviour in real time and to trace potential attack paths. This study collects Linux audit logs with Auditbeat, combines Elasticsearch and Kibana to build a visual analysis environment, and further uses Python and Graphistry to construct a provenance graph that reveals the causal relationships between system events in graphical form. The study performs provenance analysis of security incidents through actual attack simulations. First, Auditbeat collects system-level events such as file operations, process creation and network connections; the data is sent to Elasticsearch and given an initial visualization in Kibana. To improve analysis efficiency, Python and Pandas are then used to extract the key fields, and Graphistry builds the event provenance graph, presenting the causal relationships and behavioural paths between nodes. The study also simulates the CVE-2018-19422 vulnerability in Subrion CMS, in which the attacker uploads a malicious .phar file to obtain a reverse shell; Auditbeat detects the file changes and the unexpected connection behaviour, and the provenance graph shows the complete path by which apache2 triggers the shell. A phishing scenario is also included, in which the user is lured into entering credentials and downloading a malicious ELF file with reverse-connection capability. Once the victim runs the file, a Meterpreter control session is established and used for file operations and system control. All of this behaviour is recorded by Auditbeat and presented as a provenance graph showing the complete flow from web-page deception to system compromise, confirming the feasibility of the method for reconstructing abnormal behaviour and tracing key nodes. In summary, this study proposes an automated, visual system log analysis workflow that not only extracts security-critical events effectively but also helps security staff follow an attacker's trail of behaviour through provenance graphs. The method can be applied to intrusion detection and security monitoring, providing enterprises and research institutions with a practical tool for log analysis and threat tracing.

Abstract (English):

As information security becomes increasingly critical, system log analysis plays a pivotal role in detecting abnormal behavior and tracing potential attack paths in real time. This study proposes a methodology for analyzing Linux audit logs by leveraging Auditbeat to collect system events and integrating Elasticsearch and Kibana to construct a visualized analysis environment. Furthermore, Python and Graphistry are utilized to build provenance graphs, which reveal causal relationships between system events in a graphical manner.

This study conducts provenance analysis through simulated real-world cyberattacks. Auditbeat is utilized to collect system-level events, including file operations, process creation, and network connections. The data is then transmitted to Elasticsearch and initially visualized using Kibana. To enhance analytical efficiency, key fields are extracted using Python and Pandas, and a provenance graph is constructed with Graphistry to illustrate the causal relationships and behavioral paths between entities. In addition, the study simulates an exploitation of the CVE-2018-19422 vulnerability in Subrion CMS, wherein the attacker uploads a malicious .phar file to obtain a reverse shell. Auditbeat effectively detects the related file modifications and unexpected outbound connections, while the provenance graph clearly visualizes the process path in which Apache2 triggers the shell execution.

The study also incorporates a phishing attack scenario, deceiving the user into submitting credentials and downloading a malicious ELF file with reverse shell capabilities. Upon execution, the backdoor establishes a Meterpreter session, granting the attacker control over the victim's system, including file manipulation and command execution. All related activities are captured by Auditbeat and represented in the provenance graph, successfully demonstrating the feasibility of the proposed approach in reconstructing abnormal behavior and identifying key attack nodes.

In conclusion, this research presents an automated and visualized system log analysis pipeline capable of extracting security-critical events and facilitating the tracing of attacker behavior through provenance graphs. The proposed method demonstrates practical value in the domains of intrusion detection and security monitoring, offering a valuable tool for enterprises and research institutions in log analysis and threat attribution.
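As an added illustration of the key-field extraction and provenance-graph construction the abstract describes (example code, not from the thesis), the Python below turns a constructed sample of Auditbeat-style audit events into a source/target edge list, flags the outbound connection that falls outside an allow-list, and traces it back through the process tree to the web server. The event and field names are assumed to follow Auditbeat's ECS layout, pid 1 is labelled "init" by assumption, and Graphistry is not called so the snippet runs offline.

```python
import json

# Constructed sample of Auditbeat-style (ECS) audit events as newline-delimited
# JSON. Field names follow Auditbeat's process/file/socket events; the values
# are invented to mirror the thesis scenario of apache2 spawning a shell.
SAMPLE_NDJSON = """
{"event":{"action":"executed"},"process":{"pid":1001,"name":"apache2","parent":{"pid":1}}}
{"event":{"action":"opened-file"},"process":{"pid":1001,"name":"apache2"},"file":{"path":"/var/www/html/uploads/x.phar"}}
{"event":{"action":"executed"},"process":{"pid":1002,"name":"sh","parent":{"pid":1001}}}
{"event":{"action":"connected-to"},"process":{"pid":1002,"name":"sh"},"destination":{"ip":"192.0.2.10","port":4444}}
{"event":{"action":"executed"},"process":{"pid":1003,"name":"cron","parent":{"pid":1}}}
"""

def extract_edges(ndjson):
    """Turn audit events into (source, target, action) provenance edges.
    Node ids are 'proc:<pid>:<name>', 'file:<path>' and 'net:<ip>:<port>'."""
    names = {1: "init"}  # pid -> name; pid 1 is labelled by assumption
    edges = []
    for line in ndjson.strip().splitlines():
        ev = json.loads(line)
        proc = ev["process"]
        names[proc["pid"]] = proc["name"]
        node = f"proc:{proc['pid']}:{proc['name']}"
        action = ev["event"]["action"]
        if action == "executed" and "parent" in proc:
            ppid = proc["parent"]["pid"]
            edges.append((f"proc:{ppid}:{names.get(ppid, '?')}", node, "fork/exec"))
        elif "file" in ev:
            edges.append((node, f"file:{ev['file']['path']}", action))
        elif "destination" in ev:
            d = ev["destination"]
            edges.append((node, f"net:{d['ip']}:{d['port']}", action))
    return edges

def suspicious_outbound(edges, allowed_ports=(80, 443)):
    """Flag outbound connections to ports outside the allow-list."""
    return [(s, t) for s, t, _ in edges
            if t.startswith("net:") and int(t.rsplit(":", 1)[1]) not in allowed_ports]

def backward_trace(edges, target):
    """Follow the incoming edge of each node back to the root: the path an
    analyst reads off the provenance graph (e.g. init -> apache2 -> sh -> net)."""
    parent_of = {dst: src for src, dst, _ in edges}
    path = [target]
    while path[-1] in parent_of:
        path.append(parent_of[path[-1]])
    return path[::-1]
```

Calling `backward_trace(edges, net)` for each flagged node from `suspicious_outbound(extract_edges(SAMPLE_NDJSON))` yields the apache2 to sh to remote-listener chain; the same edge list, loaded into a DataFrame with source and target columns, is what a Graphistry or Pandas-based graph view would plot.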