NSC 95-3113-P-224-004
Project period: 1 February 2006 to 31 January 2007 (ROC 95/2/1 to 96/1/31)
Email: [email protected]
The widespread use of the Internet has made computer security an important issue. Currently, anti-virus software is the primary mechanism for protecting computers from virus damage. Such a mechanism relies on updates of the virus patterns (signatures) and of the scan engine to detect a new virus. A serious security threat today is malicious executables, especially new, unseen malicious executables, which often arrive as email attachments. One of the primary problems faced by the anti-virus community is to devise methods for detecting new viruses that have not yet been analyzed. Eight to ten viruses are created every day, and most cannot be accurately detected until signatures have been generated for them. During this window, systems protected by signature-based algorithms are vulnerable to attack.
We propose a method that uses an ontology to support behavior-based detection and knowledge management of email viruses. It constructs an email virus ontology in accordance with the behavioral characteristics of email viruses, and then uses the ontology both to detect and to manage email virus behavior.
The ontology is transformed automatically into Petri nets, which perform the detection. Finally, we use Protégé 2000 to implement and manage the email virus behavior ontology.
We designed and implemented an intelligent email filter on an embedded system. It acts as an email gateway that filters inbound messages by enforcing email virus rule policies. On the embedded system we also provide a web-based administrative interface through which system administrators perform the system configuration and set up their email virus filtering rules.
The three main results of the study were: first, an innovative design of the embedded system; second, the design and implementation of a multi-role, security-oriented management function on the embedded system; and third, the finding that usefulness and ease of use are the two main user perceptions of it.
2. Background
This study combines an ontology with Petri nets for email virus detection.
Usage statistics cited: [50] (March 2006); CSI/FBI 2006 survey [43]; [53]; a 2004 survey. Mail clients: Outlook and Outlook Express versus web-based mail (87%).
Figure 2-1: (2006) [50].
Figure 2-2: Dollar Amount Losses by Type (CSI/FBI 2006 [43], 2005 data).
2.1 Email viruses
2.1.1 Behavioral characteristics of email viruses
Email viruses and worms (Kienzle and Elder, 2003 [23]; [6]; Takeshi [40]).
Kienzle and Elder [23] characterize recent worms by their propagation mechanism; email viruses spread either through the mail client's API or by carrying their own SMTP engine. Their observable characteristics fall into three groups.
1. Message content
 (2) HTML bodies: script embedded in the HTML, SCRIPT MIME parts and Java applets that run when the message is rendered.
2. Attachments [2]
 (1) Names and subjects that play on current events (911).
 (3) Windows file types: XLS and DOC (MS Office macro viruses); VBS, HTA, REG and BAT (VBScript, HTML Application, registry and batch scripts); EXE, SCR and PIF (Windows executables).
  - Double extensions such as readme.txt.exe or goldfish.doc.pif make an executable look like a document (Nimda).
  - Executables disguised as media files, for example WORM_MALDAL.C posing as a Flash animation.
3. Behavior after execution [6]
 (3) Modifying Windows system files, as W32.Navidad does; Happy99.Worm patches the Windows winsock.dll.
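As an added example that is not code from the report, the Python below extracts several of the attachment and HTML characteristics listed above from a raw RFC 822 message and returns them as a 0/1 feature vector of the kind the later Petri net consumes. The feature names, the extension sets and the two sample messages are constructed for this illustration and are not the report's twelve features; the double-extension check follows the readme.txt.exe / goldfish.doc.pif pattern described in the text, and the MIME-mismatch check flags an executable name declared as text or image.

```python
"""Added example: extract email-virus characteristics from a raw message.

Feature names, extension sets and sample messages are constructed for this
illustration (they are not the report's twelve features).
"""
import re
from email import message_from_string

# Extension classes named in the text; matching is on the lower-cased last suffix (assumption).
EXECUTABLE_EXT = {"exe", "scr", "pif", "com"}
SCRIPT_EXT = {"vbs", "hta", "reg", "bat", "js", "wsf"}
DOCUMENT_EXT = {"txt", "doc", "xls", "jpg", "gif", "pdf", "htm", "html"}
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

FEATURE_ORDER = (
    "executable_attachment",  # last suffix is EXE/SCR/PIF/COM
    "script_attachment",      # last suffix is VBS/HTA/REG/BAT/JS/WSF
    "double_extension",       # document suffix hiding a runnable one (readme.txt.exe)
    "mime_mismatch",          # declared text/* or image/* but runnable file name
    "html_script",            # <script> inside an HTML body part
    "multiple_attachments",   # more than one attachment
)


def suffixes(filename):
    """All dot-separated suffixes, lower-cased: 'goldfish.doc.pif' -> ['doc', 'pif']."""
    base = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def attachment_features(part):
    """Characteristics of one attachment part (an email.message.Message)."""
    sfx = suffixes(part.get_filename() or "")
    last = sfx[-1] if sfx else ""
    runnable = last in EXECUTABLE_EXT or last in SCRIPT_EXT
    return {
        "executable_attachment": last in EXECUTABLE_EXT,
        "script_attachment": last in SCRIPT_EXT,
        "double_extension": runnable and len(sfx) >= 2 and sfx[-2] in DOCUMENT_EXT,
        "mime_mismatch": runnable and part.get_content_maintype() in ("text", "image"),
    }


def extract_features(raw_message):
    """Walk every MIME part of a raw RFC 822 message and OR the per-part characteristics."""
    msg = message_from_string(raw_message)
    feats = dict.fromkeys(FEATURE_ORDER, False)
    attachments = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            attachments += 1
            for name, present in attachment_features(part).items():
                feats[name] = feats[name] or present
        elif part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            if SCRIPT_TAG.search(body.decode("utf-8", "replace")):
                feats["html_script"] = True
    feats["multiple_attachments"] = attachments > 1
    return feats


def feature_vector(raw_message):
    """0/1 vector in FEATURE_ORDER, the form a rule-based Petri net takes as input."""
    feats = extract_features(raw_message)
    return [1 if feats[name] else 0 for name in FEATURE_ORDER]


# Constructed sample: Nimda-style message, HTML body with script plus a double-extension attachment.
SAMPLE_WORM = """\
From: alice@example.com
To: bob@example.net
Subject: readme
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body><script>window.open("readme.txt.exe");</script></body></html>
--b1
Content-Type: text/plain; name="readme.txt.exe"
Content-Disposition: attachment; filename="readme.txt.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed sample: plain-text message without attachments.
SAMPLE_CLEAN = """\
From: alice@example.com
To: bob@example.net
Subject: lunch
Content-Type: text/plain

Are we still on for 12:30?
"""

if __name__ == "__main__":
    print(dict(zip(FEATURE_ORDER, feature_vector(SAMPLE_WORM))))
    print(feature_vector(SAMPLE_CLEAN))
```

The extractor looks only at the declared file name and MIME type; a gateway filter would additionally sniff the attachment bytes (for example the MZ header of a Windows executable), since both name and Content-Type are attacker-controlled.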
2.1.2 Embedded systems
Putting embedded systems on the Internet (Shear [33]); networked microcontrollers (Cole [14]); embedded web servers serving HTML pages for monitoring (Patterson [32]); web-embedded field devices (Lloyd [25]); the definition of an embedded system given by the IEE (The Institution of Electrical Engineers) [42].
Characteristics of embedded systems:
1. A dedicated function rather than general-purpose computing.
2. Processors ranging from 8051-class microcontrollers to x86.
3. Customized (Customize) for one application: set-top boxes, GPS units, PDAs, embedded servers, thin clients.
The first microprocessor was the Intel 4004 (1971); current designs integrate the system on a chip (SoC).
Classification:
1. By application domain.
2. By timing constraints: hard real-time embedded systems versus soft real-time embedded systems.
3. By architecture.
4. By network generation (4G).
TWNIC statistics (September 2004) motivate a network appliance.
Target platform: NET-Start-IXP!, a 32-bit Intel XScale IXP420 RISC board with PCI, 8 MB Flash, 32 MB SDRAM, four LAN ports, one WAN port, 16 MB NAND Flash and USB, running Linux with BusyBox and an Apache+PHP server.
2.2 Virus detection techniques
Anti-virus products date from 1987 [54]. The main techniques are matching virus definition patterns, checksums, real-time I/O scanning, behavior-based virus detection and agent-based virus detection [6].
1. Pattern (signature) matching [13][26][6]. Gateway products such as Reti Corporation's proxy-based virus scan [47][48] intercept traffic on well-known ports through a proxy.
2. Checksum (check number) methods compare file checksums against known-good values [26]. Schultz et al. apply Multi-Naive Bayes to hexdump byte sequences [28][20].
3. Real-time I/O stream scanning [48][52]: stream-based inspection of HTTP, HTTPS, SMTP, POP3, IMAP and FTP.
4. Behavior-based detection: Symantec's Bloodhound heuristics [55] examine program regions and program logic; Trend Micro's ScriptTrap [57] monitors JavaScript and VBScript in HTML and XML. Data-mining approaches include decision trees and Bayesian networks [27] (J. H. Wang [20]); Naive Bayes [36][35] and SOM with K-Medoids [37] (Shih, D. H.); and Multi-Naive Bayes (Schultz) [20].
5. Agent-based detection: intelligent viruses [26]; mobile agents [26][22]; IBM's approach [26]; heterogeneous agents (T. Okamoto [39]).
3. Methodology
3.1 Ontology
The ontology is expressed in terms of classes (Class), individuals (Individual) and properties (Property); these are mapped onto a Petri net, with the member functions (MemberFunction) of each class becoming transitions.
3.2 Petri nets (Petri net)
Petri nets (PN) were introduced by Carl Adam Petri in 1962 (Murata, 1989 [29]) and are widely used for dynamic modeling of discrete-event systems (Zhou & Jeng, 1998; Zaytoon, 1996).
3.2.1 Petri net definition
A PN consists of (1) places (place), (2) transitions (transition) and (3) arcs (arcs) (Lee & Hsu, 2003 [24]); Figure 3-1 shows the graphical notation (Murata, 1989 [29]; Cassandras & Lafortune, 1999).
Figure 3-1: Petri net notation.
A transition is enabled (enable) when every input place holds at least as many tokens as the weight of the connecting arc; firing (fire) an enabled transition removes those tokens from its input places and deposits tokens in its output places.
Formally, a PN is N = (P, T, F, W, M0), where P is the set of places, T the set of transitions, F the set of arcs from places to transitions and from transitions to places (arcs never join two places or two transitions), W the arc weights (an arc of weight k stands for k parallel arcs) and M0 the initial marking (initial marking). A marking (marking) assigns to each place p the number of tokens (token) it holds (Murata, 1989 [29]).
As a graph, places and transitions are the nodes (node) and arcs the links (link) (Zhou & Jeng, 1998). Tokens represent resources or conditions and move through the net as transitions fire.
Figure 3-2: Petri net example (Murata [29][1]).
3.3 Fuzzy production rules
Knowledge is represented as production rules whose antecedents are combined with AND and OR and which carry a certainty factor (Chen et al., 1990 [12]; Looney and Alfize, 1987 [11]). A rule of the form IF d1 THEN d2 is modeled as a transition from place d1 to place d2; a compound antecedent such as IF d1 AND d2 THEN ... becomes a transition with two input places.
3.4 Ontology
The term ontology comes from philosophy (Bunge [10]). Ontologies are applied in knowledge engineering, knowledge representation, qualitative modeling, language engineering, database design, information modeling, information integration, object-oriented analysis, information retrieval and extraction, and knowledge management and organization (Guarino [19]).
3.4.1 Definitions of ontology
Neches et al. [30]: an ontology defines the basic terms (terms) and relations (relations) that make up the vocabulary (vocabulary) of a topic area, together with the rules for combining them. Further definitions are given by Swartout et al. [38], Guarino [19] and Uschold & Jasper [41].
3.4.2 Ontology construction methodologies
Uschold and King [41]; TOVE (Gruninger and Fox, 1995); KACTUS (Bernaras, Laresgoiti & Corera [9]); METHONTOLOGY (Gomez-Perez, Fernandez & Vicente [17]); SENSUS (Swartout, Ramesh, Knight & Russ [38]); On-To-Knowledge (Staab, Schnurr, Studer & Sure, 2001). Fernandez-Lopez [17] compares nine ontology methodologies.
3.5 Web mechanisms used by the system
3.5.1 HTTPS
HTTPS is HTTP carried over SSL, which encrypts the HTTP traffic between browser and server. SSL (Secure Socket Layer) was designed by Netscape in 1994 [44]; SSL 3.0 followed in November 1996, and in 1999 the IETF (Internet Engineering Task Force) published TLS 1.0 (Transport Layer Security, RFC 2246) [49], which is based on SSL 3.0. Both Netscape and Internet Explorer support SSL. Export-grade SSL used 40-bit keys; 128-bit keys are the norm.
SSL provides:
1. Authentication of the server (and optionally the client) during the Handshake Protocol.
2. Encryption of the data carried in SSL records.
3. Message integrity through a MAC computed with SHA-1 or MD5 [31].
(SSL 2.0, SSL 3.0 and 40-bit ciphers are deprecated today; a current deployment would use TLS 1.2 or later.)
3.5.2 Base64
Base64 encodes arbitrary 8-bit data as printable characters: every 3 input bytes (24 bits) become 4 six-bit symbols, so the encoded data grows by one third (about 33%). It is defined in RFC 2045 [51] and is the encoding MIME uses for binary attachments.
4. Email virus ontology and Petri net model
4.1 Data set
Email virus samples dated April 1999 to June 2004 were collected (via FTP); Table 4-1 lists them.
Table 4-1: Email virus samples.
4.2 Feature selection
Features follow [35][36][37][2].
4.2.1 Feature statistics
Table 4-2 gives the frequency of each characteristic in the samples (values quoted in the text: 82.8%; script in MIME parts (SCRIPT): 100%).
Table 4-2: Feature frequencies.
The twelve patterns (Patterns) of Table 4-2 form the concepts of the ontology [34]; Table 4-3 lists them.
Table 4-3: Selected features.
4.3 Ontology construction
The email virus ontology was built with Protégé 2000 from SMI (Stanford Medical Informatics) [46], using its Class, Property and Individual constructs and following the method of Uschold and King [41]:
1. Identify purpose and scope (Table 4-3).
2. Build the ontology: capture the general concepts (General concept) and their relations.
3. Encode the ontology in OWL [45] (Figure 4-1).
4. Load the OWL file into Protégé-2000 for evaluation and maintenance (Figure 4-2).
Figure 4-1: The email virus ontology in OWL.
Figure 4-2: The ontology in Protégé-2000.
4.4 Transforming the ontology into a Petri net
The ontology of Section 4.3 (Figure 4-2) is mapped onto a Petri net (Figure 4-4); its transitions carry the rules (Rule) listed in Table 4-5.
4.4.1 Mapping ontology constructs to Petri net elements
The OWL ontology exported from Protégé is converted with the mapping of Table 4-4:
- A concept with several sub-concepts (ConceptA with ConceptA1, ConceptA2, ConceptA3) becomes a place (Place4) fed by a transition whose input places (Place1, Place2, Place3) stand for the sub-concepts; when Place1, Place2 and Place3 hold tokens the transition fires (fire) and marks Place4. ConceptB with ConceptB1, ConceptB2, ConceptB3 is mapped the same way.
- A concept hierarchy (ConceptA, ConceptA1, ConceptA11) becomes a chain of places Place1, Place2, Place3 joined by transitions.
- A relation between two concepts (ConceptA related to ConceptB) becomes a transition path from Place2 to Place4.
Table 4-4: Ontology-to-Petri-net mapping.
The resulting Petri net (Figure 4-4) has one place per feature of Table 4-2 and one transition per rule; each transition is weighted with a confidence value (Confidence).
Confidence values
The rule weights are the confidence of the corresponding association rule mined from the sample set. The support (support) of A => B is the fraction of samples containing both A and B; the confidence (confidence) is the conditional probability that a sample showing A also shows B. A confidence of 60% for A => B means that 60% of the samples with feature A also have feature B (Figure 4-3).
Confidence(A => B) = P(B | A)
Figure 4-3: Confidence formula.
Table 4-5: Rules of the Petri net.
Inference runs as follows. The twelve features form the input vector to the Petri net of Figure 4-4, and the rules of Table 4-5 propagate the token values to the output place; a token value lies in [0, 1].
Example
1. A message is described by twelve features [x1, x2, ..., x12], each 1 if present and 0 if absent. For the vector [1,1,1,0,0,1,0,0,0,0,1,1] the rules R1, R2, R3, R6, R11 and R12 have their antecedents satisfied.
2. The three branches into d6 (R1, R2, R3: IF d1 or d2 or d3 THEN d6) combine by maximum: X6 = MAX(X1*c16, X2*c26, X3*c36) = MAX(1*0.898, 1*0.924, 1*0.949) = 0.949.
3. Following the path through d11 (IF d6 THEN d11, c6-11 = 0.898): X11 = 0.949*0.898 = 0.852. (d6 also feeds d9, d10 and d12; this trace follows d11.)
4. IF d11 THEN d12 (c11-12 = 1.0): X12 = 0.852*1 = 0.852.
5. IF d12 THEN d13 (c12-13 = 1.0): X13 = 0.852*1 = 0.852. X13 is the output place.
Figure 4-4: Petri net for email virus detection. Places X1 to X13; d1-d5 and d7 appear only as rule antecedents, d13 is the final output. Transition confidences:
c1-6 = 0.898, c2-6 = 0.924, c3-6 = 0.949, c4-8 = 0.714, c5-8 = 0.285,
c6-9 = 1.0, c6-10 = 0.761, c6-11 = 0.898, c6-12 = 1.0,
c7-10 = 0.40, c7-11 = 1.0, c7-12 = 1.0,
c8-10 = 1.0, c8-11 = 1.0, c8-12 = 1.0,
c9-12 = 1.0, c10-12 = 1.0, c11-12 = 1.0, c12-13 = 1.0.
Table 4-5: Rules
R1: IF d1 or d2 or d3 THEN d6
R2: IF d4 or d5 THEN d8
R3: IF d6 THEN d9
R4: IF d6 THEN d10
R5: IF d6 THEN d11
R6: IF d6 THEN d12
R7: IF d7 THEN d10
R8: IF d7 THEN d11
R9: IF d7 THEN d12
R10: IF d8 THEN d10
R11: IF d8 THEN d11
R12: IF d8 THEN d12
R13: IF d9 THEN d12
R14: IF d11 THEN d12
R15: IF d10 THEN d12
R16: IF d12 THEN d13
4.5 Evaluation
Detection results are scored with:
1. True Positives (TP): infected messages classified as infected.
2. True Negatives (TN): clean messages classified as clean.
3. False Positives (FP): clean messages classified as infected.
4. False Negatives (FN): infected messages classified as clean.
5. Detection Rate = TP / (TP + FN)
6. False Positive Rate = FP / (TN + FP)
7. Overall Accuracy = (TP + TN) / (TP + TN + FP + FN)
Table 4-6: Confusion matrix
                      Classified infected   Classified clean
  Actually infected   TP                    FN
  Actually clean      FP                    TN
On the 1999-2004 sample set the model reached TP/TN 99%, FN 0% and FP 2% under cross validation (Cross Validation); a further test used viruses collected in December 2004.
Table 4-7 compares the result with SOM, Naive Bayes and decision tree classifiers [36].
Table 4-7: Comparison of detection methods (= detected).
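As an added example that is not part of the report, the Python below runs the forward inference of Section 4.4 over the rules of Table 4-5 with the confidences of Figure 4-4, and then scores a small labelled set with the measures of Section 4.5. Each rule is a transition whose certainty factor is the confidence of its antecedent-consequent pair; a consequent fed by several transitions keeps the maximum of value × confidence, as in step 2 of the worked example. The rules and confidences are the report's; the crisp 0/1 marking of the six pure-antecedent places, the 0.5 decision threshold, the labelled sample vectors and all function names are assumptions made for the illustration. Because the full propagation also fires the direct d6 to d12 rule (c6-12 = 1.0), d13 comes out at 0.949 for the worked example's evidence, higher than the value obtained by tracing only the d6, d11, d12, d13 path.

```python
"""Added example: max-product forward inference over the fuzzy Petri net of
Figure 4-4 / Table 4-5, plus the evaluation measures of Section 4.5.

Rules and confidences are taken from the report; the input marking, the
threshold and the labelled samples are assumptions for this illustration.
"""

# Table 4-5 rules with the confidences of Figure 4-4. Each entry maps the OR-ed
# antecedent places to their confidence c(antecedent -> consequent).
RULES = [
    ({"d1": 0.898, "d2": 0.924, "d3": 0.949}, "d6"),  # R1: IF d1 or d2 or d3 THEN d6
    ({"d4": 0.714, "d5": 0.285}, "d8"),               # R2: IF d4 or d5 THEN d8
    ({"d6": 1.0}, "d9"),                               # R3
    ({"d6": 0.761}, "d10"),                            # R4
    ({"d6": 0.898}, "d11"),                            # R5
    ({"d6": 1.0}, "d12"),                              # R6
    ({"d7": 0.40}, "d10"),                             # R7
    ({"d7": 1.0}, "d11"),                              # R8
    ({"d7": 1.0}, "d12"),                              # R9
    ({"d8": 1.0}, "d10"),                              # R10
    ({"d8": 1.0}, "d11"),                              # R11
    ({"d8": 1.0}, "d12"),                              # R12
    ({"d9": 1.0}, "d12"),                              # R13
    ({"d11": 1.0}, "d12"),                             # R14
    ({"d10": 1.0}, "d12"),                             # R15
    ({"d12": 1.0}, "d13"),                             # R16: d13 is the output place
]
INPUT_PLACES = ("d1", "d2", "d3", "d4", "d5", "d7")  # places that occur only as antecedents
OUTPUT_PLACE = "d13"


def propagate(marking, rules=RULES, max_rounds=50):
    """Fire transitions until the marking is stable.

    A transition contributes value(antecedent) * confidence for each of its OR
    branches; the consequent place keeps the maximum over all contributions.
    """
    m = dict(marking)
    for _ in range(max_rounds):
        changed = False
        for branches, consequent in rules:
            fired = max((m.get(p, 0.0) * c for p, c in branches.items()), default=0.0)
            if fired > m.get(consequent, 0.0) + 1e-12:
                m[consequent] = fired
                changed = True
        if not changed:
            return m
    raise RuntimeError("marking did not stabilise")  # cannot happen on this acyclic net


def marking_from_vector(bits, places=INPUT_PLACES):
    """Crisp 0/1 observation of the input places -> initial marking (assumption)."""
    return {p: float(b) for p, b in zip(places, bits)}


def classify(bits, threshold=0.5):
    """Return (token value at d13, True if the message is classed as infected)."""
    score = propagate(marking_from_vector(bits)).get(OUTPUT_PLACE, 0.0)
    return score, score >= threshold


def evaluate(samples, threshold=0.5):
    """samples: iterable of (input bits, is_infected). Returns the Section 4.5 measures."""
    tp = tn = fp = fn = 0
    for bits, infected in samples:
        _, flagged = classify(bits, threshold)
        if infected and flagged:
            tp += 1
        elif infected:
            fn += 1
        elif flagged:
            fp += 1
        else:
            tn += 1
    total = tp + tn + fp + fn
    return {
        "TP": tp, "TN": tn, "FP": fp, "FN": fn,
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (tn + fp) if tn + fp else 0.0,
        "accuracy": (tp + tn) / total if total else 0.0,
    }


# Constructed labelled samples: (d1, d2, d3, d4, d5, d7), infected?
SAMPLES = [
    ((1, 1, 1, 0, 0, 0), True),   # the worked example's evidence
    ((0, 0, 0, 1, 0, 0), True),   # only d4 present
    ((0, 0, 0, 0, 1, 0), True),   # only d5 present: weak evidence (c5-8 = 0.285), missed
    ((0, 0, 0, 0, 0, 1), True),   # only d7 present
    ((0, 0, 0, 0, 0, 0), False),  # clean message
    ((0, 0, 0, 0, 0, 0), False),
]

if __name__ == "__main__":
    print(propagate(marking_from_vector((1, 1, 1, 0, 0, 0))))
    print(evaluate(SAMPLES))
```

The d5-only sample shows the trade-off the threshold controls: a confidence of 0.285 never reaches 0.5, so a message whose only indicator is d5 is a false negative, while lowering the threshold to catch it would raise the false positive rate on benign mail carrying the same weak feature.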
5. System design and implementation
Figure 5-1: System architecture (Mail Server, filter with Y/N decision, steps 1 and 2).
5.1 Design
1. Each message is reduced to a feature vector such as (1,1,1,1,0,0,0,1,0,1) and evaluated by the Petri net.
2. The filter is network-based (Network-based): it sits between the mail server and the users.
5.1.1 Functions
1. Account ID management.
2. (1) (2) (3) User ID assignment and ID lookup.
3. (1) IP address configuration. (2)
4. (1) Access from a web browser. (2) WEB Mail.
Figure 5-2: SMART.
5.2 System architecture
5.2.1 Deployment
Figure 5-3: Deployment diagram. The EEVF fetches mail from the Mail Server over IMAP; attachments are carried Base64-encoded; the Security Server, Expert, End User, Network Manager and Sales Manager roles reach the system over https.
5.3
NET-Start-IXP Intel Xscale IXP420 CPU IPX420 RSIC 32bit IPX420 NET-StartIXP
Embedded Linux
WebMail
-
18
Table 5-1: Mail Server configuration.
5.4 Operation flows
1. Administrator flow (Figure 5-4), steps (1) to (3).
Figure 5-4: Administrator flowchart (START; two Y/N decision points; Logout).
2. Mail flow (Figure 5-5), steps (1) to (4); steps (3) and (4) handle the Mail.
Figure 5-5: Mail flowchart (Start; three Y/N decision points; Logout).
5.5 UML modeling
The system is modeled with the Unified Modeling Language (UML) [18]; see also [3].
5.5.1 UML diagrams
Use case diagrams and sequence diagrams are used.
5.5.2 Use case diagrams
Use cases (Use Case) and actors (Actor) are shown in use case diagrams (Use Case Diagram).
1. System use cases (ID assignment), Figure 5-6. Actors: System Provider, Network Manager, Mail Server; the EEVF sits between the Internet and the LAN.
Figure 5-6: System use case diagram.
2. EEVF use cases for the End User, Figure 5-7.
Figure 5-7: EEVF use case diagram.
5.5.3 Sequence diagrams
1. Figure 5-8: Registration and configuration. Participants: Network Manager, EEVF, End User, Mail Server, Security Server. Messages 1 to 12, including Password exchanges (3, 4, 5, 6, 7, 9, 10) and Mail Server IP (11).
2. Figure 5-9: Security Server interaction. Same participants; messages 1 to 8, including Password (5).
3. Figure 5-10: Messages 1 to 7 between Network Manager, EEVF, End User, Mail Server and Security Server.
4. Figure 5-11: Expert and Security Server, messages 1 to 4.
5. Figure 5-12: Sales Manager, Security Server and Network Manager, messages 1 to 10.
1.
2. The Server is reached over https.
3. WEB Mail.
1. Shih, D. H., S. F. Hsu, H. S. Chiang and C. P. Chang, 2005, Misuse Detection of Email Viruses based on SOM with k-medoids, Research on Computer Science - Advances in AI Applications, Vol. 17, pp. 139-148.
2. Shih, D. H., H. S. Chiang and D. C. Yen, 2005/06, Classification Methods in the Detection of New Malicious Emails, Information Sciences, Vol. 172, pp. 241-261. (SCI, SSCI)
3. Shih, D. H., 2004, Detection of New Malicious Emails Based on Self-Organizing Maps and K-Medoids Clustering, Journal of Information Management, Vol. 11, No. 2, pp. 211-235. (TSSCI)
4. Shih, D. H., H. S. Chiang and C. Y. Chan, 2004, Internet Security: Malicious Emails Detection and Protection, Industrial Management and Data Systems, Vol. 104, No. 7, pp. 613-623. (SCI)
5. Shih, D. H. and H. S. Chiang, 2004, Email virus: How organizations can protect their emails, Online Information Review, Vol. 28, No. 5, pp. 356-366. (SSCI)
6. Chiang, H. S., J. C. Shen and D. H. Shih, 2006/07, Ontology based Knowledge Management of Email Viruses, Proceedings of the International Conference on Pacific Rim Management, 16th Annual Meeting, 2006/07/27 to 2006/07/29, Honolulu, Hawaii, USA, pp. 455-460.
7. Shih, D. H., S. F. Hsu, H. S. Chiang and C. P. Chang, 2005/11, Misuse Detection of Email Viruses based on SOM with k-medoids, Mexican International Conference on Artificial Intelligence, 2005/11/14 to 2005/11/18, Monterrey, Mexico, 10 pages.
[1] (Chinese-language reference, 2004) Petri net.
[2] (Chinese-language reference, 2003).
[3] (Chinese-language reference on UML, 2002), pp. 117-120.
[4] (Chinese-language reference, 2004) ARM MP3.
[5] (Chinese-language reference, 2002).
[6] (Chinese-language reference, 2001).
[7] (Chinese-language reference), Dec. 2000.
[8] Rivest, R. L., The MD5 Message-Digest Algorithm, RFC 1321, April 1992.
[9] Bernaras, A., Laresgoiti, I. & Corera, J., 1996, Building and reusing ontologies for electrical network applications, in W. Wahlster (Ed.), European Conference on Artificial Intelligence, pp. 298-302.
[10] Bunge, M., 1977, Ontology I: The Furniture of the World. Treatise on Basic Philosophy, Vol. 3, Boston, Mass.: D. Reidel Publishing.
[11] Looney, C. G. and Alfize, A. R., "Logical controls via Boolean rule matrix transformations," IEEE Trans. Syst., Man, Cybern., vol. SMC-17, no. 6, pp. 1077-1082, Nov./Dec. 1987.
[12] Chen, S. M., Ke, J. S. and Chang, J. F., "Knowledge Representation Using Fuzzy Petri Nets," IEEE Transactions on Knowledge and Data Engineering, Vol. 2, No. 3, pp. 311-319, 1990.
[13] Cohen, F., 1991, Current best practice against computer viruses, 25th Annual IEEE International Carnahan Conference on Security Technology, pp. 261-270.
[14] Cole, B., 2001, Microcontrollers craft a network future, Electronic Engineering Times, May 21, Issue 1167, pp. 71-73.
[15] Shih, D. H., Chiang, H. S. and Yen, D. C., 2005, Classification Methods in the Detection of New Malicious Emails, Information Sciences, Vol. 172, Issue 1-2, June 9, pp. 241-261.
[16] Davis, R., 1988, Fourth Aerospace Computer Security Applications Conference, Page(s): 7/11.
[17] Fernandez-Lopez, M., Gomez-Perez, A., Sierra, J. P. & Sierra, A. P., 1999, Building a chemical ontology using Methontology and the Ontology Design Environment, IEEE Intelligent Systems, Vol. 14, No. 1, pp. 37-46.
[18] Booch, G., Rumbaugh, J. and Jacobson, I., 1999, The Unified Modeling Language User Guide, Reading, MA: Addison-Wesley.
[19] Guarino, N. & Welty, C., 2000, A formal ontology of properties, in R. Dieng & O. Corby (eds), Proceedings of the 12th European Workshop on Knowledge Acquisition, Modeling and Management, London, Vol. 1937, pp. 97-112.
[20] Wang, J. H., Deng, P. S., et al., 2003, Virus Detection Using Data Mining Techniques, IEEE Security Technology, Oct., pp. 71-76.
[21] Han, J. and Kamber, M., 2001, Data Mining: Concepts and Techniques, Morgan Kaufmann, pp. 226-230, USA.
[22] Lee, J.-S., Hsiang, J. and Tsang, P.-H., 1997, A Generic Virus Detection Agent on the Internet, Proceedings of the Thirtieth Hawaii International Conference on System Sciences, Vol. 4, pp. 210-219.
[23] Kienzle, D. M. and Elder, M. C., 2003, Recent Worms: A Survey and Trends, 2003 ACM Workshop on Rapid Malcode, Washington, DC, USA, October 27, pp. 1-10.
[24] Lee, J. S. & Hsu, P. L., 2003, An IDEF0/Petri net approach to the system integration in semiconductor manufacturing systems, IEEE International Conference on Systems, Man and Cybernetics, Vol. 5, pp. 4910-4915.
[25] Lloyd, B. and Susnik, M., 2002, Web embedded field devices, IEEE Pulp and Paper Industry Technical Conference, pp. 199-202.
[26] Luke, J. and Harris, C. J., 1999, The application of CMAC based intelligent agents in the detection of previously unseen computer viruses, Proceedings of the International Conference on Information Intelligence and Systems, pp. 662-666.
[27] Schultz, M. G., Eskin, E., Zadok, F. and Stolfo, S. J., 2001, Data mining methods for detection of new malicious executables, IEEE Symposium on Security and Privacy, pp. 38-49.
[28] Sahami, M., Dumais, S., Heckerman, D. and Horvitz, E., "A Bayesian Approach to Filtering Junk E-Mail," in Proc. AAAI Workshop on Learning for Text Categorization, Jul. 1998.
[29] Murata, T., 1989, Petri nets: Properties, analysis and applications, Proceedings of the IEEE, Vol. 77, No. 4, pp. 541-580.
[30] Neches, R., Fikes, R. E., Finin, T., Gruber, T. R., Senator, T. & Swartout, W. R., 1991, Enabling technology for knowledge sharing, AI Magazine, Vol. 12, No. 3, pp. 36-56.
[31] NIST FIPS PUB 180-1, 1995, Secure Hash Standard, National Institute of Standards and Technology, U.S. Department of Commerce, April.
[32] Patterson, S. K., 2000, Embedded Web server aids monitoring, Electronic Engineering Times, Feb. 28, Issue 1102, pp. 112-113.
[33] Shear, D., 1997, Putting an Embedded System on the Internet, EDN, Sep. 12, pp. 37-46.
[34] Shih, D. H. and Chiang, H. S., 2004, Email virus: How organizations can protect their emails, Online Information Review, Vol. 28, No. 5, pp. 356-366.
[35] Shih, D. H., Chiang, H. S. and Chan, C. Y., 2004, Internet Security: Malicious Emails Detection and Protection, Industrial Management and Data Systems, Vol. 104, No. 7, pp. 613-623.
[36] Shih, D. H. and Hwang, Y. C., 2003, Analysis and study of web intrusion detection system, Journal of Information Management, Vol. 9, No. 2, pp. 183-214.
[37] Shih, D. H., 2004, Detection of New Malicious Emails Based on Self-Organizing Maps and K-Medoids Clustering, Journal of Information Management, Vol. 11, No. 2, pp. 211-235.
[38] Swartout, B., Ramesh, P., Knight, K. & Russ, T., 1997, Toward distributed use of large-scale ontologies, in A. Farquhar, M. Gruninger, A. Gomez-Perez, M. Uschold & P. van der Vet (Eds.), AAAI'97 Spring Symposium on Ontological Engineering, pp. 138-148, Stanford University, California.
[39] Okamoto, T. and Ishida, Y., A Distributed Approach to Computer Virus Detection and Neutralization by Autonomous and Heterogeneous Agents, The Fourth International Symposium on Integration of Heterogeneous Systems, March 1999, pp. 328-331.
[40] Okamoto, T. and Ishida, Y., 2002, An Analysis of a Model of Computer Viruses Spreading via Electronic Mail, Systems and Computers in Japan, Vol. 33, No. 14.
[41] Uschold, M., King, M., Moralee, S. & Zorgios, Y., 1998, The enterprise ontology, The Knowledge Engineering Review, Vol. 13, No. 1, pp. 31-89.
[42] IEE (The Institution of Electrical Engineers), available online at www.iee.org/policy/areas/Y2K/w-46.cfm.
[43] Gordon, L. A., et al., 2006, CSI/FBI Computer Crime and Security Survey, available online (2006): http://www.cpppe.umd.edu/Bookstore/Documents/2005CSISurvey.pdf
[44] Netscape Communications Corporation, Introduction to SSL, available online (2006): http://developer.netscape.com/docs/manuals/security/sslin/index.htm
[45] OWL Web Ontology Language Overview, available online (2005): http://www.w3.org/2001/sw/WebOnt/
[46] Protégé 2000, available online (2006): http://protege.stanford.edu/
[47] Reti Corporation, available online (2006): http://tw.reticorp.com/
[48] Reti Corporation, available online (2006): http://tw.reticorp.com/News/eDm0606.htm
[49] Treese, W., IETF TLS working group charter (SSL/TLS), available online: http://www.ietf.org/html.charters/tls-charter.html
[50] (Chinese-language source), available online (2006): http://www.find.org.tw/find/home.aspx?page=many&id=140
[51] Base64, available online (2006): http://de.wikipedia.org/wiki/Base64
[52] (Chinese-language source), available online (2006): http://www.issdu.com.tw/
[53] (Chinese-language source), available online (2006): http://survey.yam.com/survey2004/chart/index.php
[54] Symantec (Chinese-language page), available online (2006): http://www.symantec.com/region/tw/enterprise/article/virus_protect.html
[55] Symantec, Bloodhound, available online (2006): http://www.symantec.com/region/tw/avcenter/sarc_brief.html
[56] Trend Micro downloads, available online (2006): http://www.trendmicro.com/download/zh-tw/
[57] Trend Micro, ScriptTrap, available online: http://fr.trendmicro-europe.com/global/products/collaterals/manual/man_01_pcc9_030818_en.pdf