Research Project Report, National Science Council, Executive Yuan

Project number: NSC 95-3113-P-224-004
Execution period: 95/2/1 to 96/1/31 (ROC calendar)
Principal investigator: 施東河, Department of Information Management, Yunlin University of Science and Technology
Email: [email protected]

1. Abstract

The widespread use of the Internet has made computer security an important issue. Anti-virus software is currently the primary mechanism for protecting computers from virus damage. This mechanism relies on updates to the virus pattern (or signature) and the scan engine to detect a new virus. A serious security threat today is malicious executables, especially new, unseen malicious executables that often arrive as email attachments. One of the primary problems faced by the virus community is devising methods for detecting new viruses that have not yet been analyzed. Eight to ten viruses are created every day, and most cannot be accurately detected until signatures have been generated for them. During this period, systems protected by signature-based algorithms are vulnerable to attack.

We propose a method that uses an ontology to support behavior detection and knowledge management for email viruses. It constructs an email virus ontology according to the behavior characteristics of email viruses, then uses the ontology to detect and manage email virus behavior. The ontology is transformed into Petri nets, which are used for inference to detect email viruses, and the transformation is performed automatically. Finally, we use Protégé 2000 to implement and manage the email virus behavior ontology.

We designed and implemented an intelligent email filter as an embedded system. It acts as an email gateway that filters inbound messages by enforcing email virus rule policies. The embedded system also provides a web-based administrative interface through which system administrators configure the system and set up their email virus rule filtering policies.


    The three main results of the study are: first, an innovative design for the embedded system; second, the design and implementation of multi-role and security functions for managing the embedded system; and third, a design oriented toward usability (usefulness) and ease of use.

    Ontology, Petri Net

    [50] 2006 3

    CSI/FBI 2006 [43]

    [53]

    2004 20

    Web-baseOutlook Outlookexpress 87%

    () [50] 2006 3 963

    2-1 (2006)

    2-1

    1998

    2-1

    2-1

    CSI/FBI 2006 [43] 2-2 2005

    2-2 Dollar Amount Losses by Type(CSI/FBI 2006)

    2.1

    2.1.1

    (Kienzle andElder,2003[23])[6] (Viruses)(Worm)Takeshi[40]

  • 3

    ()

    Kienzle and Elder[23]

    API

    SMTP

    1.

    (1).

    (2).

    HTML

    HTML

    SCRIPT MIMEJava applet

    2.

    [2]

    (1).

    ( )(911)

    (2).

    (3). windows

    XLS DOC MSOffice Office

    VBSHTAREG BAT VBS Script HTA VBScript REG BAT

    VBS HTA

  • 4

    EXE SCR PIFwindows

    (1).

    readme.txt.exe goldfish.doc.pif EXE Nimda

    (2).

    (WORM_MALDAL.C) Flash

    3. [6]

    (1).

    (2).

    (3).

    W32.Navidad

    windows winsock.dll

    Happy99.Worm

    2.1.2

    Shear[33]

    Cole[14]

    Patterson[32]

    HTML

    Lioyd[25](Web)(Field Devices)

    (IEE - TheInstitution of Electrical Engineers)[42]

    1.

    2.

  • 5

    CPU 8051 x86

    3.

    (Customize)Set-Top-BoxGPSPDA EmbeddedserverThin client

    1971 Intel 4004

    SoC

    1.

    2.

    hard real-time embedded systems softreal-time embedded system

    3.

    4.

    4G

    TWNIC 2004 9 1.1

    NET-Start-IXP! 32-bit Intel XScale

  • 6

    IXP420IPX420 RISC

    PCI 8MB Flash 32MBSDRAMLAN port*4WAN port16MBNAND-FlashUSB

    Linux BusyBoxApache+PHP Server

    2.2

    1987 [54]

    (matching virus definition patterns)(check sum) I/O (realtime I/O scan) (Behavior-Based virus detection) (Agent-Based virus detection) [6]

    1.

    [13][26][6]

    RetiCorporation[47]Proxy basevirus scan[48]

    port proxybased port

    2.

    (check number)

    Schultz Multi-Naive Bayes [28][20] Hexdump Byte Sequnces Bayes Bayes Bayes

    (checksum)

    [26]

  • 7

    3. /

    I/O (I/O Stream)

    [48][52] Stream-base HTTPHTTPSSMTPPOP3IMAP FTP

    4.

    Bloodhound [55]Bloodhound

    (program region)

    (program logic)

    ScriptTrap [57]ScriptTrap JavaScript VBScript HTMLXML

    J. H. Wang

    (decision tree) (Bayesiannetwork)[27] Shih, D.H. NaiveBayes[36] [35] SOM K-Medoids[37]Schultz Multi-Naive Bayes[20]

    5.

    (intelligent virus)[26]

    (agent)[26](Mobile)

    [26][22]IBM [26] T.Okamoto (heterogeneousagents)[39]

  • 8

    2-2

    2-2

    (1)

    (2)

    (3)

    3.1

    (Ontology)

    (Class)(Individual) (Property)(Petri Net)

    (MemberFunction)

    3.2 (Petri net)

    Petri net PN 1962 Carl Adam Petris

    (Murata,1989[29]) PN (Dynamicmodeling)

  • 9

    (Zhou & Jeng1998)PN

    PN

    (Zaytoon1996) Petri net

    3.2.1 Petri Net

    PN (1) (place) (2) (transition)(3)(arcs)(Lee& Hsu2003[24])PN 3-1(Murata,1989[29]Cassandras &Lafortune1999)

    3-1 Petri net

    PN

    (enable)(fire) (fire) (enable) (transition) PN

    (initial marking)M0 N PN N (place)(transition)(arcs)(place)(transition) (transition)(place) (arcs) () k (arcs)(place) k (arcs)(marking)(token)(place)(marking)

    y (place) p p y(token) (Murata1989[29])

    (node)(link) (Zhou &Jeng1998) PN (place)(transition)

    (transition)PN (arcs) (place)(transition)(arcs) PN PN (Zhou & Jeng1998)(token) PN

    3-2 (Murata[29][1])

    3-2 Petri Net

    3.3

    andor

    (Chenet al.[12],1990;Looney and Alfize,1987[11])

    d1 d2 d1 d1 d2

  • 10

    3.4 Ontology

    Ontology Bunge[10]

    knowledge engineering, knowledge representation, qualitative modeling, language engineering, database design, information modeling, information integration, object-oriented analysis, information retrieval and extraction, knowledge management and organization (Guarino [19])

    3.4.1 Ontology

    Ontology

    Neches [30] ontology (terms)(relations)(vocabulary)

    Swartout et al.[38] Ontology

    Guarino[19] Ontology

    Uschold & Jasper[41] Ontology

    3.4.2 Ontology

    Uschold and King [41] ontology; TOVE (Gruninger and Fox, 1995); KACTUS (Bernaras, Laresgoiti & Corera [9]); METHONOLOGY (Gomez-Perez, Fernandez & Vicente [17]); SENSUS (Swarout, Ramesh, Knight & Russ [38]); On-To-Knowledge (Staab, Schnurr, Studer & Sure, 2001)

    Fernandez-Lopez[17] 9 ontology

    3.5

    WWW

    3.5.1 HTTPS

    https HTTP HTTP HTTP SSL https SSL SSL

    SSL Secure Socket Layer 1994 Netscape [44] 1996 11 3.0 IETF(Internet Engineering Task Force)1999 RFC2246 TLS(Transport Layer Security)[49]TLS SSL 1.0 SSL , Internet Netscape , IE SSL SSL

    SSL SSL 40

    128

  • 11

    SSL

    4

    SSL

    1.

    (Handshake Protocol)

    2. SSL

    3. (MAC)

    (SHA1,MD5)[31]0

    3.5.2 Base64

    Base64 8

    8 6 1/3 33%Base64 RFC2045[51]

    Ontology PN

    4.1

    1999 04 2004 6 ( FTP )

    4-1

    4-1

    4.2

    [35][36][37][2]

    4.2.1

    4-2 82.8%

  • 12

    MIME SCRIPT

    100%

    4-2

    Patterns Ontology

    4-2 12 [34] 4-3

    4-3

    4.3 Ontology

    Ontology

    Ontology

    SMI (Stanford Medical Informatics) Protégé 2000 [46]

    Class

    Property

    Individual

    Uschold King[41] Ontology

    1.

    4-3

    2. ontology

    (General concept)

    3. OWL[45]

    OWL 4-1

    4. OWL Protégé-2000

  • 13

    4-2

    4-1 OWL

    4-2

    4.4 PN

    Ontology Ontology 4-2Ontology Petri Net 4-4 (Rule) 4-5

    4.4.1 Ontology Petri Net

    4-4 Petri Net OWL Protégé Ontology

    4-4 Petri Net Ontology

    ConceptA ConceptA1ConceptA2ConceptA3 Petri Net Place4

    Place1Place2 Place3

    Concept B ConceptB1ConceptB2ConceptB3 Petri Net Place1 Place2 Place3 (fire) Place4

    ConceptA ConceptA1ConceptA1 ConceptA11 ConceptA11 ConceptA PetriNet Place1 Place2 Place3

    ConceptA ConceptBConceptB ConceptA Petri Net Place2 Place4

    4-4 Ontology Petri Net

    Ontology Petri net Ontology 4-2 4-4 4-4 PN

    Confidence

  • 14

    support confidence Support A B Confidence A B 60% 4-3 A B 60%

    4-3

    Confidence(A => B) = P(B|A)

    4-3 Confidence formula

    4-5

    Ontology Petri Net 4-4 4-5 12 [0,1,...,1]

    Example

    1. 12 [x1,x2,...,x12] 1 0

    12

    [1,1,1,0,0,1,0,0,0,0,1,1] 4-5 R1, R2, R3, R6, R11, R12

    2. (R1, R2, R3)

    X6 = MAX(X1X6, X2X6, X3X6) = MAX(1*0.898, 1*0.924, 1*0.949) = 0.949

    3. R11 X11 = 0.949*0.898 = 0.836 X9 X10 X11 X11

    4. R12 X12 = 0.836*1 = 0.836

    5. R13 X13 = 0.836*1 = 0.836

    [Figure residue: places X1 to X13; arc confidences c16=0.898, c26=0.924, c36=0.949, c48=0.714, c58=0.285, c69=1.0, c6-10=0.761, c6-11=0.898, c6-12=1.0, c7-10=0.40, c7-11=1.0, c7-12=1.0, c8-10=1.0, c8-11=1.0, c8-12=1.0, c9-12=1.0, c10-12=1.0, c11-12=1.0, c12-13=1.0]

    4-4 PN

    R1: IF d1 or d2 or d3 THEN d6
    R2: IF d4 or d5 THEN d8
    R3: IF d6 THEN d9
    R4: IF d6 THEN d10
    R5: IF d6 THEN d11
    R6: IF d6 THEN d12
    R7: IF d7 THEN d10
    R8: IF d7 THEN d11
    R9: IF d7 THEN d12
    R10: IF d8 THEN d10
    R11: IF d8 THEN d11
    R12: IF d8 THEN d12
    R13: IF d9 THEN d12
    R14: IF d11 THEN d12
    R15: IF d10 THEN d12
    R16: IF d12 THEN d13

    4-5

  • 15

    4.5

    1. True Positive(TP)

    2. True Negatives(TN)

    3. False Positives(FP)

    4. False Negatives(FN)

    5. Detection Rate = TP / (TP + FN)

    6. False Positive Rate = FP / (TN + FP)

    7. Overall Accuracy = (TP + TN) / (TP + TN + FP + FN)

    4-6

    \

    (TP) (FN)

    (FP) (TN)

    (1999 2004 )

    TPTN99%FN0%FP2%

    (Cross Validation)

    2004 12

    4-7 SOM, Naive Bayes, Decision tree [36]

    4-7 (= detected)

    5-1

    [Figure 5-1: flowchart with Mail Server and a Y/N decision]

  • 16

    1.

    (1,1,1,1,0,0,0,1,0,1)

    2.

    Network-based)

    5.1.1

    1.

    ID

    2. (1).

    (2).

    (3).

    ID ID

    ID

    3. (1).

    IP

    (2).

    4. (1).

    Web browser

    WEB Mail

  • 17

    5-2

    SMART

    5-2 SMART

    5.2

    5.2.1

    5-3

    [Figure 5-3: labels https, Base64, Mail Server, Security Server, Expert, End User, Network Manager, Sales Manager, IMAP, EEVF]

    5.3

    NET-Start-IXP Intel Xscale IXP420 CPU IPX420 RSIC 32bit IPX420 NET-StartIXP

    Embedded Linux

    WebMail

  • 18

    Mail Server 5-1

    5-1

    5.4

    1.

    5-4

    (1).

    (2).

    (3).

    [Figure 5-4: flowchart with START, two decision nodes with Y/N branches, Logout]

    2.

    5-5

    Mail

    (1).

    (2).

  • 19

    (3). Mail

    (4).

    Mail

    [Figure 5-5: flowchart with Start, three decision nodes with Y/N branches, Logout]

    5.5 UML

    (Unified ModelingLanguage, UML)[18]

    UML

    ;

    5.5.1 UML

    UML

    UML

    UML

    UML [3] UML

    5.5.2

    Use Case

    (Actor)Use Case Diagram

  • 20

    1.

    ID ID

    5-6

    [Figure 5-6: labels System Provider, Network Manager, Mail Server, Internet, LAN, EEVF]

    2. EEVF

    EEVF 5-7

    [Figure 5-7: labels End User, EEVF]

    5.5.3

    1.

    5-8

    SecurityServer

  • 21

    [Figure 5-8: participants Network Manager, EEVF, End User, Mail Server, Security Server; 12 numbered messages, of whose labels only "Password" and "Mail Server IP" survive]

    2.

    5-9 Security Server

    [Figure 5-9: participants Network Manager, EEVF, End User, Mail Server, Security Server; 8 numbered messages, of whose labels only "Password" survives]

    3.

    5-10

    [Figure 5-10: participants Network Manager, EEVF, End User, Mail Server, Security Server; 7 numbered messages]

    4.

    5-11

    [Figure 5-11: participants Expert, Security Server; 4 numbered messages]

    5.

    5-12 Security Server

  • 22

    [Figure 5-12: participants Sales Manager, Security Server, Network Manager; 10 numbered messages]

    1.

    2.

    Server https

    3. WEBMail

    1. Shih, D. H., S. F. Hsu, H. S. Chiang and C. P. Chang, 2005, Misuse Detection of Email Viruses base on SOM with k-medoids, Research on computer science - Advances in AI applications, vol. 17, pp. 139-148.

    2. Shih, D. H., H. S. Chiang and D. C. Yen, 2005/06, Classification Methods in the Detection of New Malicious Emails, Information Sciences, Vol. 172, pp. 241-261. (SCI, SSCI)

    3. Shih, D. H., 2004, Detection of New Malicious Emails Based on Self-Organizing Maps And K-Medoids Clustering, J. of Information Management, Vol. 11, No. 2, pp. 211-235. (TSSCI)

    4. Shih, D. H., H. S. Chiang, C. Y. Chan, 2004, Internet Security: Malicious Emails Detection and Protection, Industrial Management and Data Systems, Vol. 104, No. 7, pp. 613-623. (SCI)

    5. Shih, D. H. and H. S. Chiang, 2004, Email virus: How organizations can protect their emails, Online Information Review, Vol. 28, No. 5, pp. 356-366. (SSCI)

  • 23

    6. H. S. Chiang, J. C. Shen, D. H. Shih, 2006/07, Ontology based Knowledge Management of Email Viruses, Proceedings of International Conference on Pacific Rim Management 16th Annual Meeting, 2006/07/27 ~ 2006/07/29, USA, Honolulu, Hawaii, pp. 455-460.

    7. Shih, D. H., S. F. Hsu, H. S. Chiang and C. P. Chang, 2005/11, Misuse Detection of Email Viruses base on SOM with k-medoids, Mexican International Conference on Artificial Intelligence, 2005/11/14 ~ 2005/11/18, MEXICO, Monterrey, 10 pages.

    [1] 2004 Petri net

    [2] 2003

    [3] UML 2002 5p117-p120

    [4] 2004 ARM MP3

    [5] 2002-

    [6] 2001

    [7] . , , Dec, 2000.

    [8] R. L. Rivest, 1992, The MD5 Message Digest Algorithm, RFC 1321, April 1992.

    [9] Bernaras, A., Laresogiti, I. & Corera, J., 1996, Building and reusing ontologies for electrical network applications, In W. Wahlster (Ed.) European Conference on Artificial Intelligence, pp. 298-302.

    [10] Bunge, M., 1977, Ontology I: The Furniture of the World. Treatise on Basic Philosophy, Vol. 3, Boston, Mass.: D. Reidel Publishing.

    [11] C. G. Looney and A. R. Alfize, "Logical controls via Boolean rule matrix transformations," IEEE Trans. Syst., Man, Cybern., vol. SMC-17, no. 6, pp. 1077-1082, Nov./Dec. 1987.

    [12] Chen S., J. S. Ke and Chang J., "Knowledge Representation Using Fuzzy Petri Nets," IEEE Transactions on Knowledge and Data Engineering, Vol. 2, No. 3, pp. 311-319, 1990.

    [13] Cohen, F., Security Technology, 1991, Current best practice against computer viruses, 25th Annual IEEE International Carnahan Conference on, Page(s): 261-270.

    [14] Cole, B., 2001, Microcontrollers craft a network future, Electronic Engineering Times, May 21, Issue 1167, p71-73.

    [15] D. H. Shih, H. S. Chiang and D. C. Yen, 2005, Classification Methods in the Detection of New Malicious Emails, Information Sciences, Vol. 172, Issue: 1-2, June 9, pp. 241-261.

    [16] Davis, R., 1988, Aerospace Computer Security Applications Conference, Fourth, Page(s): 7/11.

    [17] Fernandez-Lopez, M., Gomez-Perez, A., Sierra, J.P. & Sierra, A.P., 1999, Building a chemical ontology using Methontology and the Ontology Design Environment, IEEE Intelligent Systems, Vol. 14, No. 1, pp. 37-46.

    [18] Grady Booch, James Rumbaugh, and Ivar Jacobson, 1999, The Unified Modeling Language User Guide, Reading MA: Addison-Wesley.

    [19] Guarino, N. & Welty, C., 2000, A formal ontology of properties, In R. Dieng & O. Corby (eds), Proceedings of the 12th European Workshop on Knowledge Acquisition, Modeling and Management, London, Vol. 1937, pp. 97-112.

    [20] J. H. Wang, P. S. Deng, et al., 2003, Virus Detection Using Data Mining Techniques, IEEE Security Technology, Oct., pp. 71-76.

    [21] J. Han and M. Kamber, 2001, Data mining concepts and techniques. Morgan Kaufmann, pp. 226-230, USA.

    [22] Jieh-Sheng Lee, Jieh Hsiang, Po-Hao Tsang, 1997, A Generic Virus Detection Agent on the Internet, System Sciences, Proceedings of the Thirtieth Hawaii International Conference on, Volume: 4, Page(s): 210-219 vol. 4.

    [23] Kienzle, Darrell M., and Elder, Matthew C., 2003, Recent Worms: A Survey and Trends, the 2003 ACM workshop on Rapid Malcode, Washington, DC, USA, October 27, pp. 1-10.

    [24] Lee, J. S. & Hsu, P. L., 2003, An IDEF0/Petri net approach to the system integration in semiconductor manufacturing systems, IEEE International Conference Systems, Man and Cybernetics, Vol. 5, pp. 4910-4915.

    [25] Lioyd, B. and Susnik, M., 2002, Web embedded field devices, IEEE Pulp and Paper Industry Technical Conference, p199-202.

    [26] Luke, J.; Harris, C.J., 1999, The application of CMAC based intelligent agents in the detection of previously unseen computer viruses, Information Intelligence and Systems, Proceedings. International Conference on, 1999, Page(s): 662-666.

    [27] M. G. Schultz, E. Eskin, F. Zadok, S. J. Stolfo, Data mining methods for detection of new malicious executables, IEEE Security and Privacy, pp. 38-49.

    [28] M. Sahami, S. Dumais, D. Heckerman, and E. Horvitz, "A Bayesian Approach to Filtering Junk E-Mail," in Proc. AAAI 1998, Jul. 1998.

    [29] Murata, T., 1989, Petri nets: Properties, analysis and application. Proceedings of the IEEE, Vol. 77, No. 4, pp. 541-580.

    [30] Neches, R., Fikes R. E., Finin T., Gruber T. R., Senator, T. & Swartout W. R., 1991, Enabling technology for knowledge sharing. AI Magazine, Vol. 12, No. 3, pp. 36-56.

    [31] NIST FIPS PUB 180-1, 1995, Secure Hash Standard, National Institute of Standard and Technology, U.S. Department of Commerce, April.

    [32] Patterson, S. K., 2000, Embedded Web server aids monitoring, Electronic Engineering Times, Feb. 28, Issue 1102, p112-113.

    [33] Shear, D., 1997, Putting an Embedded System on the Internet, EDN, Sep. 12, pp. 37-46.

    [34] Shih D. H. and H. S. Chiang, 2004, Email virus: How organizations can protect their emails, Online Information Review, Vol. 28, No. 5, pp. 356-366.

    [35] Shih, D. H., H. S. Chiang, C. Y. Chan, 2004, Internet Security: Malicious Emails Detection and Protection, Industrial Management and Data Systems, Vol. 104, No. 7, pp. 613-623.

  • 24

    [36] Shih, D.H. and Hwang Y. C., 2003, Analysis and study of web intrusion detection system, J. of Information Management, Vol. 9, No. 2, pp. 183-214.

    [37] Shih, D.H., 2004, Detection of New Malicious Emails Based on Self-Organizing Maps And K-Medoids Clustering, J. of Information Management, Vol. 11, No. 2, pp. 211-235.

    [38] Swarout, B., Ramesh, P., Knight, K. & Russ, T., 1997, Toward distributed use of large-scale ontology. In A. Farquhar, M. Gruninger, A. Gomez-Perez, M. Uschool & ven der Vet P (Eds.) AAAI97 Spring Symposium on Ontological Engineering (pp. 138-148). California: Stanford University.

    [39] T. Okamoto and Y. Ishida, A Distributed Approach to Computer Virus Detection and Neutralization by Autonomous and Heterogeneous Agents, The Fourth International Symposium on Integration of Heterogeneous Systems, March 1999, pp. 328-331.

    [40] Takeshi, Okanmoto and Yoshiteru, Ishida, 2002, An Analysis of a Model of Computer Viruses Spreading via Electronic Mail, Systems and Computers in Japan, Vol. 33, No. 14.

    [41] Uschold, M., King, M., Moralee, S. & Zorgios, Y., 1995, The enterprise ontology. The Knowledge Engineering Review, Vol. 13, No. 1, pp. 31-89.

    [42] IEE The Institution of Electrical Engineers, Available online at www.iee.org./policy/areas/Y2K/w-46.cfm.

    [43] Lawrence A., 2006, CSI/FBI Computer Crime and Security Survey, Available online at, 2006: http://www.cpppe.umd.edu/Bookstore/Documents/2005CSISurvey.pdf

    [44] Netscape Communications Corporation, Introduction to SSL, Available online at, 2006, http://developer.netscape.com/docs/manuals/security/sslin/index.htm.

    [45] OWL Web Ontology Language Overview. Available online at: http://www.w3.org/2001/sw/WebOnt/, 2005

    [46] Protege 2000, Available online at http://protege.stanford.edu/, 2006

    [47] Reti Corporation, Available online at, 2006, http://tw.reticorp.com/

    [48] Reti Corporation, Available online at, 2006, http://tw.reticorp.com/News/eDm0606.htm

    [49] Win Treese, SSL/TLS, Available online at, http://www.ietf.org/html.charters/tls-charter.html.

    [50] , Available online at, 2006, http://www.find.org.tw/find/home.aspx?page=many&id=140

    [51] , Available online at, 2006, http://de.wikipedia.org/wiki/Base64

    [52] , Available online at, 2006, http://www.issdu.com.tw/

    [53] , Available online at, 2006, http://survey.yam.com/survey2004/chart/index.php

    [54] , Available online at, 2006, http://www.Symantec.com/region/tw/enterprise/article/virus_protect.html

    [55] , Bloodhound, Available online at, 2006, http://www.symantec.com/region/tw/avcenter/sarc_brief.html

    [56] , Available online at, 2006, http://www.trendmicro.com/download/zh-tw/

    [57] ScriptTrap, http://fr.trendmicro-europe.com/global/products/collaterals/manual/man_01_pcc9_030818_en.pdf
