安全的確保是各種網路應用成功的基礎,電子郵件的使用已經是現在人與人溝通的主要工具,而Web提供各種網路上使用最廣、最重要的服務。由於使用的普及,電子郵件已經成為病毒散播的最主要管道,而目前最普遍的防毒方法就是使用病毒特徵碼比對的方式。可惜這種方法只適合用來偵測已知的病毒,對於未知的病毒是無能為力的。為了能夠偵測到最新的病毒,必須時常更新病毒碼。新的病毒層出不窮,面對病毒的防治,總是處於被動的立場。我們極需一種能夠主動偵測未知新病毒的方法。 本研究從使用者寄件行為著手,發現寄件者的溝通行為具有組群的特性,會形成一個個的通訊團體,這種行為有別於郵件病毒的隨機大量寄送的特性。基於此項特性,我們提出一套異常郵件行為的偵測方法。本方法可用來協助於新的未知病毒出現初期,及早偵測出來,將損失降至最低。 而Web是現今網路上使用最廣的服務,對於Web的攻擊也層出不窮,雖然有各種入侵偵測系統的協助,但仍無法保證不會被入侵。因此本研究提出不同於傳統方式的保護方法,不直接偵測入侵,而改從網頁完整性檢驗的角度出發。本方法具有極低的誤報率,由於本方法非採用攻擊特徵比對的方式,因此沒有攻擊特徵碼需要更新的問題。在處理效能上,僅需做完整性的計算,優於傳統攻擊特徵比對方式。 本文所提出的異常郵件偵測方法,仍難免存在不小的誤報率,而網頁完整性的檢驗具有極低誤報率的優點,因此未來我們可以結合完整性檢驗的方法,應用於電子郵件系統的設計上,解決郵件病毒的問題。 Security assurance is the basis for success on the Internet. Viruses and worms constitute a great threat. Many countermeasures have been applied to counteract these malicious threats. Signature-based detection method works well only for a known virus or worm. It is very difficult to defend against an unknown virus or worm. Anomaly detection has the potential to detect unknown attacks. In this thesis, we proposed an abnormal mail detection method based on user mailing behavior. In our observation, human communication would form many parties. This characteristic can help us to differentiate the mailing behavior from email viruses. The proposed method can help us to detect new unknown viruses at the beginning of virus outbreak. To model user behavior is not easy, however, since user behavior may change over time. In the second part of this thesis, we propose a web content protection method which has a very low error rate. It is based on the concept of “integrity”, that is, the information content can be represented by an integrity value. Integrity is a unique value for any given information content. From a distinct prospective, we measure the integrity of Web content, instead of detecting the intrusion directly. If the integrity is violated it means that content modification has occurred. There is no needed of signature updating which is necessary in signature-based detection system. Besides, the computation time is better than that of the traditional type of signature-based detection systems in the long run. In the future, we plan to construct an email system by combining the integrity concept into the email system design.
