安全的確保是各種網路應用成功的基礎，電子郵件的使用已經是現在人與人溝通的主要工具，而Web提供各種網路上使用最廣、最重要的服務。由於使用的普及，電子郵件已經成為病毒散播的最主要管道，而目前最普遍的防毒方法就是使用病毒特徵碼比對的方式。可惜這種方法只適合用來偵測已知的病毒，對於未知的病毒是無能為力的。為了能夠偵測到最新的病毒，必須時常更新病毒碼。新的病毒層出不窮，面對病毒的防治，總是處於被動的立場。我們極需一種能夠主動偵測未知新病毒的方法。
本研究從使用者寄件行為著手，發現寄件者的溝通行為具有組群的特性，會形成一個個的通訊團體，這種行為有別於郵件病毒的隨機大量寄送的特性。基於此項特性，我們提出一套異常郵件行為的偵測方法。本方法可用來協助於新的未知病毒出現初期，及早偵測出來，將損失降至最低。
而Web是現今網路上使用最廣的服務，對於Web的攻擊也層出不窮，雖然有各種入侵偵測系統的協助，但仍無法保證不會被入侵。因此本研究提出不同於傳統方式的保護方法，不直接偵測入侵，而改從網頁完整性檢驗的角度出發。本方法具有極低的誤報率，由於本方法非採用攻擊特徵比對的方式，因此沒有攻擊特徵碼需要更新的問題。在處理效能上，僅需做完整性的計算，優於傳統攻擊特徵比對方式。
本文所提出的異常郵件偵測方法，仍難免存在不小的誤報率，而網頁完整性的檢驗具有極低誤報率的優點，因此未來我們可以結合完整性檢驗的方法，應用於電子郵件系統的設計上，解決郵件病毒的問題。

Security assurance is the basis for success on the Internet. Viruses and worms constitute a great threat. Many countermeasures have been applied to counteract these malicious threats. Signature-based detection method works well only for a known virus or worm. It is very difficult to defend against an unknown virus or worm. Anomaly detection has the potential to detect unknown attacks. In this thesis, we proposed an abnormal mail detection method based on user mailing behavior. In our observation, human communication would form many parties. This characteristic can help us to differentiate the mailing behavior from email viruses. The proposed method can help us to detect new unknown viruses at the beginning of virus outbreak.
To model user behavior is not easy, however, since user behavior may change over time. In the second part of this thesis, we propose a web content protection method which has a very low error rate. It is based on the concept of “integrity”, that is, the information content can be represented by an integrity value. Integrity is a unique value for any given information content. From a distinct prospective, we measure the integrity of Web content, instead of detecting the intrusion directly. If the integrity is violated it means that content modification has occurred. There is no needed of signature updating which is necessary in signature-based detection system. Besides, the computation time is better than that of the traditional type of signature-based detection systems in the long run. In the future, we plan to construct an email system by combining the integrity concept into the email system design.

1. 2004 Virus Prevalence Survey, http://www.icsalabs.com/icsa/docs/html/library/whitepapers/VPS2004.pdf
2. Yen, David C., Chou, David C., and Cao, J. H., "Innovation in Information Technology: Integration of Web and Database Technologies," Int. J. of Innovation and Learning, Vol. 1, No.2 , 2004, pp.143-157
3. Hollander, Yona, The Future of Web Server Security, http://www.mcafee.com/us/local_content/white_papers/wp_future.pdf.
4. Symantec, http://www.symantec.com/avcenter/
5. Trend Micro, http://www.trendmicro.com/tw/home/enterprise.htm
6. B. Le Charlier, A. Mounji and Morton Swimmer, “Dynamic detection and Classification of Computer viruses using general behaviour patterns”, Proceedings of Fifth International Virus Bulletin Conference, Sep 1995
7. Virii Generators: Understanding the Threat，http://www.sans.org/reading_room/whitepapers/malicious/144.php
8. Simple Mail Transfer Protocol, http://www.sendmail.org/rfc/0821.html
9. E-mail Explained, http://www.sendmail.org/misc/email-explained.html
10. 電腦病毒有著巨大的破壞潛力，http://www.symantec.com/region/tw/enterprise/article/virus_protect.html
11. 各類防毒技術，http://www.trendmicro.com/tw/security/general/guide/overview/guide04.htm
12. G. Tesauro, J. O. Kephart and G. B. Sorkin, “Neural Network for Computer Virus Recognition” , IEEE expert, Vol 11, No 4, Aug 1996, pp5-6
13. Steve R. White, Morton Swimmer, Edward J. Pring et al, “Anatomy of a Commercial-Grade Immune System”, http://www.research.ibm.com/antivirus/SciPapers/White/Anatomy.html
14. The Digital Immune System, http://www.symantec.com/avcenter/reference/dis.tech.brief.pdf
15. Understanding Heuristics: Symantec’s Bloodhound Technology, http://www.symantec.com/avcenter/reference/heuristc.pdf
16. Steve R. White, “Open Problems in Computer Virus Research”, Virus Bulletin Conference, Munich, Germany, October 1998, access from http://www.research.ibm.com/antivirus/SciPapers/White/Problems/Problems.html
17. Intrusion Detection FAQ, http://www.sans.org/newlook/resources/IDFAQ
18. S. Forrest, S. A. Hofmeyr, A. Somayaji and Thomas A. Longstaff, “A Sense of Self for Unix Processes”, Proceedinges of the 1996 IEEE Symposium on Research in Security and Privacy, 1996, pp120-128
19. Terran Lane and Carla E. Brodley, “Temporal sequence learning and data reduction for anomaly detection”, Proceedings of the 5th Conference on computer & Communications Security, ACM, San Francisco, CA, USA, Nov 2-5, 1998, pp 150~158
20. Stefan Axelsson, “On a difficulty of Intrusion Detection”, 2nd Intl. Workshop on Recent Advances in Intrusion Detection (RAID''99), September 7-9, 1999
21. S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, J. Rowe, S. Staniford-Chen, R. Yip, and D. Zerkle, "The Design of GrIDS. A Graph-Based Intrusion Detection System," Technical Report CSE-99-2, Computer Science Department, The University of California, Davis, January 1999.
22. Keisuke Ishibashi, Tsuyoshi Toyono, Toyama, Katsuyasu, Ishino, Masahiro, Ohshima, Haruhiko, and Mizukoshi, Ichiro, “Detecting Mass-Mailing Worm Infected Hosts by Mining DNS Traffic Data”, In Proc. of the 2005 ACM SIGCOMM workshop on Mining network data, Philadelphia, Pennsylvania, USA, August 22-26, 2005, pp.159-164
23. Whyte, D., Oorschot, P.C. van, and Kranakis, E., “Addressing Malicious SMTP-based Mass-Mailing Activity Within an Enterprise Network.”, Carleton University, SCS Technical Report, TR-05-06, May 2005.
24. Stolfo, Salvatore J., Hu, Chia-Wei, Li, Wei-Jen, Hershkop, Shlomo, Wang, Ke, and Nimeskern, Olivier. "Combining Behavior Models to Secure Email Systems", CU Tech Report, April 2003
25. Salvotore J. Stolfo, Shlomo Hershkop, Chia-Wei Hu, Wei-Jen Li, Olivier Nimeskern, Ke Wang, "Behavior-based Modeling and its Application to Email Analysis", ACM Transactions on Internet Technology (TOIT) , Feb 2006
26. Tripwire Software for Use on Web Servers，http://www.tripwire.com/files/literature/application_notes/Tripwire_App_Note_TFS_Web_Servers.pdf
27. SecureIIS™ Web Server Protection，http://www.eeye.com/html/products/secureiis/
28. UrlScan Security Tool，http://www.microsoft.com/technet/security/tools/urlscan.mspx
29. IIS Lockdown Tool，http://www.microsoft.com/technet/security/tools/locktool.mspx
30. ModSecurity，http://www.modsecurity.org/documentation/index.html
31. KNOPPIX, http://www.knoppix.org/
32. CERT® Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL, http://www.cert.org/advisories/CA-2001-19.html
33. Conquering Complex Viruses, http://enterprisesecurity.symantec.com/article.cfm?articleid=11&PID=4402422, 2000.
34. Sandeep Kumar and Eugene H. Spafford, “A Generic Virus Scanner in C++”, In Proc. of the 8th Computer Security Applications Conference, IEEE press, 1992.
35. Da-Wei Lin and Yi-Min Chen, ”Detection of Anomalous Mailing Behavior Using Novel Data Mining Approaches”, Journal of Information, Technology and Society, 中央警察大學, Jun 2006.
36. Jiawei Han and Micheline Kamber, Data mining: Concepts and Techniques, Morgan Kaufmann, 2001.
37. R. Agrawal, T. Imielinski and A. Swami, “Mining Association Rules between Sets of Items in Large Databases”, In Proc. of the ACM SIGMOD Conference on Management of Data, Washington D.C., May 1993, pp.207-216.
38. R. Srikant and R. Agrawal, “Mining Generalized Association Rules”, In Proc. of the 21st international Conference on Very Large Data Bases, 1995, pp. 407-419
39. V. Barnett and T. Lewis, Outliers in Statistical Data, 3rd edition, John Wiley, 1994.
40. Edwin M. Knorr and Raymond T. Ng, “Algorithms for Mining Distance-Based Outliers in Large Datasets”, In Proc. of the 24th VLDB Conference, New York, USA, 1998.
41. R. L. Kennedy, Y. Lee, B.V. Roy, C. D. Reed and R. P. Lippmann, “Solving Data Mining Problems through Pattern Recognition”, Prentice Hall, 1998
42. Julio Cella “Antivirus at SMTP Gateways Level” http://www.giac.org/certified_professionals/practicals/gsec/0846.php.
43. William Stallings, Network and Internet Security, Prentice Hall, 1995
44. Hollander, Yona, Prevent Web Site Defacement, http://www.mcafee.com/us/local_content/white_papers/wp_2000hollanderdefacement.pdf.
45. Yona Hollander, The Future of Web Server Security, http://www.mcafee.com/us/local_content/white_papers/wp_future.pdf.
46. Automatic Execution of Embedded MIME Types, http://www.cert.org/advisories/CA-2001-06.html, 2001.
47. Julio Cella, “Antivirus at SMTP Gateways Level” http://www.giac.org/certified_professionals/practicals/gsec/0846.php.
48. Lance Spitzner, Honeytokens: The Other Honeypot, http://www.securityfocus.com/infocus/1713, July 2003.
49. Da-Wei Lin and Yi-Min Chen, “Dynamic Webpage protection based on Content integrity”, Int. J. Services and Standards, has been accepted to be published.
50. Apache software foundation, http://www.apache.org, 2006
51. PHP: Hypertxt Preprocessor, http://www.php.net, 2006
52. MySQL, http://www.mysql.com, 2006.
53. Perl, http://www.perl.com, 2006