Title

A Study on Malicious Email Detection: Self-Organizing Maps and k-medoids Clustering as an Example

Parallel Title (English)

Detection of New Malicious Emails Based on Self-Organizing Maps and K-Medoids Clustering

DOI

10.6382/JIM.200404.0211

Author

Dong-Her Shih (施東河)

Keywords

self-organizing maps ; k-medoids clustering ; email virus detection ; email virus ; self-organizing maps (SOM) ; K-medoids ; email virus detection ; anti-virus

Journal

Journal of Information Management (資訊管理學報)

Volume/Issue (Publication Date)

Vol. 11, No. 2 (2004/04/01)

Pages

211 - 235

Language

Traditional Chinese

Chinese Abstract (translated)

One of the most important Internet security threats today is malicious email viruses and network worms that use email as their propagation medium; these viruses and worms grow at a rate of thousands per year and constitute a series of security threats. Most current anti-virus software guards against new email viruses by extracting virus signatures, but until the signature of a new email virus has been found and distributed, the user's computer is exposed to the threat of that virus. This study proposes a malicious email detection model that combines self-organizing maps with k-medoids clustering to detect new, unknown malicious email viruses. The proposed model analyzes the characteristics of various malicious email viruses to identify the behavioral features that distinguish normal email from malicious email viruses, so that new, unknown malicious email viruses can be detected automatically. Using detection rate and false-positive rate as performance indicators, the proposed model is compared with naive Bayes classification and anti-virus software; the experimental results show that the proposed model is clearly superior to naive Bayes classification and general anti-virus software.

English Abstract

A serious security threat today is malicious email, especially new, previously unseen Internet worms and viruses, which often arrive as email attachments. These new malicious emails are created at the rate of thousands every year and pose a serious security threat. Current anti-virus systems attempt to detect these new malicious mail viruses with signatures generated by hand, but this is costly and oftentimes too slow: until a signature is produced and distributed, users remain exposed. In this paper, we present a method that combines self-organizing maps (SOM) with k-medoids clustering to detect new, previously unseen malicious emails accurately and automatically. The method automatically discovers behaviors in the data set and uses them to detect a set of new malicious mail viruses, including scripts that had not been discussed before. Results for naive Bayes classification and anti-virus software are also shown for comparison, and show that the proposed method outperformed the other methods.

Subject Classification

Basic and Applied Sciences > Information Science
Social Sciences > Management
Cited by

  1. 黃信銓, 施東河, 姜琇森 (2007). Ontology-Based Malicious Email Detection. Journal of Information Management (資訊管理學報), 14(S), 1-28.