VERIFICATION OF THE PROTECTION SERVICES IN ANTIVIRUS SYSTEMS BY USING NUSMV MODEL CHECKER

International Journal in Foundations of Computer Science & Technology (IJFCST), Vol.4, No.5, September 2014

DOI:10.5121/ijfcst.2014.4506 57

VERIFICATION OF THE PROTECTION SERVICES IN ANTIVIRUS SYSTEMS BY USING NUSMV MODEL

CHECKER

Monire Norouzi1, Saeed Parsa2*

1Department of Computer Engineering, Shabestar Branch, Islamic Azad University, Shabestar, Iran

2Department of Software Engineering, Iran University of Science and Technology, Tehran, Iran

ABSTRACT In this paper, a model of protection services in the antivirus system is proposed. The antivirus system behavior separate in to preventive and control behaviors. We extract the properties which are expected from the model of antivirus system approach from control behavior in the form of CTL and LTL temporal logic formulas. To implement the behavior models of antivirus system approach, the ArgoUML tool and the NuSMV model checker are employed. The results show that the antivirus system approach can detects fairness, reachability, deadlock free and verify some properties of the proposed model verified by using NuSMV model checker. KEYWORDS verification, antivirus system, protection services, kripke structure, NuSMV 1. INTRODUCTION Today, antivirus software [1] is very important in business and software development, because in any computer, system should install a security application on itself to maintain regularize and secure of its data. In the recent years, many attacks [2] are occurred to variety systems like bank servers, military systems and home systems by variety Viruses and Malwares [3]. Information maintenance and prevent to data accessibility is the cause of attacking and destroying data which has been occurred by Invasive malware [4, 5] widely and suddenly. So, the customers want to a reliable secure software [6].

The attacks in system security [7] section is divided in to two parts. The first set of attacks are enabled to eliminate security files or security applications of a computer system. After disabling these files or applications, these attacks cannot access to the important data in the computer system [8]. The second set of attacks can remove a set of special files and destroying important files. These attacks are executed and handled from intelligence agencies and hacker on computer systems of the users. These attacks have not needed to destroy system security of computer. But, these attacks are executed and run by hiding themselves in URL web addresses or in created files using routing software such as Microsoft office, adobe reader, win zip, etc. By notice to these attacks, a computer system need to an online security system. Of course, an offline security system prevent to data accessibility in computer system slightly. Unfortunately, by progression of technology and software system complexity attackers have discovered some new


58

vulnerable areas in systems that informally called "holes". So, by this ways they disturb system security.

By the above reasons, we find that testing and verifying the security applications such as the antivirus systems is very important and essential in Security Discussion [9] of the computer systems. There are some antivirus applications in software development market such as Bitdefender1 Antivirus, Kaspersky2 Antivirus, Avira3 Antivirus and etc. Of course, computer viruses [10], Spywares [11], Trojans, Worms [12] and other new malwares debut every day.

Model checking technique of the software systems verification is an automatic technique

[13]. It has many advantages over simulation, testing, and deductive reasoning. Formal verification techniques have an important role in validation processes of the software systems. Formal verification of Antivirus System approach is essential as it protects all type of the system from the attacks and viruses. State space searching involves exhaustive testing or scenario analysis.

In this paper, a protection services in Antivirus System approach has been presented. Our

model separated in to two behaviors: preventive behavior and control behavior. In particular, the contributions of this paper are:

Proposing an ideal Antivirus System based on Avira Antivirus approach. Presenting an Antivirus System behavior model to decouple preventive and control

behavior of Antivirus System approach. A formal approach extracted from the expected properties of Antivirus System approach

from control behavior in the form of Temporal Logic formulas. Implementing the behavior models of Antivirus System approach by using ArgoUML4

tool and NuSMV5 model checker.

The rest of this paper is organized as follows. In section 2, we discuss some related works in formal verification. Section 3 describes the preventive and control behaviors of the Antivirus System. Section 4 presents a conversion of behavioral models to Kripke structure. Furthermore, the behavioral properties of behavioral models are defined by using linear temporal logic and computation tree logic languages. These properties can be checked by the specification of control behavior. In section 5 we implement the proposed behavioral models by ArgoUML tool and NuSMV model checker. Finally, Section 6 shows conclusions and future works.

2. RELATED WORKS Model checking and verification of software and hardware systems have becoming an interesting topics in the past few years and many researchers have studied them around the world.

Ravn, et al. [14] presented a formal method of the Web Services Atomic Transaction

(WS-AT) protocol. They described an algorithm for achieving agreement on the outcome of a distributed transaction. The protocol has been verified by using UPPAAL6 model checker. Their model is based on a formalization technique by using the mathematical language of the Temporal Logic of Actions (TLA+).

1 http://www.bitdefender.com/site/view/our-story.html 2 http://www.kaspersky.com/about 3 http://www.avira.com/en/for-home 4 http://argouml-stats.tigris.org/ 5 http://nusmv.fbk.eu/ 6 www.uppaal.org


59

As another new researches in Web services Kova, et al. [15] designed and verified a behavior of composite Web services based on two behaviors, control and operational. These behaviors are communicated together by using conversation messages. They used to state charts for modelling the composite Web services and verifying the synchronization of the conversations by using NuSMV model checker, too.

Yeung [16] described a formal modeling approach for choreography-based web services

composition and conformance verification. Apart from Web Services Choreography Description Language (WS-CDL) and Web Services Business Process Execution Language (WS-BPEL), their approach also supported the use of visual modeling notations such as UML in modeling choreographies and orchestrations.

Bentahar, et al. [17] modeled the composite web services based on a division of interests

between operational and control behaviors. Some favorable properties such as deadlock freedom, safety and reachability have been analyzed. The proposed behaviors have been converted to Kripke structure by using model checking techniques based on BDD.

El-Menshawy, et al. [18] presented a new technique for verifying multi-agent

commitment-based protocols by using model checking techniques. They used a reduction technique to formally transform the model checking Action Computation Tree Logic (ACTL). They proved that the reduction technique is sound and fully implemented it on top of the CWB-NC model checker.

Xitong, et al. [19] proposed a Petri Net (PN) approach to analyzing behavioral

compatibility and similarity of web services. Also they developed the Service Workflow Net (SWN) formalism based on colored Petri Net in order to model Web services. Then formal definition of behavioral compatibility is presented based on the SWN model. Finally, the authors used PIPE editor tool [20] to automate the verification of behavioral similarity and equivalence of Web services.

Souri and Navimipour [21] proposed an adapted antivirus system approach to address

multi-attribute queries in grid computing. They presented a behavioral model for their proposed approach that separate into data gathering, discovery and control behaviors. So, they used to kripke structure for modeling these behaviors and verified their behavioral models by using NuSMV model checker.

Table 1 presents some related works in verification approaches.

Table. 1. Summary of the modeling and verification methods of the related works

Papers Case Study Modeling Temporal logic

Model Checker

Kova, et al. [15] Composite Web Services

- CTL NuSMV

Ravn, et al. [14] Atomic Transaction Protocol

Mathematical Language TLA+.

Timed-CTL UPPAAL

Xitong, et al. [19] Web Services Petri Net - -

Bentahar, et al. [17]

Composite Web Services

Java Converter Tool

LTL & CTL NuSMV

Souri and Navimipour [21]

Resource discovery Approach

ArgoUML LTL & CTL NuSMV


60

El-Menshawy, et al. [18]

Multi-Agent Commitment-Based

Protocols

- Action Computation Tree Logic

(ACTL)

CWB-NC model checker

3. ANTIVIRUS BEHAVIOR MODEL This section presents an antivirus behavior model by using formal and model checking techniques, which separates its behavior into preventive behavior and control behavior. We use statechart semantics to modeling preventive and control behaviors.

Figure 1.model of preventive behaviour

Figure 1 shows the preventive behavior of the ideal antivirus software. The preventive behavior starts from protection approach by initial state system protection and specifies system mode by checking online or offline mode. The offline mode shows PC Protection and includes protection approach for two states Real-time Protection and System Scanner. In the state Real-time Protection, system protected automatically in the windows system directory (WSD) in path: C:\windows\system32. The state detecting file as a type of Detection approach discover any type of infections in suspicious files and send it to state check cleaning operation as a type of Identification approach. If the infected file deleted, then the Removal approach is executed and system receives the safe result in this process. If suspicious file ignored for any reason, then system receives unsafe result in this process. The recycling operation divides into two parts. In the first part, by finding infection position, system performs Identification approach and removes the infection from the file so the file is safe and Removal approach is executed. In the second part, a suspicious file is found and state check clearing operations executes Identification approach. If this file is deleted then Removal approach receives the safe result, otherwise system receives the unsafe result.


61

Figure 2. Model of control behavior

The control behavior navigates the execution flow of the approaches of antivirus system. In the figure 2, the control behavior of the antivirus system presents a number of states extracted from the preventive behavior by using the Buchi automata. These states include Not Activated, Activated, Process, and Recognition, Done and Aborted. 3.1 EXPLANATION OF ANTIVIRUS SYSTEM APPROACHES In the antivirus system behaviors we define four approaches. These approaches are Protection Approach, Detection Approach, Identification Approach and Removal Approach. Connections between preventive and control behaviors is possible by these approaches. Each of these approach are mapped on the states of preventive behavior and control behavior. The Protection Approach includes Not Activated and Activated states in control behavior and also System Protection, PC Protection and Real-Time Protection in preventive behavior. Detection Approach includes Process state in control behavior and Detecting Files state in preventive behavior. Identification Approach includes Recognition state in control behavior and Check Cleaning Operations in preventive behavior and finally the removal Approach includes Done state in control behavior and Deliver Safe Status state in preventive behavior.

4. VERIFICATION OF PREVENTIVE AND CONTROL BEHAVIORS

In this section, we describe the model checking mechanism for verifying the behavior models of the antivirus system by using of Kripke structure of behaviors definition. We first define the Kripke Structures of the behavioral models.

A Kripke structure is a nondeterministic finite state machine that is used in model checking to represent system behavior and is a 4-tuple KS = (S, s0, Tr, L), where:

S is a finite set of states, s0S is an initial state, Tr S S is a transition relation that s S: s'S : ( s , s' )Tr. L: S →2AP is labeling function.

Now we present expected rules in control behavior by using symbolic model checking

techniques. For checking the properties in the Kripke structure MK which is associated with the antivirus system behaviors, these properties can be formulated by using LTL and CTL formulas.

Now, by using the following initials we can define logical properties for model checking: In= {Not Activated: Na; Activate: Ac; Process: Pr; Identification: Id; Invoked: In; Received: Re; Aborted: Ab; Done: Do; End: En}.

Let → be the logical implication. We define some examples of CTL properties which can

be verified for the control behavior:


62

C1= AG (Na → AX Ac). There is always a path from state Not Activated to state Activated.

C2= AG (Ac → AXAF (Ac Pr)). There is always a path from state Activated to state Activated or process.

C3= AG (Pr → AX AF (Id Ac)). There is always a path from state Process to state Identification or Activated.

C4= AG (In → AX AF (Ab)). There is always a path from state Invoked to state Aborted. C5= AG ((Do Ab) → AX AF (En)). There is always a path from state Done or Aborted

to state End. C6= AGEF (Ac). State Activated is always potentially reachable. C7= AGEF (Ab Re). State Aborted or state Received is always potentially reachable. C8= AGEF (Pr → Ac). State Activated comes after state Process is always potentially

reachable. C9= AGEF (In → Re). State Received comes after state Invoked is always potentially

reachable. C10= AGEF (Do). State Done is always potentially reachable. C11= AGEF (En). State End is always potentially reachable.

Examples of LTL properties that can be verified from the control behavior are: L1= G (Na → X (Ac)). Always an Activated state comes after a Not Activated state. L2= G (Do Ab) → XF (En)). Always a End state comes after a Done state or Aborted

state. L3= G (Na → XF (Do Ab)). Always a Done state or Aborted state comes after Not

Activated state. L4= G (Pr → XF (Ac Id)). Always an Activated state or Identification state comes after

a Process state. L5= G (Id → X (Pr)). Always a Process state comes after an Identification state.

After defining some examples of CTL and LTL rules, we present a translation of the

preventive behavior into a Kripke structure and then for transforming the initial kripke model to the kripke structure model, we conform the preventive behavior states to the corresponding state in the control behavior. This translation is from the initial kripke model of preventive behavior states to the symbols Na, Ac, Pr, Id, In, Re, Ab, Do and En. The result of the reduced Kripke model is presented in figure 3.

Figure 3. The Reduced Kripke model of Preventive Behavior


63

5. SYSTEM IMPLEMENTATION In this section, we implementation the proposed model by using ArgoUML tool that is a open source UML modeling tool [22] for behavior specification in figure 4. The behaviors represented in ArgoUML [23] are shown as statechart diagrams [24].

Figure 4. Specification of antivirus system behaviors in ArgoUML tool

Figure 5 shows the translated SMV code from the Kripke structures which is written by Roudabeh tool7 [25]. By using the Roudabeh tool [26], we can have translation of the reduced Kripke model to SMV code.

Figure 5. The translation of SMV code by using Roudabeh tool

7 http://ece.ut.ac.ir/fml/rebeca_verifier.htm


64

Figure 6 presents the results of the model checking of CTL properties by using NuSMV model checker.

Figure 6. Checking CTL properties in NuSMV Interactive model

In Figure 7, the LTL properties checked in NuSMV model Checker.

Figure 7. Checking LTL properties in NuSMV Interactive mode.

Also in Figure 8, we analyze the states and transitions of antivirus system approach in reachability and fairness conditions. By compute_reachable command we check state reachability, state fairness and transition fairness. The result shows that all states are reachable and fair and all transitions are fair and by check_fsm command we check the deadlock problem antivirus system model. It is showed that the antivirus system approach has not deadlock.


65

Figure 8. Checking reachability and fairness of AS approach

6. PERFORMANCE EVALUATION

In this section the proposed approach is evaluated according to the faithfulness of the formal models and their usefulness for model checking. The valid behaviors of antivirus system approach are satisfied by the CTL formulas in verification procedure. Also the incorrect traces checked by appropriated counterexample in the LTL formulas. The verification results of antivirus system model shows its completeness and soundness. Table 3 shows performance evaluation results of checking the model of antivirus system by NuSMV model checker tool.

Table. 2 Verification statistics for antivirus system approach.

Memory in use (byte) 4678263

Number of BDD variables 8

Number of sifted variables 1100

Number of swapped variables 1800000

total number of nodes 1300

Also table 3 shows the evaluation results to verify the total number of properties in antivirus system approach which are obtained by NuSMV model checker tool.

Table. 3 Verification result of all properties in antivirus system approach (PC Intel Core Duo 6600, 2.4

GHz, 2GB RAM, Windows 7, NuSMV 2.4.3).

Property Result Time (s) Memory (KB) Temporal Language

AG (Na → AX Ac) Satisfied 0.016 26,236 CTL

AG (Ac → AXAF (Ac Pr)) Satisfied 11.778 42,952 CTL

AG (Pr → AX AF (Id Ac)) Satisfied 26.785 57,792 CTL

AG (In → AX AF (Ab)) Satisfied 1.935 17,792 CTL

AG ((Do Ab) → AX AF (En)) Satisfied 16.597 56,956 CTL

AGEF (Ac) Satisfied 85.332 89,136 CTL

AGEF (Ab Re) Not Satisfied 11.22 44,765 CTL


66

AGEF (Pr → Ac) Satisfied 2.123 46.689 CTL

AGEF (In → Re) Satisfied 3.111 36.725 CTL

AGEF (Do) Not Satisfied 1.201 56.273 CTL

G (Na → X (Ac)) Satisfied 1.865 12,869 LTL

G (Do Ab) → XF (En)) Satisfied 1.201 12.763 LTL

G (Na → XF (Do Ab)) Not Satisfied 4.189 6,980 LTL

G (Pr → XF (Ac Id)) Satisfied 1.865 12,713 LTL

G (Id → X (Pr)) Satisfied 3.159 14,905 LTL 7. CONCLUSION In this paper, we presented an antivirus system approach. We focus on the antivirus application and we show that in our proposed model, the real-time protection and web protection perform more secure. The antivirus system approach is divided into preventive and control behaviors. The expected properties of antivirus system are extracted from control behavior in the form of temporal logic formulas. Also we implemented the behavior models of antivirus system approach by ArgoUML tool and the NuSMV model checker. The results showed that the antivirus system approach can successfully detects fairness, reachability, deadlock free and verify all of the CTL and LTL rules. For future work, we try to extend this proposed mechanism for the other section of antivirus system as well as its formal verification and behavioral modeling. REFERENCES [1] P.Szor, The Art of Computer Virus Research and Defense: Addison-Wesley Professional, 2005. [2] W.Wang, P.-t.Zhang, Y.Tan, and X.-g. He, "Animmune local concentration based virus detection

approach," Journal of Zhejiang University SCIENCE C, vol. 12, pp. 443-454, 2011/06/01 2011. [3] A.Shabtai, L.Tenenboim-Chekina, D.Mimran, L.Rokach, B. Shapira, and Y. Elovici, "Mobile

malware detection through analysis of deviations in application network behavior," Computers & Security, vol. 43, pp. 1-18, 6// 2014.

[4] X.-s. Zhang, T.Chen, J.Zheng, and H. Li, "Proactive worm propagation modeling and analysis in unstructured peer-to-peer networks," Journal of Zhejiang University SCIENCE C, vol. 11, pp. 119-129, 2010/02/01 2010.

[5] N.Virvilis and D.Gritzalis, "Automatic Defense Against Zero-day Polymorphic Worms in Communication Networks," Computers & Security, vol. 42, pp. 191-192, 5// 2014.

[6] T.Dube, R.Raines, G.Peterson, K.Bauer, M. Grimaila, and S. Rogers, "Malware target recognition via static heuristics," Computers & Security, vol. 31, pp. 137-147, 2// 2012.

[7] J.J.C.H.Ryan, T.A.Mazzuchi, D.J.Ryan, J. Lopez de la Cruz, and R. Cooke, "Quantifying information security risks using expert judgment elicitation," Computers & Operations Research, vol. 39, pp. 774-784, 4// 2012.

[8] Y.Park, D.S.Reeves, and M. Stamp, "Deriving common malware behavior through graph clustering," Computers & Security, vol. 39, Part B, pp. 419-430, 11// 2013.

[9] F.B. Schneider, "Enforceable security policies," ACM Trans. Inf. Syst. Secur., vol. 3, pp. 30-50, 2000.

[10] P.K. Singh and A.Lakhotia, "Analysis and detection of computer viruses and worms: an annotated bibliography," SIGPLAN Not., vol. 37, pp. 29-35, 2002.

[11] E.Filiol, "Viruses and Malware," in Handbook of Information and Communication Security, P. Stavroulakis and M. Stamp, Eds., ed: Springer Berlin Heidelberg, 2010, pp. 747-769.

[12] S.H.Sellke, N.B.Shroff, and S.Bagchi, "Modeling and Automated Containment of Worms," Dependable and Secure Computing, IEEE Transactions on, vol. 5, pp. 71-86, 2008.

[13] E.M.Clarke, O.Grumberg, and D.A.Peled, Model checking: MIT press, 1999.


67

[14] A.P.Ravn, J.Srba, and S. Vighio, "A formal analysis of the web services atomic transaction protocol with UPPAAL," presented at the Proceedings of the 4th international conference on Leveraging applications of formal methods, verification, and validation - Volume Part I, Heraklion, Crete, Greece, 2010.

[15] M.Kova, J.Bentahar, Z.Maamar, and H.Yahyaoui, "A Formal Verification Approach of Conversations in Composite Web Services Using NuSMV," presented at the Proceedings of the 2009 conference on New Trends in Software Methodologies, Tools and Techniques: Proceedings of the Eighth SoMeT_09, 2009.

[16] W.L.Yeung, "A formal and visual modeling approach to choreography based web services composition and conformance verification," Expert Systems with Applications, vol. 38, pp. 12772-12785, 9/15/ 2011.

[17] J.Bentahar, H.Yahyaoui, M.Kova, and Z. Maamar, "Symbolic model checking composite Web services using operational and control behaviors," Expert Systems with Applications, vol. 40, pp. 508-522, 2/1/ 2013.

[18] M.El-Menshawy, J.Bentahar, W.El Kholy, and R.Dssouli, "Verifying conformance of multi-agent commitment-based protocols," Expert Systems with Applications, vol. 40, pp. 122-138, 1// 2013.

[19] L.Xitong, F.Yushun, Q.Z.Sheng, Z.Maamar, and Z.Hongwei, "A Petri Net Approach to Analyzing Behavioral Compatibility and Similarity of Web Services," Systems, Man and Cybernetics, Part A: Systems and Humans, IEEE Transactions on, vol. 41, pp. 510-521, 2011.

[20] N.J.Dingle, W.J.Knottenbelt, and T.Suto, "PIPE2: a tool for the performance evaluation of generalised stochastic Petri Nets," SIGMETRICS Perform. Eval. Rev., vol. 36, pp. 34-39, 2009.

[21] A.Souri and N.J.Navimipour, "Behavioral Modeling and Formal Verification of Resource Discovery in Grid Computing," Expert Systems with Applications, 2013.

[22] W.Complak, A.Wojciechowski, A.Mishra, and D. Mishra, "Use Cases and Object Modelling Using ArgoUML," in On the Move to Meaningful Internet Systems: OTM 2011 Workshops. vol. 7046, R.Meersman, T.Dillon, and P.Herrero, Eds., ed: Springer Berlin Heidelberg, 2011, pp. 246-255.

[23] O.Barais and L. Duchien, "Safarchie Studio: ArgoUML Extensions to Build Safe Architectures," in Architecture Description Languages. vol. 176, P. Dissaux, M. Filali-Amine, P. Michel, and F. Vernadat, Eds., ed: Springer US, 2005, pp. 85-100.

[24] T.Arbuckle, "Studying software evolution using artefacts’ shared information content," Science of Computer Programming, vol. 76, pp. 1078-1097, 12/1/ 2011.

[25] S.F. Alavizaedh, A.H.Nekoo, and M. Sirjani, "ReUML: a UML Profile for Modeling and Verification of Reactive Systems," in Software Engineering Advances, 2007. ICSEA 2007. International Conference on, 2007, pp. 50-50.

[26] H.R.Shahriari, M.S.Makarem, M.Sirjani, R.Jalili, and A. Movaghar, "Vulnerability analysis of networks to detect multiphase attacks using the actor-based language Rebeca," Computers & Electrical Engineering, vol. 36, pp. 874-885, 9// 2010.

VERIFICATION OF THE PROTECTION SERVICES IN ANTIVIRUS SYSTEMS BY USING NUSMV MODEL CHECKER

Documents

Transcript of VERIFICATION OF THE PROTECTION SERVICES IN ANTIVIRUS SYSTEMS BY USING NUSMV MODEL CHECKER