
National Digital Library of Theses and Dissertations in Taiwan

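Author: 張勝傑
Author (English): Sheng-Chieh Chang
Thesis title: Ontology-Based Common Criteria Review Tool
Thesis title (English): Ontology-based CC review tool
Advisor: 范金鳳
Advisor (English): Chin-Feng Fan
Degree: Master's
Institution: Yuan Ze University
Department: Department of Computer Science and Engineering
Discipline: Engineering
Field: Electrical Engineering and Computer Science
Thesis type: Academic thesis
Year of publication: 2010
Graduation academic year: 98
Language: Chinese
Number of pages: 79
Keywords (Chinese): Common Criteria; Security Evaluation; Ontology
Keywords (English): Common Criteria; Security Evaluation; Ontology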
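The Common Criteria for Information Technology Security Evaluation (CC) is an international common standard and specification for certifying whether information products are secure. However, because its content is overly complex, CC certification review currently consumes a great deal of time and manpower, and the purpose of this research is to improve this problem. This research built, on the Windows platform, a set of query and review tools to assist CC certification. Using an ontology approach, we organized the complex CC specifications and content into a structured knowledge base and, based on this ontology, built the following tools: 1. CC query tool 2. CC input tool 3. CC review tool 4. CC report tool. The techniques and tools developed in this research can improve the understandability of CC (for example, through hierarchical classification or keyword search) and enhance review efficiency and performance.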

The Common Criteria for Information Technology Security Evaluation provides comprehensive guidelines for the evaluation and certification of IT security regarding data security and data privacy. However, due to CC's complexity, the CC-based certification process is time-consuming. The thesis aims to develop a CC ontology and then construct ontology-based review tools as follows: 1. CC Query Tool 2. CC Mark-up Tool 3. CC Review Tool 4. CC Report Tool. The techniques and tools developed in this research can improve CC's understandability and enhance the efficiency and effectiveness of the CC certification team.

Chapter 1. Introduction
Chapter 2. Background
Chapter 3. Research Method
Chapter 4. Experiment Using a Personal Access Control System PP to Verify the Benefits of the Review Tool
Chapter 5. Conclusion & Future Work
References

