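Graduate student: 傅淑儀
Graduate student (English): Shu-Yi Fu
Thesis title: 應用知識本體論建構安全軟體架構之研究
Thesis title (English): A Study of Building Ontology based Secure Software Framework
Advisor: 劉家驊
Advisor (English): Chia-Hwa Liu
Oral defense committee: 金鴻鈞, 文武
Oral defense committee (English): Hung-Chun King, Wu Wen
Oral defense date: 2011-05-20
Degree: Master's
Institution: 醒吾技術學院
Department: Graduate Institute of Information Technology Application
Discipline: Computer Science
Category: General Computer Science
Thesis type: Academic thesis
Year of publication: 2011
Graduation academic year: 99
Language: Chinese
Number of pages: 88
Keywords (Chinese): software development life cycle; ontology; secure software
Keywords (English): secure software; SDLC; ontology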
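
Abstract (translated from the Chinese original):
With the rapid development of network applications, software systems have become increasingly widespread. Information applications that were once presented as static web pages have evolved into more diverse, personalized services, but this has also introduced many information system security vulnerabilities and threats. How to develop a sufficiently secure software application environment to improve this situation has become an important issue in information applications. According to surveys, although the security weaknesses of current network application systems are numerous and complex, an analysis of the causes of the various vulnerabilities shows that they fall broadly into two categories: (1) defects in the software system development process; (2) state-error vulnerabilities. Because security vulnerabilities have become a time bomb in the operation of software, liable to cause unforeseeable danger at any moment, this study uses the strengths of ontology (logical and semantic representation, a structure for expressing information, and inference and analysis), together with the requirements of each phase of the software development life cycle, to build a secure software development framework. The framework is intended to improve security during software development, to reduce the vulnerabilities caused by semantic errors during development, and further to save the labor and time spent on system testing. The study uses the ontology language OWL and the Protégé software to design a semantic inference architecture and build a knowledge base, develops rules based on the knowledge and experience of domain experts, verifies the vulnerabilities and defects that can be inferred across the software development life cycle, and proposes improvements. The results can serve as a reference for subsequent developers.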

Abstract (English, as provided with the thesis):
As networks have become widespread, the use of software systems has spread as well. However, the many personalized services in different web applications also bring many vulnerabilities and threats. Thus, how to build a software system with an adequate level of security assurance for its applications is becoming more and more challenging. According to surveys, the causes of information system vulnerabilities are very complex. Basically, the weaknesses may be classified into two categories: (1) drawbacks in the software development process; (2) protection drawbacks in the software operating environment. Both may originate in the system development phases. Therefore, in this study, we try to combine the attributes of ontology with the requirements of the software development phases to develop a secure software framework, which can improve on the security weaknesses and vulnerabilities caused by semantic errors. In the system, an ontology-based database is first created with the Protégé software; expert rules are then collected to infer and verify the possible vulnerabilities in the different phases of the SDLC. The results may be provided for further consideration by related researchers in the future.
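
Table of contents:
Abstract (Chinese)
Abstract (English)
Acknowledgements
Table of Contents
List of Tables
List of Figures
1. Introduction
1.1. Research Background
1.2. Research Motivation
1.3. Research Objectives
1.4. Research Limitations and Scope
2. Literature Review
2.1. Ontology
2.2. Ontology Languages of the Semantic Web
2.3. Software Development Life Cycle
2.4. Vulnerability Threats
3. Analysis and Design
3.1. System Architecture
3.2. Web Vulnerability Ontology Architecture
3.3. Rule Formulation
4. System Implementation and Verification
4.1. Building the Knowledge Base
4.2. Rule Design
4.3. Example Verification
5. Conclusions and Future Research Directions
5.1. Conclusions
5.2. Future Research Directions
References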

