The paper presents a model for verifying antivirus system protection services using the NuSMV model checker. It separates antivirus system behavior into preventive and control behaviors, extracting expected properties formulated in temporal logic. The validation results indicate that the proposed model can effectively detect key properties such as fairness, reachability, and deadlock freedom.

1. International Journal in Foundations of Computer Science & Technology (IJFCST), Vol.4, No.5, September 2014
VERIFICATION OF THE PROTECTION SERVICES IN
ANTIVIRUS SYSTEMS BY USING NUSMV MODEL
CHECKER
Monire Norouzi1, Saeed Parsa2*
1Department of Computer Engineering, Shabestar Branch, Islamic Azad University,
Shabestar, Iran
2Department of Software Engineering, Iran University of Science and Technology,
Tehran, Iran
ABSTRACT
In this paper, a model of protection services in the antivirus system is proposed. The antivirus system
behavior separate in to preventive and control behaviors. We extract the properties which are expected
from the model of antivirus system approach from control behavior in the form of CTL and LTL temporal
logic formulas. To implement the behavior models of antivirus system approach, the ArgoUML tool and the
NuSMV model checker are employed. The results show that the antivirus system approach can detects
fairness, reachability, deadlock free and verify some properties of the proposed model verified by using
NuSMV model checker.
KEYWORDS
verification, antivirus system, protection services, kripke structure, NuSMV
1. INTRODUCTION
Today, antivirus software [1] is very important in business and software development, because in
any computer, system should install a security application on itself to maintain regularize and
secure of its data. In the recent years, many attacks [2] are occurred to variety systems like bank
servers, military systems and home systems by variety Viruses and Malwares [3]. Information
maintenance and prevent to data accessibility is the cause of attacking and destroying data which
has been occurred by Invasive malware [4, 5] widely and suddenly. So, the customers want to a
reliable secure software [6].
The attacks in system security [7] section is divided in to two parts. The first set of
attacks are enabled to eliminate security files or security applications of a computer system. After
disabling these files or applications, these attacks cannot access to the important data in the
computer system [8]. The second set of attacks can remove a set of special files and destroying
important files. These attacks are executed and handled from intelligence agencies and hacker on
computer systems of the users. These attacks have not needed to destroy system security of
computer. But, these attacks are executed and run by hiding themselves in URL web addresses or
in created files using routing software such as Microsoft office, adobe reader, win zip, etc. By
notice to these attacks, a computer system need to an online security system. Of course, an offline
security system prevent to data accessibility in computer system slightly. Unfortunately, by
progression of technology and software system complexity attackers have discovered some new
DOI:10.5121/ijfcst.2014.4506 57

2. International Journal in Foundations of Computer Science & Technology (IJFCST), Vol.4, No.5, September 2014
vulnerable areas in systems that informally called "holes". So, by this ways they disturb system
security.
By the above reasons, we find that testing and verifying the security applications such as
the antivirus systems is very important and essential in Security Discussion [9] of the computer
systems. There are some antivirus applications in software development market such as
Bitdefender1 Antivirus, Kaspersky2 Antivirus, Avira3 Antivirus and etc. Of course, computer
viruses [10], Spywares [11], Trojans, Worms [12] and other new malwares debut every day.
Model checking technique of the software systems verification is an automatic technique
[13]. It has many advantages over simulation, testing, and deductive reasoning. Formal
verification techniques have an important role in validation processes of the software systems.
Formal verification of Antivirus System approach is essential as it protects all type of the system
from the attacks and viruses. State space searching involves exhaustive testing or scenario
analysis.
In this paper, a protection services in Antivirus System approach has been presented. Our
model separated in to two behaviors: preventive behavior and control behavior. In particular, the
contributions of this paper are:
 Proposing an ideal Antivirus System based on Avira Antivirus approach.
 Presenting an Antivirus System behavior model to decouple preventive and control
58
behavior of Antivirus System approach.
 A formal approach extracted from the expected properties of Antivirus System approach
from control behavior in the form of Temporal Logic formulas.
 Implementing the behavior models of Antivirus System approach by using ArgoUML4
tool and NuSMV5 model checker.
The rest of this paper is organized as follows. In section 2, we discuss some related works
in formal verification. Section 3 describes the preventive and control behaviors of the Antivirus
System. Section 4 presents a conversion of behavioral models to Kripke structure. Furthermore,
the behavioral properties of behavioral models are defined by using linear temporal logic and
computation tree logic languages. These properties can be checked by the specification of control
behavior. In section 5 we implement the proposed behavioral models by ArgoUML tool and
NuSMV model checker. Finally, Section 6 shows conclusions and future works.
2. RELATED WORKS
Model checking and verification of software and hardware systems have becoming an interesting
topics in the past few years and many researchers have studied them around the world.
Ravn, et al. [14] presented a formal method of the Web Services Atomic Transaction
(WS-AT) protocol. They described an algorithm for achieving agreement on the outcome of a
distributed transaction. The protocol has been verified by using UPPAAL6 model checker. Their
model is based on a formalization technique by using the mathematical language of the Temporal
Logic of Actions (TLA+).
1 http://www.bitdefender.com/site/view/our-story.html
2 http://www.kaspersky.com/about
3 http://www.avira.com/en/for-home
4 http://argouml-stats.tigris.org/
5 http://nusmv.fbk.eu/
6 www.uppaal.org

3. International Journal in Foundations of Computer Science & Technology (IJFCST), Vol.4, No.5, September 2014
As another new researches in Web services Kova, et al. [15] designed and verified a
behavior of composite Web services based on two behaviors, control and operational. These
behaviors are communicated together by using conversation messages. They used to state charts
for modelling the composite Web services and verifying the synchronization of the conversations
by using NuSMV model checker, too.
Yeung [16] described a formal modeling approach for choreography-based web services
composition and conformance verification. Apart from Web Services Choreography Description
Language (WS-CDL) and Web Services Business Process Execution Language (WS-BPEL),
their approach also supported the use of visual modeling notations such as UML in modeling
choreographies and orchestrations.
Bentahar, et al. [17] modeled the composite web services based on a division of interests
between operational and control behaviors. Some favorable properties such as deadlock freedom,
safety and reachability have been analyzed. The proposed behaviors have been converted to
Kripke structure by using model checking techniques based on BDD.
El-Menshawy, et al. [18] presented a new technique for verifying multi-agent
commitment-based protocols by using model checking techniques. They used a reduction
technique to formally transform the model checking Action Computation Tree Logic (ACTL).
They proved that the reduction technique is sound and fully implemented it on top of the CWB-NC
59
model checker.
Xitong, et al. [19] proposed a Petri Net (PN) approach to analyzing behavioral
compatibility and similarity of web services. Also they developed the Service Workflow Net
(SWN) formalism based on colored Petri Net in order to model Web services. Then formal
definition of behavioral compatibility is presented based on the SWN model. Finally, the authors
used PIPE editor tool [20] to automate the verification of behavioral similarity and equivalence
of Web services.
Souri and Navimipour [21] proposed an adapted antivirus system approach to address
multi-attribute queries in grid computing. They presented a behavioral model for their proposed
approach that separate into data gathering, discovery and control behaviors. So, they used to
kripke structure for modeling these behaviors and verified their behavioral models by using
NuSMV model checker.
Table 1 presents some related works in verification approaches.
Table. 1. Summary of the modeling and verification methods of the related works
Papers Case Study Modeling Temporal
logic
Model
Checker
Kova, et al. [15] Composite Web
Services
- CTL NuSMV
Ravn, et al. [14] Atomic Transaction
Protocol
Mathematical
Language TLA+.
Timed-CTL UPPAAL
Xitong, et al. [19] Web Services Petri Net - -
Bentahar, et al.
[17]
Composite Web
Services
Java Converter
Tool
LTL & CTL NuSMV
Souri and
Navimipour [21]
Resource discovery
Approach
ArgoUML LTL & CTL NuSMV

4. International Journal in Foundations of Computer Science & Technology (IJFCST), Vol.4, No.5, September 2014
60
El-Menshawy, et
al. [18]
Multi-Agent
Commitment-Based
Protocols
- Action
Computation
Tree Logic
(ACTL)
CWB-NC model
checker
3. ANTIVIRUS BEHAVIOR MODEL
This section presents an antivirus behavior model by using formal and model checking
techniques, which separates its behavior into preventive behavior and control behavior. We use
statechart semantics to modeling preventive and control behaviors.
Figure 1.model of preventive behaviour
Figure 1 shows the preventive behavior of the ideal antivirus software. The preventive
behavior starts from protection approach by initial state system protection and specifies system
mode by checking online or offline mode. The offline mode shows PC Protection and includes
protection approach for two states Real-time Protection and System Scanner. In the state Real-time
Protection, system protected automatically in the windows system directory (WSD) in path:
C:windowssystem32. The state detecting file as a type of Detection approach discover any type
of infections in suspicious files and send it to state check cleaning operation as a type of
Identification approach. If the infected file deleted, then the Removal approach is executed and
system receives the safe result in this process. If suspicious file ignored for any reason, then
system receives unsafe result in this process. The recycling operation divides into two parts. In
the first part, by finding infection position, system performs Identification approach and removes
the infection from the file so the file is safe and Removal approach is executed. In the second
part, a suspicious file is found and state check clearing operations executes Identification
approach. If this file is deleted then Removal approach receives the safe result, otherwise system
receives the unsafe result.

5. International Journal in Foundations of Computer Science & Technology (IJFCST), Vol.4, No.5, September 2014
61
Figure 2. Model of control behavior
The control behavior navigates the execution flow of the approaches of antivirus system. In the
figure 2, the control behavior of the antivirus system presents a number of states extracted from
the preventive behavior by using the Buchi automata. These states include Not Activated,
Activated, Process, and Recognition, Done and Aborted.
3.1 EXPLANATION OF ANTIVIRUS SYSTEM APPROACHES
In the antivirus system behaviors we define four approaches. These approaches are Protection
Approach, Detection Approach, Identification Approach and Removal Approach. Connections
between preventive and control behaviors is possible by these approaches. Each of these approach
are mapped on the states of preventive behavior and control behavior. The Protection Approach
includes Not Activated and Activated states in control behavior and also System Protection, PC
Protection and Real-Time Protection in preventive behavior. Detection Approach includes
Process state in control behavior and Detecting Files state in preventive behavior. Identification
Approach includes Recognition state in control behavior and Check Cleaning Operations in
preventive behavior and finally the removal Approach includes Done state in control behavior
and Deliver Safe Status state in preventive behavior.
4. VERIFICATION OF PREVENTIVE AND CONTROL BEHAVIORS
In this section, we describe the model checking mechanism for verifying the behavior
models of the antivirus system by using of Kripke structure of behaviors definition. We first
define the Kripke Structures of the behavioral models.
A Kripke structure is a nondeterministic finite state machine that is used in model
checking to represent system behavior and is a 4-tuple KS = (S, s0, Tr, L), where:
 S is a finite set of states,
 s0S is an initial state,
 Tr  S  S is a transition relation that s S: s'S : ( s , s' )Tr.
 L: S →2AP is labeling function.
Now we present expected rules in control behavior by using symbolic model checking
techniques. For checking the properties in the Kripke structure MK which is associated with the
antivirus system behaviors, these properties can be formulated by using LTL and CTL formulas.
Now, by using the following initials we can define logical properties for model checking:
In= {Not Activated: Na; Activate: Ac; Process: Pr; Identification: Id; Invoked: In; Received: Re;
Aborted: Ab; Done: Do; End: En}.
Let → be the logical implication. We define some examples of CTL properties which can
be verified for the control behavior:

6. International Journal in Foundations of Computer Science & Technology (IJFCST), Vol.4, No.5, September 2014
 C1= AG (Na → AX Ac). There is always a path from state Not Activated to state
62
Activated.
 C2= AG (Ac → AXAF (Ac Pr)). There is always a path from state Activated to state
Activated or process.
 C3= AG (Pr → AX AF (Id Ac)). There is always a path from state Process to state
Identification or Activated.
 C4= AG (In → AX AF (Ab)). There is always a path from state Invoked to state Aborted.
 C5= AG ((Do Ab) → AX AF (En)). There is always a path from state Done or Aborted
to state End.
 C6= AGEF (Ac). State Activated is always potentially reachable.
 C7= AGEF (Ab Re). State Aborted or state Received is always potentially reachable.
 C8= AGEF (Pr → Ac). State Activated comes after state Process is always potentially
reachable.
 C9= AGEF (In → Re). State Received comes after state Invoked is always potentially
reachable.
 C10= AGEF (Do). State Done is always potentially reachable.
 C11= AGEF (En). State End is always potentially reachable.
Examples of LTL properties that can be verified from the control behavior are:
 L1= G (Na → X (Ac)). Always an Activated state comes after a Not Activated state.
 L2= G (Do Ab) → XF (En)). Always a End state comes after a Done state or Aborted
state.
 L3= G (Na → XF (Do Ab)). Always a Done state or Aborted state comes after Not
Activated state.
 L4= G (Pr → XF (Ac Id)). Always an Activated state or Identification state comes after
a Process state.
 L5= G (Id → X (Pr)). Always a Process state comes after an Identification state.
After defining some examples of CTL and LTL rules, we present a translation of the
preventive behavior into a Kripke structure and then for transforming the initial kripke model to
the kripke structure model, we conform the preventive behavior states to the corresponding state
in the control behavior. This translation is from the initial kripke model of preventive behavior
states to the symbols Na, Ac, Pr, Id, In, Re, Ab, Do and En. The result of the reduced Kripke
model is presented in figure 3.
Figure 3. The Reduced Kripke model of Preventive Behavior

7. International Journal in Foundations of Computer Science & Technology (IJFCST), Vol.4, No.5, September 2014
5. SYSTEM IMPLEMENTATION
In this section, we implementation the proposed model by using ArgoUML tool that is a open
source UML modeling tool [22] for behavior specification in figure 4. The behaviors represented
in ArgoUML [23] are shown as statechart diagrams [24].
63
Figure 4. Specification of antivirus system behaviors in ArgoUML tool
Figure 5 shows the translated SMV code from the Kripke structures which is written by
Roudabeh tool7 [25]. By using the Roudabeh tool [26], we can have translation of the reduced
Kripke model to SMV code.
Figure 5. The translation of SMV code by using Roudabeh tool
7 http://ece.ut.ac.ir/fml/rebeca_verifier.htm

8. International Journal in Foundations of Computer Science & Technology (IJFCST), Vol.4, No.5, September 2014
Figure 6 presents the results of the model checking of CTL properties by using NuSMV
64
model checker.
Figure 6. Checking CTL properties in NuSMV Interactive model
In Figure 7, the LTL properties checked in NuSMV model Checker.
Figure 7. Checking LTL properties in NuSMV Interactive mode.
Also in Figure 8, we analyze the states and transitions of antivirus system approach in
reachability and fairness conditions. By compute_reachable command we check state
reachability, state fairness and transition fairness. The result shows that all states are reachable
and fair and all transitions are fair and by check_fsm command we check the deadlock problem
antivirus system model. It is showed that the antivirus system approach has not deadlock.

9. International Journal in Foundations of Computer Science & Technology (IJFCST), Vol.4, No.5, September 2014
65
Figure 8. Checking reachability and fairness of AS approach
6. PERFORMANCE EVALUATION
In this section the proposed approach is evaluated according to the faithfulness of the
formal models and their usefulness for model checking. The valid behaviors of antivirus system
approach are satisfied by the CTL formulas in verification procedure. Also the incorrect traces
checked by appropriated counterexample in the LTL formulas. The verification results of
antivirus system model shows its completeness and soundness. Table 3 shows performance
evaluation results of checking the model of antivirus system by NuSMV model checker tool.
Table. 2 Verification statistics for antivirus system approach.
Memory in use (byte) 4678263
Number of BDD variables 8
Number of sifted variables 1100
Number of swapped variables 1800000
total number of nodes 1300
Also table 3 shows the evaluation results to verify the total number of properties in antivirus
system approach which are obtained by NuSMV model checker tool.
Table. 3 Verification result of all properties in antivirus system approach (PC Intel Core Duo 6600, 2.4
GHz, 2GB RAM, Windows 7, NuSMV 2.4.3).
Property Result Time (s) Memory (KB) Temporal
Language
AG (Na → AX Ac) Satisfied 0.016 26,236 CTL
AG (Ac → AXAF (Ac Pr)) Satisfied 11.778 42,952 CTL
AG (Pr → AX AF (Id Ac)) Satisfied 26.785 57,792 CTL
AG (In → AX AF (Ab)) Satisfied 1.935 17,792 CTL
AG ((Do Ab) → AX AF (En)) Satisfied 16.597 56,956 CTL
AGEF (Ac) Satisfied 85.332 89,136 CTL
AGEF (Ab Re) Not Satisfied 11.22 44,765 CTL

10. International Journal in Foundations of Computer Science & Technology (IJFCST), Vol.4, No.5, September 2014
66
AGEF (Pr → Ac) Satisfied 2.123 46.689 CTL
AGEF (In → Re) Satisfied 3.111 36.725 CTL
AGEF (Do) Not Satisfied 1.201 56.273 CTL
G (Na → X (Ac)) Satisfied 1.865 12,869 LTL
G (Do Ab) → XF (En)) Satisfied 1.201 12.763 LTL
G (Na → XF (Do Ab)) Not Satisfied 4.189 6,980 LTL
G (Pr → XF (Ac Id)) Satisfied 1.865 12,713 LTL
G (Id → X (Pr)) Satisfied 3.159 14,905 LTL
7. CONCLUSION
In this paper, we presented an antivirus system approach. We focus on the antivirus application
and we show that in our proposed model, the real-time protection and web protection perform
more secure. The antivirus system approach is divided into preventive and control behaviors. The
expected properties of antivirus system are extracted from control behavior in the form of
temporal logic formulas. Also we implemented the behavior models of antivirus system approach
by ArgoUML tool and the NuSMV model checker. The results showed that the antivirus system
approach can successfully detects fairness, reachability, deadlock free and verify all of the CTL
and LTL rules. For future work, we try to extend this proposed mechanism for the other section
of antivirus system as well as its formal verification and behavioral modeling.
REFERENCES
[1] P.Szor, The Art of Computer Virus Research and Defense: Addison-Wesley Professional, 2005.
[2] W.Wang, P.-t.Zhang, Y.Tan, and X.-g. He, "Animmune local concentration based virus detection
approach," Journal of Zhejiang University SCIENCE C, vol. 12, pp. 443-454, 2011/06/01 2011.
[3] A.Shabtai, L.Tenenboim-Chekina, D.Mimran, L.Rokach, B. Shapira, and Y. Elovici, "Mobile
malware detection through analysis of deviations in application network behavior," Computers &
Security, vol. 43, pp. 1-18, 6// 2014.
[4] X.-s. Zhang, T.Chen, J.Zheng, and H. Li, "Proactive worm propagation modeling and analysis in
unstructured peer-to-peer networks," Journal of Zhejiang University SCIENCE C, vol. 11, pp. 119-
129, 2010/02/01 2010.
[5] N.Virvilis and D.Gritzalis, "Automatic Defense Against Zero-day Polymorphic Worms in
Communication Networks," Computers & Security, vol. 42, pp. 191-192, 5// 2014.
[6] T.Dube, R.Raines, G.Peterson, K.Bauer, M. Grimaila, and S. Rogers, "Malware target recognition via
static heuristics," Computers & Security, vol. 31, pp. 137-147, 2// 2012.
[7] J.J.C.H.Ryan, T.A.Mazzuchi, D.J.Ryan, J. Lopez de la Cruz, and R. Cooke, "Quantifying information
security risks using expert judgment elicitation," Computers & Operations Research, vol. 39, pp. 774-
784, 4// 2012.
[8] Y.Park, D.S.Reeves, and M. Stamp, "Deriving common malware behavior through graph clustering,"
Computers & Security, vol. 39, Part B, pp. 419-430, 11// 2013.
[9] F.B. Schneider, "Enforceable security policies," ACM Trans. Inf. Syst. Secur., vol. 3, pp. 30-50,
2000.
[10] P.K. Singh and A.Lakhotia, "Analysis and detection of computer viruses and worms: an annotated
bibliography," SIGPLAN Not., vol. 37, pp. 29-35, 2002.
[11] E.Filiol, "Viruses and Malware," in Handbook of Information and Communication Security, P.
Stavroulakis and M. Stamp, Eds., ed: Springer Berlin Heidelberg, 2010, pp. 747-769.
[12] S.H.Sellke, N.B.Shroff, and S.Bagchi, "Modeling and Automated Containment of Worms,"
Dependable and Secure Computing, IEEE Transactions on, vol. 5, pp. 71-86, 2008.
[13] E.M.Clarke, O.Grumberg, and D.A.Peled, Model checking: MIT press, 1999.

11. International Journal in Foundations of Computer Science & Technology (IJFCST), Vol.4, No.5, September 2014
[14] A.P.Ravn, J.Srba, and S. Vighio, "A formal analysis of the web services atomic transaction protocol
with UPPAAL," presented at the Proceedings of the 4th international conference on Leveraging
applications of formal methods, verification, and validation - Volume Part I, Heraklion, Crete,
Greece, 2010.
[15] M.Kova, J.Bentahar, Z.Maamar, and H.Yahyaoui, "A Formal Verification Approach of Conversations
in Composite Web Services Using NuSMV," presented at the Proceedings of the 2009 conference on
New Trends in Software Methodologies, Tools and Techniques: Proceedings of the Eighth
SoMeT_09, 2009.
[16] W.L.Yeung, "A formal and visual modeling approach to choreography based web services
composition and conformance verification," Expert Systems with Applications, vol. 38, pp. 12772-
12785, 9/15/ 2011.
[17] J.Bentahar, H.Yahyaoui, M.Kova, and Z. Maamar, "Symbolic model checking composite Web
services using operational and control behaviors," Expert Systems with Applications, vol. 40, pp.
508-522, 2/1/ 2013.
[18] M.El-Menshawy, J.Bentahar, W.El Kholy, and R.Dssouli, "Verifying conformance of multi-agent
67
commitment-based protocols," Expert Systems with Applications, vol. 40, pp. 122-138, 1// 2013.
[19] L.Xitong, F.Yushun, Q.Z.Sheng, Z.Maamar, and Z.Hongwei, "A Petri Net Approach to Analyzing
Behavioral Compatibility and Similarity of Web Services," Systems, Man and Cybernetics, Part A:
Systems and Humans, IEEE Transactions on, vol. 41, pp. 510-521, 2011.
[20] N.J.Dingle, W.J.Knottenbelt, and T.Suto, "PIPE2: a tool for the performance evaluation of
generalised stochastic Petri Nets," SIGMETRICS Perform. Eval. Rev., vol. 36, pp. 34-39, 2009.
[21] A.Souri and N.J.Navimipour, "Behavioral Modeling and Formal Verification of Resource Discovery
in Grid Computing," Expert Systems with Applications, 2013.
[22] W.Complak, A.Wojciechowski, A.Mishra, and D. Mishra, "Use Cases and Object Modelling Using
ArgoUML," in On the Move to Meaningful Internet Systems: OTM 2011 Workshops. vol. 7046,
R.Meersman, T.Dillon, and P.Herrero, Eds., ed: Springer Berlin Heidelberg, 2011, pp. 246-255.
[23] O.Barais and L. Duchien, "Safarchie Studio: ArgoUML Extensions to Build Safe Architectures," in
Architecture Description Languages. vol. 176, P. Dissaux, M. Filali-Amine, P. Michel, and F.
Vernadat, Eds., ed: Springer US, 2005, pp. 85-100.
[24] T.Arbuckle, "Studying software evolution using artefacts’ shared information content," Science of
Computer Programming, vol. 76, pp. 1078-1097, 12/1/ 2011.
[25] S.F. Alavizaedh, A.H.Nekoo, and M. Sirjani, "ReUML: a UML Profile for Modeling and Verification
of Reactive Systems," in Software Engineering Advances, 2007. ICSEA 2007. International
Conference on, 2007, pp. 50-50.
[26] H.R.Shahriari, M.S.Makarem, M.Sirjani, R.Jalili, and A. Movaghar, "Vulnerability analysis of
networks to detect multiphase attacks using the actor-based language Rebeca," Computers &
Electrical Engineering, vol. 36, pp. 874-885, 9// 2010.