Vulnerability Evaluation Method for E-Commerce Transaction Systems With Unobservable Transitions

E-commerce transaction systems have become an important factor in trading activities. However, e-commerce systems are still undergoing development. Unobservable actions and attacks on systems are frequent problems that increase the vulnerability of e-commerce systems. Most existing approaches to addressing these issues cannot describe or analyze the overall structure of a local specification and unobservable actions well. The vulnerable e-commerce transaction net (VET-net) is a useful model for describing the unobservable actions, online transactions and third-party payment platforms of e-commerce systems. Based on a VET-net, we focus on detecting and evaluating the vulnerability of e-commerce transaction systems to attacks. We propose the concept of vulnerable transitions, which include not only vulnerable actions but also unobservable transitions. Then, we use an improved slice method to locate the vulnerable transitions. For these vulnerable transitions, we propose a vulnerable transition evaluation method based on a hidden Markov model along with a reachability graph (HMM-RG). The HMM-RG uses hidden Markov models (HMMs) to approximate the state reachability graph of a VET-net. By calculating the firing probability, the HMM-RG can evaluate the vulnerability degree of malicious states. We use a real-world case to show our method's effectiveness and reasonableness.


I. INTRODUCTION
With the development of e-commerce, an increasing number of people are paying attention to the study of economic systems. Due to the imperfect nature of the e-commerce system itself, there are many problems in managing e-commerce systems [1]. There are some useful modeling methods to describe e-commerce systems, such as those of [2]-[8]. Du et al. [2] use a labeled Petri net (LPN) to analyze the obligation and accountability of cooperative systems and extend the LPN to a labeled workflow net (LWN) to model e-commerce workflows. However, they do not consider the three parties (shopper, merchant, and third-party payment platform (TPP)) involved in the transaction. Yu et al. [4], [6] propose an e-commerce business process net (EBPN) to construct an e-commerce business process. Based on the EBPN, they describe malicious behavior patterns in [5]. The behavior patterns represent potential attacks that violate security [5]. However, they are not suitable for vulnerable e-commerce systems with unobservable actions. For a safe system, there are methods that can be used to diagnose insecurity for users, such as those of [9]-[11]. In fact, this premise of system security is idealized. Most of the time, an e-commerce system is not completely secure. Thus, it is important to analyze vulnerable e-commerce systems. For a vulnerable e-commerce system, our previous work [12] proposes vulnerable e-commerce transaction nets (VET-nets). VET-nets consider both normal actions and malicious actions. Malicious actions include attacks and unobservable actions. In this paper, we use VET-nets as modeling tools.

The associate editor coordinating the review of this manuscript and approving it for publication was Zhiwu Li.

VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
For a VET-net, we know that if we provide a known attack form, we can locate the cause of the attack form in an e-commerce system using, e.g., the methods in [12]-[14]. Depending on the attack, there are vulnerable points used to complete the attack process. In fact, there may be more than one of these points. Some points are closely related to unobservable transitions. These actions may play different roles in a VET-net. The different effects can be represented in terms of the effect degree, which is called the vulnerability degree. Existing methods mainly aim at observable system attacks, and they are suitable for vulnerability diagnosis from observable activities. For some unobservable activities and unpredictable attack forms, these methods are not applicable. One kind of method works from the perspective of observed actions and analyzes only the unobservable states of malicious activity. Such a method ignores the effects of unobservable activities that lead to a malicious state, so it cannot adjust the e-commerce system appropriately. In other words, the analysis is mostly performed after the malicious activity and does not prevent its effects. It is mostly postmortem analysis and has difficulty preventing attacks. Another kind of method considers only unexpected attack forms and ignores unobservable actions. It is not good for testing the e-commerce system itself. Our goal is therefore to address two issues (i.e., unknown attacks and unobservable actions). The starting point of security practices for e-commerce systems is to evaluate their vulnerability. When a potential threat exploits the vulnerable actions of the system, it can lead to the destruction and damage of the system. Vulnerability assessment is a process of interpretation and vulnerability analysis. The purpose of vulnerability assessment is to find and control vulnerability.
In fact, if we can control these unobservable actions and assess the occurrence probability of each path to the final condition, we can diagnose and assess the e-commerce system. Therefore, we emphasize unobservable actions.
Our goal is to determine how to use a formal method to identify the vulnerable actions of a VET-net system and to give a formal calculation method for the vulnerability degree of a VET-net. The contributions of this paper include:
1) We propose the concept of vulnerable transitions, which includes not only vulnerable actions but also unobservable transitions. We present a new method to locate the vulnerable transitions of a VET-net.
2) We use hidden Markov models (HMMs) to approximate the state reachability graph of a VET-net. Based on this, we give a vulnerable state evaluation method for a VET-net.
Fig. 1 shows the framework of our methods. In the first stage, by capturing the user transaction behaviors of the e-commerce trading process, we analyze the observable and unobservable actions and then construct a VET-net model. Based on the VET-net, we can find all paths to the final condition; then, according to the characteristics of behaviors, we can locate the vulnerable actions of VET-nets, locating the source of fragility of the trading system for the user in the second step. In the third step, we can obtain a hidden Markov model according to the reachability graph of the VET-net. According to the hidden Markov model and reachability graph, we can compute the vulnerability degree of the VET-net.
The remainder of this paper is organized as follows: Section II discusses related work. Section III reviews some basic concepts and definitions as the basis of the study. Section IV proposes a vulnerability analysis and evaluation method. In Section V, we provide and analyze a real e-commerce example. Finally, we conclude in Section VI.

II. RELATED WORK
Some researchers have studied vulnerability detection and assessment. Among studies on vulnerability diagnosis, Emeka and Liu [15] proposed a method to identify software security vulnerabilities. However, their work mostly concerned software rather than systems themselves. Xu and Nygard [7], Fang et al. [16] proposed a method to locate change based on behavioral profiles. They determined the different parts by comparing the differences between two models. However, this method was based on two models, and it was not suitable for a single model. In fact, in most cases, we do not know the meta-model. In our previous work [12], [13], we proposed a method to diagnose the vulnerability of a model. At the same time, we provided a method to locate the vulnerable points. However, this method could not evaluate these vulnerable points. Allodi and Massacci [17] considered two-stage attacks and escalated the attacks. The escalated attack could be performed by exploiting local vulnerabilities in the target. Wang et al. [18] proposed a method for fault diagnosis of a timed Petri net (TPN). They used a fault diagnosis graph to diagnose an observable TPN. Li and Hadjicostis [19] proposed a method for estimating the minimum initial marking in labeled Petri nets. They used this method to determine the minimum number of resources. Prakash et al. [20] proposed a method to perform online fault detection and isolate multiple faults. They analyzed global and local faults by using the global fault sensitivity signature matrix (GFSSM) and fault sensitivity signature matrix (FSSM). Lefebvre [21] proposed a diagnosis decision method by analyzing observation sequences. However, this method was suitable for observable actions.
Among studies on vulnerability diagnosis, Al-Dwairi and Kamala [22] used security, privacy, design, and content to evaluate the quality of B2C e-commerce websites. They gave an evaluation pattern for B2C e-commerce. However, for an arbitrary e-commerce system, they did not give a clear determination and evaluation method. Wang et al. [23] proposed a vulnerability evaluation method based on the attack graph. This method could address low-complexity attack paths. However, it could not address attack paths with unobservable activities. Fonseca et al. [24] gave a method and a tool to evaluate security mechanisms. This method could determine the possibility of injecting realistic vulnerabilities in a website. However, this diagnostic method was suitable for the process model itself. Pedroni [25] analyzed uncertainty modeling and quantification methods to assess reliability and risk. The analysis compared advanced methods for the modeling, simulation and analysis of safety-critical systems and infrastructure under uncertainty. Khalid et al. [26] examined the degree of customer satisfaction with an e-commerce system. They used a modified American customer satisfaction index (ACSI) model to describe 149 online data points. They showed that customer expectations and e-commerce service quality could affect perceived value. Najafi [27] introduced e-trust building models and provided a method to enhance e-commerce security. Grejner-Brzezinska et al. [28] proposed a method based on spatial positioning, navigation, and timing (PNT) to analyze accuracy, continuity, and reliability. Cabasino et al. [29] used Petri nets based on the notions of minimal explanations and markings to diagnose DESs. They assumed that fault events could be modeled by observable transitions. This method was suitable for observable transitions. Hu et al. [30] proposed a method based on active diagnosis to enhance the diagnosability for a finite state automaton.
This method had a computational advantage over the diagnoser-based ones, but it was not suitable for unobservable transitions. Basile et al. [31] proposed a state estimation and fault diagnosis method for a labeled-time Petri net. They used a modified state class graph (MSCG) to perform fault diagnosis. Shoukry et al. [32] proposed a method to evaluate security. They used satisfiability modulo theory to address the complexity of secure state estimation. Bonhomme [33] proposed a method to assess the marking of an unlabeled P-time Petri net with unobservable transitions. This method used the candidate firing sequences to estimate the marking. Koga et al. [34] used the full-state and associated output feedback control law to control and estimate the one-phase Stefan problem. Hu et al. [35] proposed a method to determine the optimal marked signal distribution. They used a given distortion constraint and expected embedding rate to obtain the optimal distribution.
Although these methods have their own advantages, they are not suitable for detecting the vulnerabilities of unobservable actions. Overall, no sufficient vulnerability assessment methods exist for VET-nets. Thus, in this paper, we focus on vulnerability assessment methods for VET-nets.

III. PRELIMINARIES
This section describes the basic concepts and definitions used in this paper. For more details, the definitions of Petri nets and labeled Petri nets can be found in [16], [36]-[47]. For the definitions of the hidden Markov model and Bayes' theorem, we can refer to [48]-[58].
The triple N = (P, T , F) is a net, if it satisfies the conditions : where dom(F) = {x ∈ P T | ∃y ∈ P T : (x, y) ∈ F} and cod(F) = {x ∈ P T | ∃y ∈ P T : (y, x) ∈ F} P and T are two disjoint sets called the set of places and set of transitions, respectively. F is the flow relation of N .
A Petri net satisfies the following enabling and firing rules: iii) If there exist transitions t 1 , t 2 , and · · · , t k and markings  called a reachability marking set and satisfies the following two conditions: A labeled PN is a 3-tuple G L = (N , , L), which is a labeling function that assigns a label (which can be the null label ε) to each transition.
To better describe the abnormal actions containing unobservable behaviors in the electronic transaction process, our previous work [12] proposes a vulnerable e-commerce transaction net (VET-net).
Definition 1 (VET-net [12]): A VET-net is a 10-tuple 1) (P, T , F, M 0 ) is a Petri net; P is a finite set of places, p I ∈ P is a source place satisfying · p I = ∅ and p F ∈ P is a sink place satisfying · p F = ∅; 2) A is a finite set of actions; where yo represents an observable input, no represents an unobservable input, yf represents an observable output, and nf represents an unobservable output.
The dotted box represents an unobservable transition. The dashed-line box represents an observable transition. Fig. 2 shows four simple VET-nets. In Fig. 2(a) For the enabling and firing rules, refer to GSPN [36] and the literature [12].
In fact, from the definition of VET-net and GSPN, it is not difficult to see the difference between the two is that VET-net focuses on considering both normal actions and malicious actions. Hence, it is possible to use the PIPE tool to analyze its firing sequence and reachability analysis. An attack [59]- [62] is a sequence of actions a 1 .a 2 · · · a n ∈ T such that there exists an elementary path from some initial state induced by a 1 · · · a n that reaches the set G. Fig. 3 characterizes the attack. Based on the attack, vulnerable points can be obtained. Then, the vulnerable transitions can be computed.
A vulnerable point [12] is a point that induces an attack. Accordingly, a vulnerable transition is a transition triggered by a vulnerable point and an unobservable transition.
For example, in Fig. 2(a), the unobservable transitions t 1 , t 2 , t 3  5) π = {π 1 , · · · , π n }, π 1 = p(X 1 = q j ) is the initial state distribution. For 1), we use s t to denote the hidden state at time t, and the value of s t is an element in the set X . For 4), let us suppose that X = X 1 , · · · , X t ; then, b ij (k) = p(X t = O k | s t−1 = q i , s t = q j ).

IV. VULNERABILITY ANALYSIS AND EVALUATION

A. VULNERABILITY ANALYSIS
According to the definition of vulnerable transitions, if we locate the vulnerable points of the VET-net, we can compute the vulnerable transitions. We are inspired by the idea of slices [64], [65]. We assume that the malicious state is the final state, and the vulnerable points are the points in a slice of a VET-net that lead to malicious states. Algorithm 1 is the method to locate the vulnerable transitions.
Theorem 1: Algorithm 1 is correct and terminates.

Proof: Steps 1-33 absorb all conditions of firing path relations. If there is not only one path to P q , then V P is P q , as shown in steps 8 and 18. If there is some common path C to P q , then V P = slice(M i−1 , C, P q ) by step 6. Steps 34-35 satisfy the definition of vulnerable transitions. If there is another common path to P q , then the set of vulnerable points is the whole set P, according to the definitions of slice, vulnerable point and vulnerable transition. Therefore, Algorithm 1 is correct. There are eight decision conditions, at Steps 4, 5, 7, 14, 15, 17, 24 and 26, that are used to determine the firing sequences. The firing sequences σ i are finite sets. Then, the algorithm moves backward by adding a new firing sequence to the slice and removing the current slice until it is empty. Thus, Algorithm 1 will terminate.

Algorithm 1 is the process of locating vulnerable transitions. The input of Algorithm 1 consists of a VET-net, reachability graph, unobservable transitions set and goal state set. Given such input, it always terminates.

Algorithm 1 Vulnerable Transitions Location Algorithm
Input: VET-net, reachability graph RG, unobservable transitions set U T , a goal state set P q .
Output: Vulnerability transitions set V T .
1 for all firing sequences σ 1 , σ 2 , · · · , σ n from M 0 to P q do
2 V P = ∅;

transitions set is as follows:

Property 1: It takes polynomial time to compute V T of a bounded VET-net.

Fig. 2(a) in PIPE tool.

Proof: For a bounded VET-net, the number of places, transactions, arcs and firing sequences are all finite. Let |P| be the number of places, |T| be the number of transitions, |F| be the number of arcs in the VET-net and |σ| be the number of firing sequences. Then, we can see that most of the time is spent computing vulnerability transitions. In each sequence, there are at most |T| transactions and at most |T| + 1 states. Therefore, the first step computes the first sequence σ 1 , which requires |σ| − 1 operations. The second step computes the sequence σ 2 , which costs |σ| − 2 operations, and the third step computes the sequence σ 3 , which requires |σ| − 3 operations. We continue with similar calculations until the last sequence σ |σ| . Thus, the total computing time is [((|σ| − 1)|σ|)/2]. In addition, each sequence has at most |T| + 1 states, and the time spent computing unobservable transitions is at most |T|. Hence, V T can be constructed in polynomial time (i.e., O([((|T| + 1)(|σ| − 1)|σ|)/2])).
Similarly, for Fig. 2(c), the vulnerable transitions set is as follows: In fact, we find that the vulnerable transitions sets of Figs. 2(a), (b), (c) and (d) are the same set {t 1 , t 2 , t 3 , t 4 , t 5 }. In Fig. 2(c), the vulnerable transition t 2 occurs two times. However, in Figs. 2(b) and (d), the vulnerable transition t 2 occurs only one time. To distinguish these conditions, we give the evaluation method for these vulnerable transitions in Section IV-B.

B. VULNERABILITY EVALUATION
The whole computation process is as follows: 1) use the PIPE tool to obtain the reachability graph; 2) compute the occurrence probability of vulnerable transitions based on the hid- and an observed label sequence ω ∈ * (i.e., ω ∈ * , ω = ε), according to [66], we know a priori probability for each initial marking, i.e., P r (M (i) Given a sequence of observations ω, along with their a posteriori probabilities, we can obtain  | ω) is a posteriori probability. l:M (l) ∈C r (ω) p (l) (ω) = 1. For ω = ε, S r (ε) = ε and C r (ε) = M 0 .
We will denote these probabilities by 0 to indicate that the VET-net started at the initial marking M (j) 0 and the sequence of transitions s (k) occurred.
Given a sequence of observations ω, we can obtain the conditional probabilities p (l) (ω), where l is an arbitrary index in C r (ω)). The only possible firing sequences are sequences in the set S r (ω). Since the sequences in the set S r (ω) are not prefixes of each other, the probability of observing ω is The probability of observing ω is the sum of the joint probabilities Pr(s (k) , M (j) 0 ) [66]. For each marking M (l) ∈ C r (ω), we can calculate using Bayes' rule and (4): According to [66], we can obtain an associated probability p M (t) that indicates the a priori probability that t fires at M . In addition, t∈T : Then for k ≥ 2, we have We see that the marking M in the above definition satisfies M ∈ C r (e i 1 e i 2 · · · e i k ). Thus, we have C r (e i 1 e i 2 · · · e i k ) = {M ∈ N n | ∃S ∈ T * T 0 , ∃M ∈ C r (e i 1 e i 2 · · · e i k ) To obtain C rP (e i 1 e i 2 · · · e i k ) by recursion based on C rP (e i 1 e i 2 · · · e i k−1 ), let ω = e i 1 e i 2 · · · e i k−1 and ω = e i 1 e i 2 · · · e i k = ω e i k , we can focus on calculating the numerator of the expression in (7), i.e., where p u stands for an unnormalized probability. Using this decomposition for each string s (k) ∈ S r (ω), we can write the second sum as follows:  Then, according to (13) and (14), we have We take Fig. 2 as an example. The Markov chain model of Fig. 5 is shown in Fig. 6. For Fig. 6(a) In Fig. 6(a), we know that observation α occurs via a transition sequence of (t1t2) * t3 or (t1t2) * t5, which leads to the marking M (1) or M (3) . We can calculate the unnormalized probabilities p (1) u (α) and p (3) u (α) as follows: Similarly, we know that observation αβ occurs via a transition sequence of (t1t2) * t3t4, which leads to the marking M (3) . We can calculate the unnormalized probability p The normalized probabilities of Fig. 6 are given in Table 1.
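The recursion described above (unnormalized probability of each marking after an observation, summed over all unobservable prefixes, then normalized by Bayes' rule) can be run on a small labeled reachability graph. This is an added example, not code from the paper: the graph is constructed so that its firing sequences are the (t1t2)*t3, (t1t2)*t5 and (t1t2)*t3t4 named in the text, and the intermediate marking M2, the label strings and every firing probability are assumptions.

```python
from collections import defaultdict

EPS = None  # label of an unobservable transition

# Constructed reachability graph (assumed topology and probabilities):
# marking -> [(transition, label, a priori firing probability, next marking)]
RG = {
    "M0": [("t1", EPS, 0.5, "M2"), ("t3", "alpha", 0.3, "M1"),
           ("t5", "alpha", 0.2, "M3")],
    "M2": [("t2", EPS, 1.0, "M0")],
    "M1": [("t4", "beta", 1.0, "M3")],
    "M3": [],
}

def silent_closure(dist, rg, tol=1e-12, max_rounds=10_000):
    """Expected mass at each marking after any number of unobservable firings.

    Sums the series over (t1 t2)^k style loops; fails if a silent cycle
    carries probability 1 and the series never decays."""
    total = defaultdict(float, dist)
    frontier = dict(dist)
    for _ in range(max_rounds):
        nxt = defaultdict(float)
        for marking, mass in frontier.items():
            for _t, label, p, dst in rg[marking]:
                if label is EPS:
                    nxt[dst] += mass * p
        if sum(nxt.values()) < tol:
            return dict(total)
        for marking, mass in nxt.items():
            total[marking] += mass
        frontier = nxt
    raise ValueError("silent cycle with probability 1: closure does not converge")

def unnormalized(obs, rg, initial):
    """p_u(marking) right after the last observed label of `obs`."""
    dist = dict(initial)
    for label in obs:
        reach = silent_closure(dist, rg)
        step = defaultdict(float)
        for marking, mass in reach.items():
            for _t, lab, p, dst in rg[marking]:
                if lab == label:
                    step[dst] += mass * p
        dist = dict(step)
    return dist

def posterior(obs, rg, initial):
    """Return (normalized marking probabilities, probability of observing obs)."""
    pu = unnormalized(obs, rg, initial)
    z = sum(pu.values())
    if z == 0.0:  # observation sequence cannot be produced by the net
        return {}, 0.0
    return {m: v / z for m, v in pu.items()}, z

if __name__ == "__main__":
    for omega in (["alpha"], ["alpha", "beta"], ["beta"]):
        print(omega, posterior(omega, RG, {"M0": 1.0}))
```

With these assumed probabilities the unobservable loop t1t2 contributes a geometric series, so the mass reaching M1 on α is 0.3/(1 − 0.5) and the mass reaching M3 is 0.2/(1 − 0.5).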

V. CASE STUDY
In 2015, a Tmall fraud case occurred in Mongolia in China. This process is shown in Fig. 7. We provide a description of this case [12]. First, B obtains the buyers' and sellers' contact information through a Trojan. Second, B tells seller C to help A change this information. Then, B implants a Trojan program into A's computer and transfers A's money to a1. Then, B uses a1 to buy cards and builds a Tmall shop. B transfers money from a1 to a2 as in a normal transaction [12]. The VET-net model of Fig. 7 is shown in Fig. 8. Table 2 describes the meaning of the transitions in Fig. 8. We use PIPE to construct a reachability graph, as shown in Fig. 9. Figs. 10 and 11 show the overview of the transition sequences. In Fig. 10, the horizontal axis shows each state, and the vertical coordinates show the number of sequences. According to Fig. 10, there are 504 firing sequences to reach state S 47 . In Fig. 11, the horizontal axis shows the number of layers. Layer 1 indicates the first layer, including     a15, a21, a22, a23, b22, b23, c14 that can trigger to reach S 47 . σ 1 σ 2 · · · σ i σ j = ∅; there is not only one path to S 47 , and ∀p ∈ P.M i−1 (p) ≥ M i (p). Then, according to Algorithm 1, The vulnerable transitions set is as follows: The normalized probabilities are given in Fig. 12. In Fig. 12, yellow shows the firing probability of transitions in each sequence, and blue shows the firing probability of transitions in all sequences. We can see that the probability of the transitions a15, a21, a22, b22, b23, c14 is 1 in each sequence. The probability of transitions a23 and b23 in each sequence is 0.1190 and 0.8810, respectively. The probabilities in all transitions are 0.125, 0.235119047619048, 0.264880952380952, 0.0148809523809524, 0.125, 0.110119047619048, and 0.125.

VI. CONCLUSION & FUTURE WORK
Due to the short times involved in online transactions and online payment platforms, online trading processes and trusted behavior issues are emerging along with the rapid development of online shopping and have gradually become a bottleneck in network trade development. Many e-commerce software systems are not mature and reliable, and they have flaws and mistakes that can be used by invaders. This leads to the emergence of security vulnerabilities and loss of user funds. This paper is motivated by the trusted behavior issues faced by these vulnerable network trade systems. Due to the uncomplicated graphical representation of a labeled Petri net, it can describe the overall structure of a local specification and unobservable actions well. However, the formal definition of its components can be used to provide precise abstraction. The VET-net is a subclass of labeled Petri nets. It can be used to model and simulate vulnerable e-commerce systems with unobservable actions. In this paper, on the basis of VET-nets, we describe the concept of vulnerable transitions, which include not only vulnerable actions but also unobservable transitions. Based on the concept of a slice, we then present a new method to locate the vulnerable transitions of a VET-net. We use hidden Markov models (HMMs) to approximate the state reachability graph of a VET-net; this is called the HMM-RG method. Based on the HMM-RG, we describe the vulnerable state evaluation method of VET-nets. The vulnerable state evaluation method addresses the original problem. The proposed method is suitable for verifying and evaluating an online transaction system. It can also be used to verify simple e-commerce systems. The advantages of these methods are in dealing with unobservable actions. The proposed vulnerability assessment method can help designers analyze, diagnose and evaluate system vulnerabilities. 
Thus, the proposed method can be readily used in the system design and analysis of industrial online transaction business processes. Due to neglecting data information, the methods are not suitable for some e-commerce systems, e.g., EBPN [4], [6], [13]. Regarding future work, there are other problems that require study related to the vulnerability evaluation of e-commerce systems, such as evaluation of data information and attack prevention.