CN102693393A - Software vulnerability detection method based on behavioral characteristic automaton model - Google Patents
Software vulnerability detection method based on behavioral characteristic automaton model Download PDFInfo
- Publication number
- CN102693393A CN102693393A CN2012101628964A CN201210162896A CN102693393A CN 102693393 A CN102693393 A CN 102693393A CN 2012101628964 A CN2012101628964 A CN 2012101628964A CN 201210162896 A CN201210162896 A CN 201210162896A CN 102693393 A CN102693393 A CN 102693393A
- Authority
- CN
- China
- Prior art keywords
- behavioural characteristic
- automaton model
- leak
- logic
- software
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 230000003542 behavioural effect Effects 0.000 title claims abstract description 86
- 238000001514 detection method Methods 0.000 title claims abstract description 17
- 238000000034 method Methods 0.000 claims abstract description 17
- 230000008569 process Effects 0.000 claims description 4
- 238000005259 measurement Methods 0.000 abstract 1
- 230000006870 function Effects 0.000 description 6
- 230000009471 action Effects 0.000 description 4
- VYZAMTAEIAYCRO-UHFFFAOYSA-N Chromium Chemical compound [Cr] VYZAMTAEIAYCRO-UHFFFAOYSA-N 0.000 description 3
- 238000011002 quantification Methods 0.000 description 3
- 230000007704 transition Effects 0.000 description 3
- 238000004458 analytical method Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 238000011160 research Methods 0.000 description 2
- 241000700605 Viruses Species 0.000 description 1
- 230000002860 competitive effect Effects 0.000 description 1
- 230000002950 deficient Effects 0.000 description 1
- 235000013399 edible fruits Nutrition 0.000 description 1
- 238000000605 extraction Methods 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 238000012905 input function Methods 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Images
Landscapes
- Stored Programmes (AREA)
Abstract
The invention relates to a software vulnerability detection method based on a behavioral characteristic automaton model, comprising the steps of 1), loading the automaton model with data constraint to the flow from the vulnerability behavioral characteristic library, building an automaton model with data constraint; 2), converting the behavioral characteristic sequence in the vulnerability behavioral characteristic library into behavioral characteristic language by the automaton model; 3), cyclically judging if the behavioral characteristic has uniqueness or measuring similarity among measurement behavioral characteristic individuals by the automaton model; if the behavioral characteristic has uniqueness, detecting software state based on mathematical logic and reporting existence of the software vulnerability by the automaton model; if the behavioral characteristic has similarity, detecting software state based on Bayesian logic and reporting existence of the software vulnerability by the automaton model. Compared with the prior art, the method has the advantages of improving software vulnerability detection efficiency of a computer, etc.
Description
Technical field
The present invention relates to a kind of detection method of computer software leak, especially relate to a kind of software vulnerability detection method based on the behavioural characteristic automaton model.
Background technology
Software vulnerability is the potential safety hazard that exists in the program, if by the computer virus utilization, will cause serious harm to system.Though had been found that many leaks, and set up vulnerability database, the known bugs behavior description is imperfection also.Describing in the unknown leak process of discovery according to these, also need assist a large amount of artificial judgment, robotization reasoning degree is low.
It is too fuzzy that behavioural characteristic in subject matter (1) vulnerability database is described semanteme, can't utilize existing feature description to go to judge and have unknown leak in the software.
Current vulnerability database mainly is a semantic layer to the leak behavior description; Google Chrome arbitrary code is carried out leak; Their leak semantic description is " there is the race condition mistake in version before the Google Chrome 17.0.963.46, allows long-range attack person to carry out arbitrary code through the vector that meeting triggers the utility program collapse ".Such semantic description is too unintelligible, and specific software has just been explained in this description, and certain type of leak that exists in the particular version number can't go whether to have unknown leak in the reasoning and judging other types software according to these descriptions.
The classification of subject matter (2) leak behavioural characteristic and quantification are too simple, can't be used for unknown Hole Detection.
When Google Chrome arbitrary code was carried out leak and classified, common leak disclosed the form that tabulation CVE adopts vulnerability database name+discovery time+numbering, and like CVE-2011-3961, such classified information not enough.China country computer network instrument is taken precautions against the center this leak has been adopted oneself numbering NIPC-2012-0428, is the classification of competitive condition mistake to the leak type.This sorting technique is applied among the China national information security vulnerability database leak CNNVD-201202-170 equally.According to leak characteristic attribute method than chronological classification method improvement has been arranged.The risk class that " general leak points-scoring system " CVSS V2 provides this leak is: 9.3, but such quantification explains that just leak has very high-risk grade, the quantification gradation value is for not effect of reasoning and judging.
Subject matter (3) is in the Hole Detection process, and the employing lexical analysis can't detect the behavior leak, and the constraint Analysis method can produce a large amount of noises in tracking behavior control stream, can't clear expression behavior semanteme.In detection, also need assist a large amount of artificial judgment, robotization reasoning degree is lower.
In sum; On the basis of following the trail of domestic and international present Research; Find the bottleneck problem of existence: the behavioural characteristic of known bugs is described too fuzzy; The classification of characteristic and quantized result are too simple, and the behavioural characteristic performance is indeterminate with the essential connection of leak, therefore can't detect unknown leak according to these feature inferences.
Summary of the invention
The object of the invention is exactly for the defective that overcomes above-mentioned prior art existence a kind of software vulnerability detection method based on the behavioural characteristic automaton model that can accurately judge whether to exist software vulnerability according to known behavioural characteristic to be provided.
The object of the invention can be realized through following technical scheme:
A kind of software vulnerability detection method based on the behavioural characteristic automaton model, this method may further comprise the steps:
The automaton model that 1) will have a data constraint is written into flow process from leak behavioural characteristic storehouse, set up the automaton model with data constraint;
2) convert the behavioural characteristic sequence in the leak behavioural characteristic storehouse to the behavioural characteristic language through automaton model;
3) whether have the similarity between uniqueness or tolerance behavioural characteristic individuality through automaton model cycle criterion behavioural characteristic, if behavioural characteristic has uniqueness, then execution in step 4), if behavioural characteristic has similarity, then execution in step 5);
4) according to the semanteme of behavioural characteristic, automaton model detects application state based on mathematical logic, and the existence of reporting software leak;
5) according to the semanteme of behavioural characteristic, automaton model detects application state based on Bayesian logic, and the existence of reporting software leak.
Described automat comprises finite-state automata and behavioural characteristic automat, and described finite-state automata judges whether behavioural characteristic has uniqueness, the similarity between described behavioural characteristic automat tolerance behavioural characteristic individuality.
Describedly detect application state based on mathematical logic and be specially:
It is semantic to adopt propositional logic or predicate logic to express behavioural characteristic, and automaton model judges whether to exist software vulnerability according to known behavioural characteristic.
Describedly detect application state based on Bayesian logic and be specially:
On the basis of behavior characteristic semanteme, utilize Bayesian formula, make up probabilistic logic, judge whether to exist software vulnerability through automaton model.
Compared with prior art, the present invention can detect the existence of software vulnerability accurately according to known behavioural characteristic, thereby improves the reliability and the security of computer software.
Description of drawings
Fig. 1 is the schematic flow sheet of detection method of the present invention.
Embodiment
Below in conjunction with accompanying drawing and specific embodiment the present invention is elaborated.
Embodiment
As shown in Figure 1, a kind of software vulnerability detection method based on the behavioural characteristic automaton model, this method may further comprise the steps:
1) expression of known bugs behavioural characteristic in the leak behavioural characteristic storehouse;
11) set up automaton model BAR with data constraint:
BAR=function(Behavior(),Automaton(),reasoning())
Behavior=B(Judge,In,Out,State,Action)
Automaton=(FSM(In,Out,State,f(In),g(s)),BM(Behavior))
Re?asoning(Logic(FSM(),NoClassicalLogic(BM()))
Wherein, Behavior representes the behavioural characteristic expression, and Automaton representes automat, and reasoning representes reasoning; Behavioural characteristic is expressed as and retrains Judge, input In, output Out, function that state State is relevant with behavior Action; Automat comprises finite-state automata FSM (In, Out, State, f (In), g (s)) and behavioural characteristic automat BM (Behavior), wherein representes f (In) input function, and g (s) representes state transition function; Inference method comprises reasoning and the approximate resoning in the non-classical logic in the classical logic.
12) convert the behavioural characteristic sequence in the leak behavioural characteristic storehouse to behavioural characteristic language L (BAR) through automaton model, for follow-up language classification is laid a good foundation:
L(BAR)={w|w∈In,f(S
0,w)∈S,f
1(S
0,w)∈B}
W is automat BAR acceptable behavior sequence w, and these sequences belong to input set In.From original state S
0Beginning is through state transition function f (S
0, w), the result is the element of state set S;
Same through f
1(S
0, w) ∈ B, the result is the element of behavior set B.State transition function and behavior transfer function all with original state S
0Relevant with the behavior sequence w of input.
2) judge through automaton model whether behavioural characteristic has the similarity between uniqueness or tolerance behavioural characteristic individuality;
21) the language L (w that is accepted by finite-state automata
0) be the software action uniqueness characteristic, the concrete judgement of uniqueness is following:
Suppose that Ω is the ensemble space of behavioural characteristic L (w), behavioural characteristic need meet the following conditions
L(w
1)∪L(w
2)…∪L(w
n)=Ω
L (w so
1) ∪ L (w
2) ... ∪ L (w
n) be the division of Ω, research is at w
iLast extraction behavioural characteristic L (w
i) method, enable to satisfy any two characteristics and occur simultaneously for empty, make it and possess " uniqueness ", can divide characteristic set.
22) similarity is meant the difference of behavior and characteristic.Similarity P (w
i| L (w
0)) be the key foundation which kind of type leak the judgement behavior belongs to, its formula is following:
When the behavioural characteristic of individuality can not be by speech recognition
Similarity is defined as personal feature S (w
i) and category feature S (w
0) the ratio.
3) according to the semanteme of behavioural characteristic, automaton model detects application state based on mathematical logic or Bayesian logic, and the existence of reporting software leak.For definite semantic, promptly have the behavioural characteristic of uniqueness, with the behavioural characteristic that propositional logic or predicate logic are described, select classical logic for use, make up automat and detect judgement.For semantic ambiguity, promptly have the behavioural characteristic of similarity, adopt Bayesian logic to describe behavioural characteristic, adopt the approximate resoning to judge the possibility that has leak.
31) detect based on logistic automat reasoning
Finite-state automata has solved the description of software vulnerability grammer, and mathematical logic can solve semantic reasoning, and is applied to inference method in the automat, has behavioural characteristic according to known software, and reasoning and judging belongs to the sort of type leak.
311) the semantic definition of behavioural characteristic
The instruction level of subordinate act characteristic, it is semantic to express behavior with propositional logic or predicate logic.
P for example assigns a topic: integer Overflow Vulnerability Q: buffer-overflow vulnerability R: overflow.
The integer Overflow Vulnerability causes overflowing, and contains definition: P → R;
Buffer-overflow vulnerability causes overflowing, the definition of containing: Q → R;
Known conditions: taken place to overflow: R is not a buffer-overflow vulnerability:
infer and to have the sort of type leak?
312) definition is contained and equivalence formula
Contain formula definition: (I1) P ∧ Q=>P; (I2) Q, Q → R=>R; (I3) P, P → R=>R formula definition of equal value: (E1)
313) make up the reasoning automat
With inference machine the definition of containing formula and equivalence formula is described, then according to known behavioural characteristic, the unknown leak that reasoning and judging exists.The definition of reasoning automat:
R={w,L(w),V,I,E}
R is the reasoning automat, and w is a software action,, L (w) is a behavioural characteristic, and V is the leak set, and I contains formulary, and E is the equivalence formula collection.
32) the approximate automat reasoning based on Bayesian logic detects
This known results, the situation of reasoning reason can utilize Bayes's posterior probability to derive.
321) Bayesian logic
If Vulnerability events B
1, B
2..., B
n, and behavioural characteristic A satisfies B
1, B
2..., B
nObjectionable intermingling in twos, P (B
i)>0, i=1,2 ..., n,
P (A)>0
Prior probability P (B
i), represent certain type of leak probability of happening P (B
1), P (B
2)
Conditional probability P (A/B
i), represent leak the probability of behavioural characteristic, P (B to occur
1→ A), P (B
2→ A)
Posterior probability P (B
i/ A), and after software takes place unusually, the posterior probability that certain leak takes place.P(A→B
1)=?
Bayesian logic:
322) the Bayesian approximate resoning in the automat
In automat, contain formula (I2) Q; Q → R=>R; P (Q); P (R|Q) can adopt the formula P (I2)
that contains of its probability to represent.According to prior probability P (B
i), conditional probability P (A/B
i), ask P (B
i/ A) probability is verified in the back, expresses reasoning from logic with bayes method.Automat can carry out approximate resoning to the behavior semantic feature according to probable value.
Adopt the suitable environment of automat approximate resoning method: suppose that leak is made up of the leak of some types, objectionable intermingling between the leak, the probability of each leak generation is all greater than 0.When knowing that probability that leak takes place with leak back software takes place and has unusual probability, require reasoning and judging to work as after software occurs unusually, the probability of certain type of leak generation just can
Conditional probability, Bayesian formula is incorporated in the automat inference system, can better reflect the probabilistic law of " cause and effect ", make " by fruit north because of " deduction, can realize that known behavioural characteristic infers unknown software vulnerability.
On the basis of behavior characteristic semanteme, utilize Bayesian formula, make up probabilistic logic; And structure automat inference method; The unknown leak of reasoning and judging is applicable to the cause-effect relationship that has disclosed behavioural characteristic and leak, realizes the reasoning of known behavioural characteristic to unknown leak.
Claims (4)
1. software vulnerability detection method based on the behavioural characteristic automaton model is characterized in that this method may further comprise the steps:
The automaton model that 1) will have a data constraint is written into flow process from leak behavioural characteristic storehouse, set up the automaton model with data constraint;
2) convert the behavioural characteristic sequence in the leak behavioural characteristic storehouse to the behavioural characteristic language through automaton model;
3) whether have the similarity between uniqueness or tolerance behavioural characteristic individuality through automaton model cycle criterion behavioural characteristic, if behavioural characteristic has uniqueness, then execution in step 4), if behavioural characteristic has similarity, then execution in step 5);
4) according to the semanteme of behavioural characteristic, automaton model detects application state based on mathematical logic, and the existence of reporting software leak;
5) according to the semanteme of behavioural characteristic, automaton model detects application state based on Bayesian logic, and the existence of reporting software leak.
2. a kind of software vulnerability detection method according to claim 1 based on the behavioural characteristic automaton model; It is characterized in that; Described automat comprises finite-state automata and behavioural characteristic automat; Described finite-state automata judges whether behavioural characteristic has uniqueness, the similarity between described behavioural characteristic automat tolerance behavioural characteristic individuality.
3. a kind of software vulnerability detection method based on the behavioural characteristic automaton model according to claim 1 is characterized in that, describedly detects application state based on mathematical logic and is specially:
Adopt propositional logic or predicate logic to express the semanteme of behavioural characteristic, automaton model judges whether to exist software vulnerability according to known behavioural characteristic.
4. a kind of software vulnerability detection method based on the behavioural characteristic automaton model according to claim 1 is characterized in that, describedly detects application state based on Bayesian logic and is specially:
On the basis of behavior characteristic semanteme, utilize Bayesian formula, make up probabilistic logic, judge whether to exist software vulnerability through automaton model.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210162896.4A CN102693393B (en) | 2012-05-21 | 2012-05-21 | Software vulnerability detection method based on behavioral characteristic automaton model |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210162896.4A CN102693393B (en) | 2012-05-21 | 2012-05-21 | Software vulnerability detection method based on behavioral characteristic automaton model |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102693393A true CN102693393A (en) | 2012-09-26 |
| CN102693393B CN102693393B (en) | 2015-03-04 |
Family
ID=46858818
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201210162896.4A Active CN102693393B (en) | 2012-05-21 | 2012-05-21 | Software vulnerability detection method based on behavioral characteristic automaton model |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102693393B (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102982282A (en) * | 2012-11-26 | 2013-03-20 | 北京神州绿盟信息安全科技股份有限公司 | Program bug detection system and method |
| CN105763575A (en) * | 2016-05-17 | 2016-07-13 | 北京智言金信信息技术有限公司 | Loophole control method based on loophole states |
| CN107392029A (en) * | 2017-07-28 | 2017-11-24 | 中国人民解放军63928部队 | A kind of Vulnerability Model construction method based on Chemical Abstract Machine |
| CN109508540A (en) * | 2018-09-12 | 2019-03-22 | 成都奥卡思微电科技有限公司 | A kind of chip secure monitoring method and security monitoring chip |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101388055A (en) * | 2008-10-22 | 2009-03-18 | 南京大学 | Program operation characteristic extracting method for detecting vulnerability model |
| CN101571828A (en) * | 2009-06-11 | 2009-11-04 | 北京航空航天大学 | Method for detecting code security hole based on constraint analysis and model checking |
-
2012
- 2012-05-21 CN CN201210162896.4A patent/CN102693393B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101388055A (en) * | 2008-10-22 | 2009-03-18 | 南京大学 | Program operation characteristic extracting method for detecting vulnerability model |
| CN101571828A (en) * | 2009-06-11 | 2009-11-04 | 北京航空航天大学 | Method for detecting code security hole based on constraint analysis and model checking |
Non-Patent Citations (3)
| Title |
|---|
| 张晛譞: "基于模糊度量的软件漏洞检测技术的研究", 《网络安全技术与应用》, no. 4, 30 April 2010 (2010-04-30), pages 12 * |
| 肖峰: "源码审核技术中的语法分析研究", 《中国优秀硕士学位论文全文数据库》, 31 August 2009 (2009-08-31), pages 26 * |
| 陈楷: "计算机软件中安全漏洞检测技术的应用", 《数字技术与应用 》, no. 7, 31 July 2010 (2010-07-31), pages 90 * |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102982282A (en) * | 2012-11-26 | 2013-03-20 | 北京神州绿盟信息安全科技股份有限公司 | Program bug detection system and method |
| CN102982282B (en) * | 2012-11-26 | 2015-12-23 | 北京神州绿盟信息安全科技股份有限公司 | The detection system of bug and method |
| CN105763575A (en) * | 2016-05-17 | 2016-07-13 | 北京智言金信信息技术有限公司 | Loophole control method based on loophole states |
| CN105763575B (en) * | 2016-05-17 | 2019-05-10 | 北京智言金信信息技术有限公司 | A kind of loophole control method based on Vuln Status |
| CN107392029A (en) * | 2017-07-28 | 2017-11-24 | 中国人民解放军63928部队 | A kind of Vulnerability Model construction method based on Chemical Abstract Machine |
| CN107392029B (en) * | 2017-07-28 | 2020-07-07 | 中国人民解放军63928部队 | Vulnerability model construction method based on chemical abstract machine |
| CN109508540A (en) * | 2018-09-12 | 2019-03-22 | 成都奥卡思微电科技有限公司 | A kind of chip secure monitoring method and security monitoring chip |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102693393B (en) | 2015-03-04 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN106844424A (en) | A kind of file classification method based on LDA | |
| Rakha et al. | Studying the needed effort for identifying duplicate issues | |
| CN106294619A (en) | Public sentiment intelligent supervision method | |
| CN105930360A (en) | Storm based stream computing frame text index method and system | |
| CN107103363B (en) | A kind of construction method of the software fault expert system based on LDA | |
| CN103970730A (en) | Method for extracting multiple subject terms from single Chinese text | |
| Hooi et al. | A survey on ontology mapping techniques | |
| CN103164428B (en) | Determine the method and apparatus of the correlativity of microblogging and given entity | |
| CN113595998A (en) | Bi-LSTM-based power grid information system vulnerability attack detection method and device | |
| Liu et al. | A concurrent fault diagnosis method of transformer based on graph convolutional network and knowledge graph | |
| Herzig | Belief change operations: a short history of nearly everything, told in dynamic logic of propositional assignments | |
| CN102693393B (en) | Software vulnerability detection method based on behavioral characteristic automaton model | |
| Qiu et al. | Extracting causal relations from emergency cases based on conditional random fields | |
| Gu et al. | Enhancing text classification by graph neural networks with multi-granular topic-aware graph | |
| Yun et al. | An efficient approach for mining weighted approximate closed frequent patterns considering noise constraints | |
| Hong et al. | Rule-enhanced noisy knowledge graph embedding via low-quality error detection | |
| Madani et al. | Fake news detection using deep learning integrating feature extraction, natural language processing, and statistical descriptors | |
| Han et al. | Multi-spatial scale event detection from geo-tagged tweet streams via power-law verification | |
| Lassalle et al. | Improving pairwise coreference models through feature space hierarchy learning | |
| Chaganty et al. | Combining relational learning with SMT solvers using CEGAR | |
| Zhang et al. | Acquiring knowledge from inconsistent data sources through weighting | |
| Tovar et al. | Identification of Ontological Relations in Domain Corpus Using Formal Concept Analysis. | |
| Yang et al. | Attribute reduction based on misclassification cost in variable precision rough set model | |
| Rodriguez et al. | Modal uncertainty logics with fuzzy neighborhood semantics | |
| Amara et al. | Syntaxshap: Syntax-aware explainability method for text generation |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CP01 | Change in the name or title of a patent holder | ||
| CP01 | Change in the name or title of a patent holder |
Address after: 200090 No. 2103, Pingliang Road, Shanghai, Yangpu District Patentee after: Shanghai University of Electric Power Address before: 200090 No. 2103, Pingliang Road, Shanghai, Yangpu District Patentee before: SHANGHAI University OF ELECTRIC POWER |
|
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20220124 Address after: Room 1001-11, 323 Guoding Road, Yangpu District, Shanghai 200433 Patentee after: SHANGHAI YUNJIAN INFORMATION TECHNOLOGY Co.,Ltd. Address before: 200090 No. 2103, Pingliang Road, Shanghai, Yangpu District Patentee before: Shanghai University of Electric Power |