CN102982282A - Program bug detection system and method - Google Patents

Program vulnerability detection system and method

(Google Patents machine translation of the Chinese original. The listing title renders 漏洞, "vulnerability", as "bug" and the body text renders it as "leak"; the text below uses "vulnerability" throughout.)

Publication number: CN102982282A (granted as CN102982282B)
Authority: CN (China)
Application number: CN201210487298.4A
Legal status: granted, active (the listing marks the status as an assumption, not a legal conclusion)
Inventor: 孙建坡
Original assignee: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd
Current assignee (as listed): Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Prior art keywords: vulnerability, fuzzy, fuzzy pattern, degree, association information
Other languages: Chinese (zh)
Classification: Computer And Data Communications; Storage Device Security
Abstract

The invention discloses a program vulnerability detection system and method, intended to address two shortcomings of prior-art vulnerability detection: incomplete coverage and a high false-alarm rate. The system comprises an execution path simulation generator, a vulnerability attribute association generator and a fuzzy state automaton detector. The execution path simulation generator determines the execution path information of the program source code and sends it to the fuzzy state automaton detector; the vulnerability attribute association generator generates a frequent fuzzy pattern set from the vulnerability information stored in a configured vulnerability database and sends it to the fuzzy state automaton detector; and the fuzzy state automaton detector determines the execution flow of the program source code from the execution path information, determines the matching degree between that execution flow and the fuzzy patterns contained in the frequent fuzzy pattern set, and determines the safety degree of the program source code from the matching degree.

Description

Program vulnerability detection system and method
Technical field
The present invention relates to the field of network security technology, and in particular to a program vulnerability detection system and method.
Background
Vulnerability detection is usually divided into two broad classes: dynamic detection and static detection.
Dynamic detection analyses the program's runtime environment (environment variables, memory, heap and stack, and so on) and compares the result obtained after running the program with the expected result. It is generally used for black-box testing; its advantage is that it needs neither the program's source code nor its binary code to be modified, and its drawback is that its coverage of vulnerabilities is incomplete. The example the patent gives is DEP (Data Execution Prevention): it can only catch vulnerabilities that would let the software be attacked through the stack and cannot detect those that would let it be attacked through the heap. (DEP is strictly a runtime exploit mitigation rather than a detection technique; the underlying point applies to any runtime check, namely that it observes only the paths that actually execute.)
Static detection does not run the program; it examines the program's correctness by analysing or inspecting its grammar, structure, procedures and interfaces. In essence it builds a state model of the program and then analyses how the program moves between the states that model contains. Existing static detection has known defects: its coverage of vulnerabilities is incomplete, it cannot effectively discover unknown vulnerabilities, and it lacks any adaptive learning ability. Lexical analysis, for instance, extracts the program's key syntax and interprets its semantics to decide whether the program contains a vulnerability. But lexical analysis is only a syntactic check: it splits the program into fragments and compares each fragment with a configured "lexical database" to decide whether a vulnerability is present. The vulnerabilities it can detect are very few, usually a handful of known fixed ones, and its false-alarm rate is quite high. Rule-based detection, another static technique, is a code-scanning technique for known vulnerabilities; for known vulnerability types it is efficient and accurate, but it cannot detect vulnerabilities of unknown types.
Summary of the invention
Embodiments of the invention provide a program vulnerability detection system and method to address the incomplete coverage and high false-alarm rate of prior-art vulnerability detection.
The embodiments adopt the following technical solution:
A program vulnerability detection system comprises an execution path simulation generator, a vulnerability attribute association generator and a fuzzy state automaton detector, where:
the execution path simulation generator determines the execution path information of the program source code under test and sends the determined execution path information to the fuzzy state automaton detector;
the vulnerability attribute association generator, from the vulnerability information stored in a configured vulnerability database, generates a vulnerability association record set made up of a plurality of vulnerability association records, each record consisting of a plurality of logically associated items of vulnerability information; determines, for each association record in the set, its support for each fuzzy pattern, where each fuzzy pattern corresponds to a different specified vulnerability attack pattern; according to the determined support, chooses fuzzy patterns from those corresponding to the specified attack patterns to form a frequent fuzzy pattern set; and sends the frequent fuzzy pattern set to the fuzzy state automaton detector;
the fuzzy state automaton detector receives the execution path information sent by the execution path simulation generator and the frequent fuzzy pattern set sent by the vulnerability attribute association generator; determines the execution flow of the program source code from the received execution path information; determines the matching degree between that execution flow and the fuzzy patterns contained in the frequent fuzzy pattern set; and determines the safety degree of the program source code from the matching degree.
A program vulnerability detection method comprises:
the execution path simulation generator determining the execution path information of the program source code under test and sending it to the fuzzy state automaton detector;
the vulnerability attribute association generator generating, from the vulnerability information stored in the configured vulnerability database, a vulnerability association record set made up of a plurality of association records, each consisting of a plurality of logically associated items of vulnerability information;
the vulnerability attribute association generator determining, for each association record in the set, its support for each fuzzy pattern, each fuzzy pattern corresponding to a different specified vulnerability attack pattern;
the vulnerability attribute association generator choosing, according to the determined support, fuzzy patterns from those corresponding to the specified attack patterns to form a frequent fuzzy pattern set, and sending that set to the fuzzy state automaton detector;
the fuzzy state automaton detector receiving the execution path information sent by the execution path simulation generator and the frequent fuzzy pattern set sent by the vulnerability attribute association generator;
the fuzzy state automaton detector determining the execution flow of the program source code from the received execution path information;
the fuzzy state automaton detector determining the matching degree between that execution flow and the fuzzy patterns in the frequent fuzzy pattern set, and determining the safety degree of the program source code from the matching degree.
The beneficial effects of the embodiments are as follows:
The scheme has the fuzzy state automaton detector determine the execution flow of the program source code and its matching degree against the fuzzy patterns that correspond to different vulnerability attack patterns. The higher the matching degree, the more readily the execution flow of the source code can be exploited, so a safety-degree value characterising the program's safety can be determined from the matching degree. (Note the polarity the patent uses throughout: this value is 0 for safe code and 1 for code with a confirmed vulnerability, so it is in effect a defect or risk degree.) The scheme is essentially an improvement on prior-art static detection and achieves the aims of improving on prior-art vulnerability detection and reducing false alarms. Further, the fuzzy state automaton detector determines the vulnerability information of the program source code and feeds it back to the vulnerability database, so the database is completed with newly detected vulnerability types; this avoids the prior-art inability to detect vulnerabilities of unknown type and improves the effectiveness and adaptivity of the detection system.
Description of drawings
Fig. 1 is a schematic structure diagram of the program vulnerability detection system provided by an embodiment of the invention;
Fig. 2 is a schematic diagram of the transitions between the initial state and the succeeding states of a vulnerability attack pattern;
Fig. 3 is a schematic structure diagram of the fuzzy-separator-based static adaptive fuzzy finite automaton detection model as used in practice;
Fig. 4 is a schematic flow diagram of the program vulnerability detection method provided by an embodiment of the invention.
Embodiment
To address the prior-art inability to detect vulnerabilities of unknown type, the embodiments provide a vulnerability detection scheme in which a fuzzy state automaton detector determines the execution flow of the program source code and its matching degree against the fuzzy patterns corresponding to different vulnerability attack patterns. Since a higher matching degree means the execution flow is more readily exploited, a safety-degree value characterising the program's safety can be derived from it. Further, the detector determines the vulnerability information of the program source code and feeds it back to the vulnerability database, completing the database with newly detected vulnerability types; this is what lets the system detect vulnerabilities of unknown type and gives it its effectiveness and adaptivity.
The scheme provided by the embodiments is described in detail below with reference to the drawings.
First, an embodiment provides the program vulnerability detection system shown in Fig. 1, comprising an execution path simulation generator, a vulnerability attribute association generator and a fuzzy state automaton detector, whose functions are described in turn.
The execution path simulation generator determines the execution path information of the program source code under test and sends it to the fuzzy state automaton detector.
The vulnerability attribute association generator generates, from the vulnerability information stored in the configured vulnerability database, the vulnerability association record set (each record consisting of several logically associated items of vulnerability information); determines each record's support for each fuzzy pattern, each fuzzy pattern corresponding to a different specified vulnerability attack pattern; chooses, according to the determined support, fuzzy patterns from those corresponding to the specified attack patterns to form the frequent fuzzy pattern set; and sends that set to the fuzzy state automaton detector.
The fuzzy state automaton detector receives the execution path information and the frequent fuzzy pattern set; determines the execution flow of the source code from the execution path information; determines the matching degree between that flow and the fuzzy patterns in the frequent set; and determines the safety degree of the source code from the matching degree.
Optionally, the fuzzy state automaton detector can further determine the vulnerability information of the program source code and feed it back to the vulnerability database.
Specifically, the fuzzy state automaton detector can determine the matching degree between the execution flow and the fuzzy patterns in the frequent fuzzy pattern set, and from it the safety-degree value (0 for safe code, 1 for a confirmed vulnerability, as defined later in the description), by the following sub-steps:
Sub-step one: judge whether the initial state q0 of the vulnerability attack pattern corresponding to a fuzzy pattern in the frequent fuzzy pattern set has appeared in the execution flow; if not, perform sub-step two; if so, perform sub-step three.
Sub-step two: determine that the execution flow matches none of the fuzzy patterns in the frequent fuzzy pattern set, set the safety-degree value of the program source code to 0, and end.
Sub-step three: determine the succeeding state of the vulnerability attack pattern whose initial state appeared in the execution flow, and proceed to sub-step four.
Fig. 2 shows the transitions between the initial state of the vulnerability attack pattern corresponding to a fuzzy pattern and its succeeding states. Here q0 is the initial state of the attack pattern, and q_v indicates that the program source code contains a vulnerability that fully matches some known vulnerability association record. The succeeding states q1, q13 and so on, which appear after q0 and lie in order on a path of several states that finally points to q_v, together form one vulnerability attack pattern. Likewise q2, q12 and so on, which appear after q0 and lie on another path that finally points to q_v, form another attack pattern.
In addition, q_w indicates that the program source code has no vulnerability, and q_z indicates that it contains a vulnerability that only partially matches every known vulnerability association record. The vulnerability information corresponding to q_z is usually exactly the new vulnerability information that needs to be fed back into the vulnerability database.
In the embodiments, the succeeding states of the attack pattern corresponding to a fuzzy pattern (q12, q13 and so on) can be determined from a state transition function set in advance.
Sub-step four: determine the matching degree between the succeeding state determined in sub-step three and the execution flow. When the execution flow fully matches every fuzzy value that some fuzzy pattern comprises, set the safety-degree value of the program source code to 1; in terms of Fig. 2 the state finally reached through the state transition function is then q_v. When the execution flow only partially matches the fuzzy values of every fuzzy pattern, set the safety-degree value to a value greater than 0 and less than 1; the state finally reached is then q_z.
This completes the processing of the sub-steps above.
That was one specific implementation of the fuzzy state automaton detector's functions; the specific implementation of the vulnerability attribute association generator's functions is introduced next.
One: generating the vulnerability association record set.
In the embodiments, the vulnerability attribute association generator can first determine, from the vulnerability information stored in the vulnerability database together with vulnerability logical-association information obtained beforehand by statistics, a number of logically associated vulnerability association records built from that vulnerability information; then, according to a predetermined association-record selection rule, choose records from those determined to form the vulnerability association record set.
The selection rule can specifically be: choose those association records in which the degree of logical association between the included items of vulnerability information exceeds a preset association-degree threshold.
Optionally, the association record set can also be formed directly from all the determined records without applying this rule. The benefit of applying it, however, is that records built from vulnerability information whose logical association is weak, even if some association exists, are excluded from the set, so that records of little practical value do not take part in later computation, waste system resources and reduce the system's detection efficiency.
Two: determining an association record's support for a fuzzy pattern.
In the embodiments, different fuzzy patterns can each be assumed to comprise several fuzzy values. The vulnerability attribute association generator then determines, for each association record in the set, its support for each of the fuzzy patterns corresponding to the specified vulnerability attack patterns, as follows:
first, for each fuzzy pattern, compute the degree of membership of the record for each fuzzy value the pattern comprises;
then take the smallest of those membership degrees as the record's support for that fuzzy pattern.
The degree of membership is defined as follows:
If every element x of the universe of discourse U (the range under study) has a number A(x) ∈ [0, 1] corresponding to it, A is called a fuzzy set on U and A(x) the degree of membership of x in A. As x ranges over U, A(x) is a function, called the membership function of A. The closer A(x) is to 1, the more x belongs to A; the closer it is to 0, the less it belongs. The membership function A(x), taking values in the interval [0, 1], thus characterises how strongly x belongs to A.
For example, let A be the fuzzy set "old" with membership function A(x) over age x. For age x ≤ 50, A(x) = 0, meaning x does not belong to A ("old") at all; for x ≥ 100, A(x) = 1, meaning x belongs to A completely; for 50 < x < 100, 0 < A(x) < 1, and the closer x is to 100 the closer A(x) is to 1 and the more x belongs to A. This is clearly more reasonable than the crisp statement "people over 100 are old and people under 100 are not".
Commonly used membership functions include the Gaussian, the generalised bell and the triangular membership functions.
Three: generating the frequent fuzzy pattern set.
In the embodiments the vulnerability attribute association generator can, but need not, generate the frequent fuzzy pattern set as follows:
taking any association record as an example, from its determined support for each fuzzy pattern and a preset support threshold, find the supports that exceed the threshold, and choose the fuzzy patterns corresponding to those supports to form the frequent fuzzy pattern set.
The application of the system in practice is introduced in detail below through a specific embodiment.
In practice the system can be realised as a model called the fuzzy-separator-based static adaptive fuzzy finite automaton detection model (the detection model, for short). Its core is the fuzzy separator and the fuzzy finite-state automaton.
A fuzzy finite-state automaton is a mathematical model of a system with discrete inputs and outputs. It can be written as a five-tuple M = (Q, Σ, δ, T, F), where, in the patent's notation (which differs from the textbook convention in which Q is the state set, Σ the input alphabet and δ the transition function), Q, Σ and δ are the input set, the state set and the output set, and T and F are the state transition function and the output function. In a deterministic finite automaton (DFA) T and F are deterministic; when T and F are fuzzified, the finite automaton becomes a fuzzy automaton. Fuzzy automata have clear advantages for rule association, behaviour analysis, pattern recognition and self-learning in complex systems, and are also of considerable use for identifying unknown vulnerabilities. When a fuzzy finite-state automaton is used as the standard for fuzzy recognition of program source code, the whole detection model gains the ability of fuzzy recognition as soon as suitable state transition and output functions are established.
Building on these characteristics, this specific embodiment combines fuzzy automata with pattern-recognition self-learning and proposes the fuzzy-separator-based static adaptive fuzzy finite automaton detection model. One concrete structure of the model is shown in Fig. 3.
The input, detection process and output in the left-hand box of Fig. 3 represent the flow from program source code entering the detection model to the detection result finally being produced. The execution path simulation generator, vulnerability attribute association generator and fuzzy automaton detector in the right-hand dashed box together make up the detection model.
As Fig. 3 shows, detection starts with the program source code being fed into the execution path simulation generator and the vulnerability database into the vulnerability attribute association generator; the detection model then processes them, outputs the detection result, and feeds the detected vulnerability information back to the vulnerability database, completing the model's self-learning cycle.
The important components of Fig. 3 are introduced in turn:
1. Vulnerability database. A database storing program vulnerability information. In its initial state it generally holds existing known vulnerability information, for instance the common buffer overflow, heap overflow, integer overflow, format string and other common string vulnerabilities.
The database can be updated by adding vulnerability information manually, or by the detection model's self-learning feeding newly detected vulnerability information back to it, so that it is updated on the basis of the fed-back information.
2. Vulnerability rule association generator. It generates vulnerability association records (the patent also calls them vulnerability association information) from the vulnerability information in the database according to the logical association between different vulnerabilities; these records are the basis for generating the frequent fuzzy pattern set. In the embodiments some useless combinations can be excluded from the generated records, i.e. records generated from weakly associated vulnerability information are deleted, to lighten the detection system's load and avoid wasting processing resources. Where useless combinations are numerous this strategy matters a great deal.
Once the association records exist, the vulnerability rule association generator determines each record's support for each of the fuzzy patterns that correspond to the specified vulnerability attack patterns. A fuzzy pattern differs from an ordinary pattern: in intrusion-detection terms a fuzzy pattern is a set of fuzzy values of the attributes of a network connection, and a fuzzy value describes network behaviour from one aspect of the connection. For instance, one fuzzy pattern corresponding to the DDOS attack pattern is (protocol is tcp, protocol_flag is SYN, duration is high, result is DDOS). It comprises four fuzzy values, protocol is tcp, protocol_flag is SYN, duration is high and result is DDOS; the first three are the antecedent of the rule and the last is the consequent. It involves four fuzzy variables: protocol, protocol_flag, duration and result. Suppose there are four vulnerability association records forming a data set. For each record one computes its degree of membership for each fuzzy value of this pattern and takes the smallest as the record's support for the pattern. The memberships and resulting supports for the four records are shown in the table below: columns 2 to 5 give each fuzzy value's membership for the different records, and the last column the support of each record for the pattern.
Record | protocol is tcp | protocol_flag is SYN | duration is high | result is DDOS | Support
1      | 1.0             | 0.9                  | 0.3              | 1.0            | 0.3
2      | 1.0             | 0.7                  | 0.2              | 1.0            | 0.2
3      | 1.0             | 0.6                  | 0.8              | 1.0            | 0.6
4      | 1.0             | 0.7                  | 0.5              | 1.0            | 0.5
In the embodiments, for any fuzzy pattern, the mean of the different association records' supports for that pattern can be taken as the pattern's support S, computed with formula [1]. The denominator R is the total number of association records generated by the vulnerability rule association generator, and s_i in the numerator is the support of the i-th of the R records for this pattern, s_i = min(f_1, f_2, ..., f_n), where n is the number of fuzzy values in the pattern and f_j (1 ≤ j ≤ n) is the membership degree of the pattern's j-th fuzzy value for that same record.
S = \frac{1}{R} \sum_{i=1}^{R} s_i   [1]
For example, with the table above, the support of the fuzzy pattern (protocol is tcp, protocol_flag is SYN, duration is high, result is DDOS) is computed with formula [1] as:
S = (0.3 + 0.2 + 0.6 + 0.5) / 4 = 0.4   [2]
So the support of this fuzzy pattern is 0.4.
Having determined the support of each fuzzy pattern, the vulnerability rule association generator can further determine the frequent fuzzy pattern set. In this embodiment the frequent fuzzy pattern set is the set of all fuzzy patterns whose support is greater than or equal to the support threshold. The support threshold therefore decides both the quality and the size of the frequent fuzzy pattern set. Usually, to guarantee the accuracy of vulnerability detection, a small support threshold can be set; a lower threshold admits more, and weaker, patterns into the frequent set, so it trades fewer missed vulnerabilities against more false alarms.
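The support computation described in items two and three above and worked through in the table, as an added example that is not the patent's code. It reproduces the table from four constructed association records and then selects the frequent fuzzy pattern set with formula [1]. The attribute names (protocol, syn_ratio, duration, result), the ramp membership for "duration is high" (0 at 5 s, 1 at 30 s), storing the SYN flag as a ratio, the two extra patterns and the support threshold of 0.35 are all assumptions; the triangular and Gaussian functions are included only to show the membership-function families the patent names.

```python
"""Fuzzy support of vulnerability association records for fuzzy patterns.

Added example, not code from the patent. Attribute names, membership-function
shapes, the extra patterns and the threshold are assumptions.
"""
import math
from statistics import fmean


# --- membership functions: the families the patent names, plus a ramp -------
def ramp(lo, hi):
    """0 at or below lo, 1 at or above hi, linear in between.
    The patent's fuzzy set "old" over age is ramp(50, 100)."""
    return lambda x: 0.0 if x <= lo else 1.0 if x >= hi else (x - lo) / (hi - lo)


def triangular(a, b, c):
    """Peak 1 at b, 0 at or outside a and c."""
    def mf(x):
        if x <= a or x >= c:
            return 0.0
        return (x - a) / (b - a) if x <= b else (c - x) / (c - b)
    return mf


def gaussian(centre, sigma):
    return lambda x: math.exp(-((x - centre) ** 2) / (2 * sigma ** 2))


def crisp(expected):
    """Categorical attribute: membership is 1 only for an exact match."""
    return lambda x: 1.0 if x == expected else 0.0


def identity():
    """Attribute already stored as a degree in [0, 1]."""
    return lambda x: min(1.0, max(0.0, float(x)))


# A fuzzy pattern is an ordered list of fuzzy values (label, attribute,
# membership function); the last one is the consequent, the rest the antecedent.
def fuzzy_pattern(name, *values):
    return {"name": name, "values": list(values)}


# Four constructed association records, one per row of the patent's table; the
# numeric attributes are chosen so that the memberships reproduce that table.
RECORDS = [
    {"protocol": "tcp", "syn_ratio": 0.9, "duration": 12.5, "result": "DDOS"},
    {"protocol": "tcp", "syn_ratio": 0.7, "duration": 10.0, "result": "DDOS"},
    {"protocol": "tcp", "syn_ratio": 0.6, "duration": 25.0, "result": "DDOS"},
    {"protocol": "tcp", "syn_ratio": 0.7, "duration": 17.5, "result": "DDOS"},
]

DURATION_HIGH = ramp(5.0, 30.0)   # assumed: 5 s -> 0.0, 30 s -> 1.0

PATTERNS = [
    fuzzy_pattern("ddos",
                  ("protocol is tcp", "protocol", crisp("tcp")),
                  ("protocol_flag is SYN", "syn_ratio", identity()),
                  ("duration is high", "duration", DURATION_HIGH),
                  ("result is DDOS", "result", crisp("DDOS"))),
    fuzzy_pattern("ddos_without_flag",          # constructed: weaker antecedent
                  ("protocol is tcp", "protocol", crisp("tcp")),
                  ("duration is high", "duration", DURATION_HIGH),
                  ("result is DDOS", "result", crisp("DDOS"))),
    fuzzy_pattern("udp_flood",                  # constructed: never supported here
                  ("protocol is udp", "protocol", crisp("udp")),
                  ("duration is high", "duration", DURATION_HIGH),
                  ("result is DDOS", "result", crisp("DDOS"))),
]


def memberships(record, pattern):
    """f_1 .. f_n: membership of the record for each fuzzy value of the pattern."""
    return [mf(record[attr]) for _, attr, mf in pattern["values"]]


def record_support(record, pattern):
    """s_i = min(f_1, ..., f_n): one record's support for the pattern."""
    return min(memberships(record, pattern))


def pattern_support(records, pattern):
    """S = (1/R) * sum_i s_i, formula [1] of the patent."""
    return fmean(record_support(r, pattern) for r in records)


def frequent_patterns(records, patterns, threshold):
    """Frequent fuzzy pattern set: names of patterns whose support reaches the threshold."""
    return [p["name"] for p in patterns if pattern_support(records, p) >= threshold]


if __name__ == "__main__":
    for r in RECORDS:
        print(memberships(r, PATTERNS[0]), "->", record_support(r, PATTERNS[0]))
    for p in PATTERNS:
        print(p["name"], round(pattern_support(RECORDS, p), 3))
    print("frequent:", frequent_patterns(RECORDS, PATTERNS, 0.35))
```

Running it prints the four membership rows and supports 0.3, 0.2, 0.6 and 0.5 from the table, support 0.4 for the DDOS pattern, and a frequent set of two patterns at threshold 0.35; raising the threshold to 0.5 empties the set, which is the trade-off the threshold controls.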
3. Execution path model generator. A generator that builds a virtual software execution path model from program source code; its input is generally program source code and its output is generally the execution path information of that source code.
4. Fuzzy automaton detector. The core component of the detection model.
Similarly to a neural network, the degree to which program source code contains defects can be defined on the interval [0, 1], where 1 indicates that the program source code contains a definite vulnerability, 0 indicates that the program source code is safe, and a value between 0 and 1 indicates a security defect to some degree; the closer the value is to 1, the higher the degree of security defect.
The fuzzy automaton detector is built on the theory of fuzzy finite-state automata. In M = (Q, Σ, δ, T, F), the input set Q is the output of the execution path model generator, i.e. the execution path information it produces; the state set Σ is the output of the vulnerability rule association generator, i.e. the generated frequent fuzzy pattern set; the output set δ is {q_w, q_z, q_v}, where q_w indicates that the program source code is safe, q_v indicates that it contains a definite vulnerability, and q_z indicates that it contains a security defect to some degree. The output function F has two parts: the first presents the security defect hazard level reflected in the output set δ to the program analyst in a predetermined display mode, together with the execution path information of the program; the second determines the vulnerability information of the program source code and feeds the determined vulnerability information back to the vulnerability rule base. Here, vulnerability information usually refers to the attributes of the vulnerability.
The fuzzy automaton detector also uses a state transition function when producing the output set δ. In essence, the state transition function makes the program source code under analysis jump from its current state to another state depending on conditions; when implemented in code, it is mostly built from if or case statements. Its main role is as follows. Suppose q_0 is the initial state of a vulnerability attack pattern. Then, according to the state transition function, if none of the fuzzy patterns contained in the frequent fuzzy pattern set occurs during execution of the program source code, the program source code is determined to remain in the initial state q_0 throughout, i.e. the state does not change; if a vulnerability does occur during execution, i.e. the execution matches at least one fuzzy pattern contained in the frequent fuzzy pattern set (for instance, it matches one fuzzy value of the fuzzy pattern), the state transition function performs a state transition on the execution of the program source code and computes the security defect risk value or security degree value of the program source code. Under this approach, if the execution flow of the program source code matches none of the fuzzy patterns in the frequent fuzzy pattern set, the security degree value of the program source code is determined to be 0; if the execution flow fully matches every fuzzy value contained in a fuzzy pattern, the security degree value is determined to be 1; and if the execution flow only partially matches the fuzzy values contained in any fuzzy pattern, the security degree value is determined to be a value greater than 0 and less than 1.
A concrete example: suppose one fuzzy pattern in the frequent fuzzy pattern set is (protocol is tcp, protocol_flag is SYN, duration is high, result is DDOS), and the object under detection is a packet transmitted over the network. The detector first judges which protocol the packet uses; if it uses ARP rather than TCP, no state transition takes place. If it uses TCP, the automaton moves to the next state, which judges whether protocol_flag is SYN, and so on. Finally, the final state is obtained from the state transition function, and from it the detector judges whether the packet is dangerous.
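The fuzzy automaton detector described above and the packet example that follows it, as an added Python example (not code from the patent or its applicant). The pattern (protocol is tcp, protocol_flag is SYN, duration is high, result is DDOS) is taken from the description and turned into a chain of states q_0 to q_3; the membership functions, the sample flows and the scoring used for a partial match are constructed assumptions, since the description fixes only the end points 0 (no match) and 1 (full match) of the security degree value.

```python
# Output set delta of the detector, named as in the description.
Q_W, Q_Z, Q_V = "q_w", "q_z", "q_v"  # safe / defect to some degree / definite vulnerability


def crisp(expected):
    """Membership function for a crisp attribute: 1.0 on exact match, else 0.0."""
    return lambda observed: 1.0 if observed == expected else 0.0


def linear_high(full_at_seconds):
    """Constructed membership for 'duration is high': 0 at 0 s, 1 at full_at_seconds."""
    def mu(observed):
        if observed is None:  # attribute absent from the flow: nothing to match
            return 0.0
        return min(1.0, max(0.0, float(observed) / full_at_seconds))
    return mu


# One frequent fuzzy pattern as a chain of states q_0 .. q_3. Each state names
# the attribute it inspects and the membership function of its fuzzy value.
# Built from the pattern (protocol is tcp, protocol_flag is SYN, duration is
# high, result is DDOS) in the description; the membership functions are constructed.
SYN_FLOOD_PATTERN = (
    ("protocol", crisp("tcp")),
    ("protocol_flag", crisp("SYN")),
    ("duration", linear_high(10.0)),
    ("result", crisp("DDOS")),
)


def transition(pattern, state, flow):
    """State transition function T. From `state` (an index into the pattern)
    inspect the attribute that state names; a membership degree of 0 means the
    fuzzy value is not matched and the automaton stays in `state`, any positive
    degree advances it one state. Returns (next_state, degree)."""
    attribute, mu = pattern[state]
    degree = mu(flow.get(attribute))
    return (state + 1, degree) if degree > 0.0 else (state, 0.0)


def security_degree(pattern, flow):
    """Run the automaton over one execution flow (attribute -> observed value)
    and return the security degree value in [0, 1]: 0 if the flow never leaves
    the initial state q_0, 1 if every fuzzy value is fully matched, otherwise
    strictly between. The partial-match scoring is an assumption: the mean
    membership over the pattern's fuzzy values, with unreached values counted as 0."""
    state, degrees = 0, []
    while state < len(pattern):
        next_state, degree = transition(pattern, state, flow)
        if next_state == state:
            break  # no transition: the remaining fuzzy values stay unmatched
        degrees.append(degree)
        state = next_state
    return sum(degrees) / len(pattern)


def classify(pattern, flow):
    """Map the security degree value onto the output set delta."""
    value = security_degree(pattern, flow)
    if value == 0.0:
        return Q_W, value
    if value == 1.0:
        return Q_V, value
    return Q_Z, value


# Constructed execution flows: the ARP packet from the description, a flow that
# matches every fuzzy value fully, and two partial matches.
ARP_FLOW = {"protocol": "arp"}
FULL_FLOW = {"protocol": "tcp", "protocol_flag": "SYN", "duration": 12.0, "result": "DDOS"}
SHORT_FLOW = {"protocol": "tcp", "protocol_flag": "SYN", "duration": 4.0, "result": "DDOS"}
ACK_FLOW = {"protocol": "tcp", "protocol_flag": "ACK", "duration": 12.0, "result": "DDOS"}

if __name__ == "__main__":
    for name, flow in [("arp", ARP_FLOW), ("full", FULL_FLOW), ("short", SHORT_FLOW), ("ack", ACK_FLOW)]:
        print(name, classify(SYN_FLOOD_PATTERN, flow))
```

The ARP packet never leaves q_0 and is reported as q_w with value 0; the flow that satisfies every fuzzy value reaches the final state and is reported as q_v with value 1; a TCP SYN flow whose duration is only partly "high", or one whose flag is ACK and therefore stops after q_0, lands in q_z with a value strictly between 0 and 1. Because the output set and the transition function are separate, a second frequent fuzzy pattern is added by writing another chain of states rather than by changing the detector.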
Correspondingly, the embodiment of the invention also provides a program vulnerability detection method, which comprises the following steps, as shown in Figure 4:
Step 41: the execution path simulation generator determines the execution path information of the program source code to be detected and sends the determined execution path information to the fuzzy automaton detector;
Step 42: the vulnerability attribute association generator generates, according to the vulnerability information stored in the configured vulnerability database, a vulnerability association information set made up of a plurality of vulnerability association information items, where each item is made up of a plurality of logically associated pieces of vulnerability information;
Step 43: the vulnerability attribute association generator determines, for each vulnerability association information item in the set, its support for each fuzzy pattern, the fuzzy patterns corresponding respectively to the different specified vulnerability attack patterns;
Step 44: the vulnerability attribute association generator chooses, according to the determined supports, fuzzy patterns from among those corresponding to the specified vulnerability attack patterns to form a frequent fuzzy pattern set, and sends the frequent fuzzy pattern set to the fuzzy automaton detector;
Step 45: the fuzzy automaton detector receives the execution path information sent by the execution path simulation generator and the frequent fuzzy pattern set sent by the vulnerability attribute association generator;
Step 46: the fuzzy automaton detector determines the execution flow of the program source code according to the received execution path information;
Step 47: the fuzzy automaton detector determines the matching degree between the execution flow and the fuzzy patterns contained in the frequent fuzzy pattern set, and determines the security degree of the program source code according to the matching degree.
Optionally, the method may further include the step: the fuzzy automaton detector determines the vulnerability information of the program source code and sends the determined vulnerability information to the vulnerability database.
Optionally, step 42 may be implemented as follows:
First, the vulnerability attribute association generator determines, according to the vulnerability information stored in the vulnerability database and the vulnerability logical association information obtained by prior statistics, a plurality of logically associated vulnerability association information items made up of the vulnerability information stored in the database; then it chooses items from the determined plurality according to a predetermined selection rule to form the vulnerability association information set. The selection rule is: choose those items whose degree of logical association between the pieces of vulnerability information they contain is greater than a preset association degree threshold.
Optionally, when the different fuzzy patterns each contain a plurality of fuzzy values, step 43 may be implemented as follows:
For each vulnerability association information item in the set, the vulnerability attribute association generator determines its support for each fuzzy pattern of the different specified vulnerability attack patterns in the following way:
For each fuzzy pattern, compute the membership degree of each fuzzy value contained in the pattern with respect to this item, and take the minimum membership degree computed as the support of this item for this fuzzy pattern.
Optionally, the choosing of fuzzy patterns in step 44 may specifically comprise: according to the determined supports and a preset support threshold, the vulnerability attribute association generator determines which of the determined supports are greater than the support threshold, and chooses the fuzzy patterns corresponding to those supports to form the frequent fuzzy pattern set.
In the scheme provided by the embodiment of the invention, the fuzzy automaton detector determines the execution flow of the program source code and its matching degree with the fuzzy patterns corresponding to the different vulnerability attack patterns; since a higher matching degree indicates that the execution flow of the program source code is more susceptible to vulnerability attack, a security degree value characterizing the security of the program source code can be determined from this matching degree. This scheme amounts to an improvement over static detection in the prior art and can improve prior-art vulnerability detection and reduce false positives. Further, the fuzzy automaton detector determines the vulnerability information of the program source code and sends it to the vulnerability database, so that the vulnerability database is refined according to newly detected vulnerability types; this avoids the problem that the program vulnerability detection of the prior art cannot detect vulnerabilities of unknown type, and improves the effectiveness and adaptivity of the detection system.
Optionally, step 47 may be implemented as follows:
First, the fuzzy automaton detector judges whether the initial state of the vulnerability attack pattern corresponding to a fuzzy pattern in the frequent fuzzy pattern set has occurred in the execution flow;
Then, if the judgement is negative, the fuzzy automaton detector determines that the execution flow does not match the fuzzy patterns contained in the frequent fuzzy pattern set, and determines the security degree value characterizing the security of the program source code to be 0; if the judgement is positive, it determines the subsequent states of the vulnerability attack pattern whose initial state occurred in the execution flow, and determines the matching degree between those subsequent states and the execution flow: when the execution flow fully matches every fuzzy value contained in a fuzzy pattern, the security degree value characterizing the security of the program source code is determined to be 1; and when the execution flow only partially matches the fuzzy values contained in any fuzzy pattern, the security degree value is determined to be a value greater than 0 and less than 1.
Those skilled in the art will understand that embodiments of the invention may be provided as a method, a system or a computer program product. Accordingly, the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM and optical storage) that contain computer-usable program code.
The invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the invention have been described, those skilled in the art, once they grasp the basic inventive concept, can make further changes and modifications to these embodiments. The appended claims are therefore intended to be interpreted as covering the preferred embodiments and all changes and modifications that fall within the scope of the invention.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. If these modifications and variations of the invention fall within the scope of the claims of the invention and their technical equivalents, the invention is intended to include them as well.

Claims (12)

1. A program vulnerability detection system, characterized in that it comprises an execution path simulation generator, a vulnerability attribute association generator and a fuzzy automaton detector, wherein:
the execution path simulation generator is used to determine the execution path information of the program source code to be detected, and to send the determined execution path information to the fuzzy automaton detector;
the vulnerability attribute association generator is used to generate, according to the vulnerability information stored in a configured vulnerability database, a vulnerability association information set made up of a plurality of vulnerability association information items, wherein each item is made up of a plurality of logically associated pieces of vulnerability information; to determine, for each vulnerability association information item in the set, its support for each fuzzy pattern, wherein each fuzzy pattern corresponds to a different specified vulnerability attack pattern; to choose, according to the determined supports, fuzzy patterns from among the fuzzy patterns corresponding to the specified vulnerability attack patterns to form a frequent fuzzy pattern set; and to send the frequent fuzzy pattern set to the fuzzy automaton detector;
the fuzzy automaton detector is used to receive the execution path information sent by the execution path simulation generator and the frequent fuzzy pattern set sent by the vulnerability attribute association generator; to determine the execution flow of the program source code according to the received execution path information; to determine the matching degree between that execution flow and the fuzzy patterns contained in the frequent fuzzy pattern set; and to determine the security degree of the program source code according to the matching degree.
2. The system of claim 1, characterized in that the fuzzy automaton detector is further used to determine the vulnerability information of the program source code and to send the determined vulnerability information to the vulnerability database.
3. The system of claim 1, characterized in that the fuzzy automaton detector is specifically used to:
judge whether the initial state of the vulnerability attack pattern corresponding to a fuzzy pattern in the frequent fuzzy pattern set has occurred in the execution flow;
if the judgement is negative, determine that the execution flow does not match the fuzzy patterns contained in the frequent fuzzy pattern set, and determine the security degree value characterizing the security of the program source code to be 0;
if the judgement is positive, determine the subsequent states of the vulnerability attack pattern whose initial state occurred in the execution flow, and determine the matching degree between those subsequent states and the execution flow: when the execution flow fully matches every fuzzy value contained in a fuzzy pattern, determine the security degree value characterizing the security of the program source code to be 1; and when the execution flow only partially matches the fuzzy values contained in any fuzzy pattern, determine the security degree value to be a value greater than 0 and less than 1.
4. The system of claim 1, characterized in that the vulnerability attribute association generator is specifically used to:
determine, according to the vulnerability information stored in the vulnerability database and vulnerability logical association information obtained by prior statistics, a plurality of logically associated vulnerability association information items made up of the vulnerability information stored in the vulnerability database; and choose, according to a predetermined vulnerability association information selection rule, items from the determined plurality to form the vulnerability association information set;
wherein the selection rule is: choose those vulnerability association information items whose degree of logical association between the pieces of vulnerability information they contain is greater than a preset association degree threshold.
5. The system of claim 1, characterized in that the different fuzzy patterns each contain a plurality of fuzzy values, and
the vulnerability attribute association generator is specifically used to determine, for each vulnerability association information item in the vulnerability association information set, its support for each fuzzy pattern of the different specified vulnerability attack patterns in the following way:
for each fuzzy pattern, compute the membership degree of each fuzzy value contained in the pattern with respect to this item, and take the minimum membership degree computed as the support of this item for this fuzzy pattern.
6. The system of claim 1 or 5, characterized in that the vulnerability attribute association generator is specifically used to:
determine, according to the determined supports and a preset support threshold, which of the determined supports are greater than the support threshold; and choose the fuzzy patterns corresponding to the supports greater than the support threshold to form the frequent fuzzy pattern set.
7. A program vulnerability detection method, characterized in that it comprises:
an execution path simulation generator determining the execution path information of the program source code to be detected, and sending the determined execution path information to a fuzzy automaton detector;
a vulnerability attribute association generator generating, according to the vulnerability information stored in a configured vulnerability database, a vulnerability association information set made up of a plurality of vulnerability association information items, wherein each item is made up of a plurality of logically associated pieces of vulnerability information;
the vulnerability attribute association generator determining, for each vulnerability association information item in the set, its support for each fuzzy pattern, wherein each fuzzy pattern corresponds to a different specified vulnerability attack pattern;
the vulnerability attribute association generator choosing, according to the determined supports, fuzzy patterns from among the fuzzy patterns corresponding to the specified vulnerability attack patterns to form a frequent fuzzy pattern set, and sending the frequent fuzzy pattern set to the fuzzy automaton detector;
the fuzzy automaton detector receiving the execution path information sent by the execution path simulation generator and the frequent fuzzy pattern set sent by the vulnerability attribute association generator;
the fuzzy automaton detector determining the execution flow of the program source code according to the received execution path information;
the fuzzy automaton detector determining the matching degree between the execution flow and the fuzzy patterns contained in the frequent fuzzy pattern set, and determining the security degree of the program source code according to the matching degree.
8. The method of claim 7, characterized in that it further comprises:
the fuzzy automaton detector determining the vulnerability information of the program source code, and sending the determined vulnerability information to the vulnerability database.
9. The method of claim 7, characterized in that the fuzzy automaton detector determining the matching degree between the execution flow and the fuzzy patterns contained in the frequent fuzzy pattern set, and determining the security degree of the program source code according to the matching degree, specifically comprises:
the fuzzy automaton detector judging whether the initial state of the vulnerability attack pattern corresponding to a fuzzy pattern in the frequent fuzzy pattern set has occurred in the execution flow;
if the judgement is negative, the fuzzy automaton detector determining that the execution flow does not match the fuzzy patterns contained in the frequent fuzzy pattern set, and determining the security degree value characterizing the security of the program source code to be 0;
if the judgement is positive, the fuzzy automaton detector determining the subsequent states of the vulnerability attack pattern whose initial state occurred in the execution flow, and determining the matching degree between those subsequent states and the execution flow: when the execution flow fully matches every fuzzy value contained in a fuzzy pattern, determining the security degree value characterizing the security of the program source code to be 1; and when the execution flow only partially matches the fuzzy values contained in any fuzzy pattern, determining the security degree value to be a value greater than 0 and less than 1.
10. The method of claim 7, characterized in that the vulnerability attribute association generator generating, according to the vulnerability information stored in the configured vulnerability database, the vulnerability association information set made up of a plurality of vulnerability association information items specifically comprises:
the vulnerability attribute association generator determining, according to the vulnerability information stored in the vulnerability database and vulnerability logical association information obtained by prior statistics, a plurality of logically associated vulnerability association information items made up of the vulnerability information stored in the vulnerability database;
the vulnerability attribute association generator choosing, according to a predetermined vulnerability association information selection rule, items from the determined plurality to form the vulnerability association information set;
wherein the selection rule is: choose those vulnerability association information items whose degree of logical association between the pieces of vulnerability information they contain is greater than a preset association degree threshold.
11. The method of claim 7, characterized in that the different fuzzy patterns each contain a plurality of fuzzy values, and
the vulnerability attribute association generator determining, for each vulnerability association information item in the set, its support for each fuzzy pattern of the different specified vulnerability attack patterns specifically comprises:
for each vulnerability association information item in the vulnerability association information set, the vulnerability attribute association generator determining its support for each fuzzy pattern of the different specified vulnerability attack patterns in the following way:
for each fuzzy pattern, computing the membership degree of each fuzzy value contained in the pattern with respect to this item, and taking the minimum membership degree computed as the support of this item for this fuzzy pattern.
12. The method of claim 7 or 11, characterized in that the vulnerability attribute association generator choosing, according to the determined supports, fuzzy patterns from among the fuzzy patterns corresponding to the specified vulnerability attack patterns to form the frequent fuzzy pattern set specifically comprises:
the vulnerability attribute association generator determining, according to the determined supports and a preset support threshold, which of the determined supports are greater than the support threshold; and choosing the fuzzy patterns corresponding to the supports greater than the support threshold to form the frequent fuzzy pattern set.
CN201210487298.4A 2012-11-26 2012-11-26 The detection system of bug and method Active CN102982282B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210487298.4A CN102982282B (en) 2012-11-26 2012-11-26 The detection system of bug and method

Publications (2)

Publication Number Publication Date
CN102982282A true CN102982282A (en) 2013-03-20
CN102982282B CN102982282B (en) 2015-12-23

Family

ID=47856286

Country Status (1)

Country Link
CN (1) CN102982282B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101510204B (en) * 2009-03-02 2010-09-29 南京航空航天大学 Abnormal enquiry and monitor method based on target condition association rule database
CN101930401A (en) * 2010-09-20 2010-12-29 南京大学 Detection object-based software vulnerability model detection method
CN102693393A (en) * 2012-05-21 2012-09-26 上海电力学院 Software vulnerability detection method based on behavioral characteristic automaton model

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
张晛譞 et al.: "Research on software vulnerability detection technology based on fuzzy measurement" (基于模糊度量的软件漏洞检测技术研究), 网络安全技术与应用 (Network Security Technology & Application) *
王炳雪: "Mining evolution patterns of fuzzy temporal sequences" (模糊时态序列演化模式挖掘), 计算机工程与应用 (Computer Engineering and Applications) *
魏念忠: "Research on network intrusion detection based on fuzzy association rule mining" (基于模糊关联规则挖掘的网络入侵检测研究), 微电子学与计算机 (Microelectronics & Computer) *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103268281A (en) * 2013-05-07 2013-08-28 北京天广汇通科技有限公司 Method and system for detecting vulnerability of source codes
CN103268281B (en) * 2013-05-07 2017-02-08 北京天广汇通科技有限公司 Method and system for detecting vulnerability of source codes
CN104715190A (en) * 2015-02-03 2015-06-17 中国科学院计算技术研究所 Method and system for monitoring program execution path on basis of deep learning
WO2019144548A1 (en) * 2018-01-26 2019-08-01 平安科技(深圳)有限公司 Security test method, apparatus, computer device and storage medium
CN111259400A (en) * 2018-11-30 2020-06-09 阿里巴巴集团控股有限公司 Vulnerability detection method, device and system
CN111259400B (en) * 2018-11-30 2023-05-09 阿里巴巴集团控股有限公司 Vulnerability detection method, device and system

Also Published As

Publication number Publication date
CN102982282B (en) 2015-12-23

C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee after: NSFOCUS Technologies Group Co.,Ltd.

Patentee after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Patentee before: NSFOCUS TECHNOLOGIES Inc.

CP01 Change in the name or title of a patent holder