CN111339535A - Vulnerability prediction method and system for intelligent contract codes, computer equipment and storage medium - Google Patents


Publication number
CN111339535A
Authority
CN
China
Prior art keywords
vulnerability
intelligent contract
code
characteristic value
prediction
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010094870.5A
Other languages
Chinese (zh)
Inventor
孙小兵
李斌
章永龙
张正华
薄莉莉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Yangzhou University
Original Assignee
Yangzhou University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Yangzhou University
Priority to CN202010094870.5A
Publication of CN111339535A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577: Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a vulnerability prediction method, a system, computer equipment and a storage medium for intelligent contract codes, wherein the method comprises the following steps: collecting a plurality of intelligent contract codes and vulnerability data; extracting a code characteristic value of each intelligent contract code, identifying the code characteristic value of which the value related to the vulnerability data meets a preset condition, and recording the code characteristic value as a vulnerability characteristic value; constructing a classifier model by utilizing the vulnerability characteristic value aiming at each intelligent contract code; constructing an intelligent contract vulnerability prediction network; randomly selecting a plurality of vulnerability characteristic values, inputting the vulnerability characteristic values into a prediction network for training, and generating a vulnerability prediction classifier; and extracting the code characteristic value of the intelligent contract code to be predicted, and inputting the code characteristic value into a vulnerability prediction classifier to obtain a vulnerability prediction result. The vulnerability prediction classifier is constructed by combining technologies such as multi-granularity scanning and cascading forests, effective intelligent contract code vulnerability prediction effects can be provided, and the code quality before chaining of the intelligent contract codes is improved.

Description

Vulnerability prediction method and system for intelligent contract codes, computer equipment and storage medium
Technical Field
The invention belongs to the field of software security analysis, and particularly relates to a vulnerability prediction method and system for intelligent contract codes, computer equipment and a storage medium.
Background
A smart contract (called an intelligent contract throughout this document) is code deployed on a blockchain that executes automatically once a transaction or event triggers a term in the contract. It is a major component of the blockchain: it provides the basis for the blockchain's programmability and supports the various applications built on it.
The intelligent contract is an event-driven, stateful program that runs on a blockchain system and can hold and process digital assets on the blockchain ledger. While the blockchain itself provides application-domain-oriented security assurance, the intelligent contract code created on it is not necessarily secure. To date, various intelligent contract code vulnerabilities have been discovered, such as the Parity multi-signature vulnerability and the timestamp dependency vulnerability, which have caused extensive economic loss. Moreover, unlike traditional code, intelligent contract code cannot be repaired or upgraded once it is deployed and running. Therefore, effectively identifying the vulnerabilities in intelligent contract code before it is put on the chain is very important.
Some technologies are used for predicting and identifying vulnerabilities of intelligent contract codes, but most of the technologies are based on traditional static analysis technology or Fuzzing technology to perform code analysis of intelligent contracts and identify vulnerabilities in the intelligent contract codes.
Disclosure of Invention
The invention aims to provide a method, a system, computer equipment and a storage medium for effectively predicting intelligent contract code vulnerabilities with high precision.
The technical solution for realizing the purpose of the invention is as follows: a vulnerability prediction method for intelligent contract codes comprises the following steps:
step 1, collecting a plurality of intelligent contract codes and corresponding vulnerability data thereof;
step 2, extracting a code characteristic value of each intelligent contract code, identifying the code characteristic value of which the value related to the vulnerability data meets a preset condition, and recording the code characteristic value as a vulnerability characteristic value;
step 3, aiming at each intelligent contract code, constructing a classifier model by utilizing the identified vulnerability characteristic value;
step 4, constructing an intelligent contract vulnerability prediction network based on all classifier models;
step 5, randomly selecting a plurality of vulnerability characteristic values, inputting the vulnerability characteristic values into the intelligent contract vulnerability prediction network for training, and generating a vulnerability prediction classifier;
step 6, extracting the code characteristic value of the intelligent contract code to be predicted, and inputting the code characteristic value into the vulnerability prediction classifier to obtain a vulnerability prediction result.
Further, the code characteristic value of the intelligent contract code extracted in the step 2 is specifically realized by adopting a CK measurement method.
Further, in step 2, the code characteristic values whose correlation value with the vulnerability data satisfies the preset condition are identified through multi-granularity scanning. The multi-granularity scanning uses a sliding window to scan the local context of the high-dimensional input and learns a representation of the input data through different random forests. The specific scanning process comprises the following steps:
inputting a complete N-dimensional sample;
performing sliding sampling with a sampling window of length K to obtain $S = (N - K)/1 + 1$ K-dimensional feature sub-sample vectors;
using each sub-sample vector to train a completely random forest and an ordinary random forest, a probability vector of length P being obtained in each forest, so that each forest generates a characterization vector of length S × P;
splicing the results of each layer of forests together to obtain the output of the layer.
Further, the preset condition in step 2 is as follows: the correlation value between the code characteristic value and the corresponding vulnerability data is higher than a preset threshold value.
Further, the step 4 of constructing an intelligent contract vulnerability prediction network based on all classifier models specifically includes: cascading all classifier models to form an intelligent contract vulnerability prediction network.
Further, the classifier model in the step 4 is specifically a random forest classifier model.
Further, in step 5, the randomly selecting a plurality of vulnerability characteristic values includes:
step 5-1, distributing proportions for all intelligent contract codes;
step 5-2, randomly selecting vulnerability characteristic values from vulnerability characteristic values corresponding to all intelligent contract codes according to the distributed proportion.
An intelligent contract code-oriented vulnerability prediction system, the system comprising:
the acquisition module is used for acquiring a plurality of intelligent contract codes and corresponding vulnerability data;
the identification module is used for extracting a code characteristic value of each intelligent contract code, identifying the code characteristic value of which the value related to the vulnerability data meets a preset condition, and recording the code characteristic value as a vulnerability characteristic value;
the model construction module is used for constructing a classifier model by utilizing the identified vulnerability characteristic value aiming at each intelligent contract code;
the prediction network construction module is used for constructing an intelligent contract vulnerability prediction network based on all classifier models;
the prediction classifier building module is used for randomly selecting a plurality of vulnerability characteristic values and inputting the vulnerability characteristic values into the intelligent contract vulnerability prediction network for training to generate a vulnerability prediction classifier;
and the prediction module is used for extracting the code characteristic value of the intelligent contract code to be predicted and inputting the code characteristic value into the vulnerability prediction classifier to obtain a vulnerability prediction result.
A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
step 1, collecting a plurality of intelligent contract codes and corresponding vulnerability data thereof;
step 2, extracting a code characteristic value of each intelligent contract code, identifying the code characteristic value of which the value related to the vulnerability data meets a preset condition, and recording the code characteristic value as a vulnerability characteristic value;
step 3, aiming at each intelligent contract code, constructing a classifier model by utilizing the identified vulnerability characteristic value;
step 4, constructing an intelligent contract vulnerability prediction network based on all classifier models;
step 5, randomly selecting a plurality of vulnerability characteristic values, inputting the vulnerability characteristic values into the intelligent contract vulnerability prediction network for training, and generating a vulnerability prediction classifier;
step 6, extracting the code characteristic value of the intelligent contract code to be predicted, and inputting the code characteristic value into the vulnerability prediction classifier to obtain a vulnerability prediction result.
A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of:
step 1, collecting a plurality of intelligent contract codes and corresponding vulnerability data thereof;
step 2, extracting a code characteristic value of each intelligent contract code, identifying the code characteristic value of which the value related to the vulnerability data meets a preset condition, and recording the code characteristic value as a vulnerability characteristic value;
step 3, aiming at each intelligent contract code, constructing a classifier model by utilizing the identified vulnerability characteristic value;
step 4, constructing an intelligent contract vulnerability prediction network based on all classifier models;
step 5, randomly selecting a plurality of vulnerability characteristic values, inputting the vulnerability characteristic values into the intelligent contract vulnerability prediction network for training, and generating a vulnerability prediction classifier;
step 6, extracting the code characteristic value of the intelligent contract code to be predicted, and inputting the code characteristic value into the vulnerability prediction classifier to obtain a vulnerability prediction result.
Compared with the prior art, the invention has the following remarkable advantages: 1) the existing intelligent contract vulnerability data and code characteristics are fully utilized, and a machine learning method is combined, so that the code characteristic expression suitable for intelligent contract code vulnerability recognition is more effectively recognized; 2) by utilizing a multi-granularity scanning algorithm, the measurement characteristics suitable for intelligent contract code vulnerability prediction can be effectively screened out, the sampling of the intelligent contract vulnerability and the training set of the code is reduced, too many training sets do not need to be provided, and the cost of data marking is saved; 3) different from the existing static code analysis technology, the invention does not need to analyze too many details of the intelligent contract code, thereby avoiding the problem of low precision of the existing static analysis.
The present invention is described in further detail below with reference to the attached drawing figures.
Drawings
FIG. 1 is a flowchart of a vulnerability prediction method for intelligent contract code in one embodiment.
FIG. 2 is an exemplary diagram of a random forest in one embodiment.
FIG. 3 is an exemplary diagram of a vulnerability prediction model in one embodiment.
FIG. 4 is a diagram illustrating the basic structure of a forest in one embodiment.
FIG. 5 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The vulnerability prediction classifier is constructed by combining technologies such as multi-granularity scanning and cascading forests, effective intelligent contract code vulnerability prediction can be provided, and the code quality before chaining of the intelligent contract codes is improved.
In one embodiment, in conjunction with fig. 1, a method for vulnerability prediction for intelligent contract code is provided, the method comprising the steps of:
step 1, collecting a plurality of intelligent contract codes and corresponding vulnerability data thereof;
step 2, extracting a code characteristic value of each intelligent contract code, identifying the code characteristic value of which the value related to the vulnerability data meets a preset condition, and recording the code characteristic value as a vulnerability characteristic value;
step 3, aiming at each intelligent contract code, constructing a classifier model by utilizing the identified vulnerability characteristic value;
step 4, constructing an intelligent contract vulnerability prediction network based on all classifier models;
step 5, randomly selecting a plurality of vulnerability characteristic values, inputting the vulnerability characteristic values into an intelligent contract vulnerability prediction network for training, and generating a vulnerability prediction classifier;
step 6, extracting the code characteristic value of the intelligent contract code to be predicted, and inputting the code characteristic value into a vulnerability prediction classifier to obtain a vulnerability prediction result.
Further, in one embodiment, the extracting of the code feature value of the intelligent contract code in step 2 is specifically implemented by using a CK measurement method.
Here, as a specific example, the CK metrics are shown in Table 1 below, and the collected characteristic values are shown in Table 2 below.
Table 1. Partial CK metrics of code
| Name | Description |
| --- | --- |
| WMC | Weighted number of methods of the class |
| DIT | Depth of the class in the inheritance tree |
| NOC | Number of child nodes of the class in the inheritance tree |
| CBO | Number of other classes having a coupling relation with the class |
| RFC | Number of external methods that this class can call |
| LCOM | Number of methods within a class to access one or more attributes |
Table 2. Code characteristic value collection table
| Intelligent contract code file name | wmc | dit | noc | cbo | rfc | lcom | ca | ce | npm | Whether a bug is present |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| C1 | 5 | 3 | 1 | 7 | 10 | 0 | 1 | 7 | 4 | 0 |
| C2 | 4 | 1 | 0 | 3 | 5 | 4 | 1 | 2 | 3 | 0 |
| C3 | 20 | 4 | 7 | 26 | 95 | 144 | 2 | 26 | 13 | 0 |
| C4 | 3 | 2 | 0 | 8 | 22 | 3 | 2 | 6 | 2 | 1 |
| C5 | 8 | 1 | 4 | 25 | 20 | 22 | 22 | 3 | 6 | 1 |
| C6 | 3 | 1 | 9 | 6 | 3 | 3 | 5 | 2 | 3 | 0 |
| C7 | 1 | 1 | 0 | 0 | 2 | 0 | 0 | 0 | 0 | 0 |
| C8 | 6 | 1 | 6 | 9 | 17 | 15 | 2 | 7 | 6 | 1 |
Further, in one embodiment, the code characteristic values whose correlation value with the vulnerability data meets the preset condition are identified in step 2 through multi-granularity scanning. The multi-granularity scanning uses a sliding window to scan the local context of the high-dimensional input and learns a representation of the input data through different random forests. The specific scanning process includes:
inputting a complete N-dimensional sample;
performing sliding sampling with a sampling window of length K to obtain $S = (N - K)/1 + 1$ K-dimensional feature sub-sample vectors;
using each sub-sample vector to train a completely random forest and an ordinary random forest, a probability vector of length P being obtained in each forest, so that each forest generates a characterization vector of length S × P;
splicing the results of each layer of forests together to obtain the output of the layer.
Further, in one embodiment, the preset condition in step 2 is: the correlation value between the code characteristic value and the corresponding vulnerability data is higher than a preset threshold value.
Here, as a specific example, a multi-granularity scan is performed based on Table 2 above, and the code feature values whose correlation with a bug is higher than a preset threshold are identified, with the result shown in Table 3 below.
Table 3. Identified effective features
| Intelligent contract code file name | dit | noc | cbo | rfc | ca | Whether a bug is present |
| --- | --- | --- | --- | --- | --- | --- |
| C1 | 3 | 1 | 7 | 10 | 1 | 0 |
| C2 | 1 | 0 | 3 | 5 | 1 | 0 |
| C3 | 4 | 7 | 26 | 95 | 2 | 0 |
| C4 | 2 | 0 | 8 | 22 | 2 | 1 |
| C5 | 1 | 4 | 25 | 20 | 22 | 1 |
| C6 | 1 | 9 | 6 | 3 | 5 | 0 |
| C7 | 1 | 0 | 0 | 2 | 0 | 0 |
| C8 | 1 | 6 | 9 | 17 | 15 | 1 |
Exemplarily and preferably, in one embodiment, the classifier model in the step 4 is specifically a random forest classifier model.
Here, a random forest refers to a classifier that trains and predicts samples using a plurality of decision trees. A tree classifier is an abstract representation. Fig. 2 shows a random forest, and it can be seen from fig. 2 that the random forest includes a plurality of decision trees, each decision tree can make a decision on a sample, and finally the forest integrates decision results of the decision trees and outputs a classification result.
Further, in one embodiment, the constructing an intelligent contract vulnerability prediction network based on all classifier models in step 4 specifically includes: cascading all classifier models to form an intelligent contract vulnerability prediction network.
Here, as a specific example, an intelligent contract vulnerability prediction network is constructed as shown in fig. 3, where the input is a feature vector and the prediction result is output after the decisions of a multi-layer forest (Level represents the number of layers of the forest network).
Here, as a specific example, the model trained in step 5 is shown in fig. 4, where X represents a selected vulnerability feature value, and the feature vector value finally obtained by the model is obtained by averaging feature values of a plurality of random forests.
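The multi-granularity scanning and cascading steps described above can be sketched as follows. This is an added example, not code from the patent: a pure-Python stand-in trained on the values of Table 2. The window length K = 3, 20 trees per forest, a depth limit of 6, two cascade levels, all function names, and computing class vectors without cross-validation are assumptions made here.

```python
import random

TABLE2 = [  # the page's Table 2: [wmc dit noc cbo rfc lcom ca ce npm], bug label
    ([5, 3, 1, 7, 10, 0, 1, 7, 4], 0),        # C1
    ([4, 1, 0, 3, 5, 4, 1, 2, 3], 0),         # C2
    ([20, 4, 7, 26, 95, 144, 2, 26, 13], 0),  # C3
    ([3, 2, 0, 8, 22, 3, 2, 6, 2], 1),        # C4
    ([8, 1, 4, 25, 20, 22, 22, 3, 6], 1),     # C5
    ([3, 1, 9, 6, 3, 3, 5, 2, 3], 0),         # C6
    ([1, 1, 0, 0, 2, 0, 0, 0, 0], 0),         # C7
    ([6, 1, 6, 9, 17, 15, 2, 7, 6], 1),       # C8
]
CLASSES = (0, 1)  # P = 2: no bug / bug


def windows(sample, k):
    """Stride-1 sliding window: S = (N - k)/1 + 1 sub-samples of length k."""
    return [sample[i:i + k] for i in range(len(sample) - k + 1)]


def leaf(data):
    """Class distribution of (row, label) pairs: a probability vector of length P."""
    return [sum(y == c for _, y in data) / len(data) for c in CLASSES]


def grow(data, rng, fully_random, depth=0):
    """One tree: random feature/threshold if fully_random, else best Gini split."""
    dist = leaf(data)
    if max(dist) == 1.0 or depth == 6:
        return dist
    dims, best, best_score = range(len(data[0][0])), None, None
    if fully_random:
        f = rng.choice(dims)
        lo, hi = min(r[f] for r, _ in data), max(r[f] for r, _ in data)
        best = (f, rng.uniform(lo, hi)) if lo < hi else None
    else:
        for f in rng.sample(dims, max(1, int(len(dims) ** 0.5))):
            for t in sorted({r[f] for r, _ in data})[:-1]:
                parts = [[d for d in data if (d[0][f] <= t) == s] for s in (True, False)]
                score = sum(len(p) * (1 - sum(q * q for q in leaf(p))) for p in parts)
                if best_score is None or score < best_score:
                    best, best_score = (f, t), score
    if best is None:
        return dist
    f, t = best
    left = [d for d in data if d[0][f] <= t]
    right = [d for d in data if d[0][f] > t]
    if not left or not right:
        return dist
    return (f, t, grow(left, rng, fully_random, depth + 1), grow(right, rng, fully_random, depth + 1))


def fit_forest(data, rng, fully_random, n_trees=20):
    """Bagging: every tree is grown on a bootstrap resample of the data."""
    return [grow([rng.choice(data) for _ in data], rng, fully_random) for _ in range(n_trees)]


def proba(forest, row):
    """Average the trees' leaf distributions for one row: a length-P vector."""
    leaves = []
    for node in forest:
        while isinstance(node, tuple):
            node = node[2] if row[node[0]] <= node[1] else node[3]
        leaves.append(node)
    return [sum(col) / len(leaves) for col in zip(*leaves)]


def fit_pair(data, rng):
    """One completely random forest plus one ordinary random forest."""
    return [fit_forest(data, rng, True), fit_forest(data, rng, False)]


def scan(pair, sample, k):
    """Each forest turns the S windows into S*P values; spliced: 2*S*P values."""
    return [p for forest in pair for w in windows(sample, k) for p in proba(forest, w)]


def fit_model(data, k=3, levels=2, seed=0):
    """Multi-granularity scan with window k, then `levels` cascaded forest pairs."""
    rng = random.Random(seed)
    scanner = fit_pair([(w, y) for x, y in data for w in windows(x, k)], rng)
    feats = [scan(scanner, x, k) for x, _ in data]
    cascade, rows = [], feats
    for _ in range(levels):
        cascade.append(fit_pair([(r, y) for r, (_, y) in zip(rows, data)], rng))
        # The next level sees this level's class vectors plus the scanned features.
        rows = [[p for f in cascade[-1] for p in proba(f, r)] + x for r, x in zip(rows, feats)]
    return scanner, cascade, k


def predict(model, sample):
    """Return (class probabilities averaged over the last level, predicted label)."""
    scanner, cascade, k = model
    row = feats = scan(scanner, sample, k)
    for pair in cascade:
        vecs = [proba(f, row) for f in pair]
        row = vecs[0] + vecs[1] + feats
    avg = [sum(col) / len(vecs) for col in zip(*vecs)]
    return avg, CLASSES[avg.index(max(avg))]
```

`predict(fit_model(TABLE2), sample)` expects nine metric values in Table 2's column order; with only eight training contracts the output illustrates the data flow rather than a usable detector.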
Further, in one embodiment, the step 5 randomly selects a plurality of vulnerability characteristic values, and the specific process includes:
step 5-1, distributing proportions for all intelligent contract codes;
step 5-2, randomly selecting vulnerability characteristic values from vulnerability characteristic values corresponding to all intelligent contract codes according to the distributed proportion.
Here, as a specific example, based on the above-described procedure and example, the intelligent contract code to be predicted is predicted, and the prediction result is shown in table 4 below.
Table 4. Vulnerability prediction results
| Target intelligent contract code file name | dit | noc | cbo | rfc | ca | Predicted result |
| --- | --- | --- | --- | --- | --- | --- |
| NC1 | 1 | 0 | 6 | 18 | 2 | 0 |
| NC2 | 1 | 0 | 8 | 36 | 2 | 1 |
| NC3 | 4 | 17 | 66 | 8 | 66 | 1 |
| NC4 | 1 | 0 | 4 | 10 | 2 | 0 |
| NC5 | 1 | 0 | 3 | 20 | 1 | 0 |
In Table 4 above, column 1 is the file name of the target intelligent contract code; the last column is the prediction result, where '1' indicates that a bug is predicted and '0' indicates that no bug is predicted; the other columns are the metric feature values of the intelligent contract code. As can be seen from the results, the two intelligent contract codes NC2 and NC3 are predicted to have vulnerabilities, and developers need to focus their testing on them.
In one embodiment, an intelligent contract code-oriented vulnerability prediction system is provided, the system comprising:
the acquisition module is used for acquiring a plurality of intelligent contract codes and corresponding vulnerability data;
the identification module is used for extracting a code characteristic value of each intelligent contract code, identifying the code characteristic value of which the value related to the vulnerability data meets a preset condition, and recording the code characteristic value as a vulnerability characteristic value;
the model construction module is used for constructing a classifier model by utilizing the identified vulnerability characteristic value aiming at each intelligent contract code;
the prediction network construction module is used for constructing an intelligent contract vulnerability prediction network based on all classifier models;
the prediction classifier building module is used for randomly selecting a plurality of vulnerability characteristic values and inputting the vulnerability characteristic values into an intelligent contract vulnerability prediction network for training to generate a vulnerability prediction classifier;
and the prediction module is used for extracting the code characteristic value of the intelligent contract code to be predicted and inputting the code characteristic value into the vulnerability prediction classifier to obtain a vulnerability prediction result.
For further specific definition of the vulnerability prediction system facing the intelligent contract code, reference may be made to the above definition of the vulnerability prediction method facing the intelligent contract code, and details are not described here. All or part of each module in the intelligent contract code-oriented vulnerability prediction system can be realized by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 5. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer equipment is used for storing data required in the process of fusing the data of the multiple systems. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a method of multi-system data fusion.
Those skilled in the art will appreciate that the architecture shown in fig. 5 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
step 1, collecting a plurality of intelligent contract codes and corresponding vulnerability data thereof;
step 2, extracting a code characteristic value of each intelligent contract code, identifying the code characteristic value of which the value related to the vulnerability data meets a preset condition, and recording the code characteristic value as a vulnerability characteristic value;
step 3, aiming at each intelligent contract code, constructing a classifier model by utilizing the identified vulnerability characteristic value;
step 4, constructing an intelligent contract vulnerability prediction network based on all classifier models;
step 5, randomly selecting a plurality of vulnerability characteristic values, inputting the vulnerability characteristic values into an intelligent contract vulnerability prediction network for training, and generating a vulnerability prediction classifier;
step 6, extracting the code characteristic value of the intelligent contract code to be predicted, and inputting the code characteristic value into a vulnerability prediction classifier to obtain a vulnerability prediction result.
Further, in one embodiment, the processor executes a computer program to implement the above-mentioned extracting of the code characteristic value of the intelligent contract code, specifically, by using the CK measurement method.
Further, in one embodiment, the processor executes a computer program to identify the code feature value whose vulnerability data relevance value meets a preset condition, specifically by multi-granularity scanning.
For multi-granularity scanning, the above vulnerability prediction method for intelligent contract codes is referred to, and details are not repeated here.
Further, in one embodiment, the processor executes a computer program to implement the above-mentioned method for constructing an intelligent contract vulnerability prediction network based on all classifier models, and specifically implements: cascading all classifier models to form an intelligent contract vulnerability prediction network.
Further, in one embodiment, the processor executes a computer program to realize the random selection of the vulnerability characterizing values, specifically:
step 5-1, distributing proportions for all intelligent contract codes;
step 5-2, randomly selecting vulnerability characteristic values from vulnerability characteristic values corresponding to all intelligent contract codes according to the distributed proportion.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
step 1, collecting a plurality of intelligent contract codes and corresponding vulnerability data thereof;
step 2, extracting a code characteristic value of each intelligent contract code, identifying the code characteristic value of which the value related to the vulnerability data meets a preset condition, and recording the code characteristic value as a vulnerability characteristic value;
step 3, aiming at each intelligent contract code, constructing a classifier model by utilizing the identified vulnerability characteristic value;
step 4, constructing an intelligent contract vulnerability prediction network based on all classifier models;
step 5, randomly selecting a plurality of vulnerability characteristic values, inputting the vulnerability characteristic values into an intelligent contract vulnerability prediction network for training, and generating a vulnerability prediction classifier;
step 6, extracting the code characteristic value of the intelligent contract code to be predicted, and inputting the code characteristic value into a vulnerability prediction classifier to obtain a vulnerability prediction result.
Further, in one embodiment, the computer program is executed by the processor to implement the above-mentioned extracting the code characteristic value of the intelligent contract code, specifically, the CK measurement method is used for implementation.
Further, in one embodiment, the computer program is executed by the processor to implement the above-mentioned identifying the code feature value whose vulnerability data correlation value satisfies the preset condition, specifically, by multi-granularity scanning.
For multi-granularity scanning, the above vulnerability prediction method for intelligent contract codes is referred to, and details are not repeated here.
Further, in one embodiment, the computer program is executed by the processor to implement the above-mentioned building of the intelligent contract vulnerability prediction network based on all classifier models, and specifically implements: cascading all classifier models to form an intelligent contract vulnerability prediction network.
Further, in one embodiment, the computer program is executed by the processor to implement the above randomly selecting the plurality of vulnerability characterizing values, specifically implementing:
step 5-1, distributing proportions for all intelligent contract codes;
step 5-2, randomly selecting vulnerability characteristic values from vulnerability characteristic values corresponding to all intelligent contract codes according to the distributed proportion.
In summary, the vulnerability prediction classifier is constructed by combining technologies such as multi-granularity scanning and cascading forest, effective intelligent contract code vulnerability prediction can be provided, a software developer is helped to predict code vulnerabilities existing in an intelligent contract more quickly, and the code quality before chaining of the intelligent contract codes is improved.

Claims (10)

1. A vulnerability prediction method for intelligent contract codes is characterized by comprising the following steps:
step 1, collecting a plurality of intelligent contract codes and corresponding vulnerability data thereof;
step 2, extracting a code characteristic value of each intelligent contract code, identifying the code characteristic value whose correlation value with the vulnerability data meets a preset condition, and recording the code characteristic value as a vulnerability characteristic value;
step 3, aiming at each intelligent contract code, constructing a classifier model by utilizing the identified vulnerability characteristic value;
step 4, constructing an intelligent contract vulnerability prediction network based on all classifier models;
step 5, randomly selecting a plurality of vulnerability characteristic values, inputting the vulnerability characteristic values into the intelligent contract vulnerability prediction network for training, and generating a vulnerability prediction classifier;
step 6, extracting the code characteristic value of the intelligent contract code to be predicted, and inputting the code characteristic value into the vulnerability prediction classifier to obtain a vulnerability prediction result.
2. The intelligent contract code-oriented vulnerability prediction method according to claim 1, wherein the extraction of the code characteristic value of the intelligent contract code in the step 2 is specifically realized by a CK measurement method.
3. The intelligent contract code-oriented vulnerability prediction method according to claim 1 or 2, wherein in the step 2, the identification of the code characteristic value whose correlation value with the vulnerability data meets a preset condition is realized through multi-granularity scanning; the multi-granularity scanning uses a sliding window to scan local context from the high-dimensional input, and the input data is represented through learning by different random forests; the specific scanning process comprises the following steps:
inputting a complete N-dimensional sample;
performing sliding sampling through a sampling window with the length of K to obtain S = (N - K)/1 + 1 K-dimensional characteristic sub-sample vectors;
each sub-sample vector is used for training a completely random forest and an ordinary random forest, and a probability vector with the length of P is obtained in each forest, so that each forest generates a characterization vector with the length of S × P;
and splicing the results of each layer of forest together to obtain the output of the layer.
4. The intelligent contract code-oriented vulnerability prediction method according to claim 3, wherein the preset condition in step 2 is: the correlation value of the code characteristic value and the corresponding vulnerability data is higher than a preset threshold value.
5. The intelligent contract code-oriented vulnerability prediction method according to claim 4, wherein the step 4 of constructing an intelligent contract vulnerability prediction network based on all classifier models specifically comprises: cascading all classifier models to form an intelligent contract vulnerability prediction network.
6. The intelligent contract code-oriented vulnerability prediction method according to claim 5, wherein in step 4, the classifier model is specifically a random forest classifier model.
7. The intelligent contract code-oriented vulnerability prediction method according to claim 6, wherein the step 5 of randomly selecting a plurality of vulnerability characteristic values comprises the following specific processes:
step 5-1, distributing proportions for all intelligent contract codes;
step 5-2, randomly selecting vulnerability characteristic values from the vulnerability characteristic values corresponding to all intelligent contract codes according to the distributed proportion.
8. An intelligent contract code-oriented vulnerability prediction system, the system comprising:
the acquisition module is used for acquiring a plurality of intelligent contract codes and corresponding vulnerability data;
the identification module is used for extracting a code characteristic value of each intelligent contract code, identifying the code characteristic value whose correlation value with the vulnerability data meets a preset condition, and recording the code characteristic value as a vulnerability characteristic value;
the model construction module is used for constructing a classifier model by utilizing the identified vulnerability characteristic value aiming at each intelligent contract code;
the prediction network construction module is used for constructing an intelligent contract vulnerability prediction network based on all classifier models;
the prediction classifier building module is used for randomly selecting a plurality of vulnerability characteristic values and inputting the vulnerability characteristic values into the intelligent contract vulnerability prediction network for training to generate a vulnerability prediction classifier;
and the prediction module is used for extracting the code characteristic value of the intelligent contract code to be predicted and inputting the code characteristic value into the vulnerability prediction classifier to obtain a vulnerability prediction result.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method of any of claims 1 to 7 are implemented when the computer program is executed by the processor.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
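The multi-granularity scanning of claim 3, as an added example that is not code from the patent: a stride-1 window of length K cuts each N-dimensional feature vector into S sub-samples, a completely random forest maps each sub-sample to a P-length class probability vector, and the S vectors are concatenated. The pure-Python forest, the function names and the metric values are assumptions made for illustration; the ordinary random forest of claim 3 is left out to keep the block short.

```python
import random

def sliding_windows(x, k):
    """Stride-1 scan: an N-dim sample gives S = (N - K)/1 + 1 sub-samples of dim K."""
    if not 0 < k <= len(x):
        raise ValueError("window length K must satisfy 0 < K <= N")
    return [x[i:i + k] for i in range(len(x) - k + 1)]

def grow_tree(rows, labels, n_classes, rng, depth=0, max_depth=6):
    """Completely random tree: random feature and threshold, no split criterion."""
    leaf = [labels.count(c) / len(labels) for c in range(n_classes)]
    f = rng.randrange(len(rows[0]))
    lo, hi = min(r[f] for r in rows), max(r[f] for r in rows)
    if depth == max_depth or max(leaf) == 1.0 or lo == hi:
        return leaf                                  # leaf holds a class distribution
    t = rng.uniform(lo, hi)
    right = [r[f] > t for r in rows]
    if not any(right):                               # threshold landed on the maximum
        return leaf
    halves = [([r for r, b in zip(rows, right) if b == s],
               [lab for lab, b in zip(labels, right) if b == s]) for s in (False, True)]
    return (f, t) + tuple(grow_tree(r, lab, n_classes, rng, depth + 1, max_depth)
                          for r, lab in halves)

def forest_proba(forest, w):
    """Average the leaf distributions reached by window w: a P-length vector."""
    probs = []
    for node in forest:
        while isinstance(node, tuple):               # internal node: (f, t, left, right)
            f, t, left, right = node
            node = right if w[f] > t else left
        probs.append(node)
    return [sum(p[c] for p in probs) / len(probs) for c in range(len(probs[0]))]

def scan_fit(X, y, k, n_classes, n_trees=25, seed=0):
    """Train one forest on all windows; each window inherits its sample's label."""
    rng = random.Random(seed)
    rows = [w for x in X for w in sliding_windows(x, k)]
    labels = [lab for x, lab in zip(X, y) for _ in range(len(x) - k + 1)]
    return [grow_tree(rows, labels, n_classes, rng) for _ in range(n_trees)]

def scan_transform(forest, x, k):
    """Concatenate the S probability vectors into one S * P representation."""
    return [p for w in sliding_windows(x, k) for p in forest_proba(forest, w)]

# Constructed data: six metric values per contract (N = 6), label 1 = vulnerable.
X = [[12, 1, 0, 9, 30, 14], [3, 1, 0, 2, 8, 1], [15, 2, 1, 11, 41, 20], [4, 2, 0, 1, 6, 0]]
y = [1, 0, 1, 0]
FOREST = scan_fit(X, y, k=3, n_classes=2)
FEATURES = scan_transform(FOREST, [10, 1, 0, 8, 27, 9], k=3)   # S = 4, P = 2
```

With the ordinary random forest trained on the same windows, its S × P vector is spliced onto this one, giving 2 × S × P values per sample for the cascade stage.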
CN202010094870.5A 2020-02-17 2020-02-17 Vulnerability prediction method and system for intelligent contract codes, computer equipment and storage medium Pending CN111339535A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010094870.5A CN111339535A (en) 2020-02-17 2020-02-17 Vulnerability prediction method and system for intelligent contract codes, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN111339535A true CN111339535A (en) 2020-06-26

Family

ID=71183399

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010094870.5A Pending CN111339535A (en) 2020-02-17 2020-02-17 Vulnerability prediction method and system for intelligent contract codes, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111339535A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107943704A (en) * 2017-12-04 2018-04-20 扬州大学 A kind of Software Defects Predict Methods based on depth forest network
CN110543419A (en) * 2019-08-28 2019-12-06 杭州趣链科技有限公司 intelligent contract code vulnerability detection method based on deep learning technology
CN110737899A (en) * 2019-09-24 2020-01-31 暨南大学 machine learning-based intelligent contract security vulnerability detection method

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112528293A (en) * 2020-12-18 2021-03-19 中国平安财产保险股份有限公司 Security vulnerability early warning method, device, equipment and computer readable storage medium
CN112528293B (en) * 2020-12-18 2024-04-30 中国平安财产保险股份有限公司 Security vulnerability early warning method, device, equipment and computer readable storage medium
CN112579463A (en) * 2020-12-25 2021-03-30 北京信息科技大学 Method for predicting defects of intelligent contract for identity
CN112579463B (en) * 2020-12-25 2024-05-24 大卜科技(北京)有限公司 Solidity intelligent contract-oriented defect prediction method
CN112967063A (en) * 2021-04-06 2021-06-15 北京工商大学 Pont deception office detection method oriented to Ether house platform
CN112967063B (en) * 2021-04-06 2024-02-02 北京工商大学 Pond cheat detection method for Ethernet platform
CN113626827A (en) * 2021-07-29 2021-11-09 西安电子科技大学 Intelligent contract vulnerability detection method, system, equipment, medium and terminal

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200626