CN115525900A - Code security vulnerability checking method, device, equipment and medium - Google Patents

Code security vulnerability checking method, device, equipment and medium

Info

Publication number
CN115525900A
CN115525900A
Authority
CN
China
Prior art keywords
training
target
model
vulnerability
code
Prior art date
Legal status
Pending
Application number
CN202211170840.3A
Other languages
Chinese (zh)
Inventor
慕国行
刘珊
周自强
史宇欣
Current Assignee
State Grid Electric Power Research Institute Of Sepc
State Grid Shanxi Electric Power Co Ltd
Original Assignee
State Grid Electric Power Research Institute Of Sepc
State Grid Shanxi Electric Power Co Ltd
Priority date
Filing date
Publication date
Application filed by State Grid Electric Power Research Institute Of Sepc, State Grid Shanxi Electric Power Co Ltd
Priority to CN202211170840.3A
Publication of CN115525900A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 40/00 Handling natural language data
    • G06F 40/20 Natural language analysis
    • G06F 40/253 Grammatical analysis; Style critique
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 20/00 Machine learning
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F 21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/033 Test or assess software

Abstract

The embodiment of the invention relates to the technical field of vulnerability detection, and specifically discloses a code security vulnerability checking method, device, equipment and medium. The embodiment obtains a plurality of training code samples and their corresponding training vulnerabilities, and analyses the training code samples to obtain a plurality of corresponding training base structures; performs model training and testing on the training base structures and their training vulnerabilities to construct an explanatory vulnerability inspection model; obtains a target code and analyses it to obtain a target base structure; and checks the target base structure for security vulnerabilities with the explanatory vulnerability inspection model to generate a vulnerability inspection result. By analysing the training code samples, a model can be trained and tested on them and their training vulnerabilities to build the explanatory vulnerability inspection model; once the target base structure has been obtained by analysing the target code, it is imported into that model for security vulnerability inspection and a vulnerability inspection result is generated.

Description

Code security vulnerability checking method, device, equipment and medium
Technical Field
The invention belongs to the technical field of vulnerability detection and specifically relates to a code security vulnerability checking method, device, equipment and medium.
Background
Source code vulnerabilities are code defects that can harm the program itself, the system or its data. They arise when code is written incompletely at the design stage, for instance through inattention, leaving back doors that an attacker can exploit. Once discovered and used by a malicious party, such a source code defect can cause immeasurable harm. Code vulnerabilities take many forms, lying either in the algorithm or in the code itself. Their concrete manifestations mainly include: 1. input data is not checked, or not checked well, making buffer vulnerabilities likely; 2. design flaws or errors in the code logic, usually caused by programmer carelessness; 3. flaws in the algorithm itself: for the source code to be secure and free of vulnerabilities, the algorithm must first be rigorous when the code is written, and an algorithm with a flaw inevitably introduces many problems.
In the modern information age, network security has become a prominent social concern. Any vulnerability in a computer system can create serious security risks in many areas, including the economic, political, military, social and scientific. Software security vulnerabilities are, however, highly concealed: unless a trigger for the vulnerability is formed, its existence is hard to notice.
Disclosure of Invention
Embodiments of the present invention provide a method, an apparatus, a device and a medium for checking code security vulnerabilities, intended to solve the problems described in the background art.
To achieve this object, the embodiments of the present invention provide the following technical solutions:
a code security vulnerability checking method, which specifically comprises the following steps:
obtaining a plurality of training code samples and their corresponding training vulnerabilities, and analysing the training code samples to obtain a plurality of corresponding training base structures;
performing model training and testing on the training base structures and their corresponding training vulnerabilities, and constructing an explanatory vulnerability inspection model;
obtaining a target code and analysing it to obtain a target base structure;
and checking the target base structure for security vulnerabilities with the explanatory vulnerability inspection model to generate a vulnerability inspection result.
As a further limitation of the technical solution of the embodiment of the present invention, obtaining the plurality of training code samples and their corresponding training vulnerabilities, and analysing the training code samples to obtain the plurality of corresponding training base structures, specifically comprises the following steps:
obtaining a plurality of training code samples and their corresponding training vulnerabilities;
performing lexical analysis on the training code samples to obtain a plurality of training word sequences;
performing syntactic analysis on the training word sequences to construct a plurality of training abstract syntax trees;
and traversing and converting the training abstract syntax trees to generate a plurality of training base structures.
As a further limitation of the technical solution of the embodiment of the present invention, performing model training and testing on the training base structures and their corresponding training vulnerabilities and constructing the explanatory vulnerability inspection model specifically comprises the following steps:
dividing the training base structures and their corresponding training vulnerabilities into a training set and a test set according to a preset division ratio;
performing model training on the training set to construct a basic inspection model;
and testing and optimising the basic inspection model on the test set to obtain the explanatory vulnerability inspection model.
As a further limitation of the technical solution of the embodiment of the present invention, obtaining the target code and analysing it to obtain the target base structure specifically comprises the following steps:
obtaining a target code;
performing lexical analysis on the target code to obtain a target word sequence;
performing syntactic analysis on the target word sequence to construct a target abstract syntax tree;
and traversing and converting the target abstract syntax tree to generate a target base structure.
As a further limitation of the technical solution of the embodiment of the present invention, checking the target base structure for security vulnerabilities with the explanatory vulnerability inspection model and generating a vulnerability inspection result specifically comprises the following steps:
importing the target base structure into the explanatory vulnerability inspection model;
and checking the target base structure for security vulnerabilities and exporting the vulnerability inspection result.
A code security vulnerability checking apparatus, comprising a training analysis processing unit, an inspection model building unit, a target analysis processing unit and a security vulnerability checking unit, wherein:
the training analysis processing unit is used for obtaining a plurality of training code samples and their corresponding training vulnerabilities, and for analysing the training code samples to obtain a plurality of corresponding training base structures;
the inspection model building unit is used for performing model training and testing on the training base structures and their corresponding training vulnerabilities to build an explanatory vulnerability inspection model;
the target analysis processing unit is used for obtaining a target code and analysing it to obtain a target base structure;
and the security vulnerability checking unit is used for checking the target base structure for security vulnerabilities with the explanatory vulnerability inspection model and generating a vulnerability inspection result.
As a further limitation of the technical solution of the embodiment of the present invention, the training analysis processing unit specifically comprises:
a training code acquisition module, used for obtaining a plurality of training code samples and their corresponding training vulnerabilities;
a training lexical analysis module, used for performing lexical analysis on the training code samples to obtain a plurality of training word sequences;
a training syntactic analysis module, used for performing syntactic analysis on the training word sequences to construct a plurality of training abstract syntax trees;
and a training conversion module, used for traversing and converting the training abstract syntax trees to generate a plurality of training base structures.
As a further limitation of the technical solution of the embodiment of the present invention, the inspection model building unit specifically comprises:
a training division module, used for dividing the training base structures and their corresponding training vulnerabilities into a training set and a test set according to a preset division ratio;
a model training construction module, used for performing model training on the training set to construct a basic inspection model;
and a model test optimisation module, used for testing and optimising the basic inspection model on the test set to obtain the explanatory vulnerability inspection model.
A computer device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to perform the steps of the code security vulnerability checking method described above.
A computer-readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the steps of the code security vulnerability checking method described above.
Compared with the prior art, the invention has the following beneficial effects:
the embodiment of the invention obtains a plurality of training code samples and their corresponding training vulnerabilities, and analyses the training code samples to obtain a plurality of corresponding training base structures; performs model training and testing on the training base structures and their training vulnerabilities to construct an explanatory vulnerability inspection model; obtains a target code and analyses it to obtain a target base structure; and checks the target base structure for security vulnerabilities with the explanatory vulnerability inspection model to generate a vulnerability inspection result. By analysing the training code samples, a model can be trained and tested on them and their training vulnerabilities to build the explanatory vulnerability inspection model; once the target base structure has been obtained by analysing the target code, it is imported into that model for security vulnerability inspection and a vulnerability inspection result is generated.
Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below; the drawings described here show only some embodiments of the present invention.
Fig. 1 shows a flow chart of a method provided by an embodiment of the invention.
Fig. 2 shows a flowchart of a training code analysis process in the method provided by the embodiment of the present invention.
Fig. 3 shows a flowchart of model training test construction in the method provided by the embodiment of the present invention.
Fig. 4 shows a flowchart of target code analysis processing in the method provided by the embodiment of the present invention.
Fig. 5 shows a flowchart of security vulnerability checking in the method provided by the embodiment of the present invention.
Fig. 6 shows a block diagram of an apparatus provided in an embodiment of the present invention.
Fig. 7 shows a block diagram of a training analysis processing unit in the apparatus according to the embodiment of the present invention.
Fig. 8 shows a block diagram of an inspection model building unit in the apparatus provided in the embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
It can be understood that, in the prior art, the concrete manifestations of code vulnerabilities mainly include: 1. input data is not checked, or not checked well, making buffer vulnerabilities likely; 2. design flaws or errors in the code logic, usually caused by programmer carelessness; 3. flaws in the algorithm itself: for the source code to be secure and free of vulnerabilities, the algorithm must be rigorous when the code is written, and an algorithm with a flaw introduces many problems. Software security vulnerabilities are, moreover, highly concealed: unless a trigger for the vulnerability is formed, its existence is hard to notice.
To solve the above problems, in the embodiments of the present invention a plurality of training code samples and their corresponding training vulnerabilities are obtained, and the training code samples are analysed to obtain a plurality of corresponding training base structures; model training and testing are performed on the training base structures and their training vulnerabilities to construct an explanatory vulnerability inspection model; a target code is obtained and analysed to obtain a target base structure; and the target base structure is checked for security vulnerabilities with the explanatory vulnerability inspection model to generate a vulnerability inspection result. By analysing the training code samples, a model can be trained and tested on them and their training vulnerabilities to build the explanatory vulnerability inspection model; once the target base structure has been obtained by analysing the target code, it is imported into that model for security vulnerability inspection and a vulnerability inspection result is generated.
Fig. 1 shows a flow chart of a method provided by an embodiment of the invention.
Specifically, the code security vulnerability checking method comprises the following steps:
step S101, obtaining a plurality of training code samples and their corresponding training vulnerabilities, and analysing the training code samples to obtain a plurality of corresponding training base structures.
In the embodiment of the invention, a plurality of training code samples and their corresponding training vulnerabilities, prepared in advance for model training and testing, are received. Lexical analysis is performed on each training code sample to obtain a training word sequence; each training word sequence consists of the words produced by analysing the code's character string, but records no relation between those words. Syntactic analysis is then performed on the training word sequences to construct a plurality of training abstract syntax trees, and the training abstract syntax trees are traversed and converted to generate a plurality of training base structures.
It is understood that syntactic analysis (parsing) is the process of taking an input consisting of a sequence of words and determining its grammatical structure according to a given grammar. Traversal and conversion means walking the abstract syntax tree, embedding the information the host language records about the source code, and converting the result into a tree-shaped hierarchical data structure, which is the basis for static analysis.
Specifically, fig. 2 shows a flowchart of the training code analysis process in the method provided by the embodiment of the present invention.
In an embodiment of the present invention, obtaining the plurality of training code samples and their corresponding training vulnerabilities, and analysing the training code samples to obtain the plurality of corresponding training base structures, specifically comprises:
step S1011, obtaining a plurality of training code samples and their corresponding training vulnerabilities.
Step S1012, performing lexical analysis on the training code samples to obtain a plurality of training word sequences.
In the embodiment of the invention, the characters of a training code sample are scanned one by one, and word symbols are assembled according to the kind of the first character scanned, so that all characters of the training code sample are segmented into a series of words under the word-formation rules. The words include reserved words, identifiers, punctuation marks, constants and the like, and together form the training word sequence corresponding to that training code sample.
Step S1013, performing syntactic analysis on the training word sequences to construct a plurality of training abstract syntax trees.
Step S1014, traversing and converting the training abstract syntax trees to generate a plurality of training base structures.
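The four analysis steps S1011 to S1014 (and the identical analysis applied to the target code in steps S1031 to S1034), worked through in Python as an added example that is not part of the patent: the standard library's `tokenize` module supplies the lexical analysis, `ast.parse` the syntactic analysis, and a recursive traversal converts the tree into the nested base structure. The sample snippet, the word kinds, the dictionary layout of the base structure and the node-type histogram are all assumptions made for this example; the patent fixes neither a source language nor a representation.

```python
import ast
import io
import keyword
import tokenize
from collections import Counter
from typing import Any, Dict, List

# Constructed sample input (not taken from the patent): a snippet whose
# structure is to be turned into a base structure. It builds a shell
# command from its argument, the kind of pattern a vulnerability label
# would later be attached to.
SAMPLE_CODE = '''
def run(cmd):
    import os
    os.system("ls " + cmd)
    return 0
'''


def lexical_analysis(code: str) -> List[Dict[str, str]]:
    """Step S1012 / S1032: scan the characters and cut them into words.

    The result is a flat word sequence. Each word carries only its kind
    (reserved word, identifier, punctuation, constant) and its spelling;
    no relation between words is recorded at this stage.
    """
    words: List[Dict[str, str]] = []
    layout = {tokenize.NEWLINE, tokenize.NL, tokenize.INDENT,
              tokenize.DEDENT, tokenize.ENDMARKER, tokenize.COMMENT}
    for tok in tokenize.generate_tokens(io.StringIO(code).readline):
        if tok.type in layout:
            continue
        if tok.type == tokenize.NAME:
            kind = "reserved" if keyword.iskeyword(tok.string) else "identifier"
        elif tok.type in (tokenize.NUMBER, tokenize.STRING):
            kind = "constant"
        elif tok.type == tokenize.OP:
            kind = "punctuation"
        else:
            kind = tokenize.tok_name[tok.type].lower()
        words.append({"type": kind, "text": tok.string})
    return words


def syntactic_analysis(code: str) -> ast.AST:
    """Step S1013 / S1033: determine the grammatical structure of the input.

    The standard-library parser re-lexes the source internally, so it is
    handed the code rather than the word list from lexical_analysis().
    """
    return ast.parse(code)


def to_base_structure(node: ast.AST) -> Dict[str, Any]:
    """Step S1014 / S1034: traverse the AST and convert it into a
    tree-shaped hierarchical structure. Each entry keeps the node type,
    the source position recorded by the host language, the leaf value
    (identifier, attribute or constant) if any, and the children in
    source order."""
    entry: Dict[str, Any] = {"type": type(node).__name__}
    if hasattr(node, "lineno"):
        entry["line"] = node.lineno
    if isinstance(node, ast.Name):
        entry["value"] = node.id
    elif isinstance(node, ast.Attribute):
        entry["value"] = node.attr
    elif isinstance(node, ast.Constant):
        entry["value"] = repr(node.value)
    elif isinstance(node, (ast.FunctionDef, ast.ClassDef)):
        entry["value"] = node.name
    elif isinstance(node, ast.arg):
        entry["value"] = node.arg
    children = [to_base_structure(c) for c in ast.iter_child_nodes(node)]
    if children:
        entry["children"] = children
    return entry


def node_type_counts(base: Dict[str, Any]) -> Counter:
    """Summarise a base structure as a histogram of node types, the form
    in which it is later handed to a learning model."""
    counts: Counter = Counter({base["type"]: 1})
    for child in base.get("children", []):
        counts.update(node_type_counts(child))
    return counts


def analyze(code: str) -> Dict[str, Any]:
    """Run the three analysis steps on one piece of code."""
    words = lexical_analysis(code)
    base = to_base_structure(syntactic_analysis(code))
    return {"words": words, "base": base, "counts": node_type_counts(base)}


if __name__ == "__main__":
    result = analyze(SAMPLE_CODE)
    print([w["text"] for w in result["words"]])
    print(result["counts"].most_common(5))
```

The word list deliberately drops layout tokens (newlines, indentation), since the patent's word sequence carries no relation between words; the structure reappears only once the parser has built the tree, and the `line` field is what the patent calls the host language's record of the source.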
Further, the code security vulnerability checking method comprises the following steps:
step S102, performing model training and testing on the training base structures and their corresponding training vulnerabilities, and constructing an explanatory vulnerability inspection model.
In the embodiment of the invention, a preset division ratio is obtained, and the training base structures and their corresponding training vulnerabilities are divided according to that ratio into a training set and a test set. Model training is performed on a preset base algorithm with the training set to construct a basic inspection model, and the test set is then used to test and optimise the basic inspection model to obtain the explanatory vulnerability inspection model.
It can be understood that the basic inspection model may be obtained by training an existing model, specifically a SySeVR-BLSTM model, a VulDeePecker model or the like. When the basic inspection model is tested and optimised with the test set, the vulnerability characteristics of the test set are obtained and matched against code elements; whether the vulnerability the basic inspection model identifies for each training base structure in the test set agrees with the corresponding training vulnerability is verified; where it does not, the basic inspection model is adjusted and optimised; and through this test optimisation on the test set the basic inspection model is refined into the explanatory vulnerability inspection model.
Specifically, fig. 3 shows a flowchart of model training test construction in the method provided by the embodiment of the present invention.
In an embodiment of the present invention, performing model training and testing on the training base structures and their corresponding training vulnerabilities and constructing the explanatory vulnerability inspection model specifically comprises the following steps:
step S1021, dividing the training base structures and their corresponding training vulnerabilities into a training set and a test set according to a preset division ratio.
Step S1022, performing model training on the training set to construct a basic inspection model.
Step S1023, testing and optimising the basic inspection model on the test set to obtain the explanatory vulnerability inspection model.
Further, the code security vulnerability checking method further comprises the following steps:
step S103, obtaining a target code and analysing it to obtain a target base structure.
In the embodiment of the invention, the target code is received and lexical analysis is performed on it to obtain a target word sequence; the target word sequence consists of the words produced by analysing the code's character string, but records no relation between those words. Syntactic analysis is then performed on the target word sequence to construct a target abstract syntax tree, and the target abstract syntax tree is traversed and converted to generate a target base structure.
Specifically, fig. 4 shows a flowchart of target code analysis processing in the method provided by the embodiment of the present invention.
In a preferred embodiment provided by the present invention, obtaining the target code and analysing it to obtain the target base structure specifically comprises the following steps:
step S1031, obtaining a target code.
Step S1032, performing lexical analysis on the target code to obtain a target word sequence.
Step S1033, performing syntactic analysis on the target word sequence to construct a target abstract syntax tree.
Step S1034, traversing and converting the target abstract syntax tree to generate a target base structure.
Further, the code security vulnerability checking method further comprises the following steps:
step S104, checking the target base structure for security vulnerabilities with the explanatory vulnerability inspection model to generate a vulnerability inspection result.
In the embodiment of the invention, the target base structure is imported into the explanatory vulnerability inspection model, which performs the security vulnerability check on it; when the check is finished the vulnerability inspection result is exported, and the explanatory vulnerability inspection model can be continuously optimised on the basis of those results.
Specifically, fig. 5 shows a flowchart of security vulnerability checking in the method provided by the embodiment of the present invention.
In an embodiment of the present invention, checking the target base structure for security vulnerabilities with the explanatory vulnerability inspection model and generating a vulnerability inspection result specifically comprises the following steps:
step S1041, importing the target base structure into the explanatory vulnerability inspection model.
Step S1042, checking the target base structure for security vulnerabilities and exporting the vulnerability inspection result.
Further, fig. 6 shows a block diagram of a device provided in an embodiment of the present invention.
In another preferred embodiment, a code security vulnerability checking apparatus comprises:
a training analysis processing unit 101, configured to obtain a plurality of training code samples and their corresponding training vulnerabilities, and to analyse the training code samples to obtain a plurality of corresponding training base structures.
In the embodiment of the present invention, the training analysis processing unit 101 receives a plurality of training code samples and their corresponding training vulnerabilities, prepared in advance for model training and testing, and performs lexical analysis on each to obtain a training word sequence; each training word sequence consists of the words produced by analysing the code's character string, but records no relation between those words. The unit then performs syntactic analysis on the training word sequences to construct a plurality of training abstract syntax trees, and traverses and converts the training abstract syntax trees to generate a plurality of training base structures.
Specifically, fig. 7 shows a block diagram of a structure of the training analysis processing unit 101 in the apparatus according to the embodiment of the present invention.
In a preferred embodiment provided by the present invention, the training analysis processing unit 101 specifically comprises:
a training code acquisition module 1011, configured to obtain a plurality of training code samples and their corresponding training vulnerabilities;
a training lexical analysis module 1012, configured to perform lexical analysis on the training code samples to obtain a plurality of training word sequences;
a training syntactic analysis module 1013, configured to perform syntactic analysis on the training word sequences to construct a plurality of training abstract syntax trees;
and a training conversion module 1014, configured to traverse and convert the training abstract syntax trees to generate a plurality of training base structures.
Further, the code security vulnerability checking apparatus comprises:
an inspection model building unit 102, configured to perform model training and testing on the training base structures and their corresponding training vulnerabilities, and to build an explanatory vulnerability inspection model.
In the embodiment of the present invention, the inspection model building unit 102 obtains a preset division ratio, divides the training base structures and their corresponding training vulnerabilities according to that ratio into a training set and a test set, performs model training on a preset base algorithm with the training set to build a basic inspection model, and tests and optimises the basic inspection model with the test set to obtain the explanatory vulnerability inspection model.
Specifically, fig. 8 shows a block diagram of the inspection model building unit 102 in the apparatus provided in the embodiment of the present invention.
In an embodiment of the present invention, the inspection model building unit 102 specifically comprises:
a training division module 1021, configured to divide the training base structures and their corresponding training vulnerabilities into a training set and a test set according to a preset division ratio;
a model training construction module 1022, configured to perform model training on the training set and construct a basic inspection model;
and a model test optimisation module 1023, configured to test and optimise the basic inspection model on the test set to obtain the explanatory vulnerability inspection model.
Further, the code security vulnerability checking apparatus further includes:
and the target analysis processing unit 103 is configured to obtain a target code, and perform analysis processing on the target code to obtain a target infrastructure.
In this embodiment of the present invention, the target analysis processing unit 103 receives the target code, performs lexical analysis on the plurality of target codes to obtain target word sequence data, where the target word sequence data includes a plurality of corresponding words generated by analyzing the code character string but does not include a relationship between the words, performs syntax analysis on the target word sequence data to construct a target abstract syntax tree, and performs traversal analysis and transformation on the target abstract syntax tree to generate a target infrastructure.
A security vulnerability checking unit 104 is configured to perform security vulnerability checking on the target infrastructure according to the explained vulnerability checking model and to generate a vulnerability checking result.
In the embodiment of the present invention, the security vulnerability checking unit 104 imports the target infrastructure into the explained vulnerability checking model, performs security vulnerability checking on the target infrastructure through that model, exports the vulnerability checking result once the check is complete, and can continue to optimize the explained vulnerability checking model according to the vulnerability checking results it produces.
In a further embodiment, a computer device is provided, the computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
acquiring a plurality of training codes and corresponding training vulnerabilities, and analyzing and processing the plurality of training codes to obtain a plurality of corresponding training infrastructures;
performing model training and testing according to the training infrastructures and the corresponding training vulnerabilities, and constructing an explained vulnerability checking model;
acquiring a target code, and analyzing and processing the target code to obtain a target infrastructure; and
performing security vulnerability checking on the target infrastructure according to the explained vulnerability checking model to generate a vulnerability checking result.
In yet another embodiment, a computer-readable storage medium is provided, having a computer program stored thereon which, when executed by a processor, causes the processor to perform the steps of:
acquiring a plurality of training codes and corresponding training vulnerabilities, and analyzing and processing the plurality of training codes to obtain a plurality of corresponding training infrastructures;
performing model training and testing according to the training infrastructures and the corresponding training vulnerabilities, and constructing an explained vulnerability checking model;
acquiring a target code, and analyzing and processing the target code to obtain a target infrastructure; and
performing security vulnerability checking on the target infrastructure according to the explained vulnerability checking model to generate a vulnerability checking result.
In summary, in the embodiments of the present invention, a plurality of training codes and corresponding training vulnerabilities are obtained, and the training codes are analyzed and processed to obtain a plurality of corresponding training infrastructures; model training and testing are performed according to the training infrastructures and the corresponding training vulnerabilities to construct an explained vulnerability checking model; a target code is obtained and analyzed and processed to obtain a target infrastructure; and security vulnerability checking is performed on the target infrastructure according to the explained vulnerability checking model to generate a vulnerability checking result. Analyzing and processing the training codes makes it possible to train and test a model on them and their corresponding training vulnerabilities and so build the explained vulnerability checking model; once the target infrastructure has been obtained by analyzing and processing the target code, it is imported into that model for security vulnerability checking, and the vulnerability checking result is generated.
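The pipeline summarized above (lexical analysis into a word sequence, syntax analysis into an abstract syntax tree, traversal of the tree into a "basic structure", a proportional training/test split, model training, test-set optimization, and finally an explained check of a target code) can be followed end to end on a small scale. The block below is an added example and not the patent's implementation: it targets Python sources, uses a constructed corpus of labelled snippets, a bag-of-AST-features "basic structure", a multinomial naive Bayes classifier whose smoothing parameter is tuned on the test set, and an explanation listing the features that drove the verdict. All of those are assumptions chosen for illustration; the patent does not specify the algorithm, features or labels.

```python
# Added worked example (not the patent's code): a toy version of the pipeline
# described above, for Python sources. Snippets, labels and the classifier are
# constructed assumptions that illustrate the steps, not a production model.
import ast
import io
import math
import tokenize
from collections import Counter, defaultdict

# Constructed corpus: (training code, training vulnerability label), ordered so a
# proportional split keeps both labels in both the training and the test set.
TRAINING_CODES = [
    ('def q(db, user):\n    return db.execute("SELECT * FROM t WHERE u=" + user)\n', "sql_injection"),
    ('def q(db, user):\n    return db.execute("SELECT * FROM t WHERE u=%s" % user)\n', "sql_injection"),
    ('def q(db, uid):\n    return db.execute("SELECT * FROM t WHERE u=" + str(uid))\n', "sql_injection"),
    ('def q(db, user):\n    return db.execute("SELECT * FROM t WHERE u=?", (user,))\n', "safe"),
    ('def q(db, uid):\n    return db.execute("SELECT * FROM t WHERE id=?", (uid,))\n', "safe"),
    ('def q(db, name):\n    return db.execute("SELECT * FROM t WHERE n=?", [name])\n', "safe"),
    ('def r(db, x):\n    return db.execute("SELECT 1 WHERE a=%s" % x)\n', "sql_injection"),
    ('def r(db, x):\n    return db.execute("SELECT 1 WHERE a=?", (x,))\n', "safe"),
]

def lexical_analysis(source):
    """Step 1: word sequence (token kind, text) with no relations between words."""
    skip = {tokenize.NL, tokenize.NEWLINE, tokenize.INDENT, tokenize.DEDENT,
            tokenize.ENDMARKER, tokenize.COMMENT}
    return [(tokenize.tok_name[t.type], t.string)
            for t in tokenize.generate_tokens(io.StringIO(source).readline)
            if t.type not in skip]

def traverse_to_structure(source):
    """Steps 2-3: syntax analysis (ast.parse re-tokenises internally), then a traversal
    that flattens the tree into a bag of node kinds and call shapes (the 'basic structure')."""
    feats = Counter()
    for node in ast.walk(ast.parse(source)):
        feats[type(node).__name__] += 1
        if isinstance(node, ast.BinOp):
            feats["BinOp:" + type(node.op).__name__] += 1
        if isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "?")
            feats["call:" + name] += 1
            for arg in node.args:  # e.g. call:execute<-BinOp vs call:execute<-Tuple
                feats["call:%s<-%s" % (name, type(arg).__name__)] += 1
    return feats

def split_by_ratio(samples, ratio):
    """Proportional split: the first `ratio` share trains, the remainder tests."""
    n = int(len(samples) * ratio)
    return samples[:n], samples[n:]

class NaiveBayesInspector:
    """Multinomial naive Bayes over structure features; alpha (smoothing) is tuned on the test set."""
    def __init__(self, alpha):
        self.alpha, self.prior = alpha, {}
        self.counts, self.vocab = defaultdict(Counter), set()

    def fit(self, structures, labels):
        for s, y in zip(structures, labels):
            self.counts[y].update(s)
            self.vocab.update(s)
        for y in self.counts:
            self.prior[y] = math.log(labels.count(y) / len(labels))

    def _logp(self, feat, y):
        total = sum(self.counts[y].values())
        return math.log((self.counts[y][feat] + self.alpha) / (total + self.alpha * len(self.vocab)))

    def score(self, structure):
        return {y: self.prior[y] + sum(c * self._logp(f, y) for f, c in structure.items())
                for y in self.counts}

    def predict(self, structure):
        return max(self.score(structure).items(), key=lambda kv: kv[1])[0]

    def explain(self, structure, top=3):
        # Features that pushed the verdict most, relative to the runner-up class.
        ranked = sorted(self.score(structure).items(), key=lambda kv: kv[1], reverse=True)
        winner, runner_up = ranked[0][0], ranked[1][0]
        contrib = {f: c * (self._logp(f, winner) - self._logp(f, runner_up))
                   for f, c in structure.items()}
        return sorted(contrib.items(), key=lambda kv: kv[1], reverse=True)[:top]

def build_inspection_model(training_codes, ratio=0.75, alphas=(0.1, 0.5, 1.0)):
    """Analyse each training code, split by ratio, train, keep the alpha that tests best."""
    samples = [(traverse_to_structure(src), y) for src, y in training_codes]
    train, test = split_by_ratio(samples, ratio)
    best_acc, best_model = -1.0, None
    for alpha in alphas:
        model = NaiveBayesInspector(alpha)
        model.fit([s for s, _ in train], [y for _, y in train])
        acc = sum(model.predict(s) == y for s, y in test) / len(test)
        if acc > best_acc:
            best_acc, best_model = acc, model
    return best_model, best_acc

def check_code(model, target_code):
    """Import the target's structure into the model; export an explained result."""
    structure = traverse_to_structure(target_code)
    return {"label": model.predict(structure), "evidence": model.explain(structure)}
```

Calling `build_inspection_model(TRAINING_CODES)` returns the tuned model and its test-set accuracy; `check_code(model, source)` then returns the predicted label together with the features that contributed most to it, which is what makes the result "explained" rather than a bare verdict. The split here is in corpus order for determinism; a real corpus would be shuffled and stratified before splitting, and the feature design (here only node kinds and argument shapes of calls) is the part that decides what the model can and cannot see.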
It should be understood that, although the steps in the flowcharts of the embodiments of the present invention are shown in the sequence indicated by the arrows, they are not necessarily performed in that sequence. Unless explicitly stated otherwise, the steps are not limited to the exact order shown and described and may be performed in other orders. Moreover, at least some of the steps in the various embodiments may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and the sub-steps or stages need not be performed sequentially: they may be performed in turn or alternately with other steps, or with at least some of the sub-steps or stages of other steps.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, a database or other medium used in the embodiments provided herein can include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM), among others.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present invention, and the description thereof is specific and detailed, but not to be understood as limiting the scope of the present invention. It should be noted that various changes and modifications can be made by those skilled in the art without departing from the spirit of the invention, and these changes and modifications are all within the scope of the invention. Therefore, the protection scope of the present patent should be subject to the appended claims.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (10)

1. A code security vulnerability checking method, characterized by comprising the following steps:
acquiring a plurality of training codes and corresponding training vulnerabilities, and analyzing and processing the plurality of training codes to obtain a plurality of corresponding training infrastructures;
performing model training and testing according to the training infrastructures and the corresponding training vulnerabilities, and constructing an explained vulnerability checking model;
acquiring a target code, and analyzing and processing the target code to obtain a target infrastructure; and
performing security vulnerability checking on the target infrastructure according to the explained vulnerability checking model to generate a vulnerability checking result.
2. The code security vulnerability checking method according to claim 1, wherein obtaining a plurality of training codes and corresponding training vulnerabilities and analyzing and processing the plurality of training codes to obtain a plurality of corresponding training infrastructures specifically comprises the following steps:
obtaining a plurality of training codes and corresponding training vulnerabilities;
performing lexical analysis on the training codes to obtain a plurality of training word sequence data;
performing syntactic analysis on the training word sequence data to construct a plurality of training abstract syntax trees; and
traversing, analyzing and converting the plurality of training abstract syntax trees to generate a plurality of training infrastructures.
3. The code security vulnerability checking method according to claim 1, wherein performing model training and testing according to the plurality of training infrastructures and the corresponding training vulnerabilities and constructing an explained vulnerability checking model specifically comprises the following steps:
dividing the training infrastructures and the corresponding training vulnerabilities into a training set and a test set according to a preset division ratio;
performing model training according to the training set to construct a training basic inspection model; and
testing and optimizing the training basic inspection model according to the test set to obtain the explained vulnerability checking model.
4. The code security vulnerability checking method according to claim 1, wherein obtaining a target code and analyzing and processing the target code to obtain a target infrastructure specifically comprises the following steps:
acquiring a target code;
performing lexical analysis on the target code to obtain target word sequence data;
performing syntactic analysis on the target word sequence data to construct a target abstract syntax tree; and
traversing, analyzing and converting the target abstract syntax tree to generate a target infrastructure.
5. The code security vulnerability checking method according to claim 1, wherein performing security vulnerability checking on the target infrastructure according to the explained vulnerability checking model to generate a vulnerability checking result specifically comprises the following steps:
importing the target infrastructure into the explained vulnerability checking model; and
performing security vulnerability checking on the target infrastructure and exporting the vulnerability checking result.
6. A code security vulnerability checking device, characterized by comprising a training analysis processing unit, a checking model building unit, a target analysis processing unit and a security vulnerability checking unit, wherein:
the training analysis processing unit is configured to acquire a plurality of training codes and corresponding training vulnerabilities, and to analyze and process the plurality of training codes to obtain a plurality of corresponding training infrastructures;
the checking model building unit is configured to perform model training and testing according to the training infrastructures and the corresponding training vulnerabilities, and to construct an explained vulnerability checking model;
the target analysis processing unit is configured to acquire a target code and to analyze and process the target code to obtain a target infrastructure; and
the security vulnerability checking unit is configured to perform security vulnerability checking on the target infrastructure according to the explained vulnerability checking model and to generate a vulnerability checking result.
7. The code security vulnerability checking device according to claim 6, wherein the training analysis processing unit specifically comprises:
a training code acquisition module, configured to acquire a plurality of training codes and corresponding training vulnerabilities;
a training lexical analysis module, configured to perform lexical analysis on the training codes to obtain a plurality of training word sequence data;
a training syntax analysis module, configured to perform syntax analysis on the training word sequence data to construct a plurality of training abstract syntax trees; and
a training analysis conversion module, configured to traverse, analyze and convert the plurality of training abstract syntax trees to generate a plurality of training infrastructures.
8. The code security vulnerability checking device according to claim 6, wherein the checking model building unit specifically comprises:
a training dividing module, configured to divide the training infrastructures and the corresponding training vulnerabilities into a training set and a test set according to a preset division ratio;
a model training construction module, configured to perform model training according to the training set and to construct a training basic inspection model; and
a model test optimization module, configured to test and optimize the training basic inspection model according to the test set to obtain the explained vulnerability checking model.
9. A computer device comprising a memory and a processor, the memory having stored thereon a computer program that, when executed by the processor, causes the processor to carry out the steps of the code security vulnerability checking method according to any one of claims 1 to 5.
10. A computer-readable storage medium having a computer program stored thereon which, when executed by a processor, causes the processor to perform the steps of the code security vulnerability checking method according to any one of claims 1 to 5.
CN202211170840.3A 2022-09-23 2022-09-23 Code security vulnerability checking method, device, equipment and medium Pending CN115525900A (en)


Publications (1)

Publication Number Publication Date
CN115525900A true CN115525900A (en) 2022-12-27


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114048464A (en) * 2022-01-12 2022-02-15 北京大学 Ethereum smart contract security vulnerability detection method and system based on deep learning
CN114297654A (en) * 2021-12-31 2022-04-08 北京工业大学 Intelligent contract vulnerability detection method and system for source code hierarchy
CN115017511A (en) * 2022-04-28 2022-09-06 武汉工程大学 Source code vulnerability detection method and device and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Yang Juan et al.: "Formal Languages and Automata, 2nd edition" (《形式语言与自动机 第2版》), 1 January 2017, Beijing University of Posts and Telecommunications Press, p. 180 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116383835A (en) * 2023-06-06 2023-07-04 北京比瓴科技有限公司 Software vulnerability monitoring method, device, equipment and medium based on multiple security tools
CN116383835B (en) * 2023-06-06 2023-09-19 北京比瓴科技有限公司 Software vulnerability monitoring method, device, equipment and medium based on multiple security tools

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination