Similarity detection method for unknown vulnerability discovery based on patch information

A method in the field of unknown-vulnerability detection: a similarity detection technique that uses patch information to discover unknown vulnerabilities. It addresses the problems of low similarity values and low ranking positions for functions that really do contain a similar vulnerability, and spuriously high similarity for functions that do not, thereby improving detection accuracy with low performance overhead and reduced interference from vulnerability-unrelated statements.

Active Publication Date: 2018-07-10
RENMIN UNIVERSITY OF CHINA

AI Technical Summary

Problems solved by technology

When a function that does not contain the vulnerability resembles a known vulnerable function only in its noise part, the large share of noise can yield a high similarity score, producing a false positive. Conversely, when a function does contain a similar vulnerability but the noise statements outside the vulnerability-related statements differ from those of the known vulnerable function, the computed similarity may be low and the function may be ranked low, producing a false negative.
Therefore, if the noise in the function containing the known vulnerability is not removed, the extracted function features are mixed with noise features, which ultimately degrades the effectiveness of the detection method and makes manual auditing harder.




Embodiment

[0040] The method of the present invention is deployed on a 64-bit Ubuntu 16.04 platform, with GCC 4.9 as the compiler. The open-source audio and video processing library FFmpeg version 3.2.4 and the open-source image viewing software Ghostscript version 9.21, both widely supported across platforms, are selected as the experimental objects. FFmpeg contains 1583 files and 15598 functions, and Ghostscript contains 935 files and 15875 functions. For vulnerabilities, the vulnerabilities newly announced for these two software packages in 2017 were selected as the known target vulnerabilities for the detection experiments.

[0041] The method of the present invention involves three main steps. Slicing, normalization and vectorization are all deployed directly in GCC, so that slicing and vector mapping are carried out during compilation and the feature vectors are emitted as compiler output. The similarity calculation is performed separately afterwards, and the similar...



Abstract

The invention relates to a similarity detection method for unknown vulnerability discovery based on patch information. The method comprises the following steps: a known vulnerable function and the corresponding patched function are sliced, generating slices containing the vulnerability-related statements and slices containing the patch statements; the variable names, variable types and function call names of the function to be detected, the vulnerability slices and the patch slices are subjected to symbol normalization; the function to be detected, the vulnerability slices and the patch slices are mapped into a vector space to generate a feature vector for the function to be detected, a vulnerability feature vector and a patch feature vector, where each of these is a single vector and the value of each dimension is the product of the number of occurrences of the corresponding feature statement in the function and its TF-IDF weight; after the feature vectors are generated, the similarity between them is calculated and the results are ranked, and it is judged whether the set of functions to be detected contains an unknown vulnerability whose characteristics resemble those of the known vulnerability. The method effectively reduces the disturbance caused by vulnerability-unrelated statements and improves detection accuracy.
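The vectorization and ranking step described in the abstract, as an added illustration (not code from the patent or its authors): statements are assumed to be already sliced and symbol-normalized, each dimension is occurrence count times a smoothed TF-IDF weight computed over the function set, cosine similarity is used as the similarity measure, and the final triage rule (closer to the vulnerable slice than to the patched slice) is an assumption, since the page does not spell out how the patch vector is used.

```python
import math
from collections import Counter

# Constructed sample input. Statements are already symbol-normalized: VARn / FUNCn
# stand for the renamed variables, types and callees described in the abstract.
VULN_SLICE = ["VAR1 = FUNC1(VAR2)", "VAR3 = VAR1 + VAR4", "FUNC2(VAR5, VAR3)"]
PATCH_SLICE = ["VAR1 = FUNC1(VAR2)", "if (VAR1 > VAR6) return",
               "VAR3 = VAR1 + VAR4", "FUNC2(VAR5, VAR3)"]
# Constructed to-be-detected function set: name -> normalized statements.
FUNCTIONS = {
    "decode_frame": ["VAR1 = FUNC1(VAR2)", "VAR3 = VAR1 + VAR4",
                     "FUNC2(VAR5, VAR3)", "return VAR3"],
    "decode_frame_fixed": ["VAR1 = FUNC1(VAR2)", "if (VAR1 > VAR6) return",
                           "VAR3 = VAR1 + VAR4", "FUNC2(VAR5, VAR3)", "return VAR3"],
    "log_helper": ["FUNC3(VAR7)", "FUNC3(VAR8)", "FUNC3(VAR9)", "return VAR3"],
}

def idf(statement, df, n):
    """Smoothed inverse document frequency over the n functions under test."""
    return math.log((1 + n) / (1 + df.get(statement, 0))) + 1

def vectorize(statements, df, n):
    """Sparse feature vector: dimension = occurrences * TF-IDF weight."""
    tf = Counter(statements)
    return {s: c * idf(s, df, n) for s, c in tf.items()}

def cosine(a, b):
    """Cosine similarity of two sparse vectors (0.0 if either is empty)."""
    dot = sum(w * b.get(s, 0.0) for s, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def rank_candidates(functions, vuln_slice, patch_slice):
    """(name, sim_to_vuln_slice, sim_to_patch_slice), best vuln match first."""
    df = Counter(s for stmts in functions.values() for s in set(stmts))
    n = len(functions)
    vuln_vec = vectorize(vuln_slice, df, n)
    patch_vec = vectorize(patch_slice, df, n)
    rows = []
    for name, stmts in functions.items():
        fv = vectorize(stmts, df, n)
        rows.append((name, cosine(fv, vuln_vec), cosine(fv, patch_vec)))
    return sorted(rows, key=lambda r: r[1], reverse=True)

def likely_unpatched(rows, threshold=0.8):
    """Assumed triage rule (not spelled out on the page): report a function
    that is closer to the vulnerable slice than to the patched slice."""
    return [name for name, sv, sp in rows if sv >= threshold and sv > sp]
```

On the constructed input, `decode_frame` ranks first and is the only function closer to the vulnerable slice than to the patched one; the patched copy scores higher against the patch slice and the unrelated helper scores zero against both.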

Description

Technical field

[0001] The invention relates to a method for detecting unknown vulnerabilities, in particular to a similarity detection method for discovering unknown vulnerabilities by using patch information, applied in the field of information security.

Background technique

[0002] Vulnerabilities are an important cause of software failures and errors, so vulnerability detection has long been a research hotspot in the field of software security. Static detection, as one of the mainstream vulnerability detection technologies, has been proven effective at detecting vulnerabilities in code, and many related works have proposed methods for detecting specific vulnerabilities through static analysis, such as detecting the use of certain unsafe functions. In order to detect specific vulnerabilities automatically, these static analysis methods rely on prior knowledge, that is, coding rules, and report code that violates them. Whether the coding rules are given manually based ...


Application Information

Patent Type & Authority Applications(China)
IPC(8): G06F21/56, G06F21/57
CPC: G06F21/563, G06F21/577
Inventor: 梁彬, 李赞, 边攀, 石文昌
Owner RENMIN UNIVERSITY OF CHINA