Source code-oriented bipolar software security vulnerability graph construction method

A software security vulnerability graph construction method, applied to computer security devices, platform integrity maintenance and data mining, which addresses the problems of incomplete vulnerability graphs, coarse granularity of recorded information and low efficiency of vulnerability mining algorithms, and yields an intuitive, clear and accurate graph.

Active Publication Date: 2020-03-24
XIAN TECH UNIV
Problems solved by technology

The granularity of recorded information in existing vulnerability databases is relatively coarse, and the available information is relatively small. Most vulnerability mining technologies are aimed at specific programming languages or types of vulnerabilities. The efficiency of mining algorithms is low, and the false positive rate and false negative rate for security vulnerabilities are high.
[0005] In summary, for the construction of source code-oriented vulnerability graphs, existing research addresses only the application of vulnerability graphs and considers only one-sided vulnerability characteristics: it shows the relevant characteristics of the vulnerability node but not those of the patch node. Secondly, it lacks sufficient semantic features, so the constructed vulnerability graph is neither comprehensive nor in-depth.
So far, there is no method for constructing vulnerability graphs for network security problems.


Examples


Embodiment 1

[0024] With the continuous development of Internet technology, hidden defects in software may lead to security vulnerabilities. These vulnerabilities are usually caused by developers leaving flaws behind or handling cases improperly when writing code. Attackers can potentially damage systems and applications through them, posing a huge threat to national security. Vulnerability graphs are used to describe the relevant semantic and structural features of vulnerabilities and to express their complex characteristics, and are used to study the causes of vulnerabilities and to support vulnerability mining.

[0025] Existing studies have found that the granularity of recorded information in the vulnerability database is relatively coarse, and the available information is relatively small. Most of the vulnerability mining technologies are aimed at specific programming languages or types of vulnerabilities. Vulnerability mining algorithms are less efficient, and the false positive rate and false negat...

Embodiment 2

[0034] The construction method of the source code-oriented bipolar software security vulnerability graph is the same as in Embodiment 1; the data analysis and extraction described in step (3) includes the following steps:

[0035] 3.1) Feature extraction

[0036] Vulnerability source code for feature extraction includes vulnerability code and patch code. Feature extraction is performed on preprocessed data through text mining; a tree classification with CWE-number as the root node and CVE-number as child nodes is obtained. The CWE-number in the feature classification obtained can be further divided into directory traversal, incorrect input validation, buffer overflow, cross-site scripting attack, SQL injection, information exposure and resource management error according to the type of vulnerability.

[0037] 3.2) Entity extraction

[0038] Entity extraction is also called named entity recognition. The tree classification obtained by feature extraction is used for entity recog...

Embodiment 3

[0043] The construction method of the source code-oriented bipolar software security vulnerability graph is the same as in Embodiments 1-2; the vulnerability graph construction described in step (4) of the present invention includes the following steps:

[0044] 4.1) The subgraph is the basic unit of the vulnerability graph

[0045] A subgraph starts from the positions where the vulnerability patch adds and removes code, and is a unit formed on the basis of a CVE-number; it is the basic component of the vulnerability graph. The subgraph nodes and the relationships between them are analyzed. The relationships between nodes in a subgraph can be one-to-many or many-to-many, as shown in attached figure 3, where arrows of different shapes represent the nodes and their relationships.

[0046] Subgraphs are combined into a complete vulnerability graph through CWE-numbers, $G = g_1 \cup g_2 \cup \dots \cup g_n$, where $g_n$ is the $n$-th subgraph and $n$ is the serial number of any subgraph, ...
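As an added illustration (not the patent's own code), the following Python sketch builds the bipolar graph of Embodiments 2 and 3 from constructed patch records: each CVE-number yields a subgraph whose "vuln" edges hold the lines the patch removed and whose "patch" edges hold the lines it added, the subgraphs are unioned under a CWE-number root as G = g_1 ∪ … ∪ g_n, and the pruning step from the abstract hoists feature items shared by several CVEs to the root. The CVE identifiers, code lines and the hoisting rule are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (placeholder CVE ids, not real advisories):
# (CVE-number, CWE-number, lines the patch removed, lines the patch added)
RECORDS = [
    ("CVE-0000-0001", "CWE-22", ["path = base + name"], ["path = safe_join(base, name)"]),
    ("CVE-0000-0002", "CWE-22", ["path = base + name"], ["path = safe_join(base, name)", "if '..' in name: return"]),
    ("CVE-0000-0003", "CWE-89", ["q = 'SELECT ... ' + uid"], ["q = 'SELECT ... ?'", "cur.execute(q, (uid,))"]),
]

def build_subgraph(cve, removed, added):
    """One subgraph per CVE-number. Each edge is (source, polarity, feature):
    'vuln' edges carry the removed (vulnerable) lines, 'patch' edges the added
    (fixed) lines, so both poles of the vulnerability sit side by side."""
    edges = {(cve, "vuln", line.strip()) for line in removed}
    edges |= {(cve, "patch", line.strip()) for line in added}
    return edges

def build_graph(records):
    """G = g_1 ∪ g_2 ∪ ... ∪ g_n: subgraphs are unioned under their CWE root."""
    graph = defaultdict(set)  # CWE-number -> set of edges
    for cve, cwe, removed, added in records:
        graph[cwe] |= build_subgraph(cve, removed, added)
        graph[cwe].add((cwe, "has_cve", cve))
    return graph

def prune(graph):
    """Remove redundancy (assumed rule): a feature line shared by several CVEs
    of one CWE is kept once, attached to the CWE root, instead of once per CVE."""
    pruned = {}
    for cwe, edges in graph.items():
        seen = defaultdict(int)
        for _, pol, feat in edges:
            seen[(pol, feat)] += 1
        kept = set()
        for src, pol, feat in edges:
            if pol != "has_cve" and seen[(pol, feat)] > 1:
                kept.add((cwe, pol, feat))  # shared feature hoisted to the root
            else:
                kept.add((src, pol, feat))
        pruned[cwe] = kept
    return pruned

def bipolar_view(graph, cwe, cve):
    """Forward (vulnerable) and reverse (patched) features of one CVE, for comparison."""
    vuln = sorted(f for s, p, f in graph[cwe] if s == cve and p == "vuln")
    patch = sorted(f for s, p, f in graph[cwe] if s == cve and p == "patch")
    return vuln, patch
```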


Abstract

The invention discloses a source code-oriented bipolar software security vulnerability graph construction method, solving the problems of single vulnerability feature, lack of semantic information and low vulnerability mining precision in a current vulnerability graph model. The technical scheme includes the steps: obtaining vulnerability source codes through crawlers; preprocessing the vulnerability source codes; carrying out data analysis and extraction, including feature extraction, entity extraction and relationship extraction; constructing a vulnerability graph, including taking the sub-graph as a basic unit of the vulnerability graph, and visualizing and storing the vulnerability graph; and performing vulnerability graph optimization: removing a large amount of redundant information by pruning the sub-graph to achieve vulnerability graph optimization. According to the vulnerability graph constructed by the invention, the forward and reverse characteristics of the vulnerability are displayed at the same time through comparison; the complex relation among the characteristic items is embodied; existing semantic structure information is enriched; a reliable basis is provided for research of vulnerability causes; vulnerability mining precision is improved; system software safety is guaranteed; and the vulnerability graph is used for computer security vulnerability mining and management.

Description

Technical field

[0001] The invention belongs to the technical field of computer information security, and mainly relates to the construction of a map of software security vulnerabilities, in particular to a method for constructing a map of source code-oriented bipolar software security vulnerabilities, which is used for mining and management of computer security vulnerabilities.

Background technique

[0002] With the widespread use of computer systems, hidden flaws in software may lead to security holes. These holes are usually left behind by developers or caused by improper handling when writing code. Attackers can potentially damage systems and applications through these holes. A large number of vulnerabilities are disclosed and submitted to the National Vulnerability Database every year. According to the statistics of the National Vulnerability Database (NVD), these data are increasing year by year. Due to the prevalence of open source software and code reuse, these vulne...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/57, G06F16/951, G06F16/2458
CPC: G06F21/577, G06F16/951, G06F16/2465, G06F2216/03
Inventor: 郭军军王乐
Owner: XIAN TECH UNIV