A multi-level protocol software dangerous behavior detection method

By employing a multi-level reduction method and utilizing multi-dimensional temporal feature fusion and a large language model, a temporal logic specification weight tree is constructed. This solves the problems of scarce counterexamples and excessively large search space in the detection of dangerous software behaviors, improving the accuracy and sensitivity of detection and effectively identifying dangerous behaviors in complex scenarios.

CN121859332BActive Publication Date: 2026-06-09SUN YAT SEN UNIV

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
SUN YAT SEN UNIV
Filing Date
2026-03-19
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

Existing technologies for detecting dangerous software behaviors suffer from a scarcity of counterexamples and an excessively large search space, resulting in insufficient detection sensitivity and difficulty in effectively distinguishing between safe and dangerous behaviors, especially in complex fault scenarios where detection performance is poor.

Method used

A multi-level reduction method is adopted, which constructs a distance metric function that fuses multi-dimensional temporal features by setting distance-aware runtime scenario reduction, document-driven positive example bias sampling, and dynamic weight tree logic reduction inspired by large language models. It clusters the set of positive examples, generates negative examples by using positive example bias sampling, dynamically updates the temporal logic specification weight tree, reduces the search space, and generates temporal logic specifications.

Benefits of technology

It achieves efficient extraction of temporal logic specifications from software behavior sequences, reduces the generalization problem caused by the scarcity of counterexamples, improves the accuracy and sensitivity of software dangerous behavior detection, and can effectively identify dangerous behaviors in complex scenarios.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN121859332B_ABST
    Figure CN121859332B_ABST
Patent Text Reader

Abstract

The application belongs to the technical field of software dangerous behavior detection, and is a multi-level specification software dangerous behavior detection method, comprising the following steps: setting a positive and negative example set and a distance measurement function for quantifying the similarity degree of software behavior sequences, and dividing the positive example set into a plurality of positive example subsets; constructing a temporal logic specification weight tree as a triple consisting of a root node weight function, a left child formula depth weight function and a right child formula depth weight function; extracting positive examples from the positive example subsets to form a positive example reduced set; inquiring a large language model to obtain software dangerous behavior logic formulas and converting the software dangerous behavior logic formulas into equivalent finite state automata; sampling a negative example reduced set from the automata; inquiring the large language model based on the positive and negative example reduced sets multiple times to obtain formula fragments, dynamically updating the weight tree, and obtaining candidate formulas; and selecting the optimal candidate formula as a temporal logic specification to detect whether the software behavior sequence conforms to the temporal logic specification. The application alleviates the challenges of scarce dangerous behavior data and a too large dangerous behavior search space.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention pertains to software dangerous behavior detection technology, specifically relating to a multi-level specification software dangerous behavior detection method. Background Technology

[0002] After software starts, it may exhibit unexpected and dangerous behaviors during runtime due to code vulnerabilities or attacks. Dangerous software behavior refers to actions that are not anticipated or permitted in the software's requirements, design, or security specifications, and that have the actual or potential to cause personal injury, significant property damage, loss of control of critical systems, or serious information security incidents. For example, the software may fail to send information in a timely manner, leading to state desynchronization. Therefore, it is necessary to detect dangerous software behavior to determine whether the software is operating normally, and to issue warnings when dangerous behavior occurs.

[0003] A software behavior sequence is a set of snapshots of behaviors arranged chronologically; at each moment, it records all the operations the software is performing. To detect dangerous software behaviors, it's necessary to extract the temporal logical specifications that the software should follow for safe operation from the software behavior sequence. A logic detector can then check whether the software behavior conforms to these temporal logical specifications and issue a warning when the behavior does not. Therefore, software behavior sequences can be divided into safe software behavior sequences and dangerous software behavior sequences. Safe software behavior sequences (i.e., positive examples) come from expert demonstrations, success logs, and manual annotations; for example, the software can send information and update its status in a timely manner. Dangerous software behavior sequences (i.e., negative examples) come from test generation, failure cases, and risky behaviors; for example, the software fails to send information in a timely manner, leading to state desynchronization.

[0004] Since the majority of software operation time is spent running normally, a large number of positive examples can be continuously and stably collected from success logs. However, because failures and attacks are rare and sporadic, obtaining negative examples is more difficult and costly, resulting in a scarcity of negative examples. If negative examples are ignored and temporal logic specifications are extracted only from positive examples, the lack of constraints from negative examples leads to overly generalized temporal logic specifications, easily overlooking some failure scenarios, failing to effectively distinguish between safe and dangerous behaviors, and struggling to handle various complex failure scenarios. In recent years, large language models, due to their powerful logical reasoning and domain knowledge retrieval capabilities, have been introduced into the temporal logic specification extraction task, aiming to solve the problems of data imbalance and search space explosion by guiding the search process with specific domain knowledge.

[0005] Currently, the main solutions for detecting dangerous software behaviors fall into the following two categories:

[0006] The first category is approximate specification extraction schemes based on neural networks. These schemes transform the discrete finite-state automaton mining problem into a continuous neural network parameter learning problem. They simulate the automaton's transition process by designing specialized neural network structures and synthesize potential counterexamples through mutation operations using various predefined linear temporal logic templates. Gradient descent is then used to find the optimal automaton in the continuous space that accepts positive examples and rejects synthesized counterexamples. However, when generating counterexamples, these schemes primarily rely on simple predefined logic templates for random mutation, lacking an understanding of the specific software business logic. Counterexamples generated in this way often differ significantly from positive examples and are disconnected from real-world dangerous software behaviors. This distant comparison fails to enable the model to learn the stringent constraints of software behavior at critical moments, and cannot provide effective search bias. This results in either overgeneralization of the extracted specifications or overfitting to specific positive examples, leading to insufficient detection sensitivity when faced with complex, subtle violations strongly related to the business scenario.

[0007] The second category combines canonical learning schemes with human interpretations and demonstration sequences. These schemes utilize large language models to transform the software behavior logic described in natural language by humans into linear temporal logic fragments, assigning weights to these fragments. The canonical extraction task is transformed into a weighted maximum satisfiability problem. A constraint solver searches the candidate logic space for a final canonical formula that both conforms to the demonstration sequence and contains as many high-weight logic fragments as possible. However, this type of scheme heavily relies on comprehensive and accurate logical descriptions written by humans for each demonstration sequence, making it extremely costly and prone to errors. If the initial human interpretation is flawed, or if the large language model misinterprets the interpretation, the underlying constraint solver will fail to generate correct canonicals due to the lack of a self-correction mechanism. Summary of the Invention

[0008] This invention provides a multi-level specification method for detecting dangerous software behaviors, which realizes a step-by-step specification process from runtime scenario data to dangerous behavior data and then to logical specifications, thus alleviating the challenges of scarce dangerous behavior data and excessively large dangerous behavior search space.

[0009] The technical solution adopted in this embodiment of the invention is: a method for detecting dangerous software behaviors based on multi-level specifications, comprising the following steps:

[0010] S1. Establish distance-aware operational scenario specifications, including setting a positive example set of software safe behavior sequences, a negative example set of software dangerous behavior sequences, and designing a distance metric function for quantifying the similarity of software behavior sequences through multi-dimensional temporal feature fusion; cluster the positive example set based on the distance metric function, dividing the positive example set into... A set of representative positive examples of software operation scenarios; the set of negative examples is initialized to be empty.

[0011] S2. For a finite linear temporal logic formula represented by a prefix, define the level of its root node as... The level of a parent node is Then the level numbers of the left and right child nodes of the parent node are: Construct a temporal logic canonical weight tree based on the weight function of the root node. Left child formula depth weight function And the right child formula depth weight function The triplet , is used to characterize the probability that the left child node and right child node are a certain logical operator or atomic proposition variable under the constraints of the parent node and the level of the finite linear temporal logic formula;

[0012] S3. Set the negative example sample reduction for document-driven positive example bias sampling. Randomly select one positive example from the positive example set of all software running scenarios and form a positive example simplified set from all the selected positive examples. Based on the software document and the positive example simplified set, query the large language model to obtain the software dangerous behavior logic formula and convert the software dangerous behavior logic formula into an equivalent finite state automaton. Based on the positive example bias sampling strategy, sample the negative example simplified set corresponding to the positive example simplified set from the equivalent finite state automaton and add the negative example simplified set to the negative example set.

[0013] S4. Set up a dynamic weight tree logic reduction inspired by the large language model. Based on the simplified set of positive examples and the simplified set of negative examples, query the large language model multiple times to obtain a set of formula fragments. Dynamically update the temporal logic specification weight tree according to the formula fragments, and perform biased random walk sampling on the temporal logic specification weight tree to obtain a set of candidate formulas. Then add the candidate formulas to the candidate formula set.

[0014] S5. Adopt a globally consistent specification based on iterative evolution: If the given maximum number of iterations is not reached, jump to S3; otherwise, select the candidate formula from the candidate formula set that optimizes the performance of the classification model on the full set of positive examples and the cumulative set of negative examples, as the final extracted temporal logic specification; for software that needs to detect dangerous behavior, check whether the software behavior sequence during software operation conforms to the temporal logic specification to determine whether the software has dangerous behavior.

[0015] Compared with the prior art, the technical effects achieved by the present invention include:

[0016] To address the issues of overgeneralization and search space explosion in existing technologies when extracting temporal logic specifications from software behavior sequences where negative examples are scarce (i.e., sequences of dangerous software behaviors are scarce), this invention designs a distance metric function that fuses multi-dimensional temporal features during the detection of dangerous software behaviors. This function quantifies the similarity of software behavior sequences in terms of software behavior and runtime, dividing the set of positive examples into several representative sets of positive examples for software running scenarios. This invention does not require precise descriptions of each software behavior sequence in natural language. Instead, based on software documentation and a positive example bias sampling strategy, it constructs a simplified set of positive examples and a simplified set of negative examples that contain only a small number of software behavior sequences but cover as many scenarios as possible, generating only a small number of negative examples to assist in the extraction of temporal logic specifications. Furthermore, inspired by large language models, this invention uses formula fragments to dynamically update the weight tree of temporal logic specifications, reducing the search space and achieving a step-by-step reduction process from running scenario data to dangerous behavior data and then to logic specifications. Attached Figure Description

[0017] Figure 1 This is an overall flowchart of the software dangerous behavior detection method with multi-level specifications in an embodiment of the present invention;

[0018] Figure 2 This is an equivalent finite state automaton of the logic formula for dangerous software behaviors in the embodiments of the present invention;

[0019] Figure 3 The formula is obtained by performing biased random walk sampling on the temporal logic canonical weight tree in this embodiment of the invention. A schematic diagram. Detailed Implementation

[0020] To make the technical solution of the present invention clearer, the technical solution of the present invention will be described in detail below with reference to the accompanying drawings and embodiments, but the implementation of the present invention is not limited thereto.

[0021] Example

[0022] This embodiment provides a multi-level specification-based method for detecting dangerous software behaviors. For software requiring detection of dangerous behaviors, during the extraction of logical specifications from software behavior sequences, given software documentation, a set of safe software behavior sequences, and a detailed description of the automatic extraction process of temporal logical specifications, a temporal logical specification expressed using a finite linear temporal logic formula is obtained. During software runtime, it checks whether the software behavior sequences conform to this temporal logical specification to determine if the software is running normally. If the software behavior is abnormal, i.e., the software behavior sequence does not conform to the temporal logical specification, a warning is issued.

[0023] like Figure 1 As shown, this embodiment specifically includes the following steps:

[0024] S1. Establish distance-aware operational scenario specifications, including setting a positive example set of software safe behavior sequences, a negative example set of software dangerous behavior sequences, and designing a distance metric function for quantifying the similarity of software behavior sequences through multi-dimensional temporal feature fusion; cluster the positive example set based on the distance metric function, dividing the positive example set into... A set of positive examples representing typical software operation scenarios; the set of negative examples is initialized to be empty.

[0025] Among them, software safe behavior sequences and software dangerous behavior sequences are collectively referred to as software behavior sequences.

[0026] More specifically, this step includes the following sub-steps:

[0027] S11. For software that requires detection of dangerous behaviors, obtain a set of software security behavior sequences from highly reliable sources of security behavior, such as expert demonstrations, success logs, and manual annotations, as a set of positive examples. Set of counterexamples Initialize to an empty set.

[0028] Suppose the software that needs to detect dangerous behaviors has two security behaviors: "business execution" and "sending information". Using atomic propositions... To represent "business execution" software behavior, atomic propositions are used. This represents the "sending message" software behavior. Let's assume a value is obtained from the software's successful execution log. The following are examples of positive cases at any given moment:

[0029] time : Business execution, information sending; time Send a message.

[0030] Then a finite sequence can be used This represents the positive example; and the specific set of positive examples obtained is represented as follows:

[0031] ;

[0032] Set of counterexamples With candidate formula set Initialize to empty, that is .

[0033] S12. Design a distance metric function that fuses multidimensional temporal features to quantify the similarity of software behavior sequences.

[0034] Let the set of software behaviors be There are a total of Software behaviors, among which Represents a set The number of software behaviors; combining two software behavior sequences and The distance metric function between them is defined as:

[0035] ;

[0036] The distance metric function mentioned above includes a penalty for inconsistent behavior. and length difference penalty item Two parts, of which For size in arrive The weighting parameters between them.

[0037] For penalties related to inconsistent behavior ,in Representing software behavior sequence Number of moments and software behavior sequence Number of moments The minimum value in, Indicates symmetric difference. Representing software behavior sequence At any moment The software behavior executed Representing software behavior sequence At any moment The software behavior executed Representing software behavior sequence and software behavior sequence At any moment The number of distinct actions between two software action sequences. For the common elements between two software action sequences... arrive Every moment between Inconsistent behavior penalty term is used to calculate software behavior sequence. and software behavior sequence At any moment Number of distinct actions and assign a size of The weight.

[0038] For the length difference penalty term This indicates that each additional moment in a longer sequence of software behaviors results in a certain number of software behaviors. Penalize the size and assign the size as The weights. Among them, Represents two software behavior sequences and The absolute value of the difference in the number of moments.

[0039] The distance metric function designed in this step ensures considerable sensitivity to both behavioral inconsistencies and temporal inconsistencies between two software behavior sequences, describing the differences in the trends of various software behaviors between the two sequences. The smaller the distance between the software behavior sequences calculated using the distance metric function, the stronger the software behavior sequence... With software behavior sequence The more similar they are.

[0040] More specifically, let the set of software behaviors be... There are a total of This type of software behavior involves weighting parameters. If we set it to 2 / 3, then the distance metric function for multidimensional temporal feature fusion is:

[0041] .

[0042] For software behavior sequences and software behavior sequence The distance between software behavior sequences is calculated using a distance metric function as follows:

[0043] In the behavioral inconsistency penalty item, for two software behavior sequences and Shared moments ,time At any moment At that time, sequence and All of them performed business execution (i.e., executed software behavior). ), and sequence Sending information (i.e., performing software actions) ), but sequence No information is sent, therefore the number of inconsistent software behaviors is [number missing]. At any moment At that time, sequence and Neither performs business operations, and the sequence and Both send messages, and the number of instances of inconsistent software behavior is: The penalty for inconsistent behavior is as follows:

[0044] ;

[0045] In the length difference penalty term, the set of software behaviors is: There are a total of Software behavior, and software behavior sequence have That moment, namely Software behavior sequence There are also That moment, namely Then the length difference penalty term .

[0046] Therefore, the calculation of the software behavior sequence distance is as follows:

[0047] ;

[0048] in This refers to the distance between software behavior sequences specifically calculated using a distance metric function.

[0049] S13. Call the distance metric function designed in step S12 to calculate the software behavior sequence distance between any two positive examples in the set of positive examples in step S11, and obtain the distance matrix; based on the distance matrix and the preset number of classes... Cluster the set of positive examples, dividing the set of positive examples into groups. A set of representative positive examples of software operation scenarios.

[0050] Specifically, calculate the set of positive examples. The software behavior sequence distance between any two positive examples (which can be simply referred to as...) (distance), to obtain a distance matrix Distance matrix No. Line number The values ​​in the column represent the set of positive examples. The Middle The first positive example and the first Between positive examples distance.

[0051] Furthermore, based on the distance matrix and preset number of categories For the set of positive examples Perform K-medoids clustering to divide the set of positive examples into... A collection of representative positive examples of software operation scenarios ;where the distance matrix for:

[0052] ;

[0053] In this embodiment, Divide the set of positive examples into A collection of representative positive examples of software operation scenarios :

[0054] ;

[0055] .

[0056] S2. For a finite linear temporal logic formula represented by a prefix, define the level of its root node as... The level of a non-leaf node (i.e., its parent node) is . Then the level numbers of the left and right child nodes of the parent node are: Construct a temporal logic canonical weight tree based on the weight function of the root node. Left child formula depth weight function And the right child formula depth weight function The triplet , is used to characterize the probability that the left child node and right child node are a certain logical operator or atomic proposition variable under the constraints of the parent node and the level of the finite linear temporal logic formula.

[0057] In the temporal logic canonical weight tree, the root node is a logical operator or an atomic proposition variable. The weight of time is The floor number is And it is a logical operator The parent node of a variable whose left child node is a logical operator or an atomic proposition variable. The weight of time is Its right child node is a logical operator or an atomic proposition variable. The weight of time is .

[0058] Initialize the temporal logic canonical weight tree by setting all weights to 0. Set the candidate formula set. Initialize to an empty set.

[0059] S3. Set the negative example sample reduction for document-driven positive example bias sampling. Randomly select one positive example from the positive example set of all software running scenarios and form a simplified positive example set from all the selected positive examples. Based on the software document and the simplified positive example set, query the large language model to obtain the software dangerous behavior logic formula and convert the software dangerous behavior logic formula into an equivalent finite state automaton. Based on the positive example bias sampling strategy, sample the simplified negative example set corresponding to the simplified positive example set from the equivalent finite state automaton and add the simplified negative example set to the negative example set.

[0060] In this embodiment, this step further includes:

[0061] S31, obtained from clustering A collection of positive examples of software operation scenarios In the process, one positive example is randomly selected from each of the two sets to form a simplified set of positive examples. .

[0062] Preferably, given the number of classes That is, dividing the set of positive examples into two sets of positive examples, obtained from clustering. A collection of positive examples of software operation scenarios In the process, one positive example is randomly selected from each of the following to form a simplified set of positive examples:

[0063] .

[0064] S32. Based on the software documentation and the simplified set of positive examples, query the large language model to obtain the logic formula of software dangerous behavior, and convert the logic formula of software dangerous behavior into an equivalent finite state automaton using logic tools.

[0065] The process of obtaining the logical formula for dangerous software behaviors specifically includes:

[0066] (1) Provide software documentation, for example: "This software is a highly reliable transaction synchronizer. It is required to complete the full network status broadcast within the first clock cycle after the initialization response to prevent communication islands. At the same time, since the core of the system design is to bear the business pressure, any running sequence that does not contain the execution of core business instructions is regarded as a silent idling failure caused by the failure of logic triggers.

[0067] (2) Describe the task of generating logical formulas for dangerous software behaviors, for example: "Given two sequences of safe software behaviors, output a finite linear temporal logical formula as the logical formula for dangerous software behaviors, such that all sequences of dangerous software behaviors satisfy the formula, while all sequences of safe software behaviors do not satisfy the formula. The sequences of safe software behaviors will appear when the software is used correctly, while the sequences of dangerous software behaviors will not."

[0068] (3) Describe the constraints that the output should follow, for example: "You must return only one finite linear temporal logic formula without any explanation. Please strictly use atomic propositions and the following logical operators (i.e., symbolic operators):" (and), (or), (No), (Next, the next moment) (Finally, it was finally established) (Globally, always true) (Until, meaning until it is true).

[0069] (4) Emotional inducement, for example: "Please do your best to answer correctly, otherwise I will lose my job."

[0070] (5) Provide a simplified set of positive examples For example, it could be: "A set of software security behavior sequences:" .

[0071] The thought process behind the large language model is as follows: "I am analyzing the hard red lines of 'first-cycle broadcast' and 'no idle business,' and by observing the consistent synchronization performance of the safety sequence at time t=1, I deduce the temporal logic boundary of the system... I reverse-model the 'communication island' and 'silent fault' in the document as logical conflicts, and compared them with the second positive example to verify the logical operator." AND logical operators The applicability of this was ultimately established by inverting the security attributes. The core of this hazard assessment criterion… This logic, by accurately identifying missing actions at critical points, achieves a complete definition of the sequence of violations.

[0072] Finally, the logical formula for dangerous software behavior is obtained. This formula indicates that the software either never performs any business operations or never sends any information in the next moment after startup. The logical formula for dangerous software behavior can be converted into an equivalent finite state automaton using logic tools, such as... Figure 2 As shown.

[0073] S33, Simplified Set of Positive Examples Each positive example Based on the positive example bias sampling strategy, a corresponding negative example is sampled from the equivalent finite state automaton. All the sampled counterexamples are combined into a simplified counterexample set. ; Simplify the set of counterexamples All counterexamples are added to the counterexample set. middle.

[0074] The positive example bias sampling strategy starts from the random initial state of the equivalent finite state automaton at time 0. At each time step, it performs a state transition decision: if the current state of the automaton has a transition that can accept the software behavior of the positive example at the corresponding time, then the existing transition is executed first, and the negative example executes the same software behavior as the positive example at the corresponding time; if the current state of the automaton does not have a transition that can accept the software behavior of the positive example at the corresponding time, then from all the legal transitions of the current state, the negative example executes the software behavior with the smallest number of different software behaviors from the positive example at the corresponding time, and the automaton executes the corresponding transition; then the time is incremented, and the above state transition decision is repeated until the runtime of the sampled negative example is the same as that of the positive example.

[0075] More specifically, for positive examples See Figure 2 The positive example bias sampling process is as follows:

[0076] At time 0, let the initial state of the automaton be state 0. All legal transitions of the current state of the automaton include: (1) accepting (That is, no business operations are performed, among which) (2) Accept (indicates NOT), transition from state 0 to state 1; (i.e., any software behavior), transitioning from state 0 to state 2. Therefore, a valid transition (2) can accept the software behavior of a positive example at time 0. If a transition occurs (i.e., performing business operations and sending information), that transition is executed first, the automaton transitions to state 2, and the negative example performs the same software behavior as the positive example at time 0. ;

[0077] At time 1, the automaton is in state 2. All legal transitions in the current state include: ① Accept (i.e., no information is sent), transitioning from state 2 to state 3. Therefore, there is no software behavior that can accept positive examples at time 1. The migration (i.e., sending information) minimizes the number of software behaviors that the negative example performs at time 1 that are distinct from the positive example at time 1. (That is, no business operations are performed and no information is sent), the automaton transitions to state 3;

[0078] Due to the negative examples obtained from sampling The sampling time has reached the same as the normal example's; sampling has ended.

[0079] Similarly, positive examples can be obtained. Corresponding counterexamples Together they form a simplified set of counterexamples:

[0080] ;

[0081] Simplify the set of counterexamples All counterexamples are added to the counterexample set. In the middle, then:

[0082] .

[0083] S4. Set up a dynamic weighted tree logic reduction inspired by the large language model. Based on the simplified set of positive examples and the simplified set of negative examples, query the large language model multiple times to obtain a set of formula fragments. Dynamically update the temporal logic specification weighted tree according to the formula fragments, and perform biased random walk sampling on the temporal logic specification weighted tree to obtain a set of candidate formulas. Then add the candidate formulas to the candidate formula set.

[0084] In this embodiment, the simplified set of positive examples obtained in step S3 Concise Set of Counterexamples It contains only a small number of software behavior sequences, but covers as many software operation scenarios as possible. In this step, based on the simplified set of positive examples... Concise Set of Counterexamples The large language model is queried multiple times to obtain a set of formula fragments. The temporal logic canonical weight tree constructed in step S2 is dynamically updated based on these formula fragments. Biased random walk sampling is then performed on the temporal logic canonical weight tree to obtain a set of candidate formulas, which are then added to the candidate formula set. This step specifically includes:

[0085] S41, Simplified Set Based on Positive Examples Concise Set of Counterexamples Repeatedly query the large language model Next time, obtain A formula fragment.

[0086] More specifically, let Based on the simplified positive and negative example sets, a large language model for repeated queries. The process of generating formula fragments by querying a large language model includes:

[0087] (1) Describe the formula fragment generation task, for example: "Based on the input positive and negative examples, output a finite linear temporal logic formula such that all positive examples satisfy the formula as much as possible and all negative examples do not satisfy the formula as much as possible. Among them, positive or negative examples are represented as a list of states, and states are represented as a list of atomic propositions. Each state should not contain duplicate atomic propositions. If an atomic proposition appears in a state, it means that the atomic proposition is true in that state, otherwise it is false."

[0088] (2) Describe the constraints that the output should follow, for example: "Only return finite linear temporal logic formulas, without interpretation. Strictly use operators:" (and), (or), (No), (Next, the next moment) (Finally, it was finally established) (Globally, always true) (Until, meaning until it is true).

[0089] (3) Emotional inducement, for example: "Please do your best to answer correctly, otherwise I will lose my job."

[0090] (4) Provide a simplified set of positive examples For example: "Positive example: .

[0091] (5) Provide a concise set of counterexamples For example, it could be: "Counterexample: .

[0092] In one of the queries, the large language model's thought process was as follows: "I am comparing the positive and negative example sets and find that the initial states overlap, while the divergence point lies in the next state ( The jump characteristics of ) ... Positive examples all hold in the next state The lack of counterexamples led to the conclusion that... Operators are used to extract common features by backtracking to the initial state. ...By combining the initial active attributes and the next-state evolution rules, a formula fragment was finally constructed. This confirms that it can perfectly partition the sample set.

[0093] Suppose the large language model ultimately generates two formula fragments: the first formula fragment is... This indicates that the software performs business operations or sends information upon startup, and sends the information at the next moment after startup; the second formula fragment is... This indicates that the software ultimately performs business operations, and always performs business operations or sends information.

[0094] S42. Use logic tools to convert the formula fragments obtained in step S41 into formula fragments in prefix representation, and dynamically update the temporal logic specification weight tree based on the formula fragments in prefix representation.

[0095] Wherein, for each prefix represents a formula fragment Calculation formula fragment Accuracy on the reduced sets of positive and negative examples If the formula fragment The root node is a logical operator or an atomic proposition variable. Then let the root node weight The value increments. ; For formula fragments Perform a preorder traversal; if the current level is... And it is a logical operator The parent node of a variable whose left child node is a logical operator or an atomic proposition variable. Then let the left child formula depth weight Self-incrementing Its right child node is a logical operator or an atomic proposition variable. Then let the right child formula depth weight. Self-incrementing .

[0096] More specifically, for formula fragments The converted prefix is ​​represented as The accuracy of this formula fragment on both the reduced positive and negative example sets is [percentage missing]. Due to formula fragments The root node is a logical operator. Then let the root node weight The value increments. For formula fragments Perform a preorder traversal, where for the level number is And it is a logical operator The parent node has a left child node that is an atomic proposition variable. Then let the left child formula depth weight Self-incrementing Its right child node is an atomic propositional variable. Then let the right child formula depth weight. Self-incrementing .

[0097] Similarly, the final updated temporal logic canonical weight tree is: root node weight. Left child formula depth weight , , , , , , Right child formula depth weight , , , , All other weights are 0.

[0098] S43, Given the number of samples Perform the updated temporal logic canonical weight tree Second biased random walk sampling, obtained There are 10 candidate formulas. Add all candidate formulas to the candidate formula set. .

[0099] In a biased random walk sampling, let the set of logical operators or atomic proposition variables be . The root node is a logical operator or an atomic proposition variable. The probability is ,in It is any logical operator or atomic proposition variable. Represents the root node weights of all logical operators or atomic proposition variables. The sum, according to probability Randomly sample a logical operator or atomic proposition variable as the symbol of the root node. If the sampled root node is an atomic proposition variable, the sampling ends; otherwise, for the layer number... And it is a logical operator or an atomic proposition variable. nodes Perform the following recursive processing:

[0100] (1) If the node If it is an atomic proposition variable, then it is a leaf node with no left or right children;

[0101] (2) If the node If a node is a logical operator, then it is the parent node, and its left child nodes are logical operators or atomic proposition variables. The probability is ,in This indicates that all logical operators or atomic proposition variables are at their respective level number. And it is a logical operator Left child formula depth weight of the parent node The sum, according to probability Randomly sample a logical operator or atomic proposition variable as the symbol of its left child node; further, (2.1) if the parent node If it is a unary operator, then it has no right child node; (2.2) if the parent node If a variable is a binary operator, then its right child node is either a logical operator or an atomic proposition variable. The probability is ,in This indicates that all logical operators or atomic proposition variables are at their respective level number. And it is a logical operator Formula depth weight of the right child of the parent node The sum, according to probability Randomly sample a logical operator or atomic proposition variable as the symbol of its right child node.

[0102] More specifically, given the number of samples Perform the updated temporal logic canonical weight tree One biased random walk sampling. In one biased random walk sampling, let the set of logical operators or atomic proposition variables be . Then the root node is a logical operator. The probability is ,in It is any logical operator or atomic proposition variable. Represents the root node weights of all logical operators or atomic proposition variables. The sum. Assume the root node symbol obtained by random sampling is a logical operator. .

[0103] Since the root node is a logical operator Then continue sampling. For the layer number... And it is a logical operator root node Because of this node If a node is a logical operator, then its parent node is a logical operator, and its left child node is also a logical operator. The probability is ,in This indicates that all logical operators or atomic proposition variables are at their respective level number. And it is a logical operator Left child formula depth weight on the node The sum, randomly sampled, yields the sign of its left child node as a logical operator. And this node If a node is a binary operator, then its right child node is a logical operator. The probability is ,in This indicates that all logical operators or atomic proposition variables are at their respective level number. And it is a logical operator The right child formula depth weight on the node The sum, randomly sampled to obtain the sign of its right child node, is the logical operator. .

[0104] And so on, such as Figure 3 As shown, there are The probability of sampling to the formula This formula indicates that the software performs business operations or sends information upon startup, and always does so.

[0105] Assume the final sampling results are obtained There are 10 candidate formulas, namely and The two candidate formulas obtained from sampling are added to the candidate formula set. ,but .

[0106] S5. Adopt a globally consistent specification based on iterative evolution: If the given maximum number of iterations is not reached, jump to S3; otherwise, select the candidate formula from the candidate formula set that optimizes the performance of the classification model on the full set of positive examples and the cumulative set of negative examples, as the final extracted temporal logic specification; for software that needs to detect dangerous behavior, check whether the software behavior sequence during software operation conforms to the temporal logic specification to determine whether the software has dangerous behavior.

[0107] For software that needs to detect dangerous behavior, during software runtime, a logic detector is used to check whether the software behavior sequence conforms to the aforementioned temporal logic specification. This is used to determine whether the software is running normally, that is, to determine whether the software is exhibiting dangerous behavior. If the software behavior is abnormal, that is, the software behavior sequence does not conform to the stated temporal logic specification. If so, a warning will be issued.

[0108] This embodiment uses accuracy to evaluate the performance of the classification model from the candidate formula set. Selected from the full set of positive examples With the cumulative set of counterexamples The candidate formula with the highest accuracy was selected as the final temporal logic specification. .

[0109] Assuming the given maximum number of iterations has been reached, from the set of candidate formulas... In the set of positive examples, select and set of counterexamples The most accurate temporal logic specification The selected temporal logic specification This is the final extracted temporal logic specification; this temporal logic specification requires the software to be ready at the next moment after startup (i.e., time). It sends information and ultimately performs business operations.

[0110] For software that needs to detect dangerous behavior, if the software behavior sequence is recorded as follows during runtime: Time 0: Business execution; Time 1: Business execution; Time 2: Business execution and information sending; Time 3: Information sending, then the software does not send information at the next time after startup (i.e., Time 1). Therefore, the software behavior sequence does not conform to the final extracted temporal logic specification, the software behavior is abnormal, thus dangerous software behavior is detected, and a warning is issued.

[0111] The above embodiments are preferred embodiments of the present invention, but the embodiments of the present invention are not limited to the above embodiments. Any changes, modifications, substitutions, combinations, or simplifications made without departing from the spirit and principle of the present invention shall be considered equivalent substitutions and shall be included within the protection scope of the present invention.

Claims

1. A method for detecting dangerous software behaviors based on multi-level specifications, characterized in that, Includes the following steps: S1. Set up distance-aware runtime scenario specifications, including setting up a set of positive examples of software safe behavior sequences, a set of negative examples of software dangerous behavior sequences, and designing a distance metric function for fusion of multi-dimensional temporal features to quantify the similarity of software behavior sequences. Clustering of the positive example set based on the aforementioned distance metric function divides the positive example set into three groups. A set of representative positive examples of software operation scenarios; the set of negative examples is initialized to be empty. S2. For a finite linear temporal logic formula represented by a prefix, define the level of its root node as... The level of a parent node is Then the level numbers of the left and right child nodes of the parent node are: ; Constructing a temporal logic canonical weight tree is done by the weight function of the root node. Left child formula depth weight function And the right child formula depth weight function The triplet , is used to characterize the probability that the left child node and right child node are a certain logical operator or atomic proposition variable under the constraints of the parent node and the level of the finite linear temporal logic formula; S3. Set the negative example sample reduction for document-driven positive example bias sampling. Randomly select one positive example from the positive example set of all software running scenarios and form a positive example simplified set from all the selected positive examples. Based on the software document and the positive example simplified set, query the large language model to obtain the software dangerous behavior logic formula and convert the software dangerous behavior logic formula into an equivalent finite state automaton. Based on the positive example bias sampling strategy, sample the negative example simplified set corresponding to the positive example simplified set from the equivalent finite state automaton and add the negative example simplified set to the negative example set. S4. Set up a dynamic weight tree logic reduction inspired by the large language model. Based on the simplified set of positive examples and the simplified set of negative examples, query the large language model multiple times to obtain a set of formula fragments. Dynamically update the temporal logic specification weight tree according to the formula fragments, and perform biased random walk sampling on the temporal logic specification weight tree to obtain a set of candidate formulas. Then add the candidate formulas to the candidate formula set. S5. Use iterative evolution for global consistency reduction: If the given maximum number of iterations has not been reached, jump to S3; Otherwise, the candidate formula that optimizes the classification model performance on both the full set of positive examples and the cumulative set of negative examples is selected from the candidate formula set and used as the final extracted temporal logic specification. For software that needs to detect dangerous behavior, the software behavior sequence during runtime is checked to see if it conforms to the temporal logic specification in order to determine whether the software exhibits dangerous behavior.

2. The method for detecting dangerous software behavior according to claim 1, characterized in that, Step S1 includes: S11. For software that needs to detect dangerous behaviors, obtain a set of software security behavior sequences from highly reliable security behavior sources as a set of positive examples. Set of counterexamples Initialize to an empty set; S12. Design a distance metric function for multi-dimensional temporal feature fusion, which integrates two software behavior sequences. and The distance metric function between them is defined as: ; in Indicates penalties for inconsistent behavior. This indicates a length difference penalty term. These are weight parameters; S13. Call the distance metric function designed in step S12 to calculate the software behavior sequence distance between any two positive examples in the set of positive examples in step S11, and obtain the distance matrix; based on the distance matrix and the preset number of classes... Cluster the set of positive examples, dividing the set of positive examples into groups. A set of representative positive examples of software operation scenarios.

3. The software dangerous behavior detection method according to claim 2, characterized in that, In the distance metric function designed in step S12, the behavioral inconsistency penalty term is: ; in Representing software behavior sequence Number of moments and software behavior sequence Number of moments The minimum value in, Indicates symmetric difference, Representing software behavior sequence At any moment The software behavior executed Representing software behavior sequence At any moment The software behavior executed Representing software behavior sequence and software behavior sequence At any moment The number of distinct actions between two software action sequences; the number of actions common to both sequences. arrive Every moment between Inconsistent behavior penalty term is used to calculate software behavior sequence. and software behavior sequence At any moment Number of distinct actions and assign a size of The weights; The length difference penalty is: ; in, Represents two software behavior sequences and The absolute value of the difference in the number of moments. Represents a set of software behaviors. Represents a set of software behaviors The number of software actions; the length difference penalty term represents the increase in the number of software actions for each additional moment in a longer sequence of software actions. Penalize the size and assign the size as The weight.

4. The method for detecting dangerous software behavior according to claim 1, characterized in that, In the temporal logic canonical weight tree constructed in step S2, the root node is a logic operator or an atomic proposition variable. The weight of time is The floor number is And it is a logical operator The parent node of a variable whose left child node is a logical operator or an atomic proposition variable. The weight of time is Its right child node is a logical operator or an atomic proposition variable. The weight of time is .

5. The method for detecting dangerous software behavior according to claim 1, characterized in that, Step S3 includes: S31, from From the set of positive examples for each software operation scenario, one positive example is randomly selected from each scenario to form a simplified set of positive examples. ; S32. Based on the software documentation and the simplified set of positive examples, query the large language model to obtain the logic formula of software dangerous behavior, and convert the logic formula of software dangerous behavior into an equivalent finite state automaton using logic tools. S33, Simplified Set of Positive Examples Each positive example Based on the positive example bias sampling strategy, a corresponding negative example is sampled from the equivalent finite state automaton. All the sampled counterexamples are combined into a simplified counterexample set. ; Simplify the set of counterexamples All counterexamples are added to the counterexample set. middle.

6. The method for detecting dangerous software behavior according to claim 5, characterized in that, In step S33, the positive example bias sampling strategy starts from the random initial state of the equivalent finite automaton at time 0, and performs state transition determination at each time step: If the current state of the automaton has a transition that can accept the software behavior of the positive example at the corresponding moment, then the existing transition is executed first, and the negative example is made to perform the same software behavior as the positive example at the corresponding moment; If the current state of the automaton does not have a transition that can accept the software behavior of the positive example at the corresponding time, then from all the legal transitions in the current state that can accept the software behavior, the negative example executes the software behavior with the smallest number of different software behaviors from the positive example at the corresponding time, and the automaton executes the corresponding transition. The time increments thereafter, and the state transition determination is repeated until the runtime of the sampled negative example is the same as that of the positive example.

7. The method for detecting dangerous software behavior according to claim 1, characterized in that, Step S4 includes: S41, Simplified Set Based on Positive Examples Concise Set of Counterexamples Repeatedly query the large language model Next time, obtain A formula fragment; S42. Use logic tools to convert the formula fragments obtained in step S41 into formula fragments in prefix representation, and dynamically update the temporal logic specification weight tree based on the formula fragments in prefix representation. S43, Given the number of samples Perform the updated temporal logic canonical weight tree Second biased random walk sampling, obtained There are 10 candidate formulas. Add all candidate formulas to the candidate formula set. .

8. The method for detecting dangerous software behavior according to claim 7, characterized in that, In step S42, for each prefix representing a formula fragment Calculation formula fragment Accuracy on the reduced sets of positive and negative examples If the formula fragment The root node is a logical operator or an atomic proposition variable. Then let the root node weight The value increments. ; For formula fragments Perform a preorder traversal; if the current level is... And it is a logical operator The parent node of a variable whose left child node is a logical operator or an atomic proposition variable. Then let the left child formula depth weight Self-incrementing ; Its right child node is a logical operator or an atomic proposition variable. Then let the right child formula depth weight. Self-incrementing .

9. The method for detecting dangerous software behavior according to claim 7, characterized in that, Step S43: In a biased random walk sampling, let the set of logical operators or atomic proposition variables be... The root node is a logical operator or an atomic proposition variable. The probability is ,in It is any logical operator or atomic proposition variable. Represents the root node weight of all logical operators or atomic proposition variables. The sum, according to probability Randomly sample a logical operator or atomic proposition variable as the symbol of the root node; If the root node being sampled is an atomic proposition variable, then sampling ends; otherwise, for the node at which the sampling point is... And it is a logical operator or an atomic proposition variable. nodes Perform the following recursive processing: (1) If node If it is an atomic proposition variable, then it is a leaf node with no left or right children; (2) If node If a node is a logical operator, then it is the parent node, and its left child nodes are logical operators or atomic proposition variables. The probability is ,in This indicates that all logical operators or atomic proposition variables are at their respective level number. And it is a logical operator Left child formula depth weight of the parent node The sum, according to probability Randomly sample a logical operator or atomic proposition variable as the symbol of its left child node; further, (2.1) if the parent node If it is a unary operator, then it has no right child node; (2.2) If the parent node If a variable is a binary operator, then its right child node is either a logical operator or an atomic proposition variable. The probability is ,in This indicates that all logical operators or atomic proposition variables are at their respective level number. And it is a logical operator Formula depth weight of the right child of the parent node The sum, according to probability Randomly sample a logical operator or atomic proposition variable as the symbol of its right child node.

10. The method for detecting dangerous software behavior according to claim 2, characterized in that, The sources of highly reliable security behavior in step S11 include expert demonstrations, success logs, and manual annotations.