Computer Science (计算机科学), 2015, Vol. 42, Issue (5): 183-187. doi: 10.11896/j.issn.1002-137X.2015.05.037

• Information Security •


  1. Guangxi Experiment Center of Information Science, Guilin University of Electronic Technology, Guilin 541004, China; 2. School of Computer Science and Engineering, Guilin University of Electronic Technology, Guilin 541004, China (TANG Cheng-hua and QIANG Bao-hua: 1, 2; TIAN Ji-long, WANG Lu and WANG Li-na: 2)
  • Supported by:
    the National Natural Science Foundation of China (61462020, 6, 61163057), the Guangxi Experiment Center of Information Science Foundation (20130329), the Natural Science Foundation of Guangxi (2014GXNSFAA118375), and the Graduate Education Innovation Program of Guilin University of Electronic Technology (2013110124)

Method for Software Vulnerability Discovery Based on Soft Set and Multi-attribute Comprehensiveness

TANG Cheng-hua, TIAN Ji-long, WANG Lu, WANG Li-na and QIANG Bao-hua   

  • Online:2018-11-14 Published:2018-11-14


Abstract: Aiming at the problems of vulnerability coverage and manual defect review in software vulnerability detection, a method for software vulnerability discovery based on the soft set and multi-attribute comprehensiveness is proposed. First, based on the trusted integration of multiple detection tools, an evaluation model of software vulnerability impact is established. Second, the soft set is introduced to measure the vulnerability impact factors; the severity of a vulnerability's impact on software security is then determined through multi-attribute comprehensive integration of the tools, and the software vulnerability discovery process is completed. Experimental results show that the method has good detection capability for vulnerabilities of different levels, which provides a feasible way to improve the false positive rate and false negative rate of software vulnerability detection.

Key words: Software vulnerability, Soft set, Attribute set, False negative rate, False positive rate
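The abstract above describes the method only in outline. The following added example is not the paper's code or its algorithm; it shows how the standard soft-set representation (F, E), with the binary tabular form and weighted choice value of Maji, Biswas and Roy's soft-set decision procedure, can merge the findings of several scanners and rank them by severity. The tool names, trust weights, attribute names and weights, finding identifiers, tool reports, membership threshold and severity bands are all constructed assumptions for the illustration.

```python
"""Soft-set ranking of findings merged from several vulnerability scanners.

Added illustration; not the paper's code or algorithm. A soft set (F, E) over a
universe U maps each parameter e in E to the subset F(e) of U exhibiting e. The
tabular form (rows = findings, columns = parameters, cells 0/1) and the weighted
choice value (weighted row sum) rank the findings, following the soft-set
decision procedure of Maji, Biswas and Roy. All data below is constructed.
"""

# Universe U: candidate findings reported by at least one tool (hypothetical IDs).
UNIVERSE = ["f1", "f2", "f3", "f4"]

# Parameter set E: impact factors a finding may exhibit (assumed attribute names).
PARAMETERS = ["memory_unsafe", "untrusted_input", "reachable_from_network", "no_mitigation"]

# Assumed weights for the multi-attribute step; the maximum score is their sum (10).
ATTRIBUTE_WEIGHTS = {"memory_unsafe": 3, "untrusted_input": 2,
                     "reachable_from_network": 3, "no_mitigation": 2}

# Each tool contributes its own soft set F_t (parameter -> findings exhibiting it)
# plus an assumed integer trust weight used in the "trusted integration" step.
# toolC is a low-trust tool; its sole reports (f4) should not survive integration.
TOOL_REPORTS = {
    "toolA": {"trust": 9, "F": {"memory_unsafe": {"f1", "f3"},
                                "untrusted_input": {"f1", "f2"},
                                "reachable_from_network": {"f1"},
                                "no_mitigation": {"f1", "f3"}}},
    "toolB": {"trust": 6, "F": {"memory_unsafe": {"f1", "f3"},
                                "untrusted_input": {"f1"},
                                "reachable_from_network": {"f1", "f2"},
                                "no_mitigation": {"f3"}}},
    "toolC": {"trust": 3, "F": {"memory_unsafe": {"f4"},
                                "untrusted_input": {"f2", "f4"},
                                "reachable_from_network": {"f4"},
                                "no_mitigation": {"f4"}}},
}


def integrate_reports(reports, threshold=0.5):
    """Trusted integration: merge the per-tool soft sets into one soft set F.

    A finding f belongs to F(e) when the trust-weighted share of tools asserting
    that f exhibits e reaches `threshold`. Integer trust weights keep the share
    comparison exact (no float accumulation error)."""
    total_trust = sum(r["trust"] for r in reports.values())
    merged = {}
    for e in PARAMETERS:
        members = set()
        for f in UNIVERSE:
            support = sum(r["trust"] for r in reports.values()
                          if f in r["F"].get(e, set()))
            if support / total_trust >= threshold:
                members.add(f)
        merged[e] = members
    return merged


def tabular_form(soft_set):
    """Binary table of the soft set: table[f][e] == 1 iff f is in F(e)."""
    return {f: {e: int(f in soft_set[e]) for e in PARAMETERS} for f in UNIVERSE}


def choice_values(table, weights):
    """Weighted choice value per finding: sum over e of weight(e) * table[f][e]."""
    return {f: sum(weights[e] * row[e] for e in PARAMETERS) for f, row in table.items()}


def severity(score, max_score):
    """Map a choice value to an illustrative severity band (bands are assumed)."""
    ratio = score / max_score
    if ratio >= 0.75:
        return "high"
    if ratio >= 0.4:
        return "medium"
    if ratio > 0:
        return "low"
    return "none"


def rank_findings(reports, weights, threshold=0.5):
    """Full pipeline: integrate, tabulate, score and rank.

    Returns (finding, score, severity) tuples, highest score first; ties keep
    UNIVERSE order because sorted() is stable."""
    merged = integrate_reports(reports, threshold)
    scores = choice_values(tabular_form(merged), weights)
    max_score = sum(weights.values())
    ranked = sorted(scores.items(), key=lambda item: -item[1])
    return [(f, s, severity(s, max_score)) for f, s in ranked]


if __name__ == "__main__":
    for finding, score, level in rank_findings(TOOL_REPORTS, ATTRIBUTE_WEIGHTS):
        print(f"{finding}: choice value {score:2d} -> {level}")
```

With the constructed data the pipeline ranks f1 high (10), f3 medium (5), f2 low (2) and f4 none (0): f4 was flagged only by the low-trust tool, and f2's network reachability only by toolB, so neither reaches the 0.5 trust share. Lowering the threshold (for example to 0.1) keeps both and raises f4 to 10, which is exactly the false-positive versus false-negative trade-off the abstract refers to; the threshold and the trust weights are where that trade-off is tuned.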
