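Database Vulnerability Assessment (DB-VA) technology strengthens database security by searching for, detecting and assessing vulnerabilities in database user passwords, access privileges and configuration definitions. 1 The necessity of database vulnerability assessment 1.1 Protecting database information: Because databases store large amounts of confidential information, the data itself may have economic value once it has been extracted and transformed. A database system itself usually adopts three kinds of technical security protection measures, for example: (1) user role management,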

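An exploit detection system based on dynamic information flow analysis   Total citations: 1, self-citations: 0, citations by others: 1
Security-related functions use untrusted data from network user input or configuration files; because this data is not strictly validated, software security problems arise. A large number of software vulnerabilities are related to the propagation of untrusted data. The exploit detection system based on untrusted data propagation analysis marks untrusted data obtained from network user input or configuration files as tainted data, uses information flow methods to analyze how far the tainted data propagates, and applies multiple policies to perform taint checks on functions that may use tainted data. A prototype vulnerability detection system with dynamic information flow tracking was implemented with the help of open-source virtual machine code, and the exploit detection process was optimized.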

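Machine learning is being applied in more and more industries, but software that uses machine learning to perform tasks has always been constrained by its dependence on third-party software vendors to update the models. Based on blockchain, this paper combines the computing power consumed in training neural networks with the blockchain proof-of-work mechanism, and proposes and implements the model chain. As a blockchain that can be used to share data and machine learning models, the model chain trains neural network models based on a skeleton network, uses data anonymously shared by nodes across the whole network as the training dataset, and thereby updates neural network models without relying on a third party. The model chain uses ring signatures to protect the privacy of user data; models trained by nodes are evaluated with a unified test set, and models that pass evaluation serve as the node's proof of work and are used in voting to reach consensus. Two feasible incentive mechanisms are proposed, namely material rewards and model rewards. Solutions are given for potential threats such as ledger analysis, dirty data attacks and fraudulent voting. A model chain for digit recognition was implemented. Experimental results show that the models in the model chain can adapt to the user changes and data changes that occur in real-world scenarios.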

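Translating the structured query language (SQL) of databases into natural language (SQL-to-text) can improve the usability of relational databases. In recent years this field has mainly been studied with machine learning methods and some progress has been made, but the capability of existing translation models is still insufficient for practical use. Because compositional generalization is a necessary capability for SQL-to-text models to improve translation quality in practical applications, and research on the compositional generalization ability of such models is currently lacking, a method for evaluating the compositional generalization ability of SQL-to-text models is proposed. Based on existing SQL-to-text datasets, a large number of SQL queries and corresponding natural language translations (SQL-natural language pairs) are generated and divided into training data and test data according to the number of SQL clauses each pair contains, such that the SQL clauses in the test data all appear in the training data in different combinations, yielding a new dataset that can evaluate a model's compositional generalization ability. The evaluation results show that the method makes fuller use of query knowledge, divides the data more reasonably, produces a dataset that meets the needs of evaluating compositional generalization and is close to the models' practical application scenarios, and is less constrained by the original dataset; they also confirm that the compositional generalization ability of existing models still needs improvement, with the relation-aware graph transformer model designed for the SQL-to-text task having the weakest compositional generalization ability, indicating that the original SQL-to-text datasets are deficient in examining compositional generalization ability...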

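李韵, 黄辰林, 王中锋, 袁露, 王晓川. 软件学报 (Journal of Software), 2020, 31(7): 2040-2061
The growing complexity of software poses great challenges to software security. As software scale keeps increasing and vulnerability forms diversify, traditional vulnerability discovery methods, which suffer from high false positive and high false negative rates, can no longer meet the security analysis needs of complex software. In recent years, with the rise of the artificial intelligence industry, a large number of machine learning methods have been tried on the software vulnerability discovery problem. First, by reviewing existing research on machine-learning-based software vulnerability discovery, this paper summarizes its technical characteristics and workflow. Next, starting from the core step of feature extraction from raw data, it classifies and describes existing work using the form of code representation as the classification criterion, and systematically compares and analyzes it. Finally, based on this summary of existing research, it discusses the challenges facing the field of machine-learning-based software vulnerability discovery and looks ahead to its development trends.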

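Security vulnerabilities in system software such as operating systems are essentially defects that fail to satisfy software security requirements. In-depth study of the vulnerability detection process enables security testers to allocate testing resources reasonably and assess software security more accurately. The factors affecting the detection of security vulnerabilities in operating system software are analyzed in depth, and it is argued that the vulnerability detection rate is proportional to the software's market share, the number of discovered vulnerabilities and the number of undiscovered vulnerabilities. On this basis, a market-share-based vulnerability detection model is established. The model shows that only a small number of security vulnerabilities are exposed before software release, and that some security vulnerabilities will ultimately never be detected. Both conclusions have been confirmed by actual data. Finally, the proposed model is used to analyze vulnerability detection datasets of three popular operating systems. Compared with similar models, the model has better fitting and predictive ability.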

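A discussion of multi-faceted control strategies for information system security through program design   Total citations: 2, self-citations: 0, citations by others: 2
… program interface to the data in the database itself, several program-controlled stages may lie in between, yet work that considers the database and program design together in order to improve system security is rare. This paper discusses how to use program design to exert multi-faceted control over the database so as to ensure the security of the data used by the information system.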

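Software is now used ever more widely, and the accompanying problem of software vulnerabilities is receiving increasing attention; security has always been one of the key research topics in the software field. To further improve software vulnerability detection capability, this paper designs and implements an automatic software vulnerability detection system based on code similarity analysis. We first perform similarity analysis on code and collect a sufficient quantity of code that exhibits vulnerability characteristics, storing it in a database in a fixed format. A distance algorithm is then used to compute the similarity between the source code and the vulnerable code and to analyze the likelihood of a vulnerability, and finally the system returns highly readable scan results. Test results show that the system meets the requirements of vulnerability scanning and that its detection accuracy is improved over methods that use only similarity algorithms.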

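The Internet has long ceased to be a safe place; cybercriminals are always coveting personal information (especially finance-related information), account data and access to computer resources. They use these resources to send spam or to engage in other cybercrime. The most effective and most dangerous means of infecting users' computers with malware is to use vulnerabilities in common programs or operating systems. These vulnerabilities can be triggered when the user performs absolutely safe operations, such as opening a PDF document or visiting an infected website. Among them, the most dangerous vulnerabilities are called zero-day vulnerabilities. Hackers can use such security vulnerabilities to attack before the software developer releases a security patch.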

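Semantic verification is one of the problems constraining the development of semantic software and semantic programming languages. To address this problem, building on the semantic programming language SPL, which is based on semantic Web services, and its knowledge base, the business domain ontology (BDO), a method is proposed that uses a Mealy machine to perform semantic verification of business processes orchestrated in SPL. Using the case of an online foreign exchange trading platform, the process of applying the method to semantic verification is described in detail. The case shows that the method helps in writing semantically correct semantic programs.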

Many natural language processing areas use semantic roles in order to improve the applications of the extracted information, the question answering and the machine translation, etc. In Arabic, the work of constructing the semantic role labeling system or the annotated corpus is extremely limited compared to their speaker’s number and to English language as well. In this paper, we present a supervised method for the semantic role labeling of Arabic sentences. Hence, we use the feedback capacity of the case-based reasoning to annotate new sentences from already annotated ones besides the use of the Arabic PropBank as a reference to the semantic labels. We test our method under a wide range corpus that contains 2332 attributes and 5291 arguments. Accordingly, an Arabic semantic role labeling system is tested, for the first time, in that corpus. As a result, our method shows the ability to annotate new sentences from the labeled sentences or the construction of the annotated corpus.

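林泽琦, 邹艳珍, 赵俊峰, 曹英魁, 谢冰. 软件学报 (Journal of Software), 2019, 30(12): 3714-3729
Documentation in the form of natural language text is an important part of a software project. How to help developers locate information efficiently and accurately in a large number of documents is an important research problem in the field of software reuse. A semantic search method for software documentation based on code structure knowledge is proposed. The method parses a code structure graph from the source code of a software project and uses it as domain-specific knowledge to help machines understand the semantics of natural language text. This semantic information is combined with information retrieval techniques to achieve semantic retrieval of software documentation. Experiments on a StackOverflow Q&A document dataset show that, compared with multiple text retrieval methods, the method achieves an improvement of at least 13.77% in mean average precision (MAP).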

When discussing programming issues on social platforms (e.g., Stack Overflow, Twitter), developers often mention APIs in natural language texts. Extracting API mentions from natural language texts serves as the prerequisite to effective indexing and searching for API-related information in software engineering social content. The task of extracting API mentions from natural language texts involves two steps: 1) distinguishing API mentions from other English words (i.e., API recognition), 2) disambiguating a recognized API mention to its unique fully qualified name (i.e., API linking). Software engineering social content lacks consistent API mentions and sentence writing format. As a result, API recognition and linking have to deal with the inherent ambiguity of API mentions in informal text, for example, due to the ambiguity between the API sense of a common word and the normal sense of the word (e.g., append, apply and merge), the simple name of an API can map to several APIs of the same library or of different libraries, or different writing forms of an API should be linked to the same API. In this paper, we propose a semi-supervised machine learning approach that exploits name synonyms and rich semantic context of API mentions for API recognition in informal text. Based on the results of our API recognition approach, we further propose an API linking approach leveraging a set of domain-specific heuristics, including mention-mention similarity, scope filtering, and mention-entry similarity, to determine which API in the knowledge base a recognized API actually refers to. To evaluate our API recognition approach, we use 1205 API mentions of three libraries (Pandas, Numpy, and Matplotlib) from Stack Overflow text. We also evaluate our API linking approach with 120 recognized API mentions of these three libraries.

Using English to retrieve software   Total citations: 2, self-citations: 0, citations by others: 2

Semantic parsing is the task of mapping a sentence in natural language to a meaning representation. The limitation of previous work on supervised semantic parsing is that it is very difficult to obtain annotated training data in which a sentence is paired with a semantic representation. To deal with this problem, we introduce a semi-supervised learning model for semantic parsing with ambiguous supervision. The main idea of our method is to utilize a large amount of data, to enrich feature space with the maximum entropy model using our semantic learner. We evaluate the proposed models on standard corpora to demonstrate that our methods are suitable for semantic parsing. Experimental results show that the proposed methods work efficiently and well on ambiguous data and are comparable to the state-of-the-art methods.

Concepts and relations in ontologies and in other knowledge organisation systems are usually annotated with natural language labels. Most ontology matchers rely on such labels in element-level matching techniques. State-of-the-art approaches, however, tend to make implicit assumptions about the language used in labels (usually English) and are either domain-agnostic or are built for a specific domain. When faced with labels in different languages, most approaches resort to general-purpose machine translation services to reduce the problem to monolingual English-only matching. We investigate a thoroughly different and highly extensible solution based on semantic matching where labels are parsed by multilingual natural language processing and then matched using language-independent and domain aware background knowledge acting as an interlingua. The method is implemented in NuSM, the language and domain aware evolution of the SMATCH semantic matcher, and is evaluated against a translation-based approach. We also design and evaluate a fusion matcher that combines the outputs of the two techniques in order to boost precision or recall beyond the results produced by either technique alone.

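An automatic generation algorithm for concept semantic networks based on a structured corpus   Total citations: 4, self-citations: 0, citations by others: 4
Concept semantic networks were proposed to solve the vocabulary mismatch problem in information retrieval and are one of the basic ways to improve retrieval effectiveness. With natural-language-oriented online question answering as the application background, an automatic generation algorithm for concept semantic networks based on a semi-structured corpus is proposed. By analyzing the compositional characteristics of the corpus, different templates are used for document extraction for different types of concept relations, and different window units are set to compute the relatedness between concepts; then, through threshold filtering and role conversion, various types of concept relations are obtained, on the basis of which the semantic network is optimized and adjusted. Experimental results show that the concept semantic network obtained by this algorithm can effectively improve question retrieval.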

Machine learning is traditionally formalized and investigated as the study of learning concepts and decision functions from labeled examples, requiring a representation that encodes information about the domain of the decision function to be learned. We are interested in providing a way for a human teacher to interact with an automated learner using natural instructions, thus allowing the teacher to communicate the relevant domain expertise to the learner without necessarily knowing anything about the internal representations used in the learning process. In this paper we suggest to view the process of learning a decision function as a natural language lesson interpretation problem, as opposed to learning from labeled examples. This view of machine learning is motivated by human learning processes, in which the learner is given a lesson describing the target concept directly and a few instances exemplifying it. We introduce a learning algorithm for the lesson interpretation problem that receives feedback from its performance on the final task, while learning jointly (1) how to interpret the lesson and (2) how to use this interpretation to do well on the final task. traditional machine learning by focusing on supplying the learner only with information that can be provided by a task expert. We evaluate our approach by applying it to the rules of the solitaire card game. We show that our learning approach can eventually use natural language instructions to learn the target concept and play the game legally. Furthermore, we show that the learned semantic interpreter also generalizes to previously unseen instructions.

The success of the Semantic Web will heavily rely on the availability of formal ontologies to structure machine-understandable data. However, there is still a lack of general methodologies for automatic ontology learning and population, i.e. the generation of domain ontologies from various kinds of resources by applying natural language processing and machine learning techniques. In this paper, the authors present an ontology learning and population system that combines both statistical and semantic methodologies. Several experiments have been carried out, demonstrating the effectiveness of the proposed approach.
