Similar literature
Found 20 similar documents; search took 62 ms
1.
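To address the problem of how to reduce the false-positive, false-negative and duplicate-report rates of static detection tools, this paper studies and designs a software defect detection model based on static detection tools. The model applies multi-level processing to the results of different static detection tools, effectively reducing the false-positive, false-negative and duplicate-report rates. Finally, two static detection tools are applied to the model to detect defects in the open-source software NMap; the experimental results demonstrate the effectiveness and practicality of the model.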

2.
To achieve high data availability or reliability in an efficient manner, distributed storage systems must detect whether an observed node failure is permanent or transient, and if necessary, generate replicas to restore the desired level of replication. Given the unpredictability of network dynamics, however, distinguishing permanent and transient failures is extremely difficult. Though timeout‐based detectors can be used to avoid mistaking transient failures as permanent failures, it is unknown how the timeout values should be selected to achieve a better tradeoff between detection latency and accuracy. In this paper, we address this fundamental tradeoff from several perspectives. First, we explore the impact of different timeout values on maintenance cost by examining the probability of their false positives and false negatives. Second, we propose a self‐configurable failure detector called the Neutralizer based on the idea of counteracting false positives with false negatives. The Neutralizer could enable the system to maintain a desired replication level on average with the least amount of bandwidth. We conduct extensive simulations using real trace data from a widely deployed peer‐to‐peer system and synthetic traces based on PlanetLab and Microsoft PCs, showing a significant reduction in aggregate bandwidth usage after applying the Neutralizer (especially in an environment with a low average node availability). Overall, we demonstrate that the Neutralizer closely approximates the performance of a perfect ‘oracle’ detector in many cases. Copyright © 2008 John Wiley & Sons, Ltd.

3.
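To address false positives and false negatives in data race detection, a static data race detection method is proposed. First, control flow analysis is used to automatically construct intra-thread and inter-thread function call graphs. Then, information on variable access events within threads is collected, the conditions under which a race arises are defined, and all possible races are detected by analysis. Next, to improve detection accuracy, alias variables and alias locks are analyzed to reduce false negatives and false positives. Finally, control flow analysis is used to abstract the timing relationships between access events, and program slicing is combined with it to determine the happens-before relationships of access events, thereby avoiding the false positives caused by ignoring thread interaction. Based on this method, a data race detection tool was implemented in Java on the Soot software analysis framework. In the experiments, data race detection was performed on programs such as raytracer and airline from the JGF and IBM Contest benchmark suites, and the results were compared with existing data race detection algorithms and tools (the HB algorithm and RVPredict). The experimental results show that, compared with the HB algorithm and the RVPredict tool, the total number of data races detected by this method increased by 81% and 16% respectively, and the accuracy of data race detection improved by about 14% and 19% respectively, effectively avoiding false negatives and false positives in data race detection.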

4.
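Automated testing for integer overflow errors in high-confidence software   Cited by: 2 (self-citations: 0, citations by others: 2)
Lu Xicheng, Li Gen, Lu Kai, Zhang Ying. Journal of Software (软件学报), 2010, 21(2): 179-193
For high-confidence software, a fully automatic binary-level testing method for high-risk integer overflow errors is proposed (dynamic automatic integer-overflow detection and testing, DAIDT for short). The method requires no source code and not even symbol table support; it can test binary applications comprehensively and automatically discover high-risk integer overflow errors. It is formally proved in theory that the technique has no false negatives, zero false positives, and error reproducibility when testing for and discovering high-risk integer overflow errors. To verify the effectiveness of the method, the IntHunter prototype system was implemented. IntHunter tested three high-confidence applications in their latest versions (the WINS service of Microsoft Windows 2003 and 2000 Server, and Baidu's instant messaging software BaiDu Hi) for 24 hours each and found four high-risk integer overflow errors in total. Three of these errors can lead to arbitrary code execution; two of them were assigned the vulnerability identifiers CVE-2009-1923 and CVE-2009-1924 by the Microsoft Security Response Center, and the other was assigned the vulnerability identifier CVE-2008-6444 by Baidu.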

5.
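To address the high false-negative and false-positive rates of existing source code security defect detection that relies on a single static detection tool, a detection method based on multiple static detection tools is proposed. The method performs statistical analysis on the detection results of multiple tools, effectively reducing the false-negative and false-positive rates. An extensible platform for static source code analysis tools was designed and implemented, and experiments show that, compared with the detection results of a single tool, the platform markedly reduces the false-negative and false-positive rates.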

6.
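A comparison of static analysis techniques for intrusion prevention   Cited by: 2 (self-citations: 0, citations by others: 2)
Wu Chunmei, Xia Nai, Mao Bing. Computer Engineering (计算机工程), 2006, 32(3): 174-176, 253
A piece of test code containing common vulnerabilities was built, and three commonly used tools that apply typical static analysis techniques to intrusion prevention were then compared by scanning the test code. The comparison reveals that tools which check for vulnerable library functions have a relatively low false-negative rate but a relatively high false-positive rate; tools based on constraint analysis have a relatively low false-positive rate but a relatively high false-negative rate; and tools that use a software model to detect vulnerabilities have a relatively low false-negative rate when detecting vulnerabilities that violate specified security rules, but a very low false-negative rate when checking programs that contain many types of security vulnerability.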

7.
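Yin Hui, Hua Rong, Guo Ning, Yin Tao. Software (软件), 2020, (3): 272-277
Log analysis is currently an important means of intrusion detection and security defense. To address the high false-positive and false-negative rates of traditional rule-based analysis methods and their low efficiency when analyzing massive volumes of logs, this article proposes a distributed security log analysis method based on deep learning. It combines deep learning algorithms with existing techniques such as blacklists and whitelists, rule matching and statistical strategies to analyze logs and detect security threats in the network. The system uses a distributed storage and computing platform, supports both offline and real-time log analysis modes, and can meet the need to analyze massive log data in most scenarios.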

8.
IEEE Software, 2004, 21(6): 59-61
In this paper the author describes how a Gatekeeper prototype had detected 83 percent of all unknown real viruses thrown at it. Even more intriguing was that the 17 percent of viruses missed were all due to the prototype code's immaturity, rather than any failing of the method used to detect them. Stated another way: An enterprise-ready version of the prototype would have captured every virus the Internet could have thrown at it during its testing period. Of course, many signature-based virus detection tools can detect 100 percent of known viruses. But very few of them can recognize new viruses.

9.
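Proactive virus defense technology, metamorphic detection technology for known viruses, and proactive virus defense technology using an improved K-nearest-neighbor algorithm are introduced, and their shortcomings are analyzed. A solution that combines a kernel-based K-nearest-neighbor algorithm with proactive defense technology is proposed; it can both identify safe processes efficiently and detect unknown viruses fairly accurately.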

10.
Feature detection in geometric datasets is a fundamental tool for solving shape matching problems such as partial symmetry detection. Traditional techniques usually employ a priori models such as crease lines that are unspecific to the actual application. Our paper examines the idea of learning geometric features. We introduce a formal model for a class of linear feature constellations based on a Markov chain model and propose a novel, efficient algorithm for detecting a large number of features simultaneously. After a short user‐guided training stage, in which one or a few example lines are sketched directly onto the input data, our algorithm automatically finds all pieces of geometry similar to the marked areas. In particular, the algorithm is able to recognize larger classes of semantically similar but geometrically varying features, which is very difficult using unsupervised techniques. In a number of experiments, we apply our technique to point cloud data from 3D scanners. The algorithm is able to detect features with very low rates of false positives and negatives and to recognize broader classes of similar geometry (such as “windows” in a building scan) even from few training examples, thereby significantly improving over previous unsupervised techniques.

11.
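To address the high false-negative and false-positive rates of existing static analysis methods, a vulnerability detection technique for static source code analysis based on data fusion is proposed. The technique parses the analysis results of different detection methods and fuses the data, effectively reducing the false-positive and false-negative rates. An extensible prototype of a static source code analysis tool was designed and implemented; it can optimize itself automatically using feedback from users. The experimental results show that, compared with a single vulnerability detection method, the false-positive and false-negative rates of this method are markedly lower.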

12.
Breast cancer is one of the leading causes of women mortality in the world. Since the causes are unknown, breast cancer cannot be prevented. It is difficult for radiologists to provide both accurate and uniform evaluation over the enormous number of mammograms generated in widespread screening. Computer-aided mammography diagnosis is an important and challenging task. Microcalcifications and masses are the early signs of breast carcinomas and their detection is one of the key issues for breast cancer control. In this study, a novel approach to microcalcification detection based on fuzzy logic and scale space techniques is presented. First, we employ fuzzy entropy principle and fuzzy set theory to fuzzify the images. Then, we enhance the fuzzified image. Finally, scale-space and Laplacian-of-Gaussian filter techniques are used to detect the sizes and locations of microcalcifications. A free-response operating characteristic curve is used to evaluate the performance. The major advantage of the proposed method is its ability to detect microcalcifications even in the mammograms of very dense breasts. A data set of 40 mammograms (Nijmegen database) containing 105 clusters of microcalcifications is studied. Experimental results demonstrate that the microcalcifications can be accurately and efficiently detected using the proposed approach. It can produce lower false positives and false negatives than the existing methods.

13.
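Han Hao, Mao Bing, Xie Li. Computer Engineering (计算机工程), 2012, 38(4): 122-125
Based on the attack principles of return-oriented programming (ROP) attacks and their variants, a dynamic runtime detection system for ROP attacks is designed. The system has two stages: static instrumentation and dynamic runtime monitoring. Static instrumentation fits the program under test with analysis code; the dynamic run uses ret integrity checking, call integrity checking and jmp integrity checking to analyze the program's control flow and data flow and determine whether an ROP attack is taking place. The experimental results show that the method can fully detect ROP malicious code.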

14.
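To address the inability of signature-based checking to detect unknown viruses and new variants of known viruses, a computer virus detection method based on immune principles and D-S evidence theory is proposed. Building on an in-depth analysis of existing computer virus immune systems, a new antigen presentation strategy is proposed. Using the abstract-level information output by the immune-principle-based computer virus detection method, a fusion method for virus detection is proposed. Fusing the detection results of different antigen-presenting gene libraries improves the detection performance of the immune-principle-based computer virus detection method. The experimental results show that the method detects unknown viruses well and achieves a relatively high detection rate at a relatively low false-positive rate. The experiments verify the effectiveness of the proposed method and offer a new line of thinking for research on virus detection methods.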

15.
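Shang Ying, Cheng Ke, Li Zheng. Computer Science (计算机科学), 2017, 44(4): 144-147, 176
A dependence cluster is a maximal set of mutually dependent program components, and large dependence clusters have been shown to be widespread in programs. A change at any point in a dependence cluster triggers a chain reaction in the other components and so has a potential impact on the whole system, which hinders work such as software comprehension, testing and maintenance. Detecting dependence clusters is a prerequisite for eliminating these adverse effects. The current method of approximately detecting dependence clusters through the monotone slice size graph has low accuracy and produces false negatives and false positives. A dependence cluster detection method based on formal concept analysis is proposed: large dependence clusters are detected through large concepts selected by concept inclusion degree, and a lightweight strategy is further proposed to select large concepts in a targeted way and reduce computational overhead. In comparative experiments against the monotone slice size graph method on 12 open-source programs of different sizes and domains, the results show that the proposed method and its lightweight strategy can effectively detect large dependence clusters and can improve the accuracy and efficiency of dependence cluster detection.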

16.
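Ma Yulei, Li Weihua, Che Ming. Microprocessors (微处理机), 2012, 33(2): 80-82, 86
Replication is a basic characteristic shared by all viruses. A method is given for detecting viruses by detecting their replication behavior. The method focuses on the read and write operations a virus performs when it replicates, and detects replication behavior by constructing a relationship tree of these operations. In the experiments, the log files of the Win32 API calls made by each virus and program were analyzed to check whether virus replication behavior occurred; the results show that viruses can be detected by detecting their replication behavior.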

17.
A non-signature-based virus detection approach using Self-Organizing Maps (SOMs) is presented in this paper. Unlike classical virus detection techniques using virus signatures, this SOM-based approach can detect virus-infected files without any prior knowledge of virus signatures. Exploiting the fact that virus code is inserted into a complete file which was built using a certain compiler, an untrained SOM can be trained in one go with a single virus-infected file and will then present an area of high density data, identifying the virus code through SOM projection. The virus detection approach presented in this paper has been tested on 790 different virus-infected files, including polymorphic and encrypted viruses. It detects viruses without any prior knowledge – e.g. without knowledge of virus signatures or similar features – and is therefore assumed to be highly applicable to the detection of new, unknown viruses. This non-signature-based virus detection approach was capable of detecting 84% of the virus-infected files in the sample set which included, as already mentioned, polymorphic and encrypted viruses. The false positive rate was 30%. The combination of the classical virus detection technique for known viruses and this SOM-based technique for unknown viruses can help systems be even more secure.

18.
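Hu Bei, Li Jun, Yu Wei, Chen Changfang. Journal of Computer Applications (计算机应用), 2006, 26(10): 2336-2337
To address the problem that current firewalls and intrusion detection systems cannot make effective judgments about unknown attacks, which leads to false positives and false negatives, a honeypot system architecture is proposed. It filters out known attacks and, at the system call layer, uses an attack signature mechanism to detect and analyze unknown attacks.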

19.
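To address the large number of false positives in fault reports from static detection of software source code, a fault detection method based on software runtime characteristics is proposed, which performs fault detection by introducing dynamic analysis. First, the dynamic test instrumentation library is extended and probe functions are designed for eight common fault patterns; then the program is searched for fault monitoring locations and the fault monitoring probes are instrumented there; finally, during software execution the runtime characteristics in the instrumentation messages are analyzed to identify faults. The experimental results show that the method can effectively detect program faults and that all detected faults actually exist, compensating for the high false-positive rate of static analysis.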

20.
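To address the high false-positive rate of a single hidden Markov model in image-based fire detection, an image-based flame recognition algorithm that combines a hidden Markov model with a support vector machine is proposed. Motion region detection and color analysis are performed on the captured images to extract suspected flame regions; a hidden Markov model is used to compute the similarity between each suspected region and the flame model, and the result is fed into a trained support vector machine for a second round of recognition. The experimental results show that, compared with the traditional single hidden Markov model, the method can effectively reduce the false-positive rate and improve the accuracy of flame recognition.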
