软件漏洞智能化挖掘技术研究进展

软件规模的不断扩大和新技术平台的发展对软件漏洞挖掘方法提出了新的挑战。在突破漏洞挖掘技术瓶颈的过程中,研究人员将机器学习方法应用于漏洞挖掘,利用机器学习模型自动学习代码的深层语法和语义规律,以提高漏洞挖掘的智能化水平和有效性,软件漏洞智能化挖掘技术已成为当前研究的热点。围绕软件漏洞智能化挖掘技术的研究展开分析,从静态挖掘和动态挖掘2个方面,对机器学习与漏洞挖掘技术结合的研究进行了深入分析。在漏洞智能化静态挖掘方面,从基于代码度量、基于代码模式和基于代码相似性3个方面梳理了现有研究工作;在漏洞智能化动态挖掘方面,则分类阐述了机器学习方法与动态挖掘方法结合的相关研究。依据对现有工作的总结,对未来漏洞智能化挖掘的发展趋势进行了展望。

Survey of software vulnerability mining methods basedon machine learning

Software vulnerability is the main cause of various network security events, and ithas received continuous and extensive attention from security research institutions, academicgroups and enterprises. With the expansion of software scale and the development of newtechnology, researchers in software vulnerability mining fields are facing new challenges.However, it has been found that applying machine learning model to vulnerability mining canautomatically learn the deep syntax and semantic rules of code. This method has been provedto effectively improve the intelligence level and effectiveness of vulnerability mining. In thisreview, we conducted an extensive and in-depth investigation and analysis of vulnerabilitymining technology combined with machine learning methods, especially deep learning methods.First, the static vulnerability mining methods based on machine learning were analyzedfrom three aspects: code metrics, code patterns, and code similarity. Then, the applicationof machine learning in the dynamic vulnerability mining was summarized and discussed. Finally,based on the summary of existing research, the challenges of machine learning basedvulnerability mining were proposed, and future trends were presented.