Journal of Tsinghua University (Science and Technology)  2018, Vol. 58 Issue (12): 1079-1094    DOI: 10.16511/j.cnki.qhdxxb.2018.21.025
Computer Science and Technology
From automation to intelligence: Survey of research on vulnerability discovery techniques
ZOU Quanchen¹, ZHANG Tao¹, WU Runpu¹, MA Jinxin¹, LI Meicong¹, CHEN Chen²,³, HOU Changyu⁴
1. China Information Technology Security Evaluation Center, Beijing 100085, China;
2. School of Information and Navigation, Air Force Engineering University, Xi'an 710077, China;
3. School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China;
4. Beijing Central Security Evaluation Technology Co. Ltd., Beijing 100085, China
Abstract: In recent years, as software has grown in size and complexity, vulnerability discovery techniques have been evolving toward a high degree of automation and intelligence. This paper surveys and analyzes research progress in two areas: traditional vulnerability discovery techniques and learning-based intelligent vulnerability discovery techniques. First, it reviews the state of research on traditional techniques, both static and dynamic, covering model checking, binary comparison, fuzzing, symbolic execution and vulnerability exploitability analysis; it analyzes the problems of each technique and identifies fully automated vulnerability discovery as the current research challenge. It then reviews applications of machine learning and deep learning to vulnerability discovery, including binary function identification, function similarity detection, test input generation and path constraint solving, and identifies open problems: machine learning algorithms that are not sufficiently robust or secure, algorithm selection that relies on experience, insufficient data samples, and feature selection that depends on expert knowledge. Finally, it looks ahead to future work, which should focus on improving the accuracy and efficiency of vulnerability discovery and on raising its degree of automation and intelligence.
Key words: vulnerability discovery; fuzzing; symbolic execution; machine learning; deep learning
Received: 2018-08-17      Published: 2018-12-13
Funding: Key Program of the National Natural Science Foundation of China (U1736209); Young Scientists Fund of the National Natural Science Foundation of China (61502536); General Program of the National Natural Science Foundation of China (61872386)
Corresponding author: ZHANG Tao, Research Fellow, E-mail: zhangt@itsec.gov.cn
Cite this article:
ZOU Quanchen, ZHANG Tao, WU Runpu, MA Jinxin, LI Meicong, CHEN Chen, HOU Changyu. From automation to intelligence: Survey of research on vulnerability discovery techniques[J]. Journal of Tsinghua University (Science and Technology), 2018, 58(12): 1079-1094.
Link to this article:
http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2018.21.025  or  http://jst.tsinghuajournals.com/CN/Y2018/V58/I12/1079
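Fig. 1 Research on traditional vulnerability discovery techniques
Table 1 Research on learning-based intelligent vulnerability discovery techniques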