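1. School of Network and Information Security, Xidian University, Xi'an 710071, Shaanxi, China
2. National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, Beijing 101408, China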
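Hongyu SUN (1993-), male, born in Weinan, Shaanxi, is a Ph.D. candidate at Xidian University. His main research interests are information security and machine learning.
Yuan HE (1977-), male, born in Dali, Yunnan, is a Ph.D. candidate at the University of Chinese Academy of Sciences. His main research interests are computer information security and vulnerability mining.
Jice WANG (1992-), male, born in Xiangcheng, Henan, is a Ph.D. candidate at the University of Chinese Academy of Sciences. His main research interests include mobile security and software security.
Ying DONG (1991-), female, born in Weinan, Shaanxi, is a Ph.D. candidate at the University of Chinese Academy of Sciences. Her main research interests are network security and machine learning.
Lipeng ZHU (1994-), male, born in Qinhuangdao, Hebei, is a master's student at Xidian University. His main research interests are Internet of Things security and vulnerability mining.
He WANG (1987-), female, born in Anyang, Henan, Ph.D., is a lecturer at Xidian University. Her main research interest is quantum cryptographic protocols.
Yuqing ZHANG (1966-), male, born in Baoji, Shaanxi, Ph.D., is a professor and doctoral supervisor at the University of Chinese Academy of Sciences. His main research interest is network and information system security.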
Online publication date: 2018-08
Print publication date: 2018-08-25
Hongyu SUN, Yuan HE, Jice WANG, et al. Application of artificial intelligence technology in the field of security vulnerability[J]. Journal on communications, 2018, 39(8): 1-17. DOI: 10.11959/j.issn.1000-436x.2018137.
The large-scale growth in the amount of software and the increase in its complexity have brought severe challenges to research on software security vulnerabilities. Manual research on security vulnerabilities is inefficient and cannot meet the needs of cyberspace security. Therefore, how to apply artificial intelligence techniques such as machine learning and natural language processing to the study of security vulnerabilities has become a new hot spot. Artificial intelligence technology can intelligently process vulnerability information to assist security vulnerability research and improve the efficiency of security vulnerability mining. Firstly, the key technologies of automatic mining, automatic assessment, automatic exploitation and automatic repair of security vulnerabilities were analyzed, and it was pointed out that the automation of security vulnerability mining is the focus of the application of artificial intelligence in the field of security vulnerability. Then, the latest research results of recent years on applying artificial intelligence technology to security vulnerability research were analyzed and summarized, some problems in the application were pointed out, and corresponding solutions were given. Finally, the development trend of intelligent research on security vulnerabilities was discussed.