Vulnerability extrapolation: assisted discovery of vulnerabilities using machine learning

Authors: Konrad Rieck, Fabian Yamaguchi, Felix Lindner

Keywords: Process (computing), Vulnerability, Vulnerability management, Data mining, Code (cryptography), Artificial intelligence, Identification (information), Computer science, Machine learning, Secure coding, Source code, Key (cryptography)

Abstract: Rigorous identification of vulnerabilities in program code is a key to implementing and operating secure systems. Unfortunately, only some types can be detected automatically. While techniques from software testing accelerate the search for security flaws, general case discovery tedious process that requires significant expertise time. In this paper, we propose method assisted source code. Our proceeds by embedding vector space automatically determining API usage patterns using machine learning. Starting known vulnerability, these exploited guide auditing identify potentially vulnerable with similar characteristics--a refer as vulnerability extrapolation. We empirically demonstrate capabilities our different experiments. study library FFmpeg, are able narrow the interesting 6,778 20 functions discover two one being flaw other constituting zero-day vulnerability.
