期刊文献+

上下文感知的安卓应用程序漏洞检测研究 被引量:6

Research on context-aware Android application vulnerability detection
下载PDF
导出
摘要 针对基于学习的安卓应用程序的漏洞检测模型对源程序的特征提取结果欠缺语义信息,且提取的特征化结果包含与漏洞信息无关的噪声数据,导致漏洞检测模型的准确率下降的问题,提出了一种基于代码切片(CIS)的程序特征提取方法。该方法和抽象语法树(AST)特征方法相比可以更加精确地提取和漏洞存在直接关系的变量信息,避免引入过多噪声数据,同时可以体现漏洞的语义信息。利用CIS,基于Bi-LSTM和注意力机制提出了一个上下文感知的安卓应用程序漏洞检测模型VulDGArcher;针对安卓漏洞数据集不易获得的问题,构建了一个包含隐式Intent通信漏洞和Pending Intent权限绕过漏洞的41812个代码片段的数据集,其中漏洞代码片段有16218个。在这个数据集上,VulDGArcher检测准确率可以达到96%,高于基于AST特征和未进行处理的APP源码特征的深度学习漏洞检测模型。 The vulnerability detection model of Android application based on learning lacks semantic features. The extracted features contain noise data unrelated to vulnerabilities, which leads to the false positive of vulnerability detection model. A feature extraction method based on code information slice(CIS) was proposed. Compared with the abstract syntax tree(AST) feature method, the proposed method could extract the variable information directly related to vulnerabilities more accurately and avoid containing too much noise data. It contained semantic information of vulnerabilities.Based on CIS and BI-LSTM with attention mechanism, a context-aware Android application vulnerability detection model VulDGArcher was proposed. For the problem that the Android vulnerability data set was not easy to obtain, a data set containing 41 812 code fragments including the implicit Intent security vulnerability and the bypass PendingIntent permission audit vulnerability was built. There were 16 218 code fragments of vulnerability. On this data set, VulDGArcher’s detection accuracy can reach 96%, which is higher than the deep learning vulnerability detection model based on AST features and APP source code features.
作者 秦佳伟 张华 严寒冰 何能强 涂腾飞 QIN Jiawei;ZHANG Hua;YAN Hanbing;HE Nengqiang;TU Tengfei(State Key Laboratory of Networking and Switching Technology,Beijing University of Posts and Telecommunications,Beijing 100876,China;The National Computer Network Emergency Response Technical Team/Coordination Center of China,Beijing 100029,China)
出处 《通信学报》 EI CSCD 北大核心 2021年第11期13-27,共15页 Journal on Communications
基金 国家自然科学基金资助项目(No.62072051,No.61976024,No.61972048) 中央高校基本科研业务费专项资金资助项目(No.2019XD-A01) 教育部区块链核心计划基金资助项目(No.2020KJ010802)。
关键词 安卓漏洞检测 深度学习 代码切片 漏洞语义特征 Android vulnerability detection deep learning CIS semantic characteristics of vulnerabilities
  • 相关文献

参考文献4

二级参考文献4

共引文献28

同被引文献62

引证文献6

二级引证文献1

相关作者

内容加载中请稍等...

相关机构

内容加载中请稍等...

相关主题

内容加载中请稍等...

浏览历史

内容加载中请稍等...
;
使用帮助 返回顶部