摘要
模糊测试是当今比较流行的漏洞挖掘技术之一。传统的模糊测试往往需要大量人工参与,测试周期较长且测试效果依赖于专家经验。近年来,机器学习应用广泛,这为软件安全测试技术注入了新活力。一些研究工作使用机器学习技术对模糊测试过程进行优化和改进,弥补了传统模糊测试技术的诸多缺陷。文章对基于机器学习的模糊测试技术进行了全面分析。首先,总结了常见的漏洞挖掘方法、模糊测试过程与分类以及传统模糊测试技术的不足;然后,从模糊测试的测试用例生成、变异、筛选和调度等角度入手,着重介绍了机器学习方法在模糊测试技术中的应用研究,并结合机器学习和模糊测试实现其他功能的研究工作;最后,基于现有的工作分析总结了目前研究的局限性和面临的挑战,并对该领域未来的发展方向进行了展望。
Fuzzing is one of the most popular vulnerability discovering techniques today.Traditional fuzzing often requires a lot of labor,which increases the application cycle of fuzzing.Besides,expert experience determines the effect of fuzzing.The wide application of machine learning has enabled machine learning techniques to be applied to software security testing.Many research works use machine learning to optimize the fuzzing process,making up for many defects of traditional fuzzing technology.This paper provided a review of fuzzing based on machine learning.Firstly,common vulnerability discovery methods,fuzzing process and classification,and the shortcomings of traditional fuzzing were summarized.Then,from the perspective of test case generation,mutation,screening,and scheduling of fuzzing,this paper focused on the application research of machine learning methods in fuzzing,as well as the research work on combining machine learning and fuzzing to realize other functions.Finally,based on the existing work,this paper analyzed and summarized the limitations and challenges in the current research work,and prospected the future development directions of this field.
作者
王鹃
张冲
龚家新
李俊娥
WANG Juan;ZHANG Chong;GONG Jiaxin;LI Jun’e(School of Cyber Science and Engineering,Wuhan University,Wuhan 430072,China;Key Laboratory of Aerospace Information Security and Trusted Computing of Ministry of Education,Wuhan University,Wuhan 430072,China)
出处
《信息网络安全》
CSCD
北大核心
2023年第8期1-16,共16页
Netinfo Security
基金
国家自然科学基金[61872430]
国家重点研发计划[2020AAA0107700]
国家电网有限公司科技项目[520940210009]。
关键词
模糊测试
漏洞挖掘
机器学习
深度学习
fuzzing
vulnerability discovery
machine learning
deep learning
