摘要
随着软件漏洞分析技术的发展,针对不同漏洞的发现技术和工具被广泛使用。但是如何评价不同技术、方法、工具的能力边界是当前该领域未解决的基础性难题。而构建用于能力评估的漏洞基准测试集(Vulnerability Benchmark)是解决该基础性难题的关键。文中梳理了近20年漏洞基准测试集构建的相关代表性成果。首先从自动化的角度阐述了基准测试集的发展历程;然后对基准测试集构建技术进行了分类,给出了基准测试集构建的通用流程模型,并阐述了不同测试集构建方法的思想、流程以及存在的不足;最后总结当前研究的局限性,并对下一步研究进行了展望。
The development of technology for software vulnerability analysis has led to the widespread use of various techniques and tools for discovering vulnerabilities.Nevertheless,assessing the capability boundary of these techniques,methods,and tools remains a fundamental problem in this field.A vulnerability benchmark for capability assessment plays a pivotal role in solving this problem.The purpose of this paper is to review representative results related to the construction of benchmark test sets over the past 20 years.Firstly,it explains the developmental history of vulnerability benchmark from an automation perspective.Then,it classifies the techniques for constructing vulnerability benchmark and provide a general process model,explaining the ideas and processes of different construction methods and their limitations.Lastly,the limitations of current research are summarized and the future research is prospected.
作者
马总帅
武泽慧
燕宸毓
魏强
MA Zongshuai;WU Zehui;YAN Chenyu;WEI Qiang(State Key laboratory of Mathematical Engineering and Advanced Computing,Information Engineering University,Zhengzhou 450001,China)
出处
《计算机科学》
CSCD
北大核心
2024年第1期316-326,共11页
Computer Science
基金
国家重点研发计划(2019QY0501)。
关键词
漏洞基准测试集
软件漏洞分析
评估指标
Vulnerability benchmark
Software vulnerability analysis
Evaluation metrics
