With the development of the 5th generation of mobile communi-cation(5G)networks and artificial intelligence(AI)technologies,the use of the Internet of Things(IoT)has expanded throughout industry.Although IoT networks ...With the development of the 5th generation of mobile communi-cation(5G)networks and artificial intelligence(AI)technologies,the use of the Internet of Things(IoT)has expanded throughout industry.Although IoT networks have improved industrial productivity and convenience,they are highly dependent on nonstandard protocol stacks and open-source-based,poorly validated software,resulting in several security vulnerabilities.How-ever,conventional AI-based software vulnerability discovery technologies cannot be applied to IoT because they require excessive memory and com-puting power.This study developed a technique for optimizing training data size to detect software vulnerabilities rapidly while maintaining learning accuracy.Experimental results using a software vulnerability classification dataset showed that different optimal data sizes did not affect the learning performance of the learning models.Moreover,the minimal data size required to train a model without performance degradation could be determined in advance.For example,the random forest model saved 85.18%of memory and improved latency by 97.82%while maintaining a learning accuracy similar to that achieved when using 100%of data,despite using only 1%.展开更多
Software vulnerabilities are the root cause of various information security incidents while dynamic taint analysis is an emerging program analysis technique. In this paper, to maximize the use of the technique to dete...Software vulnerabilities are the root cause of various information security incidents while dynamic taint analysis is an emerging program analysis technique. In this paper, to maximize the use of the technique to detect software vulnerabilities, we present SwordDTA, a tool that can perform dynamic taint analysis for binaries. This tool is flexible and extensible that it can work with commodity software and hardware. It can be used to detect software vulnerabilities with vulnerability modeling and taint check. We evaluate it with a number of commonly used real-world applications. The experimental results show that SwordDTA is capable of detecting at least four kinds of softavare vulnerabilities including buffer overflow, integer overflow, division by zero and use-after-free, and is applicable for a wide range of software.展开更多
Intelligent vehicles are advancing at a fast speed with the improvement of automation and connectivity,which opens up new possibilities for different cyber-attacks,including in-vehicle attacks(e.g.,hijacking attacks)a...Intelligent vehicles are advancing at a fast speed with the improvement of automation and connectivity,which opens up new possibilities for different cyber-attacks,including in-vehicle attacks(e.g.,hijacking attacks)and vehicle-to-everything communicationattacks(e.g.,data theft).These problems are becoming increasingly serious with the development of 4G LTE and 5G communication technologies.Although many efforts are made to improve the resilience to cyber attacks,there are still many unsolved challenges.This paper first identifies some major security attacks on intelligent connected vehicles.Then,we investigate and summarize the available defences against these attacks and classify them into four categories:cryptography,network security,software vulnerability detection,and malware detection.Remaining challenges and future directions for preventing attacks on intelligent vehicle systems have been discussed as well.展开更多
Software vulnerabilities pose significant risks to computer systems,impacting our daily lives,productivity,and even our health.Identifying and addressing security vulnerabilities in a timely manner is crucial to preve...Software vulnerabilities pose significant risks to computer systems,impacting our daily lives,productivity,and even our health.Identifying and addressing security vulnerabilities in a timely manner is crucial to prevent hacking and data breaches.Unfortunately,current vulnerability identification methods,including classical and deep learning-based approaches,exhibit critical drawbacks that prevent them from meeting the demands of the contemporary software industry.To tackle these issues,we present JFinder,a novel architecture for Java vulnerability identification that leverages quad self-attention and pre-training mechanisms to combine structural information and semantic representations.Experimental results demonstrate that JFinder outperforms all baseline methods,achieving an accuracy of 0.97 on the CWE dataset and an F1 score of 0.84 on the PROMISE dataset.Furthermore,a case study reveals that JFinder can accurately identify four cases of vulnerabilities after patching.展开更多
Software vulnerability is always an enormous threat to software security. Quantitative analysis of software vulnerabilities is necessary to the evaluation and improvement of software security. Current vulnerability pr...Software vulnerability is always an enormous threat to software security. Quantitative analysis of software vulnerabilities is necessary to the evaluation and improvement of software security. Current vulnerability prediction models mainly focus on predicting the number of vulnerabilities regardless of the seriousness of vulnerabilities, therefore these models are unable to reflect the security level of software accurately. Starting from this, we propose a vulnerability prediction model based on probit regression in this paper. Unlike traditional ones, we measure the seriousness of vulnerability by the loss it causes and aim at predicting the accumulative vulnerability loss rather than the number of vulnerabilities. To validate our model, experiment is carried out on two soft- ware -- OpenSSL and Xpdf, and the experimental result shows a good performance of our model.展开更多
Computer security is a matter of great interest.In the last decade there have been numerous cases of cybercrime based on the exploitation of software vulnerabilities.This fact has generated a great social concern and ...Computer security is a matter of great interest.In the last decade there have been numerous cases of cybercrime based on the exploitation of software vulnerabilities.This fact has generated a great social concern and a greater importance of computer security as a discipline.In this work,the most important vulnerabilities of recent years are identified,classified,and categorized individually.A measure of the impact of each vulnerability is used to carry out this classification,considering the number of products affected by each vulnerability,as well as its severity.In addition,the categories of vulnerabilities that have the greatest presence are identified.Based on the results obtained in this study,we can understand the consequences of the most common vulnerabilities,which software products are affected,how to counteract these vulnerabilities,and what their current trend is.展开更多
It is difficult to formalize the causes of vulnerability, and there is no effective model to reveal the causes and characteristics of vulnerability. In this paper, a vulnerability model construction method is proposed...It is difficult to formalize the causes of vulnerability, and there is no effective model to reveal the causes and characteristics of vulnerability. In this paper, a vulnerability model construction method is proposed to realize the description of vulnerability attribute and the construction of a vulnerability model. A vulnerability model based on chemical abstract machine(CHAM) is constructed to realize the CHAM description of vulnerability model, and the framework of vulnerability model is also discussed. Case study is carried out to verify the feasibility and effectiveness of the proposed model. In addition, a prototype system is also designed and implemented based on the proposed vulnerability model. Experimental results show that the proposed model is more effective than other methods in the detection of software vulnerabilities.展开更多
基金supported by a National Research Foundation of Korea (NRF)grant funded by the Ministry of Science and ICT (MSIT) (No.2020R1F1A1061107)the Korea Institute for Advancement of Technology (KIAT)grant funded by the Korean Government (MOTIE) (P0008703,The Competency Development Program for Industry Specialists)the MSIT under the ICAN (ICT Challenge and Advanced Network of HRD)program (No.IITP-2022-RS-2022-00156310)supervised by the Institute of Information&Communication Technology Planning and Evaluation (IITP).
文摘With the development of the 5th generation of mobile communi-cation(5G)networks and artificial intelligence(AI)technologies,the use of the Internet of Things(IoT)has expanded throughout industry.Although IoT networks have improved industrial productivity and convenience,they are highly dependent on nonstandard protocol stacks and open-source-based,poorly validated software,resulting in several security vulnerabilities.How-ever,conventional AI-based software vulnerability discovery technologies cannot be applied to IoT because they require excessive memory and com-puting power.This study developed a technique for optimizing training data size to detect software vulnerabilities rapidly while maintaining learning accuracy.Experimental results using a software vulnerability classification dataset showed that different optimal data sizes did not affect the learning performance of the learning models.Moreover,the minimal data size required to train a model without performance degradation could be determined in advance.For example,the random forest model saved 85.18%of memory and improved latency by 97.82%while maintaining a learning accuracy similar to that achieved when using 100%of data,despite using only 1%.
基金Supported by the National High Technology Research and Development Program of China(863 Program)(2012AA012902)the“HGJ”National Major Technological Projects(2013ZX01045-004)
文摘Software vulnerabilities are the root cause of various information security incidents while dynamic taint analysis is an emerging program analysis technique. In this paper, to maximize the use of the technique to detect software vulnerabilities, we present SwordDTA, a tool that can perform dynamic taint analysis for binaries. This tool is flexible and extensible that it can work with commodity software and hardware. It can be used to detect software vulnerabilities with vulnerability modeling and taint check. We evaluate it with a number of commonly used real-world applications. The experimental results show that SwordDTA is capable of detecting at least four kinds of softavare vulnerabilities including buffer overflow, integer overflow, division by zero and use-after-free, and is applicable for a wide range of software.
文摘Intelligent vehicles are advancing at a fast speed with the improvement of automation and connectivity,which opens up new possibilities for different cyber-attacks,including in-vehicle attacks(e.g.,hijacking attacks)and vehicle-to-everything communicationattacks(e.g.,data theft).These problems are becoming increasingly serious with the development of 4G LTE and 5G communication technologies.Although many efforts are made to improve the resilience to cyber attacks,there are still many unsolved challenges.This paper first identifies some major security attacks on intelligent connected vehicles.Then,we investigate and summarize the available defences against these attacks and classify them into four categories:cryptography,network security,software vulnerability detection,and malware detection.Remaining challenges and future directions for preventing attacks on intelligent vehicle systems have been discussed as well.
基金supported by the National Key R&D Program of China(2019YFB2102600)the National Natural Science Foundation of China(62002067)+1 种基金the Guangzhou Youth Talent of Science(QT20220101174)the Project of Philosophy and Social Science Planning of GuangDong(GD21YGL16).
文摘Software vulnerabilities pose significant risks to computer systems,impacting our daily lives,productivity,and even our health.Identifying and addressing security vulnerabilities in a timely manner is crucial to prevent hacking and data breaches.Unfortunately,current vulnerability identification methods,including classical and deep learning-based approaches,exhibit critical drawbacks that prevent them from meeting the demands of the contemporary software industry.To tackle these issues,we present JFinder,a novel architecture for Java vulnerability identification that leverages quad self-attention and pre-training mechanisms to combine structural information and semantic representations.Experimental results demonstrate that JFinder outperforms all baseline methods,achieving an accuracy of 0.97 on the CWE dataset and an F1 score of 0.84 on the PROMISE dataset.Furthermore,a case study reveals that JFinder can accurately identify four cases of vulnerabilities after patching.
基金Supported by the Nuclear High Base Major Special(2012zx01039-004-46)the National Development and Reform Commission Information Security Special(2012-1424)
文摘Software vulnerability is always an enormous threat to software security. Quantitative analysis of software vulnerabilities is necessary to the evaluation and improvement of software security. Current vulnerability prediction models mainly focus on predicting the number of vulnerabilities regardless of the seriousness of vulnerabilities, therefore these models are unable to reflect the security level of software accurately. Starting from this, we propose a vulnerability prediction model based on probit regression in this paper. Unlike traditional ones, we measure the seriousness of vulnerability by the loss it causes and aim at predicting the accumulative vulnerability loss rather than the number of vulnerabilities. To validate our model, experiment is carried out on two soft- ware -- OpenSSL and Xpdf, and the experimental result shows a good performance of our model.
基金part of the BIZDEVOPS-GLOBALUMU project (No.RTI2018-098309-B-C33) supported by the Spanish Ministry of Economy and Competitiveness and the European Fund for Regional Development (ERDF)
文摘Computer security is a matter of great interest.In the last decade there have been numerous cases of cybercrime based on the exploitation of software vulnerabilities.This fact has generated a great social concern and a greater importance of computer security as a discipline.In this work,the most important vulnerabilities of recent years are identified,classified,and categorized individually.A measure of the impact of each vulnerability is used to carry out this classification,considering the number of products affected by each vulnerability,as well as its severity.In addition,the categories of vulnerabilities that have the greatest presence are identified.Based on the results obtained in this study,we can understand the consequences of the most common vulnerabilities,which software products are affected,how to counteract these vulnerabilities,and what their current trend is.
基金Supported by the National Natural Science Foundation of China(61202110 and 61502205)the Project of Jiangsu Provincial Six Talent Peaks(XYDXXJS-016)
文摘It is difficult to formalize the causes of vulnerability, and there is no effective model to reveal the causes and characteristics of vulnerability. In this paper, a vulnerability model construction method is proposed to realize the description of vulnerability attribute and the construction of a vulnerability model. A vulnerability model based on chemical abstract machine(CHAM) is constructed to realize the CHAM description of vulnerability model, and the framework of vulnerability model is also discussed. Case study is carried out to verify the feasibility and effectiveness of the proposed model. In addition, a prototype system is also designed and implemented based on the proposed vulnerability model. Experimental results show that the proposed model is more effective than other methods in the detection of software vulnerabilities.
