ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2021, Vol. 58 ›› Issue (10): 2140-2162.doi: 10.7544/issn1000-1239.2021.20210620

所属专题: 2021密码学与网络空间安全治理专题

• 信息安全 • 上一篇    下一篇

基于深度学习的软件安全漏洞挖掘

顾绵雪1,2,孙鸿宇2,3,韩丹1,2,杨粟2,曹婉莹2,郭祯1,曹春杰1,王文杰2,张玉清1,2,3   

  1. 1(海南大学网络空间安全学院 海口 570228);2(国家计算机网络入侵防范中心(中国科学院大学) 北京 101408);3(西安电子科技大学网络与信息安全学院 西安 710126) (gumx@nipc.org.cn)
  • 出版日期: 2021-10-01
  • 基金资助: 
    国家自然科学基金项目(U1836210);海南省重点研发计划项目(ZDYF202012)

Software Security Vulnerability Mining Based on Deep Learning

Gu Mianxue1,2, Sun Hongyu2,3, Han Dan1,2, Yang Su2, Cao Wanying2, Guo Zhen1, Cao Chunjie1, Wang Wenjie2, Zhang Yuqing1,2,3   

  1. 1(College of Cyberspace Security, Hainan University, Haikou 570228);2(National Computer Network Intrusion Protection Center (University of Chinese Academy of Sciences), Beijing 101408);3(College of Cyber Engineering, Xidian University, Xi’an 710126)
  • Online: 2021-10-01
  • Supported by: 
    This work was supported by the National Natural Science Foundation of China (U1836210) and the Key Research and Development Program of Hainan Province (ZDYF202012).

摘要: 软件的高复杂性和安全漏洞的形态多样化给软件安全漏洞研究带来了严峻的挑战.传统的漏洞挖掘方法效率低下且存在高误报和高漏报等问题,已经无法满足日益增长的软件安全性需求.目前,大量的研究工作尝试将深度学习应用于漏洞挖掘领域,以实现自动化和智能化漏洞挖掘.对深度学习应用于安全漏洞挖掘领域进行了深入的调研和分析.首先,通过梳理和分析基于深度学习的软件安全漏洞挖掘现有研究工作,概括其一般工作框架和技术方法;其次,以深度特征表示为切入点,分类阐述和归纳不同代码表征形式的安全漏洞挖掘模型;然后,分别探讨基于深度学习的软件安全漏洞挖掘模型在具体领域的应用,并重点关注物联网和智能合约安全漏洞挖掘;最后,依据对现有研究工作的整理和总结,指出该领域面临的不足与挑战,并对未来的研究趋势进行展望.

关键词: 深度学习, 漏洞挖掘, 代码表征, 物联网安全, 智能合约安全

Abstract: The increasing complexity of software and the diversified forms of security vulnerabilities have brought severe challenges to the research of software security vulnerabilities. Traditional vulnerability mining methods are inefficient and have problems such as high false positives and high false negatives, which have been unable to meet the increasing demands for software security. At present, a lot of research works have attempted to apply deep learning to the field of vulnerability mining to realize automated and intelligent vulnerability mining. This review conducts an in-depth investigation and analysis of the deep learning methods applied to the field of software security vulnerability mining. First, through collecting and analyzing existing research works of software security vulnerability mining based on deep learning, its general work framework and technical route are summarized. Subsequently, starting from the extraction of deep features, security vulnerability mining works with different code representation forms are classified and discussed. Then, specific areas of deep learning based software security vulnerability mining works are discussed systematically, especially in the field of the Internet of Things and smart contract security. Finally, based on the summary of existing research works, the challenges and opportunities in this filed are discussed, and the future research trends are presented.

Key words: deep learning, vulnerability mining, code representation, IoT security, smart contract security

中图分类号: