
CN116305134A - Binary system-based software traceability detection method - Google Patents

Info

Publication number: CN116305134A
Authority: CN (China)
Prior art keywords: matching, file, feature, software, detected
Legal status: Pending
Application number: CN202211372658.6A
Other languages: Chinese (zh)
Inventors: 梁大功, 唐伟, 吕金彪
Current Assignee: Suzhou Lengjing Qicai Information Technology Co ltd
Original Assignee: Suzhou Lengjing Qicai Information Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/16 Program or content traceability, e.g. by watermarking
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Stored Programmes (AREA)

Abstract

The embodiment of the application discloses a binary-based software traceability detection method, which comprises the following steps: extracting binary file features of the software to be detected; matching the extracted binary file features against a feature knowledge base to obtain matching files; grouping all the obtained matching files, and partitioning the matching file features into blocks based on the grouping result to obtain matching file feature blocks; filtering the matching file feature blocks to obtain filtered matching file feature blocks; extracting function feature vectors of the software to be detected and of the matching files contained in the filtered matching file feature blocks; and performing traceability detection on the software to be detected according to the function feature vectors.

Description

Binary system-based software traceability detection method
Technical Field
The application relates to the technical field of computers, in particular to a binary system-based software traceability detection method.
Background
With the continuous development of the internet and the growing spread of the open-source spirit in software, developers reference third-party components in their projects in order to improve development efficiency and reduce development cost. However, open source does not mean free: although users can use open source software freely, they must follow the open source license that accompanies it, otherwise license conflicts and other consequences, even serious legal problems, may result. In addition, open source software is tested extensively after release, and if a version is found to contain a bug, the developers can fix it and release a new version. If a user did not pay attention to the security of the open source software at an early stage, or used a version containing a vulnerability and then did not follow the software's maintenance process, the system carries a potential vulnerability risk. The detection and analysis of homologous software components is therefore particularly important.
Disclosure of Invention
In order to solve or partially solve the above problems, the present application provides a binary-based software traceability detection method.
The application provides a binary-based software traceability detection method, which comprises the following steps: extracting binary file features of the software to be detected; matching the extracted binary file features against a feature knowledge base to obtain matching files; grouping all the obtained matching files, and partitioning the matching file features into blocks based on the grouping result to obtain matching file feature blocks; filtering the matching file feature blocks to obtain filtered matching file feature blocks; extracting function feature vectors of the software to be detected and of the matching files contained in the filtered matching file feature blocks; and performing traceability detection on the software to be detected according to the function feature vectors.
In some examples, performing traceability detection on the software to be detected according to the function feature vectors includes: obtaining, according to the function feature vectors, the homologous functions of the software to be detected and of the matching files contained in the filtered matching file feature blocks; constructing the function call relations of the software to be detected and of those matching files; and comparing whether the function call relations of the homologous functions are the same, and determining the traceability detection result of the software to be detected based on the comparison result.
In some examples, comparing whether the function call relations of the homologous functions are the same and determining the traceability detection result based on the comparison result includes: when the function call relations of the homologous functions are the same, taking the matching files contained in the filtered matching file feature blocks as the traceability detection result of the software to be detected.
In some examples, before matching the extracted binary file features against a feature knowledge base to obtain matching files, the method further comprises: collecting open source component, vulnerability and license data, and establishing the feature knowledge base.
In some examples, after extracting the binary file features of the software to be detected, the method further comprises: filtering out non-representative features and updating the binary file features.
In some examples, grouping all the obtained matching files and partitioning the matching file features into blocks based on the grouping result includes: grouping all the obtained matching files, and calculating the matching proportion of the grouped matching files based on the grouping result; and partitioning the grouping result into matching file feature blocks based on the matching proportion.
In some examples, filtering the matching file feature blocks to obtain filtered matching file feature blocks includes: filtering the matching file feature blocks based on the project version.
Compared with the prior art, the application has the following beneficial effects:
In the technical scheme provided by the application, a binary-based software traceability detection method comprises the following steps: extracting binary file features of the software to be detected; matching the extracted binary file features against a feature knowledge base to obtain matching files; grouping all the obtained matching files, and partitioning the matching file features into blocks based on the grouping result to obtain matching file feature blocks; filtering the matching file feature blocks to obtain filtered matching file feature blocks; extracting function feature vectors of the software to be detected and of the matching files contained in the filtered matching file feature blocks; and performing traceability detection on the software to be detected according to the function feature vectors. Unlike the traditional one-by-one comparison of single features, the method provided by the invention considers the physical position of the binary file features within the file and introduces the definition of matching file feature blocks (logical feature blocks). A logical feature block is built on the extracted features and treats a contiguous feature set as one feature block. When features are matched to components, matching is performed in units of logical feature blocks instead of single features. Because detection works block by block, the reuse problem caused by matching scattered features is avoided. The technique selects constant strings, exported functions and functions with 80-bit features as features, realizes project-level homology detection based on the constant strings and exported functions, provides a matching algorithm for logical feature blocks, calculates feature distances for the 80-bit functions, and realizes file-level similarity detection through a function call graph, which largely solves the reuse problem, reduces false positives and improves the accuracy of the detection results.
Drawings
Fig. 1 is a basic schematic diagram of a binary-based software traceability detection method according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the accompanying claims.
The block diagrams depicted in the figures are merely functional entities and do not necessarily correspond to physically separate entities. That is, the functional entities may be implemented in software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow diagrams depicted in the figures are exemplary only, and do not necessarily include all of the elements and operations/steps, nor must they be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the order of actual execution may be changed according to actual situations.
It should also be noted that "a plurality" in this application means two or more. "And/or" describes an association between associated objects and indicates that three relationships are possible; e.g., A and/or B may represent: A exists alone, A and B exist together, or B exists alone. The character "/" generally indicates an "or" relationship between the objects before and after it.
Example 1
Referring to Fig. 1, Fig. 1 is a schematic diagram illustrating a binary-based software traceability detection method according to an exemplary embodiment, where the method includes:
S101, extracting binary file features of the software to be detected;
S102, matching the extracted binary file features against a feature knowledge base to obtain matching files;
S103, grouping all the obtained matching files, and partitioning the matching file features into blocks based on the grouping result to obtain matching file feature blocks;
S104, filtering the matching file feature blocks to obtain filtered matching file feature blocks;
S105, extracting function feature vectors of the software to be detected and of the matching files contained in the filtered matching file feature blocks;
S106, performing traceability detection on the software to be detected according to the function feature vectors.
In some examples, performing traceability detection on the software to be detected according to the function feature vectors includes: obtaining, according to the function feature vectors, the homologous functions of the software to be detected and of the matching files contained in the filtered matching file feature blocks; constructing the function call relations of the software to be detected and of those matching files; and comparing whether the function call relations of the homologous functions are the same, and determining the traceability detection result of the software to be detected based on the comparison result.
In some examples, comparing whether the function call relations of the homologous functions are the same and determining the traceability detection result based on the comparison result includes: when the function call relations of the homologous functions are the same, taking the matching files contained in the filtered matching file feature blocks as the traceability detection result of the software to be detected. When the function call relations of the homologous functions are different, the matching files contained in the filtered matching file feature blocks are characterized as non-homologous to the software to be detected, and those matching files are discarded.
In some examples, before matching the extracted binary file features against a feature knowledge base to obtain matching files, the method further comprises: collecting open source component, vulnerability and license data, and establishing the feature knowledge base. This step mainly establishes an open source component binary feature knowledge base, a vulnerability knowledge base and a license knowledge base from the collected and sorted open source component, vulnerability and license data; these knowledge bases serve as the data basis for binary detection. The binary feature knowledge base comprises open source component information, binary file feature records, the mapping between features and files, and the like. The vulnerability knowledge base and the license knowledge base include vulnerability and license information and its association with the open source components.
In some examples, when the feature knowledge base is established, features such as constant strings, import functions, export functions and other functions are extracted from the open source component, vulnerability and license data and analyzed, and effective features are then selected to build the feature knowledge base. In order to select effective features, this example analyzes the four kinds of features hierarchically from several angles, such as the total number of features, the number of files containing a feature, the number of component versions containing a feature, and the number of projects containing a feature, and finally sets filtering rules by combining the specific content of the features with the analysis results.
Taking the exported function as an example, analyzing the number of versions and projects in which each exported function appears shows that the 10 outliers with the most occurrences are essentially information related to _init, _fini and the like, which is not representative in real matching. The filtering rule set here is therefore: features starting with identifiers such as _INIT_, _FINI_, _DT_INIT and _DT_FINI are filtered out. In addition, for both constant string and exported function features, a feature that appears in more than 1000 files is, as determined empirically, considered not representative of a component and is filtered out. Then, if the number of features in a file is less than 10, the file is ignored. For functions, the method extracts as much information as possible during extraction, including function names, parent function information, child function information, called string information, called import function information, number of parameters, instruction sets (opcodes), pcode and so on. The pcode feature covers 69 kinds of function body information, each recorded as present or absent. In this way, the information on each function is richer and more comprehensive, which facilitates subsequent matching.
In some examples, after extracting the binary file features of the software to be detected, the method further comprises: filtering out non-representative features and updating the binary file features. The filtering rules are the same as those used when establishing the feature knowledge base above and are not repeated here.
In some examples, grouping all the obtained matching files and partitioning the matching file features into blocks based on the grouping result includes: grouping all the obtained matching files, and calculating the matching proportion of the grouped matching files based on the grouping result; and partitioning the grouping result into matching file feature blocks based on the matching proportion.
In some examples, filtering the matching file feature blocks to obtain filtered matching file feature blocks includes: filtering the matching file feature blocks based on the project version.
Constant strings and exported functions are syntactic features and cannot represent the code logic of each binary file. Meanwhile, in most cases a feature appears in many files and many projects, and the meaning each feature represents and the functionality it can implement differ. In related implementations, most techniques extract features from the file under test and compare them with the features in a self-built database. This example instead extracts the feature set of a binary file and compares feature sets. This example calls these feature sets logical feature blocks, meaning that the features are partitioned physically and logically. When features are extracted from the binary files of the software to be detected, the obtained features are matched against the feature sets of all files stored in the database to find candidate projects, and each project is matched to obtain the matched similar segments. Because this step aims to detect the project version, the logical block detection algorithm works in units of project versions and examines all feature sets within a project version. Taking the Firefox software on the Mac platform as an example, Firefox contains binary files such as libmozavcodec.so, libnssutil3.so, libxul.so, etc. This step first extracts the features of each binary file, then compares them with the database feature set (the feature knowledge base) to obtain a set of candidate matching files, and then groups the matching files in the candidate set at the project version level; at this point the features of each version under each project are aggregated to form a specific feature set (the grouping result).
The logical feature block is defined as follows: for the feature set extracted from a binary file, 10 features that are contiguous in physical order are taken as a unit group, and the feature sets of several unit groups are combined into a logical feature block (the matching file feature block). After the matched feature set is obtained, all project versions that satisfy the conditions are examined by the logical block algorithm, and the optimal version in each project is obtained.
In the logical feature block matching algorithm, several versions may appear in the candidate set because the feature counts or feature probabilities within a project are equal, and this step needs to obtain more accurate version information through the logical feature blocks. This step therefore orders the versions of each project. During version matching, the judgment is based on two principles:
(1) Features appear in both versions;
(2) None of the features appear in both versions;
During version iteration, it is judged whether the features missing between two versions are absent from the feature set of the target to be detected; if so, the initial version of the project can move to the next one, further narrowing the version range. After the logical feature block detection algorithm finishes, the middle value of the version range is selected as the version of the candidate project. The versions obtained for all candidate projects form the version result set, where each version contains its set of matched files.
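An added example, not code from the patent or its applicant: the filtering rules and the logical feature block definition above, applied to a constructed feature list. The 0.8 unit-group match ratio, the dropping of a trailing short group, the choice of the best version by block coverage, and all function and project names are assumptions; the version-range narrowing described above is not modelled.

```python
# Thresholds stated in the description above.
SKIP_PREFIXES = ("_INIT_", "_FINI_", "_DT_INIT", "_DT_FINI")
MAX_FILES_PER_FEATURE = 1000  # a feature found in more files is dropped
MIN_FEATURES_PER_FILE = 10    # a file with fewer features is ignored
UNIT_GROUP_SIZE = 10          # contiguous features per unit group

# Assumption (not in the patent): a unit group is matched when at least this
# fraction of its features occurs in the candidate project version.
UNIT_MATCH_RATIO = 0.8


def filter_features(ordered_features, file_count):
    """Drop non-representative features while keeping their file order.

    ordered_features: features in the order they occur in the binary.
    file_count: feature -> number of knowledge-base files containing it.
    Returns [] when too few features remain for the file to be usable.
    """
    kept = [
        f for f in ordered_features
        if not f.startswith(SKIP_PREFIXES)
        and file_count.get(f, 0) <= MAX_FILES_PER_FEATURE
    ]
    return kept if len(kept) >= MIN_FEATURES_PER_FILE else []


def logical_blocks(features, candidate):
    """Return (start, end) index ranges of logical feature blocks.

    Features are cut into unit groups of 10 contiguous entries, and adjacent
    matched unit groups are merged into one block. A trailing group shorter
    than 10 is ignored (assumption).
    """
    blocks, run_start = [], None
    full = len(features) - len(features) % UNIT_GROUP_SIZE
    for start in range(0, full, UNIT_GROUP_SIZE):
        group = features[start:start + UNIT_GROUP_SIZE]
        hits = sum(1 for f in group if f in candidate)
        if hits / UNIT_GROUP_SIZE >= UNIT_MATCH_RATIO:
            if run_start is None:
                run_start = start
        elif run_start is not None:
            blocks.append((run_start, start))
            run_start = None
    if run_start is not None:
        blocks.append((run_start, full))
    return blocks


def best_versions(features, knowledge_base):
    """Group candidates by project and keep the best-covered version.

    knowledge_base: (project, version) -> set of features.
    Returns project -> (version, block_ratio, single_feature_ratio); a
    candidate with no matched block is dropped however many scattered
    single features it shares with the target.
    """
    best = {}
    if not features:
        return best
    for (project, version), candidate in sorted(knowledge_base.items()):
        blocks = logical_blocks(features, candidate)
        block_ratio = sum(end - start for start, end in blocks) / len(features)
        single_ratio = sum(1 for f in features if f in candidate) / len(features)
        if block_ratio > best.get(project, (None, 0.0, 0.0))[1]:
            best[project] = (version, block_ratio, single_ratio)
    return best


# Constructed sample: two loader symbols, one string present in far too many
# files, and 30 ordinary string features in file order.
TARGET = ["_INIT_0", "_FINI_0", "%s: error"] + [f"str_{i:02d}" for i in range(30)]
FILE_COUNT = {"%s: error": 25000}
KNOWLEDGE_BASE = {
    ("libalpha", "1.0"): {f"str_{i:02d}" for i in range(10)},       # 10 contiguous
    ("libalpha", "1.1"): {f"str_{i:02d}" for i in range(20)},       # 20 contiguous
    ("libbeta", "2.0"): {f"str_{i:02d}" for i in range(0, 30, 2)},  # 15 scattered
}

if __name__ == "__main__":
    feats = filter_features(TARGET, FILE_COUNT)
    for project, result in best_versions(feats, KNOWLEDGE_BASE).items():
        print(project, result)
```

libbeta shares half of the target's features but never eight within one unit group, so single-feature comparison would report it while block matching does not.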
This step further analyzes the syntactic logic of the binary files, based on the detection result obtained in the steps above, to improve the correctness of that result.
This step composes the feature information of a function into an 80-bit feature vector, also called the function feature vector, where the 80-bit information includes: the number of parent functions, the number of child functions, the number of called character strings, the number of called import functions, the number of nodes, the number of edges and the computational complexity of the control flow graph, the number of parameters, the number of operation codes (opcodes), and 69 pcode. The result of step (3) is further filtered using the 80-bit function feature vector to obtain a more accurate result.
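An added example, not code from the patent or its applicant: pairing homologous functions by feature-vector distance and then comparing their call relations, on constructed function records. The vector is a shortened stand-in (the nine counts named above plus 4 pcode presence flags instead of 69); the distance metric, the 0.15 threshold and every function and file name are assumptions, since the description does not specify them.

```python
import math

# The nine counts named in the description; pcode presence flags follow them.
COUNT_FIELDS = ("parents", "children", "strings", "imports",
                "cfg_nodes", "cfg_edges", "complexity", "params", "opcodes")

# Assumption: neither the distance metric nor its threshold is in the patent.
MAX_DISTANCE = 0.15


def fn(counts, pcode, calls=()):
    """Build one constructed function record."""
    return dict(zip(COUNT_FIELDS, counts), pcode=pcode, calls=list(calls))


def feature_vector(func):
    """Flatten a function record into counts followed by pcode flags."""
    return [func[k] for k in COUNT_FIELDS] + list(func["pcode"])


def distance(a, b):
    """Mean relative difference per component, in [0, 1] (assumed metric)."""
    return sum(abs(x - y) / max(x, y, 1) for x, y in zip(a, b)) / len(a)


def homologous_functions(target, reference):
    """Pair each target function with its nearest reference function.

    Returns target name -> reference name for pairs within MAX_DISTANCE.
    """
    pairs = {}
    for t_name, t_func in target.items():
        t_vec = feature_vector(t_func)
        best_name, best_dist = None, math.inf
        for r_name, r_func in reference.items():
            d = distance(t_vec, feature_vector(r_func))
            if d < best_dist:
                best_name, best_dist = r_name, d
        if best_dist <= MAX_DISTANCE:
            pairs[t_name] = best_name
    return pairs


def same_call_relations(target, reference, pairs):
    """True when every homologous pair calls homologous callees.

    Callees of the target function are translated through `pairs`; an
    unpaired callee or a differing callee set marks the relation as different.
    """
    for t_name, r_name in pairs.items():
        mapped = {pairs.get(c) for c in target[t_name]["calls"]}
        if None in mapped or mapped != set(reference[r_name]["calls"]):
            return False
    return True


def trace_file(target, reference):
    """Keep the reference file as a trace result, or discard it."""
    pairs = homologous_functions(target, reference)
    if not pairs:
        return False, pairs
    return same_call_relations(target, reference, pairs), pairs


# Constructed sample: a stripped target and two knowledge-base files whose
# functions have near-identical vectors but different call graphs.
TARGET_FUNCS = {
    "sub_1000": fn((0, 2, 3, 1, 12, 15, 5, 2, 140), (1, 1, 0, 1),
                   ["sub_1100", "sub_1200"]),
    "sub_1100": fn((1, 0, 1, 2, 4, 4, 2, 1, 35), (1, 0, 0, 1)),
    "sub_1200": fn((1, 0, 0, 1, 6, 7, 3, 3, 52), (1, 1, 1, 0)),
}
REF_GOOD = {
    "parse": fn((0, 2, 3, 1, 12, 15, 5, 2, 138), (1, 1, 0, 1),
                ["read_hdr", "checksum"]),
    "read_hdr": fn((1, 0, 1, 2, 4, 4, 2, 1, 35), (1, 0, 0, 1)),
    "checksum": fn((1, 0, 0, 1, 6, 7, 3, 3, 52), (1, 1, 1, 0)),
}
REF_LOOKALIKE = {
    "parse": fn((0, 2, 3, 1, 12, 15, 5, 2, 138), (1, 1, 0, 1),
                ["read_hdr", "pad"]),
    "read_hdr": fn((1, 1, 1, 2, 4, 4, 2, 1, 35), (1, 0, 0, 1), ["checksum"]),
    "checksum": fn((1, 0, 0, 1, 6, 7, 3, 3, 52), (1, 1, 1, 0)),
    "pad": fn((1, 0, 0, 0, 1, 0, 1, 0, 3), (0, 0, 0, 0)),
}

if __name__ == "__main__":
    for name, ref in (("good", REF_GOOD), ("lookalike", REF_LOOKALIKE)):
        print(name, trace_file(TARGET_FUNCS, ref))
```

Both reference files pass the vector comparison; only the call-relation check separates them, which is the false-positive reduction the description attributes to the function call graph.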
Finally, the following step may also be performed: associating vulnerability and license information.
This step associates the corresponding vulnerability and license information with the detection results obtained in the previous steps, so that the security problems of the software components can be displayed. The vulnerability and license data, and the data associating open source components with vulnerabilities and licenses, all come from network collection and manual analysis.
Unlike the traditional one-by-one comparison of single features, the method provided by the invention considers the physical position of the binary file features within the file and introduces the definition of matching file feature blocks (logical feature blocks). A logical feature block is built on the extracted features and treats a contiguous feature set as one feature block. When features are matched to components, matching is performed in units of logical feature blocks instead of single features. Because detection works block by block, the reuse problem caused by matching scattered features is avoided.
The technique selects constant strings, exported functions and functions with 80-bit features as features, realizes project-level homology detection based on the constant strings and exported functions, provides a matching algorithm for logical feature blocks, calculates feature distances for the 80-bit functions, and realizes file-level similarity detection through a function call graph, which largely solves the reuse problem, reduces false positives and improves the accuracy of the detection results.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the apparatus and units described above may refer to corresponding procedures in the foregoing method embodiments, which are not described herein again.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of elements is merely a logical functional division, and there may be additional divisions of actual implementation, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted, or not performed.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment of the present invention.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or various other media capable of storing program code.
The above description of the technical solution provided by the embodiments of the present invention has been provided in detail, and specific examples are applied in this patent to illustrate the principles and implementation of the embodiments of the present invention, where the above description of the embodiments is only suitable for helping to understand the principles of the embodiments of the present invention; the foregoing description of the preferred embodiments of the invention is not intended to limit the invention to the precise form disclosed, and any such modifications, equivalents, and alternatives falling within the spirit and scope of the invention are intended to be included within the scope of the invention.

Claims (7)

1. The binary system-based software traceability detection method is characterized by comprising the following steps of:
extracting binary file characteristics of software to be detected;
matching the extracted binary file features with a feature knowledge base to obtain a matching file;
grouping all the obtained matching files, and performing matching file feature blocking based on grouping results to obtain matching file feature blocks;
filtering the matched file feature blocks to obtain filtered matched file feature blocks;
extracting the function feature vector of the matching file contained in the software to be detected and the filtered matching file feature block;
and tracing detection is carried out on the software to be detected according to the function feature vector.
2. The method of claim 1, wherein performing trace-source detection on the software to be detected according to a function feature vector comprises:
obtaining a homologous function of the matching file contained in the software to be detected and the filtered matching file feature block according to the function feature vector;
constructing a function call relation of the matching file contained in the software to be detected and the filtered matching file feature block;
comparing whether the function call relations of the homologous functions are the same or not, and determining the traceability detection result of the software to be detected based on the comparison result.
3. The method according to claim 2, wherein comparing whether the function call relationships of the homologous functions are the same, determining the traceable detection result of the software to be detected based on the comparison result, comprises:
and when the function call relations of the homologous functions are the same, taking the matching file contained in the filtered matching file feature block as a tracing detection result of the software to be detected.
4. The method of claim 1, wherein the extracted binary file features are matched to a feature knowledge base to obtain a matched file, the method further comprising:
and collecting open source components, vulnerabilities and license data, and establishing a feature knowledge base.
5. The method of claim 1, wherein after extracting the binary file features of the software to be detected, the method further comprises:
filtering the non-representative features, and updating the binary file features.
6. The method according to claim 1, wherein grouping all the obtained matching files and performing matching file feature segmentation based on the grouping result to obtain matching file feature blocks comprises:
grouping all the obtained matching files, and calculating the matching proportion of the matching files after grouping based on grouping results;
and carrying out matching file feature blocking on the grouping result based on the matching proportion to obtain a matching file feature block.
7. The method of claim 1, wherein filtering the matching file feature blocks to obtain filtered matching file feature blocks comprises:
and filtering the matched file feature blocks based on the project version to obtain filtered matched file feature blocks.
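The comparison described in claims 2 and 3, as an added example that is not part of the patent: functions of the software under test are paired with functions of a candidate matching file by feature-vector similarity, and the candidate is reported only when the call relations among the paired functions are identical. The cosine metric, the 0.95 threshold, the four-element vectors and every file and function name below are assumptions constructed for the illustration.

```python
import math

def cosine(a, b):
    """Cosine similarity of two equal-length numeric feature vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def homologous_pairs(target_vecs, cand_vecs, threshold=0.95):
    """Greedy one-to-one pairing; cosine metric and threshold are assumptions."""
    scored = sorted(((cosine(tv, cv), t, c) for t, tv in target_vecs.items()
                     for c, cv in cand_vecs.items()), reverse=True)
    pairs = {}
    for score, t, c in scored:
        if score < threshold:
            break  # remaining pairs are too dissimilar to be homologous
        if t not in pairs and c not in pairs.values():
            pairs[t] = c
    return pairs

def call_relations_match(target_calls, cand_calls, pairs):
    """True when the call edges among homologous functions are identical."""
    mapped = {(pairs[a], pairs[b]) for a, b in target_calls if a in pairs and b in pairs}
    paired = set(pairs.values())
    expected = {(a, b) for a, b in cand_calls if a in paired and b in paired}
    return bool(pairs) and mapped == expected

def trace(target, candidates):
    """Candidate files whose homologous call relations equal the target's."""
    return [name for name, cand in candidates.items()
            if call_relations_match(target["calls"], cand["calls"],
                                    homologous_pairs(target["vectors"], cand["vectors"]))]

# Constructed sample data: vectors are (basic blocks, string refs, loops, constants).
TARGET = {"vectors": {"sub_401000": [5, 2, 1, 1], "sub_401080": [9, 1, 0, 4],
                      "sub_401200": [3, 0, 5, 0]},
          "calls": {("sub_401000", "sub_401080"), ("sub_401000", "sub_401200"),
                    ("sub_401080", "sub_401200")}}
CAND_VECS = {"main": [5, 2, 1, 1], "parse_header": [9, 1, 0, 5], "verify_sig": [3, 0, 5, 0]}
CANDIDATES = {
    "libdemo-1.2/parser.o": {"vectors": CAND_VECS, "calls": {
        ("main", "parse_header"), ("main", "verify_sig"), ("parse_header", "verify_sig")}},
    "libdemo-1.3/parser.o": {"vectors": CAND_VECS, "calls": {
        ("main", "parse_header"), ("parse_header", "verify_sig")}},
}

print(trace(TARGET, CANDIDATES))
```

Both constructed candidates have the same function vectors, so vector similarity alone cannot separate the two versions; only the call-relation comparison does.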
CN202211372658.6A 2022-11-03 2022-11-03 Binary system-based software traceability detection method Pending CN116305134A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211372658.6A CN116305134A (en) 2022-11-03 2022-11-03 Binary system-based software traceability detection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211372658.6A CN116305134A (en) 2022-11-03 2022-11-03 Binary system-based software traceability detection method

Publications (1)

Publication Number Publication Date
CN116305134A true CN116305134A (en) 2023-06-23

Family

ID=86801944

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211372658.6A Pending CN116305134A (en) 2022-11-03 2022-11-03 Binary system-based software traceability detection method

Country Status (1)

Country Link
CN (1) CN116305134A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110399729A (en) * 2019-04-11 2019-11-01 国家计算机网络与信息安全管理中心 A kind of binary software analysis method based on module diagnostic weight
CN110704308A (en) * 2019-09-11 2020-01-17 无锡江南计算技术研究所 Multistage feature extraction method
CN111046385A (en) * 2019-11-22 2020-04-21 北京达佳互联信息技术有限公司 Software type detection method and device, electronic equipment and storage medium
CN111930610A (en) * 2020-07-07 2020-11-13 北京白泽洞冥科技有限公司 Software homology detection method, device, equipment and storage medium
CN114064116A (en) * 2020-07-30 2022-02-18 华为技术有限公司 Software detection method and device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
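Cheng Zheng: "Architecture design of a Microsoft malware homology analysis and detection system", Information Science and Technology, 15 January 2018 (2018-01-15) *
Li Guangxu; Li Weihua; Pan Wei; Shi Haobin: "Design of a program structure parsing model for software security reverse analysis", Computer Engineering and Applications, no. 32, 11 November 2008 (2008-11-11) *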

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination