| 引用本文: |
-
林哲超,卢帅兵,聂原平,张甲,段海新,李响,况晓辉.人机协同信息系统漏洞挖掘机理研究与实践[J].信息安全学报,已采用 [点击复制]
- LIN Zhe Chao,LU Shuai Bing,NIE Yuan Ping,ZHANG Jia,DUAN Hai Xin,LI Xiang,KUANG Xiao Hui.Research on Mechanism of Human-Machine Collaborative Vulnerability Mining[J].Journal of Cyber Security,Accept [点击复制]
|
|
| 摘要: |
| 漏洞挖掘对于提高信息系统的安全性和可靠性起着至关重要的作用。随着信息技术的不断发展,漏洞挖掘技术持续向自动化智能化方向演进。虽然机器在其中扮演越来越重要的角色,但是信息系统规模的不断增大以及网络空间的日益复杂化,使得单纯依靠机器自动化挖掘漏洞的局限性也逐渐显现出来。统计分析表明,人在高价值漏洞发现过程发挥着不可替代的作用。本文首先从人机关系的角度宏观分析了漏洞挖掘技术半个世纪的发展历程,并根据人与机器的关系以及协同程度,构建了人机协同概念框架,提出工具、助手和伙伴3个层次的人机协同概念。其次,在人机协同概念框架基础上,结合漏洞挖掘技术的发展趋势、漏洞挖掘的内涵本质,面临的问题挑战,从交互方式、人机规模、以及人机关系等角度,探讨了人机协同漏洞挖掘模型的分类,包括单向辅助式人机协同、双向互助式人机协同以及共融互促式人机协同漏洞挖掘模型。由于当前漏洞挖掘技术正处在双向互助式人机协同的发展阶段,尚未发展出共融互促式人机协同,因此本文重点阐述了双向互助式人机协同漏洞挖掘模型的内涵。在该模型的指导下,围绕3类典型场景下漏洞挖掘面临的问题挑战,研究提出并实现了对应的人机协同漏洞挖掘模式。实验结果表明,人机协同漏洞挖掘方法相对于已有的研究工作,在代码覆盖率、漏洞发现效率、漏洞发现类型等方面有了显著提升,并在真实系统中发现未公开漏洞30余个。 |
| 关键词: 漏洞挖掘 人机协同漏洞挖掘模型 模式 |
| DOI: |
| 投稿时间:2024-03-31修订日期:2024-07-21 |
| 基金项目: |
|
| Research on Mechanism of Human-Machine Collaborative Vulnerability Mining |
|
LIN Zhe Chao1, LU Shuai Bing1, NIE Yuan Ping1, ZHANG Jia2, DUAN Hai Xin2, LI Xiang1, KUANG Xiao Hui1
|
| (1.Institute of System Engineering Academy of Military Sciences;2.Institute for Network Science and Cyberspace, Tsinghua University) |
| Abstract: |
| Vulnerability mining plays a vital role in improving the security and reliability of information systems. With the continuous advancement of information technology, vulnerability mining technology is evolving towards automation and intelligence. Although machines played an increasingly pivotal role in this domain, the continuous increase in the scale of information systems and the increasing complexity of cyberspace have gradually revealed the limitations of relying solely on machine automation to mine vulnerabilities. Some statistical analysis reveals that human involvement remains indispensable in the process of discovering high-value vulnerabilities. This paper examines the development history of vulnerability mining technology over half a century from the perspective of the man-machine relationship. First, based on the relationship between humans and machines and the degree of collaboration, a conceptual framework for human-machine collaboration was constructed, and a three-level concept of human-machine collaboration relationship was proposed, namely tools, assistants, and partners. Secondly, drawing upon the conceptual framework of man-machine collaboration, combined with the development trend of vulnerability mining technology, the connotation and essence of vulnerability mining, and the problems and challenges faced, from the perspectives of interaction mode, the scale of human and machine, and human-machine relationship, this paper explores the classification of man-machine collaborative vulnerability mining models, including one-directional assisted human-machine collaborative vulnerability mining, bidirectional assisted man-machine collaborative vulnerability mining, and inclusive and mutually promoting human-machine collaborative vulnerability mining models. Since the current vulnerability mining technology is in the development stage of bidirectional assisted human-machine collaboration and has not yet developed inclusive and mutual-ly promoting human-machine collaboration, this paper has a particular emphasis on elucidating the essence of bidirectional mutual man-machine collaborative vulnerability mining models. Under the guidance of this model, focusing on the problems and challenges faced by vulnerability mining in three typical scenarios, the corresponding man-machine collaborative vulnerability mining mode is proposed and implemented. Experimental validation demonstrates that com-pared to existing research efforts, our proposed method significantly enhances code coverage, efficiency in identifying vulnerabilities, as well as diversifying types discovered; more than 30 undisclosed vulnerabilities were successfully identified within real systems. |
| Key words: vulnerability mining Human-Machine collaborative vulnerability mining model pattern |
