보안 취약점 자동 탐색 및 대응기술 동향

  • 장대일 (한국인터넷진흥원 보안기술R&D2팀) ;
  • 김태은 (한국인터넷진흥원 보안기술R&D2팀) ;
  • 김환국 (한국인터넷진흥원 보안기술R&D2팀)
  • Published : 2018.04.30

Abstract

머신러닝 및 인공지능 기술의 발전은 다양한 분야 활용되고 있고, 이는 보안 분야에서도 마찬가지로 로그 분석이나, 악성코드 탐지, 취약점 탐색 및 대응 등 다양한 분야에서 자동화를 위한 연구가 진행되고 있다. 특히 취약점 탐색 및 대응 분야의 경우 2016년 데프콘에서 진행된 CGC를 필두로 바이너리나 소스코드 내의 취약점을 정확하게 탐색하고 패치하기 위해 다양한 연구가 시도되고 있다. 이에 본 논문에서는 취약점을 탐색 및 대응하기 위해 각 연구 별 탐색 기술과 대응 기술을 분류 및 분석한다.

Keywords

References

  1. CVE Details, https://www.cvedetails.com/
  2. B. Arkin, S. Stender, G. McGraw, "Software penetration testing," IEEE Security and Privacy, 3(1), pp. 84-87, 2005.
  3. Matt Bishop, "About penetration testing", IEEE Security & Privacy, pp.84-87, 2007.
  4. Patrice Godefroid, "Random testing for security: Blackbox vs. whitebox fuzzing", In Proceedings of the 2nd International Workshop on Random Testing (RT'07), 2007.
  5. M. E. Khan, F. Khan, "A comparative study of white box, black box and grey box testing techniques", International Journal of Advanced Computer Science and Applications (IJACSA), 2012.
  6. Thomas Zimmermann, Nachiappan Nagappan, Laurie Williams, "Searching for a needle in a haystack: Predicting security vulnerabilities for windows vista", In Proceedings of the 3rd International Conference on Software Testing, Verification and Validation (ICST'10), pp. 421-428, 2010.
  7. Andrew Meneely, Laurie Williams, "Strengthening the empirical analysis of the relationship between linus' law and software security", In Proceedings of the ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM'10), 2010.
  8. MaureenDoyle, JamesWalden, "An empirical study of the evolution of PHPweb application security", In Proceedings of the 3rd International Workshop on Security Measurements and Metrics (MetriSec'11), pp.11-20, 2011.
  9. Yonghee Shin, Laurie Williams, "Can traditional fault prediction models be used for vulnerability prediction?", Empir. Softw. Eng, pp.25-59, 2013.
  10. Yonghee Shin, Laurie Williams, "An initial study on the use of execution complexity metrics as indicators of software vulnerabilities", In Proceedings of the 7th International Workshop on Software Engineering for Secure Systems(SESS'11), pp.1-7, 2011.
  11. Sara Moshtari, Ashkan Sami, Mahdi Azimi, "Using complexity metrics to improve software security", Computer Fraud & Security, pp.8-17, May 2011.
  12. James Walden, Jeffrey Stuckman, Riccardo Scandariato, "Predicting vulnerable components: Software metrics vs text mining",In Proceedings of the 25th International Symposium on Software Reliability Engineering (ISSRE'14), pp.23-33, 2014.
  13. Henning Perl, Sergej Dechand, Matthew Smith, Daniel Arp, Fabian Yamaguchi, Konrad Rieck, Sascha Fahl, Yasemin Acar, "VccFinder: Finding potential vulnerabilities in open-source projects to assist code audits", In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS'15), pp.426-437, 2015.
  14. Awad Younis, Yashwant Malaiya, Charles Anderson, Indrajit Ray, "To fear or not to fear that is the question: Code characteristics of a vulnerable function with an existing exploit", In Proceedings of the 6th ACM Conference on Data and Application Security and Privacy (CODASPY'16), pp.97-104, March 2016.
  15. Fabian Yamaguchi, Felix Lindner, Konrad Rieck, "Vulnerability extrapolation : Assisted discovery of vulnerabilities using machine learning", In Proceedings of the 5th USENIX Workshop on Offensive Technologies, 2011.
  16. Fabian Yamaguchi, Felix Lindner, Konrad Rieck. "Generalized vulnerability extrapolation using abstract syntax trees", In Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC'12), pp.359-368, 2012.
  17. Sean Heelan, "Vulnerability detection systems: Think cyborg, not robot", IEEE Security and Privacy, pp.74-77, 2011.
  18. Lwin Khin Shar, Hee Beng Kuan Tan, Lionel C. Briand, "Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis", In Proceedings of the 35th International Conference on Software Engineering (ICSE'13), pp.642-651, 2013.
  19. Lwin Khin Shar, Lionel C Briand, Hee Beng Kuan Tan, "Web application vulnerability prediction using hybrid program analysis and machine learning", IEEE Transactions on Dependable and Secure Computing, pp.688-707, 2015.
  20. Gustavo Grieco, Guillermo Luis Grinblat, Lucas Uzal, Sanjay Rawat, Josselin Feist, Laurent Mounier, "Toward Large-scale Vulnerability Discovery Using Machine Learning", In Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy (CODASPY'16), pp.85-96, March 2016.
  21. Dumidu Wijayasekara, Milos Manic, Jason L. Wright, Miles McQueen, "Mining bug databases for unidentified software vulnerabilities", In Proceedings of the 5th International Conference on Human System Interactions (HSI'12), pp.89-96, 2012.
  22. Dumidu Wijayasekara, Milos Manic, Jason L. Wright, Miles McQueen, "Vulnerability identification and classification via text mining bug databases", In Proceedings of the 40th Annual Conference of the IEEE Industrial Electronics Society (IECON'14), 2014.
  23. Dumidu Wijayasekara, Milos Manic, Jason L. Wright, Miles McQueen, "Applications of computational intelligence for static software checking against memory corruption vulnerabilities", In Proceedings of the IEEE Symposium on Computational Intelligence in Cyber Security (CICS'13), pp. 59-66, 2013.
  24. Iberia Medeiros, Nuno F. Neves, Miguel Correia, "Automatic detection and correction of web application vulnerabilities using data mining to predict false positives", In Proceedings of the 23rd International Conference on World Wide Web (WWW'14), pp. 63-74, 2014.
  25. W.Weimer, T. Nguyen, C. Le Goues, and S. Forrest, "Automatically Finding Patches Using Genetic Programming", In Proceedings of the International Conference on Software Engineering, 2009.
  26. Claire Le Goues, ThanhVu Nguyen, Stephanie Forrest, "GenProg: A Generic Method for Automatic Software Repair", IEEE transactions on software engineering, pp 54-72, 2012.
  27. A. Arcuri, "Automatic Software Generation and Improvement Through Search Based Techniques", PhD thesis. The University of Birmingham, 2009.
  28. V. Debroy, W.Wong, "Using Mutation to Automatically Suggest Fixes for Faulty Programs", In Proceedings of the International Conference on Software Testing, Verification and Validation, pp. 65-74, 2010.
  29. D. Kim, J. Nam, J. Song, S. Kim, "Automatic Patch Generation Learned From Human-Written Patches", In: Proceedings of ICSE, 2013.
  30. G. Candea, S. Kawamoto, Y. Fujiki, G. Friedman, A. Fox, "Microreboot: a Technique for Cheap Recovery", In: Proceedings of the 6th Conference on Symposium on Operating Systems Design & Implementation, pp. 31-44, 2004.
  31. A. Smirnov, T. Chiueh, "DIRA: Automatic Detection, Identification, and Repair of Control-hijacking Attacks", The 12th Annual Network and Distributed System Security Symposium, 2005.
  32. P. E. Ammann, J. C. Knight, "Data Diversity: An Approach to Software Fault Tolerance", Ieee transactions on computers, pp. 418-425, 2005.
  33. C. Lewis, J. Whitehead, "Runtime Repair of Software Faults Using Event-driven Monitoring", In Proceedings of the 32nd acm/ieee international conference on software engineering(icse '10), pp. 275-280, 2010.
  34. Guodong Li, Indradeep Ghosh, and Sreeranga P. Rajan, "KLOVER: A Symbolic Execution and Automatic Test Generation Tool for C++ Programs", IEEE Software, pp. 33-37, 2017.
  35. L. Luo, Q. Zeng, C. Cao, K. Chen, J. Liu, L. Liu, N. Gao, M. Yang, X. Xing, and P. Liu, "System service call-oriented symbolic execution of android framework with applications to vulnerability discovery and exploit generation," In Proceedings of the 15th Annual International Conference on Mobile Systems, Applications, and Services. ACM, pp. 225-238, 2017.
  36. S. Rawat, V. Jain, A.Kumar, L. Cojocar, C. Giuffrida, H. Bos, "Vuzzer: Application-aware evloutionary fuzzing," In Proceedings of the Network and Districuted System Security Symposium(NDSS), 2017.