CN108985065A - Method and system for firmware vulnerability detection using an improved Mahalanobis distance calculation method - Google Patents

Info

Publication number
CN108985065A
Authority
CN
China
Prior art keywords
function
sample
covariance matrix
loophole
detected
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810802430.3A
Other languages
Chinese (zh)
Other versions
CN108985065B (en
Inventor
向剑文
冉林军
余曼
林红
赵冬冬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan University of Technology WUT
Original Assignee
Wuhan University of Technology WUT
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan University of Technology WUT filed Critical Wuhan University of Technology WUT
Priority to CN201810802430.3A priority Critical patent/CN108985065B/en
Publication of CN108985065A publication Critical patent/CN108985065A/en
Application granted granted Critical
Publication of CN108985065B publication Critical patent/CN108985065B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00 Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G06F17/10 Complex mathematical operations
    • G06F17/16 Matrix or vector computation, e.g. matrix-matrix or matrix-vector multiplication, matrix factorization
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Abstract

The invention discloses a method and system for firmware vulnerability detection using an improved Mahalanobis distance calculation method. The method comprises the following steps: extracting the features of the vulnerable function and of the target functions; initially selecting a fixed quantity of data and computing a covariance matrix; updating the covariance matrix for each newly added sample to be calculated, and using the updated covariance matrix to compute the distance between the target sample and the base sample; and, for the computed distance, judging against a defined threshold whether the sample to be calculated is a positive or a negative sample, then updating the covariance matrix again according to that judgment. Addressing data sets that change dynamically, the invention improves the Mahalanobis distance calculation used in data mining during firmware vulnerability detection, greatly increasing the speed of inter-sample distance calculation while preserving computational accuracy. It achieves good time performance for distance calculation over large-scale samples.

Description

Method and system for firmware vulnerability detection using an improved Mahalanobis distance calculation method
Technical field
The invention belongs to the field of static firmware vulnerability detection and relates to computing the similarity between different functions after the features of vulnerable functions in firmware have been extracted; specifically, it relates to a method and system for firmware vulnerability detection using an improved Mahalanobis distance calculation method.
Background
Firmware vulnerability detection is divided into dynamic detection and static detection. Dynamic detection runs the firmware in a computer-emulated firmware runtime environment and assesses the security of the firmware from dynamic data. Static detection decompresses, decompiles and otherwise processes a firmware binary file, then detects vulnerabilities using methods such as data mining.
In static detection of firmware vulnerabilities, known vulnerable functions must first be obtained and their features extracted; to a certain extent, the resulting feature vector can represent the vulnerable function. To check whether an unknown firmware contains the same vulnerability, all functions in the firmware must first be processed in the same way, with the features of the unknown functions extracted by the same method. Once the features of an unknown function are obtained, a common approach is to compute the distance between the feature vectors of the unknown function and the known vulnerable function, set a threshold, and judge from the size of the distance and the threshold whether the unknown firmware contains the known vulnerability.
In data mining it is often necessary to compute the similarity between samples, and the usual approach is to compute the distance between them. Common distance measures include Euclidean distance, Manhattan distance, Mahalanobis distance and cosine distance. Each has its own advantages and disadvantages. Euclidean distance, the most common, is the most widely applied but has an obvious shortcoming: it treats differences between the different attributes of a sample (i.e. each index or variable value) equally, which sometimes cannot meet specific requirements. In educational research, for example, the analysis and discrimination of people is frequently encountered, and different attributes of an individual have different importance for distinguishing individuals, so these attributes cannot be treated as equally important. Mahalanobis distance has many advantages. It is not affected by units of measurement: the Mahalanobis distance between two points is independent of the measurement units of the original data, and the Mahalanobis distance between two points computed from standardized data is the same as that computed from centered data (i.e. the difference between the original data and the mean). Mahalanobis distance can also exclude interference from correlation between variables. Its shortcomings are equally obvious: one is that it exaggerates the effect of variables with small variation; the other is low flexibility, because each distance calculation requires computing the covariance matrix of the original samples once. For application scenarios with high dimension, large data volume and constantly changing data, the original Mahalanobis distance calculation has high complexity and is not suitable.
Given these shortcomings, when mining vulnerabilities in firmware at large scale and using Mahalanobis distance to compute the distance between samples, not only the sample size but also the excessive dimension of the vulnerable-function features must be considered. A calculation method suited to large-scale, dynamic samples is therefore very important.
Summary of the invention
The technical problem to be solved by the invention is, in view of the above defects in the prior art, to provide a firmware vulnerability detection method using an improved Mahalanobis distance calculation method that improves firmware vulnerability detection efficiency while preserving computational accuracy.
The technical solution adopted by the invention to solve this technical problem is:
A method for firmware vulnerability detection using an improved Mahalanobis distance calculation method is provided, comprising the following steps:
Step 1: extract the features of the vulnerable function in firmware and of the target functions in the firmware under test;
Step 2: initially select a fixed quantity of vulnerable functions of the same type, compute their feature vectors to form an initial sample matrix, and compute the covariance matrix of the initial sample matrix;
Step 3: update the covariance matrix according to the newly added function sample under test, and use the updated covariance matrix to compute the distance between the target sample and the base sample. In the calculation it is assumed that all detected vulnerable functions follow the same distribution as the known vulnerable function, so the mean of every dimension in the final distribution tends toward the feature vector of the known vulnerable function; the feature vector of the vulnerable function is therefore used in place of the mean, avoiding the mean calculation. The final computed distance is given by the formula,
whose terms denote the feature vector of the known vulnerable function, the feature vector of the function under test, the covariance matrix updated with the feature vector of the function under test, and the final computed distance;
Step 4: for the computed distance, judge against the defined threshold whether the sample to be calculated is a positive or a negative sample, where a positive sample means the function under test is detected as a vulnerable function and a negative sample means it is a non-vulnerable function; update the covariance matrix again according to the judgment.
Further to the above technical solution, step 2 also comprises: obtaining in advance the feature-sample distribution of known vulnerable functions and computing the covariance matrix of that distribution, where the elements of the covariance matrix are calculated as follows:
In the formula, Cov(x, y) denotes the covariance between dimension x and dimension y over all n samples; n denotes the sample size; X_i denotes the value of the i-th sample in dimension x; Y_i denotes the value of the i-th sample in dimension y; and the remaining symbols denote the mean of all samples in the respective dimension.
Further to the above technical solution, in step 3 the formula for the elements of the covariance matrix is improved as follows:
Replacing the mean with the feature values of the vulnerable function removes the need to compute the mean, that is:
This gives the new formula for the elements of the covariance matrix:
COV(X,Y)_n and COV(X,Y)_{n+1} denote the covariance between dimension X and dimension Y at the n-th and the (n+1)-th calculation respectively; X_{n+1} denotes the value in dimension X of the newly added feature vector of the function under test; Y_{n+1} denotes its value in dimension Y; x_1 denotes the value in dimension x of the known vulnerable function's feature vector, and x_2 its value in dimension y.
Further to the above technical solution, in step 4,
the covariance matrix is updated again according to the computed result, specifically as follows:
Let
ΔS denote the covariance matrix update amount for the current function under test;
If the final calculation gives: then the current sample under test is judged to be a positive sample, and
If the final calculation gives: then the current sample under test is judged to be a negative sample, and
where S is the covariance matrix from step 3 before this update, and threshold is a predefined empirical threshold.
Further to the above technical solution, the feature vector includes, as extracted with a tool: the function's code size, the stack space used by the function, the number of assembly instructions after decompilation, the sequence of lengths of the basic blocks near the entry in the function's structure graph, and the set of special string instructions called.
The invention also provides a system for firmware vulnerability detection using an improved Mahalanobis distance calculation method, comprising:
a target-function feature extraction module, for extracting the features of the vulnerable function in firmware and of the target functions in the firmware under test;
a covariance matrix module, for initially selecting a fixed quantity of vulnerable functions of the same type, computing their feature vectors to form an initial sample matrix, and computing the covariance matrix of the initial sample matrix;
the covariance matrix module also being used to update the covariance matrix according to the newly added function sample under test and to use the updated covariance matrix to compute the distance between the target sample and the base sample. In the calculation it is assumed that all detected vulnerable functions follow the same distribution as the known vulnerable function, so the mean of every dimension in the final distribution tends toward the feature vector of the known vulnerable function; the feature vector of the vulnerable function is therefore used in place of the mean, avoiding the mean calculation. The final computed distance is given by the formula,
whose terms denote the feature vector of the known vulnerable function, the feature vector of the function under test, the covariance matrix updated with the feature vector of the function under test, and the final computed distance;
a function-under-test judgment module, for judging, for the computed distance and against the defined threshold, whether the sample to be calculated is a positive or a negative sample, where a positive sample means the function under test is detected as a vulnerable function and a negative sample means it is a non-vulnerable function, and for updating the covariance matrix again according to the judgment.
The beneficial effects of the invention are: the firmware vulnerability detection method using the improved Mahalanobis distance calculation greatly increases the speed of inter-sample distance calculation while preserving computational accuracy, and achieves good time performance for distance calculation over large-scale samples. In computational time complexity it improves from the original O(m²L²) to O(m²L); that is, as the sample size increases, the time complexity improves from geometric growth to linear growth. In large-scale firmware vulnerable-function detection, detection efficiency can be significantly improved.
Description of the drawings
The invention is further described below with reference to the drawings and embodiments. In the drawings:
Fig. 1 is a flow chart of the method for firmware vulnerability detection using the improved Mahalanobis distance calculation method according to an embodiment of the invention;
Fig. 2 shows the distance curve computed with the original Mahalanobis distance and the distance curve computed with the improved Mahalanobis distance.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.
As shown in Fig. 1, the method of the invention for firmware vulnerability detection using an improved Mahalanobis distance calculation method comprises the following steps:
Step 1: extract the corresponding features of the vulnerable function in firmware and of the target functions in the firmware under test, referred to below as the vulnerable function and the target function;
For each vulnerable function, its feature vector is computed as the function's unique identifier. For each recognizable function in each firmware, a tool is used to extract features such as the function's code size, the stack space the function uses, the number of assembly instructions after decompilation, the sequence of lengths of the basic blocks near the entry in the function's structure graph, and the set of special string instructions called. Suppose the feature vector computed for different functions is V(code, stack, inst … List[] … Set{} …). Because the feature vector needed for distance calculation is a numeric vector, the List, Set and similar features among those extracted must be preprocessed into numeric features.
For a List-type feature, suppose the sequence-type features of the two functions f and g to be compared are L_f and L_g; the longest common subsequence of the two sequences is then computed as one dimension of the vector of function g. The formula is as follows:
In the formula, f denotes a vulnerable function and g denotes a function under test; L_f and L_g denote a List-type feature of functions f and g; LCS(L_f, L_g) is the longest common subsequence of the two sequences L_f and L_g; max(L_f, L_g) denotes the maximum length of the two List-type features; and L_0 is a constant. For a set-type feature, the Jaccard distance of the two sets is computed as one dimension of the vector of function g. Suppose the set-type features of the functions f and g to be compared are S_f and S_g; the feature value of this dimension is then computed as follows:
In the formula, S_0 is a numeric constant between 0 and 1; S_f and S_g denote the set-type features of the functions f and g to be compared; S_f ∩ S_g denotes the intersection of the two sets and S_f ∪ S_g their union.
Finally, through this calculation, each function obtains a feature vector that uniquely represents it: V(v_1, v_2, v_3, …, v_n).
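The step 1 preprocessing, sketched as an added example (not code from the patent): it turns a function's List-type and Set-type features into numeric dimensions relative to a reference vulnerable function f. It assumes the List dimension is the LCS length divided by the longer sequence length and the Set dimension is intersection over union; the constants L_0 and S_0 belong to formulas not reproduced in this text and are not modelled, and the dictionary keys and sample values are constructed.

```python
def lcs_len(a, b):
    """Length of the longest common subsequence, classic O(|a|*|b|) DP."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def list_dim(ref_seq, cand_seq):
    """List-type feature -> one number in [0, 1] (assumed normalisation)."""
    longest = max(len(ref_seq), len(cand_seq))
    # Two empty sequences are treated as identical; this is the example's choice.
    return lcs_len(ref_seq, cand_seq) / longest if longest else 1.0


def set_dim(ref_set, cand_set):
    """Set-type feature -> intersection over union of the two sets."""
    union = ref_set | cand_set
    return len(ref_set & cand_set) / len(union) if union else 1.0


def to_vector(reference, candidate):
    """Numeric feature vector of `candidate`, measured against `reference`."""
    return [
        float(candidate["code_size"]),
        float(candidate["stack_size"]),
        float(candidate["inst_count"]),
        list_dim(reference["block_lengths"], candidate["block_lengths"]),
        set_dim(reference["special_set"], candidate["special_set"]),
    ]


# Constructed sample features (hypothetical keys and values, not from the patent).
REF_FN = {
    "code_size": 412, "stack_size": 64, "inst_count": 103,
    "block_lengths": [5, 9, 3, 7, 2],
    "special_set": {"fmt_a", "fmt_b", "hdr_len"},
}
CAND_FN = {
    "code_size": 390, "stack_size": 64, "inst_count": 97,
    "block_lengths": [5, 3, 7, 4, 2, 8],
    "special_set": {"fmt_a", "hdr_len", "host"},
}

if __name__ == "__main__":
    print("reference:", to_vector(REF_FN, REF_FN))
    print("candidate:", to_vector(REF_FN, CAND_FN))
```

Because the List and Set dimensions are measured against f, the reference function itself scores 1.0 in both, so a candidate's vector is only comparable with vectors built against the same reference.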
Step 2: initially select a fixed quantity of vulnerable functions of the same type, compute their feature vectors in the manner of step 1 to form the initial sample matrix, and compute the covariance matrix of the initial sample matrix. Vulnerable functions of the same type are different functions that give rise to the same vulnerability; the feature vectors of these functions are considered to follow the same distribution.
Because the covariance matrix is updated dynamically on the basis of the original covariance matrix, this step selects a certain amount of data and computes the covariance matrix.
Suppose that, when the sample matrix is initialized, 200 vulnerable-function feature records satisfying distribution D are selected as the initialization data set, and that the function feature vectors have 18 dimensions; then, by the covariance matrix calculation method, cov(x, y) is calculated as:
The resulting covariance matrix is an 18×18 matrix. It serves as the initial value of the covariance matrix; in subsequent calculations, new samples update the covariance matrix on this basis.
Step 3: update the covariance matrix according to the newly added function sample under test, and use the updated covariance matrix to compute the distance between the function sample under test and the known vulnerable function sample;
In the traditional Mahalanobis distance calculation, each distance calculation requires computing the covariance matrix once. Suppose the dimension of the matrix is m; the covariance matrix then has size m×m. According to the covariance matrix formula:
In the formula, Cov(x, y) denotes the covariance between dimension x and dimension y over all n samples; n denotes the sample size; X_i denotes the value of the i-th sample in dimension x; Y_i denotes the value of the i-th sample in dimension y; and the remaining symbols denote the mean of all samples in the respective dimension.
Suppose n samples take part in the initialization sample set for one calculation. Computing the means in the formula then has time complexity O(n); since the vector has m dimensions, computing the means of all m feature dimensions has total time complexity O(m·n);
When computing cov(x, y), an accumulation is required, so computing one cov takes O(n) time; since the matrix has size m×m, the time complexity of computing one covariance matrix is:
O(m·n) + O(m·m·n) = O(m²n)
Suppose the number of function samples under test for which the system must compute a distance is L. Since one calculation has time complexity O(m²n), and summing (1 + 2 + 3 + 4 + … + L) gives L(L+1)/2, the calculation shows that:
For L samples under test whose feature vectors have dimension m, the complete calculation with the traditional Mahalanobis distance method has time complexity O(m²L²).
The time-complexity calculation shows that, with the traditional Mahalanobis distance calculation, the amount of computation grows geometrically as the sample size increases, so this approach is not suitable for large-scale sample calculation. In firmware vulnerable-function detection, the number of functions under test taking part in the calculation is often very large. To improve computational efficiency, the invention therefore improves the Mahalanobis distance calculation so that the calculation speed is greatly increased while the calculation remains reasonable.
Analysing the calculation of cov(x, y): when the sample size is n, the formula is:
which gives:
When the sample size then becomes n+1, i.e. one new function under test is added for calculation and the covariance matrix needs to be updated:
where the mean symbols denote the new mean of all samples in the dimension after the function under test has been added to the sample matrix.
As n → ∞, the following can be set, and then:
As n → ∞, then:
When performing vulnerability detection, a known vulnerable function must be defined as the base function, and the other unknown functions, as functions under test, are calculated against the base function. Suppose the vector of this vulnerable function is: Since what is computed is the distance between the unknown function and this vulnerable function, all detected vulnerable functions can be considered to follow the same distribution as this known vulnerable function, so the mean of every dimension in the final distribution tends toward this vector. Replacing the mean with the feature vector of the vulnerable function removes the need to compute the mean, that is:
Then
where the mean symbols denote the mean of the values of each dimension in the sample matrix, and (x_1, x_2, x_3, …, x_n) denotes the feature values in each dimension of the known vulnerable function used as the base function.
COV(X,Y)_n and COV(X,Y)_{n+1} denote the covariance between dimension X and dimension Y at the n-th and the (n+1)-th calculation respectively; X_{n+1} denotes the value in dimension X of the newly added feature vector of the function under test, and Y_{n+1} its value in dimension Y.
In one calculation of cov, therefore, no mean needs to be computed and the value of COV(X, Y) is updated on the basis of the previous one, so the time complexity is O(1).
For L samples whose feature vectors have dimension m, computing the distances between the L functions under test and one known vulnerable function with the improved Mahalanobis distance calculation method has a complete time complexity of O(m²L), so the time complexity of the calculation changes from geometric growth to linear growth.
The final improved formula for the covariance S is:
In the formula, S denotes the most recently updated covariance matrix, L denotes the sample size of the current sample matrix, n denotes the dimension of the vector, and (x_1, x_2, x_3, …, x_n) denotes the feature vector of the function under test currently being calculated.
After the covariance matrix has been updated, the matrix is used to compute the final distance between the function under test and the known vulnerable function, with the following formula:
The terms of the formula denote the feature vector of the known vulnerable function, the feature vector of the function under test, the covariance matrix updated with the feature vector of the function under test, and the final computed distance.
Step 4: for the computed distance, judge against the predefined empirical threshold threshold whether the sample to be calculated is a positive or a negative sample, where a positive sample means the function under test is detected as a vulnerable function and a negative sample means it is a non-vulnerable function; update the covariance matrix again according to the judgment.
Once the distance between two samples has been computed, the unknown sample can be judged from the given threshold and the computed distance; depending on whether the sample is finally judged positive or negative, the covariance matrix needs to be updated again.
From the role of the covariance matrix: if feature X and feature Y are negatively correlated over the sample values, COV(X, Y) is negative; if they are positively correlated, COV(X, Y) is positive. Using this property, the covariance matrix can be updated again according to the judgment.
From the preceding calculation, the amount of change is
ΔS denotes the covariance matrix update amount for the current function under test.
If the final calculation gives: then the current sample under test is judged to be a positive sample, and
If the final calculation gives: then the current sample under test is judged to be a negative sample, and
where S is the covariance matrix from step 3 before this update.
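The step 3 update and the step 4 threshold decision, sketched as an added example (not code from the patent). The patent's formula images are not in this text, so the example assumes the standard fixed-centre recurrence COV_{n+1} = ((n-1)·COV_n + d·dᵀ)/n with d = x − v, where v is the known vulnerable function's feature vector standing in for the mean, and assumes a distance at or below the threshold means a match; the ΔS feedback of step 4 is omitted, and all sample vectors and the threshold are constructed.

```python
import math


def batch_cov(samples, centre):
    """Covariance about a fixed centre, recomputed from scratch: O(m^2 * n)."""
    n, m = len(samples), len(centre)
    dev = [[s[k] - centre[k] for k in range(m)] for s in samples]
    return [[sum(d[i] * d[j] for d in dev) / (n - 1) for j in range(m)]
            for i in range(m)]


def update_cov(cov, n, x, centre):
    """Fold sample x into a covariance built from n samples: O(m^2).

    No mean is recomputed, because the centre is pinned to the reference
    vector (assumed form of the patent's update; see lead-in).
    """
    m = len(centre)
    d = [x[k] - centre[k] for k in range(m)]
    return [[((n - 1) * cov[i][j] + d[i] * d[j]) / n for j in range(m)]
            for i in range(m)]


def solve(a, b):
    """Solve a*x = b by Gaussian elimination with partial pivoting."""
    m = len(b)
    aug = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(m):
        p = max(range(c, m), key=lambda r: abs(aug[r][c]))
        if abs(aug[p][c]) < 1e-12:
            raise ValueError("covariance matrix is singular; add seed samples")
        aug[c], aug[p] = aug[p], aug[c]
        for r in range(c + 1, m):
            f = aug[r][c] / aug[c][c]
            for k in range(c, m + 1):
                aug[r][k] -= f * aug[c][k]
    x = [0.0] * m
    for r in range(m - 1, -1, -1):
        tail = sum(aug[r][k] * x[k] for k in range(r + 1, m))
        x[r] = (aug[r][m] - tail) / aug[r][r]
    return x


def mahalanobis(x, centre, cov):
    """sqrt(d^T * cov^-1 * d) with d = x - centre, without forming the inverse."""
    d = [xi - ci for xi, ci in zip(x, centre)]
    quad = sum(p * q for p, q in zip(d, solve(cov, d)))
    return math.sqrt(max(0.0, quad))


def scan(reference, seed, candidates, threshold):
    """Return (name, distance, flagged) per candidate, updating as it goes."""
    cov, n = batch_cov(seed, reference), len(seed)
    out = []
    for name, vec in candidates:
        cov = update_cov(cov, n, vec, reference)  # step 3: update first
        n += 1
        dist = mahalanobis(vec, reference, cov)   # then measure with it
        out.append((name, dist, dist <= threshold))  # assumed: small = match
    return out


# Constructed sample data (not from the patent): 3 numeric features each.
REFERENCE = [120.0, 32.0, 0.8]
SEED = [[124.0, 32.0, 0.8], [116.0, 32.0, 0.8], [120.0, 40.0, 0.8],
        [120.0, 24.0, 0.8], [120.0, 32.0, 0.9], [120.0, 32.0, 0.7]]
CANDIDATES = [("fn_near", [122.0, 36.0, 0.85]),
              ("fn_far", [300.0, 200.0, 0.1])]
THRESHOLD = 2.0  # hypothetical empirical threshold

if __name__ == "__main__":
    for name, dist, hit in scan(REFERENCE, SEED, CANDIDATES, THRESHOLD):
        print(f"{name}: distance={dist:.4f} flagged={hit}")
```

Under this recurrence a sample measured against a matrix that already contains it can never score above the square root of the prior sample count, which is consistent with the reduced value range the text reports for Fig. 2. The threshold has to be chosen below that ceiling or nothing is ever rejected.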
In the final experiment, 200 functions under test were computed with both calculation methods, computing the distance between each new function under test and the vulnerable function; the results of the two methods are plotted in Fig. 2. In the figure, the green part is the distance curve computed with the original Mahalanobis distance and the red part is the distance curve computed with the improved Mahalanobis distance. As shown, the distances computed by the improved method are reduced in value range, but the overall trend is basically unchanged, and, as step 3 shows, the calculation speed is greatly improved.
The invention also provides a system for firmware vulnerability detection using an improved Mahalanobis distance calculation method, mainly for implementing the firmware vulnerability detection method described above. The system mainly comprises:
a target-function feature extraction module, for extracting the features of the vulnerable function in firmware and of the target functions in the firmware under test;
a covariance matrix module, for initially selecting a fixed quantity of vulnerable functions of the same type, computing their feature vectors to form an initial sample matrix, and computing the covariance matrix of the initial sample matrix;
the covariance matrix module also being used to update the covariance matrix according to the newly added function sample under test and to use the updated covariance matrix to compute the distance between the target sample and the base sample. In the calculation it is assumed that all detected vulnerable functions follow the same distribution as the known vulnerable function, so the mean of every dimension in the final distribution tends toward the feature vector of the known vulnerable function; the feature vector of the vulnerable function is therefore used in place of the mean, avoiding the mean calculation. The final computed distance is given by the formula,
whose terms denote the feature vector of the known vulnerable function, the feature vector of the function under test, the covariance matrix updated with the feature vector of the function under test, and the final computed distance;
a function-under-test judgment module, for judging, for the computed distance and against the defined threshold, whether the sample to be calculated is a positive or a negative sample, where a positive sample means the function under test is detected as a vulnerable function and a negative sample means it is a non-vulnerable function, and for updating the covariance matrix again according to the judgment.
For the improved Mahalanobis distance calculation method proposed here for firmware vulnerability detection, theoretical analysis shows that the computational time complexity improves from the original O(m²L²) to O(m²L); that is, as the sample size increases, the time complexity improves from geometric growth to linear growth. In large-scale firmware vulnerable-function detection, detection efficiency can be significantly improved, and this was also well demonstrated in actual firmware vulnerable-function detection.
Other features of the system are detailed in the method part of the above embodiment and are not repeated here.
It should be understood that those of ordinary skill in the art can make modifications or changes in light of the above description, and all such modifications and changes shall fall within the scope of protection of the appended claims of the invention.

Claims (6)

1. A method for firmware vulnerability detection applying an improved Mahalanobis distance calculation method, characterized by comprising the following steps:
Step 1: extracting the features of the vulnerability function in firmware and of the target functions in the firmware to be detected;
Step 2: initially selecting a fixed number of vulnerability functions of the same type, calculating the feature vectors of these same-type vulnerability functions to form an initial sample matrix, and calculating the covariance matrix of the initial sample matrix;
Step 3: updating the covariance matrix according to each newly added function sample to be detected, and calculating the distance between the target sample and the basic sample using the updated covariance matrix; in the calculation, all detected vulnerability functions are assumed to follow the same distribution as the known vulnerability function, so the mean of every dimension in the final distribution tends toward the feature vector of the known vulnerability function, and the feature vector of the vulnerability function is used in place of the mean to avoid calculating the mean; the final calculated distance
Indicate known loophole Function feature vector,Indicate Function feature vector to be detected,Indicate benefit wherein with to be checked The updated covariance matrix of Function feature vector is surveyed,Indicate final calculated distance;
Step 4: for the calculated distance, judging according to the defined threshold whether the sample under calculation is a positive sample or a negative sample, where a positive sample indicates that the function to be detected is detected as a vulnerability function and a negative sample indicates that the function to be detected is a non-vulnerability function, and updating the covariance matrix again according to the judgment result.
2. The method for firmware vulnerability detection applying an improved Mahalanobis distance calculation method according to claim 1, characterized in that step 2 further comprises the step of: obtaining in advance the feature sample distribution of the known vulnerability function and calculating the covariance matrix of the feature sample distribution, the elements of the covariance matrix being calculated by the following formula:
In the formula, Cov(x, y) denotes the covariance between the x-th dimension and the y-th dimension over all n samples; n denotes the sample size; Xᵢ denotes the value of the i-th sample in the x-th dimension; Yᵢ denotes the value of the i-th sample in the y-th dimension; the mean in the formula is taken over all samples of that dimension.
3. The method for firmware vulnerability detection applying an improved Mahalanobis distance calculation method according to claim 2, characterized in that, in step 3, the formula for the elements of the covariance matrix is improved to:
Replacing the mean with the feature value of the vulnerability function avoids calculating the mean, namely:
This gives the new formula for the elements of the covariance matrix:
COV(X,Y)ₙ and COV(X,Y)ₙ₊₁ denote the covariance between the X dimension and the Y dimension in the n-th and the (n+1)-th calculation, respectively; Xₙ₊₁ denotes the value in the X dimension of the newly added feature vector of the function to be detected; Yₙ₊₁ denotes the value in the Y dimension of the newly added feature vector of the function to be detected; x1 denotes the value of the known vulnerability function feature vector in the x dimension, and x2 denotes the value of the known vulnerability function feature vector in the y dimension.
4. The method for firmware vulnerability detection applying an improved Mahalanobis distance calculation method according to claim 3, characterized in that, in step 4,
the covariance matrix is updated again according to the calculated result value, the specific update being as follows:
It enables
ΔS denotes the covariance matrix update amount for the current function to be detected;
If finally calculating:Then judge current sample to be detected as positive sample, and
If finally calculating:Then judge current sample to be detected as negative sample, and
where S is the covariance matrix before the matrix update in step 3, and threshold is a predefined empirical threshold.
5. The method for firmware vulnerability detection applying an improved Mahalanobis distance calculation method according to claim 1, characterized in that the feature vector includes: the code size of the function extracted with a tool, the stack space used by the function, the number of instructions collected after decompilation, the length sequence of each basic block near the entry in the function structure graph, and the special string instruction set that is called.
6. A system for firmware vulnerability detection applying an improved Mahalanobis distance calculation method, characterized by comprising:
a target function feature extraction module, for extracting the features of the vulnerability function in firmware and of the target functions in the firmware to be detected;
a covariance matrix module, for initially selecting a fixed number of vulnerability functions of the same type, calculating the feature vectors of these same-type vulnerability functions to form an initial sample matrix, and calculating the covariance matrix of the initial sample matrix;
the covariance matrix module is also used to update the covariance matrix according to each newly added function sample to be detected, and to calculate the distance between the target sample and the basic sample using the updated covariance matrix; in the calculation, all detected vulnerability functions are assumed to follow the same distribution as the known vulnerability function, so the mean of every dimension in the final distribution tends toward the feature vector of the known vulnerability function, and the feature vector of the vulnerability function is used in place of the mean to avoid calculating the mean; the final calculated distance
Indicate known loophole Function feature vector,Indicate Function feature vector to be detected,Indicate benefit wherein with to be checked The updated covariance matrix of Function feature vector is surveyed,Indicate final calculated distance;
a to-be-detected function judgment module, used, for the calculated distance, to judge according to the defined threshold whether the sample under calculation is a positive sample or a negative sample, where a positive sample indicates that the function to be detected is detected as a vulnerability function and a negative sample indicates that the function to be detected is a non-vulnerability function, and to update the covariance matrix again according to the judgment result.
CN201810802430.3A 2018-07-20 2018-07-20 Method and system for detecting firmware bugs by applying improved Mahalanobis distance calculation method Active CN108985065B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810802430.3A CN108985065B (en) 2018-07-20 2018-07-20 Method and system for detecting firmware bugs by applying improved Mahalanobis distance calculation method

Publications (2)

Publication Number Publication Date
CN108985065A (en) 2018-12-11
CN108985065B (en) 2022-03-11

Family

ID=64549495

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant