Citation: HU Fei, CHEN Hao, WANG Yuan, et al. Call Chain Detection Method for Java Deserialization Vulnerability Based on Graph Network [J]. Computer Technology and Development, 2023, 33(05): 122-129. [doi:10.3969/j.issn.1673-629X.2023.05.019]

Call Chain Detection Method for Java Deserialization Vulnerability Based on Graph Network

Computer Technology and Development (计算机技术与发展) [ISSN: 1006-6977 / CN: 61-1281/TN]

Volume: 33
Issue: 2023, No. 05
Pages: 122-129
Column: Cyberspace Security
Publication date: 2023-05-10

Article information

Title:
Call Chain Detection Method for Java Deserialization Vulnerability Based on Graph Network
Article number:
1673-629X(2023)05-0122-08
Author(s):
HU Fei (胡飞)1, CHEN Hao (陈昊)2, WANG Yuan (王媛)1, YI Wen (弋雯)1, HU Ying (胡颖)3, LIU Bao-ying (刘宝英)1
1. School of Information Science & Technology, Northwest University, Xi'an 710100, China;
2. China University of Labor Relations, Beijing 100048, China;
3. Technical Bureau of Xinhua News Agency, Beijing 100803, China
Keywords:
vulnerability detection; graph database; Java deserialization; graph neural network; call chain
CLC number:
TP391
DOI:
10.3969/j.issn.1673-629X.2023.05.019
Abstract:
The Java deserialization vulnerability has become one of the most threatening software vulnerabilities due to its easy exploitation. During the development process, it is particularly important to check the third-party public component libraries used by the software in advance, so that potential deserialization vulnerabilities are discovered and defended against ahead of time. At present, existing deserialization vulnerability detection mainly falls into two kinds of methods: those based on rule matching and those based on taint analysis. The former, which rely on whitelists or blacklists, cannot find unknown deserialization vulnerabilities, while the latter have a high rate of false negatives and false positives because of their limited ability to detect vulnerability call chains. In order to make up for the shortcomings of existing methods, we propose SerialFinder, a call chain detection method for Java deserialization vulnerabilities based on graph networks. The method uses a graph structure to fully express the semantic information of deserialization vulnerability call chains and trains a graph isomorphism network model, which can then detect potential deserialization vulnerability call chains. SerialFinder is validated on multiple third-party component libraries and compared with Gadget Inspector, the industry's most advanced Java deserialization vulnerability call chain detection method. The results show that SerialFinder has an average hit rate of 64% on the three public component libraries, which is 31% higher than Gadget Inspector.

Last update: 2023-05-10