| With the development of science and technology, software has played a more and more important role in people's work and life. However, software faults and failures generally bring us a lot of inconvenience. As a result, software security protection has become an urgent and important task. In order to control software state and find all sorts of software problems as early as possible, this thesis proposes an approach to software behavior modeling and detection based on state graphs and semantic analysis. The thesis focuses on the following aspects: Firstly, the research status of software behavior modeling and detection is reviewed. The definition of software behavior and the ways of describing behavior information are introduced, and various kinds of modeling approaches are presented together with an analysis of their merits and demerits. Considering that previous modeling methods are too complicated to realize and lack semantic analysis, a system architecture for software behavior modeling and detection based on state graphs and semantic analysis is proposed. Our approach effectively reduces the complexity of the model and solves the problem of lacking semantic analysis. Then, a bottom-up three-layer software behavior model is proposed. The first layer builds the system layer model: it mines the inner patterns of the system call sequence and then transforms the system call sequence into state sequences using a Hidden Markov Model, laying the groundwork for the entire model. The second layer builds the state layer model by establishing a state graph. The original graph is generated from the execution process of the software, and the state transfer graph and local function graphs are then established by reducing and optimizing the original graph with the help of three pruning rules. The third layer builds the functional layer model, which contains a functional semantic set and a functional semantic tree. 
The set depends on the division of the software functions, while the tree depends on the logical relationships among functions as well as the functions themselves. Finally, a two-layer detection approach is proposed based on deviation density and semantic rules. Deviation density detection is specific to the state layer: behaviors that deviate from the state transfer graph are accumulated to discover anomalies. This layer of detection focuses on the control flow of software and can detect anomalies such as code injection attacks that influence the system call sequence. Semantic rule detection is specific to the function layer: behaviors that do not accord with these rules are judged abnormal. These rules constrain behaviors according to features of software function behavior such as credibility, effectiveness, duality and timeliness. This layer of detection can discover semantic layer attacks such as loop attacks, malicious manipulation attacks, etc. A case study and a contrast experiment have proved that our model has excellent expressive ability and detection ability, and is superior to traditional behavior models. |
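
The state-layer detection described above can be illustrated with the following added example, which is not code from the thesis. It assumes the state sequences are already available (the Hidden Markov Model step is not reproduced) and assumes one plausible definition of deviation density: the share of the last `window` transitions that are absent from the state transfer graph. The state names, window size and threshold are constructed for illustration.

```python
from collections import deque

# Constructed sample data: state sequences as they might come out of the
# system layer (the HMM step is not reproduced; state names are made up).
NORMAL_RUNS = [
    ["INIT", "LOAD", "PARSE", "SAVE", "EXIT"],
    ["INIT", "LOAD", "PARSE", "LOAD", "PARSE", "SAVE", "EXIT"],
]

def build_transfer_graph(runs):
    """Edge set of the state transfer graph learned from normal runs."""
    edges = set()
    for run in runs:
        edges.update(zip(run, run[1:]))
    return edges

def deviation_density(run, edges, window=5):
    """Per transition, the share of the last `window` transitions that are
    absent from the graph (assumed definition of deviation density)."""
    recent = deque(maxlen=window)
    densities = []
    for edge in zip(run, run[1:]):
        recent.append(0 if edge in edges else 1)
        # Divide by the full window so a short prefix cannot alarm on one miss.
        densities.append(sum(recent) / window)
    return densities

def first_alarm(run, edges, window=5, threshold=0.4):
    """Index in `run` of the state at which density reaches the threshold,
    or None when the run stays below it."""
    for i, d in enumerate(deviation_density(run, edges, window), start=1):
        if d >= threshold:
            return i
    return None

GRAPH = build_transfer_graph(NORMAL_RUNS)
# One unseen transition (PARSE -> PARSE): tolerated as noise.
NOISY_RUN = ["INIT", "LOAD", "PARSE", "PARSE", "SAVE", "EXIT"]
# A burst of unseen transitions, as when injected code runs mid-execution.
HIJACKED_RUN = ["INIT", "LOAD", "PARSE", "X1", "X2", "SAVE", "EXIT"]

if __name__ == "__main__":
    for name, run in [("noisy", NOISY_RUN), ("hijacked", HIJACKED_RUN)]:
        print(name, deviation_density(run, GRAPH), first_alarm(run, GRAPH))
```

Accumulating deviations over a window, instead of alarming on the first unseen edge, is what lets a single unmodeled transition pass while a cluster of them is flagged.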