
Research On Security Testing Model And Framework For Third-Party Components Based On Data Mining

Posted on: 2017-05-17
Degree: Master
Type: Thesis
Country: China
Candidate: X L Zhao
GTID: 2308330503464127
Subject: Software engineering

Abstract/Summary:
With the rapid development of software engineering technology, components have come into wide use because they are reusable and "plug and play". Component-based software engineering (CBSE) emerged in response to this development need and greatly improves the efficiency of software development: the development cycle is shortened, and the cost of development and maintenance is greatly reduced. CBSE has become a hot research topic in the field of software engineering. Components now play a very important role in the software systems of every industry, so component quality is particularly important. A low-quality component may cause the software system to crash, which can bring disastrous consequences to the software industry. To ensure the security and reliability of a software system, both the components and the component system must be tested. Components developed by third-party organizations are a particular problem: because the source code and detailed development documents are not available, traditional testing methods are difficult to apply, which poses great challenges for third-party component security testing.

Data mining technology has been applied in the field of software engineering. Its main methods, including classification, clustering, prediction, statistics and association rule analysis, are used to find potential knowledge and rules in a variety of software resource libraries. This knowledge and these rules can guide software engineering activities so as to guarantee software quality and improve development efficiency. With the development of data mining technology, the effective requirements specification and the testing sequence of interface methods can be obtained. In addition, component state and related security testing information can be mined by analyzing large and complex testing logs.
This paper proposes a security testing model for third-party components based on data mining and presents a testing framework based on the proposed model. A third-party component security testing system is also designed and implemented. The main research work is organized as follows.

1. A security testing model for third-party components based on data mining is proposed. First, the basic elements of the model are defined formally: the component requirement specification set, the set of dynamic monitoring logs, the data mining algorithm set, the component security testing sequence set, the component vulnerability testing result set, and the set of vulnerability detection algorithms and security rules. Then the testing process is described formally using monads.

2. A testing framework based on the security testing model is presented and used to guide component security testing. First, the interface information of the third-party component is analyzed to obtain static information about its methods and parameters. Second, effective interface methods are generated by mining the component requirement specification. Third, method execution sequences are produced from each effective method name and the method preconditions and postconditions. Fourth, test cases are generated to test the component, and the running process is dynamically monitored to obtain a monitoring log. Finally, the monitoring log is analyzed to find security vulnerabilities in the component.

3. A third-party component security testing system based on data mining (CSTS-DM) is designed and implemented. Using this system, a large number of tests are conducted on the security of third-party components. The testing results show that the proposed security testing model is correct and effective. In addition, CSTS-DM has good feasibility and performance.
Keywords/Search Tags: Third-party component, Component testing, Component security, Data mining, Testing model, Testing framework