
Research On Software Vulnerability Discovery Technology Based On Knowledge Database

Posted on: 2024-03-01
Degree: Master
Type: Thesis
Country: China
Candidate: W Tang
Full Text: PDF
GTID: 2568307157482624
Subject: Cyberspace security
Abstract/Summary:
In recent years, with the continuous development of information technology, cybersecurity has grown in importance for the academic, financial, industrial and defense sectors, and the debate around it in cyberspace has intensified. Linux, one of the most widely used mainstream operating systems, plays an indispensable role in industrial production and has therefore become a primary target of network attacks. Alongside the convenience it brings, the number of vulnerabilities discovered in Linux systems has remained consistently high. A Linux distribution maintains a large number of open-source software packages, with complex dependency and replacement relationships among them and serious security vulnerabilities inside them. Under these conditions, vulnerability mining and detection across the package repository is extremely difficult. Representing the complex relationships between packages clearly, and identifying the vulnerabilities and threats in software repositories, chiefly those of Linux systems, is the pressing problem this thesis addresses. The work proceeds from the following points:

1. A feasible knowledge graph construction scheme for Linux open-source software repositories is proposed. The relationship between software and vulnerabilities is examined from the knowledge-graph perspective, CVE vulnerabilities and Linux software packages are unified into an ontology representation, and a software vulnerability ontology model is designed. On the basis of this ontology the data are cleaned and processed, and a word-matching method integrates the software and vulnerability databases into a software vulnerability knowledge base.

2. A knowledge-based propagation path search algorithm for open-source software and a key-node truncation algorithm for vulnerability propagation along the dependency chain are proposed. Vulnerabilities and software packages are represented as nodes, the relationships between vulnerabilities and packages and between packages as edges, and the degree of dependence between packages as edge weights, yielding a vulnerability-software graph. An improved full-path search algorithm run on this graph quickly obtains the vulnerability propagation chains of the whole graph. Then, on the basis of the propagation chains, each node receives a weighted evaluation of its in-degree and out-degree; the evaluations are propagated to all adjacent nodes over multiple iterations until every node reaches a stable value, and the high-scoring nodes are located for deletion or replacement, truncating vulnerability propagation.

At the same time, an improved GCN model is proposed for dynamic monitoring of software vulnerabilities. Knowledge-base data are transformed into node feature matrices, and SAGPool pooling with a self-attention mechanism is used to process multi-node features together with graph topology to predict whether a software vulnerability exists.

Experimental results show that the propagation path search algorithm finds vulnerability propagation paths accurately with low time complexity, and that the key-node truncation algorithm effectively blocks the wide-spread impact of vulnerabilities. On the software vulnerability dataset, the improved GCN model accurately predicts software vulnerability risk, demonstrating the model's effectiveness and accuracy.
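The two graph algorithms in point 2, full-path search over a vulnerability-software graph and key-node truncation, as an added illustration that is not code from the thesis. The package names, the CVE identifier and the edge weights are constructed placeholders (the CVE id is not a real advisory). The scoring rule is this example's own reading of the abstract's "weighted in-degree and out-degree, iterated to a stable value": the base score is the weighted in+out degree on the chain subgraph, and each node then repeatedly adds a damped share of its downstream neighbours' scores until nothing changes, so a package accumulates the weight of everything its vulnerability would reach.

```python
"""Vulnerability-software graph: propagation path search and key-node truncation.

Added illustration, not code from the thesis. Node names, the CVE identifier,
edge weights and the scoring rule are assumptions made for this example.
"""
from collections import defaultdict

# Constructed sample graph. Edges point the way a vulnerability propagates:
# CVE -> package that contains it, package -> package that depends on it.
# The weight approximates the degree of dependence (1.0 hard, 0.5 optional).
EDGES = [
    ("CVE-0000-0001", "libalpha", 1.0),   # placeholder CVE id, not a real advisory
    ("libalpha", "libbeta", 1.0),
    ("libalpha", "tool-one", 0.5),
    ("libbeta", "app-x", 1.0),
    ("libbeta", "app-y", 1.0),
    ("tool-one", "app-y", 0.5),
    ("libgamma", "app-y", 1.0),           # unaffected package: on no chain
]
START = "CVE-0000-0001"


def build_graph(edges):
    """Return (successors, predecessors) as {node: {neighbour: weight}}."""
    succ, pred = defaultdict(dict), defaultdict(dict)
    for src, dst, w in edges:
        succ[src][dst] = w
        pred[dst][src] = w
        succ.setdefault(dst, {})
        pred.setdefault(src, {})
    return succ, pred


def propagation_paths(succ, start):
    """Full-path search: every simple path from `start` along dependency edges.
    A path closes when the current node has no successor that is not already on it."""
    paths = []

    def dfs(node, path, on_path):
        nxt = [n for n in succ[node] if n not in on_path]
        if not nxt:
            if len(path) > 1:          # a lone start node is not a propagation chain
                paths.append(list(path))
            return
        for n in nxt:
            path.append(n)
            on_path.add(n)
            dfs(n, path, on_path)
            path.pop()
            on_path.discard(n)

    dfs(start, [start], {start})
    return paths


def affected(paths, start):
    """Packages that at least one chain reaches from `start`."""
    return {n for p in paths for n in p if n != start}


def key_node_scores(succ, pred, nodes, damping=0.5, eps=1e-9, max_iter=100):
    """Assumed scoring rule: base = weighted in+out degree on the chain subgraph,
    then each node adds a damped share of its downstream scores until stable."""
    base = {n: sum(w for p, w in pred[n].items() if p in nodes)
               + sum(w for d, w in succ[n].items() if d in nodes) for n in nodes}
    score = dict(base)
    for _ in range(max_iter):
        new = {n: base[n] + damping * sum(w * score[d] for d, w in succ[n].items() if d in nodes)
               for n in nodes}
        delta = max(abs(new[n] - score[n]) for n in nodes)
        score = new
        if delta < eps:                # every node has reached a stable value
            break
    return score


def truncate(edges, start=START):
    """Pick the highest-scoring package on the chains, drop it, report the effect."""
    succ, pred = build_graph(edges)
    before = propagation_paths(succ, start)
    nodes = {start} | affected(before, start)
    scores = key_node_scores(succ, pred, nodes)
    key = max((n for n in nodes if n != start), key=lambda n: scores[n])
    pruned = [e for e in edges if key not in (e[0], e[1])]   # delete the key node
    after = propagation_paths(build_graph(pruned)[0], start)
    return key, scores, affected(before, start), affected(after, start)


if __name__ == "__main__":
    for p in propagation_paths(build_graph(EDGES)[0], START):
        print(" -> ".join(p))
    key, scores, before, after = truncate(EDGES)
    print("key node:", key, "reachable before:", sorted(before), "after:", sorted(after))
```

On the constructed graph the search yields three chains, all through libalpha; the iteration stops once the DAG depth has been covered, libalpha ends with the highest score, and removing it leaves nothing reachable from the CVE node. The `libgamma` edge is deliberately left out of every chain to show that scoring is restricted to the propagation subgraph, not the whole repository graph.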
Keywords/Search Tags:knowledge base, vulnerability, software, dependency chain, open source