
CN113486354A - Firmware safety evaluation method, system, medium and electronic equipment - Google Patents

Firmware safety evaluation method, system, medium and electronic equipment

Info

Publication number
CN113486354A
CN113486354A (application CN202110721068.9A)
Authority
CN
China
Prior art keywords
firmware
sample
category
samples
library
Prior art date
Legal status
Granted
Application number
CN202110721068.9A
Other languages
Chinese (zh)
Other versions
CN113486354B (en)
Inventor
张昊
马雷
刘新
刘冬兰
陈剑飞
于灏
苏冰
王睿
张方哲
赵晓红
赵洋
姚洪磊
赵勇
Current Assignee
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd
Priority date
Filing date
Publication date
Application filed by State Grid Corp of China SGCC and Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd
Priority to CN202110721068.9A
Publication of CN113486354A
Application granted
Publication of CN113486354B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00 Pattern recognition
    • G06F 18/20 Analysing
    • G06F 18/23 Clustering techniques
    • G06F 18/232 Non-hierarchical techniques
    • G06F 18/2321 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
    • G06F 18/23213 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Computation (AREA)
  • Evolutionary Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Computing Systems (AREA)
  • Probability & Statistics with Applications (AREA)
  • Stored Programmes (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The disclosure provides a firmware safety evaluation method, system, medium and electronic device. Parameter data of the firmware to be tested is acquired; a feature vector of the firmware to be tested is obtained from the acquired parameter data; the distance from that feature vector to the optimized clustering center of each category in the firmware library is calculated; the firmware to be tested is classified into the category whose optimized clustering center is at the minimum distance from it; the average value of the security label values of the firmware samples in that category is calculated; and when the average value is greater than or equal to a preset threshold value, the firmware to be tested is judged to be potentially unsafe firmware. The method and device can effectively avoid misjudging unsafe firmware.

Description

Firmware safety evaluation method, system, medium and electronic equipment
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a firmware security assessment method, system, medium, and electronic device.
Background
The statements in this section merely provide background information related to the present disclosure and may not necessarily constitute prior art.
With the continuous improvement of the level of informatization, the power system, as key infrastructure related to national security, has seen rapid development of its informatized and intelligent construction. Along with this, a large number of power system Internet of Things devices have been introduced and applied to important work such as device control, data acquisition and environmental monitoring in the power grid. On the one hand this greatly improves the informatization and intelligence level of the power grid, but at the same time it introduces a large number of information security vulnerabilities that threaten the secure operation of the power system.
A power Internet of Things device usually runs driver software to execute its specified tasks, and this driver software is the firmware. The firmware inside power Internet of Things equipment is usually provided by the equipment supplier, and because the coding skill of different technicians varies widely, security vulnerabilities may exist in the firmware. Since firmware generally interacts directly with the underlying hardware, a security vulnerability can prevent the device from operating as intended and poses a very serious threat to the safe and stable operation of the power system.
The inventors found that, because extracted firmware code is generally binary code, subjecting every firmware image to a complete security analysis consumes enormous time and resources. How to screen firmware first and select the firmware with the greatest potential threat for further security analysis, so that the firmware security analysis workload is greatly reduced and overall working efficiency is effectively improved, is therefore a problem that urgently needs to be solved in current power systems.
Disclosure of Invention
In order to overcome the defects in the prior art, the disclosure provides a firmware security assessment method, a system, a medium and an electronic device, which can effectively avoid the misjudgment of unsafe firmware.
In order to achieve the purpose, the following technical scheme is adopted in the disclosure:
the first aspect of the disclosure provides a firmware security assessment method.
A firmware security assessment method, comprising the processes of:
acquiring parameter data of firmware to be tested;
obtaining a characteristic vector of the firmware to be tested according to the obtained parameter data;
calculating the distance from the feature vector of the firmware to be tested to the optimized clustering center of each category in the firmware library;
classifying the firmware to be tested according to the optimized clustering center at the minimum distance from the firmware to be tested, to obtain the category of the firmware to be tested;
calculating, according to the category of the firmware to be tested, the average value of the security label values of the firmware samples in that category;
and when the average value is greater than or equal to the preset threshold value, judging the firmware to be tested as potentially unsafe firmware.
A second aspect of the present disclosure provides a firmware security assessment system.
A firmware security assessment system, comprising:
a data acquisition module configured to: acquiring parameter data of firmware to be tested;
a feature vector construction module configured to: obtaining a characteristic vector of the firmware to be tested according to the obtained parameter data;
a distance calculation module configured to: calculating the distance from the feature vector of the firmware to be tested to the optimized clustering center of each category in the firmware library;
a classification module configured to: classify the firmware to be tested according to the optimized clustering center at the minimum distance from the firmware to be tested, to obtain the category of the firmware to be tested;
an average calculation module configured to: calculate, according to the category of the firmware to be tested, the average value of the security label values of the firmware samples in that category;
an unsafe firmware identification module configured to: judge the firmware to be tested as potentially unsafe firmware when the average value is greater than or equal to the preset threshold value.
A third aspect of the present disclosure provides a computer-readable storage medium on which a program is stored, the program, when executed by a processor, implementing the steps in the firmware security assessment method according to the first aspect of the present disclosure.
A fourth aspect of the present disclosure provides an electronic device, including a memory, a processor, and a program stored in the memory and executable on the processor, where the processor executes the program to implement the steps in the firmware security evaluation method according to the first aspect of the present disclosure.
Compared with the prior art, the beneficial effect of this disclosure is:
According to the method, system, medium or electronic device, the distance from the firmware to be tested to the optimized clustering center of each category in the firmware library is calculated and the category at the minimum distance is selected as the category of the firmware to be tested, which classifies it; the average value of the security labels of that category is then calculated, and the security of the firmware to be tested is determined from the security of its category. The more samples there are in the firmware library, the better the accuracy of the security analysis of the firmware to be tested can be ensured, and unsafe firmware can be prevented from being missed.
Advantages of additional aspects of the disclosure will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the disclosure.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure and are not to limit the disclosure.
Fig. 1 is a schematic flowchart of a firmware security evaluation method provided in embodiment 1 of the present disclosure.
Fig. 2 is a schematic flowchart of a firmware security evaluation system according to embodiment 2 of the present disclosure.
Fig. 3 is an internal structural diagram of a computer device provided in embodiment 4 of the present disclosure.
Detailed Description
The present disclosure is further described with reference to the following drawings and examples.
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present disclosure. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, and it should be understood that when the terms "comprises" and/or "comprising" are used in this specification, they specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof, unless the context clearly indicates otherwise.
The embodiments and features of the embodiments in the present disclosure may be combined with each other without conflict.
Example 1:
A clustering algorithm is an unsupervised machine learning method; common clustering algorithms include KNN, K-Means and the like. By calculating and comparing the similarity between samples, samples with high similarity are placed in the same class and samples with low similarity in different classes, thereby classifying the samples. Clustering algorithms are widely applied in many fields, but no relevant application case has so far been found in firmware security analysis.
In this embodiment, as shown in fig. 1, a firmware security analysis method is provided, which includes the following steps:
S110, acquiring the distance from the feature vector of the firmware to be tested (obtained from the acquired parameter data of the firmware to be tested) to the optimized clustering center of each category in the firmware library, the firmware samples in the firmware library having been classified into a preset number of categories.
The firmware in the firmware library is divided into a plurality of categories, each category has an optimized clustering center, and the optimized clustering centers are calculated from the feature vectors of the samples. The preset number is determined as required; for example, it may be 3, 5 or 10.
The firmware library is built from firmware with known security information and known safe firmware. For example, power Internet of Things device firmware is obtained as original samples in ways that include, but are not limited to, downloading directly from the manufacturer's official website or obtaining it from the device supplier, disguising a firmware upgrade request, reading it through hardware debug interfaces such as UART or JTAG, or reading the device memory and recovering the firmware contents from it. After an original sample is obtained, a firmware unpacking engine parses the firmware content to obtain the file system that contains the program code in the firmware; a decompiler or other tool converts the machine code in the file system into assembly code; a statistics module then performs feature statistics on the firmware code and constructs the feature vector that describes the security of the firmware. For example, the feature vector describing the security of the firmware may consist of 6 basic-block attributes and 1 inter-basic-block attribute: the 6 basic-block attributes include the number of string constants, the number of pass instructions, the number of call instructions, the number of operation instructions and the total number of instructions, and the 1 inter-basic-block attribute includes the number of basic block subroutines.
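The statistics step described above, as an added example that is not the patent's own code: a small parser that walks an assembly listing one basic block at a time and counts the attributes the description names. The listing, the mnemonic classes and the interpretation of the attribute names are assumptions (pass instructions are taken to be control-transfer instructions, operation instructions to be arithmetic and logic instructions, and the inter-block attribute to be the number of basic blocks); the patent names the attributes but not how they are counted.

```python
"""Added example, not code from the patent: per-firmware feature statistics
over a disassembly listing. Mnemonic classes and the listing are constructed."""
import re

# Assumed mnemonic classes (x86-style names); real firmware would need the
# target architecture's instruction set here.
TRANSFER = {"jmp", "je", "jne", "jz", "jnz", "jg", "jl", "ja", "jb", "ret"}
CALL = {"call"}
ARITH = {"add", "sub", "mul", "imul", "div", "xor", "and", "or",
         "shl", "shr", "inc", "dec"}

# "addr:  mnemonic operands" with the address prefix optional.
LINE_RE = re.compile(r"^\s*(?:[0-9a-f]+:\s*)?([a-z]+)\b(.*)$")
STRING_REF_RE = re.compile(r'"[^"]*"')


def extract_features(listing):
    """Count the basic-block attributes the description lists, plus the
    number of basic blocks (labels) as the inter-block attribute."""
    counts = {"string_constants": 0, "transfer": 0, "calls": 0,
              "arith": 0, "total": 0, "basic_blocks": 0}
    for raw in listing.splitlines():
        line = raw.split(";")[0].rstrip()   # drop trailing comments (assumes no ';' inside strings)
        if not line.strip():
            continue
        if line.strip().endswith(":"):      # a label starts a new basic block
            counts["basic_blocks"] += 1
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        mnemonic, operands = m.group(1), m.group(2)
        counts["total"] += 1
        if mnemonic in TRANSFER:
            counts["transfer"] += 1
        elif mnemonic in CALL:
            counts["calls"] += 1
        elif mnemonic in ARITH:
            counts["arith"] += 1
        counts["string_constants"] += len(STRING_REF_RE.findall(operands))
    return counts


def feature_vector(listing):
    """Order the counts into the fixed-length vector used for clustering."""
    c = extract_features(listing)
    return (c["string_constants"], c["transfer"], c["calls"],
            c["arith"], c["total"], c["basic_blocks"])


# Constructed listing standing in for one routine of an unpacked firmware image.
SAMPLE_LISTING = """
parse_cmd:
    push ebp
    mov ebp, esp
    lea eax, "login:"
    call print_str
    cmp eax, 0
    jne fail
    add esp, 8
    ret
fail:
    lea eax, "bad password"
    call print_str
    xor eax, eax
    ret
"""

if __name__ == "__main__":
    print(feature_vector(SAMPLE_LISTING))
```

Each firmware sample in the library would be reduced to one such vector; the same extractor must be used for the firmware to be tested so that the distances computed later compare like with like.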
S120, classifying the firmware to be tested according to the optimized clustering center at the minimum distance from the firmware to be tested, to obtain the category of the firmware to be tested.
After the distance between the feature vector of the firmware to be tested and the optimized clustering center of each category in the firmware library is obtained, the category with the minimum distance is selected as the classification of the firmware to be tested.
S130, calculating the average value of the security label values of the firmware samples in the category according to the category of the firmware to be tested.
Wherein each sample of each category in the firmware library is provided with a security label, and each security label has a security label value. After the class of the firmware to be tested is known, the average of the security label values of all samples in the class is calculated.
S140, when the average value is larger than or equal to the threshold value, the firmware to be tested is judged as potentially unsafe firmware.
The threshold value can be set as required. For example, the security labels are divided into four types, high-risk, medium-risk, low-risk and safe, determined by combining information sources such as public vulnerability databases and manufacturer security bulletins. The high-risk security label value is 10, the medium-risk value is 6, the low-risk value is 3 and the safe value is 0, and the threshold value can be set to 1: when the average value of the security label values of the class of the firmware to be tested is greater than or equal to 1, unsafe firmware exists in the class, and since the firmware to be tested falls into that class it is also potentially unsafe firmware. For example, when there are 10 firmware samples in the class of the firmware to be tested and one of them is high-risk firmware, the firmware to be tested may be considered to have potential similarity with the high-risk firmware, and further screening is required.
By this judgment method, the firmware to be tested does not need to be manually tested one by one; only the potentially unsafe firmware needs to be tested, so the safety of all the firmware to be tested can be guaranteed while the testing workload is greatly reduced.
According to the firmware safety analysis method, the distance between the firmware to be detected and the optimized clustering center of each category in the firmware library is calculated, the category with the minimum distance is selected as the category of the firmware to be detected, so that the firmware to be detected is classified, the average value is calculated according to the safety label of the category to which the firmware to be detected belongs, the safety of the firmware to be detected is determined according to the safety of the category, the more samples in the firmware library, the higher the safety analysis accuracy of the firmware to be detected can be ensured, and the unsafe firmware can be prevented from being missed to be judged.
In one embodiment, before obtaining the distance from the feature vector of the firmware to be tested to the optimized clustering center of each category in the firmware library, the method includes: acquiring a preset number of firmware samples from the firmware library and constructing an initial clustering center from the feature vector of each of them; calculating the distance from the feature vector of each remaining firmware sample in the firmware library to each initial clustering center; classifying each remaining firmware sample according to the initial clustering center at the minimum distance from it, to obtain the categories of the remaining firmware samples; and classifying the preset number of firmware samples taken from the firmware library according to their own initial clustering centers, to obtain their categories.
The preset number is determined from the number of firmware samples in the firmware library: if the library holds many samples the preset number is relatively large, and if it holds few the preset number is relatively small. This setting ensures that each category has enough samples to guarantee the accuracy of the security analysis of the firmware to be tested; for example, the preset number may be 3, 5 or 10.
Specifically, K samples are randomly selected from the firmware library as initial clustering centers, $A = \{a_1, \dots, a_K\}$, with $K = 5$ (the value of K can be adjusted as needed). For each remaining firmware sample $x_i$ in the firmware library, the Euclidean distance from the sample to each initial clustering center is calculated, and the sample is assigned to the category of the clustering center at the minimum Euclidean distance. After every firmware sample in the library has been classified, the optimized clustering center of each class is calculated:

$$a_i = \frac{1}{|c_i|} \sum_{x \in c_i} x$$

where $a_i$ is the feature vector of the clustering center of the i-th class, $i = 1, \dots, 5$, $c_i$ is the set of samples of the i-th class, $|c_i|$ is the number of samples of the i-th class, and $x$ is the feature vector of a firmware sample of the i-th class.
In this embodiment, the initial clustering center is determined by randomly selecting a preset number of firmware samples, and then the remaining firmware samples in the firmware library are classified according to the initial clustering center, so that each firmware sample in the firmware library can be classified, and the optimized clustering center of each category can be calculated.
In one embodiment, after classifying the remaining firmware samples according to the initial clustering center with the smallest distance from each remaining firmware sample in the firmware library to obtain the categories of the remaining firmware samples, the method includes: after classifying each firmware sample in a firmware library, calculating an optimized clustering center of each class according to the characteristic vector of the firmware sample in each class; respectively calculating the distance from the feature vector of each firmware sample in the firmware library to each optimized clustering center; and re-classifying the firmware samples according to the optimized clustering center with the minimum distance from each firmware sample in the firmware library to obtain the classes of the firmware samples.
The calculation method of the optimized cluster center can be shown with reference to the above embodiment. In this embodiment, each firmware sample in the firmware library is classified again according to the optimized clustering center, so that inaccuracy in randomly selecting the initial clustering center classification can be reduced.
In one embodiment, after reclassifying the firmware samples according to the optimized clustering center at the minimum distance from each firmware sample in the firmware library to obtain the classes of the firmware samples, the method includes repeating the steps of calculating the optimized clustering center of each class from the feature vectors of the firmware samples in the class, calculating the distance from the feature vector of each firmware sample in the firmware library to each optimized clustering center, and reclassifying each firmware sample according to the optimized clustering center at the minimum distance from it, until the class of every firmware sample in the firmware library no longer changes. In this embodiment, the accuracy of the classification of the firmware samples in the firmware library is ensured by calculating the optimized clustering centers and reclassifying multiple times, which in turn ensures the accuracy of the subsequently calculated average security label value of the class of the firmware to be tested.
In one embodiment, calculating, according to the class of the firmware to be tested, the average value of the security label values of the firmware samples in that class includes: obtaining, according to the class of the firmware to be tested, the security label value $s_j$ of each firmware sample in that class, where the security label value is determined from the security label of the firmware sample; and calculating, from the security label values $s_j$ of the firmware samples in the class, the average value $S$ of the security label values of the firmware samples in the class:

$$S = \frac{1}{n} \sum_{j=1}^{n} s_j$$

where $n$ is the number of firmware samples in the class and $j$ indexes the j-th firmware sample in the class.
In one embodiment, before obtaining the distance from the feature vector of the firmware to be tested to the optimized clustering center of each category in the firmware library, the method includes classifying the firmware samples in the firmware library multiple times with the clustering algorithm, obtaining the category of each firmware sample in each single classification run, and calculating the optimized clustering center from the feature vectors of the firmware samples in each class. After calculating the average value of the security label values of the firmware samples in the category of the firmware to be tested, the method includes averaging, over the number of runs of the clustering algorithm, the average security label value obtained for the class of the firmware to be tested in each single classification run, to obtain a corrected average value of the security label values of the firmware samples in the class of the firmware to be tested.
Because the initial clustering centers are determined from randomly selected firmware samples in the firmware library, they can influence the subsequent classification of the firmware samples in the library.
Specifically, each time the firmware samples in the firmware library are classified by the clustering algorithm, a classification result is obtained; the class of the firmware to be tested in that classification result is determined and the average value $S_i$ of the security label values of that class is calculated. Then, from the number of runs $N$ of the clustering algorithm, the corrected average value of the security label values of the firmware samples in the class of the firmware to be tested is calculated:

$$\text{corrected average} = \frac{1}{N} \sum_{i=1}^{N} S_i$$

where $i$ is a positive integer, $i \in [1, N]$, denoting the i-th run of the clustering algorithm, and $N$ is the number of repeated runs of the clustering algorithm.
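The whole pipeline of Example 1, as an added example that is not the patent's own code: steps S110 to S140 (nearest optimized clustering center, average security label value $S$ of the category, threshold decision), the clustering embodiments (random initial centers, optimized centers recomputed as the class mean, reassignment repeated until no category changes), and the N-run corrected average just described. The label values (high-risk 10, medium-risk 6, low-risk 3, safe 0) and the threshold of 1 follow the description; the feature vectors, the library and its labels are constructed, and the `rng`, `k` and `runs` parameters are this example's own.

```python
"""Added example, not code from the patent: K-means over a firmware library,
nearest-centre classification of the firmware under test, the average
security-label value of its category, the threshold decision, and the
N-run corrected average. All sample data below is constructed."""
import math
import random

LABEL_VALUES = {"high": 10, "medium": 6, "low": 3, "safe": 0}   # from the description
THRESHOLD = 1.0                                                  # from the description


def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def mean_vector(vectors):
    """Optimised cluster centre a_i = (1/|c_i|) * sum of the member vectors."""
    n = len(vectors)
    return tuple(sum(v[d] for v in vectors) / n for d in range(len(vectors[0])))


def nearest(vector, centres):
    """Index of the centre at the minimum Euclidean distance."""
    return min(range(len(centres)), key=lambda i: euclidean(vector, centres[i]))


def kmeans(vectors, k, rng=None, max_iter=100):
    """K random initial centres, then recompute centres and reassign every
    sample until the assignment stops changing (or max_iter is reached)."""
    rng = rng or random.Random(0)
    centres = [vectors[i] for i in rng.sample(range(len(vectors)), k)]
    assignment = None
    for _ in range(max_iter):
        new_assignment = [nearest(v, centres) for v in vectors]
        if new_assignment == assignment:
            break
        assignment = new_assignment
        for i in range(k):
            members = [v for v, a in zip(vectors, assignment) if a == i]
            if members:  # an emptied cluster keeps its previous centre (edge case)
                centres[i] = mean_vector(members)
    return centres, assignment


def assess(test_vector, vectors, labels, centres, assignment, threshold=THRESHOLD):
    """S110-S140: category of the nearest centre, S = (1/n) * sum(s_j),
    flagged as potentially unsafe when S >= threshold."""
    category = nearest(test_vector, centres)
    values = [LABEL_VALUES[lab] for lab, a in zip(labels, assignment) if a == category]
    if not values:
        raise ValueError("category has no samples; library too small for k")
    score = sum(values) / len(values)
    return category, score, score >= threshold


def corrected_score(test_vector, vectors, labels, k, runs, seed=0):
    """Run the clustering N times with fresh random initial centres and
    average the category score S_i over the N runs."""
    rng = random.Random(seed)
    scores = []
    for _ in range(runs):
        centres, assignment = kmeans(vectors, k, rng)
        scores.append(assess(test_vector, vectors, labels, centres, assignment)[1])
    return sum(scores) / len(scores)


def build_library():
    """Constructed library: 10 samples of one firmware family, one of them
    labelled high-risk, and 10 samples of a second family all labelled safe."""
    vectors, labels = [], []
    for i in range(10):
        vectors.append((100 + i, 40 + i, 10, 60, 200 + i, 5))
        labels.append("high" if i == 0 else "safe")
    for i in range(10):
        vectors.append((1 + i, 2, 1, 3, 8 + i, 1))
        labels.append("safe")
    return vectors, labels


if __name__ == "__main__":
    vecs, labs = build_library()
    centres, assignment = kmeans(vecs, 2, random.Random(1))
    print(assess((103, 42, 10, 60, 203, 5), vecs, labs, centres, assignment))
    print(corrected_score((103, 42, 10, 60, 203, 5), vecs, labs, k=2, runs=5))
```

With one high-risk sample among ten, the first family scores exactly 1.0, so a firmware under test that lands in it is flagged at the threshold of 1 just as the description's worked case says; the all-safe family scores 0.0. Averaging over several runs guards the decision against an unlucky choice of initial centres, which is the purpose of the corrected average.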
In one embodiment, the firmware security analysis method further includes: acquiring a firmware sample data packet; and carrying out characteristic statistics on the firmware codes in the firmware sample data packet to construct a characteristic vector of the firmware sample.
In one embodiment, after the security analysis is performed on the firmware to be tested, or after the manual judgment is performed, the feature vector of the firmware to be tested may be added to the firmware library, each firmware sample in the firmware library is updated, and a security tag is set for the firmware to be tested according to the security of the firmware to be tested. By the method, more and more abundant firmware samples in the firmware library can be ensured, and the accuracy of classification analysis of the subsequent firmware to be detected is improved.
It should be understood that, although the steps in the flowchart of fig. 1 are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated otherwise, there is no strict order in which these steps are performed, and they may be performed in other orders. Moreover, at least some of the steps in fig. 1 may include multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and whose order is not necessarily sequential but may alternate or be interleaved with other steps or with sub-steps or stages of other steps.
Example 2:
there is provided a firmware security evaluation system including:
a distance calculation module 210, a classification module 220, an average calculation module 230, and a decision module 240, wherein:
the distance calculation module 210 is configured to obtain a distance from a feature vector of the firmware to be tested to an optimized clustering center of each category in the firmware library; the firmware samples in the firmware library are classified into a preset number of categories.
The classification module 220 is configured to classify the firmware to be tested according to the optimized clustering center at the minimum distance from the firmware to be tested, to obtain the category to which it belongs.
The average value calculation module 230 is configured to calculate the average value of the security label values of the firmware samples in the category of the firmware to be tested.
The decision module 240 is configured to judge the firmware to be tested as potentially unsafe firmware when the average value is greater than or equal to the threshold value.
In one embodiment, the firmware security analysis system further includes:
the initial clustering center building module is used for obtaining a preset number of firmware samples from a firmware library and respectively building an initial clustering center according to the characteristic vector of each firmware sample;
the initial distance calculation module is used for calculating the distance from the characteristic vector of the residual firmware sample in the firmware library to each initial clustering center respectively;
the initial classification module is used for classifying each remaining firmware sample according to the initial clustering center at the minimum distance from it, to obtain the categories of the remaining firmware samples, and for classifying the preset number of firmware samples taken from the firmware library according to their own initial clustering centers, to obtain their categories.
In one embodiment, the firmware security analysis system further includes:
the optimized clustering center calculating module, used for calculating, once every firmware sample in the firmware library has been classified, the optimized clustering center of each category from the feature vectors of the firmware samples in that category;
the optimized distance calculation module, used for calculating the distance from the feature vector of each firmware sample in the firmware library to each optimized clustering center;
and the optimized classification module, used for reassigning each firmware sample in the firmware library to the category of the optimized clustering center nearest to it, thereby obtaining the categories of the firmware samples.
In one embodiment, the firmware security analysis system further includes:
and the loop module, used for repeating the following three steps until the category of no firmware sample in the firmware library changes any more: calculating the optimized clustering center of each category from the feature vectors of the firmware samples currently in that category; calculating the distance from the feature vector of each firmware sample in the firmware library to each optimized clustering center; and reassigning each firmware sample to the category of the optimized clustering center nearest to it.
In one embodiment, the average calculating module 230 includes:
a security label value obtaining unit, configured to obtain, according to the category of the firmware to be tested, the security label value $s_j$ of each firmware sample in that category, where each security label value is determined from the security label of the firmware sample;
an average value calculating unit, configured to calculate, from the security label values $s_j$ of the firmware samples in the category, the average value $S$ of the security label values of the firmware samples in that category:
$$S = \frac{1}{n}\sum_{j=1}^{n} s_j$$
where $n$ is the number of firmware samples in the category to which the firmware to be tested belongs and $j$ indexes the $j$-th firmware sample in that category.
In one embodiment, the firmware security analysis system further includes:
the clustering algorithm running module, used for classifying the firmware samples in the firmware library several times with the clustering algorithm, each run being a single classification process that yields a category for every firmware sample;
the optimized clustering center calculating module, used for calculating, for each run, the optimized clustering center of each category from the feature vectors of the firmware samples in that category;
and the correcting module, used for calculating, for each single classification process, the average value of the security label values of the firmware samples in the category to which the firmware to be tested belongs in that run, and then averaging these per-run values over the number of runs of the clustering algorithm, so as to obtain the corrected average value of the security label values of the firmware samples in the category to which the firmware to be tested belongs.
In one embodiment, the firmware security analysis system further includes:
the data acquisition module is used for acquiring a firmware sample data packet;
and the characteristic vector construction module is used for carrying out characteristic statistics on the firmware codes in the firmware sample data packet and constructing the characteristic vector of the firmware sample.
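The pipeline the modules above describe, from the initial clustering centers through the loop step, the category score and the multi-run correction, as an added worked example in Python. This is not code from the patent or from its applicants: the firmware library, its feature vectors and security labels, the number of categories k, the number of runs, the Euclidean distance and the threshold are all constructed assumptions, and the feature statistics step that builds a feature vector from firmware code is represented by ready-made vectors.

```python
"""Worked example of clustering-based firmware security assessment.

Added illustration, not the patent's reference implementation: labelled
firmware feature vectors are clustered k-means style, a firmware under test is
assigned to the nearest optimized clustering centre, scored with the mean
security-label value of that category, compared with a threshold, and the
score is corrected by averaging over several clustering runs with different
initial centres. Every vector, label, k and the threshold below is constructed.
"""
import math
import random

# Constructed firmware library. Each feature vector is assumed to hold
# [Shannon entropy in bits, printable-byte fraction, cleartext credential
# strings found]; the label is 1 for firmware an earlier audit marked unsafe.
LIBRARY = [
    ([3.1, 0.92, 4.0], 1),   # text-heavy image with hard-coded credentials
    ([3.4, 0.88, 3.0], 1),
    ([2.9, 0.95, 5.0], 1),
    ([3.3, 0.90, 4.0], 0),   # resembles the others but was audited clean
    ([7.8, 0.38, 0.0], 0),   # packed/encrypted image, no cleartext strings
    ([7.6, 0.41, 0.0], 0),
    ([7.9, 0.36, 0.0], 0),
    ([7.7, 0.39, 1.0], 1),   # packed, but one credential string survived
]
THRESHOLD = 0.5  # assumed decision threshold (the patent does not fix one)


def distance(a, b):
    """Euclidean distance between two feature vectors (assumed metric)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest(vec, centres):
    """Index of the clustering centre closest to vec."""
    return min(range(len(centres)), key=lambda i: distance(vec, centres[i]))


def cluster(vectors, seed_indices, max_iter=100):
    """Cluster the library, seeding the initial centres with the given samples.

    Seeds fall into their own category (distance 0); every other sample joins
    the nearest initial centre. Centres are then recomputed as the mean of
    their members and samples reassigned, until no category changes, as the
    loop step requires. max_iter is only a safety cap for the illustration.
    """
    centres = [list(vectors[i]) for i in seed_indices]
    labels = [nearest(v, centres) for v in vectors]
    for _ in range(max_iter):
        for c in range(len(centres)):
            members = [v for v, l in zip(vectors, labels) if l == c]
            if members:  # an empty category keeps its previous centre
                centres[c] = [sum(col) / len(members) for col in zip(*members)]
        new_labels = [nearest(v, centres) for v in vectors]
        if new_labels == labels:
            break
        labels = new_labels
    return centres, labels


def category_score(library, firmware, seed_indices):
    """Mean security-label value S of the category the firmware falls into."""
    vectors = [v for v, _ in library]
    centres, labels = cluster(vectors, seed_indices)
    cat = nearest(firmware, centres)
    tags = [s for (_, s), l in zip(library, labels) if l == cat]
    return sum(tags) / len(tags)  # S = (1/n) * sum of s_j over the category


def corrected_score(library, firmware, k=2, runs=5):
    """Correction step: average the category score over several clustering
    runs, each started from a different set of k seed samples."""
    scores = []
    for run in range(runs):
        seeds = random.Random(run).sample(range(len(library)), k)
        scores.append(category_score(library, firmware, seeds))
    return sum(scores) / len(scores)


def assess(firmware, library=LIBRARY, threshold=THRESHOLD):
    """Return (corrected score, potentially-unsafe verdict) for one firmware."""
    score = corrected_score(library, firmware)
    return score, score >= threshold


if __name__ == "__main__":
    # Constructed firmware under test: one resembling the credential-laden
    # images, one resembling the packed images.
    for vec in ([3.2, 0.91, 3.0], [7.75, 0.39, 0.0]):
        score, unsafe = assess(vec)
        print(vec, f"S={score:.2f}", "potentially unsafe" if unsafe else "not flagged")
```

Running the file scores both constructed test images. The patent does not say how features are scaled; with raw entropy (0 to 8 bits) next to fractions (0 to 1), the entropy axis dominates the Euclidean distance, so a real library should standardise each feature before clustering. The correction step changes the result only when different initial centres lead to different partitions; the constructed library is separated well enough that every run agrees, which is why the corrected score here equals the single-run one.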
For the specific details of the firmware security analysis system, reference may be made to the description of the firmware security analysis method above, which is not repeated here. The modules of the firmware security analysis system can be implemented wholly or partly in software, in hardware, or in a combination of the two. The modules can be embedded in hardware form in, or be independent of, the processor of the computer device, or be stored in software form in the memory of the computer device, so that the processor can call them and execute the operations corresponding to each module.
Example 3:
embodiment 3 of the present disclosure provides a computer-readable storage medium on which a computer program is stored, which when executed by a processor implements the steps in embodiment 1.
Example 4:
an embodiment 4 of the present disclosure provides an electronic device, which includes a memory and a processor, where the memory stores a computer program, and the processor implements the steps in embodiment 1 when executing the computer program.
The electronic device may be a computer device, and the computer device may be a server, and its internal structure diagram may be as shown in fig. 3. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is for storing feature vector data. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a firmware security analysis method.
Those skilled in the art will appreciate that the architecture shown in fig. 3 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only a preferred embodiment of the present disclosure and is not intended to limit the present disclosure, and various modifications and changes may be made to the present disclosure by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present disclosure should be included in the protection scope of the present disclosure.

Claims (10)

1. A firmware security assessment method, characterized in that it comprises the following steps:
acquiring parameter data of firmware to be tested;
obtaining a characteristic vector of the firmware to be tested according to the obtained parameter data;
calculating the distance from the feature vector of the firmware to be tested to the optimized clustering center of each category in the firmware library;
classifying the firmware to be detected according to an optimized clustering center with the minimum distance from the firmware to be detected to obtain the category of the firmware to be detected;
calculating the average value of the security label values of the firmware samples in the category according to the category of the firmware to be detected;
and when the average value is greater than or equal to the preset threshold value, judging the firmware to be tested as potentially unsafe firmware.
2. The firmware security evaluation method of claim 1, wherein:
before calculating the distance from the feature vector of the firmware to be tested to the optimized cluster center of each category in the firmware library, the method comprises the following steps:
acquiring a preset number of firmware samples from a firmware library, and respectively constructing an initial clustering center according to the feature vector of each firmware sample;
respectively calculating the distance from the characteristic vector of the rest firmware samples in the firmware library to each initial clustering center;
assigning each remaining firmware sample in the firmware library to the category of the initial clustering center nearest to it, to obtain the categories of the remaining firmware samples; the preset number of firmware samples taken from the firmware library as seeds are assigned to the categories of their own initial clustering centers.
3. The firmware security evaluation method of claim 2, wherein:
after classifying each firmware sample in the firmware library, calculating an optimized clustering center of each class according to the characteristic vector of the firmware sample in each class;
respectively calculating the distance from the feature vector of each firmware sample in the firmware library to each optimized clustering center;
and re-classifying the firmware samples according to the optimized clustering center with the minimum distance from each firmware sample in the firmware library to obtain the classes of the firmware samples.
4. The firmware security evaluation method of claim 3, wherein:
repeating the following steps until the category of no firmware sample in the firmware library changes any more: calculating the optimized clustering center of each category from the feature vectors of the firmware samples in that category; calculating the distance from the feature vector of each firmware sample in the firmware library to each optimized clustering center; and reassigning each firmware sample to the category of the optimized clustering center nearest to it, to obtain the category of the firmware sample.
5. The firmware security evaluation method of claim 1, wherein:
according to the category of the firmware to be detected, obtaining the security label value of each firmware sample in the category; and calculating the average value of the security label values of the firmware samples in the class according to the security label value of each firmware sample in the class.
6. The firmware security evaluation method of claim 1, wherein:
before calculating the distance from the feature vector of the firmware to be tested to the optimized cluster center of each category in the firmware library, the method comprises the following steps:
classifying the firmware samples in the firmware library several times with a clustering algorithm, each run being a single classification process that yields the category of every firmware sample;
calculating, for each run, the optimized clustering center of each category from the feature vectors of the firmware samples in that category;
and after calculating the average value of the security label values of the firmware samples in the category according to the category of the firmware to be tested, the method comprises the following step:
calculating, for each single classification process, the average value of the security label values of the category to which the firmware to be tested belongs in that run, and averaging these per-run values over the number of runs of the clustering algorithm, to obtain the corrected average value of the security label values of the firmware samples in the category to which the firmware to be tested belongs.
7. The firmware security evaluation method of claim 1, wherein:
acquiring a firmware sample data packet;
and carrying out characteristic statistics on the firmware codes in the firmware sample data packet to construct a characteristic vector of the firmware sample.
8. A firmware security assessment system, characterized in that it comprises:
a data acquisition module configured to: acquiring parameter data of firmware to be tested;
a feature vector construction module configured to: obtaining a characteristic vector of the firmware to be tested according to the obtained parameter data;
a distance calculation module configured to: calculating the distance from the feature vector of the firmware to be tested to the optimized clustering center of each category in the firmware library;
a classification module configured to: classifying the firmware to be detected according to an optimized clustering center with the minimum distance from the firmware to be detected to obtain the category of the firmware to be detected;
an average calculation module configured to: calculating the average value of the security label values of the firmware samples in the category according to the category of the firmware to be detected;
an unsecure firmware identification module configured to: and when the average value is greater than or equal to the preset threshold value, judging the firmware to be tested as potentially unsafe firmware.
9. A computer-readable storage medium, on which a program is stored, which, when being executed by a processor, carries out the steps of the firmware security evaluation method according to any one of claims 1 to 7.
10. An electronic device comprising a memory, a processor, and a program stored on the memory and executable on the processor, wherein the processor implements the steps of the firmware security evaluation method of any one of claims 1-7 when executing the program.
CN202110721068.9A 2021-08-20 2021-08-20 Firmware security assessment method, system, medium and electronic equipment Active CN113486354B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110721068.9A CN113486354B (en) 2021-08-20 2021-08-20 Firmware security assessment method, system, medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN113486354A true CN113486354A (en) 2021-10-08
CN113486354B CN113486354B (en) 2024-08-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant