A Research And Implementation Of Software Attack Automated Modeling Based On Attack Knowledge Base

As a kind of knowledge intensive digital assets, software condenses a lot of wisdom and knowledge of designers and developers. The process of software development is complex and it always costs very much time of developers, but copying and pirating is much simpler. The copying and pirating of software will, at some point, cause software security issues. As a consequence, these issues have become one of the most serious problems for both the software companies and developers.In order to evaluate software security, many researchers prefer to quantify the strength or evaluate the anti-attack ability of protected software, but most of these schemes depend on the attacker’s subjective mind, so the evaluation results are always lack of objectivity. Thus how to reduce the subjectivity of evaluation results and make it more objective becomes a research hotspot in recent years. An effective scheme is standing in the view of the attacker to model, based on this modeling and attack guidance algorithm we can obtain some useful data, and then use these data to evaluate the protected software. Thereby, we can reduce the subjective in the evaluation process. However, most of modeling methods of software attack are by manual, not only will lead to problems like low efficiency, inaccurate model and different results from person to person to the same protected software; but also can cause the differences of evaluation data which extracted by the attack model, and affects the credibility of evaluation results.To solve problems above, this paper proposes an automated modeling method based on attack knowledge base. Then, collect evaluation data and evaluate the security of protected software according to this model. Firstly, this paper proposed an automated-oriented modeling method that is used to classify software attack techniques and generate a knowledge base. Then employ Petri nets and XML files to describe the similar attack techniques. Secondly, this paper constructs an automating modeling framework based on the attack knowledge base and designed and implemented a SAAM (Software Attack Automated Modeling) system based on the framework. Finally, verify the feasibility and correctness of the SAAM system on the basis of experiments, and analyze the applicability of the attack model, which can lay a foundation for further software security evaluation.