KR-20260066683-A - Intent-Behavior Discrepancy Analysis for Vulnerability Detection Systems
Abstract
The present invention relates to an intent-behavior discrepancy-based vulnerability detection system comprising: an intent extraction unit that generates intent specifications for each component by analyzing information sources of a target software system; a behavior profiling unit that calculates the degree of discrepancy with behavior observed in an actual execution environment using the intent specifications as an oracle; and a vulnerability verification unit that verifies vulnerability candidates, generates a report, and feeds the verification results back to the behavior profiling unit. According to the present invention, it has the effect of detecting logical vulnerabilities that do not cause crashes, does not rely on external vulnerability databases, and overcomes blind spots in static analysis-based technologies through dynamic observation based on actual execution.
Inventors
- 안범주
Assignees
- 안범주
Dates
- Publication Date
- 20260512
- Application Date
- 20260415
Claims (1)
- An intent-behavior discrepancy-based vulnerability detection system for detecting logical vulnerabilities in a target software system, the system comprising: an intent extraction unit that analyzes one or more information sources obtained from the target software system and generates an intent specification indicating the operational purpose of each component of the target software system; a behavior profiling unit that, using the intent specification as an oracle, calculates a divergence score between the intent specification and the behavior observed while running the target software system in an actual execution environment, and generates vulnerability candidates based on the divergence score; and a vulnerability verification unit that verifies the vulnerability candidates, generates a vulnerability report, and feeds the verification results back to the behavior profiling unit.
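The claimed pipeline, reduced to a runnable toy (an added illustration, not code from the patent): intent specification items are predicates over observed execution events, the profiling unit turns violated items into a weighted divergence score and emits candidates above a threshold, and the verification unit replays each candidate and feeds the outcome back into the profiler's weights. The transfer component, its intent items, the traces and the replay oracle are all constructed for this example.

```python
# Toy model of the three claimed units; every spec item, trace and weight is constructed.
from dataclasses import dataclass

@dataclass
class Trace:                 # one observed run of a constructed "transfer" component
    tx_id: str
    authenticated: bool
    requested: int
    balance_before: int
    balance_after: int
    committed: bool          # both debit and credit landed (atomicity)

# Intent specification: (item name, predicate over the trace, initial weight).
INTENT_SPEC = [
    ("requires_auth",   lambda t: t.authenticated,                                   1.0),
    ("no_overdraft",    lambda t: t.balance_after >= 0,                              0.8),
    ("conserves_funds", lambda t: t.balance_before - t.balance_after == t.requested, 0.6),
    ("atomic",          lambda t: t.committed,                                       0.9),
]

def divergence(trace, weights):
    """Weighted share of violated intent items in [0, 1], plus the violated item names."""
    total = sum(weights.values())
    violated = [name for name, pred, _ in INTENT_SPEC if not pred(trace)]
    return round(sum(weights[n] for n in violated) / total, 3), violated

def profile(traces, weights, threshold=0.2):
    """Behavior profiling unit: traces whose divergence reaches the threshold become candidates."""
    scored = [(t.tx_id, *divergence(t, weights)) for t in traces]
    return [c for c in scored if c[1] >= threshold]

def verify_and_feedback(candidates, replay, weights):
    """Vulnerability verification unit: replay each candidate; confirmed ones enter the
    report, unconfirmed ones halve the weight of the intent items that flagged them."""
    report = []
    for tx_id, score, violated in candidates:
        if replay(tx_id):
            report.append((tx_id, score, violated))
        else:
            for n in violated:
                weights[n] = round(weights[n] / 2, 3)
    return report, weights

TRACES = [  # constructed observations; none of these runs crashes, so a crash oracle sees nothing
    Trace("t1", True, 50, 100, 50, True),     # matches intent
    Trace("t2", False, 50, 100, 50, True),    # transfer without authentication
    Trace("t3", True, 200, 100, -100, True),  # overdraft
    Trace("t4", True, 50, 100, 100, False),   # debit lost, transaction not atomic
]

def run_example(replay=lambda tx_id: tx_id != "t3"):   # replay oracle: t3 not reproducible
    weights = {name: w for name, _, w in INTENT_SPEC}
    return verify_and_feedback(profile(TRACES, weights), replay, weights)
```

The unconfirmed candidate t3 lowers the weight of `no_overdraft`, so on the next profiling pass the same observation would score below the threshold; that is the feedback path the claim describes.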
Description
The present invention relates to a system for detecting vulnerabilities in a software system, and more specifically to an intent-behavior discrepancy-based vulnerability detection system that automatically generates intent specifications indicating the operational purpose of each component of a target software system and calculates the degree of discrepancy between those specifications and the behavior observed in an actual execution environment, thereby identifying logical vulnerabilities even when the program terminates normally.
As the complexity of modern software systems increases rapidly, instances where logical code defects lead to security vulnerabilities are continuously rising. Software vulnerabilities can be broadly classified into memory safety bugs and logical bugs, and traditional security tools have primarily focused on detecting memory safety bugs. Fuzzing is a representative dynamic analysis technique that detects vulnerabilities by supplying varied inputs to a target program and using crashes as its oracle. However, fuzzers have a structural limitation in detecting logical bugs that let the program terminate normally, such as authentication bypass, privilege misuse, or violations of transaction atomicity: the fuzzer's oracle does not respond unless a crash occurs.
Static analysis-based vulnerability detection technologies, such as taint analysis tools like CodeQL or specification-based detection techniques like VulInstruct, specialize in analyzing the structure of source code to detect data flow vulnerabilities or recurrences of known vulnerability patterns. However, because these static techniques do not observe behavior in the actual execution environment, they have fundamental limitations in detecting runtime logic defects or concurrency bugs that occur during normal program execution.
In particular, neuro-symbolic approaches such as IRIS (Li et al., 2024) use large language models (LLMs) to automatically infer taint specifications and combine them with static data flow analysis, while VulInstruct (Zhu et al., 2025) proposes a method that guides LLM-based vulnerability detection by extracting security specifications from historical CVE databases. However, all of the aforementioned prior art relies on static analysis of source code without actually executing the target system, and its reliance on external vulnerability databases or known vulnerability patterns leaves blind spots that cannot be detected. Model checking is a powerful method for verifying property violations through an exhaustive search of the state space against formal specifications, but it is difficult to apply to large-scale real-world software systems because of the state explosion problem and the requirement that formal specifications be written manually by humans.
Therefore, the problem that the present invention aims to solve is to provide a new vulnerability detection system that simultaneously overcomes the dependency of existing fuzzing technology on crash oracles and the lack of execution observation in static analysis technology, autonomously derives intent specifications from information unique to the target system without requiring humans to write specifications in advance, and detects logical vulnerabilities even when a program terminates normally by using the degree of discrepancy, based on behavioral observation in the actual execution environment, as an oracle.
FIG. 1 is a block diagram showing the overall configuration of an intent-behavior discrepancy-based vulnerability detection system according to one embodiment of the present invention.
FIG. 2 is a flowchart showing the detailed operation flow of an intent extraction unit (100) according to one embodiment of the present invention.
FIG. 3 is a flowchart showing the detailed operation flow of a behavior profiling unit (200) according to one embodiment of the present invention.
FIG. 4 is a flowchart showing the detailed operation flow of a vulnerability verification unit (300) according to one embodiment of the present invention.
FIG. 5 is a conceptual diagram showing the divergence feedback loop between components according to one embodiment of the present invention.
FIG. 6 is a Venn diagram comparing the detectable vulnerability areas of the present invention and the prior art.
FIG. 7 is a flowchart showing the application flow in a closed-source binary environment according to one embodiment of the present invention.
FIG. 8 is an exemplary diagram showing the intent specification items and discrepancy calculation examples when an embodiment of the present invention is applied to a financial transaction system.
FIG. 9 is a graph showing the time series change in the degree of divergence by software version according to one embodiment of the present invention.
FIG. 10 is