Applying model checking and formal concept analysis to classify and detect malware

VIETNAM NATIONAL UNIVERSITY HO CHI MINH CITY
UNIVERSITY OF TECHNOLOGY

NGUYỄN THIÊN BÌNH

APPLYING MODEL CHECKING AND FORMAL CONCEPT ANALYSIS TO CLASSIFY AND DETECT MALWARE

Major: Computer Science
Major code: 62.48.01.01

Independent reviewer 1: Assoc. Prof. Dr. Võ Trung Hùng
Independent reviewer 2: Assoc. Prof. Dr. Trương Ninh Thuận
Reviewer 1: Assoc. Prof. Dr. Đỗ Văn Nhơn
Reviewer 2: Assoc. Prof. Dr. Trần Minh Triết
Reviewer 3: Assoc. Prof. Dr. Bùi Hoài Thắng

Scientific supervisor: Assoc. Prof. Dr. Quản Thành Thơ

Ho Chi Minh City, 2018

DECLARATION

The author declares that this is the author's own research work. The research results and conclusions in this thesis are truthful and have not been copied from any source in any form. References to other sources (if any) have been cited and listed in accordance with the regulations.

Thesis author
Signature
Nguyễn Thiên Bình

THESIS SUMMARY

To overcome the weaknesses of the signature-matching malware detection used in industry, existing research has applied model checking to malware detection, because it allows malicious behavior to be expressed logically. However, the fundamental obstacle of model checking is the state space explosion problem. Although many studies have addressed this problem, none so far has focused on the malware detection problem. By analyzing the malicious behaviors of real-world malware, we observed that the malicious behavior of a piece of malware appears within one code segment, called an ω-region. This property is the basis on which the thesis proposes an incremental partial verification method that reduces the complexity of the program model and thereby helps to solve the state space explosion problem.

Besides state space explosion, model checking for malware detection faces another major obstacle: malware often applies obfuscation techniques to hide its malicious behavior. Some proposals improve temporal logic to address this, but each such proposal can handle only one obfuscation technique and also requires the model checking tool to be updated, so the cost of handling a single obfuscation technique is very high. The thesis therefore studies the use of abstract interpretation to abstract the program under verification into a minimal intermediate representation, which eliminates most obfuscation techniques. In addition, the thesis proposes the HOPE framework, which separates the deobfuscation step from the model checking step. As a result, when a new obfuscation technique has to be handled, the model checking tool does not need to be updated, which optimizes the cost.

The remaining problem of model checking for malware detection is that malicious behaviors are represented by logical formulae, so data mining approaches based on feature extraction run into many difficulties. The thesis solves this problem with a framework called MarCHGen (Malware Conceptual Hierarchy Generation). In this framework, by extending formal concept analysis, the thesis proposes Viral Logical Concept Analysis (V-LCA) to build a malware concept lattice. The thesis then proposes an on-the-fly conceptual clustering technique to build a malware concept hierarchy tree. Finally, the malware concept hierarchy tree is monitored by a technique called pre-large dataset management, which avoids unnecessary repeated re-clustering.

Keywords: executable code analysis, abstract interpretation, model checking, state space explosion, ω-region, formal concept analysis, viral logical concept analysis, on-the-fly conceptual clustering

ABSTRACT

To overcome the drawbacks of the signature matching malware detection methods that are widely used in industry, much research has approached the application of model checking to detect malware, since this technique can logically represent malicious behaviors. However, model checking usually suffers from the infamous state explosion problem. Many studies have been conducted to address this, but none of them is dedicated to malware detection. By studying a large amount of malware, we found that malicious behavior should not occupy more than one code segment, a so-called ω-region. This provides a solid foundation for the thesis to propose an incremental verification method, which reduces the complexity of the program model and thus helps to solve the state explosion problem.

In addition to the state explosion problem, the model checking approach to malware detection encounters a major drawback: malware often employs obfuscation techniques to mask its harmful behavior. Despite some suggestions in the direction of improving temporal logic to solve this problem, each proposal following this direction can handle only one obfuscation technique and requires the model checker to be updated, resulting in enormous costs to handle one code obfuscation technique. Thus, the thesis studies the use of abstract interpretation to abstract the program into a minimal intermediate representation, eliminating most of the obfuscation techniques. Moreover, the thesis proposes the HOPE framework, which separates the deobfuscation step from the model checking step. As a result, when a new obfuscation technique is processed, the model checking tool does not need to be updated, thus optimizing the costs.

The remaining problem of model checking for malicious code detection is that malicious behaviors are represented by logical formulae. Therefore, typical data mining approaches based on feature extraction are not easily applied. The thesis solves this problem with a framework called MarCHGen (Malware Conceptual Hierarchy Generation). In this framework, by extending Formal Concept Analysis (FCA), Viral Logical Concept Analysis (V-LCA) is proposed to generate a viral concept lattice. Then, the thesis proposes an On-the-fly Conceptual Clustering (OCC) technique to generate a malware concept hierarchy. Finally, the malware concept hierarchy is monitored by the pre-large dataset management technique to avoid unnecessary repeated re-clustering.

Keywords: Binary code analysis, abstract interpretation, model checking, state explosion, ω-region, formal concept analysis, viral logical concept analysis, on-the-fly conceptual clustering technique

ACKNOWLEDGMENTS

Allow me to express to Assoc. Prof. Dr. Quản Thành Thơ my deepest thanks and most sincere gratitude for the support, care, teaching, guidance and encouragement that he has given me throughout the time I spent researching, carrying out and defending this thesis.

In addition, I would like to thank the Board of Rectors, the Office of Postgraduate Studies, the Faculty of Computer Science and Engineering and the Department of Software Engineering, as well as the lecturers and fellow PhD students at Ho Chi Minh City University of Technology, who supported me during my research and studies at the University.

Finally, I also want to share my appreciation for the support of my family and, most of all, my …, for my research and studies over this time.

Ho Chi Minh City, January 2018
Nguyễn Thiên Bình

CONTENTS

List of figures
List of tables

1 Introduction
  1.1 Malware
  1.2 Malware analysis techniques in industry
  1.3 Applying model checking to malware analysis
  1.4 The need for this work
  1.5 Research questions
  1.6 Research objectives
  1.7 Contributions
  1.8 Significance of the thesis
  1.9 Limitations of the thesis
  1.10 Thesis structure

2 Background and related work
  2.1 Malware
    2.1.1 Malware classification
    2.1.2 Dynamic malware analysis techniques
    2.1.3 Static malware analysis techniques
    2.1.4 Discussion
  2.2 Model checking
    2.2.1 Modeling
    2.2.2 Formal specification
          Linear Temporal Logic (LTL)
          Computational Temporal Logic (CTL)
    2.2.3 The state space explosion problem
    2.2.4 Discussion
  2.3 Code obfuscation
    2.3.1 Obfuscation techniques
    2.3.2 Obfuscation techniques used by malware
    2.3.3 Deobfuscation techniques
    2.3.4 Discussion
  2.4 Data clustering
    2.4.1 Partitional clustering
    2.4.2 Hierarchical clustering
    2.4.3 Discussion

3 Incremental partial verification method
  3.1 Related work
    3.1.1 CFG construction
    3.1.2 Compositional verification
  3.2 Preliminary definitions
  3.3 Incremental partial verification of ω-regions
  3.4 Constructing the set of ω-regions
  3.5 Abstracting ω-regions
  3.6 Constructing the set of ω-instructions
  3.7 Illustrative example
    3.7.1 Conventional model checking approach
    3.7.2 Incremental partial verification method
  3.8 Experiments
    3.8.1 Environment
    3.8.2 Dataset
    3.8.3 Metrics
    3.8.4 Verification methods
    3.8.5 Experimental results
  3.9 Discussion

4 Applying abstract interpretation to eliminate obfuscation techniques
  4.1 Related work
  4.2 HOPE: a framework for handling obfuscation techniques
  4.3 Behavior abstraction for deobfuscation
  4.4 Proof of deobfuscation capability
  4.5 Experiments
  4.6 Discussion

5 Malware systematization
  5.1 Related work
    5.1.1 Extended formal concept analysis
    5.1.2 Feature-driven formal concept analysis
    5.1.3 Logical generalization of formal concept analysis
    5.1.4 Malware specification and classification
  5.2 Preliminary definitions
    5.2.1 Formal concept analysis
    5.2.2 Viral logical concept analysis
  5.3 Malware systematization based on V-LCA
  5.4 On-the-fly conceptual clustering
  5.5 Pre-large dataset management
    5.5.1 Frequent concepts
    5.5.2 Managing updates of frequent concepts
  5.6 Experiments
    5.6.1 Performance of FCA-based clustering techniques
    5.6.2 Using the AUP measure to compare clustering quality
    5.6.3 Evaluating performance by cluster quality
  5.7 Discussion

6 Conclusion and future work
  6.1 Summary and conclusions
  6.2 Future work

LIST OF FIGURES

1.1 Signature of the Chernobyl virus
1.2 Structure of the thesis content
2.1 Program representation
2.2 Applying model checking to detect malware
2.3 Kripke structure
2.4 The Avron virus
2.5 Hierarchical clustering method
3.1 Compositional verification method
3.2 Steps of compositional verification
3.3 ASM, CFG and state space of a program
3.4 Execution rules
3.5 Instructions that contain no malware identification pattern
3.6 Incremental partial verification method
3.7 ω-regions
3.8 State space in model checking
3.9 Simple and complex branching programs
3.10 Comparison of total running time
3.11 Comparison of memory usage
3.12 Comparison of the number of states traversed
4.1 Using CTL formulae to specify malicious behavior
4.2 Applying obfuscation techniques in the Avron virus
4.3 Malicious behavior
4.4 Benign behavior
4.5 The HOPE framework
4.6 Steps of behavior abstraction
5.1 Concept tree of the code segments described in Table 5.1
5.2 Malware concept lattice generated by the FCA method
5.3 Malware concept lattice generated by V-LCA
5.4 MarCHGen: the malware systematization framework
5.5 Hierarchy tree generated by OCC
5.6 Frequent concept lattice
5.7 Determining the frequent set
5.8 Malware hierarchy tree
5.9 Performance of the conceptual clustering algorithms

LIST OF TABLES

3.1 List of ω-instructions
3.2 Experimental dataset
3.3 Experimental results
4.1 Abstract language
4.2 Experimental results
5.1 Code segments representing malicious behavior
5.2 Some common malware groups
5.3 Formal context generated from the code segments in Table 5.1
5.4 Viral logical formal context of the code segments in Table 5.1
5.5 Malware abstraction techniques
5.6 Malware abstraction for the concepts in Table 5.3

LIST OF ABBREVIATIONS

Abbreviation   Full form
API            Application Programming Interface
AUP            Average Uninterpolated Precision
ASI            Aggregate Structure Identification
BDD            Binary Decision Diagrams
CFG            Control Flow Graph
CTL            Computation Tree Logic
CTPL           Computation Tree Predicate Logic
CURE           Clustering Using Representative
FCA            Formal Concept Analysis
F-FCA          Feature-driven Formal Concept Analysis
HAC            Hierarchical Agglomerative Clustering
HOPE           Handling Obfuscated Polymorphic malwarE
LCA            Logical Concept Analysis
LTL            Linear Temporal Logic
MarCHGen       Malware Conceptual Hierarchy Generation
OCC            On-the-fly Conceptual Clustering
PDDP           Principal Direction Divisive Partitioning
PAT            Process Analysis Toolkit
ROCK           RObust Clustering using linKs
SCTPL          Stack Computation Tree Predicate Logic
SCTPL\X        Stack Computation Tree Predicate Logic with the next time operator X
SLTPL          Stack Linear Temporal Predicate Logic
TL             Temporal Logic
SMV            Symbolic Model Verifier
V-LCA          Viral Logical Concept Analysis
VSA            Value Set Analysis
approach,” Technological Forecasting and Social Change, vol 78, no 4, pp 690 – 702, 2011 [Online] Available: http://www.sciencedirect.com/science/article/pii/S004016251000274X [107] Y Du and H Li, “Strategy for mining association rules for web pages based on formal concept analysis,” Appl Soft Comput., vol 10, no 3, pp 772–783, 2010 [Online] Available: https://doi.org/10.1016/j.asoc.2009.09.007 [108] P Elzinga, J Poelmans, S Viaene, G Dedene, and S Morsing, “Terrorist threat assessment with formal concept analysis,” in IEEE International Conference on Intelligence and Security Informatics, ISI 2010, Vancouver, BC, Canada, May 23-26, 2010, Proceedings, 2010, pp 77–82 [Online] Available: https://doi.org/10.1109/ISI.2010.5484773 [109] V Dufour-Lussier, J Lieber, E Nauer, and Y Toussaint, “Text adaptation using formal concept analysis,” in Case-Based Reasoning Research and Development, 18th International Conference on Case-Based Reasoning, ICCBR 2010, Alessandria, Italy, July 19-22, 2010 Proceedings, 2010, pp 96–110 [Online] Available: https: //doi.org/10.1007/978-3-642-14274-1_9 [110] N He, P Ră ummer, and D Kroening, “Test-case generation for embedded simulink via formal concept analysis,” in Proceedings of the 48th Design Automation Conference, DAC 2011, San Diego, California, USA, June 5-10, 2011, 2011, pp 224–229 [Online] Available: http://doi.acm.org/10.1145/2024724.2024777 [111] S Doerfel, R Jă aschke, and G Stumme, “Publication analysis of the formal concept analysis community,” in Formal Concept Analysis - 10th International Conference, ICFCA 125 2012, Leuven, Belgium, May 7-10, 2012 Proceedings, 2012, pp 77–95 [Online] Available: https://doi.org/10.1007/978-3-642-29892-9_12 [112] G.-Q Zhang, “Chu spaces, concept lattices, and domains,” Electronic Notes in Theoretical Computer Science, vol 83, pp 287–302, 2003 [113] B Ganter, “Two basic algorithms in concept analysis,” in Formal Concept Analysis, 8th International Conference, ICFCA 2010, Agadir, Morocco, March 
15-18, 2010 Proceedings, 2010, pp 312–340 [Online] Available: http://dx.doi.org/10.1007/978-3-642-11928-6_22 [114] D Poshyvanyk, M Gethers, and A Marcus, “Concept location using formal concept analysis and information retrieval,” ACM Trans Softw Eng Methodol., vol 21, no 4, p 23, 2012 [Online] Available: http://doi.acm.org/10.1145/2377656.2377660 [115] L Wang, X Liu, and J Cao, “A new algebraic structure for formal concept analysis,” Inf Sci., vol 180, no 24, pp 4865–4876, 2010 [Online] Available: http://dx.doi.org/10.1016/j.ins.2010.08.020 [116] N T Binh, T C Doi, Q T Tho, and N M Hai, “Feature-driven formal concept analysis for malware hierarchy construction,” in Multi-disciplinary Trends in Artificial Intelligence - 9th International Workshop, MIWAI 2015, Fuzhou, China, November 13-15, 2015, Proceedings, 2015, pp 385–396 [Online] Available: https://doi.org/10.1007/978-3-319-26181-2_36 [117] B Ganter and R Wille, Formal concept analysis: mathematical foundations Springer Science & Business Media, 2012 [118] A Ketterlin, P Gan¸carski, and J J Korczak, “Conceptual clustering in structured databases: A practical approach,” in Proceedings of the First International Conference on Knowledge Discovery and Data Mining (KDD-95), Montreal, Canada, August 20-21, 1995, 1995, pp 180–185 [Online] Available: http://www.aaai.org/Library/KDD/1995/kdd95-020.php [119] W Pan, “A new fruit fly optimization algorithm: Taking the financial distress model as an example,” Knowl.-Based Syst., vol 26, pp 69–74, 2012 [Online] Available: https://doi.org/10.1016/j.knosys.2011.07.001 126 [120] T T Quan, S C Hui, and T H Cao, “A fuzzy fca-based approach to conceptual clustering for automatic generation of concept hierarchy on uncertainty data,” in Proceedings of the CLA 2004 International Workshop on Concept Lattices and their Applications, Ostrava, Czech Republic, September 23-24, 2004., 2004 [Online] Available: http://ceur-ws.org/Vol-110/paper3.pdf [121] T Hong and C Wang, “An efficient and 
... [Figure 3.1: Component-wise checking method. Diagram labels: abstract model n, abstraction, model, decomposition, model … model n, property specification, model checking tool, check result.] The checking process...

Keywords: executable code analysis, abstract interpretation, model checking, state space explosion, !-region, formal concept analysis, logical concept analysis, malware, concept clustering... used to counter reverse engineering; after analyzing the dynamic analysis, static analysis and hybrid analysis methods, we found that the BE-PUM tool, with its advanced analysis technique, gives results

Date posted: 22/01/2021, 11:51


Table of contents

  • Chapter 1: Introduction

  • Chapter 2: Background and related work

    • 2.1 Malware

    • 2.2 Model checking

    • 2.3 Code obfuscation

    • 2.4 Data clustering

  • Chapter 3: Incremental partial checking method

    • 3.1 Related work

    • 3.2 Preliminary definitions

    • 3.3 Incremental partial checking on -region

    • 3.4 Constructing the -region set

    • 3.5 Abstracting -region

    • 3.6 Constructing the -instruction set

    • 3.7 Illustrative example

    • 3.8 Experiments

    • 3.9 Discussion

  • Chapter 4: Applying abstract interpretation to eliminate code obfuscation techniques

    • 4.1 Related work

    • 4.2 HOPE - a framework for handling code obfuscation techniques

    • 4.3 Behavior abstraction for deobfuscation

    • 4.4 Proving the deobfuscation capability

    • 4.5 Experiments

    • 4.6 Discussion
