Extracting rules for vulnerabilities detection with static metrics using machine learning

Gupta, Aakanshi; Suri, Bharti; Kumar, Vijay; Jain, Pragyashree

doi:10.1007/s13198-020-01036-0

Cited by 23 publications

(24 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For the outside XSS, the exploit is executed through the browser. Paper [16] has addressed identification of characteristic exploitation in PHP code. It extends the traditional custom design with a component called cleans.…”

Section: Related Workmentioning

confidence: 99%

Web Security: Emerging Threats and Defense

Almutairi¹,

Mishra²,

Alshehri³

2022

Computer Systems Science and Engineering

View full text Add to dashboard Cite

Web applications have become a widely accepted method to support the internet for the past decade. Since they have been successfully installed in the business activities and there is a requirement of advanced functionalities, the configuration is growing and becoming more complicated. The growing demand and complexity also make these web applications a preferred target for intruders on the internet. Even with the support of security specialists, they remain highly problematic for the complexity of penetration and code reviewing methods. It requires considering different testing patterns in both codes reviewing and penetration testing. As a result, the number of hacked websites is increasing day by day. Most of these vulnerabilities also occur due to incorrect input validation and lack of result validation for lousy programming practices or coding errors. Vulnerability scanners for web applications can detect a few vulnerabilities in a dynamic approach. These are quite easy to use; however, these often miss out on some of the unique critical vulnerabilities in a different and static approach. Although these are time-consuming, they can find complex vulnerabilities and improve developer knowledge in coding and best practices. Many scanners choose both dynamic and static approaches, and the developers can select them based on their requirements and conditions. This research explores and provides details of SQL injection, operating system command injection, path traversal, and cross-site scripting vulnerabilities through dynamic and static approaches. It also examines various security measures in web applications and selected five tools based on their features for scanning PHP, and JAVA code focuses on SQL injection, cross-site scripting, Path Traversal, operating system command. Moreover, this research discusses the approach of a cyber-security tester or a security developer finding out vulnerabilities through dynamic and static approaches using manual and automated web vulnerability scanners.

show abstract

Section: Related Workmentioning

confidence: 99%

Web Security: Emerging Threats and Defense

Almutairi¹,

Mishra²,

Alshehri³

2022

Computer Systems Science and Engineering

View full text Add to dashboard Cite

show abstract

Section: Vulnerability Analysismentioning

confidence: 99%

“…Many studies [10,26,75,79,83,95,100,120,137,148,163,205,215,220,229,238,244,246,271,279,350,366] created their own datasets. Ali Alatwi et al [10], Cui et al [83], Ma et al [205], and Gupta et al [120] created datasets to train vulnerability detectors for Android applications. In particular, Ma et al [205] decompiled and generated cfgs of approximately 10 thousand, both benign and vulnerable, Android applications from AndroZoo and Android Malware datasets; Ali Alatwi et al [10] collected 5,063 Android applications where 1,000 of them were marked as benign and the remaining as malware; Cui et al [83] selected an open-source dataset comprised of 1,179 Android applications that have 4,416 different version (of the 1,179 applications) and labeled the selected dataset by using the Androrisk tool; and Gupta et al [120] used two Android applications (Android-universalimage-loader and JHotDraw) which they have manually labeled based on the projects pmd reports (true if a vulnerability was reported in a pmd file and false otherwise).…”

Section: Vulnerability Analysismentioning

confidence: 99%

A Survey on Machine Learning Techniques for Source Code Analysis

Sharma¹,

Kechagia²,

Georgiou³

et al. 2021

Preprint

View full text Add to dashboard Cite

Context:The advancements in machine learning techniques have encouraged researchers to apply these techniques to a myriad of software engineering tasks that use source code analysis such as testing and vulnerabilities detection. A large number of studies poses challenges to the community to understand the current landscape. Objective: We aim to summarize the current knowledge in the area of applied machine learning for source code analysis. Method: We investigate studies belonging to twelve categories of software engineering tasks and corresponding machine learning techniques, tools, and datasets that have been applied to solve them. To do so, we carried out an extensive literature search and identified 364 primary studies published between 2002 and 2021. We summarize our observations and findings with the help of the identified studies. Results: Our findings suggest that the usage of machine learning techniques for source code analysis tasks is consistently increasing. We synthesize commonly used steps and the overall workflow for each task, and summarize the employed machine learning techniques. Additionally, we collate a comprehensive list of available datasets and tools useable in this context. Finally, we summarize the perceived challenges in this area that include availability of standard datasets, reproducibility and replicability, and hardware resources. CCS Concepts: • Software and its engineering → Software libraries and repositories; Software maintenance tools; Software post-development issues; Maintaining software; • Computing methodologies → Machine learning.

show abstract

“…With the use of ML, vulnerability detection rules were extracted with static metrics as discussed in [122]. Thirty-two supervised ML algorithms were considered for most common vulnerabilities and identified that when the model used the J48 ML algorithm, 96% accuracy could be obtained in vulnerability detection.…”

Section: Applying ML To Detect Source Code Vulnerabilitiesmentioning

confidence: 99%

Android Mobile Malware Detection Using Machine Learning: A Systematic Review

2021

View full text Add to dashboard Cite

With the increasing use of mobile devices, malware attacks are rising, especially on Android phones, which account for 72.2% of the total market share. Hackers try to attack smartphones with various methods such as credential theft, surveillance, and malicious advertising. Among numerous countermeasures, machine learning (ML)-based methods have proven to be an effective means of detecting these attacks, as they are able to derive a classifier from a set of training examples, thus eliminating the need for an explicit definition of the signatures when developing malware detectors. This paper provides a systematic review of ML-based Android malware detection techniques. It critically evaluates 106 carefully selected articles and highlights their strengths and weaknesses as well as potential improvements. Finally, the ML-based methods for detecting source code vulnerabilities are discussed, because it might be more difficult to add security after the app is deployed. Therefore, this paper aims to enable researchers to acquire in-depth knowledge in the field and to identify potential future research and development directions.

show abstract

Extracting rules for vulnerabilities detection with static metrics using machine learning

Cited by 23 publications

References 21 publications

Web Security: Emerging Threats and Defense

Web Security: Emerging Threats and Defense

A Survey on Machine Learning Techniques for Source Code Analysis

Android Mobile Malware Detection Using Machine Learning: A Systematic Review

Contact Info

Product

Resources

About