Web Application Vulnerability Prediction Using Hybrid Program Analysis and Machine Learning

Shar, Lwin Khin; Briand, Lionel C.; Tan, Hee Beng Kuan

doi:10.1109/tdsc.2014.2373377

Cited by 108 publications

(57 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Inferring from this thought process, authors [37] have worked towards bringing out a substantial patern that illustrates both input validation and sanitisation code which are expected to be the predicted vectors of web application vulnerabilities. They have applied both supervised and semi-supervised learning when building vulnerability predictors based on hybrid code atributes.…”

Section: Detecting Application Security Breachesmentioning

confidence: 99%

Machine Learning in Application Security

Sangani¹,

Zarger²

2017

Advances in Security in Computing and Communications

View full text Add to dashboard Cite

Security threat landscape has transformed drastically over a period of time. Right from viruses, trojans and Denial of Service (DoS) to the newborn malicious family of ransomware, phishing, distributed DoS, and so on, there is no stoppage. The phenomenal transformation has led the atackers to have a new strategy born in their atack vector methodology making it more targeted-a direct aim towards the weakest link in the security chain aka humans. When we talk about humans, the irst thing that comes to an atacker's mind is applications. Traditional signature-based techniques are inadequate for rising atacks and threats that are evolving in the application layer. They serve as good defences for protecting the organisations from perimeter and endpoint-driven atacks, but what needs to be focused and analysed is right at the application layer where such defences fail. Protecting web applications has its unique challenges in identifying malicious user behavioural paterns being converted into a compromise. Thus, there is a need to look at a dynamic and signature-independent model of identifying such malicious usage paterns within applications. In this chapter, the authors have explained on the technical aspects of integrating machine learning within applications in detecting malicious user behavioural patern.

show abstract

Section: Detecting Application Security Breachesmentioning

confidence: 99%

Machine Learning in Application Security

Sangani¹,

Zarger²

2017

Advances in Security in Computing and Communications

View full text Add to dashboard Cite

show abstract

“…A recent work [9] employing a hybrid of dynamic and static approach predicted code vulnerabilities against a supervised model which achieved 0.77 (77%) recall value. There was no AUC value provided in the paper to gauge the decency of the model in overall performance.…”

Section: Related Workmentioning

confidence: 99%

Numerical encoding to Tame SQL injection attacks

Uwagbole

Buchanan

Lü

2016

NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium

View full text Add to dashboard Cite

“…Shar et al in their paper had proposed the use of a set of hybrid of the static and dynamic code attributes which characterize input validation and input sanitization code patterns [6]. They are in fact expected to be the most important indicators of web application vulnerabilities.…”

Section: Literature Reviewmentioning

confidence: 99%

Identification and Illustration of Insecure Direct Object References and their Countermeasures

Shrestha¹,

Maharjan²,

Paudel³

2015

IJCA

View full text Add to dashboard Cite

The insecure direct object reference simply represents the flaws in the system design without the full protection mechanism for the sensitive system resources or data. It basically occurs when the web application developer provides direct access to objects in accordance with the user input. So any attacker can exploit this web vulnerability and gain access to privileged information by bypassing the authorization. The main aim of this paper is to demonstrate the real effect and the identification of the insecure direct object references and then to provide the feasible preventive solutions such that the web applications do not allow direct object references to be manipulated by attackers. The experiment of the insecure direct object referencing is carried out using the insecure J2EE web application called WebGoat and its security testing is being performed using another JAVA based tool called BURP SUITE. The experimental result shows that the access control check for gaining access to privileged information is a very simple problem but at the same time its correct implementation is a tricky task. The paper finally presents some ways to overcome this web vulnerability.

show abstract

Web Application Vulnerability Prediction Using Hybrid Program Analysis and Machine Learning

Cited by 108 publications

References 29 publications

Machine Learning in Application Security

Machine Learning in Application Security

Numerical encoding to Tame SQL injection attacks

Identification and Illustration of Insecure Direct Object References and their Countermeasures

Contact Info

Product

Resources

About