Web Application Vulnerability Prediction Using Hybrid Program Analysis and Machine Learning

IEEE Transactions on Dependable and Secure Computing

Volumn 12, Issue 6, 2015, Pages 688-707

  Shar, Lwin Khin ^a   Briand, Lionel C ^a   Tan, Hee Beng Kuan ^b  

^a UNIVERSITY OF LUXEMBOURG   (Luxembourg)

^b NANYANG TECHNOLOGICAL UNIVERSITY   (Singapore)

Author keywords

empirical study; input validation and sanitization; program analysis; security measures; Vulnerability prediction

Indexed keywords

CODES (SYMBOLS); ERRORS; FORECASTING; LEARNING ALGORITHMS; MACHINE LEARNING; NETWORK SECURITY; OPEN SOURCE SOFTWARE; SUPERVISED LEARNING;

DYNAMIC PROGRAM ANALYSIS; EMPIRICAL STUDIES; PROBABILITY OF FALSE ALARM; PROGRAM ANALYSIS; SANITIZATION; SECURITY MEASURE; SEMI- SUPERVISED LEARNING; WEB APPLICATION VULNERABILITY;

APPLICATION PROGRAMS;

EID: 84959283014     PISSN: 15455971     EISSN: 19410018     Source Type: Journal    
DOI: 10.1109/TDSC.2014.2373377     Document Type: Article

References (51)

1. OWASP. (2012, Jan.). The open web application security project [Online]. Avaialble: http://www.owasp.org
2. L. K. Shar and H. B. K. Tan, "Predicting SQL injection and cross site scripting vulnerabilities through mining input sanitization patterns," Inf. Softw. Technol., vol. 55, no. 10, pp. 1767-1780, 2013.
3. N. Jovanovic, C. Kruegel, E. Kirda, "Pixy: A static analysis tool for detecting web application vulnerabilities," in Proc. IEEE Symp. Security Privacy, 2006, pp. 258-263.
4. Y. Xie and A. Aiken, "Static detection of security vulnerabilities in scripting languages," in Proc. USENIX Security Symp., 2006, pp. 179-192.
5. (2012, Mar.). SourceForge. [Online]. Available: http://www.sourceforge. net
6. (2013, May). CVE: Distributions of vulnerabilities by types [Online]. Available: http://www.cvedetails.com/vulnerabilitiesby-types.php
7. PhpMiner [Online]. Availble: http://sharlwinkhin.com/phpminer.html, 2013.
8. J. Ferrante, K. J. Ottenstein, J. D. Warren, "The program dependence graph and its use in optimization," ACM Trans. Programm. Languages Syst., vol. 9, pp. 319-349, 1987.
9. I. H. Witten, E. Frank, M. A. Hall, Data Mining, 3rd ed. San Mateo, CA, USA: Morgan Kaufmann, 2011.
10. (2012, Mar.). RSnake [Online]. Available: http://ha.ckers.org
11. D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, E. Kirda, C. Kruegel, G. Vigna, "Saner: Composing static and dynamic analysis to validate sanitization in web applications," in Proc. IEEE Symp. Security Privacy, 2008, pp. 387-401.
12. L. C. Briand, J. Wust, J. W. Daly, D. V. Porter, "Exploring the relationships between design measures and software quality in object-oriented systems," J. Syst. Softw., vol. 51, no. 3, pp. 245-273, 2000.
13. E. Arisholm, L. C. Briand, E. B. Johannessen, "A systematic and comprehensive investigation of methods to build and evaluate fault prediction models," J. Syst. Softw., vol. 83, no. 1, pp. 2-17, 2010.
14. S. Lessmann, B. Baesens, C. Mues, S. Pietsch, "Benchmarking classification models for software defect prediction: a proposed framework and novel findings," IEEE Trans. Softw. Eng., vol. 34, no. 4, pp. 485-496, Jul./Aug. 2008.
15. T. Menzies, Z. Milton, B. Turhan, B. Cukic, Y. Jiang, A. Bener, "Defect prediction from static code features: current results, limitations, new approaches," Automated Softw. Eng., vol. 17, no. 4, pp. 375-407, 2010.
16. L. K. Shar and H. B. K. Tan, "Predicting common web application vulnerabilities from input validation and sanitization code patterns," in Proc. Int. Conf. Automated Softw. Eng., 2012, pp. 310-313.
17. C. Anley, Advanced SQL Injection in SQL Server Applications, Next Generation Security Software Ltd., White Paper, 2002.
18. S. Palmer, Web application vulnerabilities: Detect, exploit, prevent, Syngress, 2007.
19. Y. Kamei, A. Monden, S. Matsumoto, T. Kakimoto, K. Matsumoto, "The effects of over and under sampling on fault-prone module detection," in Proc. Int. Symp. Empirical Softw. Eng. Meas., 2007, pp. 196-204.
20. J. Dem-sar, "Statistical comparisons of classifiers over multiple data sets," J. Mach. Learning Res., vol. 7, pp. 1-30, 2006.
21. A. Kie-zun, P. J. Guo, K. Jayaraman, M. D. Ernst, "Automatic creation of SQL injection and cross-site scripting attacks," in Proc. Int. Conf. Softw. Eng., 2009, pp. 199-209.
22. M. Martin and M. S. Lam, "Automatic generation of XSS and SQL injection attacks with goal-directed model checking," in Proc. USENIX Security Symp., 2008, pp. 31-43.
23. Y. Shin, A. Meneely, L. Williams, J. A. Osborne, "Evaluating complexity, code churn, developer activity metrics as indicators of software vulnerabilities," IEEE Trans. Softw. Eng., vol. 37, no. 6, pp. 772-787, Nov./Dec. 2011.
24. J. Walden, M. Doyle, G. A. Welch, M. Whelan, "Security of open source web applications," in Proc. Int. Symp. Empirical Softw. Eng. Meas., 2009, pp. 545-553.
25. N. Nagappan, T. Ball, B. Murphy, "Using historical in-process and product metrics for early estimation of software failures," in Proc. Int. Symp. Softw. Rel. Eng., 2006, pp. 62-74.
26. S. Neuhaus, T. Zimmermann, C. Holler, A. Zeller, "Predicting vulnerable software components," in Proc. ACM Conf. Comput. Commun. Security, 2007, pp. 529-540.
27. X. Fu and C.-C. Li, "A string constraint solver for detecting web application vulnerability," in Proc. Int. Conf. Softw. Eng. Knowl. Eng., 2010, pp. 535-542.
28. G. Wassermann and Z. Su, "Sound and precise analysis of web applications for injection vulnerabilities," in Proc. ACM SIGPLAN Conf. Program. Language Des. Implementation, 2007, pp. 32-41.
29. L. K. Shar and H. B. K. Tan, "Automated removal of cross site scripting vulnerabilities in web applications," Inf. Softw. Technol., vol. 54, no. 5, pp. 467-478, 2012.
30. K.-K. Ma, K. Y. Phang, J. S. Foster, M. Hicks, "Directed symbolic execution," in Proc. Int. Conf. Static Anal., 2011, pp. 95-111.
31. M. Weiser, "Program slicing," in Proc. Int. Conf. Softw. Eng., 1981, pp. 439-449.
32. S. Horwitz, T. Reps, D. Binkley, "Interprocedural slicing using dependence graphs," ACM Trans. Program. Languages Syst., vol. 12, no. 1, pp. 26-61, 1990.
33. L. K. Shar, H. B. K. Tan, L. C. Briand, "Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis," in Proc. Int. Conf. Softw. Eng., 2013, pp. 642-651.
34. T. Menzies, J. Greenwald, A. Frank, "Data mining static code attributes to learn defect predictors," IEEE Trans. Softw. Eng., vol. 33, no. 1, pp. 2-13, Jan. 2007.
35. Q. Song, Z. Jia, M. Shepperd, S. Ying, J. Liu, "A general software defect-proneness prediction framework," IEEE Trans. Softw. Eng., vol. 37, no. 3, pp. 356-370, May/Jun. 2011.
36. D. Fisher, L. Xu, N. Zard, "Ordering effects in clustering," in Proc. Int. Workshop Mach. Learning, 1992, pp. 163-168.
37. L. Breiman, "Random forests," Mach. Learning, vol. 45, no. 1, pp. 5-32, 2001.
38. D. W. Hosmer Jr, S. Lemeshow, R. X. Sturdivant, Applied Logistic Regression, 3rd ed. New York, NY, USA: Wiley, 2013.
39. O. Chapelle, B. Scholkopf, A. Zien, Eds., Semi-Supervised Learning. Cambridge, MA, USA: MIT Press, 2006.
40. M. Li, H. Zhang, R. Wu, Z.-H. Zhou, "Sample-based software defect prediction with active and semi-supervised learning," Automated Softw. Eng., vol. 19, pp. 201-230, 2012.
41. H. Lu, B. Cukic, M. Culp, "Software defect prediction using semi-supervised learning with dimension reduction," in Proc. Int. Conf. Automated Softw. Eng., 2012, pp. 314-317.
42. M. Li and Z.-H. Zhou, "Improve computer-aided diagnosis with machine learning techniques using undiagnosed samples," IEEE Trans. Syst., Man Cyberne., Part A: Syst. Humans, vol. 37, no. 6, pp. 1088-1098, Nov. 2007.
43. Z.-H. Zhou, "When semi-supervised learning meets ensemble learning," in Proc. Int. Workshop Multiple Classifier Syst., 2009, pp. 529-538.
44. Chord: A versatile platform for program analysis. (2011). Proc. Tutorial ACM Conf. Program. Language Des. Implementation [Online]. Available: http://pag.gatech.edu/chord
45. F. Yamaguchi, M. Lottmann, K. Rieck, "Generalized vulnerability extrapolation using abstract syntax trees," in Proc. Annu. Comput. Security Appl. Conf., 2012, pp. 359-368.
46. F. Yamaguchi, C. Wressnegger, H. Gascon, K. Rieck, "Chucky: Exposing missing checks in source code for vulnerability discovery," in Proc. ACM SIGSAC Conf. Comput. Commun. Security, 2013, pp. 499-510.
47. PHP Security [Online]. Available: http://www.php.net/manual/en/security.php, 2013.
48. H. He, Y. Bai, E. A. Garcia, S. Li, "ADASYN: Adaptive synthetic sampling approach for imbalanced learning," in Proc. Int. Joint Conf. Neural Netw., 2008, pp. 1322-1328.
49. H. He and E. A. Garcia, "Learning from imbalanced data," IEEE Trans. Knowl. Data Eng., vol. 21, no. 9, pp. 1263-1284, Sep. 2009.
50. M. A. Hall, "Correlation-based feature selection for machine learning," Ph.D. thesis, Dept. Comput. Sci., Univ. Waikato, Hamilton, New Zealand, 1998.
51. PHP Top 5 [Online]. Available: https://www.owasp.org/index. php/PHP-Top-5, 2014.