Web Application Vulnerability Prediction using Hybrid Program Analysis and Machine Learning

Shar, Lwin Khin; Briand, Lionel; Tan, Hee Beng Kuan

Reference : Web Application Vulnerability Prediction using Hybrid Program Analysis and Machine Le...


	Document type :	Scientific journals : Article
	Discipline(s) :	Engineering, computing & technology : Computer science
	To cite this reference:	http://hdl.handle.net/10993/18549

Title :	Web Application Vulnerability Prediction using Hybrid Program Analysis and Machine Learning
Language :	English
Author, co-author :	Shar, Lwin Khin [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
	Briand, Lionel [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > > ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)]
	Tan, Hee Beng Kuan [Nanyang Technological University > School of Electrical and Electronic Engineering]
Publication date :	2015
Journal title :	IEEE Transactions on Dependable and Secure Computing
Publisher :	IEEE
Volume :	12
Issue/season :	6
Pages :	688-707
Peer reviewed :	Yes (verified by ORBi^lu)
Audience :	International
ISSN :	1545-5971
Keywords :	[en] Vulnerability prediction ; security measures ; input validation and sanitization
Abstract :	[en] Due to limited time and resources, web software engineers need support in identifying vulnerable code. A practical approach to predicting vulnerable code would enable them to prioritize security auditing efforts. In this paper, we propose using a set of hybrid (static+dynamic) code attributes that characterize input validation and input sanitization code patterns and are expected to be significant indicators of web application vulnerabilities. Because static and dynamic program analyses complement each other, both techniques are used to extract the proposed attributes in an accurate and scalable way. Current vulnerability prediction techniques rely on the availability of data labeled with vulnerability information for training. For many real world applications, past vulnerability data is often not available or at least not complete. Hence, to address both situations where labeled past data is fully available or not, we apply both supervised and semi-supervised learning when building vulnerability predictors based on hybrid code attributes. Given that semi-supervised learning is entirely unexplored in this domain, we describe how to use this learning scheme effectively for vulnerability prediction. We performed empirical case studies on seven open source projects where we built and evaluated supervised and semi-supervised models. When cross validated with fully available labeled data, the supervised models achieve an average of 77% recall and 5% probability of false alarm for predicting SQL injection, cross site scripting, remote code execution and file inclusion vulnerabilities. With a low amount of labeled data, when compared to the supervised model, the semi- supervised model showed an average improvement of 24% higher recall and 3% lower probability of false alarm, thus suggesting semi-supervised learning may be a preferable solution for many real world applications where vulnerability data is missing.
Permalink :	http://hdl.handle.net/10993/18549

File(s) associated to this reference

Fulltext file(s):

	File	Commentary	Version	Size	Access
Limited access	Web Application Vulnerability Prediction using Hybrid Program Analysis and Machine Learning.pdf		Author preprint	33.12 MB	Request a copy

All documents in ORBi^lu are protected by a user license.

University of Luxembourg Library | Feedback | Legal notices