AIM: Automated Input Set Minimization for Metamorphic Security Testing

[en] Although the security testing of Web systems can be automated by generating crafted inputs, solutions to automate the test oracle, i.e., vulnerability detection, remain difficult to apply in practice. Specifically, though previous work has demonstrated the potential of metamorphic testing, security failures can be determined by metamorphic relations that turn valid inputs into malicious inputs, metamorphic relations are typically executed on a large set of inputs, which is time-consuming and thus makes metamorphic testing impractical. We propose AIM, an approach that automatically selects inputs to reduce testing costs while preserving vulnerability detection capabilities. AIM includes a clustering-based black-box approach, to identify similar inputs based on their security properties. It also relies on a novel genetic algorithm to efficiently select diverse inputs while minimizing their total cost. Further, it contains a problem-reduction component to reduce the search space and speed up the minimization process. We evaluated the effectiveness of AIM on two well-known Web systems, Jenkins and Joomla, with documented vulnerabilities. We compared AIM's results with four baselines involving standard search approaches. Overall, AIM reduced metamorphic testing time by 84% for Jenkins and 82% for Joomla, while preserving the same level of vulnerability detection. Furthermore, AIM significantly outperformed all the considered baselines regarding vulnerability coverage.

Research center :

Interdisciplinary Centre for Security, Reliability and Trust (SnT) > SVV - Software Verification and Validation

Disciplines :

Computer science

Author, co-author :

Bayati Chaleshtari, Nazanin; School of Electrical and Computer Engineering of University of Ottawa, Canada

MARQUER, Yoann ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV

PASTORE, Fabrizio ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV

Briand, Lionel C.; School of Electrical and Computer Engineering of University of Ottawa, Canada

External co-authors :

yes

Language :

English

Title :

AIM: Automated Input Set Minimization for Metamorphic Security Testing

Publication date :

December 2024

Journal title :

IEEE Transactions on Software Engineering

ISSN :

0098-5589

eISSN :

1939-3520

Publisher :

Institute of Electrical and Electronics Engineers (IEEE)

Pages :

1-31

Peer reviewed :

Peer Reviewed verified by ORBi

Focus Area :

Security, Reliability and Trust

Additional URL :

http://xplorestaging.ieee.org/ielx8/32/4359463/10738434.pdf?arnumber=10738434

European Projects :

H2020 - 957254 - COSMOS - DevOps for Complex Cyber-physical Systems

Name of the research project :

R-AGR-3884 - H2020 - COSMOS - BIANCULLI Domenico

Funders :

Union Européenne

Data Set :

AIM: Automated Input Set Minimization for Metamorphic Security Testing (2.0)

Available on ORBilu :

since 08 November 2024

Statistics

Number of views

216 (30 by Unilu)

Number of downloads

120 (12 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenCitations

OpenAlex citations

Bibliography

P. X. Mai, F. Pastore, A. Goknil, and L. C. Briand, "A natural language programming approach for requirements-based security testing, " Proc. IEEE 29th Int. Symp. Softw. Rel. Eng. (ISSRE), 2018, pp. 58-69. [Online]. Available: Https://api.semanticscholar.org/CorpusID:53711718
P. X. Mai, A. Goknil, L. K. Shar, F. Pastore, L. C. Briand, and S. Shaame, "Modeling security and privacy requirements: A use casedriven approach, " Inf. Softw. Technol., vol. 100, pp. 165-182, 2018. [Online]. Available: Https://www.sciencedirect.com/science/article/pii/S0950584918300703
W. Howden, "Theoretical and empirical studies of program testing, " IEEE Trans. Softw. Eng., vol. SE-4, no. 4, pp. 293-298, Jul. 1978.
E. T. Barr, M. Harman, P. McMinn, M. Shahbaz, and S. Yoo, "The oracle problem in software testing: A survey, " IEEE Trans. Softw. Eng., vol. 41, no. 5, pp. 507-525, May 2015.
S. Segura, G. Fraser, A. B. Sanchez, and A. Ruiz-Cortés, "A survey on metamorphic testing, " IEEE Trans. Softw. Eng., vol. 42, no. 9, pp. 805-824, Sep. 2016.
N. C. Bayati, F. Pastore, A. Goknil, and L. C. Briand, "Metamorphic testing for web system security, " IEEE Trans. Softw. Eng., vol. 49, no. 6, pp. 3430-3471, Jun. 2023.
P. X. Mai, F. Pastore, A. Goknil, and L. C. Briand, "Metamorphic security testing for web systems, " in Proc. IEEE 13th Int. Conf. Softw. Testing, Validation Verification (ICST), 2019, pp. 186-197. [Online]. Available: Https://api.semanticscholar.org/CorpusID:209202564
N. B. Chaleshtari, Y. Marquer, F. Pastore, and L. C. Briand, "Replication package, " 2024. [Online]. Available: Https://zenodo.org/records/13983166
T. Y. Chen et al., "Metamorphic testing: A review of challenges and opportunities, " ACM Comput. Surv., vol. 51, no. 1, Jan. 2018, doi: 10.1145/314356.
"Open web application security project, " OWASP Foundation. 2023. [Online]. Available: Https://www.owasp.org/
"CWE view: Architectural concepts, " MITRE. [Online]. Available: Https://cwe.mitre.org/data/definitions/1008.html
"CWE-668: Exposure of resource to wrong sphere, " MITRE. [Online]. Available: Https://cwe.mitre.org/data/definitions/668.html
S. Yoo and M. Harman, "Regression testing minimization, selection and prioritization: A survey, " Softw. Test. Verif. Reliab., vol. 22, no. 2, pp. 67-120, Mar. 2012, doi: 10.1002/stv.430.
B. Miranda and A. Bertolino, "Scope-aided test prioritization, selection and minimization for software reuse, " J. Syst. Softw., vol. 131, pp. 528-549, 2017. [Online]. Available: Https://www.sciencedirect.com/science/article/pii/S0164121216300875
R. Noemmer and R. Haas, "An evaluation of test suite minimization techniques, " in Softw. Qual.: Qual. Intell. Softw. Syst. Eng., D. Winkler, S. Biffl, D. Mendez, and J. Bergsmann, Eds, Cham, Switzerland: Springer International Publishing, 2020, pp. 51-66.
E. Cruciani, B. Miranda, R. Verdecchia, and A. Bertolino, "Scalable approaches for test suite reduction, " in Proc. IEEE/ACM 41st Int. Conf. Softw. Eng. (ICSE), May 2019, pp. 419-429.
R. Pan, T. A. Ghaleb, and L. Briand, "ATM: Black-box test case minimization based on test code similarity and evolutionary search, " in Proc. 45th Int. Conf. Softw. Eng., (ICSE). IEEE Press, 2023, pp. 1700-1711, doi: 10.1109/ICSE48619.2023.0014.
C. Arora, M. Sabetzadeh, L. Briand, and F. Zimmer, "Automated extraction and clustering of requirements glossary terms, " IEEE Trans. Softw. Eng., vol. 43, no. 10, pp. 918-945, Oct. 2017.
M. Ester, H.-P. Kriegel, J. Sander, and X. Xu, "A density-based algorithm for discovering clusters in large spatial databases with noise, " in Proc. 2nd Int. Conf. Knowl. Discovery Data Mining, (KDD), Portland, Oregon: AAAI Press, 1996, pp. 226-231.
L. McInnes, J. Healy, and S. Astels, "HDBSCAN: Hierarchical density based clustering, " J. Open Source Softw., vol. 2, no. 11, 2017, Art. no. 205, doi: 10.21105/joss.00205.
S. Wang, S. Ali, and A. Gotlieb, "Cost-effective test suite minimization in product lines using search techniques, " J. Syst. Softw., vol. 103, pp. 370-391, 2015. [Online]. Available: Https://www.sciencedirect.com/science/article/pii/S0164121214001757
M. Zhang, S. Ali, and T. Yue, "Uncertainty-wise test case generation and minimization for cyber-physical systems, " J. Syst. Softw., vol. 153, pp. 1-21, 2019. [Online]. Available: Https://www.sciencedirect.com/science/article/pii/S0164121219300561
B. Li, J. Li, K. Tang, and X. Yao, "Many-objective evolutionary algorithms: A survey, " ACM Comput. Surv., vol. 48, no. 1, Sep. 2015, doi: 10.1145/2792984.
K. Deb, A. Pratap, S. Agarwal, and T. Meyarivan, "A fast and elitist multiobjective genetic algorithm: NSGA-II, " IEEE Trans. Evol. Comput., vol. 6, no. 2, pp. 182-197, Apr. 2002.
E. Zitzler, M. Laumanns, and L. Thiele, "Spea2: Improving the strength pareto evolutionary algorithm, " Computer Engineering and Communication Networks Lab (TIK), Swiss Federal Institute of Technology (ETH), Zurich, Tech. Rep. 103, 2001.
M. Kim, T. Hiroyasu, M. Miki, and S. Watanabe, "Spea2+: Improving the performance of the strength pareto evolutionary Algorithm 2, " in Parallel Problem Solving from Nature-PPSN VIII, X. Yao, E. K. Burke, J. A. Lozano, J. Smith, J. J. Merelo-Guervós, J. A. Bullinaria, J. E. Rowe, P. Ti?no, A. Kabán, and H.-P. Schwefel, Eds. Berlin, Heidelberg: Springer, 2004, pp. 742-751.
K. Deb and H. Jain, "An evolutionary many-objective optimization algorithm using reference-point-based nondominated sorting approach, Part I: Solving problems with box constraints, " IEEE Trans. Evol. Computation, vol. 18, no. 4, pp. 577-601, Aug. 2014.
A. Panichella, F. M. Kifetew, and P. Tonella, "Reformulating branch coverage as a many-objective optimization problem, " in Proc. IEEE 8th Int. Conf. Softw. Testing, Verification Validation (ICST), Graz, Austria. Piscataway, NJ, USA: IEEE Press, Apr. 2015, pp. 1-10.
H. Jain and K. Deb, "An evolutionary many-objective optimization algorithm using reference-point based nondominated sorting approach, Part II: Handling constraints and extending to an adaptive approach, " IEEE Trans. Evol. Comput., vol. 18, no. 4, pp. 602-622, Aug. 2014.
P. Ammann and J. Offutt, Introduction to Software Testing. Cambridge, U.K.: Cambridge Univ. Press, 2016.
G. Fraser and A. Arcuri, "Whole test suite generation, " IEEE Trans. Softw. Eng., vol. 39, no. 2, pp. 276-291, Feb. 2013.
A. Arcuri, "It does matter how you normalise the branch distance in search based software testing, " in Proc. 3rd Int. Conf. Softw. Testing, Verification Validation, Paris, France, Piscataway, NJ, USA: IEEE Press, Apr. 2010, pp. 205-214.
Z. Li, M. Harman, and R. M. Hierons, "Search algorithms for regression test case prioritization, " IEEE Trans. Softw. Eng., vol. 33, no. 4, pp. 225-237, Apr. 2007.
S. Busygin, O. Prokopyev, and P. M. Pardalos, "Biclustering in data mining, " Comput. & Oper. Res., vol. 35, no. 9, pp. 2964-2987, 2008. [Online]. Available: Https://www.sciencedirect.com/science/article/pii/S0305054807000159
B. Pontes, R. Giráldez, and J. S. Aguilar-Ruiz, "Biclustering on expression data: A review, " J. Biomed. Inform., vol. 57, pp. 163-180, 2015. [Online]. Available: Https://www.sciencedirect.com/science/article/pii/S1532046415001380
M. Attaoui, H. Fahmy, F. Pastore, and L. Briand, "Black-box safety analysis and retraining of DNNs based on feature extraction and clustering, " ACM Trans. Softw. Eng. Methodol., vol. 32, no. 3, Apr. 2023, doi: 10.1145/3550271.
M. O. Attaoui, H. Fahmy, F. Pastore, and L. Briand, "DNN explanation for safety analysis: An empirical evaluation of clustering-based approaches, " arXiv, 2023.
H. Hemmati, A. Arcuri, and L. Briand, "Achieving scalable model-based testing through test case diversity, " ACM Trans. Softw. Eng. Methodol., vol. 22, no. 1, pp. 1-42, 2013.
J. Thomé, L. K. Shar, D. Bianculli, and L. Briand, "Search-driven string constraint solving for vulnerability detection, " in Proc. IEEE/ACM 39th Int. Conf. Softw. Eng. (ICSE), Buenos Aires, Argentina, Piscataway, NJ, USA: IEEE Press, 2017, pp. 198-208.
S. Zhang, Y. Hu, and G. Bian, "Research on string similarity algorithm based on levenshtein distance, " in Proc. IEEE 2nd Adv. Inf. Technol., Electron. Automat. Control Conf. (IAEAC), Chongqing, China, Piscataway, NJ, USA: IEEE Press, 2017, pp. 2247-2251.
S. Mergen, "Extending the bag distance for string similarity search, " SN Comput. Sci., vol. 4, no. 2, Dec. 2022, doi: 10.1007/s42979-022-01502-5.
I. Bartolini, P. Ciaccia, and M. Patella, "String matching with metric trees using an approximate distance, " in String Process. Inf. Retrieval: 9th Int. Symp., SPIRE Lisbon, Portugal, Proc., Berlin, Heidelberg: Springer, 2002, pp. 271-283.
M. Biagiola, A. Stocco, F. Ricca, and P. Tonella, "Diversity-based web test generation, " in Proc. 27th ACM Joint Meeting Eur. Softw. Eng. Conf. Symp. Found. Softw. Eng., (ESEC/FSE), New York, NY, USA: ACM, 2019, pp. 142-153, doi: 10.1145/3338906.3338970.
B. Korte and J. Vygen, Combinatorial Optimization: Theory and Algorithms, 6th ed. Springer Publishing Company, Incorporated, 2018.
P. Slavík, "A tight analysis of the greedy algorithm for set cover, " in Proc. 28th Annu. ACM Symp. Theory Comput., (STOC), New York, NY, USA: ACM, 1996, pp. 435-441, doi: 10.1145/237814.237991.
V. V. Vazirani, Approximation Algorithms. Berlin, Heidelberg: Springer-Verlag, 2001.
B. Korte and R. Schrader, "On the existence of fast approximation schemes, " in Nonlinear Programming, O. L. Mangasarian, R. R. Meyer, and S. M. Robinson, Eds. Madison, Wisconsin. Academic Press, 1981, pp. 415-437. [Online]. Available: Https://www.sciencedirect.com/science/article/pii/B9780124686625500203
Eclipse Foundation, "Jenkins ci/cd server." 2018. [Online]. Available: Https://jenkins.io/
Joomla, "Joomla", 2018. [Online]. Available: Https://www.joomla.org/
(2018) Selenium Web Testing Framework, [Online]. Available: Https://www.seleniumhq.org/
N. B. Chaleshtari, F. Pastore, A. Goknil, and L. C. Briand, "Replication package, " 2023, doi: 10.5281/zenodo.770275.
"Cve-2018-1000406, concerns cwe-276, " MITRE. Nov. 2018. [Online]. Available: Https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000406
"Cve-2018-1000409, concerns otg-sess-003, " MITRE. 2018. [Online]. Available: Https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999003
"Cve-2018-1999003, concerns otg-authz-002, " MITRE. Nov. 2018. [Online]. Available: Https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999003
"Cve-2018-1999004, concerns otg-authz-002, " MITRE. 2018. [Online]. Available: Https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999004
"Cve-2018-1999006, concerns cwe-138, " MITRE. [Online]. Available: Https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999006
"Cve-2018-1999046, concerns otg-authz-002, " MITRE. Nov. 2018. [Online]. Available: Https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999046
"Cve-2020-2162, concerns otg-inpval-003, " MITRE. 2020. [Online]. Available: Https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2162
"Cve-2018-11327, concerns cwe-200, " MITRE. 2018. [Online]. Available: Https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11327
"Cve-2018-17857, concerns cwe-200." MITRE. 2018. [Online]. Available: Https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17857
Z.-w. Hui, X. Wang, S. Huang, and S. Yang, "MT-ART: A test case generation method based on adaptive random testing and metamorphic relation, " IEEE Trans. Rel., vol. 70, no. 4, pp. 1397-1421, Dec. 2021.
A. C. Barus, T. Y. Chen, F.-C. Kuo, H. Liu, and H. W. Schmidt, "The impact of source test case selection on the effectiveness of metamorphic testing, " in Proc. 1st Int. Workshop Metamorphic Testing, (MET), New York, NY, USA: ACM, 2016, pp. 5-11, doi: 10.1145/2896971.2896977.
N. Gupta, A. Sharma, and M. K. Pachariya, "Multi-objective test suite optimization for detection and localization of software faults, " J. King Saud Univ.-Comput. Inf. Sci., vol. 34, no. 6, Part A, pp. 2897-2909, 2022. [Online]. Available: Https://www.sciencedirect.com/science/article/pii/S1319157819313850
A. Kiran, W. H. Butt, M. W. Anwar, F. Azam, and B. Maqbool, "A comprehensive investigation of modern test suite optimization trends, tools and techniques, " IEEE Access, vol. 7, pp. 89093-89117, 2019.
M. Naz, Z. Anwaar, and W. H. Butt, "Automated white box test case generation for statement coverage using U-NSGA-III, " in Proc. 17th Int. Conf. Open Source Syst. Technol. (ICOSST), 2023, pp. 1-6.
Z. Aghababaeyan, M. Abdellatif, M. Dadkhah, and L. Briand, "DeepGD: A multi-objective black-box test selection approach for deep neural networks, " ACM Trans. Softw. Eng. Methodol., vol. 33, no. 6, Jun. 2024, doi: 10.1145/3644388.
I. Dinur and D. Steurer, "Analytical approach to parallel repetition, " in Proc. 46th Annu. ACM Symp. Theory Comput., (STOC), New York, NY, USA: ACM, 2014, pp. 624-633, doi: 10.1145/2591796.2591884.
A. Arcuri and L. Briand, "A hitchhiker's guide to statistical tests for assessing randomized algorithms in software engineering, " Softw. Test. Verif. Reliab., vol. 24, no. 3, pp. 219-250, May 2014, doi: 10.1002/stvr.1486.
A. Vargha and H. D. Delaney, "A critique and improvement of the CL common language effect size statistics of mcgraw and wong, " J. Educ. Behav. Statist., vol. 25, no. 2, pp. 101-132, 2000. [Online]. doi: 10.3102/10769986025002101.
B. Kitchenham et al., "Robust statistical methods for empirical software engineering, " Empirical Softw. Engg., vol. 22, no. 2, pp. 579-630, Apr. 2017, doi: 10.1007/s10664-016-9437-5.
J. Demšar, "Statistical comparisons of classifiers over multiple data sets, " J. Mach. Learn. Res., vol. 7, pp. 1-30, Dec. 2006.
D. S. Kerby, "The simple difference formula: An approach to teaching nonparametric correlation, " Comprehensive Psychol., vol. 3, pp. 11.IT.3.1, 2014, doi: 10.2466/11.IT.3.1.
C. Wohlin, P. Runeson, M. Hst, M. C. Ohlsson, B. Regnell, and A. Wessln, Experimentation in Software Engineering. Heidelberg, Germany: Springer Publishing Company, Incorporated, 2012.
T. Y. Chen, P.-L. Poon, and X. Xie, "Metric: Metamorphic relation identification based on the category-choice framework, " J. Syst. Softw., vol. 116, pp. 177-190, 2016. [Online]. Available: Https://www.sciencedirect.com/science/article/pii/S0164121215001624
C.-A. Sun, A. Fu, P.-L. Poon, X. Xie, H. Liu, and T. Y. Chen, "Metric++: A metamorphic relation identification technique based on input plus output domains, " IEEE Trans. Softw. Eng., vol. 47, no. 9, pp. 1764-1785, 2021.
B. Zhang, H. Zhang, J. Chen, D. Hao, and P. Moscato, "Automatic discovery and cleansing of numerical metamorphic relations, " in Proc. IEEE Int. Conf. Softw. Maintenance Evol. (ICSME), Cleveland, USA. Piscataway, NJ, USA: IEEE Press, 2019, pp. 235-245.
J. Ayerdi, V. Terragni, A. Arrieta, P. Tonella, G. Sagardui, and M. Arratibel, "Generating metamorphic relations for cyber-physical systems with genetic programming: An industrial case study, " in Proc. 29th ACM Joint Meeting Eur. Softw. Eng. Conf. Symp. Found. Softw. Eng., (ESEC/FSE), New York, NY, USA: ACM, 2021, pp. 1264-1274, doi: 10.1145/3468264.3473920.
A. Blasi, A. Gorla, M. D. Ernst, M. Pezzè, and A. Carzaniga, "MeMo: Automatically identifying metamorphic relations in javadoc comments for test automation, " J. Syst. Softw., vol. 181, 2021, Art. no. 111041. [Online]. Available: Https://www.sciencedirect.com/science/article/pii/S0164121221001382
S. Segura, J. C. Alonso, A. Martin-Lopez, A. Durán, J. Troya, and A. Ruiz-Cortés, "Automated generation of metamorphic relations for query-based systems, " in Proc. 7th Int. Workshop Metamorphic Testing, (MET), New York, NY, USA: ACM, 2023, pp. 48-55, doi: 10.1145/3524846.3527338.
J. Y. Tang, A. Yang, T. Y. Chen, and J. W. Ho, "Harnessing multiple source test cases in metamorphic testing: A case study in bioinformatics, " in Proc. IEEE/ACM 2nd Int. Workshop Metamorphic Testing (MET). Buenos Aires, Argentina. Piscataway, NJ, USA: IEEE Press, 2017, pp. 10-13.
M. Zhang, J. W. Keung, T. Y. Chen, and Y. Xiao, "Validating class integration test order generation systems with metamorphic testing, " Inf. Softw. Technol., vol. 132, 2021, Art. no. 106507. [Online]. Available: Https://www.sciencedirect.com/science/article/pii/S0950584920302470
J. Zhou, K. Qiu, Z. Zheng, T. Y. Chen, and P.-L. Poon, "Using metamorphic testing to evaluate dnn coverage criteria, " in Proc. IEEE Int. Symp. Softw. Rel. Eng. Workshops (ISSREW), Coimbra, Portugal. Piscataway, NJ, USA: IEEE Press, 2020, pp. 147-148.
P. Saha and U. Kanewala, "Fault detection effectiveness of source test case generation strategies for metamorphic testing, " in Proc. 3rd Int. Workshop Metamorphic Testing, (MET), New York, NY, USA: ACM, 2018, pp. 2-9, doi: 10.1145/3193977.3193982.
G. Fraser and A. Arcuri, "Evosuite: Automatic test suite generation for object-oriented software, " in Proc. 19th ACM SIGSOFT Symp. 13th Eur. Conf. Foundations Softw. Eng., (ESEC/FSE), New York, NY, USA: ACM, 2011, pp. 416-419, doi: 10.1145/2025113.2025179.
C.-a. Sun, B. Liu, A. Fu, Y. Liu, and H. Liu, "Path-directed source test case generation and prioritization in metamorphic testing, " J. Syst. Softw., vol. 183, 2022, Art. no. 111091. [Online]. Available: Https://www.sciencedirect.com/science/article/pii/S0164121221001886
C.-A. Sun, H. Dai, H. Liu, and T. Y. Chen, "Feedback-directed metamorphic testing, " ACM Trans. Softw. Eng. Methodol., vol. 32, no. 1, Feb. 2023, doi: 10.1145/3533314.