Multi-Agent System; Multi-Layer Knowledge Graph; Software Security; Static Analysis; Web Application Vulnerabilities; Knowledge based; Knowledge graphs; Multi-layer knowledge graph; Multi-layers; Multiagent systems (MASs); Software security; Vulnerability detection; WEB application; Web application vulnerability; Web applications; Artificial Intelligence; Computer Networks and Communications; Computer Science Applications; Information Systems; Information Systems and Management
Abstract :
The growing use of the web has led to a rise in cyber attacks exploiting software vulnerabilities, thereby causing significant damage to companies and individuals. Static analysis tools can assist programmers in identifying vulnerabilities within their code. However, these tools are prone to producing false positives and lack precision, which relegates them to a somewhat marginalised role in software development. This paper proposes a new and more effective static analysis approach for assessing and evaluating web applications against vulnerabilities by using a knowledge-based multi-agent system web vulnerability detector called KAVE. The multi-agent system performs static taint analysis over a specially designed multi-layer knowledge graph, where this graph aggregates diverse interconnected representations of the lexical and semantic features of the application's source code, their data and control flows, and function calls. Additionally, this graph integrates security properties associated with vulnerabilities. The evaluation results of KAVE and comparison with existing tools showed that KAVE employs an effective and efficient method to detect vulnerabilities in web applications, finding 235 vulnerabilities with a precision of 95.9% over 12 open-source PHP web applications.
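To illustrate the idea of taint analysis over a multi-layer graph that carries security knowledge, the following is an added toy example (not KAVE's code): a constructed PHP snippet is modelled as nodes with a data-flow layer, a call layer and a security layer (source / sanitizer / sink per vulnerability class), and taint is propagated from each source to report sinks reached without a matching sanitizer. The statement nodes, edges and class labels are all constructed for this example.

```python
from collections import deque

# Constructed PHP snippet, one graph node per statement (lexical layer).
STMTS = {
    "s1": "$id = $_GET['id'];",
    "s2": "$name = $_GET['name'];",
    "s3": "$safe_id = intval($id);",
    "s4": 'mysqli_query($db, "SELECT * FROM t WHERE id=$safe_id");',
    "s5": "greet($name);",
    "s6": 'function greet($who) { echo "Hi $who"; }',
    "s7": "echo htmlspecialchars($name);",
}
# Data-flow layer: def-use edges (statement defining a value -> statement using it).
DATAFLOW = {"s1": ["s3"], "s3": ["s4"], "s2": ["s5", "s7"]}
# Call layer: call site -> callee whose parameter receives the argument.
CALLS = {"s5": ["s6"]}
# Security layer: vulnerability classes attached to nodes as source / sanitizer / sink.
SECURITY = {
    "s1": {"source": {"SQLi", "XSS"}},
    "s2": {"source": {"SQLi", "XSS"}},
    "s3": {"sanitizer": {"SQLi"}},                  # intval() neutralises SQLi only
    "s4": {"sink": {"SQLi"}},
    "s6": {"sink": {"XSS"}},                        # echo inside greet()
    "s7": {"sanitizer": {"XSS"}, "sink": {"XSS"}},  # htmlspecialchars() before echo
}

def successors(node):
    """Outgoing edges taken over the data-flow and call layers together."""
    return DATAFLOW.get(node, []) + CALLS.get(node, [])

def find_vulnerabilities():
    """Propagate each source's taint class; report sinks of that class reached
    without a matching sanitizer. Returns sorted (vuln, source, sink, path)."""
    findings = []
    for src, props in SECURITY.items():
        for vuln in props.get("source", set()):
            queue, seen = deque([(src, [src])]), {src}
            while queue:
                node, path = queue.popleft()
                sec = SECURITY.get(node, {})
                if node != src and vuln in sec.get("sanitizer", set()):
                    continue  # this class is neutralised here; stop propagating
                if vuln in sec.get("sink", set()):
                    findings.append((vuln, src, node, path))
                for nxt in successors(node):
                    if nxt not in seen:
                        seen.add(nxt)
                        queue.append((nxt, path + [nxt]))
    return sorted(findings)
```

Only the XSS flow through the call layer (s2 -> greet() -> echo) is reported; the SQLi path is cut at intval() and the second echo is cut at htmlspecialchars().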
Research center :
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > SerVal - Security, Reasoning & Validation
Disciplines :
Computer science
Author, co-author :
ROSA MESQUITA RAMIRES, Rafael Francisco ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SerVal ; Universidade de Lisboa, Lasige, Di, Faculdade de Ciências, Portugal
Respício, Ana; Universidade de Lisboa, Lasige, Di, Faculdade de Ciências, Portugal
Medeiros, Ibéria; Universidade de Lisboa, Lasige, Di, Faculdade de Ciências, Portugal
External co-authors :
yes
Language :
English
Title :
KAVE: A Knowledge-Based Multi-Agent System for Web Vulnerability Detection
Publication date :
July 2024
Event name :
2024 IEEE International Conference on Web Services (ICWS)
Event place :
Shenzhen, China
Event date :
07-07-2024 to 13-07-2024
Main work title :
Proceedings - 2024 IEEE International Conference on Web Services, ICWS 2024
Editor :
Chang, Rong N.
Publisher :
Institute of Electrical and Electronics Engineers Inc.
This work was supported by FCT through the LASIGE Research Unit, ref. UIDB/00408/2020 (https://doi.org/10.54499/UIDB/00408/2020) and ref. UIDP/00408/2020 (https://doi.org/10.54499/UIDP/00408/2020). It is based upon work from COST Action CA22104 - Behavioral Next Generation in Wireless Networks for Cyber Security (BEiNG-WISE), supported by COST (European Cooperation in Science and Technology) www.cost.eu.