Identify And Eliminating Online Application Misbehaviors by Static Analysis Approach

Authors

  • P Abdul Habeeb  Department of Computer Science & Engineering, Shadan College of Engineering & Technology, Hyderabad, Telangana, India
  • Md Ateeq Ur Rahman  Department of Computer Science & Engineering, Shadan College of Engineering & Technology, Hyderabad, Telangana, India

Keywords:

Data Mining, Web Protection, Input Validation Vulnerabilities, Software Security, Source Code Static Analysis, Web Applications, PHP

Abstract

Although web application security has been the subject of extensive research for over 10 years, securing web applications remains a difficult problem. A significant part of that problem stems from unprotected source code, often written in unsafe languages such as PHP. Source code static analysis tools are one answer for finding vulnerabilities, but they tend to produce false positives and require considerable effort from programmers to correct the code. We investigate the use of a combination of techniques to find vulnerabilities in source code with fewer false positives. We combine taint analysis, which finds candidate vulnerabilities, with data mining, to predict the existence of false positives. This approach brings together two apparently orthogonal methodologies: humans coding the knowledge about vulnerabilities (for taint analysis), combined with the seemingly orthogonal approach of automatically obtaining that knowledge (with machine learning, for data mining). Given this enhanced form of detection, we propose performing automatic code correction by inserting fixes in the source code. Our approach was implemented in the WAP tool, and an experimental evaluation was performed with a large set of PHP applications. Our tool found 388 vulnerabilities in 1.4 million lines of code. Its accuracy and precision were roughly 5% better than PhpMinerII's and 45% better than Pixy's.
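As an added illustration (not code from the paper or from the WAP tool), the following Python script performs the taint-analysis half of the approach on a constructed PHP fragment: request parameters are the sources, mysql_query is the sink, mysql_real_escape_string clears the taint, and each confirmed source-to-sink flow gets a fix inserted at the line where the tainted value enters. The data-mining classifier that filters false positives is not shown, and the source, sink and sanitizer lists are assumptions of the example.

```python
import re

# Constructed PHP fragment (not from the paper): one request value reaches
# a SQL sink unsanitized, a second one goes through a sanitizer first.
PHP_SAMPLE = """\
$u = $_GET['user'];
$q = "SELECT * FROM t WHERE name='" . $u . "'";
$r = mysql_query($q);
$p = mysql_real_escape_string($_POST['pass']);
$q2 = "SELECT 1 FROM t WHERE pass='" . $p . "'";
mysql_query($q2);""".splitlines()

SANITIZER = "mysql_real_escape_string"          # assumed: clears SQL-injection taint
SINK = "mysql_query"                            # assumed: SQL-injection sink
SOURCE_USE = re.compile(r"\$_(GET|POST|COOKIE|REQUEST)\[[^\]]*\]")  # entry points
SANITIZED = re.compile(re.escape(SANITIZER) + r"\([^()]*\)")
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);\s*$")
SINK_CALL = re.compile(r"\b" + SINK + r"\s*\(\s*(.+?)\s*\)")

def taint_origin(expr, tainted, here):
    """Line index where the taint in expr enters the program, or None if clean."""
    expr = SANITIZED.sub("''", expr)            # sanitized sub-expressions are clean
    if SOURCE_USE.search(expr):
        return here
    for var, origin in tainted.items():
        if re.search(re.escape(var) + r"\b", expr):
            return origin
    return None

def analyse(lines):
    """Flow-sensitive taint pass over simple one-statement-per-line PHP.
    Returns (findings, fixed): findings are (sink_line, origin_line), 1-based;
    fixed is the source with the sanitizer inserted where the taint enters."""
    tainted, findings, fixed = {}, [], list(lines)
    for i, line in enumerate(lines):
        sink = SINK_CALL.search(line)
        if sink:
            origin = taint_origin(sink.group(1), tainted, i)
            if origin is not None:
                findings.append((i + 1, origin + 1))
                fixed[origin] = SOURCE_USE.sub(     # wrap each source use on that line
                    lambda s: f"{SANITIZER}({s.group(0)})", lines[origin])
        m = ASSIGN.match(line)
        if m:
            var, expr = m.groups()
            origin = None if sink else taint_origin(expr, tainted, i)
            if origin is None:
                tainted.pop(var, None)              # overwritten with a clean value
            else:
                tainted[var] = origin
    return findings, fixed
```

Running analyse a second time over the fixed output reports no findings, which is the check a practitioner would use to confirm the inserted fix actually closes the reported flow.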

Published

2017-10-31

Section

Research Articles

How to Cite

P Abdul Habeeb, Md Ateeq Ur Rahman, "Identify And Eliminating Online Application Misbehaviors by Static Analysis Approach", International Journal of Scientific Research in Computer Science, Engineering and Information Technology (IJSRCSEIT), ISSN: 2456-3307, Volume 2, Issue 5, pp. 525-530, September-October 2017.