Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis
In previous work, we proposed a set of static attributes that characterize input validation and input sanitization code patterns. We showed that some of the proposed static attributes are significant predictors of SQL injection and cross site scripting vulnerabilities. Static attributes have the adv...
Saved in:
| Main Authors: | , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2013
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/4781 https://ink.library.smu.edu.sg/context/sis_research/article/5784/viewcontent/Mining_SQL_Injection_and_Cross_Site_Scripting_Vulnerabilities_using_Hybrid_Program_Analysis_ICSE13.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-5784 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-57842020-01-16T10:18:47Z Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis SHAR, Lwin Khin TAN, Hee Beng Kuan BRIAND, Lionel C. In previous work, we proposed a set of static attributes that characterize input validation and input sanitization code patterns. We showed that some of the proposed static attributes are significant predictors of SQL injection and cross site scripting vulnerabilities. Static attributes have the advantage of reflecting general properties of a program. Yet, dynamic attributes collected from execution traces may reflect more specific code characteristics that are complementary to static attributes. Hence, to improve our initial work, in this paper, we propose the use of dynamic attributes to complement static attributes in vulnerability prediction. Furthermore, since existing work relies on supervised learning, it is dependent on the availability of training data labeled with known vulnerabilities. This paper presents prediction models that are based on both classification and clustering in order to predict vulnerabilities, working in the presence or absence of labeled training data, respectively. In our experiments across six applications, our new supervised vulnerability predictors based on hybrid (static and dynamic) attributes achieved, on average, 90% recall and 85% precision, that is a sharp increase in recall when compared to static analysis-based predictions. Though not nearly as accurate, our unsupervised predictors based on clustering achieved, on average, 76% recall and 39% precision, thus suggesting they can be useful in the absence of labeled training data. 2013-05-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/4781 info:doi/10.1109/ICSE.2013.6606610 https://ink.library.smu.edu.sg/context/sis_research/article/5784/viewcontent/Mining_SQL_Injection_and_Cross_Site_Scripting_Vulnerabilities_using_Hybrid_Program_Analysis_ICSE13.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Defect prediction vulnerability input validation and sanitization static and dynamic analysis empirical study Software Engineering |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Defect prediction vulnerability input validation and sanitization static and dynamic analysis empirical study Software Engineering |
| spellingShingle |
Defect prediction vulnerability input validation and sanitization static and dynamic analysis empirical study Software Engineering SHAR, Lwin Khin TAN, Hee Beng Kuan BRIAND, Lionel C. Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis |
| description |
In previous work, we proposed a set of static attributes that characterize input validation and input sanitization code patterns. We showed that some of the proposed static attributes are significant predictors of SQL injection and cross site scripting vulnerabilities. Static attributes have the advantage of reflecting general properties of a program. Yet, dynamic attributes collected from execution traces may reflect more specific code characteristics that are complementary to static attributes. Hence, to improve our initial work, in this paper, we propose the use of dynamic attributes to complement static attributes in vulnerability prediction. Furthermore, since existing work relies on supervised learning, it is dependent on the availability of training data labeled with known vulnerabilities. This paper presents prediction models that are based on both classification and clustering in order to predict vulnerabilities, working in the presence or absence of labeled training data, respectively. In our experiments across six applications, our new supervised vulnerability predictors based on hybrid (static and dynamic) attributes achieved, on average, 90% recall and 85% precision, that is a sharp increase in recall when compared to static analysis-based predictions. Though not nearly as accurate, our unsupervised predictors based on clustering achieved, on average, 76% recall and 39% precision, thus suggesting they can be useful in the absence of labeled training data. |
| format |
text |
| author |
SHAR, Lwin Khin TAN, Hee Beng Kuan BRIAND, Lionel C. |
| author_facet |
SHAR, Lwin Khin TAN, Hee Beng Kuan BRIAND, Lionel C. |
| author_sort |
SHAR, Lwin Khin |
| title |
Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis |
| title_short |
Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis |
| title_full |
Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis |
| title_fullStr |
Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis |
| title_full_unstemmed |
Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis |
| title_sort |
mining sql injection and cross site scripting vulnerabilities using hybrid program analysis |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2013 |
| url |
https://ink.library.smu.edu.sg/sis_research/4781 https://ink.library.smu.edu.sg/context/sis_research/article/5784/viewcontent/Mining_SQL_Injection_and_Cross_Site_Scripting_Vulnerabilities_using_Hybrid_Program_Analysis_ICSE13.pdf |
| _version_ |
1770575029333917696 |