A Survey on the State of the Art of Vulnerability Assessment Techniques

  1. Sotos Martínez, Eva
  2. Villanueva, Nora M.
  3. Orellana, Lilian Adkinson
Libro:
14th International Conference on Computational Intelligence in Security for Information Systems and 12th International Conference on European Transnational Educational (CISIS 2021 and ICEUTE 2021)

ISSN: 2194-5357 2194-5365

ISBN: 9783030878719 9783030878726

Ano de publicación: 2021

Páxinas: 203-213

Tipo: Capítulo de libro

DOI: 10.1007/978-3-030-87872-6_20 GOOGLE SCHOLAR lock_openAcceso aberto editor

Referencias bibliográficas

  • Samonas, S., Coss, D.: The cia strikes back: redefining confidentiality, integrity and availability in security. J. Inf. Syst. Securi. 10(3), 21–45 (2014)
  • Ghaffarian, S.M., Shahriari, H.R.: Software vulnerability analysis and discovery using machine-learning and data-mining techniques: a survey. ACM Comput. Surv. (CSUR) 50(4), 1–36 (2017)
  • Engler, D., Chen, D.Y., Hallem, S., Chou, A., Chelf, B.: Bugs as deviant behavior: a general approach to inferring errors in systems code. ACM SIGOPS Oper. Syst. Rev. 35(5), 57–72 (2001)
  • Li, Z., Zhou, Y.: PR-Miner: automatically extracting implicit programming rules and detecting violations in large software code. ACM SIGSOFT Softw. Eng. Not. 30(5), 306–315 (2005)
  • Wasylkowski, A., Zeller, A., Lindig, C.: Detecting object usage anomalies. In: Proceedings of the 6th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (2007)
  • Gruska, N., Wasylkowski, A., Zeller, A.: Learning from 6,000 projects: lightweight cross-project anomaly detection. In: Proceedings of the 19th International Symposium on Software Testing and Analysis, pp. 119–130 (2010)
  • Acharya, M., Xie, T., Pei, J., Xu, J.: Mining API patterns as partial orders from source code: from usage scenarios to specifications. In: Proceedings of the 6th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (2007)
  • Chang, R.Y., Podgurski, A., Yang, J.: Discovering neglected conditions in software by mining dependence graphs. IEEE Trans. Soft. Eng. 34(5), 579–596 (2008)
  • Thummalapenta, S., Xie, T.: Alattin: mining alternative patterns for detecting neglected conditions. In: 2009 IEEE/ACM International Conference on Automated Software Engineering, pp. 283–294. IEEE (2009)
  • Livshits, B., Zimmermann, T.: Dynamine: finding common error patterns by mining software revision histories. ACM SIGSOFT Softw. Eng. Not. 30(5), 296–305 (2005)
  • Yamaguchi, F., Lottmann, M., Rieck, K.: Generalized vulnerability extrapolation using abstract syntax trees. In: Proceedings of the 28th Annual Computer Security Applications Conference, pp. 359–368 (2012)
  • Yamaguchi, F., Golde, N., Arp, D., Rieck, K.: Modeling and discovering vulnerabilities with code property graphs. In: 2014 IEEE Symposium on Security and Privacy, pp. 590–604. IEEE (2014)
  • Yamaguchi, F., Maier, A., Gascon, H., Rieck, K.: Automatic inference of search patterns for taint-style vulnerabilities. In: 2015 IEEE Symposium on Security and Privacy, pp. 797–812. IEEE (2015)
  • Shar, L.K., Tan, H.B.K.: Predicting SQL injection and cross site scripting vulnerabilities through mining input sanitization patterns. Inf. Softw. Technol. 55(10), 1767–1780 (2013)
  • Shar, L.K., Briand, L.C., Tan, H.B.K.: Web application vulnerability prediction using hybrid program analysis and machine learning. IEEE Trans. Depend. Secure Comput. 12(6), 688–707 (2014)
  • Grieco, G., Grinblat, G.L., Uzal, L., Rawat, S., Feist, J., Mounier, L.: Toward large-scale vulnerability discovery using machine learning. In: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, pp. 85–96 (2016)
  • Li, Z., Zou, D., Xu, S., Jin, H., Zhu, Y., Chen, Z.: SySeVR: a framework for using deep learning to detect software vulnerabilities. Trans. Depen. Secure Comput. (2021)
  • Li, Z., et al.: Vuldeepecker: a deep learning-based system for vulnerability detection. arXiv preprintarXiv:1801.01681 (2018)
  • Neuhaus, S., Zimmermann, T., Holler, C., Zeller, A.: Predicting vulnerable software components. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 529–540 (2007)
  • Schröter, A., Zimmermann, T., Zeller, A.: Predicting component failures at design time. In: Proceedings of the 2006 ACM/IEEE International Symposium on Empirical Software Engineering, pp. 18–27 (2006)
  • Shin, Y., Williams, L.: An empirical model to predict security vulnerabilities using code complexity metrics. In: Proceedings of the Second ACM-IEEE International Symposium on Empirical Software Engineering and Measurement, pp. 315–317 (2008)
  • Shin, Y., Meneely, A., Williams, L., Osborne, J.A.: Evaluating complexity, code churn, and developer activity metrics as indicators of software vulnerabilities. IEEE Trans. Softw. Eng. 37(6), 772–787 (2010)
  • Gegick, M., Williams, L., Osborne, J., Vouk, M.: Prioritizing software security fortification throughcode-level metrics. In: Proceedings of the 4th ACM Workshop on Quality of Protection, pp. 31–38 (2008)
  • Morrison, P., Herzig, K., Murphy, B., Williams, L.: Challenges with applying vulnerability prediction models. In: Proceedings of the 2015 Symposium and Bootcamp on the Science of Security, pp. 1–9 (2015)
  • Zimmermann, T., Nagappan, N., Williams, L.: Searching for a needle in a haystack: predicting security vulnerabilities for windows vista. In: 2010 3rd International Conference on Software Testing, Verification and Validation. IEEE (2010)
  • Younis, A., Malaiya, Y., Anderson, C., Ray, I.: To fear or not to fear that is the question: code characteristics of a vulnerable function with an existing exploit. In: Proceedings of the 6th ACM Conference on Data and Application Security and Privacy (2016)
  • Bilgin, Z., Ersoy, M.A., Soykan, E.U., Tomur, E., Çomak, P., Karaçay, L.: Vulnerability prediction from source code using machine learning. IEEE Access 8, 150672–150684 (2020)
  • Hastie, T., Tibshirani, R., Friedman, J.: The elements of statistical learning: data mining, inference, and prediction. Springer Science & Business Media (2009)
  • Shin, Y., Williams, L.: Can traditional fault prediction models be used for vulnerability prediction? Empirical Softw. Eng. 18(1), 25–59 (2013)
  • Jacobs, J., Romanosky, S., Edwards, B., Roytman, M., Adjerid, I.: Exploit prediction scoring system (epss). arXiv preprintarXiv:1908.04856 (2019)
  • Bhatt, N., Anand, A., Yadavalli, V.S.S.: Exploitability prediction of software vulnerabilities. Qual. Ability Eng. Int. 37(2), 648–663 (2021)
  • Chen, H., Liu, R., Park, N., Subrahmanian, V.S.: Using twitter to predict when vulnerabilities will be exploited. In: Proceedings of the 25th ACM SIGKDD Internacional Conference on Knowledge Discovery & Data Mining, pp. 3143–3152 (2019)
  • Farris, K.A., Shah, A., Cybenko, G., Ganesan, R., Jajodia, S.: Vulcon: a system for vulnerability prioritization, mitigation, and management. ACM Trans. Priv. Secur. (TOPS) 21(4), 1–28 (2018)
  • Edkrantz, M., Said, A.: Predicting cyber vulnerability exploits with machine learning. In: SCAI, pp. 48–57 (2015)
  • Almukaynizi, M., Nunes, E., Dharaiya, K., Senguttuvan, M., Shakarian, J., Shakarian, P.: Proactive identification of exploits in the wild through vulnerability mentions online. In: 2017 International Conference on Cyber Conflict (CyCon US), pp. 82–88. IEEE (2017)
  • Sabottke, C., Suciu, O., Dumitraş, T.: Vulnerability disclosure in the age of social media: exploiting twitter for predicting real-world exploits. In: 24th $$\{$$USENIX$$\}$$ Security Symposium ($$\{$$USENIX$$\}$$ Security 2015), pp. 1041–1056 (2015)
  • Hassan, A.E., Holt, R.C.: Predicting change propagation in software systems. In: 20th IEEE International Conference on Software Maintenance. Proceedings. IEEE (2004)
  • Li, B., Sun, X., Leung, H., Zhang, S.: A survey of code-based change impact analysis techniques. Softw. Test. Verif. Reliab. 23(8) (2013)
  • Cadariu, M., Bouwers, E., Visser, J., van Deursen, A.: Tracking known security vulnerabilities in proprietary software systems. In: IEEE 22nd International Conference on Software Analysis, Evolution, and Reengineering (SANER). IEEE (2015)
  • Plate, H., Ponta, S.E., Sabetta, A.: Impact assessment for vulnerabilities in open-source software libraries. In: 2015 IEEE International Conference on Software Maintenance and Evolution (ICSME), pp. 411–420. IEEE(2015)
  • Christiansen, T., Wall, L., Orwant, J., et al.: Programming Perl: Unmatched Power for Text Processing and Scripting. O’Reilly Media, Inc. (2012)
  • Haldar, V., Chandra, D., Franz, M.: Dynamic taint propagation for Java. In: 21st Annual Computer Security Applications Conference (ACSAC 2005). IEEE (2005)
  • Abadi, M., Jalili, S.: An ant colony optimization algorithm for network vulnerability analysis. Iran. J. Electr. Electron. Eng. 2(3) (2006)
  • Feng, N., Wang, H.J., Li, M.: A security risk analysis model for information systems: causal relationships of risk factors and vulnerability propagation analysis. Inf. Sci. 256, 57–73 (2014)
  • Hu, W., Wang, Y., Liu, X., Sun, J., Gao, Q., Huang, Y.: Open source software vulnerability propagation analysis algorithm based on knowledge graph. In: IEEE International Conference on Smart Cloud (SmartCloud), pp. 121–127. IEEE (2019)
  • Agrawal, A., Khan, R.A.: Impact of inheritance on vulnerability propagation at design phase. ACM SIGSOFT Soft. Eng. Notes 34(4), 1–5 (2009)
  • Garg, U., Sikka, G., Awasthi, L.K.: Empirical analysis of attack graphs for mitigating critical paths and vulnerabilities. Comput. Secur. 77 (2018)