Enhancing Trust – A Unified Meta-Model for Software Security Vulnerability Analysis

Author: Sultan Alqahtani

DOI:

Keywords:

Abstract: Over the last decade, a globalization of the software industry has taken place which facilitated the sharing and reuse of code across existing project boundaries. At the same time, such global code reuse also introduces new challenges to the Software Engineering community, since not only the implementation is shared across systems but also any vulnerabilities it is exposed to. Hence, vulnerabilities found in APIs no longer affect individual projects but might instead spread across project and even ecosystem borders. Tracing vulnerabilities at this scale becomes an inherently difficult task, as many of the resources required for the analysis are growing at unprecedented rates and are spread across heterogeneous resources. Developers are struggling to identify and locate the data they need in order to take full advantage of these resources. The Semantic Web and its supporting technology stack have been widely promoted to model, integrate, and support interoperability among heterogeneous data sources. This dissertation makes four major contributions to address these challenges: (1) It provides a literature review of the use of security vulnerability databases (SVDBs) in the Software Engineering community. (2) Based on the findings from this review, we present SEVONT, a Semantic Web based modeling approach that supports a formal, semi-automated unification of vulnerability information. SEVONT introduces a multi-layer knowledge model that provides a unified knowledge representation and captures vulnerability information at different abstraction levels to allow for the seamless integration, analysis, and reuse of the modeled knowledge. The approach takes advantage of Formal Concept Analysis (FCA) to guide knowledge engineers in identifying reusable concepts and modeling them. (3) A Security Vulnerability Analysis Framework (SV-AF) is introduced, an instantiation of the SEVONT knowledge model that supports evidence-based vulnerability detection. The framework integrates different ontologies (and their data), allowing reasoning services to trace and assess the impact of security vulnerabilities across project boundaries. Several case studies are presented to illustrate the applicability and flexibility of our modelling approach, demonstrating that it not only unifies heterogeneous vulnerability data sources but also enables new types of vulnerability analysis.
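As an added illustration of the kind of analysis the abstract describes (this is not the dissertation's own code, nor its SEVONT ontology or SV-AF implementation), the block below maps two constructed vulnerability records with different schemas onto one shared triple vocabulary, merges them on their common vulnerability identifier, and then applies a single transitive rule over a constructed dependency graph to list every project exposed to the vulnerable API, together with the dependency path that explains the exposure. All identifiers, package names, predicates, and dependency facts are placeholders chosen for the example.

```python
"""Added example: unify heterogeneous vulnerability records into one triple
representation and reason over dependency facts to trace cross-project impact.
Not the dissertation's code; all data below is constructed for illustration."""
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

Triple = Tuple[str, str, str]

# Constructed records in two deliberately different shapes, standing in for
# two heterogeneous vulnerability sources. Identifiers are placeholders.
SOURCE_NVD_LIKE = [
    {"id": "EXAMPLE-VULN-1", "product": "libparse", "version": "1.2", "cvss": 7.5},
]
SOURCE_ADVISORY_LIKE = [
    {"advisory": "EXAMPLE-ADV-9", "refs": ["EXAMPLE-VULN-1"], "package": "libparse",
     "versions": ["1.2", "1.3"], "severity": "high"},
]
# Constructed dependency facts (e.g. as extracted from build manifests).
DEPENDENCIES = [
    ("app-frontend", "svc-auth"),
    ("svc-auth", "libparse@1.2"),
    ("svc-billing", "libparse@1.4"),  # version not listed as affected by either source
    ("tool-cli", "libparse@1.3"),
]


def unify(nvd_like, advisory_like, dependencies) -> Set[Triple]:
    """Map both source schemas onto one (subject, predicate, object) vocabulary.
    Records referring to the same vulnerability id collapse onto one node, so
    facts from both sources attach to a single subject."""
    triples: Set[Triple] = set()
    for rec in nvd_like:
        vuln = rec["id"]
        triples.add((vuln, "type", "Vulnerability"))
        triples.add((vuln, "affects", f'{rec["product"]}@{rec["version"]}'))
        triples.add((vuln, "cvss", str(rec["cvss"])))
    for rec in advisory_like:
        for vuln in rec["refs"]:
            triples.add((vuln, "type", "Vulnerability"))
            for ver in rec["versions"]:
                triples.add((vuln, "affects", f'{rec["package"]}@{ver}'))
            triples.add((vuln, "reportedBy", rec["advisory"]))
    for user, dep in dependencies:
        triples.add((user, "dependsOn", dep))
    return triples


def affected_versions(triples: Set[Triple], vuln: str) -> Set[str]:
    """Affected component versions known for a vulnerability after unification."""
    return {o for s, p, o in triples if s == vuln and p == "affects"}


def affected_projects(triples: Set[Triple], vuln: str) -> Dict[str, List[str]]:
    """Inference rule: X dependsOn Y and Y is affected => X is affected.
    Returns each exposed project with the dependency chain that explains it."""
    reverse = defaultdict(list)  # component -> projects that depend on it
    for s, p, o in triples:
        if p == "dependsOn":
            reverse[o].append(s)
    result: Dict[str, List[str]] = {}
    queue = deque((seed, [seed]) for seed in sorted(affected_versions(triples, vuln)))
    while queue:
        node, path = queue.popleft()
        for dependant in reverse[node]:
            if dependant not in result:
                result[dependant] = path + [dependant]
                queue.append((dependant, path + [dependant]))
    return result


if __name__ == "__main__":
    kb = unify(SOURCE_NVD_LIKE, SOURCE_ADVISORY_LIKE, DEPENDENCIES)
    for project, chain in affected_projects(kb, "EXAMPLE-VULN-1").items():
        print(f"{project}: exposed via {' <- '.join(chain)}")
```

The point of the unification step is that the advisory-style record adds version 1.3 to the same vulnerability node that the NVD-style record created, so a consumer of version 1.3 is reported as exposed even though only one source lists it; the reasoning step then needs nothing but the `dependsOn` relation to cross project boundaries.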
