Home   >   CSC-OpenAccess Library   >    Manuscript Information
Full Text Available

(494.59KB)
This is an Open Access publication published under CSC-OpenAccess Policy.
Publications from CSC-OpenAccess Library are being accessed from over 74 countries worldwide.
Software Design Level Vulnerability Classification Model
Shabana Rehman, Khurram Mustafa
Pages - 238 - 255     |    Revised - 15-07-2012     |    Published - 10-08-2012
Volume - 6   Issue - 4    |    Publication Date - August 2012  Table of Contents
MORE INFORMATION
KEYWORDS
Security Vulnerabilities, Classification, Machine Leaning, Design Phase
ABSTRACT
Classification of software security vulnerability no doubt facilitates the understanding of security-related information and accelerates vulnerability analysis. The lack of proper classification not only hinders its understanding but also renders the strategy of developing mitigation mechanism for clustered vulnerabilities. Now software developers and researchers are agreed on the fact that requirement and design phase of the software are the phases where security incorporation yields maximum benefits. In this paper we have attempted to design a classifier that can identify and classify design level vulnerabilities. In this classifier, first vulnerability classes are identified on the basis of well established security properties like authentication and authorization. Vulnerability training data is collected from various authentic sources like Common Weakness Enumeration (CWE), Common Vulnerabilities and Exposures (CVE) etc. From these databases only those vulnerabilities were included whose mitigation is possible at the design phase. Then this vulnerability data is pre-processed using various processes like text stemming, stop word removal, cases transformation. After pre-processing, SVM (Support Vector Machine) is used to classify vulnerabilities. Bootstrap validation is used to test and validate the classification process performed by the classifier. After training the classifier, a case study is conducted on NVD (National Vulnerability Database) design level vulnerabilities. Vulnerability analysis is done on the basis of classification result.
1 Google Scholar 
2 CiteSeerX 
3 refSeek 
4 TechRepublic 
5 Scribd 
6 SlideShare 
7 PdfSR 
1 P.T. Devanbu and S. Stubblebine, “Software Engineering for Security: a Roadmap”. International Conference on Software Engineering 2000 special volume on the Future of Software Engineering, 2000, pp.227-239.
2 G. Hoglund and G. McGraw. “Exploiting Software: How to Break Code”, New York: Addison-Wesley, 2004
3 L. Lowis and R. Accorsi. “On a Classification Approach for SOA Vulnerabilities”, 33rd Annual IEEE International Computer Software and Applications Conference. 2009, pp 439- 444.
4 V.C. Berghe, J. Riordan and Piessens “A Vulnerability Taxonomy Methodology applied to Web Services”, 10th Nordic Workshop on Secure IT Systems, 2005.
5 N. Moha. “Detection and Correction of Design Defects in Object-Oriented Designs”. Doctoral Symposium, 21st International Conference on Object-Oriented Programming, Systems, Languages and Application, 2007.
6 I.V. Krsul, “Software Vulnerability Analysis”. Ph.D. Thesis. Purdue University. USA, 1998.
7 S. Rehman, and K.Mustafa. “Software Design Level Security Vulnerabilities”, International Journal of Software Engineering, 4 (2). 2011.
8 T. Joachims. “Text categorization with support vector machines: learning with many relevant features”. 10th European Conference on Machine Learning. 1998.
9 J. A. Wang, and M. Guo. “OVM: An Ontology for Vulnerability Management”. 7th Annual Cyber Security and Information Intelligence Research Workshop.Tennessee, USA. 2009.
10 Z. Chen, Y. Zhang, and Z. Chen “A Categorization Framework for Common Computer Vulnerabilities and Exposures”. Computer Journal Advance Access, 2009. Available: http://comjnl.oxfordjournals.org/ cgi/content/abstract/bxp040.
11 P.H. Meland, and J. Jensen. “Secure Software Design in Practice”. Third International Conference on Availability, Reliability and Security. 2008.
12 Y. Li, H.S. Venter, and J.H.P Eloff. “Categorizing vulnerabilities using data clustering techniques”, Information and Computer Security Architectures (ICSA) Research Group. 2009.
13 N.H.Pham, T.T Nguyen, H.A Nguyen,., X.Wang, , A.T. Nguyen, and T.N Nguyen. “Detecting Recurring and Similar Software Vulnerabilities”, International Conference of Software Engineering. Cape Town, South Africa. 2010.
14 D. Byers, S. Ardi, , N. Shahmehri and C. Duma. “Modelling Software Vulnerabilities with Vulnerability Cause Graphs”. 22nd IEEE International Conference on Software Maintenance. , 2006.
15 V. Sridharan, and D.R. Kaeli . “Quantifying Software Vulnerability”. Workshop on Radiation effects and fault tolerance in nanometer technologies, Ischia, Italy, 2008.
16 Y.Wu, R.A. Gandhi, and H. Siy. “Using Semantic Templates to Study Vulnerabilities Recorded in Large Software Repositories”. 6th International workshop on software Engineering for secure system, Cape Town, South Africa. 2010.
17 G. Grefenstette and P. Tapanainen. “What is a Word, What is a Sentence? Problems of Tokenization”. 3rd Conference on Computational Lexicography and Text Research . 1994, pp. 79-87.
18 C. Fox. “Lexical Analysis and Stoplist-Data Structures and Algorithms”. New York: Prentice- Hall. 1992.
19 M. F. Porter. “Snowball: A string processing language for creating stemming algorithms in information retrieval”, 2008. Available: http://snowball.tartarus.org.
20 Lemur Project (2008). The Lemur Toolkit: For Language Modeling and Information Retrieval, 2008. Available: http://www.lemurproject.org.
21 M. Braschler and B. Ripplinger, “How Effective is Stemming and Decompounding for German Text Retrieval”. Information Retrieval, 7, 2003, pp.291–316.
22 C.D. Manning, P. Raghavan, and H. Schütze. “Introduction to Information Retrieval”, Cambridge University Press. 2008.
23 A. Rajaraman, and J.D. Ullman, Mining of Massive Datasets. 2010. Available: http://infolab.stanford.edu/~ullman/mmds/ch1.pdf
24 A. Basu, C. Walters, M. Shepherd. “Support vector machines for text categorization”. 36th Annual Hawaii International Conference,2003
25 T. Joachims. “A probabilistic analysis of the Rocchio algorithm with TFIDF for text categorization”, 14th International Conference on Machine Learning. 1997.
26 J.R. Quinlan. “Programs for machine learning”. San Francisco: Morgan Kaufmann Publishers.1993.
27 S. M. Weiss, C. Apte, F.J. Damerau, D.E. Johnson, F.J. Oles, T., Goetz, T. Hampp. “Maximizing text-mining performance”. IEEE Intelligent Systems Magazine, 1999.
28 E. Wiener, J. O. Pederson, A.S. Weigend. “A neural network approach to topic spotting”, 4th Annual Symposium on Document Analysis and Information Retrieval. 1995.
29 Y. Yang and , J.O. Pederson. “A comparative study on feature selection in text categorization”. International Conference on Machine Learning. 1997.
30 Y. Yang. “An evaluation of statistical approaches to text categorization”. Journal of Information Retrieval. 1 (2). 1999.
31 V. Vapnik,. “The Nature of Statistical Learning Theory”. Berlin: Springer. 1995.
32 C. Burges. "A tutorial on support vector machines for pattern recognition”. Data Mining and Knowledge Discovery, 2, 1998, pp. 1-47.
33 J.T.K. Kwok. “Automated Text Categorization Using Support Vector Machine”. International Conference on Neural Information Processing, 1998.
34 V. Vapnik. “Statistical Learning Theory”. New York: John Wiley and Sons. 1998.
35 T. Hastie, and R. Tibshirani, “Classification by pair wise coupling. Ann. Statist”, 26, 1998, pp. 451–471.
36 CWE (Common Weakness Enumeration). Available: http://cwe.mitre.org/
37 B. Efron. “ Estimating the error rate of a prediction rule: Improvement on cross-validation”. Journal of the American Statistical Association, 78, 1983. pp.316-331.
38 J. Han, and M. Kamber “Data Mining: Concepts and Techniques”. San Francisco: Morgan Kaufmann Publisher, 2006.
Mr. Shabana Rehman
Salman bin Abdul Aziz University - Saudi Arabia
shabana.infosec@gmail.com
Professor Khurram Mustafa
Jamia Millia Islamia - India