The International Arab Journal of Information Technology (IAJIT), Vol. 16, No. 2, March 2019


Prediction of Future Vulnerability Discovery in Software Applications using Vulnerability Syntax Tree (PFVD-VST)
Software applications are the origin from which vulnerabilities spread to systems, networks and other software applications. A Vulnerability Discovery Model (VDM) helps to uncover the susceptibilities in the problem domain, but protecting software applications from both known and unknown vulnerabilities is difficult and also needs a large database to store the history of attack information. We propose a vulnerability prediction scheme named Prediction of Future Vulnerability Discovery in Software Applications using Vulnerability Syntax Tree (PFVD-VST), which consists of five steps to address the problem of new vulnerability discovery and prediction. First, classification and clustering are performed based on the software application name, status, phase, category and attack types. Second, code quality is analyzed with the help of code quality measures such as Cyclomatic Complexity, Functional Point Analysis, Coupling and Cloning between objects. Third, a Genetic based Binary Code Analyzer (GABCA) is used to convert the source code to binary code and evaluate each bit of the binary code. Fourth, a Vulnerability Syntax Tree (VST) is trained with the help of vulnerabilities collected from the National Vulnerability Database (NVD). Finally, a combined Naive Bayesian and Decision Tree based prediction algorithm is implemented to predict future vulnerabilities in new software applications. The experimental results show that the prediction rate, recall and precision have improved significantly.
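To make the classification and decision-tree stage concrete, the following added example (written for this page, not the paper's code) selects the best split attribute over a few constructed NVD-style records using entropy, information gain and the Gini index, the measures the paper lists as its equations (7)-(9); the record fields and their values are assumptions.

```python
# Added example, not the paper's code: decision-tree split selection over
# constructed NVD-style records using entropy, information gain and the
# Gini index (the measures the paper gives as equations (7)-(9)).
from collections import Counter
from math import log2

# Constructed sample records (assumed fields, in the spirit of the paper's
# classification step: phase, category and attack type of a component).
# "vuln" is the label: whether a vulnerability was later reported for it.
RECORDS = [
    {"phase": "release", "category": "input", "attack": "xss",  "vuln": True},
    {"phase": "release", "category": "input", "attack": "xss",  "vuln": True},
    {"phase": "beta",    "category": "input", "attack": "sqli", "vuln": True},
    {"phase": "beta",    "category": "auth",  "attack": "sqli", "vuln": True},
    {"phase": "release", "category": "input", "attack": "xss",  "vuln": False},
    {"phase": "release", "category": "auth",  "attack": "none", "vuln": False},
    {"phase": "beta",    "category": "auth",  "attack": "none", "vuln": False},
    {"phase": "beta",    "category": "auth",  "attack": "none", "vuln": False},
]


def entropy(labels):
    """Eq. (7): E = -sum_i p_i * log2(p_i) over the label distribution."""
    n = len(labels)
    return -sum((c / n) * log2(c / n) for c in Counter(labels).values())


def gini_index(labels):
    """Eq. (9): I = 1 - sum_i f_i^2, where f_i is the fraction of class i."""
    n = len(labels)
    return 1 - sum((c / n) ** 2 for c in Counter(labels).values())


def information_gain(records, attr, label="vuln"):
    """Eq. (8): entropy before the split minus the size-weighted entropy
    of the partitions produced by splitting on attr."""
    before = entropy([r[label] for r in records])
    groups = {}
    for r in records:
        groups.setdefault(r[attr], []).append(r[label])
    after = sum(len(g) / len(records) * entropy(g) for g in groups.values())
    return before - after


def best_split(records, attrs, label="vuln"):
    """Pick the attribute with the highest information gain (first on ties)."""
    return max(attrs, key=lambda a: information_gain(records, a, label))


if __name__ == "__main__":
    for a in ("phase", "category", "attack"):
        print(f"IG({a}) = {information_gain(RECORDS, a):.4f}")
    print("best split:", best_split(RECORDS, ["phase", "category", "attack"]))
```

On the constructed sample, "phase" carries no information (identical label mix in both partitions), while "attack" separates the labels almost completely and is chosen as the root split.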


[Table: Classifiers and their Accuracy of Classification (values not recovered)]

Classifier accuracy measures, equations (7)-(9) of the paper:

$\mathrm{Entropy}\,(E) = -\sum_{i} p_i \log_2 p_i$   (7)

$\mathrm{IG} = \mathrm{Entropy}(d_b) - \mathrm{Entropy}(d_a)$   (8)

$\mathrm{Gini\ Index}\,(I) = 1 - \sum_{i=1}^{n} f_i^2$   (9)
Kola Periyasamy received the M.C.A. and M.E. degrees from Anna University, Chennai, India, and completed her Ph.D. at Anna University, India. She is currently working as an Assistant Professor (Senior Grade) at Madras Institute of Technology, Anna University, India. Her research focuses on data mining and soft computing.

Saranya Arirangan received the M.Tech. degree in Information Technology from Madras Institute of Technology, Anna University, Chennai, India, in 2014. She is currently working as an Assistant Professor at SRM Institute of Technology and Engineering, India. Her research focuses on predicting vulnerabilities in software applications, data mining analytics techniques and blockchain applications.