26 articles found
Evaluating the Impact of Software Security Tactics: A Design Perspective
1
Authors: Mamdouh Alenezi, Abhishek Kumar Pandey, Richa Verma, Mohd Faizan, Shalini Chandra, Alka Agrawal, Rajeev Kumar, Raees Ahmad Khan. 《Computers, Materials & Continua》 SCIE EI, 2021, Issue 3, pp. 2283-2299 (17 pages)
Design architecture is the edifice that strengthens the functionalities as well as the security of web applications. In order to facilitate architectural security from the web application’s design phase itself, practitioners are now adopting the novel mechanism of security tactics. With the intent to conduct a research from the perspective of security tactics, the present study employs a hybrid multi-criteria decision-making approach named fuzzy analytic hierarchy process-technique for order preference by similarity ideal solution (AHP-TOPSIS) method for selecting and assessing multi-criteria decisions. The adopted methodology is a blend of fuzzy analytic hierarchy process (fuzzy AHP) and fuzzy technique for order preference by similarity ideal solution (fuzzy TOPSIS). To establish the efficacy of this methodology, the results are obtained after the evaluation have been tested on fifteen different web application projects (Online Quiz competition, Entrance Test, and others) of the Babasaheb Bhimrao Ambedkar University, Lucknow, India. The tabulated outcomes demonstrate that the methodology of the Multi-Level Fuzzy Hybrid system is highly effective in providing accurate estimation for strengthening the security of web applications. The proposed study will help experts and developers in developing and managing security from any web application design phase for better accuracy and higher security.
Keywords: Web application software security security tactics fuzzy AHP fuzzy TOPSIS
Comparison of SETAM with Security Use Case and Security Misuse Case: A Software Security Testing Study
2
Authors: HUI Zhanwei, HUANG Song. 《Wuhan University Journal of Natural Sciences》 CAS, 2012, Issue 6, pp. 516-520 (5 pages)
A software security testing behavior model, SETAM, was proposed in our previous work as the integrated model for describing software security testing requirements behavior, which is not only compatible with security functions and latent typical misuse behaviors, but also with the interaction of them. In this paper, we analyze the differences between SETAM with security use case and security misuse case in different types of security test requirements. To illustrate the effectiveness of SETAM, we compare them in a practical case study by the number of test cases and the number of faults detected by them. The results show that SETAM could decrease about 34.87% use cases on average, and the number of faults detected by SETAM increased by 71.67% on average, which means that our model can detect more faults with fewer test cases for software security testing.
Keywords: security testing security use case security misuse case software security testing behavior model security testing requirement
Research on the Construction of Computer Network Security System in Middle School Campus Network (Cited by: 1)
3
Authors: Haijing Xing. 《Journal of Electronic Research and Application》, 2023, Issue 3, pp. 27-32 (6 pages)
In order to improve the security of high school campus networks, this paper introduces the goal, system composition, and function of the network security of high school campus networks, and puts forward a series of strategies, including the establishment of network security protection system, data backup and recovery mechanism, and strengthening network security management and training. Through these strategies, the safety and stable operation of the campus network can be ensured, the quality of education can be improved, and school’s development can be promoted.
Keywords: Network security Physical security software security
Security Threat and Vulnerability Assessment and Measurement in Secure Software Development
4
Authors: Mamoona Humayun, NZ Jhanjhi, Maram Fahhad Almufareh, Muhammad Ibrahim Khalil. 《Computers, Materials & Continua》 SCIE EI, 2022, Issue 6, pp. 5039-5059 (21 pages)
Security is critical to the success of software, particularly in today’s fast-paced, technology-driven environment. It ensures that data, code, and services maintain their CIA (Confidentiality, Integrity, and Availability). This is only possible if security is taken into account at all stages of the SDLC (Software Development Life Cycle). Various approaches to software quality have been developed, such as CMMI (Capability maturity model integration). However, there exists no explicit solution for incorporating security into all phases of SDLC. One of the major causes of pervasive vulnerabilities is a failure to prioritize security. Even the most proactive companies use the “patch and penetrate” strategy, in which security is accessed once the job is completed. Increased cost, time overrun, not integrating testing and input in SDLC, usage of third-party tools and components, and lack of knowledge are all reasons for not paying attention to the security angle during the SDLC, despite the fact that secure software development is essential for business continuity and survival in today’s ICT world. There is a need to implement best practices in SDLC to address security at all levels. To fill this gap, we have provided a detailed overview of secure software development practices while taking care of project costs and deadlines. We proposed a secure SDLC framework based on the identified practices, which integrates the best security practices in various SDLC phases. A mathematical model is used to validate the proposed framework. A case study and findings show that the proposed system aids in the integration of security best practices into the overall SDLC, resulting in more secure applications.
Keywords: security secure software development software development life cycle (SDLC) CONFIDENTIALITY INTEGRITY AVAILABILITY
A Six Sigma Security Software Quality Management
5
Authors: Vojo Bubevski. 《Journal of Computer and Communications》, 2016, Issue 13, pp. 40-60 (22 pages)
Today, the demand for security software is Six Sigma quality, i.e. practically zero-defects. A practical and stochastic method is proposed for a Six Sigma security software quality management. Monte Carlo Simulation is used in a Six Sigma DMAIC (Define, Measure, Analyze, Improve, Control) approach to security software testing. This elaboration used a published real project’s data from the final product testing lasted for 15 weeks, after which the product was delivered. The experiment utilised the first 12 weeks’ data to allow the results verification on the actual data from the last three weeks. A hypothetical testing project was applied, supposed to be completed in 15 weeks. The product due-date was Week 16 with zero-defects quality assurance aim. The testing project was analysed at the end of the 12th week with three weeks of testing remaining. Running a Monte Carlo Simulation with data from the first 12 weeks produced results which indicated that the product would not be able to meet its due-date with the desired zero-defects quality. To quantify an improvement, another simulation was run to find when zero-defects would be achieved. Simulation predicted that zero-defects would be achieved in week 35 with 56% probability, and there would be 82 defects from Weeks 16 - 35. Therefore, to meet the quality goals, either more resources should be allocated to the project, or the deadline for the project should be moved to Week 36. The paper concluded that utilising Monte Carlo Simulations in a Six Sigma DMAIC structured framework is better than conventional approaches using static analysis methods. When the simulation results were compared to the actual data, it was found to be accurate within -3.5% to +1.3%.
This approach helps to improve software quality and achieve the zero-defects quality assurance goal, while assigning quality confidence levels to scheduled product releases.
Keywords: security software Quality Management Six Sigma DMAIC Monte Carlo Simulation
Fuzzing: Progress, Challenges, and Perspectives
6
Authors: Zhenhua Yu, Zhengqi Liu, Xuya Cong, Xiaobo Li, Li Yin. 《Computers, Materials & Continua》 SCIE EI, 2024, Issue 1, pp. 1-29 (29 pages)
As one of the most effective techniques for finding software vulnerabilities, fuzzing has become a hot topic in software security. It feeds potentially syntactically or semantically malformed test data to a target program to mine vulnerabilities and crash the system. In recent years, considerable efforts have been dedicated by researchers and practitioners towards improving fuzzing, so there are more and more methods and forms, which make it difficult to have a comprehensive understanding of the technique. This paper conducts a thorough survey of fuzzing, focusing on its general process, classification, common application scenarios, and some state-of-the-art techniques that have been introduced to improve its performance. Finally, this paper puts forward key research challenges and proposes possible future research directions that may provide new insights for researchers.
Keywords: FUZZING VULNERABILITY software testing software security
Selecting Best Software Vulnerability Scanner Using Intuitionistic Fuzzy Set TOPSIS
7
Authors: Navneet Bhatt, Jasmine Kaur, Adarsh Anand, Omar H. Alhazmi. 《Computers, Materials & Continua》 SCIE EI, 2022, Issue 8, pp. 3613-3629 (17 pages)
Software developers endeavor to build their products with the least number of bugs. Despite this, many vulnerabilities are detected in software that threatens its integrity. Various automated software i.e., vulnerability scanners, are available in the market which helps detect and manage vulnerabilities in a computer, application, or a network. Hence, the choice of an appropriate vulnerability scanner is crucial to ensure efficient vulnerability management. The current work serves a dual purpose, first, to identify the key factors which affect the vulnerability discovery process in a network. The second, is to rank the popular vulnerability scanners based on the identified attributes. This will aid the firm in determining the best scanner for them considering multiple aspects. The multi-criterion decision making based ranking approach has been discussed using the Intuitionistic Fuzzy set (IFS) and Technique for Order of Preference by Similarity to Ideal Solution (TOPSIS) to rank the various scanners. Using IFS TOPSIS, the opinion of a whole group could be simultaneously considered in the vulnerability scanner selection. In this study, five popular vulnerability scanners, namely, Nessus, Fsecure Radar, Greenbone, Qualys, and Nexpose have been considered. The inputs of industry specialists i.e., people who deal in software security and vulnerability management process have been taken for the ranking process. Using the proposed methodology, a hierarchical classification of the various vulnerability scanners could be achieved. The clear enumeration of the steps allows for easy adaptability of the model to varied situations. This study will help product developers become aware of the needs of the market and design better scanners. And from the user’s point of view, it will help the system administrators in deciding which scanner to deploy depending on the company’s needs and preferences. The current work is the first to use a Multi Criterion Group Decision Making technique in vulnerability scanner selection.
Keywords: Intuitionistic fuzzy set group decision making multi-criteria decision making (MCDM) ranking algorithm software security TOPSIS VULNERABILITY vulnerability scanners
Evaluating the Impacts of Security-Durability Characteristic: Data Science Perspective
8
Authors: Abdullah Alharbi, Masood Ahmad, Wael Alosaimi, Hashem Alyami, Alka Agrawal, Rajeev Kumar, Abdul Wahid, Raees Ahmad Khan. 《Computer Systems Science & Engineering》 SCIE EI, 2022, Issue 5, pp. 557-567 (11 pages)
Since the beginning of web applications, security has been a critical study area. There has been a lot of research done to figure out how to define and identify security goals or issues. However, high-security web apps have been found to be less durable in recent years; thus reducing their business continuity. High security features of a web application are worthless unless they provide effective services to the user and meet the standards of commercial viability. Hence, there is a necessity to link in the gap between durability and security of the web application. Indeed, security mechanisms must be used to enhance durability as well as the security of the web application. Although durability and security are not related directly, some of their factors influence each other indirectly. Characteristics play an important role in reducing the void between durability and security. In this respect, the present study identifies key characteristics of security and durability that affect each other indirectly and directly, including confidentiality, integrity, availability, human trust and trustworthiness. The importance of all the attributes in terms of their weight is essential for their influence on the whole security during the development procedure of web application. To estimate the efficacy of present study, authors employed the Hesitant Fuzzy Analytic Hierarchy Process (H-Fuzzy AHP). The outcomes of our investigations and conclusions will be a useful reference for the web application developers in achieving a more secure and durable web application.
Keywords: software security DURABILITY durability of security services web application development process
Enhancing Mobile Cloud Computing Security Using Steganography
9
Authors: Hassan Reza, Madhuri Sonawane. 《Journal of Information Security》, 2016, Issue 4, pp. 245-259 (15 pages)
Cloud computing is an emerging and popular method of accessing shared and dynamically configurable resources via the computer network on demand. Cloud computing is excessively used by mobile applications to offload data over the network to the cloud. There are some security and privacy concerns using both mobile devices to offload data to the facilities provided by the cloud providers. One of the critical threats facing cloud users is the unauthorized access by the insiders (cloud administrators) or the justification of location where the cloud providers operating. Although, there exist variety of security mechanisms to prevent unauthorized access by unauthorized user by the cloud administration, but there is no security provision to prevent unauthorized access by the cloud administrators to the client data on the cloud computing. In this paper, we demonstrate how steganography, which is a secrecy method to hide information, can be used to enhance the security and privacy of data (images) maintained on the cloud by mobile applications. Our proposed model works with a key, which is embedded in the image along with the data, to provide an additional layer of security, namely, confidentiality of data. The practicality of the proposed method is represented via a simple case study.
Keywords: Cloud Computing Mobile Computing software security software Privacy Data Hiding STEGANOGRAPHY ENCRYPTION
Mobile Software Assurance Informed through Knowledge Graph Construction: The OWASP Threat of Insecure Data Storage
10
Authors: Suzanna Schmeelk, Lixin Tao. 《Journal of Computer Science Research》, 2020, Issue 2, pp. 17-29 (13 pages)
Many organizations, to save costs, are moving to the Bring Your Own Mobile Device (BYOD) model and adopting applications built by third-parties at an unprecedented rate. Our research examines software assurance methodologies specifically focusing on security analysis coverage of the program analysis for mobile malware detection, mitigation, and prevention. This research focuses on secure software development of Android applications by developing knowledge graphs for threats reported by the Open Web Application Security Project (OWASP). OWASP maintains lists of the top ten security threats to web and mobile applications. We develop knowledge graphs based on the two most recent top ten threat years and show how the knowledge graph relationships can be discovered in mobile application source code. We analyze 200+ healthcare applications from GitHub to gain an understanding of their software assurance of their developed software for one of the OWASP top ten mobile threats, the threat of “Insecure Data Storage.” We find that many of the applications are storing personally identifying information (PII) in potentially vulnerable places leaving users exposed to higher risks for the loss of their sensitive data.
Keywords: CYBERSECURITY Secure software development Penetration testing Risk assessment
Control Flow Obfuscation Based Protection Method for Android Applications (Cited by: 2)
11
Authors: Yong Peng, Guanyu Su, Bin Tian, Maohua Sun, Qi Li. 《China Communications》 SCIE CSCD, 2017, Issue 11, pp. 247-259 (13 pages)
With the popularization and rapid development of mobile intelligent terminals (MITs), the number of mobile applications, or apps, has increased exponentially. It is increasingly common for malicious code to be inserted into counterfeit apps, which can cause significant economic damage and threaten the security of users. Code obfuscation techniques are a highly efficient group of methods for code security protection. In this paper, we propose a novel control flow obfuscation based method for Android code protection. First, algorithms to insert irrelevant code and flatten the control flow are employed that minimize the cost of obfuscation while ensuring its strength. Second, we improve the traditional methods of control flow flattening to further reduce the costs of obfuscation. Lastly, the use of opaque predicates is strengthened by establishing an access control strategy, which converts the identification of opaque predicates in the entire program into a graph traversal problem, and thereby increases the strength of the code protection. We did some experiments to evaluate our method, and the results show that the proposed method can work well.
Keywords: control flow obfuscation control flow obfuscation software security
Structured Query Language Injection Penetration Test Case Generation Based on Formal Description
12
Authors: 韩明, 苗长云. 《Journal of Donghua University (English Edition)》 EI CAS, 2015, Issue 3, pp. 446-452 (7 pages)
Aiming to improve the Structured Query Language (SQL) injection penetration test accuracy through the formalism-guided test case generation, an attack purpose based attack tree model of SQL injection is proposed, and then under the guidance of this model, the formal descriptions for the SQL injection vulnerability feature and SQL injection attack inputs are established. Moreover, according to new coverage criteria, these models are instantiated and the executable test cases are generated. Experiments show that compared with the random enumerated test case used in other works, the test case generated by our method can detect the SQL injection vulnerability more effectively. Therefore, the false negative is reduced and the test accuracy is improved.
Keywords: software security penetration test web application structured query language (SQL) injection test case
Exploration and Practice of Online Teaching Mode for “Three Preparations Before Class, Five Channels in Class and Five Tracking after Class”
13
Authors: Miao Zhang, Hua Zhang, Dianhui Chu, Xiaojun Tong, Kaikun Dong. 《计算机教育》, 2021, Issue 12, pp. 147-156 (10 pages)
Aiming at the characteristics of huge knowledge points, strong practicality and diversity of software security course, adhering to the “Π” scheme for emerging engineering education, based on Tencent classroom, Tencent conference and Lan ink cloud class, and guided by BOPPPS teaching model and deep learning theory, “three preparations before class, five channels in class and five tracking after class” is proposed. Three preparations before class and five tracking after class serve the five channels in class. Five channels in class take live teaching as the core, and teach students knowledge through five channels. Practice has proved that this mode can effectively solve the problem of teaching a large number of knowledge in limited class hours, improve students’ practical ability and enhance the effect of classroom teaching.
Keywords: online teaching BOPPPS teaching model deep learning flipped classroom software security
An empirical study on the complexity, security and maintainability of Ethereum-based decentralized applications (DApps)
14
Authors: Noama Fatima Samreen, Manar H. Alalfi. 《Blockchain (Research and Applications)》 EI, 2023, Issue 2, pp. 28-40 (13 pages)
The Ethereum blockchain’s smart contract is a programmable transaction that performs general-purpose computations and can be executed automatically on the blockchain. Leveraging this component, blockchain technology (BT) has grown beyond the scope of cryptocurrencies and can now be applicable in various industries other than finance. In this paper, we investigated the current trends in Ethereum-based decentralized applications (DApps) to be able to categorize and analyze the DApps to measure the complexity of smart contracts behind them, their level of security and their correlation to the maintainability of the DApps. We leveraged the source code analysis, security analysis, and the developmental metadata of the DApps to infer this correlation. Based on our findings, we concluded that the maintainability of Ethereum DApps is proportional to the code size, number of functions, and, most importantly, the number of outgoing invocations and statements in the smart contracts.
Keywords: Blockchain technology Ethereum smart contracts Code metrics software complexity software security software maintainability Decentralized applications
Attacks and defences on intelligent connected vehicles: a survey (Cited by: 4)
15
Authors: Mahdi Dibaei, Xi Zheng, Kun Jiang, Robert Abbas, Shigang Liu, Yuexin Zhang, Yang Xiang, Shui Yu. 《Digital Communications and Networks》 SCIE, 2020, Issue 4, pp. 399-421 (23 pages)
Intelligent vehicles are advancing at a fast speed with the improvement of automation and connectivity, which opens up new possibilities for different cyber-attacks, including in-vehicle attacks (e.g., hijacking attacks) and vehicle-to-everything communication attacks (e.g., data theft). These problems are becoming increasingly serious with the development of 4G LTE and 5G communication technologies. Although many efforts are made to improve the resilience to cyber attacks, there are still many unsolved challenges. This paper first identifies some major security attacks on intelligent connected vehicles. Then, we investigate and summarize the available defences against these attacks and classify them into four categories: cryptography, network security, software vulnerability detection, and malware detection. Remaining challenges and future directions for preventing attacks on intelligent vehicle systems have been discussed as well.
Keywords: Intelligent vehicles Vehicular networks software vulnerabilities Deep learning 3GPP software defined security
Software Vulnerabilities Overview: A Descriptive Study (Cited by: 2)
16
Authors: Mario Calín Sánchez, Juan Manuel Carrillo de Gea, José Luis Fernández-Alemán, Jesús Garcerán, Ambrosio Toval. 《Tsinghua Science and Technology》 SCIE EI CAS CSCD, 2020, Issue 2, pp. 270-280 (11 pages)
Computer security is a matter of great interest. In the last decade there have been numerous cases of cybercrime based on the exploitation of software vulnerabilities. This fact has generated a great social concern and a greater importance of computer security as a discipline. In this work, the most important vulnerabilities of recent years are identified, classified, and categorized individually. A measure of the impact of each vulnerability is used to carry out this classification, considering the number of products affected by each vulnerability, as well as its severity. In addition, the categories of vulnerabilities that have the greatest presence are identified. Based on the results obtained in this study, we can understand the consequences of the most common vulnerabilities, which software products are affected, how to counteract these vulnerabilities, and what their current trend is.
Keywords: descriptive study software security software vulnerabilities vulnerability databases
Using deep learning to solve computer security challenges: a survey (Cited by: 1)
17
Authors: Yoon-Ho Choi, Peng Liu, Zitong Shang, Haizhou Wang, Zhilong Wang, Lan Zhang, Junwei Zhou, Qingtian Zou. 《Cybersecurity》 CSCD, 2020, Issue 1, pp. 203-234 (32 pages)
Although using machine learning techniques to solve computer security challenges is not a new idea, the rapidly emerging Deep Learning technology has recently triggered a substantial amount of interests in the computer security community. This paper seeks to provide a dedicated review of the very recent research works on using Deep Learning techniques to solve computer security challenges. In particular, the review covers eight computer security problems being solved by applications of Deep Learning: security-oriented program analysis, defending return-oriented programming (ROP) attacks, achieving control-flow integrity (CFI), defending network attacks, malware classification, system-event-based anomaly detection, memory forensics, and fuzzing for software security.
Keywords: Deep learning security-oriented program analysis Return-oriented programming attacks Control-flow integrity Network attacks Malware classification System-event-based anomaly detection Memory forensics Fuzzing for software security
MSMAM: Testing Resources Allocation, Obtaining Non-Functional Indexes Based on Functional Testing Results, and Evaluating Security
18
Authors: CAO Hui, ZHANG Huanguo, YAN Fei. 《Wuhan University Journal of Natural Sciences》 CAS, 2012, Issue 6, pp. 504-510 (7 pages)
Security testing is a key technology for software security. The testing results can reflect the relationship between software testing and software security, and they can help program designers for evaluating and improving software security. However, it is difficult to describe by mathematics the relationship between the results of software functional testing and software nonfunctional security indexes. In this paper, we propose a mathematics model (MSMAM) based on principal component analysis and multiattribute utility theory. This model can get nonfunctional security indexes by analyzing quantized results of functional tests. It can also evaluate software security and guide the effective allocation of testing resources in the process of software testing. The feasibility and effectiveness of MSMAM is verified by experiments.
Keywords: software testing software security principal component analysis multi-attribute theory security evaluation
Using deep learning to solve computer security challenges: a survey
19
Authors: Yoon-Ho Choi, Peng Liu, Zitong Shang, Haizhou Wang, Zhilong Wang, Lan Zhang, Junwei Zhou, Qingtian Zou. 《Cybersecurity》, 2018, Issue 1, pp. 815-846 (32 pages)
Although using machine learning techniques to solve computer security challenges is not a new idea, the rapidly emerging Deep Learning technology has recently triggered a substantial amount of interests in the computer security community. This paper seeks to provide a dedicated review of the very recent research works on using Deep Learning techniques to solve computer security challenges. In particular, the review covers eight computer security problems being solved by applications of Deep Learning: security-oriented program analysis, defending return-oriented programming (ROP) attacks, achieving control-flow integrity (CFI), defending network attacks, malware classification, system-event-based anomaly detection, memory forensics, and fuzzing for software security.
Keywords: Deep learning security-oriented program analysis Return-oriented programming attacks Control-flow integrity Network attacks Malware classification System-event-based anomaly detection Memory forensics Fuzzing for software security
Abstract security patterns and the design of secure systems
20
Authors: Eduardo B. Fernandez, Nobukazu Yoshioka, Hironori Washizaki, Joseph Yoder. 《Cybersecurity》 EI CSCD, 2022, Issue 3, pp. 1-17 (17 pages)
During the initial stages of software development, the primary goal is to define precise and detailed requirements without concern for software realizations. Security constraints should be introduced then and must be based on the semantic aspects of applications, not on their software architectures, as it is the case in most secure development methodologies. In these stages, we need to identify threats as attacker goals and indicate what conceptual security defenses are needed to thwart these goals, without consideration of implementation details. We can consider the effects of threats on the application assets and try to find ways to stop them. These threats should be controlled with abstract security mechanisms that can be realized by abstract security patterns (ASPs), that include only the core functions of these mechanisms, which must be present in every implementation of them. An abstract security pattern describes a conceptual security mechanism that includes functions able to stop or mitigate a threat or comply with a regulation or institutional policy. We describe here the properties of ASPs and present a detailed example. We relate ASPs to each other and to Security Solution Frames, which describe families of related patterns. We show how to include ASPs to secure an application, as well as how to derive concrete patterns from them. Finally, we discuss their practical value, including their use in “security by design” and IoT systems design.
Keywords: security patterns Secure software development security requirements Secure software architecture IoT systems design