“DEKANT: A Static Analysis Tool that Learns to Detect Web Application Vulnerabilities”

From Navigators


Revision as of 08:04, 5 June 2016

Ibéria Medeiros, Nuno Ferreira Neves, Miguel Correia

in Proceedings of the International Symposium on Software Testing and Analysis (ISSTA), Jun. 2016.

Abstract: The state of web security remains troubling as web applications continue to be favorite targets of hackers. Static analysis tools are important mechanisms for programmers to deal with this problem as they search for vulnerabilities automatically in the application source code, allowing programmers to remove them. However, developing these tools requires explicitly coding knowledge about how to discover each kind of vulnerability. This paper presents a new approach in which static analysis tools learn to detect vulnerabilities automatically using machine learning. The approach uses a sequence model to learn to characterize vulnerabilities based on a set of annotated source code slices. This model takes into consideration the order in which the code elements appear and are executed in the slices. The model created can then be used as a static analysis tool to discover and identify vulnerabilities in source code. The approach was implemented in the DEKANT tool and evaluated experimentally with a set of open source PHP applications and WordPress plugins, finding 16 zero-day vulnerabilities.
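The abstract describes three steps: extract a source-code slice from an entry point to a sensitive sink, abstract it into an ordered sequence of code elements, and learn from annotated slices a sequence model that is then applied as a static checker. The script below is an added illustration of that idea written for this page; it is not DEKANT's code and its token names (`input`, `san`, `ss`, `var`), keyword lists, training slices and the bigram Markov chain classifier are all constructed assumptions, not the paper's intermediate language or model. It shows why order matters: a slice that sanitises a value only after it has already reached the sink has the same multiset of elements as a safe slice, and only an order-aware model separates the two.

```python
"""
Added illustration of learning a sequence model over annotated code slices.
Not DEKANT's own code: token taxonomy, keyword lists, training slices and the
model (one add-one-smoothed bigram chain per label) are constructed here.
"""
import math
import re
from collections import defaultdict

# Constructed token taxonomy: which PHP constructs map to which abstract token.
TOKEN_OF = {}
for kw in ("$_GET", "$_POST", "$_COOKIE", "$_REQUEST"):
    TOKEN_OF[kw] = "input"            # entry point carrying attacker data
for kw in ("mysql_real_escape_string", "mysqli_real_escape_string",
           "htmlspecialchars", "htmlentities", "intval"):
    TOKEN_OF[kw] = "san"              # sanitisation function
for kw in ("mysql_query", "mysqli_query", "echo", "print", "eval", "include"):
    TOKEN_OF[kw] = "ss"               # sensitive sink

# Longest keyword first so no keyword is shadowed by a shorter prefix.
KEYWORD_RE = re.compile("|".join(
    re.escape(k) for k in sorted(TOKEN_OF, key=len, reverse=True)))

# Within one statement nested calls run inside-out: the input is read, then
# sanitised, then handed to the sink. Tokens found on one line are ordered so.
EXEC_RANK = {"input": 0, "san": 1, "var": 1, "ss": 2}


def tokenize_slice(php_lines):
    """Abstract a slice (list of PHP statements) into an ordered token list."""
    tokens = []
    for line in php_lines:
        found = [TOKEN_OF[m.group(0)] for m in KEYWORD_RE.finditer(line)]
        if not found:
            found = ["var"]           # plain assignment / string building
        tokens.extend(sorted(found, key=EXEC_RANK.get))
    return tokens


class SliceSequenceModel:
    """One add-one-smoothed bigram Markov chain per label ("vuln"/"safe")."""
    LABELS = ("vuln", "safe")

    def __init__(self):
        self.bigram = {l: defaultdict(int) for l in self.LABELS}
        self.prefix = {l: defaultdict(int) for l in self.LABELS}
        self.vocab = set()

    @staticmethod
    def _pad(tokens):
        return ["<s>"] + list(tokens) + ["</s>"]

    def fit(self, annotated):
        """annotated: iterable of (token_sequence, label) pairs."""
        for tokens, label in annotated:
            seq = self._pad(tokens)
            self.vocab.update(seq)
            for a, b in zip(seq, seq[1:]):
                self.bigram[label][(a, b)] += 1
                self.prefix[label][a] += 1
        return self

    def log_likelihood(self, tokens, label):
        """log P(sequence | label) under that label's bigram chain."""
        seq = self._pad(tokens)
        v = len(self.vocab)
        return sum(math.log((self.bigram[label][(a, b)] + 1) /
                            (self.prefix[label][a] + v))
                   for a, b in zip(seq, seq[1:]))

    def predict(self, tokens):
        return max(self.LABELS, key=lambda l: self.log_likelihood(tokens, l))


# Constructed annotated training slices (token sequence, label).
TRAINING = [
    (["input", "san", "ss"], "safe"),
    (["input", "var", "san", "ss"], "safe"),
    (["input", "san", "var", "ss"], "safe"),
    (["input", "ss"], "vuln"),
    (["input", "var", "ss"], "vuln"),
    (["input", "var", "var", "ss"], "vuln"),
    (["input", "ss", "san"], "vuln"),   # sanitised only after reaching the sink
]

# Constructed PHP slices to classify.
SLICE_ESCAPED = [
    "$user = $_GET['user'];",
    "$q = \"SELECT * FROM users WHERE name='\" . mysql_real_escape_string($user) . \"'\";",
    "$res = mysql_query($q);",
]
SLICE_TAINTED = [
    "$user = $_POST['user'];",
    "$q = \"SELECT * FROM users WHERE name='\" . $user . \"'\";",
    "$res = mysql_query($q);",
]
SLICE_LATE_SAN = [          # same elements as SLICE_ESCAPED, wrong order
    "$u = $_GET['u'];",
    "echo $u;",
    "$u = htmlspecialchars($u);",
]


def build_model():
    return SliceSequenceModel().fit(TRAINING)


def classify(php_lines, model=None):
    if model is None:
        model = build_model()
    return model.predict(tokenize_slice(php_lines))


if __name__ == "__main__":
    m = build_model()
    for name, s in (("escaped", SLICE_ESCAPED), ("tainted", SLICE_TAINTED),
                    ("late sanitisation", SLICE_LATE_SAN)):
        print(f"{name:18s} {tokenize_slice(s)} -> {m.predict(tokenize_slice(s))}")
```

`SLICE_ESCAPED` and `SLICE_LATE_SAN` both abstract to the tokens `input`, `san`, `ss`; a bag-of-elements classifier could not tell them apart, while the bigram chain scores `input ss san` as vulnerable because the `(input, ss)` and `(ss, san)` transitions only occur in vulnerable training slices. The keyword matching is deliberately naive (plain substring matching on a fixed list), so it stands in for the slice extraction a real tool would do on a parsed program.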

Download paper

Project(s): Project:SEGRID

Research line(s): Fault and Intrusion Tolerance in Open Distributed Systems (FIT)
