Abstract

A suitable vulnerability assessment process improves the overall security of an organization and therefore reduces the chances that an attacker could breach the IT system. The detection of vulnerabilities is one of the first steps in the software security lifecycle, but in some cases it is not enough. Understanding how a vulnerability can affect the rest of the system, as well as forecasting its exploitability, are important issues when assessing its real impact. Under this premise, this paper presents an overview of the state of the art, including different approaches related to the detection, forecasting and propagation of vulnerabilities in software, focusing mainly on Machine Learning and Data Mining techniques.

Acknowledgment

This work was supported by the project BIECO (www.bieco.org) that received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 952702, and by the Ayudas Cervera para Centros Tecnológicos grant of the Spanish Centre for the Development of Industrial Technology (CDTI) under the project ÉGIDA (CER-20191012).

Author information

Correspondence to Eva Sotos Martínez.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Sotos Martínez, E., Villanueva, N.M., Orellana, L.A. (2022). A Survey on the State of the Art of Vulnerability Assessment Techniques. In: Gude Prego, J.J., de la Puerta, J.G., García Bringas, P., Quintián, H., Corchado, E. (eds) 14th International Conference on Computational Intelligence in Security for Information Systems and 12th International Conference on European Transnational Educational (CISIS 2021 and ICEUTE 2021). CISIS - ICEUTE 2021. Advances in Intelligent Systems and Computing, vol 1400. Springer, Cham. https://doi.org/10.1007/978-3-030-87872-6_20
