
FedREVAN: Real-time DEtection of Vulnerable Android Source Code Through Federated Neural Network with XAI

  • Conference paper
  • Computer Security. ESORICS 2023 International Workshops (ESORICS 2023)

Abstract

Adhering to security best practices during Android application development is critical, because a large share of apps are released without adequate security measures. Automated tools can be used to address vulnerabilities during development, but they may fall short when it comes to detecting them. To address this issue, this study proposes FedREVAN, a federated neural network with XAI. The initial model was trained on the LVDAndro dataset and predicts potential vulnerabilities with 96% accuracy and a 0.96 F1-score for binary classification. When a line of code is vulnerable, FedREVAN also identifies the associated CWE category with 93% accuracy and a 0.91 F1-score for multi-class classification. The initial neural network model was released in a federated environment so that other clients can train and improve it collaboratively. Experimental results show that the federated neural network model improves multi-class accuracy by 2% and F1-score by 0.04. XAI is used to present the detection results to developers as prediction probabilities for each word in the code. The FedREVAN model has been wrapped in an API and integrated into Android Studio to provide real-time vulnerability detection; it is efficient enough to return prediction probabilities for one code line in 300 ms on average.
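The abstract describes the pipeline only at a high level: a model trained on labelled lines, improved collaboratively across clients in a federated setting, and explained to the developer as a probability per word. The Python sketch below is added here as an illustration; it is not code from the FedREVAN authors or their repository. A bag-of-words logistic classifier stands in for the paper's neural network, FedAvg (sample-count-weighted averaging of client weights) is assumed as the aggregation rule because the abstract does not name one, and per-token occlusion (re-scoring the line with one token removed) is assumed as the XAI step for the same reason. The training lines, the three "team" clients and the line-level labels are constructed by hand and are not drawn from LVDAndro.

```python
"""Toy federated training plus per-token explanation for a line-level Android
vulnerability classifier. Added illustration, not FedREVAN's code: a bag-of-words
logistic model stands in for the paper's neural network, FedAvg for its unnamed
aggregation rule and occlusion for its unnamed XAI step; lines are constructed."""
import math
import re

TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*|\S")

# Constructed per-client training lines (source line, 1 = vulnerable), not from
# LVDAndro. Each client keeps its lines; only model weights leave the client.
CLIENT_DATA = {
    "team_a": [
        ('Log.d(TAG, "password=" + password);', 1),
        ("webView.getSettings().setJavaScriptEnabled(true);", 1),
        ('String url = "http://api.example.com/login";', 1),
        ("textView.setText(label);", 0),
        ('Log.d(TAG, "count=" + count);', 0),
        ('String url = "https://api.example.com/login";', 0),
    ],
    "team_b": [
        ('openFileOutput("cache.txt", MODE_WORLD_READABLE);', 1),
        ('Log.e(TAG, "pin=" + pin);', 1),
        ("webView.getSettings().setAllowFileAccess(true);", 1),
        ('openFileOutput("cache.txt", MODE_PRIVATE);', 0),
        ('Log.e(TAG, "code=" + statusCode);', 0),
        ("webView.getSettings().setAllowFileAccess(false);", 0),
    ],
    "team_c": [
        ('editor.putString("password", password).apply();', 1),
        ("Random r = new Random(42);", 1),
        ('Log.v(TAG, "secret=" + apiKey);', 1),
        ('editor.putString("theme", themeName).apply();', 0),
        ("SecureRandom r = new SecureRandom();", 0),
        ('Log.v(TAG, "view attached");', 0),
    ],
}

def tokenize(line):
    """Split a Java source line into identifier and punctuation tokens."""
    return TOKEN_RE.findall(line)

def predict_proba(model, line):
    """P(vulnerable) under a bag-of-words logistic model (weights dict, bias).
    Accepts a raw line or an already tokenised list."""
    weights, bias = model
    toks = tokenize(line) if isinstance(line, str) else line
    z = bias + sum(weights.get(t, 0.0) for t in set(toks))
    return 1.0 / (1.0 + math.exp(-z))

def train_local(model, samples, epochs=20, lr=0.5, l2=0.01):
    """One client's SGD on logistic loss, starting from the broadcast global
    model. Returns (weights, bias); the raw lines never leave the client."""
    weights, bias = dict(model[0]), model[1]
    for _ in range(epochs):
        for line, label in samples:
            toks = set(tokenize(line))
            g = predict_proba((weights, bias), toks) - label  # dLoss/dz
            for t in toks:  # L2-regularised gradient step on each present token
                weights[t] = weights.get(t, 0.0) * (1 - lr * l2) - lr * g
            bias -= lr * g
    return weights, bias

def fed_avg(global_model, updates):
    """FedAvg: sample-count-weighted mean of (model, n_samples) client updates.
    A token a client never saw keeps the global value in that client's model."""
    g_w, g_b = global_model
    total = sum(n for _, n in updates)
    tokens = set(g_w).union(*(w for (w, _), _ in updates))
    new_w = {t: sum(n * w.get(t, g_w.get(t, 0.0)) for (w, _), n in updates) / total
             for t in tokens}
    return new_w, sum(n * b for (_, b), n in updates) / total

def federated_train(client_data, rounds=5):
    """Each round: broadcast the global model, train locally on every client, FedAvg."""
    model = ({}, 0.0)
    for _ in range(rounds):
        model = fed_avg(model, [(train_local(model, s), len(s)) for s in client_data.values()])
    return model

def accuracy(model, samples):
    return sum((predict_proba(model, l) > 0.5) == bool(y) for l, y in samples) / len(samples)

def explain(model, line):
    """Occlusion attribution: P(vulnerable) for the line and, per token, how much
    the probability drops when that one token is removed (the XAI stand-in)."""
    toks = tokenize(line)
    base = predict_proba(model, toks)
    drops = [(t, round(base - predict_proba(model, toks[:i] + toks[i + 1:]), 3))
             for i, t in enumerate(toks)]
    return base, drops

if __name__ == "__main__":
    m = federated_train(CLIENT_DATA)
    print("training accuracy:", accuracy(m, [s for c in CLIENT_DATA.values() for s in c]))
    for line in ('Log.w(TAG, "pw: " + password);', "textView.setText(title);"):
        p, drops = explain(m, line)
        print(f"{p:.2f}  {line}  top: {sorted(drops, key=lambda d: -d[1])[:3]}")
```

Running the block trains the three simulated clients for five rounds and prints, for two unseen lines, the predicted probability and the tokens that contribute most to it. Two points carry over to a real deployment of this kind. The clients exchange only model parameters, never source lines, which is what makes training across organisations acceptable; parameter updates can still leak information about the data they were computed from, so the aggregation server sits inside the trust boundary and should be treated accordingly. And an occlusion score on a single token says what the model keyed on, not that the line is exploitable, so per-word probabilities are best read as pointers for a developer rather than as a verdict.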


Notes

  1. https://cwe.mitre.org/.
  2. https://github.com/softwaresec-labs/FedREVAN.
  3. https://www.cvedetails.com/.
  4. https://github.com/MobSF/Mobile-Security-Framework-MobSF.
  5. https://github.com/linkedin/qark/.
  6. https://fossdroid.com/.
  7. https://www.tensorflow.org/model_optimization.


Author information

Corresponding author: Janaka Senanayake

A Appendix

Figure 5 depicts the federated learning simulation environment.

Fig. 5. Federated Learning Simulated Environment


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Senanayake, J., Kalutarage, H., Petrovski, A., Al-Kadri, M.O., Piras, L. (2024). FedREVAN: Real-time DEtection of Vulnerable Android Source Code Through Federated Neural Network with XAI. In: Katsikas, S., et al. Computer Security. ESORICS 2023 International Workshops. ESORICS 2023. Lecture Notes in Computer Science, vol 14399. Springer, Cham. https://doi.org/10.1007/978-3-031-54129-2_25

  • DOI: https://doi.org/10.1007/978-3-031-54129-2_25
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-031-54128-5
  • Online ISBN: 978-3-031-54129-2
  • eBook Packages: Computer Science (R0)
