Abstract
Adhering to security best practices during the development of Android applications is of paramount importance, because a large share of apps are released without proper security measures. Although automated tools can be employed to address vulnerabilities during development, they often fall short at actually detecting them. To address this issue, this study proposes FedREVAN, a federated neural network combined with explainable AI (XAI). The initial model was trained on the LVDAndro dataset and predicts whether a line of code is potentially vulnerable with 96% accuracy and a 0.96 F1-score (binary classification). If the code is vulnerable, FedREVAN can also identify the associated CWE category with 93% accuracy and a 0.91 F1-score (multi-class classification). The initial neural network model was released in a federated environment so that other clients can train and enhance it collaboratively. Experimental results demonstrate that the federated neural network model improves accuracy by 2% and F1-score by 0.04 in multi-class classification. XAI is utilised to present the detection results to developers together with prediction probabilities for each word in the code. The FedREVAN model has been integrated into an API and further incorporated into Android Studio to provide real-time vulnerability detection. The model is highly efficient, returning prediction probabilities for one line of code in 300 ms on average.
A Appendix
Figure 5 depicts the federated learning simulation environment.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Senanayake, J., Kalutarage, H., Petrovski, A., Al-Kadri, M.O., Piras, L. (2024). FedREVAN: Real-time DEtection of Vulnerable Android Source Code Through Federated Neural Network with XAI. In: Katsikas, S., et al. Computer Security. ESORICS 2023 International Workshops. ESORICS 2023. Lecture Notes in Computer Science, vol 14399. Springer, Cham. https://doi.org/10.1007/978-3-031-54129-2_25
DOI: https://doi.org/10.1007/978-3-031-54129-2_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-54128-5
Online ISBN: 978-3-031-54129-2
eBook Packages: Computer Science (R0)