Abstract
Building a secure website is a time-consuming, expensive and challenging task for web developers. Researchers are introducing different web vulnerability prediction models to identify webpage sinks and direct security efforts, since this reduces the time and money needed to secure a web application. Some of the well-known web vulnerabilities are SQL Injection, Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF). Existing vulnerability prediction models employ different machine learning methods to predict vulnerable components in web applications; however, the majority of these methods cannot address all web vulnerabilities. Therefore, this paper proposes a method named NMPREDICTOR that treats vulnerability prediction as a classification problem, predicting whether each file of a website is legitimate or vulnerable. In addition, it applies the classification to different machine learning classifiers in order to judge how well vulnerable components are eliminated. Numerous experiments have been conducted in our study to evaluate the performance of the proposed model. The proposed method builds six classifiers on a training set of labeled files represented by their software metrics and text features. Additionally, it builds a meta classifier that combines the six underlying classifiers, i.e. J48, Naive Bayes and Random Forest. NMPREDICTOR is evaluated on datasets of three web applications, which offer 223 high-quality vulnerabilities found in PHPMyAdmin, Moodle and Drupal. The proposed method shows a clear advantage over the results of existing studies in the case of Drupal, PhpMyAdmin and Moodle.
© 2019 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Khalid, M.N., Farooq, H., Iqbal, M., Alam, M.T., Rasheed, K. (2019). Predicting Web Vulnerabilities in Web Applications Based on Machine Learning. In: Bajwa, I., Kamareddine, F., Costa, A. (eds) Intelligent Technologies and Applications. INTAP 2018. Communications in Computer and Information Science, vol 932. Springer, Singapore. https://doi.org/10.1007/978-981-13-6052-7_41
DOI: https://doi.org/10.1007/978-981-13-6052-7_41
Publisher Name: Springer, Singapore
Print ISBN: 978-981-13-6051-0
Online ISBN: 978-981-13-6052-7
eBook Packages: Computer Science (R0)