
Predicting Web Vulnerabilities in Web Applications Based on Machine Learning

  • Conference paper

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 932))

Abstract

Building a secure website is a time-consuming, expensive and challenging task for web developers. Researchers are introducing different web vulnerability prediction models to identify webpage sinks and target security efforts, since doing so reduces the time and money needed to secure a web application. Some of the well-known web vulnerabilities are SQL Injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). Existing vulnerability prediction models employ different machine learning methods to predict vulnerable components in web applications. However, the majority of these methods cannot address all web vulnerabilities. Therefore, this paper proposes a method, NMPREDICTOR, that predicts vulnerable files in a website by treating vulnerability prediction as a classification problem: each file is classified as legitimate or vulnerable. In addition, it is an effort to apply the classification with different machine learning classifiers in order to judge how well vulnerable components are eliminated. Numerous experiments have been conducted in our study to evaluate the performance of the proposed model. In our method, we build 6 classifiers on a training set of labeled files represented by their software metrics and text features. Additionally, we build a meta classifier that combines the six underlying classifiers, i.e. J48, Naive Bayes and Random Forest. NMPREDICTOR is evaluated on datasets of three web applications, which offer 223 high-quality vulnerabilities found in PHPMyAdmin, Moodle and Drupal. Our proposed method shows a clear advantage over the results of existing studies in the case of Drupal, PhpMyAdmin and Moodle.




Correspondence to Muhammad Noman Khalid.


Copyright information

© 2019 Springer Nature Singapore Pte Ltd.

About this paper


Cite this paper

Khalid, M.N., Farooq, H., Iqbal, M., Alam, M.T., Rasheed, K. (2019). Predicting Web Vulnerabilities in Web Applications Based on Machine Learning. In: Bajwa, I., Kamareddine, F., Costa, A. (eds) Intelligent Technologies and Applications. INTAP 2018. Communications in Computer and Information Science, vol 932. Springer, Singapore. https://doi.org/10.1007/978-981-13-6052-7_41


  • DOI: https://doi.org/10.1007/978-981-13-6052-7_41


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-13-6051-0

  • Online ISBN: 978-981-13-6052-7

  • eBook Packages: Computer Science (R0)
