Abstract
Recent there have been many efforts to detect and analyze vulnerabilities using diverse analysis tools, removing them at the development stage. However, vulnerability analysis tools are prone to missed detections, incorrect detections, and over detection, which reduces the accuracy of detection. In this paper, a vulnerability detection technique is proposed that develops and manages safe applications and can resolve and analyze these problems. Risks due to vulnerabilities are computed, and an intelligent vulnerability detection technique is used to improve accuracy and evaluate risks of the final version of the application. This helps the development and execution of safe applications. Through incorporation of tools that use both static analysis and dynamic analysis techniques, our proposed technique overcomes weak points at each stage and improves the accuracy of vulnerability detection. Existing vulnerability risk evaluation system only evaluate self risks; while our proposed vulnerability risk evaluation system reflects vulnerability self-risk and detection accuracy in a complex fashion to evaluate relative. Our proposed technique compares and analyzes existing analysis tools, such as lists for detections and detection accuracy based on the top 10 items of SANS at CWE. Quantitative evaluation systems for existing vulnerability risks and proposed application vulnerability risks are compared and analyzed. Through incorporation of tools that use both static analysis and dynamic analysis techniques. We developed prototype analysis tool using our technique to test the application’s vulnerability–detection ability, and show our proposed technique is superior to existing ones.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Allodi, L., & Massacci, F. (2014). Comparing vulnerability severity and exploits using case-control studies. Journal of ACM Transactions on Information and System Security (TISSEC), 17(1), 1–20.
More Secure Software. (2016). https://www.microsoft.com/en-us/sdl/about/benefits.aspx. Accessed 21 Feb 2017.
Mouzarani, M., Sadeghiyan, B., & Zolfaghari, M. (2016). A smart fuzzing method for detecting heap-based vulnerabilities in executable codes. Journal of Security and Communication Networks, 9(18), 5098–5115.
Ransbotham, S., & Mitra, S. (2013). The impact of immediate disclosure on attack diffusion and volume. In B. Schneier (Ed.), Economics of Information Security and Privacy III (pp. 1–12). New York, NY: Springer.
Chen, T., Zhang, X-s, Zhu, C., Ji, X-l, Guo, S-z, & Yue, W. (2013). Design and implementation of a dynamic symbolic execution tool for windows executables. Journal of Software: Evolution and Process, 25(12), 1249–1272.
Fang, Z., Zhang, Y., Kong, Y., & Liu, Q. (2013). Static detection of logic vulnerabilities in Java web applications. Journal of Security and Communication Networks, 7(3), 519–531.
Lowis, L., & Accorsi, R. (2010). Vulnerability analysis in SOA-based business processes. IEEE Transactions on Services Computing, 4(3), 230–242.
Castro, M., Costa, M., & Harris, T. (2006). Securing software by enforcing data-flow integrity. In Proceeding in OSDI ‘06, advanced computer systems association (pp. 147–160)
Ernst, M.D. (2003). Static and dynamic analysis: synergy and duality. In Proceedings of the ICSE workshop on dynamic analysis (WODA’03) (pp. 24–27).
Khurana, P., Sharma, A., & Kumar Singh, P. (2016). A systematic analysis on mobile application software vulnerabilities: Issues and challenges. Indian Journal of Science & Technology, 9(32), 1–6.
Ehmer Khan, M., & Khan, F. (2012). A comparative study of white box, black box and grey box testing techniques. International Journal of Advanced Computer Science and Applications, 3(6), 12–15.
Introduction To ISO 27005(ISO27005). (2016). http://www.27000.org/iso-27005.htm. Accessed 12 Mar 2017.
Agawal, M., & Singh, A. (2013). Metasploit penetration testing cookbook (2nd ed.). Birmingham: Packt Publishing.
CVE (Common Vulnerabilities and Exposures). (2016). http://cve.mitre.org/. Accessed 25 Feb 2017.
CWE/SANS 25. (2017). http://cwe.mitre.org/top25/. Accessed 12 Mar 2017
CVSS V3.0. (2016). https://www.first.org/cvss/calculator/3.0. Accessed 27 Mar 2017.
Common Weakness Scoring System(CWSS). (2016). http://cwe.mitre.org/cwss/cwss_v1.0.1.html/. Accessed 12 Apr 2017.
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Park, J., Choo, Y. & Lee, J. A Hybrid Vulnerability Analysis Tool Using a Risk Evaluation Technique. Wireless Pers Commun 105, 443–459 (2019). https://doi.org/10.1007/s11277-018-5959-z
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11277-018-5959-z