Software Design Level Vulnerability Classification Model
Shabana Rehman, Khurram Mustafa
Pages 238-255 | Revised 15-07-2012 | Published 10-08-2012
Volume 6, Issue 4 | Publication Date: August 2012
Keywords: Security Vulnerabilities, Classification, Machine Learning, Design Phase
Abstract: Classifying software security vulnerabilities undoubtedly facilitates the understanding of security-related information and accelerates vulnerability analysis. The lack of a proper classification not only hinders that understanding but also frustrates the development of mitigation mechanisms for clusters of related vulnerabilities. Software developers and researchers now agree that the requirement and design phases are where incorporating security yields the greatest benefit. In this paper we design a classifier that identifies and classifies design-level vulnerabilities. First, vulnerability classes are defined on the basis of well-established security properties such as authentication and authorization. Training data is then collected from authoritative sources such as the Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE); from these databases only vulnerabilities that can be mitigated at the design phase are included. The vulnerability descriptions are pre-processed by text stemming, stop-word removal and case transformation, and a Support Vector Machine (SVM) is used to classify them. Bootstrap validation is used to test and validate the classification performed by the classifier. After training, a case study is conducted on design-level vulnerabilities from the National Vulnerability Database (NVD), and vulnerability analysis is performed on the basis of the classification results.
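The pipeline the abstract describes (collect vulnerability descriptions, pre-process them, train an SVM over the resulting term vectors, validate by bootstrap) in runnable form, as an added example that is not the paper's code. Everything in it is an assumption made for illustration: the twelve descriptions are constructed in the style of CWE/CVE entries rather than real entries, the three classes (authentication, authorization, confidentiality) are an assumed subset of the paper's property-based classes, a crude suffix stripper stands in for Porter/Snowball stemming, a linear SVM trained with the Pegasos subgradient method stands in for a library SVM, the validation step uses Efron's .632 bootstrap rule, and all function names are ours.

```python
# Added example (not the paper's code): the abstract's pipeline on a constructed toy
# corpus. Stand-ins for the paper's tools: suffix stripping instead of Porter/Snowball,
# a Pegasos-trained linear SVM instead of a library SVM, Efron's .632 bootstrap rule.
import math, random, re
from collections import Counter

STOP_WORDS = {"a", "an", "the", "of", "to", "in", "is", "are", "and", "that",
              "by", "for", "with", "on", "can", "be", "as", "it", "at", "or"}
SUFFIXES = ("ation", "ate", "ing", "ies", "ed", "es", "s", "e")  # longest first

# Constructed descriptions in the style of CWE/CVE entries (not real entries); the
# three classes are an assumed subset of the security properties the paper uses.
CORPUS = [
    ("authentication", "Login form accepts a default administrator password that is never changed"),
    ("authentication", "Session token is predictable, letting an attacker authenticate as another user"),
    ("authentication", "Password reset link does not expire and can be reused to log in"),
    ("authentication", "Credentials are compared without rate limiting, enabling password guessing"),
    ("authorization", "Any logged in user can open the admin page because the role check is missing"),
    ("authorization", "Object identifiers in the URL let a user read records of other accounts"),
    ("authorization", "A low privilege account can edit permission settings and escalate privileges"),
    ("authorization", "Access control check is done on the client only and can be skipped"),
    ("confidentiality", "Passwords are stored in plaintext in the database"),
    ("confidentiality", "Credit card numbers are written to the application log in clear text"),
    ("confidentiality", "Sensitive data is sent over an unencrypted HTTP connection"),
    ("confidentiality", "Backup files containing customer data are world readable"),
]

def stem(word):
    """Crude suffix stripping; the paper uses Porter/Snowball stemming."""
    for suf in SUFFIXES:
        if word.endswith(suf) and len(word) > len(suf) + 2:
            return word[:-len(suf)]
    return word

def preprocess(text):
    """Case transformation, tokenisation, stop-word removal, stemming."""
    return [stem(t) for t in re.findall(r"[a-z]+", text.lower()) if t not in STOP_WORDS]

def build_idf(docs):
    """Smoothed inverse document frequency over the pre-processed training set."""
    df = Counter(t for d in docs for t in set(preprocess(d)))
    return {t: math.log(len(docs) / n) + 1.0 for t, n in df.items()}

def vectorize(text, idf):
    """L2-normalised TF-IDF bag of words plus a constant bias feature."""
    vec = {t: c * idf[t] for t, c in Counter(preprocess(text)).items() if t in idf}
    vec["__bias__"] = 1.0
    norm = math.sqrt(sum(v * v for v in vec.values()))
    return {t: v / norm for t, v in vec.items()}

def dot(w, x):
    return sum(w.get(f, 0.0) * v for f, v in x.items())

def train_binary_svm(xs, ys, lam=0.01, epochs=20, seed=0):
    """Pegasos: stochastic subgradient descent on the L2-regularised hinge loss."""
    rng, w, t, order = random.Random(seed), {}, 0, list(range(len(xs)))
    for _ in range(epochs):
        rng.shuffle(order)
        for i in order:
            t += 1
            eta = 1.0 / (lam * t)
            violated = ys[i] * dot(w, xs[i]) < 1.0
            for f in w:                      # shrink: w <- (1 - eta*lam) * w
                w[f] *= 1.0 - eta * lam
            if violated:                     # hinge subgradient: w += eta*y*x
                for f, v in xs[i].items():
                    w[f] = w.get(f, 0.0) + eta * ys[i] * v
    return w

def train_svm(xs, labels):
    """One-vs-rest multiclass SVM: one weight vector per class."""
    return {c: train_binary_svm(xs, [1.0 if l == c else -1.0 for l in labels])
            for c in sorted(set(labels))}

def predict(model, x):
    return max(model, key=lambda c: dot(model[c], x))

def accuracy(model, xs, labels):
    return sum(predict(model, x) == l for x, l in zip(xs, labels)) / len(xs)

def bootstrap_632(xs, labels, rounds=20, seed=1):
    """Efron's .632 rule: 0.632 * out-of-bag accuracy + 0.368 * resubstitution."""
    rng, n, oob = random.Random(seed), len(xs), []
    for _ in range(rounds):
        drawn = [rng.randrange(n) for _ in range(n)]   # n draws with replacement
        held = [i for i in range(n) if i not in set(drawn)]
        if held:
            m = train_svm([xs[i] for i in drawn], [labels[i] for i in drawn])
            oob.append(accuracy(m, [xs[i] for i in held], [labels[i] for i in held]))
    return 0.632 * sum(oob) / len(oob) + 0.368 * accuracy(train_svm(xs, labels), xs, labels)

def build_classifier(corpus=CORPUS):
    """Returns (idf, model, .632 bootstrap accuracy estimate) for the corpus."""
    idf = build_idf([d for _, d in corpus])
    xs, labels = [vectorize(d, idf) for _, d in corpus], [l for l, _ in corpus]
    return idf, train_svm(xs, labels), bootstrap_632(xs, labels)

def classify(text, idf, model):
    return predict(model, vectorize(text, idf))
```

Usage: `idf, model, est = build_classifier()` trains on the constructed corpus and returns the bootstrap estimate; `classify("Missing role check lets a normal user open the admin page", idf, model)` then returns the class label. Two design points carry over to a real CWE/CVE corpus: the IDF table must be built from the training set only, so that the case-study (NVD) descriptions are vectorised with the same vocabulary, and the out-of-bag part of the bootstrap is what protects the accuracy figure from the optimism of resubstitution on a small hand-labelled set.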
A. Basu, C. Walters and M. Shepherd. "Support vector machines for text categorization". 36th Annual Hawaii International Conference on System Sciences, 2003.
A. Rajaraman and J.D. Ullman. "Mining of Massive Datasets", 2010. Available: http://infolab.stanford.edu/~ullman/mmds/ch1.pdf
B. Efron. "Estimating the error rate of a prediction rule: Improvement on cross-validation". Journal of the American Statistical Association, 78, 1983, pp. 316-331.
C. Burges. "A tutorial on support vector machines for pattern recognition". Data Mining and Knowledge Discovery, 2, 1998, pp. 1-47.
C. Fox. "Lexical Analysis and Stoplists". In Information Retrieval: Data Structures and Algorithms. Prentice-Hall, 1992.
C.D. Manning, P. Raghavan and H. Schütze. "Introduction to Information Retrieval". Cambridge University Press, 2008.
CWE (Common Weakness Enumeration). Available: http://cwe.mitre.org/
D. Byers, S. Ardi, N. Shahmehri and C. Duma. "Modelling Software Vulnerabilities with Vulnerability Cause Graphs". 22nd IEEE International Conference on Software Maintenance, 2006.
E. Wiener, J.O. Pedersen and A.S. Weigend. "A neural network approach to topic spotting". 4th Annual Symposium on Document Analysis and Information Retrieval, 1995.
G. Grefenstette and P. Tapanainen. "What is a Word, What is a Sentence? Problems of Tokenization". 3rd Conference on Computational Lexicography and Text Research, 1994, pp. 79-87.
G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley, 2004.
I.V. Krsul. "Software Vulnerability Analysis". Ph.D. Thesis, Purdue University, USA, 1998.
J.A. Wang and M. Guo. "OVM: An Ontology for Vulnerability Management". 7th Annual Cyber Security and Information Intelligence Research Workshop, Tennessee, USA, 2009.
J. Han and M. Kamber. "Data Mining: Concepts and Techniques". Morgan Kaufmann, 2006.
J.R. Quinlan. "C4.5: Programs for Machine Learning". Morgan Kaufmann, 1993.
J.T.K. Kwok. "Automated Text Categorization Using Support Vector Machine". International Conference on Neural Information Processing, 1998.
L. Lowis and R. Accorsi. "On a Classification Approach for SOA Vulnerabilities". 33rd Annual IEEE International Computer Software and Applications Conference, 2009, pp. 439-444.
Lemur Project. "The Lemur Toolkit: For Language Modeling and Information Retrieval", 2008. Available: http://www.lemurproject.org
M. Braschler and B. Ripplinger. "How Effective is Stemming and Decompounding for German Text Retrieval?". Information Retrieval, 7, 2003, pp. 291-316.
M.F. Porter. "Snowball: A string processing language for creating stemming algorithms in information retrieval", 2008. Available: http://snowball.tartarus.org
N. Moha. "Detection and Correction of Design Defects in Object-Oriented Designs". Doctoral Symposium, 21st International Conference on Object-Oriented Programming, Systems, Languages and Applications, 2007.
N.H. Pham, T.T. Nguyen, H.A. Nguyen, X. Wang, A.T. Nguyen and T.N. Nguyen. "Detecting Recurring and Similar Software Vulnerabilities". International Conference on Software Engineering, Cape Town, South Africa, 2010.
P.H. Meland and J. Jensen. "Secure Software Design in Practice". 3rd International Conference on Availability, Reliability and Security, 2008.
P.T. Devanbu and S. Stubblebine. "Software Engineering for Security: a Roadmap". International Conference on Software Engineering 2000, special volume on the Future of Software Engineering, 2000, pp. 227-239.
S.M. Weiss, C. Apte, F.J. Damerau, D.E. Johnson, F.J. Oles, T. Goetz and T. Hampp. "Maximizing text-mining performance". IEEE Intelligent Systems, 1999.
S. Rehman and K. Mustafa. "Software Design Level Security Vulnerabilities". International Journal of Software Engineering, 4(2), 2011.
T. Hastie and R. Tibshirani. "Classification by pairwise coupling". Annals of Statistics, 26, 1998, pp. 451-471.
T. Joachims. "A probabilistic analysis of the Rocchio algorithm with TFIDF for text categorization". 14th International Conference on Machine Learning, 1997.
T. Joachims. "Text categorization with support vector machines: learning with many relevant features". 10th European Conference on Machine Learning, 1998.
V. Sridharan and D.R. Kaeli. "Quantifying Software Vulnerability". Workshop on Radiation Effects and Fault Tolerance in Nanometer Technologies, Ischia, Italy, 2008.
V. Vapnik. "The Nature of Statistical Learning Theory". Springer, 1995.
V. Vapnik. "Statistical Learning Theory". John Wiley and Sons, 1998.
V.C. Berghe, J. Riordan and F. Piessens. "A Vulnerability Taxonomy Methodology applied to Web Services". 10th Nordic Workshop on Secure IT Systems, 2005.
Y. Li, H.S. Venter and J.H.P. Eloff. "Categorizing vulnerabilities using data clustering techniques". Information and Computer Security Architectures (ICSA) Research Group, 2009.
Y. Yang and J.O. Pedersen. "A comparative study on feature selection in text categorization". International Conference on Machine Learning, 1997.
Y. Yang. "An evaluation of statistical approaches to text categorization". Information Retrieval, 1(2), 1999.
Y. Wu, R.A. Gandhi and H. Siy. "Using Semantic Templates to Study Vulnerabilities Recorded in Large Software Repositories". 6th International Workshop on Software Engineering for Secure Systems, Cape Town, South Africa, 2010.
Z. Chen, Y. Zhang and Z. Chen. "A Categorization Framework for Common Computer Vulnerabilities and Exposures". The Computer Journal, Advance Access, 2009. Available: http://comjnl.oxfordjournals.org/cgi/content/abstract/bxp040
Mr. Shabana Rehman
Salman bin Abdul Aziz University - Saudi Arabia
Professor Khurram Mustafa
Jamia Millia Islamia - India