期刊文献+
共找到9篇文章
< 1 >
每页显示 20 50 100
Benchmarking Approach to Compare Web Applications Static Analysis Tools Detecting OWASP Top Ten Security Vulnerabilities 被引量:4
1
作者 Juan R.Bermejo Higuera Javier Bermejo Higuera +2 位作者 Juan A.Sicilia Montalvo Javier Cubo Villalba Juan JoséNombela Pérez 《Computers, Materials & Continua》 SCIE EI 2020年第9期1555-1577,共23页
To detect security vulnerabilities in a web application,the security analyst must choose the best performance Security Analysis Static Tool(SAST)in terms of discovering the greatest number of security vulnerabilities ... To detect security vulnerabilities in a web application,the security analyst must choose the best performance Security Analysis Static Tool(SAST)in terms of discovering the greatest number of security vulnerabilities as possible.To compare static analysis tools for web applications,an adapted benchmark to the vulnerability categories included in the known standard Open Web Application Security Project(OWASP)Top Ten project is required.The information of the security effectiveness of a commercial static analysis tool is not usually a publicly accessible research and the state of the art on static security tool analyzers shows that the different design and implementation of those tools has different effectiveness rates in terms of security performance.Given the significant cost of commercial tools,this paper studies the performance of seven static tools using a new methodology proposal and a new benchmark designed for vulnerability categories included in the known standard OWASP Top Ten project.Thus,the practitioners will have more precise information to select the best tool using a benchmark adapted to the last versions of OWASP Top Ten project.The results of this work have been obtaining using widely acceptable metrics to classify them according to three different degree of web application criticality. 展开更多
关键词 Web application benchmark security vulnerability security Analysis Static Tools assessment methodology false positive false negative precision F-MEASURE
下载PDF
A Survey on Sensor-and Communication-Based Issues of Autonomous UAVs
2
作者 Pavlo Mykytyn Marcin Brzozowski +1 位作者 Zoya Dyka Peter Langendoerfer 《Computer Modeling in Engineering & Sciences》 SCIE EI 2024年第2期1019-1050,共32页
The application field for Unmanned Aerial Vehicle (UAV) technology and its adoption rate have been increasingsteadily in the past years. Decreasing cost of commercial drones has enabled their use at a scale broader th... The application field for Unmanned Aerial Vehicle (UAV) technology and its adoption rate have been increasingsteadily in the past years. Decreasing cost of commercial drones has enabled their use at a scale broader thanever before. However, increasing the complexity of UAVs and decreasing the cost, both contribute to a lack ofimplemented securitymeasures and raise new security and safety concerns. For instance, the issue of implausible ortampered UAV sensor measurements is barely addressed in the current research literature and thus, requires moreattention from the research community. The goal of this survey is to extensively review state-of-the-art literatureregarding common sensor- and communication-based vulnerabilities, existing threats, and active or passive cyberattacksagainst UAVs, as well as shed light on the research gaps in the literature. In this work, we describe theUnmanned Aerial System (UAS) architecture to point out the origination sources for security and safety issues.Weevaluate the coverage and completeness of each related research work in a comprehensive comparison table as wellas classify the threats, vulnerabilities and cyber-attacks into sensor-based and communication-based categories.Additionally, for each individual cyber-attack, we describe existing countermeasures or detectionmechanisms andprovide a list of requirements to ensureUAV’s security and safety.We also address the problem of implausible sensormeasurements and introduce the idea of a plausibility check for sensor data. By doing so, we discover additionalmeasures to improve security and safety and report on a research niche that is not well represented in the currentresearch literature. 展开更多
关键词 Unmanned aerial vehicle unmanned aerial system cyber security and privacy drone swarm security vulnerabilities cyber-threats cyber-attacks plausibility check
下载PDF
A Cross Language Code Security Audit Framework Based on Normalized Representation
3
作者 Yong Chen Chao Xu +1 位作者 Jing Selena He Sheng Xiao 《Journal of Quantum Computing》 2022年第2期75-84,共10页
With the rapid development of information technology,audit objects and audit itself are more and more inseparable from software.As an important means of software security audit,code security audit will become an impor... With the rapid development of information technology,audit objects and audit itself are more and more inseparable from software.As an important means of software security audit,code security audit will become an important aspect of future audit that cannot be ignored.However,the existing code security audit ismainly based on source code,which is difficult to meet the audit needs of more and more programming languages and binary commercial software.Based on the idea of normalized transformation,this paper constructs a cross language code security audit framework(CLCSA).CLCSA first uses compile/decompile technology to convert different highlevel programming languages and binary codes into normalized representation,and then usesmachine learning technology to build a cross language code security audit model based on normalized representation to evaluate code security and find out possible code security vulnerabilities.Finally,for the discovered vulnerabilities,the heuristic search strategy will be used to find the best repair scheme from the existing normalized representation sample library for automatic repair,which can improve the effectiveness of code security audit.CLCSA realizes the normalized code security audit of different types and levels of code,which provides a strong support for improving the breadth and depth of code security audit. 展开更多
关键词 Code security audit NORMALIZATION cross language security vulnerabilities
下载PDF
Hybrid Security Assessment Methodology for Web Applications 被引量:1
4
作者 Roddy A.Correa Juan Ramon Bermejo Higuera +3 位作者 Javier Bermejo Higuera Juan Antonio SiciliaMontalvo Manuel Sanchez Rubio A.Alberto Magrenan 《Computer Modeling in Engineering & Sciences》 SCIE EI 2021年第1期89-124,共36页
This study presents a methodology to evaluate and prevent security vulnerabilities issues for web applications.The analysis process is based on the use of techniques and tools that allow to perform security assessment... This study presents a methodology to evaluate and prevent security vulnerabilities issues for web applications.The analysis process is based on the use of techniques and tools that allow to perform security assessments of white box and black box,to carry out the security validation of a web application in an agile and precise way.The objective of the methodology is to take advantage of the synergies of semi-automatic static and dynamic security analysis tools and manual checks.Each one of the phases contemplated in the methodology is supported by security analysis tools of different degrees of coverage,so that the results generated in one phase are used as feed for the following phases in order to get an optimized global security analysis result.The methodology can be used as part of other more general methodologies that do not cover how to use static and dynamic analysis tools in the implementation and testing phases of a Secure Software Development Life Cycle(SSDLC).A practical application of the methodology to analyze the security of a real web application demonstrates its effectiveness by obtaining a better optimized vulnerability detection result against the true and false positive metrics.Dynamic analysis with manual checking is used to audit the results,24.6 per cent of security vulnerabilities reported by the static analysis has been checked and it allows to study which vulnerabilities can be directly exploited externally.This phase is very important because it permits that each reported vulnerability can be checked by a dynamic second tool to confirm whether a vulnerability is true or false positive and it allows to study which vulnerabilities can be directly exploited externally.Dynamic analysis finds six(6)additional critical vulnerabilities.Access control analysis finds other five(5)important vulnerabilities such as Insufficient Protected Passwords or Weak Password Policy and Excessive Authentication Attacks,two vulnerabilities that permit brute force attacks. 展开更多
关键词 Web applications security vulnerability WEAKNESS security analysis white box black box interactive application security testing static application security testing dynamic application security testing
下载PDF
SMINER:Detecting Unrestricted and Misimplemented Behaviors of Software Systems Based on Unit Test Cases
5
作者 Kyungmin Sim Jeong Hyun Yi Haehyun Cho 《Computers, Materials & Continua》 SCIE EI 2023年第5期3257-3274,共18页
Despite the advances in automated vulnerability detection approaches,security vulnerabilities caused by design flaws in software systems are continuously appearing in real-world systems.Such security design flaws can ... Despite the advances in automated vulnerability detection approaches,security vulnerabilities caused by design flaws in software systems are continuously appearing in real-world systems.Such security design flaws can bring unrestricted and misimplemented behaviors of a system and can lead to fatal vulnerabilities such as remote code execution or sensitive data leakage.Therefore,it is an essential task to discover unrestricted and misimplemented behaviors of a system.However,it is a daunting task for security experts to discover such vulnerabilities in advance because it is timeconsuming and error-prone to analyze the whole code in detail.Also,most of the existing vulnerability detection approaches still focus on detecting memory corruption bugs because these bugs are the dominant root cause of software vulnerabilities.This paper proposes SMINER,a novel approach that discovers vulnerabilities caused by unrestricted and misimplemented behaviors.SMINER first collects unit test cases for the target system from the official repository.Next,preprocess the collected code fragments.SMINER uses pre-processed data to show the security policies that can occur on the target system and creates a test case for security policy testing.To demonstrate the effectiveness of SMINER,this paper evaluates SMINER against Robot Operating System(ROS),a real-world system used for intelligent robots in Amazon and controlling satellites in National Aeronautics and Space Administration(NASA).From the evaluation,we discovered two real-world vulnerabilities in ROS. 展开更多
关键词 security vulnerability test case generation security policy test robot operating system vulnerability assessment
下载PDF
A hierarchical algorithm for cyberspace situational awareness based on analytic hierarchy process 被引量:7
6
作者 胡威 Li Jianhua Jiang Xinghao Zhang Yueguo Chen Xiuzhen 《High Technology Letters》 EI CAS 2007年第3期291-296,共6页
The existing network security management systems are unable either to provide users with useful security situation and risk assessment, or to aid administrators to make right and timely decisions based on the current ... The existing network security management systems are unable either to provide users with useful security situation and risk assessment, or to aid administrators to make right and timely decisions based on the current state of network. These disadvantages always put the whole network security management at high risk. This paper establishes a simulation environment, captures the alerts as the experimental data and adopts statistical analysis to seek the vulnerabilities of the services provided by the hosts in the network. According to the factors of the network, the paper introduces the two concepts: Situational Meta and Situational Weight to depict the total security situation. A novel hierarchical algorithm based on analytic hierarchy process (AHP) is proposed to analyze the hierarchy of network and confirm the weighting coefficients. The algorithm can be utilized for modeling security situation, and determining its mathematical expression. Coupled with the statistical results, this paper simulates the security situational trends. Finally, the analysis of the simulation results proves the algorithm efficient and applicable, and provides us with an academic foundation for the implementation in the security situation 展开更多
关键词 analytic hierarchical process security management situational awareness security vulnerabilities security situation
下载PDF
Authentication masking code against DoS of T-MAC protocol 被引量:2
7
作者 SON Young-ho HONG Jin-keun BAE Keun-sung 《Journal of Central South University》 SCIE EI CAS 2013年第7期1889-1895,共7页
Security vulnerability of denial of service (DoS) in time out-medium access control (T-MAC) protocol was discussed and analysis of power consumption at each stage of T-MAC protocol was carried out. For power efficient... Security vulnerability of denial of service (DoS) in time out-medium access control (T-MAC) protocol was discussed and analysis of power consumption at each stage of T-MAC protocol was carried out. For power efficient authentication scheme which can provide reliability, efficiency, and security for a general T-MAC communication, a novel synchronization and authentication scheme using authentication masking code was proposed. Authentication data were repeated and masked by PN sequence. The simulation results show that the proposed approach can provide synchronization and authentication simultaneously for nodes in wireless sensor network (WSN). 63 bits AMC code gives above 99.97% synchronization detection and 93.98% authentication data detection probability in BER 0.031 7. 展开更多
关键词 time out-medium access control (T-MAC) security vulnerability AUTHENTICATION SYNCHRONIZATION authenticationmasking code
下载PDF
An Improved String-Searching Algorithm and Its Application in Component Security Testing 被引量:1
8
作者 Jinfu Chen Saihua Cai +4 位作者 Lili Zhu Yuchi Guo Rubing Huang Xiaolei Zhao Yunqi Sheng 《Tsinghua Science and Technology》 SCIE EI CAS CSCD 2016年第3期281-294,共14页
Mass monitor logs are produced during the process of component security testing. In order to mine the explicit and implicit security exception information of the tested component, the log should be searched for keywor... Mass monitor logs are produced during the process of component security testing. In order to mine the explicit and implicit security exception information of the tested component, the log should be searched for keyword strings. However, existing string-searching algorithms are not very efficient or appropriate for the operation of searching monitor logs during component security testing. For mining abnormal information effectively in monitor logs, an improved string-searching algorithm is proposed. The main idea of this algorithm is to search for the first occurrence of a character in the main string. The character should be different and farther from the last character in the pattern string. With this algorithm, the backward moving distance of the pattern string will be increased and the matching time will be optimized. In the end, we conduct an experimental study based on our approach, the results of which show that the proposed algorithm finds strings in monitor logs 11.5% more efficiently than existing approaches. 展开更多
关键词 component testing security vulnerabilities detection monitor log abnormal information string-searching
原文传递
A Vulnerability Model Construction Method Based on Chemical Abstract Machine
9
作者 LI Xiang CHEN Jinfu +4 位作者 LIN Zhechao ZHANG Lin WANG Zibin ZHOU Minmin XIE Wanggen 《Wuhan University Journal of Natural Sciences》 CAS CSCD 2018年第2期150-162,共13页
It is difficult to formalize the causes of vulnerability, and there is no effective model to reveal the causes and characteristics of vulnerability. In this paper, a vulnerability model construction method is proposed... It is difficult to formalize the causes of vulnerability, and there is no effective model to reveal the causes and characteristics of vulnerability. In this paper, a vulnerability model construction method is proposed to realize the description of vulnerability attribute and the construction of a vulnerability model. A vulnerability model based on chemical abstract machine(CHAM) is constructed to realize the CHAM description of vulnerability model, and the framework of vulnerability model is also discussed. Case study is carried out to verify the feasibility and effectiveness of the proposed model. In addition, a prototype system is also designed and implemented based on the proposed vulnerability model. Experimental results show that the proposed model is more effective than other methods in the detection of software vulnerabilities. 展开更多
关键词 software security vulnerability detection vulner-ability analysis vulnerability model chemical abstract machine
原文传递
上一页 1 下一页 到第
使用帮助 返回顶部