Top

Empirical Software Engineering

Published in:

01-11-2022

Predicting sensitive information leakage in IoT applications using flows-aware machine learning approach

Authors: Hajra Naeem, Manar H. Alalfi

Published in: Empirical Software Engineering | Issue 6/2022

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

This paper presents an approach for identification of vulnerable IoT applications. The approach focuses on a category of vulnerabilities that leads to sensitive information leakage which can be identified by using taint flow analysis. Tainted flows vulnerability is very much impacted by the structure of the program and the order of the statements in the code, designing an approach to detect such vulnerability needs to take into consideration such information in order to provide precise results. In this paper, we propose and develop an approach, FlowsMiner, that mines features from the code related to program structure such as control statements and methods, in addition to program’s statement order. FlowsMiner, generates features in the form of tainted flows. We developed, Flows2Vec, a tool that transform the features recovered by FlowsMiner into vectors, which are then used to aid the process of machine learning by providing a flow’s aware model building process. The resulting model is capable of accurately classify applications as vulnerable if the vulnerability is exhibited by changes in the order of statements in source code. When compared to a base Bag of Words (BoW) approach, the experiments show that the proposed approach has improved the AUC of the prediction models for all algorithms and the best case for Corpus1 dataset is improved from 0.91 to 0.94 and for Corpus2 from 0.56 to 0.96.

previous article An empirical study of issue-link algorithms: which issue-link algorithms should we use?

next article Testing research software: a survey

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Available only for authorised users

Alon U, Zilberstein M, Levy O, Yahav E (2018) Code2vec: learning distributed representations of code. CoRR, arXiv:1803.09473

Andersen LO (1994) Program analysis and specialization for the C programming language. Ph.D. Dissertation. University of Cophenhagen

Arzt S, Rasthofer S, Fritz C, Bodden E, Bartel A, Klein J, Yves LT, Octeau D, McDaniel P (2014) FLOWDROID: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. ACM SIGPLAN Not 49:259–269CrossRef

Avdiienko V, Kuznetsov K, Gorla A, Zeller A, Arzt S, Rasthofer S, Bodden E (2015) Mining apps for abnormal usage of sensitive data. In: 37th IEEE/ACM international conference on software engineering, ICSE 2015, Florence, Italy, vol 1, pp 426–436

Boris C, Rakesh V (2018) Machine learning methods for software vulnerability detection, pp 31–39

Celik ZB, Babun L, Sikder AK, Aksu H, Tan G, McDaniel PD, Uluagac AS (2018) Sensitive information tracking in commodity IoT. In: 27th USENIX security symposium, USENIX security 2018, Baltimore, MD, USA, pp 1687–1704

Dam HK, Tran T, Pham TTM, Ng SW, Grundy J, Ghose A (2018) Automatic feature learning for predicting vulnerable software components. IEEE Trans Softw Eng 1–1

Dam HK, Pham T, Ng SW, Tran T, Grundy J, Ghose A, Kim T, Kim C (2019) Lessons learned from using a deep Tree-Based model for software defect prediction in practice. In: 2019 IEEE/ACM 16th international conference on mining software repositories (MSR), pp 46–57

Harer JA, Kim LY, Russell RL, Ozdemir O, Kosta LR, Rangamani A, Hamilton LH, Centeno GI, Key JR, Ellingwood PM, McConley MW, Opper JM, Chin SP, Lazovich T (2018) Automated software vulnerability detection with machine learning. CoRR, arXiv:1803.04497

Hassan J, Shoaib U (2020) Multi-class review rating classification using deep recurrent neural network. Neural Process Lett 51:1031–1048CrossRef

Irfan MN, Oriat C, Groz R (2010) Angluin style finite state machine inference with non-optimal counterexamples. In: Proceedings of the first international workshop on model inference in testing, pp 11–19

Irfan M -N, Oriat C, Groz R (2013) Model inference and testing. Adv Comput 89:89–139CrossRef

Kim H, Choi T, Jung S, Kim H, Lee O, Doh K (2008) Applying dataflow analysis to detecting software vulnerability. In: 2008 10th International conference on advanced communication technology, pp 255–258

López V, Fernández A, García S, Palade V, Herrera F (2013) An insight into classification with imbalanced data: empirical results and current trends on using data intrinsic characteristics. Inf Sci 250:113–141CrossRef

Medeiros I, Neves NF, Correia M (2016) DEKANT: a static analysis tool that learns to detect web application vulnerabilitiess. In: Proceedings of the 25th international symposium on software testing and analysis, ISSTA 2016, Saarbrücken, Germany, pp 1–11

Mikolov T, Chen K, Corrado G, Dean J (2013a) Efficient estimation of word representations in vector space. In: 1st International conference on learning representations, ICLR 2013, Scottsdale, Arizona, USA, May 2–4, 2013, Workshop Track Proceedings

Naeem H, Alalfi MH (2020) Identifying vulnerable IoT applications using deep learning. In: 27th IEEE international conference on software analysis, evolution and reengineering, SANER 2020, London, ON, Canada, pp 582–586

Parveen S, Alalfi MH (2020) A mutation framework for evaluating security analysis tools in IoT applications. In: 27th IEEE international conference on software analysis, evolution and reengineering, SANER 2020, London, ON, Canada, pp 587–591

Pedregosa F, Varoquaux G, Gramfort A, Michel V, Thirion B, Grisel O, Blondel M, Prettenhofer P, Weiss R, Dubourg V, Vanderplas J, Passos A, Cournapeau D, Brucher M, Perrot M, Duchesnay E (2011) Scikit-learn: machine Learning in Python. J Mach Learn Res 12:2825–2830MathSciNetMATH

Sadeghi A, Bagheri H, Malek S (2015) Analysis of android Inter-App security vulnerabilities using COVERT. In: 2015 IEEE/ACM 37th IEEE international conference on software engineering, vol 2, pp 725–728

Scandariato R, Walden J, Hovsepyan A, Joosen W (2014) Predicting vulnerable software components via text mining. IEEE Trans Softw Eng 40:993–1006CrossRef

Schmeidl F, Nazzal B, Alalfi MH (2019) Security analysis for SmartThings IoT applications. In: Proceedings of the 6th international conference on mobile software engineering and systems, MOBILESoft@ICSE, Montreal, QC, Canada, pp 25–29

Shar LK, Tan HBK (2012) Mining input sanitization patterns for predicting SQL injection and cross site scripting vulnerabilities. In: 34th International conference on software engineering, ICSE 2012, Zurich, Switzerland, pp 1293–1296

Shar LK, Tan HBK, Briand LC (2013) Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis. In: 35th International conference on software engineering, ICSE ’13, San Francisco, CA, USA, pp 642–651

Shoaib U, Ahmad N, Prinetto P, Tiotto G (2014) Integrating MultiWordNet with Italian Sign Language lexical resources. Expert Syst Appl 41:2300–2308CrossRef

SmartThings Classic Developer Documentation (2019) https://buildmedia.readthedocs.org/media/pdf/smartthings/latest/smartthings.pdf

Sui Y, Cheng X, Zhang G, Wang H (2020) Flow2vec: value-flow-based precise code embedding. Proc ACM Program Lang 4(OOPSLA):233:1-233:27CrossRef

Tai KS, Socher R, Manning CD (2015) Improved semantic representations from Tree-Structured long Short-Term memory networks. CoRR, arXiv:1503.00075

The Pandas Development Team (2020) Pandas-dev/pandas. Pandas, Zenodo

Towards a definition of the Internet of Things (IoT) (2015) IEEE Internet Initiative and others

Walden J, Stuckman J, Scandariato R (2014) Predicting vulnerable components: software metrics vs text mining. In: 25th IEEE International symposium on software reliability engineering, ISSRE 2014, naples, Italy, pp 23–33

Wang S, Liu T, Tan L (2016) Automatically learning semantic features for defect prediction, pp 297–308

Zhao K, Zhang D, Su X, Li W (2015) Fest: a feature extraction and selection tool for Android malware detection. In: 2015 IEEE Symposium on computers and communication, ISCC 2015, Larnaca, Cyprus, pp 714–720

Zheng W, Gao J, Wu X, Xun Y, Liu G, Chen X (2020) An empirical study of high-impact factors for machine Learning-Based vulnerability detection. In: 2020 IEEE 2nd International workshop on intelligent bug fixing (IBF), pp 26–34

Zhu D, Jin H, Yang Y, Wu D, Chen W (2017) Deepflow: deep learning-based malware detection by mining Android application for abnormal usage of sensitive data. In: 2017 IEEE Symposium on computers and communications (ISCC), pp 438–443

Title: Predicting sensitive information leakage in IoT applications using flows-aware machine learning approach
Authors: Hajra Naeem
Manar H. Alalfi
Publication date: 01-11-2022
Publisher: Springer US
Published in: Empirical Software Engineering / Issue 6/2022
Print ISSN: 1382-3256
Electronic ISSN: 1573-7616
DOI: https://doi.org/10.1007/s10664-022-10157-y

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Other articles of this Issue 6/2022

The sense of logging in the Linux kernel

Revisiting the debate: Are code metrics useful for measuring maintenance effort?

FIXME: synchronize with database! An empirical study of data access self-admitted technical debt

An empirical study of question discussions on Stack Overflow

The making of accessible Android applications: an empirical study on the state of the practice

GBGallery : A benchmark and framework for game testing

Premium Partner