
2018 | OriginalPaper | Chapter

Refining Traceability Links Between Vulnerability and Software Component in a Vulnerability Knowledge Graph

Authors: Dongdong Du, Xingzhang Ren, Yupeng Wu, Jien Chen, Wei Ye, Jinan Sun, Xiangyu Xi, Qing Gao, Shikun Zhang

Published in: Web Engineering

Publisher: Springer International Publishing


Abstract

Software vulnerabilities and their corresponding software component information are usually stored in different locations with different representations. Building accurate traceability links between them to form a unified knowledge graph can be very helpful for vulnerability spreading analysis, component dependency management, and relationship inference. In this paper, we first propose a software vulnerability knowledge graph model which integrates CVE (Common Vulnerabilities and Exposures) information, Java component metadata in the Maven repository, and project collaboration data on GitHub. To construct the knowledge graph, we then propose two ontology matching approaches. The first one links a Maven project and a GitHub project by URL text matching. The second one introduces the random forests algorithm to link a CVE project version and a Maven project version based on 16 well-defined features. Experimental results show that matching between CVE project versions and Maven project versions is highly promising, with an accuracy rate as high as 99.8%. The traceability links between vulnerabilities and software components can be made more accurate with our approach.
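The two matching steps the abstract describes, written out as an added illustration. This is not the authors' code: the abstract does not list the paper's 16 features, so the pairwise version features below are hypothetical stand-ins, a hand-weighted score stands in for the trained random forest, and the Maven coordinates, POM URLs and GitHub repository names in the demo are constructed sample data.

```python
"""Added illustration of the two ontology-matching steps from the abstract.
Not the paper's code; feature definitions and weights are hypothetical."""
import re
from difflib import SequenceMatcher
from typing import Dict, List, Optional

# ---- Step 1: Maven project -> GitHub project by URL text matching ----------

# Accepts the spellings found in POM <scm>/<url> fields: scm:git:git@github.com:o/r.git,
# https://github.com/o/r, git://github.com/o/r, with or without trailing .git
_GITHUB_RE = re.compile(r"github\.com[:/]+(?P<owner>[^/\s]+)/(?P<repo>[^/\s#?]+)",
                        re.IGNORECASE)


def normalize_repo_url(url: str) -> Optional[str]:
    """Reduce a GitHub reference to a canonical lower-case 'owner/repo' key.
    Returns None when the URL does not point at GitHub."""
    m = _GITHUB_RE.search(url)
    if not m:
        return None
    repo = m.group("repo").lower()
    if repo.endswith(".git"):
        repo = repo[:-4]
    return f"{m.group('owner').lower()}/{repo}"


def link_maven_to_github(maven_projects: Dict[str, List[str]],
                         github_projects: List[str]) -> Dict[str, Optional[str]]:
    """maven_projects: artifact coordinate -> URL strings taken from its POM.
    github_projects: repository full names ('owner/repo').
    Returns coordinate -> matched repository full name, or None if no URL matched."""
    index = {name.lower(): name for name in github_projects}
    links: Dict[str, Optional[str]] = {}
    for coord, urls in maven_projects.items():
        links[coord] = next((index[k] for k in map(normalize_repo_url, urls)
                             if k in index), None)
    return links

# ---- Step 2: CVE project version -> Maven project version ------------------

_NUM_RE = re.compile(r"\d+")
_QUALIFIER_RE = re.compile(r"\b(alpha|beta|rc|m|snapshot|final|ga)\d*\b", re.IGNORECASE)


def _numeric_parts(v: str) -> List[int]:
    return [int(x) for x in _NUM_RE.findall(v)]


def _qualifier(v: str) -> str:
    m = _QUALIFIER_RE.search(v)
    return m.group(0).lower() if m else ""


def version_features(cve_version: str, maven_version: str) -> Dict[str, float]:
    """Hypothetical pairwise features (not the paper's 16) describing how a version
    string quoted in a CVE record relates to a Maven artifact version."""
    a, b = cve_version.strip().lower(), maven_version.strip().lower()
    na, nb = _numeric_parts(a), _numeric_parts(b)
    common = 0
    for x, y in zip(na, nb):          # length of the shared numeric prefix
        if x != y:
            break
        common += 1
    return {
        "exact": float(a == b),
        "numeric_equal": float(bool(na) and na == nb),
        "shared_prefix_len": float(common),
        "same_major": float(bool(na) and bool(nb) and na[0] == nb[0]),
        "same_minor": float(len(na) > 1 and len(nb) > 1 and na[:2] == nb[:2]),
        "length_diff": float(abs(len(na) - len(nb))),
        "qualifier_equal": float(_qualifier(a) == _qualifier(b)),
        "string_similarity": SequenceMatcher(None, a, b).ratio(),
    }


def score_version_pair(f: Dict[str, float]) -> float:
    """Stand-in for the trained random forest: a hand-weighted score clipped to
    [0, 1]. In the paper's pipeline the feature vector is fed to the classifier
    instead; the weights here are illustrative only."""
    w = {"exact": 0.35, "numeric_equal": 0.25, "same_minor": 0.10, "same_major": 0.05,
         "qualifier_equal": 0.05, "string_similarity": 0.20}
    s = sum(w[k] * f[k] for k in w) - 0.10 * f["length_diff"]
    return max(0.0, min(1.0, s))


def rank_maven_versions(cve_version: str, maven_versions: List[str],
                        threshold: float = 0.6) -> List[tuple]:
    """Return (maven_version, score) pairs at or above threshold, best first."""
    scored = sorted(((score_version_pair(version_features(cve_version, v)), v)
                     for v in maven_versions), reverse=True)
    return [(v, round(s, 3)) for s, v in scored if s >= threshold]


if __name__ == "__main__":
    # Constructed sample data (not taken from the paper's dataset).
    maven = {"org.example:text-utils": ["https://example.org/text",
                                        "scm:git:git@github.com:example-org/text-utils.git"]}
    github = ["example-org/text-utils", "example-org/other-lib"]
    print(link_maven_to_github(maven, github))
    print(rank_maven_versions("1.6", ["1.6", "1.6.1", "1.5", "2.0-rc1"]))
```

The URL step is deliberately strict: only an owner/repo key that also exists in the GitHub project list produces a link, so an unmatched POM URL yields `None` rather than a guess. In the version step, the thresholded ranking is what keeps a CVE version such as `1.6` from being linked to the neighbouring `1.6.1` artifact, which shares a numeric prefix but is a different release.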


Metadata

Copyright Year: 2018

DOI: https://doi.org/10.1007/978-3-319-91662-0_3