检索结果-内蒙古大学图书馆

FAGnet: Family-aware-based android malware analysis using graph neural network

KNOWLEDGE-BASED SYSTEMS 2024年 289卷

作者： Wang, Zhendong Zeng, Kaifa Wang, Junling Li, Dahai Jiangxi Univ Sci & Technol Sch Informat Engn Ganzhou 341000 Jiangxi Peoples R China

Android malware family analysis is essential for building an efficient malware detection mechanism. In recent years, many graph representation learning -based malware detection and classification studies have been proposed, and many methods model malware as graph data to mine the behavioral semantics of malware. However, they do not consider the relationship at the sample (graph) level, and malware belonging to the same family has similar malicious behavior. The transformation of samples according to the Data Processing Inequality (DPI) will lead to the loss of mutual information transmission, which inspired us to consider the analysis of malware based on graph representation learning from this perspective. In this paper, we consider introducing the relationship between malware samples, inserting a family representation refinement component that is conducive to improving the family separability in the graph classification task, and propose a Family -Aware Graph neural network Android malware analysis (FAGnet). We use 4 backbones to perform extension experiments on 2 benchmark datasets and comprehensively compare some baseline methods. The experiments verify the effectiveness of FAGnet, which achieves 98.11 % accuracy on the Drebin dataset and 83.45 % and 72.76 % accuracy on the CICAndMal2017 category and family classification, respectively. In addition, FAGnet is evaluated with real -world data, and its satisfactory performance was maintained in real -world scenarios.

关键词： Android malware analysis Malware family Graph neural network Graph classification static code analysis

来源：评论

学校读者我要写书评

暂无评论

A Large-scale analysis of How OpenSSL Is Used in Open-source Software

A Large-scale Analysis of How OpenSSL Is Used in Open-source...

引用

作者： Heidbrink, Scott Jared Brigham Young University

学位级别：M.Sc.

As vulnerabilities become more common the security of applications are coming under increased scrutiny. In regards to Internet security, recent work discovers that many vulnerabilities are caused by TLS library misuse. This misuse is attributed to large and confusing APIs and developer misunderstanding of security generally. Due to these problems there is a desire for simplified TLS libraries and security handling. However, as of yet there is no analysis of how the existing APIs are used, beyond how incorrect usage motivates the need to replace them. We provide an analysis of contemporary usage of OpenSSL across 410 popular secure applications. These insights will inform the security community as it addresses TLS library redesign.

关键词： TLS SSL API source code analysis static code analysis

来源：评论

学校读者我要写书评

暂无评论

Defect prediction using deep learning with Network Portrait Divergence for software evolution

引用

EMPIRICAL SOFTWARE ENGINEERING 2022年第5期27卷 118-118页

作者： Walunj, Vijay Gharibi, Gharib Alanazi, Rakan Lee, Yugyung Univ Missouri Sch Comp & Engn Kansas City MO 64110 USA Northern Border Univ Fac Comp & Informat Technol Rafha Saudi Arabia

Understanding software evolution is essential for software development tasks, including debugging, maintenance, and testing. As a software system evolves, it grows in size and becomes more complex, hindering its comprehension. Researchers proposed several approaches for software quality analysis based on software metrics. One of the primary practices is predicting defects across software components in the codebase to improve agile product quality. While several software metrics exist, graph-based metrics have rarely been utilized in software quality. In this paper, we explore recent network comparison advancements to characterize software evolution and focus on aiding software metrics analysis and defect prediction. We support our approach with an automated tool named GraphEvoDef. Particularly, GraphEvoDef provides three major contributions: (1) detecting and visualizing significant events in software evolution using call graphs, (2) extracting metrics that are suitable for software comprehension, and (3) detecting and estimating the number of defects in a given code entity (e.g., class). One of our major findings is the usefulness of the Network Portrait Divergence metric, borrowed from the information theory domain, to aid the understanding of software evolution. To validate our approach, we examined 29 different open-source Java projects from GitHub and then demonstrated the proposed approach using 9 use cases with defect data from the the PROMISE dataset. We also trained and evaluated defect prediction models for both classification and regression tasks. Our proposed technique has an 18% reduction in the mean square error and a 48% increase in squared correlation coefficient over the state-of-the-art approaches in the defect prediction domain.

关键词： static code analysis Call graph Program comprehension Software evolution Metric analysis Defect prediction

来源：评论

学校读者我要写书评

暂无评论

Guiding feature model evolution by lifting code-level dependencies

引用

JOURNAL OF COMPUTER LANGUAGES 2021年 63卷

作者： Feichtinger, Kevin Hinterreiter, Daniel Linsbauer, Lukas Praehofer, Herbert Gruenbacher, Paul Johannes Kepler Univ Linz LIT CPS Lab Linz Austria Johannes Kepler Univ Linz Inst Software Syst Engn CDL MEVSS Linz Austria TU Braunschweig Inst Software Engn & Automot Informat Braunschweig Germany Johannes Univ Linz Inst Syst Software Linz Austria

Feature models are a de facto standard for representing the commonalities and variability of product lines and configurable software systems. Requirements-level features are commonly implemented in multiple source code artifacts, resulting in complex dependencies at the code level. As developers add and evolve features frequently, it is challenging to keep feature models consistent with their implementation. This article thus presents an approach combining feature-to-code mappings and code dependency analyses to inform engineers about possible inconsistencies. We focus on code-level changes requiring updates in feature dependencies and constraints. Our approach uses static code analysis and a variation control system to lift complex code-level dependencies to feature models. We present the suggested dependencies to the engineer in two ways: directly as links between features in a feature model and as a heatmap visualizing the dependency changes of all features in a model. We evaluate our approach by analyzing the evolution history of two case study systems: the Pick and-Place Unit and the KePlast product line of our industry partner KEBA AG. We present results of evaluating the utility (RQ1) and performance (RQ2) of our approach, as well as the quality of the suggestions (RQ3).

关键词： Product lines Variation control system static code analysis Dependency analysis

来源：评论

学校读者我要写书评

暂无评论

Estimating the potential of program repair search spaces with commit analysis

引用

JOURNAL OF SYSTEMS AND SOFTWARE 2022年 188卷 111263-111263页

作者： Etemadi, Khashayar Tarighat, Niloofar Yadav, Siddharth Martinez, Matias Monperrus, Martin KTH Royal Inst Technol Stockholm Sweden Sharif Univ Technol Tehran Iran Indraprastha Inst Informat Technol Delhi Delhi India Univ Polytech Hauts De France Valenciennes France

The most natural method for evaluating program repair systems is to run them on bug datasets, such as Defects4J. Yet, using this evaluation technique on arbitrary real-world programs requires heavy configuration. In this paper, we propose a purely static method to evaluate the potential of the search space of repair approaches. This new method enables researchers and practitioners to encode the search spaces of repair approaches and select potentially useful ones without struggling with tool configuration and execution. We encode the search spaces by specifying the repair strategies they employ. Next, we use the specifications to check whether past commits lie in repair search spaces. For a repair approach, including many human-written past commits in its search space indicates its potential to generate useful patches. We implement our evaluation method in LIGHTER. LIGHTER gets a Git repository and outputs a list of commits whose source code changes lie in repair search spaces. We run LIGHTER on 55,309 commits from the history of 72 Github repositories with and show that LIGHTER's precision and recall are 77% and 92%, respectively. Overall, our experiments show that our novel method is both lightweight and effective to study the search space of program repair approaches.(C) 2022 The Author(s). Published by Elsevier Inc.& nbsp

关键词： Program repair Search-space static code analysis Commit analysis

来源：评论

学校读者我要写书评

暂无评论

Real-Time Operating Systems' Compliance With MISRA-C Coding Standard: A Comprehensive Study

引用

IEEE ACCESS 2024年 12卷 151955-151974页

作者： Song, Jia Shigdel, Ronisha Pokharel, Aditi Alves-Foss, Jim Univ Idaho Ctr Secure & Dependable Syst CSDS Moscow ID 83844 USA

Ensuring the security and safety of a real-time operating system (RTOS) is crucial for protecting against potential cyber-attacks. A robust system can provide reliable and uninterrupted operations in the system as well as protect sensitive data and critical functions. To help programmers develop robust programs and systems, multiple secure coding standards have been developed by different organizations. These coding standards offer guidelines for writing secure code to eliminate vulnerabilities and prevent undefined behaviors from happening. The goal of this research is to understand whether several free common RTOSs follow these secure coding standards. We chose MISRA-C:2012 for our experiment because it is a widely recognized coding standard specifically designed for the safe use of the C programming language in critical systems. To investigate whether existing RTOSs adhere to MISRA-C:2012, we utilized a static code analysis tool, Cppcheck, to analyze 16 open-source RTOSs (written in C) for compliance with 153 rules in MISRA-C:2012. The results indicate that most of the RTOSs conform to mandatory rules of MISRA-C. However, quite a few of the required rules are still violated by many of the RTOSs. Some of the violated rules can potentially result in critical issues in the RTOSs, but most of them can be avoided by simply writing better and safer C code. This paper discusses the major issues in the implementation of RTOSs found in our experiment. The analysis of the results will help programmers and researchers understand the primary concerns in RTOSs' code and learn how to avoid them by implementing better code.

关键词： Standards codes Security Safety C plus plus languages Source coding Programming Software reliability Standards organizations Operating systems Real-time systems Open source software MISRA-C secure coding standards static code analysis RTOS RTOS safety

来源：评论

学校读者我要写书评

暂无评论

Reducing the fault vulnerability of hard real-time systems

引用

JOURNAL OF SYSTEMS ARCHITECTURE 2022年 133卷

作者： Bouquillon, Fabien Niar, Smail Lipari, Giuseppe Univ Lille CNRS Inria Cent LilleUMR 9189 CRIStAL F-59000 Lille France Univ Polytech Hauts De France CNRS UMR 8201 LAMIH F-59313 Valenciennes France Univ Modena & Reggio Emilia Modena Italy

With the progress of the technology, the presence of transient faults (e.g. bit-flipping errors) in cache memories becomes a challenge, especially in embedded real-time systems. These are mission critical systems that are often subject to both fault-tolerant and real-time *** reduce the impact of transient faults, hardware protection mechanisms are usually proposed. However, these mechanisms introduce too much pessimism in the computation of the worst-case execution time of a task, decreasing the overall system *** this paper, we propose a methodology to evaluate and reduce the vulnerability of hard real-time applications to soft errors in IL1 cache *** use static analysis tools to analyze a binary program and compute the overall vulnerability of its instructions. Then, we propose to reduce this vulnerability by invalidating some cache blocks at specific instants during the execution, thus forcing vulnerable instruction blocks to be reloaded from higher layers of memory. Since adding invalidation points will likely increase the WCETs of the tasks, we perform a static analysis to guarantee that the application deadlines are respectedFinally, we analyze how our methodology can be combined with hardware protection mechanisms as ECC memories, and we evaluate the performance on a set of benchmarks.

关键词： Real-time systems Reliability Cache memory Transient faults Vulnerability static code analysis WCET analysis

来源：评论

学校读者我要写书评

暂无评论

Insecurity Refactoring: Automated Injection of Vulnerabilities in Source code

引用

COMPUTERS & SECURITY 2023年 128卷

作者： Schuckert, Felix Katt, Basel Langweg, Hanno Norwegian Univ Sci & Technol NTNU Fac Informat Technol & Elect Engn Dept Informat Secur & Commun Technol Gjevik Norway HTWG Konstanz Univ Appl Sci Dept Comp Sci Constance Germany

Insecurity Refactoring is a change to the internal structure of software to inject a vulnerability without changing the observable behavior in a normal use case scenario. An implementation of Insecurity Refac-toring is formally explained to inject vulnerabilities in source code projects by using static code analysis. It creates learning examples with source code patterns from known vulnerabilities. Insecurity Refactoring is achieved by creating an Adversary Controlled Input Dataflow tree based on a code Property Graph. The tree is used to find possible injection paths. Transformation of the possible injection paths allows to inject vulnerabilities. Insertion of data flow patterns introduces different code patterns from related Common Vulnerabilities and Exposures (CVE) reports. The approach is evaluated on 307 open source projects. Additionally, insecurity-refactored projects are deployed in virtual machines to be used as learning examples. Different static code analysis tools, dynamic tools and manual inspections are used with modified projects to confirm the presence of vulnerabilities. The results show that in 8.1% of the open source projects it is possible to inject vulnerabilities. Differ-ent inspected code patterns from CVE reports can be inserted using corresponding data flow patterns. Furthermore the results reveal that the injected vulnerabilities are useful for a small sample size of at-tendees (n=16). Insecurity Refactoring is useful to automatically generate learning examples to improve software security training. It uses real projects as base whereas the injected vulnerabilities stem from real CVE reports. This makes the injected vulnerabilities unique and realistic. (c) 2023 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY license (http://***/licenses/by/4.0/)

关键词： Web security static code analysis Refactoring Vulnerability Pattern PHP SQLi xSS

来源：评论

学校读者我要写书评

暂无评论

Are automated static analysis tools worth it? An investigation into relative warning density and external software quality on the example of Apache open source projects

引用

EMPIRICAL SOFTWARE ENGINEERING 2023年第3期28卷 66-66页

作者： Trautsch, Alexander Herbold, Steffen Grabowski, Jens Univ Passau Passau Germany Univ Gottingen Inst Comp Sci Gottingen Germany

Automated static analysis Tools (ASATs) are part of software development best practices. ASATs are able to warn developers about potential problems in the code. On the one hand, ASATs are based on best practices so there should be a noticeable effect on software quality. On the other hand, ASATs suffer from false positive warnings, which developers have to inspect and then ignore or mark as invalid. In this article, we ask whether ASATs have a measurable impact on external software quality, using the example of PMD for Java. We investigate the relationship between ASAT warnings emitted by PMD on defects per change and per file. Our case study includes data for the history of each file as well as the differences between changed files and the project in which they are contained. We investigate whether files that induce a defect have more static analysis warnings than the rest of the project. Moreover, we investigate the impact of two different sets of ASAT rules. We find that, bug inducing files contain less static analysis warnings than other files of the project at that point in time. However, this can be explained by the overall decreasing warning density. When compared with all other changes, we find a statistically significant difference in one metric for all rules and two metrics for a subset of rules. However, the effect size is negligible in all cases, showing that the actual difference in warning density between bug inducing changes and other changes is small at best.

关键词： static code analysis Quality evolution Software metrics Software quality

来源：评论

学校读者我要写书评

暂无评论

An Evaluation of Coding Violation Focusing on Change History and Authorship of Source File

引用

INTERNATIONAL JOURNAL OF NETWORKED AND DISTRIBUTED COMPUTING 2017年第4期5卷 211-220页

作者： Burhandenny, Aji Ery Aman, Hirohisa Kawahara, Minoru Ehime Univ Grad Sch Sci & Engn 3 Bunkyo Cho Matsuyama Ehime 7908577 Japan Mulawarman Univ Fac Engn Samarinda 75119 East Kalimantan Indonesia Ehime Univ Ctr Informat Technol 3 Bunkyo Cho Matsuyama Ehime 7908577 Japan

This paper focuses on an evaluation of coding violation warned by a static code analysis tool while considering the change history of violation and the authorship of source file. Through an empirical study with data collected from seven open source software projects, the following findings are reported: (1) the variety and the evaluation of a coding violation tend to vary accroding to the authoring type of the source file;(2) while important violations tend to vary from project to project, about 30% of violations are commonly disregarded by many programmers.

关键词： static code analysis coding violation authorship of source file programmer's attention

来源：评论

学校读者我要写书评

暂无评论

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案：

请选择收藏分类：

通借通还

建议与咨询 留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案： 新增检索档案 确定 取消

请选择收藏分类： 新增自定义分类 确定 取消

通借通还

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

请选择保存的检索档案：

请选择收藏分类：