Towards a Deep Learning Model for Vulnerability Detection on Web Application Variants
Reported vulnerabilities have grown significantly over recent years, with SQL injection (SQLi) being one of the most prominent, especially in web applications. For web applications, this increase can be explained by the integration of multiple software parts (e.g., various plugins and modules), often developed by different organizations, which together compose web application variants. Machine learning has the potential to be a great ally in finding vulnerabilities, aiding experts by reducing the search space or even by classifying programs on its own. However, previous work usually does not consider SQLi or uses techniques that are hard to scale. Moreover, there is a clear gap in machine-learning-based vulnerability detection for PHP, the most popular server-side language for web applications. This paper presents a deep learning model able to classify PHP slices as vulnerable (or not) to SQLi. As slices can belong to any variant, we propose the use of an intermediate language to represent the slices and to interpret them as text, resorting to well-studied Natural Language Processing (NLP) techniques. Preliminary results show that the model can discover SQLi, helping programmers and precluding attacks that would eventually be costly to repair.
Wed 28 Oct (time zone: Lisbon), 11:00 - 12:30

11:00 (30m, full paper): Towards a Deep Learning Model for Vulnerability Detection on Web Application Variants. ToCaMS 2020. Ana Fidalgo (LASIGE, Faculdade de Ciências da Universidade de Lisboa), Ibéria Medeiros (LaSIGE, Faculdade de Ciências da Universidade de Lisboa), Paulo Antunes (LASIGE, Faculdade de Ciências da Universidade de Lisboa), Nuno Neves (DI FC UL).

11:30 (30m, full paper): Test Design with the Classification Tree Method in Presence of Variants. ToCaMS 2020.

12:00 (30m, full paper): Regression Test Suite Reduction for Cloud Systems. ToCaMS 2020. Oussama Jebbar (Gina Cody School of Engineering and Computer Science, Concordia University, Montreal), Mohamed Aymen Saied (Concordia University), Ferhat Khendek (Concordia University), Maria Toeroe (Ericsson Inc, Montreal).