Information Technology Reference
In-Depth Information
for automatic generation of test cases are also applicable. However, the objective
of this paper was not to evaluate the performances in test case generation, but
the accuracy of the oracle in classifying tests.
This paper extends a preliminary workshop paper [3] that sketched the initial
intuition of the security oracle.
6Conluon
In this paper, we used kernel methods for implementing a security oracle for
web applications. The proposed security oracle has been assessed on a real PHP
application, with good performances in terms of precision, recall and scalability.
From this experiment, we learned which two kernel methods are the most ap-
propriate to use in this domain, they are Partial Tree Kernel (PTK) and Partial
Tree Kernel with no leaves (uPTK). Moreover, our empirical assessment high-
lighted an important aspect of the approach, attacks should be appropriately
represented among learning data in order to improve the performance of the
oracle.
As future works, we intend to experiment with customized kernel methods
to improve the performance of the security oracle. Moreover, we plan to con-
duct studies with web applications written in other languages and, possibly, to
consider different kind of vulnerabilities (e.g., Cross-site request forgery).
Acknowledgements.
The research described in this paper has been partially
supported by the European Community's Seventh Framework Programme
(FP7/2007-2013) under the grants #247758:
EternalS
- Trustworthy Eternal
Systems via Evolving Software, Data and Knowledge, and #288024:
LiMoSINe
- Linguistically Motivated Semantic aggregation engiNes.
References
1. Avancini, A., Ceccato, M.: Towards security testing with taint analysis and genetic
algorithms. In: Proceedings of the 2010 ICSE Workshop on Software Engineering
for Secure Systems, pp. 65-71. ACM (2010)
2. Avancini, A., Ceccato, M.: Security testing of web applications: A search-based
approach for cross-site scripting vulnerabilities. In: 2011 11th IEEE International
Working Conference on Source Code Analysis and Manipulation, SCAM, pp. 85-
94. IEEE (2011)
3. Avancini, A., Ceccato, M.: Grammar based oracle for security testing of web appli-
cations. In: Proceedings of 7th International Workshop on Automation of Software
Test (2012) (to appear)
4. Christey, S., Martin, R.A.: Vulnerability type distributions in cve. Tech. rep., The
MITRE Corporation (2006),
5. Collins, M., Duffy, N.: Convolution kernels for natural language. In: Advances in
Neural Information Processing Systems 14, pp. 625-632. MIT Press (2001)
Search WWH ::
Custom Search