Article title

ANN Modelling on Vulnerabilities Detection in Code Smells-Associated Android Applications

Identifiers
Title variants
Publication languages
EN
Abstracts
EN
In recent years, many software design concerns have come under the heading of code smells. Android application development experiences more security issues related to code smells, which lead to vulnerabilities in software. This research focuses on vulnerability detection in Android applications that contain code smells. A multi-layer perceptron-based ANN model is generated for the detection of software vulnerabilities; with 2 hidden layers it has a precision of 74.7% and an accuracy of 79.6%. The study covers 1390 Android classes and involves association mining of software vulnerabilities with Android code smells using the Apriori algorithm. The generated ANN model The findings show that the Member Ignoring Method (MIM) code smell is associated with the Bean Member Serialization (BMS) vulnerability, with an 86% confidence level and a support value of 0.48. An algorithm is also proposed that would help developers detect software vulnerabilities in the smelly source code of Android applications at early stages of development.
Year
Pages
3--26
Physical description
Bibliogr. 44 items, figs., tabs.
Document type
Bibliography
YADDA identifier
bwmeta1.element.baztech-b623f118-a16c-4978-909d-d4173320eeb3