Knowledge-Base Semantic Gap Analysis for the Vulnerability Detection

  • Conference paper

Part of the book series: Communications in Computer and Information Science (CCIS, volume 76)

Abstract

Web security has become a pressing concern in internet computing. To cope with ever-rising security complexity, semantic analysis is proposed to fill the gap that current approaches fail to address. Conventional methods limit their focus to the physical source code instead of the abstraction of semantics. As a result, they miss new types of vulnerability, which causes tremendous business loss.

For this reason, the semantic structure has been studied. Our novel approach introduces token decomposition and semantic abstraction. It aims to solve these issues by using a metadata code structure to envision the semantic gap.

In consideration of the optimized control and vulnerability rate, we take SQL injection as an example to demonstrate the approach: how the syntax abstraction is decomposed into tokens, and how the semantic structure is constructed using metadata notation. Because the new type of vulnerability can be precisely specified, business impact can be eliminated.



Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Wu, R., Seki, K., Sakamoto, R., Hisada, M. (2010). Knowledge-Base Semantic Gap Analysis for the Vulnerability Detection. In: Bandyopadhyay, S.K., Adi, W., Kim, Th., Xiao, Y. (eds) Information Security and Assurance. ISA 2010. Communications in Computer and Information Science, vol 76. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-13365-7_27

  • DOI: https://doi.org/10.1007/978-3-642-13365-7_27

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-13364-0

  • Online ISBN: 978-3-642-13365-7

  • eBook Packages: Computer Science, Computer Science (R0)
