A Software Vulnerability Analysis System using Learning for Source Code Weakness History


  • 이광형 (Department of Software Engineering, Seoil University)
  • 박재표 (Graduate School of Information Science, Soongsil University)
  • Received : 2017.10.23
  • Accepted : 2017.11.03
  • Published : 2017.11.30

Abstract

As ICT and Internet of Things (IoT) products have spread into new application areas, open source software is now used across computers, smartphones, IoT devices and many other environments. With that wider use, attacks that exploit security weaknesses in open source software have increased steadily. Various tools and programs for secure coding have been released in response, yet many vulnerabilities still occur. This paper proposes a method for safer open source software development: the histories and patterns obtained from earlier open source vulnerability analyses are learned continuously and applied to the analysis of newly raised weaknesses. We designed a weakness analysis system based on weakness history and pattern learning, implemented it as a prototype, and evaluated its performance experimentally. For five vulnerability categories, the average vulnerability detection time was reduced by up to about 1.61 s, and the average detection accuracy improved by about 44 percentage points. The results are intended to help researchers in software weakness analysis and developers who use weakness analysis for secure coding.
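The abstract describes a system that learns from the history and patterns of earlier vulnerability findings, but the page does not say how the learning is done. The following is an added example, not the paper's system and not its authors' code, of the simplest form such history-driven learning can take: every reviewed source line is tokenized, each token is weighted by how much more often it appears in a weakness category's history than in lines reviewers accepted as benign, and new code is triaged against those weights. Confirming a new finding and re-learning changes what is flagged next time, which is the feedback loop the abstract refers to. All source snippets, category names, the token weighting and the flagging threshold of 1 are assumptions made for this example.

```python
"""Added example (not the paper's system): learn weakness patterns from a
review history and use them to triage new source lines.

The history is a constructed list of (source line, category) pairs; "benign"
marks lines a reviewer accepted. Each token is weighted by how much more often
it occurs in a category's lines than in the benign lines, so confirming a new
finding and re-learning immediately changes what gets flagged. All snippets,
category names and the flagging threshold are assumptions for illustration.
"""
import re
from fractions import Fraction

# Constructed review history: (line of source, category assigned by a reviewer).
HISTORY = [
    ('cursor.execute("SELECT * FROM users WHERE id = " + user_id)', "sql_injection"),
    ('db.query("DELETE FROM t WHERE id = " + str(req_id))', "sql_injection"),
    ('os.system("ping -c 1 " + host)', "os_command_injection"),
    ('subprocess.call("tar xf " + fname, shell=True)', "os_command_injection"),
    ('open(BASE_DIR + "/" + request.args["file"]).read()', "path_traversal"),
    ("send_file(os.path.join(UPLOAD_DIR, user_path))", "path_traversal"),
    ('PASSWORD = "hunter2"', "hardcoded_credential"),
    ('conn = connect(user="admin", password="s3cret")', "hardcoded_credential"),
    ("strcpy(buf, argv[1]);", "buffer_overflow"),
    ("gets(line);", "buffer_overflow"),
    # Accepted lines: the safe counterparts of the patterns above.
    ('cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))', "benign"),
    ('subprocess.run(["ping", "-c", "1", host], check=True)', "benign"),
    ("strncpy(buf, argv[1], sizeof(buf) - 1);", "benign"),
    ('password = os.environ["DB_PASSWORD"]', "benign"),
    ("path = os.path.join(UPLOAD_DIR, secure_filename(user_path))", "benign"),
]

# String literals collapse to a single STR token; '+' is kept because
# concatenating data into a sink is the recurring shape of the injection lines.
TOKEN_RE = re.compile(r'''"[^"]*"|'[^']*'|[A-Za-z_][A-Za-z0-9_]*|\+''')


def tokenize(line):
    """Return the set of tokens in one source line."""
    return {"STR" if t[0] in "\"'" else t for t in TOKEN_RE.findall(line)}


def learn(history):
    """Return {category: {token: weight}}.

    weight = (fraction of the category's lines containing the token)
           - (fraction of benign lines containing the token)
    Tokens seen only in benign lines therefore count against every category.
    """
    docs_by_cat = {}
    for line, cat in history:
        docs_by_cat.setdefault(cat, []).append(tokenize(line))
    benign = docs_by_cat.pop("benign", [])
    vocab = set().union(*benign, *(d for docs in docs_by_cat.values() for d in docs))

    def doc_freq(docs, tok):
        return Fraction(sum(tok in d for d in docs), len(docs)) if docs else Fraction(0)

    return {
        cat: {tok: doc_freq(docs, tok) - doc_freq(benign, tok) for tok in vocab}
        for cat, docs in docs_by_cat.items()
    }


def score_line(model, line):
    """Sum the learned weights of the line's tokens for every category."""
    toks = tokenize(line)
    return {cat: sum((weights.get(t, Fraction(0)) for t in toks), Fraction(0))
            for cat, weights in model.items()}


def triage(model, line, threshold=Fraction(1)):
    """Return (category, score); category is None when nothing reaches the threshold."""
    scores = score_line(model, line)
    best = max(scores, key=scores.get)
    return (best if scores[best] >= threshold else None), scores[best]


def confirm_finding(history, line, category):
    """Record a reviewer-confirmed finding and re-learn: the feedback loop."""
    history = history + [(line, category)]
    return history, learn(history)


MODEL = learn(HISTORY)

if __name__ == "__main__":
    new_code = [
        'cursor.execute("UPDATE users SET email = " + email)',
        'subprocess.Popen("convert " + infile, shell=True)',
        'snprintf(buf, sizeof(buf), "%s", argv[1]);',
        'eval(request.form["expr"])',
    ]
    for line in new_code:
        print(triage(MODEL, line), line)
    # A reviewer confirms a new kind of finding; re-learning now catches the eval line.
    _, model2 = confirm_finding(HISTORY, 'eval(request.args["q"])', "code_injection")
    print(triage(model2, new_code[-1]), new_code[-1])
```

Run as a script, the first pass flags the concatenated UPDATE statement as sql_injection and the shell=True Popen call as os_command_injection, leaves the bounds-checked snprintf call unflagged, and misses the eval line because no category in the history resembles it; after one confirmed code_injection finding is added and the weights are re-learned, the same eval line is flagged. The caveat a practitioner should keep in mind is that line-level token weights are crude: the weights depend on a handful of history lines, variable names from past findings (fname, req_id) leak into the patterns, and a line that merely shares surface tokens with a past finding scores highly. A production system would learn over syntax trees or data-flow paths from source to sink rather than over tokens, and would measure precision against a held-out set before trusting the threshold.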
