• Journal of Multimedia Information System
• /
• 제8권4호
• /
• pp.259-266
• /
• 2021

Security vulnerabilities have been reported in major design software systems such as Adobe Photoshop and Illustrator, which are recognized as de facto standard design tools in most of the design industries. Companies need to evaluate and manage their risk levels posed by those vulnerabilities, so that they could mitigate the potential security bridges in advance. In general, security vulnerabilities are discovered throughout their life cycles repeatedly if software systems are continually used. Hence, in this study, we empirically analyze risk levels for the three major graphical design software systems, namely Photoshop, Illustrator and GIMP with respect to a software vulnerability discovery model. The analysis reveals that the Alhazmi-Malaiya Logistic model tends to describe the vulnerability discovery patterns significantly. This indicates that the vulnerability discovery model makes it possible to predict vulnerability discovery in advance for the software systems. Also, we found that none of the examined vulnerabilities requires even a single authentication step for successful attacks, which suggests that adding an authentication process in software systems dramatically reduce the probability of exploitations. The analysis also discloses that, for all the three software systems, the predictions with evenly distributed and daily based datasets perform better than the estimations with the datasets of vulnerability reporting dates only. The observed outcome from the analysis allows software development managers to prepare proactively for a hostile environment by deploying necessary resources before the expected time of vulnerability discovery. In addition, it can periodically remind designers who use the software systems to be aware of security risk, related to their digital work environments.

• 정보보호학회논문지
• /
• 제25권4호
• /
• pp.921-932
• /
• 2015

본 논문에서는 소프트웨어 보안취약점의 중요도를 정량적으로 산출할 수 있는 중요도 정량 평가 체계를 제안한다. 제안된 평가 체계는 국내 소프트웨어 이용 환경을 고려한 보안취약점의 파급도, 위험도, 소프트웨어 점유율, 시스템에서의 사용 정도 등을 복합적으로 반영하여 보안취약점에 대한 심각성을 적절히 평가할 수 있는 평가 척도와 이를 기반으로 한 중요도 계산식으로 구성된다. 논문에서는 제안된 소프트웨어 보안취약점 평가 체계를 국내의 보안취약점에 시범적으로 적용하고 그 효용성을 CVSS 및 CWSS 등과 비교, 분석하였으며, 제안된 평가 체계의 활용 방안을 제시하였다.

• 한국멀티미디어학회논문지
• /
• 제18권2호
• /
• pp.199-206
• /
• 2015

Since security vulnerabilities newly discovered in a popular Web browser immediately put a number of users at risk, urgent attention from developers is required to address those vulnerabilities. Analysis of characteristics in the Web browser vulnerabilities can be used to assess security risks and to determine the resources needed to develop patches quickly to handle vulnerabilities discovered. So far, being a new research area, the quantitative aspects of the Web browser vulnerabilities and risk assessments have not been fully investigated. However, due to the importance of Web browser software systems, further detailed studies are required related to the Web browser risk assessment, using rigorous analysis of actual data which can assist decision makers to maximize the returns on their security related efforts. In this paper, quantitative software vulnerability analysis has been presented for major Web browsers with respect to the Common Vulnerability Scoring System. Further, vulnerability discovery trends in the Web browsers are also investigated. The results show that, almost all the time, vulnerabilities are compromised from remote networks with no authentication required systems. It is also found that a vulnerability discovery model which was originally introduced for operating systems is also applicable to the Web browsers.

• 디지털산업정보학회논문지
• /
• 제17권4호
• /
• pp.77-83
• /
• 2021

As Open Source Software(OSS) recently invigorates, many companies actively use the OSSes in their business software. With such OSS invigoration, our web application is developed in order to provide the safety in using the OSSes, and update the information on the new vulnerabilities and the patches at all times by crawling the web pages of the relevant OSS home pages and the managing organizations of the vulnerabilities. By providing the updated information, our application helps the OSS users and developers to be aware of such security issues, and gives them to work in the safer environment from security risks. In addition, our application can be used as a security platform to greatly contribute to preventing potential security incidents not only for companies but also for individual developers.

• International journal of advanced smart convergence
• /
• 제13권2호
• /
• pp.48-60
• /
• 2024

With the exponential growth of satellite data utilization, machine learning has become pivotal in enhancing innovation and cybersecurity in satellite systems. This paper investigates the role of machine learning techniques in identifying and mitigating vulnerabilities and code smells within satellite software. We explore satellite system architecture and survey applications like vulnerability analysis, source code refactoring, and security flaw detection, emphasizing feature extraction methodologies such as Abstract Syntax Trees (AST) and Control Flow Graphs (CFG). We present practical examples of feature extraction and training models using machine learning techniques like Random Forests, Support Vector Machines, and Gradient Boosting. Additionally, we review open-access satellite datasets and address prevalent code smells through systematic refactoring solutions. By integrating continuous code review and refactoring into satellite software development, this research aims to improve maintainability, scalability, and cybersecurity, providing novel insights for the advancement of satellite software development and security. The value of this paper lies in its focus on addressing the identification of vulnerabilities and resolution of code smells in satellite software. In terms of the authors' contributions, we detail methods for applying machine learning to identify potential vulnerabilities and code smells in satellite software. Furthermore, the study presents techniques for feature extraction and model training, utilizing Abstract Syntax Trees (AST) and Control Flow Graphs (CFG) to extract relevant features for machine learning training. Regarding the results, we discuss the analysis of vulnerabilities, the identification of code smells, maintenance, and security enhancement through practical examples. This underscores the significant improvement in the maintainability and scalability of satellite software through continuous code review and refactoring.

• International Journal of Computer Science & Network Security
• /
• 제21권9호
• /
• pp.354-357
• /
• 2021

Software vulnerabilities are becoming more and more increasing, their role is to harm the computer systems of companies, governmental organizations and agencies. The main objective of this paper is to propose a method that will cluster future software vulnerabilities that may spread. This method is developed by combining the Multiple Correspondence Analysis (MCA), the Elbow procedure and the Kmeans Algorithm. A simulation was done on a dataset of 15713 observations. This simulation allowed us to identify families of future vulnerabilities. This model was evaluated using the silhouette index.

• 한국소프트웨어감정평가학회 논문지
• /
• 제17권2호
• /
• pp.125-142
• /
• 2021

Reports of rampant cross-site scripting (XSS) vulnerabilities raise growing concerns on the effectiveness of current Static Analysis Security Testing (SAST) tools as an internet security device. Attentive to these concerns, this study aims to examine seven open-source SAST tools in order to account for their capabilities in detecting XSS vulnerabilities in PHP applications and to determine their performance in terms of effectiveness and analysis runtime. The representative tools - categorized as either text-based or graph-based analysis tools - were all test-run using real-world PHP applications with known XSS vulnerabilities. The collected vulnerability detection reports of each tool were analyzed with the aid of PhpStorm's data flow analyzer. It is observed that the detection rates of the tools calculated from the total vulnerabilities in the applications can be as high as 0.968 and as low as 0.006. Furthermore, the tools took an average of less than a minute to complete an analysis. Notably, their runtime is independent of their analysis type.

• 정보보호학회논문지
• /
• 제28권6호
• /
• pp.1449-1461
• /
• 2018

소프트웨어 취약점의 수가 해마다 증가함에 따라 소프트웨어에 대한 공격 역시 많이 발생하고 있다. 이에 따라 보안 관리자는 소프트웨어에 대한 취약점을 파악하고 패치 해야 한다. 그러나 모든 취약점에 대한 패치는 현실적으로 어렵기 때문에 패치의 우선순위를 정하는 것이 중요하다. 본 논문에서는 NIST(National Institute of Standards and Technology)에서 제공하는 취약점 자체 정보와 더불어, 공격 패턴이나 취약점을 유발하는 약점에 대한 영향을 추가적으로 고려하여 취약점의 위험도 평가 척도를 확장한 스코어링 시스템을 제안하였다. 제안하는 스코어링 시스템은 CWSS의 평가 척도를 기반으로 확장했으며, 어느 기업에서나 용이하게 사용할 수 있도록 공개된 취약점 정보만을 활용하였다. 이 논문에서 실험을 통해 제안한 자동화된 시스템을 소프트웨어 취약점에 적용함으로써, 공격 패턴과 약점에 의한 영향을 고려한 확장 평가 척도가 유의미한 값을 보이는 것을 확인하였다.

• 정보보호학회논문지
• /
• 제28권3호
• /
• pp.635-642
• /
• 2018

4차 산업혁명 시대에 우리는 소프트웨어 홍수 속에 살고 있다. 그러나, 소프트웨어의 증가는 필연적으로 소프트웨어 취약점 증가로 이어지고 있어 소프트웨어 취약점을 탐지 및 제거하는 작업이 중요하게 되었다. 현재까지 소프트웨어 취약 여부를 예측하는 연구가 진행되었지만, 탐지 시간이 오래 걸리거나, 예측 정확도가 높지 않았다. 따라서 본 논문에서는 기계학습 알고리즘을 이용하여 소프트웨어의 취약 여부를 효율적으로 예측하는 방법을 설명하며, 다양한 기계학습 알고리즘을 이용한 실험 결과를 비교한다. 실험 결과 k-Nearest Neighbors 예측 모델이 가장 높은 예측률을 보였다.

• 정보보호학회논문지
• /
• 제25권4호
• /
• pp.961-974
• /
• 2015

ESM에서 SIEM으로의 발전은 더 많은 데이터를 기반으로 상관분석을 할 수 있게 되었다. 취약점 진단에서 발견된 소프트웨어 취약점을 CWE와 같은 분류 표준으로 수집을 한다면, 로그 분석 및 취합, 보안관제 및 운용 과정 등에서 통일된 유형의 메시지를 활용함으로써 초기대응단계에서의 귀중한 시간절약으로 신속하게 대응할 수 있고, 모든 대응 단계에서 일관성을 유지하여 처리할 수 있게 된다. 취약점 진단과 모니터링 단계에서 CCE, CPE, CVE, CVSS 정보를 공유하여, 사전에 정의된 위협에 대해서만 탐지하지 않고, 각 자산이 가지고 있는 소프트웨어 취약점을 유기적으로 반영할 수 있도록 하고자 하였다. 이에 본 논문에서는 SIEM의 빅데이터 분석 기법을 활용하여 소프트웨어 취약점에 대한 위협을 효과적으로 탐지하고 대응할 수 있는 모델을 제안하고 적용해본 결과 기존의 방법으로 탐지할 수 없었던 소프트웨어 취약점을 탐지함으로서 효과적임을 확인하였다.