Combining Static Code Analysis and Machine Learning for Automatic Detection of Security Vulnerabilities in Mobile Apps

2017 ◽  
pp. 68-94
Author(s):  
Marco Pistoia ◽  
Omer Tripp ◽  
David Lubensky
Keyword(s):  
Machine Learning ◽  
Static Analysis ◽  
Private Information ◽  
Program Analysis ◽  
Mobile Applications ◽  
Mobile Apps ◽  
Security Vulnerabilities ◽  
Code Analysis ◽  
Analysis Tools ◽  
Static Code Analysis

Mobile devices have revolutionized many aspects of our lives. Without realizing it, we often run on them programs that access and transmit private information over the network. Integrity concerns arise when mobile applications use untrusted data as input to security-sensitive computations. Program-analysis tools for integrity and confidentiality enforcement have become a necessity. Static-analysis tools are particularly attractive because they do not require installing and executing the program, and have the potential of never missing any vulnerability. Nevertheless, such tools often have high false-positive rates. In order to reduce the number of false positives, static analysis has to be very precise, but this is in conflict with the analysis' performance and scalability, requiring a more refined model of the application. This chapter proposes Phoenix, a novel solution that combines static analysis with machine learning to identify programs exhibiting suspicious operations. This approach has been widely applied to mobile applications obtaining impressive results.

Combining Static Code Analysis and Machine Learning for Automatic Detection of Security Vulnerabilities in Mobile Apps

2018 ◽  
pp. 1121-1147
Author(s):  
Marco Pistoia ◽  
Omer Tripp ◽  
David Lubensky
Keyword(s):  
Machine Learning ◽  
Static Analysis ◽  
Private Information ◽  
Program Analysis ◽  
Mobile Applications ◽  
Mobile Apps ◽  
Security Vulnerabilities ◽  
Code Analysis ◽  
Analysis Tools ◽  
Static Code Analysis

Mobile devices have revolutionized many aspects of our lives. Without realizing it, we often run on them programs that access and transmit private information over the network. Integrity concerns arise when mobile applications use untrusted data as input to security-sensitive computations. Program-analysis tools for integrity and confidentiality enforcement have become a necessity. Static-analysis tools are particularly attractive because they do not require installing and executing the program, and have the potential of never missing any vulnerability. Nevertheless, such tools often have high false-positive rates. In order to reduce the number of false positives, static analysis has to be very precise, but this is in conflict with the analysis' performance and scalability, requiring a more refined model of the application. This chapter proposes Phoenix, a novel solution that combines static analysis with machine learning to identify programs exhibiting suspicious operations. This approach has been widely applied to mobile applications obtaining impressive results.

An empirical study on combining diverse static analysis tools for web security vulnerabilities based on development scenarios

Computing ◽  
2018 ◽  
Vol 101 (2) ◽  
pp. 161-185 ◽  
Author(s):  
Paulo Nunes ◽  
Ibéria Medeiros ◽  
José Fonseca ◽  
Nuno Neves ◽  
Miguel Correia ◽  
...  
Keyword(s):  
Empirical Study ◽  
Static Analysis ◽  
Web Security ◽  
Security Vulnerabilities ◽  
Development Scenarios ◽  
Analysis Tools

Permission-Based Malware Detection System for Android Using Machine Learning Techniques

2019 ◽  
Vol 29 (01) ◽  
pp. 43-61 ◽  
Author(s):  
Recep Sinan Arslan ◽  
İbrahim Alper Doğru ◽  
Necaattin Barişçi
Keyword(s):  
Machine Learning ◽  
Mobile Applications ◽  
Detection System ◽  
Security And Privacy ◽  
Machine Learning Techniques ◽  
Accuracy Rate ◽  
Code Analysis ◽  
Learning Techniques ◽  
Accuracy Level ◽  
Privacy Models

Mobile applications create their own security and privacy models through permission-based models. Some applications may request extra permissions that they do not need but may use for suspicious activities. The aim of this study is to identify those spare permissions requested and use this information in the security and privacy approach, which uses static and code analysis together and applies them to the existing datasets; then the results are compared and accuracy level is determined. Classification is made with an accuracy rate of 91.95%.

Sign in / Sign up

Export Citation Format

Share Document