ANN Modelling on Vulnerabilities Detection in Code Smells-Associated Android Applications

Gupta, Aakanshi; Sharma, Deepanshu; Phulli, Kritika

doi:10.2478/fcds-2022-0001

Abstract

There has been a lot of software design concerns in recent years that come under the code smell. Android Applications Developments experiences more security issues related to code smells that lead to vulnerabilities in software. This research focuses on the vulnerability detection in Android applications which consists of code smells. A multi-layer perceptron-based ANN model is generated for detection of software vulnerabilities and has a precision value of 74.7% and 79.6% accuracy with 2 hidden layers. The focus is laid on 1390 Android classes and involves association mining of the software vulnerabilities with android code smells using APRIORI algorithm. The generated ANN model The findings represent that Member Ignoring Method (MIM) code smell shows an association with Bean Member Serialization (BMS) vulnerability having 86% confidence level and 0.48 support value. An algorithm has also been proposed that would help developers in detecting software vulnerability in the smelly source code of an android applications at early stages of development.

References

[1] Adebiyi A, Arreymbi J, Imafidon C. Security Assessment of Software Design using Neural Network. arXiv preprint arXiv:1303.2017, 2013.10.14569/IJARAI.2012.010401
Search in Google Scholar Back to article
[2] Aakanshi Gupta, Bharti Suri and Vijin Vincent. An Empirical Examination of the Relationship between Code Smells and Vulnerabilities. International Journal of Computer Applications 176(32):1-9, June 2020. DOI: 10.5120/ijca202092036210.5120/ijca2020920362
Search in Google Scholar Back to article
[3] Android Developers. The contribution of android to economic growth. Available at androiddeveloper.galileo.edu/2017/05/12/the-contribution-of-android-to-economic-growth/, 2017.
Search in Google Scholar Back to article
[4] Carette A, Younes MA, Hecht G, Moha N, Rouvoy R. Investigating the energy impact of android smells. In2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER), 2017 (pp. 115-126). IEEE.10.1109/SANER.2017.7884614
Search in Google Scholar Back to article
[5] Chowdhury I, Zulkernine M. Using complexity, coupling, and cohesion metrics as early indicators of vulnerabilities. Journal of Systems Architecture. 2011, 57(3):294-313.10.1016/j.sysarc.2010.06.003
Search in Google Scholar Back to article
[6] Craig. Chapple. Global app revenue grew 23 billion. Available at sensortower.com/blog/app-revenue-and-downloads-q3-2019.
Search in Google Scholar Back to article
[7] Fontana FA, Mäntylä MV, Zanoni M, Marino A. Comparing and experimenting machine learning techniques for code smell detection. Empirical Software Engineering.;, 2016, 21(3):1143-91.10.1007/s10664-015-9378-4
Search in Google Scholar Back to article
[8] Fontana FA, Walter B, Zanoni M. Code smells and micro patterns correlations. InRefTest 2013 Workshop, co-located event with XP 2013 Conference, 2013.
Search in Google Scholar Back to article
[9] Fowler M. Refactoring. Improving the design of existing code. In11th European Conference. Jyväskylä, Finland, 1997.
Search in Google Scholar Back to article
[10] Gupta A, Suri B, Kumar V, Jain P. Extracting rules for vulnerabilities detection with static metrics using machine learning. International Journal of System Assurance Engineering and Management, 2020.10.1007/s13198-020-01036-0
Search in Google Scholar Back to article
[11] Gupta A, Suri B, Kumar V, Misra S, Blažauskas T, Damaševičius R. Software code smell prediction model using Shannon, Rényi and Tsallis entropies. Entropy, 2018.20(5):372.10.3390/e20050372
Search in Google Scholar Back to article
[12] Harer JA, Kim LY, Russell RL, Ozdemir O, Kosta LR, Rangamani A, Hamilton LH, Centeno GI, Key JR, Ellingwood PM, Antelman E. Automated software vulnerability detection with machine learning. arXiv preprint arXiv:1803.04497. 2018 Feb 14.
Search in Google Scholar Back to article
[13] Hei X, Du X, Lin S. Two vulnerabilities in Android OS kernel. In2013 IEEE International Conference on Communications, 2013(ICC (pp. 6123-6127). IEEE.10.1109/ICC.2013.6655583
Search in Google Scholar Back to article
[14] Hornik K, Stinchcombe M, White H. Multilayer feedforward networks are universal approximators. Neural networks. 1989 Jul 1;2(5):359-66.10.1016/0893-6080(89)90020-8
Search in Google Scholar Back to article
[15] Huang H, Zhu S, Chen K, Liu P. From system services freezing to system server shutdown in android: All you need is a loop in an app. InProceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015 (pp. 1236-1247).10.1145/2810103.2813606
Search in Google Scholar Back to article
[16] Islam MR, Zibran MF. A comparative study on vulnerabilities in categories of clones and non-cloned code. In 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER) 2016, (Vol. 3, pp. 8-14). IEEE.10.1109/SANER.2016.90
Search in Google Scholar Back to article
[17] Jošt GR, Huber J, HeriČko M. Using object oriented software metrics for mobile application development. In 2nd Workshop of Software Quality Analysis, Monitoring, Improvement, and Applications, 2013 (pp. 17-27).
Search in Google Scholar Back to article
[18] Khashei M, Bijari M. An artificial neural network (p, d, q) model for timeseries forecasting. Expert Systems with applications, 2010.37(1):479-89.10.1016/j.eswa.2009.05.044
Search in Google Scholar Back to article
[19] Lee S, Choeh JY. Predicting the helpfulness of online reviews using multilayer perceptron neural networks. Expert Systems with Applications. 2014; 41(6):3041-6.10.1016/j.eswa.2013.10.034
Search in Google Scholar Back to article
[20] Li Z, Zou D, Xu S, Ou X, Jin H, Wang S, Deng Z, Zhong Y. Vuldeepecker: A deep learning-based system for vulnerability detection. arXiv preprint arXiv:1801.01681. 2018 Jan 5.10.14722/ndss.2018.23158
Search in Google Scholar Back to article
[21] Lieberherr KJ, Holland IM. Assuring good style for object-oriented programs. IEEE software. 1989 Sep;6(5):38-48.10.1109/52.35588
Search in Google Scholar Back to article
[22] Linares-Vásquez M, Bavota G, Escobar-Velásquez C.. An empirical study on android-related vulnerabilities. In2017 IEEE/ACM 14th International Conference on Mining Software Repositories (MSR) 2017. (pp. 2-13). IEEE.10.1109/MSR.2017.60
Search in Google Scholar Back to article
[23] Mahmood R, Mahmoud QH. Evaluation of static analysis tools for finding vulnerabilities in Java and C/C++ source code. arXiv preprint arXiv:1805.09040. 2018 May 23.
Search in Google Scholar Back to article
[24] Meshram PD, Thool RC. A survey paper on vulnerabilities in android OS and security of android devices. In2014 IEEE Global Conference on Wireless Computing & Networking (GCWCN). 2014 (pp. 174-178). IEEE.10.1109/GCWCN.2014.7030873
Search in Google Scholar Back to article
[25] Mohit Maheshwari. Top programming languages for android app development. Available at dzone.com/articles/most-used-programming-languages-for-android-appde.
Search in Google Scholar Back to article
[26] Palomba F, Bavota G, Di Penta M, Oliveto R, De Lucia A, Poshyvanyk D. Detecting bad smells in source code using change history information. In2013 28th IEEE/ACM International Conference on Automated Software Engineering (ASE) 2013.(pp. 268-278). IEEE.10.1109/ASE.2013.6693086
Search in Google Scholar Back to article
[27] Palomba F, Di Nucci D, Panichella A, Zaidman A, De Lucia A. Lightweight detection of android-specific code smells: The adoctor project. In2017 IEEE 24th international conference on software analysis, evolution and reengineering (SANER)2017. (pp. 487-491). IEEE.10.1109/SANER.2017.7884659
Search in Google Scholar Back to article
[28] Palomba F, Oliveto R, De Lucia A. Investigating code smell co-occurrences using association rule learning: A replicated study. In 2017 IEEE Workshop on Machine Learning Techniques for Software Quality Evaluation (MaLTeSQuE) 2017 (pp. 8-13). IEEE.10.1109/MALTESQUE.2017.7882010
Search in Google Scholar Back to article
[29] Pang Y, Xue X, Wang H. Predicting vulnerable software components through deep neural network. InProceedings of the 2017 International Conference on Deep Learning Technologies 2017 Jun 2 (pp. 6-10).10.1145/3094243.3094245
Search in Google Scholar Back to article
[30] Park H, Baek S.An empirical validation of a neural network model for software effort estimation. Expert Systems with Applications.2008, 35(3):929-37.10.1016/j.eswa.2007.08.001
Search in Google Scholar Back to article
[31] PI LLC. (2014). The security impact of mobile device use by employees. Ponemon Institute, Tech. Rep., 2014.
Search in Google Scholar Back to article
[32] Reimann J, Brylski M, Aßmann U. A tool-supported quality smell catalogue for android developers. InProc. of the conference Modellierung 2014 in the Workshop Modellbasierte und modellgetriebene Softwaremodernisierung–MMSM
Search in Google Scholar Back to article
[33] Rob Sobers. (2020). 110 must-know cybersecurity statistics for 2020. Available at www.varonis.com/blog/cybersecurity-statistics/.
Search in Google Scholar Back to article
[34] Robert JS. Pattern Recognition. Statistical, Structural and Neural Approaches. New York. 1992.
Search in Google Scholar Back to article
[35] Rutar N, Almazan CB, Foster JS. A comparison of bug finding tools for java. In15th International Symposium on Software Reliability Engineering, 2004 (pp. 245-256). IEEE.10.1109/ISSRE.2004.1
Search in Google Scholar Back to article
[36] Saccente N, Dehlinger J, Deng L, Chakraborty S, Xiong Y. Project achilles: A prototype tool for static method-level vulnerability detection of java source code using a recurrent neural network. In2019 34th IEEE/ACM International Conference on Automated Software Engineering Workshop (ASEW) 2019 Nov 11 (pp. 114-121). IEEE.10.1109/ASEW.2019.00040
Search in Google Scholar Back to article
[37] Sahraoui HA, Godin R, Miceli T. Can metrics help bridging the gap between the improvement of OO design quality and its automation. InProceedings of the International Conference on Software Maintenance, ICSM, 200010.1109/ICSM.2000.883034
Search in Google Scholar Back to article
[38] Scheffer T. Finding association rules that trade support optimally against confidence. In European conference on principles of data mining and knowledge Discovery, 2001 (pp. 424-435). Springer, Berlin, Heidelberg.10.1007/3-540-44794-6_35
Search in Google Scholar Back to article
[39] Shewale H, Patil S, Deshmukh V, Singh P. Analysis of android vulnerabilities and modern exploitation techniques. ICTACT journal on communication technology, 2014. 5(1):863-7.10.21917/ijct.2014.0122
Search in Google Scholar Back to article
[40] Skybox Security. vulnerability and threat trends. Available at lp.skyboxsecurity.com/rs/440-MPQ-510/images/2020VTTrendsReportreduced.pdf., 2020.
Search in Google Scholar Back to article
[41] Szőke G, Nagy C, Fülöp LJ, Ferenc R, Gyimóthy T. FaultBuster. An automatic code smell refactoring toolset. In 2015 IEEE 15th International Working Conference on Source Code Analysis and Manipulation (SCAM) 2015, (pp. 253-258). IEEE.10.1109/SCAM.2015.7335422
Search in Google Scholar Back to article
[42] Wang Q, Yu B, Zhu J. Extract rules from software quality prediction model based on neural network. In16th IEEE International Conference on Tools with Artificial Intelligence. 2004 (pp. 191-195). IEEE.
Search in Google Scholar Back to article
[43] Wu, F., Wang, J., Liu, J. and Wang, W., December. Vulnerability detection with deep learning. In 2017 3rd IEEE International Conference on Computer and Communications (ICCC), 2017. (pp. 1298-1302).10.1109/CompComm.2017.8322752
Search in Google Scholar Back to article
[44] Yamashita A, Moonen L. Do developers care about code smells? An exploratory survey. In2013 20th Working Conference on Reverse Engineering (WCRE), 2013(pp. 242-251). IEEE.10.1109/WCRE.2013.6671299
Search in Google Scholar Back to article

ANN Modelling on Vulnerabilities Detection in Code Smells-Associated Android Applications

Abstract

Paradigm

My account