An integrated framework for software vulnerability detection, analysis and mitigation: an autonomic system

Published in Sādhanā

Abstract

Nowadays, the number of software vulnerability incidents and the losses caused by software vulnerabilities are growing exponentially. Existing security strategies and vulnerability detection and remediation approaches are not intelligent, automated or self-managed, and are not competent to combat vulnerabilities and security threats or to provide organizations with a secure, self-managed software environment. Hence, there is a strong need for an intelligent and automated approach that optimizes security and prevents the occurrence of vulnerabilities or mitigates them. Autonomic computing is a nature-inspired, self-management-based computational model. In this paper, an autonomic-computing-based integrated framework is proposed to detect, raise an alarm for, assess, classify, prioritize, mitigate and manage software vulnerabilities automatically. The proposed framework uses a knowledge base and an inference engine, which automatically take remediating actions on future occurrences of software security vulnerabilities through self-configuration, self-healing, self-prevention and self-optimization as needed. The proposed framework benefits industry and society in various respects because it is an integrated, cross-concern and intelligent framework that provides organizations with a more secure, self-managed environment. It reduces security risks and threats, and also monetary and reputational loss. It can be embedded easily in existing software, and can be incorporated or implemented as a built-in integral component of new software during development.





Corresponding author

Correspondence to Manoj Kumar.


Cite this article

Kumar, M., Sharma, A. An integrated framework for software vulnerability detection, analysis and mitigation: an autonomic system. Sādhanā 42, 1481–1493 (2017). https://doi.org/10.1007/s12046-017-0696-7
