DeepSQLi: Deep Semantic Learning for Testing SQL Injection
Security is unarguably the most serious concern for Web applications, to
which SQL injection (SQLi) attack is one of the most devastating attacks.
Automatically testing SQLi vulnerabilities is of ultimate importance, yet is
unfortunately far from trivial to implement. This is because of the existence of a
huge, or potentially infinite, number of variants and semantic possibilities of
SQL leading to SQLi attacks on various Web applications. In this paper, we
propose a deep natural language processing based tool, dubbed DeepSQLi, to
generate test cases for detecting SQLi vulnerabilities. Through adopting a deep
learning based neural language model and sequence of words prediction, DeepSQLi
is equipped with the ability to learn the semantic knowledge embedded in SQLi
attacks, allowing it to translate user inputs (or a test case) into a new test
case, which is semantically related and potentially more sophisticated.
Experiments are conducted to compare DeepSQLi with SQLmap, a state-of-the-art
SQLi testing automation tool, on six real-world Web applications that are of
different scales, characteristics and domains. Empirical results demonstrate
the effectiveness and the remarkable superiority of DeepSQLi over SQLmap, such
that more SQLi vulnerabilities can be identified by using a smaller number of test
cases, whilst running much faster.
BiLO-CPDP: Bi-Level Programming for Automated Model Discovery in Cross-Project Defect Prediction
Cross-Project Defect Prediction (CPDP), which borrows data from similar
projects by combining a transfer learner with a classifier, has emerged as a
promising way to predict software defects when the available data about the
target project is insufficient. However, developing such a model is challenging
because it is difficult to determine the right combination of transfer learner
and classifier along with their optimal hyper-parameter settings. In this
paper, we propose a tool, dubbed BiLO-CPDP, which is the first of its kind to
formulate the automated CPDP model discovery from the perspective of bi-level
programming. In particular, the bi-level programming proceeds the optimization
with two nested levels in a hierarchical manner. Specifically, the upper-level
optimization routine is designed to search for the right combination of
transfer learner and classifier while the nested lower-level optimization
routine aims to optimize the corresponding hyper-parameter settings. To
evaluate BiLO-CPDP, we conduct experiments on 20 projects to compare it with a
total of 21 existing CPDP techniques, along with its single-level optimization
variant and Auto-Sklearn, a state-of-the-art automated machine learning tool.
Empirical results show that BiLO-CPDP champions better prediction performance
than all other 21 existing CPDP techniques on 70% of the projects, while being
overwhelmingly superior to Auto-Sklearn and its single-level optimization
variant on all cases. Furthermore, the unique bi-level formalization
in BiLO-CPDP also permits to allocate more budget to the upper-level, which
significantly boosts the performance.