Pub Date : 2022-12-01DOI: 10.1109/QRS57517.2022.00017
Charilaos Skandylas, Narges Khakpour, Javier Cámara
Given the increasing complexity of softwareintensive systems as well as the sophistication and high frequency of cyber-attacks, automated and sound approaches to select countermeasures are required to effectively protect software systems. In this paper, we propose a formal architecturecentered approach to analyze the security of a software-intensive component-based system to find cost-efficient countermeasures that consider both the system architecture and its behavior. We evaluate our approach by applying it on a case study.
{"title":"Security Countermeasure Selection for Component-Based Software-Intensive Systems","authors":"Charilaos Skandylas, Narges Khakpour, Javier Cámara","doi":"10.1109/QRS57517.2022.00017","DOIUrl":"https://doi.org/10.1109/QRS57517.2022.00017","url":null,"abstract":"Given the increasing complexity of softwareintensive systems as well as the sophistication and high frequency of cyber-attacks, automated and sound approaches to select countermeasures are required to effectively protect software systems. In this paper, we propose a formal architecturecentered approach to analyze the security of a software-intensive component-based system to find cost-efficient countermeasures that consider both the system architecture and its behavior. We evaluate our approach by applying it on a case study.","PeriodicalId":143812,"journal":{"name":"2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS)","volume":"71 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115407825","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2022-12-01DOI: 10.1109/QRS57517.2022.00044
M. Carrero, Elena Enamorado-Díaz, J. A. García-García, María José Escalona Cuaresma
Over the last decade, clinical practice guidelines (CPGs) have become an important asset for daily life in healthcare organizations. Efficient CPG management and digitization can improve the quality of patient care and healthcare by reducing variability. CPG digitization, however, is a difficult, complex task because such guidelines are usually expressed as text, and this often results in the development of partial software solutions. There are currently many CPG suites (CPGS) for managing the CPG lifecycle, but they do not all provide full support for this lifecycle, making it more difficult to choose the one which will best meet the specific needs and requirements of a healthcare organization. This paper proposes a quality model which makes it possible to compare CPGs by highlighting each phase of the lifecycle. The research was conducted using a methodology that combined a systematic literature review with quality models. The paper also discusses how the proposed model was instantiated to evaluate and compare several current CPG-based execution systems.
{"title":"Proposing a Quality Model for Evaluating and Identifying Opportunities in Clinical Practice Guideline Engines","authors":"M. Carrero, Elena Enamorado-Díaz, J. A. García-García, María José Escalona Cuaresma","doi":"10.1109/QRS57517.2022.00044","DOIUrl":"https://doi.org/10.1109/QRS57517.2022.00044","url":null,"abstract":"Over the last decade, clinical practice guidelines (CPGs) have become an important asset for daily life in healthcare organizations. Efficient CPG management and digitization can improve the quality of patient care and healthcare by reducing variability. CPG digitization, however, is a difficult, complex task because such guidelines are usually expressed as text, and this often results in the development of partial software solutions. There are currently many CPG suites (CPGS) for managing the CPG lifecycle, but they do not all provide full support for this lifecycle, making it more difficult to choose the one which will best meet the specific needs and requirements of a healthcare organization. This paper proposes a quality model which makes it possible to compare CPGs by highlighting each phase of the lifecycle. The research was conducted using a methodology that combined a systematic literature review with quality models. The paper also discusses how the proposed model was instantiated to evaluate and compare several current CPG-based execution systems.","PeriodicalId":143812,"journal":{"name":"2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS)","volume":"26 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124855693","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2022-12-01DOI: 10.1109/QRS57517.2022.00087
Yuhao Wei, Song Huang, Yu Wang, Ruilin Liu, Chunyan Xia
In recent years, deep neural networks (DNNs) have made great progress in people’s daily life since it becomes easier for data accessing and labeling. However, DNN has been proven to behave uncertainly, especially when facing small perturbations in their input data, which becomes a limitation for its application in self-driving and other safety-critical fields. Those human-made attacks like adversarial attacks would cause extremely serious consequences. In this work, we design and evaluate a safety testing method for DNNs based on mutation testing, and propose an adversarial training method based on testing results and joint optimization. First, we conduct an adversarial mutation on the test datasets and measure the performance of models in response to the adversarial samples by mutation scores. Next, we evaluate the validity of mutation scores as a quantitative indicator of safety by comparing DNN models and their updated versions. Finally, we construct a joint optimization problem with safety scores for adversarial training, thus improving the safety of the model as well as the generalizability of the defense capability.
{"title":"Mutation Testing based Safety Testing and Improving on DNNs","authors":"Yuhao Wei, Song Huang, Yu Wang, Ruilin Liu, Chunyan Xia","doi":"10.1109/QRS57517.2022.00087","DOIUrl":"https://doi.org/10.1109/QRS57517.2022.00087","url":null,"abstract":"In recent years, deep neural networks (DNNs) have made great progress in people’s daily life since it becomes easier for data accessing and labeling. However, DNN has been proven to behave uncertainly, especially when facing small perturbations in their input data, which becomes a limitation for its application in self-driving and other safety-critical fields. Those human-made attacks like adversarial attacks would cause extremely serious consequences. In this work, we design and evaluate a safety testing method for DNNs based on mutation testing, and propose an adversarial training method based on testing results and joint optimization. First, we conduct an adversarial mutation on the test datasets and measure the performance of models in response to the adversarial samples by mutation scores. Next, we evaluate the validity of mutation scores as a quantitative indicator of safety by comparing DNN models and their updated versions. Finally, we construct a joint optimization problem with safety scores for adversarial training, thus improving the safety of the model as well as the generalizability of the defense capability.","PeriodicalId":143812,"journal":{"name":"2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS)","volume":"24 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123951791","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2022-12-01DOI: 10.1109/QRS57517.2022.00059
Pengnan Hao, Zhuguo Li, Cui Liu, Yu Wen, Fanming Liu
Source code authorship attribution addresses the problems of copyright infringement disputes and plagiarism detection. However, most software projects are collaborative development projects. It is necessary to study multiple authorship attribution. Existing methods are not reliable in the domain of multiple authorship attribution. The reasons are as follows: i) It is a challenge to divide the code boundaries of different authors in a sample; ii) code segments belonging to different authors in a sample are usually small or incomplete. This paper proposes a method to address these challenges. We first divide the code sample into multiple lines, then integrate the code lines with similar author styles into code segments using Siamese networks. Finally, we use a path-based code representation and machine learning to identify authors. Experimental results show the method achieves an accuracy of 87.35% on C/C++ dataset and 91.35% on Java dataset, which performs better than existing methods.
{"title":"Towards Improving Multiple Authorship Attribution of Source Code","authors":"Pengnan Hao, Zhuguo Li, Cui Liu, Yu Wen, Fanming Liu","doi":"10.1109/QRS57517.2022.00059","DOIUrl":"https://doi.org/10.1109/QRS57517.2022.00059","url":null,"abstract":"Source code authorship attribution addresses the problems of copyright infringement disputes and plagiarism detection. However, most software projects are collaborative development projects. It is necessary to study multiple authorship attribution. Existing methods are not reliable in the domain of multiple authorship attribution. The reasons are as follows: i) It is a challenge to divide the code boundaries of different authors in a sample; ii) code segments belonging to different authors in a sample are usually small or incomplete. This paper proposes a method to address these challenges. We first divide the code sample into multiple lines, then integrate the code lines with similar author styles into code segments using Siamese networks. Finally, we use a path-based code representation and machine learning to identify authors. Experimental results show the method achieves an accuracy of 87.35% on C/C++ dataset and 91.35% on Java dataset, which performs better than existing methods.","PeriodicalId":143812,"journal":{"name":"2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124248710","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2022-12-01DOI: 10.1109/QRS57517.2022.00057
Jia Yan, Xiangkun Jia, Lingyun Ying, Purui Su
Machine learning techniques are promising for malware classification, but there is a neglected problem of label bias in the annotation process which decreases the performance in practice. To understand the label bias problems and existing solutions, we conduct an empirical study based on two Portable Executable (PE) malware sample datasets (i.e., open-sourced BODMAS with 52,793 samples and a new collected MAIN dataset of 153,811 samples), and 67 anti-virus engines in VirusTotal. We first show the two ways of label bias problems, including chaotic naming rules and annotation inconsistency. Then we present the effects of two solutions (i.e., electing one reputable AV engine and aggregating multiple labels based on majority voting) and find they face the problems of feature preference and engine independence. Finally, we propose some recommendations for improvements and get a 7.79% increase in the F1 score (i.e., from 84.83% to 92.62%). The dataset will be open-source for further study.
{"title":"Understanding and Mitigating Label Bias in Malware Classification: An Empirical Study","authors":"Jia Yan, Xiangkun Jia, Lingyun Ying, Purui Su","doi":"10.1109/QRS57517.2022.00057","DOIUrl":"https://doi.org/10.1109/QRS57517.2022.00057","url":null,"abstract":"Machine learning techniques are promising for malware classification, but there is a neglected problem of label bias in the annotation process which decreases the performance in practice. To understand the label bias problems and existing solutions, we conduct an empirical study based on two Portable Executable (PE) malware sample datasets (i.e., open-sourced BODMAS with 52,793 samples and a new collected MAIN dataset of 153,811 samples), and 67 anti-virus engines in VirusTotal. We first show the two ways of label bias problems, including chaotic naming rules and annotation inconsistency. Then we present the effects of two solutions (i.e., electing one reputable AV engine and aggregating multiple labels based on majority voting) and find they face the problems of feature preference and engine independence. Finally, we propose some recommendations for improvements and get a 7.79% increase in the F1 score (i.e., from 84.83% to 92.62%). The dataset will be open-source for further study.","PeriodicalId":143812,"journal":{"name":"2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS)","volume":"7 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121211792","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2022-12-01DOI: 10.1109/QRS57517.2022.00019
Bohan Zhang, Yafan Huang, Guanpeng Li
This paper proposes Salus, a data-driven real-time safety monitor, that detects and mitigates safety violations of an autonomous vehicle (AV). The key insight is that traffic situations that lead to AV safety violations fall into patterns and can be identified by learning from the safety violations of the AV. Our approach is to use machine learning (ML) techniques to model the traffic behaviors that result in safety violations in the AV, characterize their early symptoms for training a preemptive model, hence deploy and detect real-time safety violations before the actual crashes happen to the AV. In order to train our ML model, we leverage a pipeline of fuzzing techniques to tailor AV-specific safety violation symptoms and generate the training data via data argumentation techniques. Our evaluation demonstrates our proposed technique is effective in reducing over 97.2% of safety violations in industry-level autonomous driving systems, such as Baidu Apollo, with no more than 0.018 false positive values.
{"title":"Salus: A Novel Data-Driven Monitor that Enables Real-Time Safety in Autonomous Driving Systems","authors":"Bohan Zhang, Yafan Huang, Guanpeng Li","doi":"10.1109/QRS57517.2022.00019","DOIUrl":"https://doi.org/10.1109/QRS57517.2022.00019","url":null,"abstract":"This paper proposes Salus, a data-driven real-time safety monitor, that detects and mitigates safety violations of an autonomous vehicle (AV). The key insight is that traffic situations that lead to AV safety violations fall into patterns and can be identified by learning from the safety violations of the AV. Our approach is to use machine learning (ML) techniques to model the traffic behaviors that result in safety violations in the AV, characterize their early symptoms for training a preemptive model, hence deploy and detect real-time safety violations before the actual crashes happen to the AV. In order to train our ML model, we leverage a pipeline of fuzzing techniques to tailor AV-specific safety violation symptoms and generate the training data via data argumentation techniques. Our evaluation demonstrates our proposed technique is effective in reducing over 97.2% of safety violations in industry-level autonomous driving systems, such as Baidu Apollo, with no more than 0.018 false positive values.","PeriodicalId":143812,"journal":{"name":"2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132468803","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2022-12-01DOI: 10.1109/QRS57517.2022.00065
Felicien Ihirwe, Davide Di Ruscio, Simone Gianfranceschi, A. Pierantonio
Over the last few years, industry and academia have proposed several Low-Code and Model-driven Engineering (MDE) platforms to ease the engineering process of the Internet of things (IoT) systems. However, deciding whether such engineering platforms meet the minimum required software quality standards is not straightforward. Software quality can be defined as the degree to which a software system achieves its intended goal. Various software quality standards have been established to aid in the software quality assessment process; however, due to the nature of engineering IoT platforms, such models may not entirely suit the IoT domain. This paper presents a model for assessing the software quality of Low-Code and MDE platforms for engineering IoT platforms. The proposed software quality model is based on and extends the ISO/IEC 25010:2011 software product quality model standard. It is intended to assist IoT practitioners in assessing and establishing quality requirements for engineering IoT platforms. To determine the effectiveness of the proposed model, we used it to evaluate the quality of 17 IoT engineering platforms, and the results obtained are promising.
{"title":"Assessing the Quality of Low-Code and Model-Driven Engineering Platforms for Engineering IoT Systems","authors":"Felicien Ihirwe, Davide Di Ruscio, Simone Gianfranceschi, A. Pierantonio","doi":"10.1109/QRS57517.2022.00065","DOIUrl":"https://doi.org/10.1109/QRS57517.2022.00065","url":null,"abstract":"Over the last few years, industry and academia have proposed several Low-Code and Model-driven Engineering (MDE) platforms to ease the engineering process of the Internet of things (IoT) systems. However, deciding whether such engineering platforms meet the minimum required software quality standards is not straightforward. Software quality can be defined as the degree to which a software system achieves its intended goal. Various software quality standards have been established to aid in the software quality assessment process; however, due to the nature of engineering IoT platforms, such models may not entirely suit the IoT domain. This paper presents a model for assessing the software quality of Low-Code and MDE platforms for engineering IoT platforms. The proposed software quality model is based on and extends the ISO/IEC 25010:2011 software product quality model standard. It is intended to assist IoT practitioners in assessing and establishing quality requirements for engineering IoT platforms. To determine the effectiveness of the proposed model, we used it to evaluate the quality of 17 IoT engineering platforms, and the results obtained are promising.","PeriodicalId":143812,"journal":{"name":"2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130177314","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2022-12-01DOI: 10.1109/QRS57517.2022.00024
Lin Wang, F. Li, Yunfei Xie, Leyi Shi
In order to protect information privacy and ensure user information security, in view of the obvious centralization of the existing identity authentication technologies such as Public Key Infrastructure(PKI) and Identity-Based Encrypted(IBE), this paper proposes an efficient authentication strategy that applies Cryptography Fundamental Logics(CFL) identity authentication technology to Mobile Crowd Sensing(MCS) system, which can complete the authentication between Task Publisher, Cluster Head and Task Participant without the participation of a third-party center. Firstly, this paper introduces to use CFL technology to solve the problem of identity authentication relying on the central server; Secondly, an algorithm combined with MCS system is proposed to solve the decentralization of authentication process; Finally, the Average System Response Time and System Throughput of the three technologies are obtained through simulation experiments, analyzed and compared. The result shows that: this strategy has obvious advantages, it can faster and more secure the identity authentication.
{"title":"Identity Authentication Strategy of Mobile Crowd Sensing based on CFL","authors":"Lin Wang, F. Li, Yunfei Xie, Leyi Shi","doi":"10.1109/QRS57517.2022.00024","DOIUrl":"https://doi.org/10.1109/QRS57517.2022.00024","url":null,"abstract":"In order to protect information privacy and ensure user information security, in view of the obvious centralization of the existing identity authentication technologies such as Public Key Infrastructure(PKI) and Identity-Based Encrypted(IBE), this paper proposes an efficient authentication strategy that applies Cryptography Fundamental Logics(CFL) identity authentication technology to Mobile Crowd Sensing(MCS) system, which can complete the authentication between Task Publisher, Cluster Head and Task Participant without the participation of a third-party center. Firstly, this paper introduces to use CFL technology to solve the problem of identity authentication relying on the central server; Secondly, an algorithm combined with MCS system is proposed to solve the decentralization of authentication process; Finally, the Average System Response Time and System Throughput of the three technologies are obtained through simulation experiments, analyzed and compared. The result shows that: this strategy has obvious advantages, it can faster and more secure the identity authentication.","PeriodicalId":143812,"journal":{"name":"2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS)","volume":"603 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134327702","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Concurrency vulnerabilities caused by synchronization problems will occur in the execution of multi-threaded programs, and the emergence of concurrency vulnerabilities often cause great threats to the system. Once the concurrency vulnerabilities are exploited, the system will suffer various attacks, seriously affecting its availability, confidentiality and security. In this paper, we extract 839 concurrency vulnerabilities from Common Vulnerabilities and Exposures (CVE), and conduct a comprehensive analysis of the trend, classifications, causes, severity, and impact. Finally, we obtained some findings: 1) From 1999 to 2021, the number of concurrency vulnerabilities disclosures show an overall upward trend. 2) In the distribution of concurrency vulnerability, race condition accounts for the largest proportion. 3) The overall severity of concurrency vulnerabilities is medium risk. 4) The number of concurrency vulnerabilities that can be exploited for local access and network access is almost equal, and nearly half of the concurrency vulnerabilities (377/839) can be accessed remotely. 5) The access complexity of 571 concurrency vulnerabilities is medium, and the number of concurrency vulnerabilities with high or low access complexity is almost equal. The results obtained through the empirical study can provide more support and guidance for research in the field of concurrency vulnerabilities.
在多线程程序的执行过程中会出现由同步问题引起的并发漏洞,并发漏洞的出现往往会对系统造成很大的威胁。一旦并发漏洞被利用,系统将遭受各种攻击,严重影响系统的可用性、保密性和安全性。本文从CVE (Common vulnerabilities and Exposures)中抽取了839个并发漏洞,对并发漏洞的趋势、分类、原因、严重性和影响进行了综合分析。结果表明:1)1999 - 2021年,并发漏洞披露数量总体呈上升趋势。2)并发漏洞分布中,竞态条件所占比例最大。3)并发漏洞的整体严重程度为中等风险。4)可用于本地访问和网络访问的并发漏洞数量几乎相等,近一半的并发漏洞(377/839)可用于远程访问。5) 571个并发漏洞的访问复杂度中等,高、低访问复杂度并发漏洞数量基本相等。通过实证研究得到的结果可以为并发漏洞领域的研究提供更多的支持和指导。
{"title":"A Comprehensive Analysis of NVD Concurrency Vulnerabilities","authors":"Lili Bo, Xing Meng, Xiaobing Sun, Jingli Xia, Xiaoxue Wu","doi":"10.1109/QRS57517.2022.00012","DOIUrl":"https://doi.org/10.1109/QRS57517.2022.00012","url":null,"abstract":"Concurrency vulnerabilities caused by synchronization problems will occur in the execution of multi-threaded programs, and the emergence of concurrency vulnerabilities often cause great threats to the system. Once the concurrency vulnerabilities are exploited, the system will suffer various attacks, seriously affecting its availability, confidentiality and security. In this paper, we extract 839 concurrency vulnerabilities from Common Vulnerabilities and Exposures (CVE), and conduct a comprehensive analysis of the trend, classifications, causes, severity, and impact. Finally, we obtained some findings: 1) From 1999 to 2021, the number of concurrency vulnerabilities disclosures show an overall upward trend. 2) In the distribution of concurrency vulnerability, race condition accounts for the largest proportion. 3) The overall severity of concurrency vulnerabilities is medium risk. 4) The number of concurrency vulnerabilities that can be exploited for local access and network access is almost equal, and nearly half of the concurrency vulnerabilities (377/839) can be accessed remotely. 5) The access complexity of 571 concurrency vulnerabilities is medium, and the number of concurrency vulnerabilities with high or low access complexity is almost equal. The results obtained through the empirical study can provide more support and guidance for research in the field of concurrency vulnerabilities.","PeriodicalId":143812,"journal":{"name":"2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131295179","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}