
Latest papers from the 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)

A blockchain-based pattern for confidential and pseudo-anonymous contract enforcement
Nicolas Six, Claudia Negri Ribalta, Nicolas Herbaut, C. Salinesi
Blockchain has been praised for its capacity to hold data in a decentralized and tamper-proof way. It also supports the execution of code through smart contracts, adding automated actions to the network with high trustworthiness. However, because smart contracts are visible to anybody on the network, business data and logic may be exposed, so companies can be reluctant to adopt the technology. This paper proposes a pattern for executing automatable legal contract clauses in which the execution state is stored in an on-chain smart contract while the logic needed to enforce the clauses wraps that contract off-chain. An engine completes the pattern by running a business process that corresponds to the legal contract. We then apply the pattern to a real-life use case: transportation of refrigerated goods. We argue that the pattern gives companies pseudonymity and data confidentiality while ensuring that an audit trail can be reconstituted from the on-chain smart contract to identify misbehavior or errors. The paper paves the way for a possible future implementation of the solution and its evaluation.
DOI: https://doi.org/10.1109/TrustCom50675.2020.00268 | Published: 2020-12-01 | Citations: 3
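Added example (not code from the paper): one way to realise the split the abstract describes, with an off-chain engine that runs the cold-chain clause and posts only salted hash commitments under a keyed pseudonym, and an auditor that reconstitutes the trail from the chain. The ledger class, the HMAC pseudonym, the commitment format and the sensor readings are all assumptions made for this illustration.

```python
import hashlib
import hmac
import json
import secrets


class OnChainContract:
    """Stand-in for the on-chain smart contract (assumed, not the paper's code).
    It stores only opaque commitments to execution states, keyed by a pseudonym,
    so anyone reading the chain learns neither party names nor business data."""

    def __init__(self):
        self.ledger = []

    def record_state(self, pseudonym, commitment):
        self.ledger.append({"party": pseudonym, "commitment": commitment})
        return len(self.ledger) - 1  # ledger position doubles as the audit-trail step id


def commit(state, salt):
    """Salted SHA-256 commitment over a canonical JSON encoding of the state.
    Without the salt the digest reveals nothing; with it, the party is bound
    to exactly this state."""
    canonical = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(salt + canonical).hexdigest()


class OffChainEngine:
    """Off-chain engine running the business process for one automatable clause
    of a refrigerated-transport contract: cargo temperature must not exceed a
    threshold. Only commitments leave the engine."""

    def __init__(self, chain, party_name, max_temp_c):
        self.chain = chain
        self.max_temp_c = max_temp_c
        # Pseudonym: keyed hash of the real name under a secret the party keeps,
        # giving a stable on-chain identifier that outsiders cannot link to the name.
        self.key = secrets.token_bytes(32)
        self.pseudonym = hmac.new(self.key, party_name.encode(), "sha256").hexdigest()[:16]
        self.private_trail = []  # (state, salt, ledger index), kept off-chain

    def process_reading(self, shipment_id, temp_c):
        state = {
            "shipment": shipment_id,
            "step": len(self.private_trail),
            "temp_c": temp_c,
            "clause_ok": temp_c <= self.max_temp_c,
        }
        salt = secrets.token_bytes(16)
        idx = self.chain.record_state(self.pseudonym, commit(state, salt))
        self.private_trail.append((state, salt, idx))
        return state


def reconstruct_audit_trail(chain, disclosed):
    """Auditor side: the party discloses (state, salt, index) triples; each is
    checked against the commitment on the chain and the steps that violated the
    clause are reported. A history the chain does not vouch for is rejected."""
    violations = []
    for state, salt, idx in disclosed:
        entry = chain.ledger[idx]
        if not hmac.compare_digest(entry["commitment"], commit(state, salt)):
            raise ValueError(f"step {idx}: disclosed state does not match on-chain commitment")
        if not state["clause_ok"]:
            violations.append(idx)
    return violations


def demo():
    """Run the pattern end to end on constructed sensor readings."""
    chain = OnChainContract()
    carrier = OffChainEngine(chain, "Constructed Carrier Ltd", max_temp_c=4.0)
    for reading in (2.0, 5.5, 3.0):  # constructed readings; 5.5 breaches the clause
        carrier.process_reading("SHIP-001", reading)
    # On-chain view contains the pseudonym and digests only, never the temperature.
    leaked = any("temp_c" in json.dumps(entry) for entry in chain.ledger)
    violations = reconstruct_audit_trail(chain, carrier.private_trail)
    # A party trying to rewrite history (claiming the breach was 3.5 C) is caught.
    state, salt, idx = carrier.private_trail[1]
    forged = [(dict(state, temp_c=3.5, clause_ok=True), salt, idx)]
    try:
        reconstruct_audit_trail(chain, forged)
        forgery_detected = False
    except ValueError:
        forgery_detected = True
    return {"leaked": leaked, "violations": violations, "forgery_detected": forgery_detected}
```

The commitment is binding but not hiding against brute force over a tiny state space, which is why the salt is mandatory; the auditor learns a step's content only when the party discloses that step's salt.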
Android Malware Classification Using Machine Learning and Bio-Inspired Optimisation Algorithms
Jack Pye, B. Issac, N. Aslam, Husnain Rafiq
In recent years the number and sophistication of Android malware samples have increased dramatically. This paper proposes a prototype framework that classifies Android malware with static analysis, using two feature sets: the permissions declared in AndroidManifest.xml and the Android classes referenced from the classes.dex file. The extracted features are used to train a variety of machine learning algorithms, including Random Forest, SGD, SVM and neural networks. Each algorithm is then tuned with optimisation algorithms, including bio-inspired ones such as Particle Swarm Optimisation, Artificial Bee Colony optimisation (ABC), Firefly optimisation and a Genetic Algorithm. The prototype framework was tested and evaluated on three datasets. It achieved 95.7 percent accuracy using SVM with ABC optimisation on the CICAndMal2019 dataset, 94.9 percent accuracy (with an F1-score of 96.7 percent) using a neural network on the KuafuDet dataset, and 99.6 percent accuracy using an SGD classifier on the Andro-Dump dataset. Accuracy could be further improved through better feature selection.
DOI: https://doi.org/10.1109/TrustCom50675.2020.00244 | Published: 2020-12-01 | Citations: 2
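Added example (not the paper's framework): extracting the two feature sets the abstract names, permissions from a decoded AndroidManifest.xml and class names from classes.dex, into binary features and training a Bernoulli naive Bayes classifier on them. The manifests, class lists and labels are constructed for the illustration; a real pipeline would obtain the class list from a dex parser, and the paper's classifiers (SVM, SGD, Random Forest, neural networks) and optimisers are not reproduced here.

```python
import math
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"


def manifest_permissions(manifest_xml):
    """Permissions declared with <uses-permission> in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NAME) for el in root.iter("uses-permission") if el.get(ANDROID_NAME)}


def apk_features(manifest_xml, dex_classes):
    """Binary feature set: one feature per declared permission and one per class
    name from classes.dex (the class list is given as strings here; a dex parser
    would supply it for a real APK)."""
    perms = {"perm:" + p for p in manifest_permissions(manifest_xml)}
    classes = {"cls:" + c for c in dex_classes}
    return perms | classes


class BernoulliNB:
    """Bernoulli naive Bayes over binary features with Laplace smoothing. Absent
    features count as evidence too, which matters for permission sets: not
    requesting SEND_SMS is itself informative."""

    def __init__(self):
        self.vocab, self.n_docs, self.n_feat = set(), {}, {}

    def fit(self, samples):
        for feats, label in samples:
            self.vocab |= feats
            self.n_docs[label] = self.n_docs.get(label, 0) + 1
            counts = self.n_feat.setdefault(label, {})
            for f in feats:
                counts[f] = counts.get(f, 0) + 1
        return self

    def log_scores(self, feats):
        total = sum(self.n_docs.values())
        scores = {}
        for label, n in self.n_docs.items():
            s = math.log(n / total)
            for f in self.vocab:
                theta = (self.n_feat[label].get(f, 0) + 1) / (n + 2)
                s += math.log(theta) if f in feats else math.log(1.0 - theta)
            scores[label] = s
        return scores

    def predict(self, feats):
        return max(self.log_scores(feats).items(), key=lambda kv: kv[1])[0]


def manifest(*permissions):
    """Build a minimal decoded manifest (constructed test input)."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in permissions)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example">{uses}<application/></manifest>')


P = "android.permission."
# Constructed training set: three SMS-abuse style samples and three benign apps.
TRAINING = [
    (apk_features(manifest(P + "SEND_SMS", P + "READ_SMS", P + "RECEIVE_BOOT_COMPLETED", P + "INTERNET"),
                  ["Lcom/evil/SmsReceiver;", "Lcom/evil/Payload;"]), "malware"),
    (apk_features(manifest(P + "SEND_SMS", P + "READ_CONTACTS", P + "INTERNET"),
                  ["Lcom/evil/SmsReceiver;"]), "malware"),
    (apk_features(manifest(P + "SEND_SMS", P + "READ_SMS", P + "READ_PHONE_STATE"),
                  ["Lcom/evil/Payload;"]), "malware"),
    (apk_features(manifest(P + "INTERNET", P + "ACCESS_NETWORK_STATE"),
                  ["Landroidx/appcompat/app/AppCompatActivity;"]), "benign"),
    (apk_features(manifest(P + "INTERNET", P + "CAMERA"),
                  ["Landroidx/appcompat/app/AppCompatActivity;", "Lcom/example/photo/MainActivity;"]), "benign"),
    (apk_features(manifest(P + "ACCESS_NETWORK_STATE", P + "ACCESS_FINE_LOCATION"),
                  ["Lcom/example/maps/MapActivity;"]), "benign"),
]
MODEL = BernoulliNB().fit(TRAINING)


def classify_apk(manifest_xml, dex_classes):
    """Label an unseen sample from its manifest and class list."""
    return MODEL.predict(apk_features(manifest_xml, dex_classes))
```

Features outside the training vocabulary are ignored at prediction time, so a sample made of entirely new class names is judged on its permissions alone; in practice the vocabulary would be pruned with the feature selection the abstract points to.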
Program Slice based Vulnerable Code Clone Detection
Xiaonan Song, Aimin Yu, Haibo Yu, Shirun Liu, Xin Bai, Lijun Cai, Dan Meng
Vulnerabilities in software not only cause security problems in the software itself but also spread to other projects through code clones. Detecting and locating such vulnerabilities in source code is important for fixing them. Although many methods have been proposed for detecting code clones, most either fail to detect clones that involve statement additions and deletions effectively or are not suited to vulnerability detection. In this paper, we propose a method that detects vulnerabilities caused by code clones. Program slices are used to filter out statements unrelated to the vulnerability and to extract the important vulnerable statements of a function. A hash function and bit vectors are applied to make the detection efficient. Results are rendered as HTML with the vulnerable statements highlighted to support subsequent patching. The method is evaluated on open-source software (OpenSSL, the Linux kernel, FFmpeg and QEMU). The experiments show that it detects 12.72% more vulnerable clones than VUDDY in acceptable time, demonstrating its effectiveness.
DOI: https://doi.org/10.1109/TrustCom50675.2020.00049 | Published: 2020-12-01 | Citations: 3
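Added example (not the paper's implementation): the ingredients the abstract lists, a backward slice from a sink, per-statement hashing and a bit vector, put together on a constructed unchecked memcpy and two candidates, one a renamed clone with unrelated statements inserted and one the patched function. The slicer here follows data dependences only over single-line C statements and ignores control dependences, a simplification; the threshold, the bit-vector size and the sample functions are assumptions.

```python
import hashlib
import re

KEYWORDS = {"if", "else", "for", "while", "return", "sizeof", "int", "char", "long",
            "unsigned", "size_t", "void", "struct", "NULL"}
IDENT = re.compile(r"\b([A-Za-z_]\w*)\b")
CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
# left-hand side of a simple assignment, e.g. "size_t n = ..." or "buf[i] = ..."
ASSIGN = re.compile(r"^\s*(?:[A-Za-z_]\w*[\s\*]+)*([A-Za-z_]\w*)\s*(?:\[[^\]]*\])?\s*=(?!=)")
# declaration without initialiser, e.g. "char buf[64];"
DECL = re.compile(r"^\s*(?:[A-Za-z_]\w*[\s\*]+)+([A-Za-z_]\w*)\s*(?:\[[^\]]*\])?\s*;")
# identifiers that are not keywords and not callee names get abstracted to V
ABSTRACT = re.compile(r"\b([A-Za-z_]\w*)\b(?!\s*\()")
BITS = 4096


def statements(src):
    """Body statements of one C function; the header line and bare braces are
    dropped (so control structure is not modelled, a simplification)."""
    return [ln.strip() for ln in src.splitlines()
            if ln.strip() and not ln.strip().endswith("{") and ln.strip() != "}"]


def defs_uses(stmt):
    m = ASSIGN.match(stmt) or DECL.match(stmt)
    defs = {m.group(1)} if m else set()
    calls = set(CALL.findall(stmt))
    uses = set(IDENT.findall(stmt)) - KEYWORDS - calls - defs
    return defs, uses


def backward_slice(stmts, sink_index):
    """Data-dependence backward slice from the sink statement."""
    wanted = defs_uses(stmts[sink_index])[1]
    kept = [sink_index]
    for i in range(sink_index - 1, -1, -1):
        defs, uses = defs_uses(stmts[i])
        if defs & wanted:
            kept.append(i)
            wanted = (wanted - defs) | uses
    return [stmts[i] for i in sorted(kept)]


def normalize(stmt):
    """Collapse whitespace and abstract variable names so a renamed clone hashes identically."""
    stmt = " ".join(stmt.split())
    return ABSTRACT.sub(lambda m: m.group(1) if m.group(1) in KEYWORDS else "V", stmt)


def stmt_hash(stmt):
    return int.from_bytes(hashlib.blake2b(normalize(stmt).encode(), digest_size=8).digest(), "big")


def signature(src, sink):
    """(set of 64-bit slice hashes, bit vector) for the slice ending at the first
    statement containing `sink`."""
    stmts = statements(src)
    idx = next(i for i, s in enumerate(stmts) if sink in s)
    hashes = {stmt_hash(s) for s in backward_slice(stmts, idx)}
    bits = 0
    for h in hashes:
        bits |= 1 << (h % BITS)
    return hashes, bits


def bitvector_overlap(vuln_bits, cand_bits):
    """Cheap pre-filter: share of the vulnerable signature's bits set in the candidate."""
    return bin(vuln_bits & cand_bits).count("1") / bin(vuln_bits).count("1")


def containment(vuln_hashes, cand_hashes):
    """Share of vulnerable slice statements present in the candidate slice;
    unrelated added or deleted statements do not lower it."""
    return len(vuln_hashes & cand_hashes) / len(vuln_hashes)


def is_vulnerable_clone(vuln_sig, candidate_src, sink, threshold=0.8):
    vuln_hashes, vuln_bits = vuln_sig
    cand_hashes, cand_bits = signature(candidate_src, sink)
    if bitvector_overlap(vuln_bits, cand_bits) < threshold:
        return False
    return containment(vuln_hashes, cand_hashes) >= threshold


# Constructed samples: an unchecked memcpy, a renamed clone with extra
# statements, and the patched function.
VULN = """
int parse(char *in, size_t in_len) {
    char buf[64];
    size_t n = in_len;
    log_request(in);
    memcpy(buf, in, n);
    return process(buf);
}
"""
CLONE = """
int handle(char *pkt, size_t pkt_len) {
    char tmp[64];
    int i = 0;
    size_t cnt = pkt_len;
    counter++;
    memcpy(tmp, pkt, cnt);
    return process(tmp);
}
"""
FIXED = """
int parse(char *in, size_t in_len) {
    char buf[64];
    size_t n = in_len < sizeof(buf) ? in_len : sizeof(buf);
    memcpy(buf, in, n);
    return process(buf);
}
"""
```

The slice of the vulnerable function is three statements (the buffer declaration, the length assignment and the memcpy); the clone reproduces all three under different names and with two unrelated statements interleaved, while the patched function changes the length assignment and so drops below the threshold.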
Towards A New Approach to Identify WhatsApp Messages
R. Cents, Nhien-An Le-Khac
Today traditional communication methods such as SMS and phone calls are used less often and are being replaced by chat applications, of which WhatsApp is one of the most popular. WhatsApp offers different ways of communicating, including text messages and phone calls. Its use of encryption makes it harder for law enforcement agencies to identify when a suspect is sending or receiving messages through the application. Most research in the literature has focused on analysing WhatsApp data obtained from a physical device, such as a seized mobile phone. However, it is not always possible to extract the data needed for such analysis from a mobile device, because of encryption or because no device has been seized yet. In addition, current techniques for real-time analysis of WhatsApp messages carry a high risk of detection by the suspect. Alternative methods are needed to understand the communication patterns of suspects and criminal organizations. In this paper we focus on identifying when a suspect is receiving or sending WhatsApp messages using only wiretap data, so no seized device is needed. Pattern analysis is used to identify patterns in the data sent to and received from the WhatsApp servers. The identified patterns were tested against a large dataset created with different mobile devices to determine whether they are consistent. Using the technique described in this paper, investigators can obtain more information on whether, and with whom, a suspect is communicating.
DOI: https://doi.org/10.1109/TrustCom50675.2020.00259 | Published: 2020-12-01 | Citations: 5
Assessing the Similarity of Smart Contracts by Clustering their Interfaces
Monika Di Angelo, G. Salzer
Like most programs, smart contracts offer their functionality via entry points that constitute their interface. Interface standards, e.g. for token contracts, foster interoperability. Ethereum is the most prominent platform for smart contracts. The number of contract deployments approaches 30 million, corresponding to roughly 300 000 distinct contract codes. In view of these numbers, automated methods for classifying contracts by purpose are necessary if one aims at a qualitative and quantitative understanding of what blockchain applications are used for at large. We approach the task by considering contracts similar if their interfaces are. We encode interfaces and their interrelationships as graphs and explore several algorithms regarding their ability to find clusters of functionally similar contracts. Our evaluation of clustering quality relies on a ground truth of token and wallet contracts identified in earlier work. The analysis is based on the bytecodes deployed on the Ethereum main chain up to block 10.5 million, mined on July 21, 2020.
DOI: https://doi.org/10.1109/TrustCom50675.2020.00261 | Published: 2020-12-01 | Citations: 2
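Added example (not the authors' tooling): interfaces as sets of function signatures, a similarity graph with an edge wherever Jaccard similarity reaches a threshold, connected components as clusters, and purity against a token/wallet ground truth. The six contracts, their addresses and the ground-truth labels are constructed; the ERC-20 core functions are the real ones. Real interfaces are recovered from bytecode as 4-byte selectors, for which the signatures stand in here, and the paper's graph algorithms are not reproduced.

```python
from itertools import combinations

# Interface = set of function signatures the contract exposes. ERC-20 core
# functions are real; the six contracts below are constructed.
ERC20 = {"totalSupply()", "balanceOf(address)", "transfer(address,uint256)",
         "transferFrom(address,address,uint256)", "approve(address,uint256)",
         "allowance(address,address)"}

CONTRACTS = {
    "0xA1": ERC20 | {"name()", "symbol()", "decimals()"},
    "0xA2": ERC20 | {"name()", "symbol()", "decimals()", "burn(uint256)"},
    "0xA3": set(ERC20),
    "0xW1": {"owner()", "execute(address,uint256,bytes)", "changeOwner(address)", "sweep(address)"},
    "0xW2": {"owner()", "execute(address,uint256,bytes)", "changeOwner(address)"},
    "0xM1": {"placeBet(uint256)", "resolve(bytes32)", "withdraw()"},
}
# Constructed ground truth; 0xM1 is deliberately unlabelled.
GROUND_TRUTH = {"0xA1": "token", "0xA2": "token", "0xA3": "token", "0xW1": "wallet", "0xW2": "wallet"}


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def cluster_interfaces(contracts, threshold):
    """Single-link clustering: contracts are nodes, an edge joins two whose
    interface similarity reaches the threshold, clusters are the connected
    components (union-find)."""
    parent = {c: c for c in contracts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(contracts, 2):
        if jaccard(contracts[a], contracts[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for c in contracts:
        groups.setdefault(find(c), set()).add(c)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: sorted(g))


def purity(clusters, ground_truth):
    """Share of labelled contracts that sit in a cluster dominated by their own label."""
    correct = labelled = 0
    for g in clusters:
        labels = [ground_truth[c] for c in g if c in ground_truth]
        if labels:
            labelled += len(labels)
            correct += max(labels.count(l) for l in set(labels))
    return correct / labelled if labelled else 0.0
```

Single linkage is sensitive to the threshold: at 0.6 the three token contracts form one cluster, at 0.7 the bare ERC-20 contract splits off because it shares only six of nine signatures with the decorated ones. Evaluating several thresholds against the ground truth is the step that makes the choice defensible.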
Detecting Online Game Malicious Chargeback by using k-NN
Yu-Chih Wei, You-Xin Lai, Hai-Po Su, Yu-Wen Yen
The global gaming market has been estimated to be worth nearly US$150 billion. Its consumer chargeback services often end up being used by some online gamers as a tool for fraud, with a large adverse impact on the industry. A gaming company in Taiwan fell victim to malicious chargeback fraud: nearly NT$10 million of fraudulent chargebacks were made from January to April 2019 alone, making a large dent in the company's revenue. To counter chargeback fraud, some gaming companies resort to manually checking for and blocking malicious user accounts, incurring large labor costs. Manual checking may alleviate the problem to some extent; however, when new games come online, gaming companies see a surge of malicious chargebacks and exponential increases in losses. To reduce the labor cost of manual account checking, the human errors it invites, and the losses caused by malicious chargebacks, this study proposes a k-NN model that detects malicious chargebacks by analysing online gamers' transaction records and gameplay data. The number and amount of prepayments, the number of chargebacks, and the number of transactions made by the studied company's gamers were used as the features of the k-NN model. These features yielded an F1-measure of at least 0.81. In addition, three SMOTE (Synthetic Minority Over-sampling Technique) sampling methods were used to handle the imbalanced data provided by the company, improving the F1-measure of the proposed k-NN model to 0.89 in our experiments. It is hoped that the k-NN model can help reduce the losses online gaming companies suffer from malicious chargeback fraud, deter malicious gamers from illegal gains, and prevent the online gaming ecosystem from being sabotaged by malicious chargebacks.
DOI: https://doi.org/10.1109/TrustCom50675.2020.00269 | Published: 2020-12-01 | Citations: 0
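Added example (not the study's model or data): k-NN over the four features the abstract names, with plain SMOTE balancing the minority class before training and the F1-measure used as the metric. The thirteen account records, the min-max scaling, k=3 and the SMOTE neighbourhood size are assumptions; the three SMOTE variants the study compares are not reproduced, only the base technique.

```python
import math
import random

# Constructed account records: (prepayment count, prepayment amount in NT$,
# chargeback count, number of game transactions); label 1 = malicious chargeback.
ACCOUNTS = [
    ((5, 1500, 0, 40), 0), ((12, 3600, 0, 95), 0), ((3, 900, 0, 22), 0),
    ((8, 2400, 1, 60), 0), ((20, 6000, 0, 150), 0), ((2, 600, 0, 15), 0),
    ((15, 4500, 1, 120), 0), ((7, 2100, 0, 50), 0), ((10, 3000, 0, 80), 0),
    ((4, 1200, 0, 30), 0),
    ((30, 9000, 25, 12), 1), ((22, 6600, 20, 8), 1), ((40, 12000, 36, 15), 1),
]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest(x, rows, k, skip=None):
    """Indices of the k rows closest to x, excluding index `skip`."""
    order = sorted((euclid(x, r), i) for i, r in enumerate(rows) if i != skip)
    return [i for _, i in order[:k]]


def smote(minority, n_new, k, rng):
    """SMOTE: each synthetic sample lies on the segment between a minority
    sample and one of its k nearest minority neighbours, so the synthetic
    points stay inside the minority region rather than duplicating it."""
    synthetic = []
    for j in range(n_new):
        i = j % len(minority)
        x = minority[i]
        neighbour = minority[rng.choice(nearest(x, minority, k, skip=i))]
        gap = rng.random()
        synthetic.append(tuple(xi + gap * (ni - xi) for xi, ni in zip(x, neighbour)))
    return synthetic


def f1_score(y_true, y_pred):
    tp = sum(t == 1 and p == 1 for t, p in zip(y_true, y_pred))
    fp = sum(t == 0 and p == 1 for t, p in zip(y_true, y_pred))
    fn = sum(t == 1 and p == 0 for t, p in zip(y_true, y_pred))
    if tp == 0:
        return 0.0
    precision, recall = tp / (tp + fp), tp / (tp + fn)
    return 2 * precision * recall / (precision + recall)


class ChargebackDetector:
    """Min-max scaling fitted on the raw records, SMOTE up to class balance,
    then majority vote among the k nearest training rows."""

    def __init__(self, records, k_nn=3, k_smote=2, seed=0):
        raw = [r for r, _ in records]
        self.lo = [min(col) for col in zip(*raw)]
        self.hi = [max(col) for col in zip(*raw)]
        X = [self.scale(r) for r in raw]
        y = [label for _, label in records]
        minority = [x for x, label in zip(X, y) if label == 1]
        majority = len(X) - len(minority)
        synthetic = smote(minority, majority - len(minority), k_smote, random.Random(seed))
        self.X = X + synthetic
        self.y = y + [1] * len(synthetic)
        self.k_nn = k_nn

    def scale(self, row):
        return tuple((v - lo) / (hi - lo) if hi > lo else 0.0
                     for v, lo, hi in zip(row, self.lo, self.hi))

    def predict(self, row):
        votes = [self.y[i] for i in nearest(self.scale(row), self.X, self.k_nn)]
        return int(sum(votes) * 2 > len(votes))
```

Scaling matters for k-NN because the prepayment amount in NT$ would otherwise dominate the distance and the chargeback count, the strongest signal, would barely register.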
SCScan: A SVM-based Scanning System for Vulnerabilities in Blockchain Smart Contracts
Xiaohan Hao, Wei Ren, Wenwen Zheng, Tianqing Zhu
The application of blockchain has moved beyond cryptocurrencies to uses such as credentialing and smart contracts. Smart contracts allow parties to achieve fair exchange of value without relying on a centralized entity. However, because a smart contract executes automatically and moves tokens, an attacker can seek to exploit vulnerabilities in smart contracts for illicit profit. This paper therefore proposes a support vector machine (SVM)-based scanning system for vulnerabilities in smart contracts. Our evaluation on Ethereum demonstrates an identification rate of over 90% for several popular attacks.
DOI: https://doi.org/10.1109/TrustCom50675.2020.00221 | Published: 2020-12-01 | Citations: 4
A Practical Privacy-Preserving Algorithm for Document Data
Tomoaki Mimoto, S. Kiyomoto, K. Kitamura, A. Miyaji
A huge number of documents such as news articles, public reports and personal essays have been released on websites and social media. Once documents containing privacy-sensitive information are published, the risk of privacy breaches increases; documents should therefore be checked carefully before publication. In many cases, human experts redact or sanitize documents before publishing; however, this approach is sometimes inefficient with regard to cost and accuracy, and critical privacy risks may remain in the documents. In this paper, we present a generalized adversary model and apply it to document data. We devise an attack algorithm for documents that uses a web search engine and propose a privacy-preserving algorithm that counters such attacks. We evaluate the privacy risks of real accident reports from schools and of court documents. In experiments on the real reports, we show that human-sanitized documents still carry privacy risks, and that our proposal would contribute to reducing them.
DOI: https://doi.org/10.1109/TrustCom50675.2020.00185 | Published: 2020-12-01 | Citations: 1
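Added example (not the paper's algorithms): the shape of the attack and defence the abstract describes, with a small constructed corpus standing in for the web search engine. The attacker takes terms from the published document and looks for the smallest combination that narrows the search results to fewer than k pages; the sanitizer repeatedly redacts the most identifying term of that combination until every combination matches at least k pages. The corpus, the sample report, k=2, the maximum query length and the greedy choice of victim term are assumptions.

```python
import re
from itertools import combinations

STOPWORDS = {"a", "an", "the", "at", "in", "of", "for", "was", "on", "to"}


def terms(text):
    return {w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOPWORDS}


# Constructed stand-in for the web: the pages a search engine could return.
CORPUS = [
    "Riverside student hurt in chemistry lab accident in March",
    "Riverside student wins March science fair",
    "Riverside chemistry lab opens new wing",
    "Student hurt in lab fire at Lakeside",
    "March chemistry exam schedule for student",
    "Riverside March festival",
    "Chemistry student hurt at Lakeside in March",
    "Lab safety guidance for student",
]
CORPUS_TERMS = [terms(d) for d in CORPUS]

# Constructed accident report that is about to be published.
REPORT = "A student at Riverside was hurt in the chemistry lab in March."


def hits(query):
    """Documents matching a conjunctive query, i.e. the attacker's search."""
    q = set(query)
    return [i for i, t in enumerate(CORPUS_TERMS) if q <= t]


def weakest_combination(doc_terms, max_len=3):
    """Attack: the smallest term combination from the document that narrows the
    web down the most. Returns (hit count, combination)."""
    best = None
    for n in range(1, max_len + 1):
        for combo in combinations(sorted(doc_terms), n):
            h = len(hits(combo))
            if best is None or h < best[0]:
                best = (h, combo)
    return best


def sanitize(text, k=2, max_len=3):
    """Defence: while some combination matches fewer than k pages, redact the
    term of that combination with the fewest single-term hits (ties broken
    alphabetically). Returns the redacted text and the removed terms in order."""
    remaining = terms(text)
    removed = []
    while remaining:
        count, combo = weakest_combination(remaining, max_len)
        if count >= k:
            break
        victim = min(combo, key=lambda w: (len(hits((w,))), w))
        remaining.discard(victim)
        removed.append(victim)
    if not removed:
        return text, removed
    pattern = r"\b(" + "|".join(map(re.escape, removed)) + r")\b"
    return re.sub(pattern, "[REDACTED]", text, flags=re.IGNORECASE), removed
```

On this corpus every single term of the report matches at least two pages, which is what a human redactor would check; the attack succeeds on pairs and triples (for instance "riverside" with "hurt" matches one page), and that is what the combinatorial check catches.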
ALBFL: A Novel Neural Ranking Model for Software Fault Localization via Combining Static and Dynamic Features
Yuqing Pan, Xi Xiao, Guangwu Hu, Bin Zhang, Qing Li, Haitao Zheng
Automatic fault localization plays a significant role in helping developers fix software bugs efficiently. Although existing approaches, static methods and dynamic ones, have greatly alleviated the problem by analyzing static features of the source code and diagnosing dynamic behaviors of the running software respectively, fault localization accuracy still does not meet user requirements. To improve fault localization at statement granularity, this paper proposes ALBFL, a novel neural ranking model that combines an attention mechanism with the LambdaRank model, integrating static and dynamic features to identify software faults with very high accuracy. ALBFL first introduces a transformer encoder to learn semantic features from the source code. It also leverages further static statistical features and dynamic features, namely eleven Spectrum-Based Fault Localization (SBFL) features and three mutation features, to evaluate the software together. Specifically, the two types of features are integrated through a self-attention layer and fed into the LambdaRank model to rank a list of possibly faulty statements. Finally, thorough experiments are conducted on 5 open-source projects with 357 faulty programs from Defects4J. The results show that ALBFL outperforms 11 traditional SBFL methods (by a factor of three) and 2 state-of-the-art approaches (by 13%) at ranking the faulty statement in first position.
自动故障定位在帮助开发人员有效地修复软件错误方面起着重要的作用。虽然现有的静态方法和动态方法分别通过分析源代码中的静态特征和诊断软件运行状态中的动态行为,大大缓解了这一问题,但故障定位的精度仍然不能满足用户的要求。为了提高基于语句粒度的故障定位能力,本文提出了一种新的神经排序模型ALBFL,该模型结合了注意机制和LambdaRank模型,可以将静态和动态特征结合起来,对软件故障进行识别,具有很高的准确率。ALBFL首先引入了一个转换器编码器,从软件源代码中学习语义特征。此外,它还利用其他静态统计特征和动态特征,即11个基于谱的故障定位(SBFL)特征和3个突变特征,共同对软件进行评估。特别地,这两种类型的特征通过一个自关注层集成,并输入到LambdaRank模型中,从而对可能的故障陈述列表进行排序。最后,在缺陷4j中对包含357个错误程序的5个开源项目进行了彻底的实验。结果表明,ALBFL在将错误语句排在第一位置上优于11种传统的SBFL方法(高出3倍)和2种最先进的方法(高出13%)。
DOI: https://doi.org/10.1109/TrustCom50675.2020.00107
Citations: 8
Asset-Oriented Threat Modeling
Nan Messe, Vanea Chiprianov, Nicolas Belloir, Jamal El Hachem, Régis Fleurquin, Salah Sadou
Threat modeling is recognized as one of the most important activities in software security. It helps to address security issues in software development. Several threat modeling processes are widely used in industry, such as the one of the Microsoft SDL. In threat modeling, it is essential to first identify assets before enumerating threats, in order to diagnose the threat targets and spot the protection mechanisms. Asset identification and threat enumeration are collaborative activities involving many actors such as security experts and software architects. These activities are traditionally carried out in brainstorming sessions. Due to the lack of guidance, the lack of a sufficiently formalized process, the high dependence on actors' knowledge, and the variety of actors' backgrounds, these actors often have difficulties collaborating with each other. Brainstorming sessions are thus often conducted sub-optimally and require significant effort. To address this problem, we aim at structuring the asset identification phase by proposing a systematic asset identification process, which is based on a reference model. This process structures and identifies relevant assets, facilitating the threat enumeration during brainstorming. We illustrate the proposed process with a case study and show the usefulness of our process in supporting threat enumeration and improving existing threat modeling processes such as the Microsoft SDL one.
DOI: https://doi.org/10.1109/TrustCom50675.2020.00073
Citations: 6
2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)