Deep learning applied on Web security : statically identifying Web vulnerabilities using deep learning ; Apprentissage en profondeur appliqué à la sécurité du Web : identifier statiquement des vulnérabilités Web en utilisant des algorithmes d’apprentissage profond
| Title: | Deep learning applied on Web security : statically identifying Web vulnerabilities using deep learning ; Apprentissage en profondeur appliqué à la sécurité du Web : identifier statiquement des vulnérabilités Web en utilisant des algorithmes d’apprentissage profond |
|---|---|
| Authors: | Maurel, Héloïse |
| Contributors: | Secure Diffuse Programming (INDES), Centre Inria d'Université Côte d'Azur, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria), Université Côte d'Azur (UniCA), Université Côte d'Azur, Tamara Rezk |
| Source: | https://theses.hal.science/tel-04025922 ; Artificial Intelligence [cs.AI]. Université Côte d'Azur, 2022. English. ⟨NNT : 2022COAZ4059⟩. |
| Publisher information: | CCSD |
| Publication year: | 2022 |
| Collection: | HAL Université Côte d'Azur |
| Subject terms: | Web application, Web language programming, Data base, Programming language processing, Cross-Site Scripting (XSS), Code injection, Vulnerabilities detection, Deep learning, Natural language processing, Web security, Application Web, Langage de programmation Web, Base de données, Traitement automatique des langages de programmation, Traitement automatique du langage naturel, Injection de code, Faille de sécurité Web, Apprentissage en profondeur, Sécurité du Web, [INFO.INFO-AI]Computer Science [cs]/Artificial Intelligence [cs.AI], [INFO.INFO-CL]Computer Science [cs]/Computation and Language [cs.CL], [INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR], [INFO.INFO-DB]Computer Science [cs]/Databases [cs.DB], [INFO.INFO-LG]Computer Science [cs]/Machine Learning [cs.LG], [INFO.INFO-WB]Computer Science [cs]/Web |
| Description: | Cross-site Scripting (XSS) is ranked number two in the top 25 of the Common Weaknesses Enumeration (2021) and places this vulnerability as one of the most dangerous among programming errors. XSS occurs when a web application improperly neutralizes user-controllable input before it is placed in the output, used on a web page that is served to other users. With this type of vulnerability, an attacker can perform malicious activities such as transferring private information from the victim's browser, sending malicious requests to a website on behalf of the victim, emulating trusted websites and inciting victims to enter private information, compromising the victim's website account, etc. In the first part of this manuscript, we investigate detection of XSS vulnerabilities using deep learning algorithms. In particular, we compare two code representations based on natural language processing (NLP) and programming language processing (PLP) in two server-side languages, PHP and Node.js. We rebuild the PHP NIST generator, fix inconsistencies related to OWASP rules to prevent XSS vulnerabilities, and extend the database. We build a new server-side code generator for Node.js. We also compare the PHP results obtained on two types of database distributions. The NLP representation has a better recall when HTML, JavaScript and CSS are included as code. We compare the results obtained by our deep learning models capable of detecting XSS vulnerabilities with three well-known static XSS vulnerability scanners for PHP code, ProgPilot, Pixy and RIPS, and a well-known scanner for Node.js, AppScan. The results of our analysers overcome the results of existing tools in all cases. We also compare XSS vulnerability detection in Node.js and a multi-tier JavaScript-based language called Hop.js using the PLP deep learning technique. In this sense, we build a new generator for Hop.js, and we create a database for this language. With deep learning models trained to detect XSS on Hop.js, we obtain better recalls than Node.js models despite the lower ... |
| Document type: | doctoral or postdoctoral thesis |
| Language: | English |
| Relation: | NNT: 2022COAZ4059 |
| Availability: | https://theses.hal.science/tel-04025922 https://theses.hal.science/tel-04025922v3/document https://theses.hal.science/tel-04025922v3/file/2022COAZ4059.pdf |
| Rights: | info:eu-repo/semantics/OpenAccess |
| Accession number: | edsbas.BEE1E709 |
| Database: | BASE |