Affiliation:
1. Kennesaw State University, USA
Abstract
This paper addresses the problem of assessing risk in web application due to implementation level vulnerabilities. In particular, the authors address the common research challenge of finding enough historical data to compute the probability of vulnerabilities and exploitations. They develop a Fuzzy Logic based System (FLS)1 to compute the risk uniformly and to address the diversity of risks. The authors propose a set of crisp metrics that are used to define fuzzy sets. They also develop a set of rule-bases to assess the risk level. The proposed FLS can be a useful tool to aid application developers and industry practitioners to assess the risk and plan ahead for employing necessary mitigation approaches. The authors evaluate their proposed approach using three real-world web applications implemented in PHP, and apply it to four types of common vulnerabilities. The initial results indicate that the proposed FLS approach can effectively discover high risk applications.
Reference42 articles.
1. Aburrous, M., Hossain, M., Dahal, K. and Thabtah, F. (2010). Intelligent Phishing Detection System for E-banking using Fuzzy Data Mining. Journal of Expert Systems with Applications, 37(12), 7913-7921.
2. Automated Security Analysis of Dynamic Web Applications through Symbolic Code Execution
3. Broken Authentication and Session Management. (2015). Retrieved from https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management
4. Using parse tree validation to prevent SQL injection attacks
5. Chen, S., & Chen, S. (2003). Fuzzy Risk Analysis Based on Similarity Measures of Generalized Fuzzy Numbers. IEEE Transactions of Fuzzy Systems, 11(1), 45-56.