Enhancing Java Web Application Security: Injection Vulnerability Detection via Interprocedural Analysis and Deep Learning

IF 5.7 2区计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

IEEE Transactions on Reliability Pub Date : 2025-01-07 DOI:10.1109/TR.2024.3521381

Bing Zhang;Xu Zhi;Meng Wang;Rong Ren;Jun Dong

{"title":"Enhancing Java Web Application Security: Injection Vulnerability Detection via Interprocedural Analysis and Deep Learning","authors":"Bing Zhang;Xu Zhi;Meng Wang;Rong Ren;Jun Dong","doi":"10.1109/TR.2024.3521381","DOIUrl":null,"url":null,"abstract":"Injection attacks exploit vulnerabilities in how applications handle user input, allowing malicious code to infiltrate the execution environment of web applications, leading to severe consequences, such as data leaks and system crashes. Traditional dynamic and static detection methods suffer from limitations in manual rule or pattern design and intraprocedural analysis, lacking the capability to automatically learn complex features. Meanwhile, deep learning models encounter challenges, such as feature redundancy and inefficiency, in processing long code sequences. Here, we propose a prototype for detecting <underline>I</u>njection <underline>V</u>ulnerabilities in Java web applications based on <underline>I</u>nterprocedural analysis and the bidirectional encoder representations from transformers <underline>B</u>ERT-BiLSTM-CRF model (IVIB), effectively transforming vulnerability detection into text sequence annotation. IVIB employs interprocedural analysis to trace complete program data flow, control flow, method and class dependencies, reducing redundancy through a system dependency graph. Then, we develop intermediate language representation rules and conversion mechanisms specifically for Java programs, symbolically representing code snippets and annotating them to construct a corpus. IVIB achieves remarkable results, with over 96% accuracy, precision, recall, and F1-score in binary classification, surpassing other state-of-the-art models in multiclassification performance. Evaluation on real-world projects demonstrates IVIB's effectiveness, detecting 28 vulnerabilities out of 30 vulnerable slices with low false positives and no false negatives.","PeriodicalId":56305,"journal":{"name":"IEEE Transactions on Reliability","volume":"74 3","pages":"3642-3656"},"PeriodicalIF":5.7000,"publicationDate":"2025-01-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Reliability","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10830291/","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 0

Abstract

Injection attacks exploit vulnerabilities in how applications handle user input, allowing malicious code to infiltrate the execution environment of web applications, leading to severe consequences, such as data leaks and system crashes. Traditional dynamic and static detection methods suffer from limitations in manual rule or pattern design and intraprocedural analysis, lacking the capability to automatically learn complex features. Meanwhile, deep learning models encounter challenges, such as feature redundancy and inefficiency, in processing long code sequences. Here, we propose a prototype for detecting Injection Vulnerabilities in Java web applications based on Interprocedural analysis and the bidirectional encoder representations from transformers BERT-BiLSTM-CRF model (IVIB), effectively transforming vulnerability detection into text sequence annotation. IVIB employs interprocedural analysis to trace complete program data flow, control flow, method and class dependencies, reducing redundancy through a system dependency graph. Then, we develop intermediate language representation rules and conversion mechanisms specifically for Java programs, symbolically representing code snippets and annotating them to construct a corpus. IVIB achieves remarkable results, with over 96% accuracy, precision, recall, and F1-score in binary classification, surpassing other state-of-the-art models in multiclassification performance. Evaluation on real-world projects demonstrates IVIB's effectiveness, detecting 28 vulnerabilities out of 30 vulnerable slices with low false positives and no false negatives.

查看原文本刊更多论文

增强Java Web应用程序安全性：通过过程间分析和深度学习检测注入漏洞

注入攻击利用应用程序处理用户输入的漏洞，允许恶意代码渗透到web应用程序的执行环境中，导致数据泄露和系统崩溃等严重后果。传统的动态和静态检测方法受到人工规则或模式设计和过程内分析的限制，缺乏自动学习复杂特征的能力。与此同时，深度学习模型在处理长代码序列时遇到了特征冗余和效率低下等挑战。本文提出了一种基于过程间分析和转换BERT-BiLSTM-CRF模型（IVIB）双向编码器表示的Java web应用注入漏洞检测原型，将漏洞检测有效地转化为文本序列注释。IVIB采用过程间分析来跟踪完整的程序数据流、控制流、方法和类依赖关系，通过系统依赖关系图减少冗余。然后，我们开发了专门针对Java程序的中间语言表示规则和转换机制，象征性地表示代码片段并对其进行注释以构建语料库。IVIB取得了显著的成绩，在二元分类中准确率、精密度、召回率和f1得分均超过96%，在多分类性能上超越了其他最先进的模型。对实际项目的评估证明了IVIB的有效性，在30个漏洞切片中检测出28个漏洞，假阳性率很低，没有假阴性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IEEE Transactions on Reliability 工程技术-工程：电子与电气

CiteScore

12.20

自引率

8.50%

发文量

153

审稿时长

7.5 months

期刊介绍： IEEE Transactions on Reliability is a refereed journal for the reliability and allied disciplines including, but not limited to, maintainability, physics of failure, life testing, prognostics, design and manufacture for reliability, reliability for systems of systems, network availability, mission success, warranty, safety, and various measures of effectiveness. Topics eligible for publication range from hardware to software, from materials to systems, from consumer and industrial devices to manufacturing plants, from individual items to networks, from techniques for making things better to ways of predicting and measuring behavior in the field. As an engineering subject that supports new and existing technologies, we constantly expand into new areas of the assurance sciences.