Article
DOI: 10.1007/978-3-319-91662-0_3

Refining Traceability Links Between Vulnerability and Software Component in a Vulnerability Knowledge Graph

Published: 05 June 2018

Abstract

Software vulnerabilities and the information about the software components they affect are usually stored in different locations with different representations. Building accurate traceability links between them to form a unified knowledge graph can be very helpful for vulnerability propagation analysis, component dependency management, and relationship inference. In this paper, we first propose a software vulnerability knowledge graph model that integrates CVE (Common Vulnerabilities and Exposures) information, Java component metadata from the Maven repository, and project collaboration data from GitHub. To construct the knowledge graph, we then propose two ontology matching approaches. The first links a Maven project to a GitHub project by text-matching their URLs. The second uses a random forests algorithm to link a CVE project version to a Maven project version based on 16 well-defined features. Experimental results show that matching between CVE project versions and Maven project versions is highly promising, with an accuracy rate as high as 99.8%. Based on our approach, the traceability links between vulnerabilities and software components can be made more accurate.
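The two linking steps the abstract describes, reduced to runnable code as an added illustration (this is not the paper's code). The first step normalises the URL spellings that actually occur in Maven POMs (`scm:git:` prefixes, scp-style `git@github.com:owner/repo.git`, `git://`/`ssh://`/`https://` schemes, trailing slashes, mixed case) to an `owner/repo` key before comparing them with a GitHub project URL; the second turns a (CVE version, Maven version) pair into a numeric feature vector a classifier can consume. The sample POM URLs, GitHub URL and version strings are constructed, and the five version features are assumptions chosen for this example, not the 16 features the paper defines.

```python
"""Added example (not the paper's code): URL text-matching between Maven and
GitHub project records, and feature extraction for CVE/Maven version pairs.
The URL rules and the features are illustrative assumptions."""
import re
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlparse

GITHUB_HOSTS = {"github.com", "www.github.com"}

# Constructed sample records (not real projects or CVE entries).
SAMPLE_POM_URLS = [
    "scm:git:git@github.com:Example-Org/Widget-Parser.git",  # <scm><connection>
    "https://www.example.org/widget-parser",                  # <url>, not GitHub
]
SAMPLE_GITHUB_URL = "https://github.com/example-org/widget-parser/"


def normalize_github_url(url: str) -> Optional[str]:
    """Reduce a GitHub URL in any of the spellings seen in POMs to a
    lower-case 'owner/repo' key (GitHub names are case-insensitive).
    Returns None when the URL does not point at a GitHub repository."""
    u = re.sub(r"^scm:git:", "", url.strip(), flags=re.IGNORECASE)
    scp = re.match(r"^(?:ssh://)?git@github\.com[:/](.+)$", u, re.IGNORECASE)
    if scp:
        path = scp.group(1)               # scp-style: owner/repo.git
    else:
        if "://" not in u:
            u = "https://" + u            # bare 'github.com/owner/repo'
        parsed = urlparse(u)
        host = (parsed.hostname or "").lower()
        if host not in GITHUB_HOSTS:
            return None
        path = parsed.path
    parts = [p for p in path.split("/") if p]
    if len(parts) < 2:                    # owner page or malformed path
        return None
    owner, repo = parts[0], parts[1]
    if repo.lower().endswith(".git"):
        repo = repo[:-4]
    return f"{owner}/{repo}".lower()


def link_maven_to_github(pom_urls: Iterable[str], github_url: str) -> bool:
    """URL text-matching link: True if any POM URL resolves to the same
    owner/repo as the GitHub project."""
    target = normalize_github_url(github_url)
    if target is None:
        return False
    return any(normalize_github_url(u) == target for u in pom_urls)


def split_version(version: str) -> Tuple[List[str], List[str]]:
    """'2.9.10.RELEASE' -> (['2', '9', '10'], ['release'])."""
    tokens = re.split(r"[.\-_+]", version.strip().lower())
    numbers = [t for t in tokens if t.isdigit()]
    words = [t for t in tokens if t and not t.isdigit()]
    return numbers, words


def version_features(cve_version: str, maven_version: str) -> Dict[str, int]:
    """Feature vector for one (CVE version, Maven version) pair.
    These five features are assumptions for this example, not the paper's 16."""
    cve_nums, cve_words = split_version(cve_version)
    mvn_nums, mvn_words = split_version(maven_version)
    common_prefix = 0
    for a, b in zip(cve_nums, mvn_nums):
        if a != b:
            break
        common_prefix += 1
    return {
        "exact_match": int(cve_version.strip().lower() == maven_version.strip().lower()),
        "numeric_equal": int(cve_nums == mvn_nums),
        "common_numeric_prefix": common_prefix,
        "numeric_length_diff": abs(len(cve_nums) - len(mvn_nums)),
        "qualifier_equal": int(cve_words == mvn_words),
    }


if __name__ == "__main__":
    print(link_maven_to_github(SAMPLE_POM_URLS, SAMPLE_GITHUB_URL))
    print(version_features("1.2", "1.2.3.RELEASE"))
```

The feature dictionaries can be vectorised with scikit-learn's `DictVectorizer` and fed, together with hand-labelled pairs, to a `RandomForestClassifier`; the 99.8% accuracy the abstract reports depends on the paper's own feature set and labelled data, so this toy feature set should not be expected to reproduce it. Two caveats a practitioner should keep in mind: URL matching only links projects whose POM actually carries a GitHub URL (forks and renamed repositories need a redirect-aware lookup), and a version pair that matches on every feature still only says the strings agree, not that the Maven artifact is the build the CVE describes.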

Published In

Web Engineering: 18th International Conference, ICWE 2018, Cáceres, Spain, June 5-8, 2018, Proceedings
Jun 2018
481 pages
ISBN:978-3-319-91661-3
DOI:10.1007/978-3-319-91662-0

Publisher

Springer-Verlag

Berlin, Heidelberg

Author Tags

  1. Vulnerability knowledge graph
  2. Software security vulnerabilities
  3. Software dependencies
  4. Vulnerability traceability
  5. Random forests algorithm
