DOI: 10.1145/2912845.2912851

Exploring the Use of Deprecated PHP Releases in the Wild Internet: Still a LAMP Issue?

Published: 13 June 2016

Abstract

Many web sites utilize deprecated software products that are no longer maintained by the associated software producers. This paper explores the question of whether an existing big data collection can be used to predict the likelihood of deprecated PHP releases based on different abstract components in modern web deployment stacks. Building on web intelligence, software security, and data-based industry rationales, the question is examined by focusing on the most popular domains in the contemporary web-facing Internet. Logistic regression is used for classification. Although statistical classification performance is modest, the results indicate that deprecated PHP releases are associated with Linux and other open source software components. Geographical variation is small. Besides these results, the paper contributes to the web intelligence research by evaluating the feasibility of existing big data collections for mass-scale fingerprinting.
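The fingerprinting step the abstract builds on can be made concrete. The following is an added example, written for this page and not code from the paper or its authors: it extracts the PHP version from HTTP response banners (the X-Powered-By and Server headers found in an HTTP Archive style crawl), labels the release as deprecated by comparing its branch against an upstream end-of-life table on a reference date, and derives the coarse stack features (server family, operating-system hint) that a logistic regression over such data would use. Everything below is an assumption for illustration: the EOL dates are recalled from php.net's unsupported-branches page and should be taken from there for real work, the Linux/Windows banner tags are a heuristic, and the sample responses are constructed, not crawl data.

```python
import re
from collections import Counter
from datetime import date

# Reference date: the paper's HTTP Archive data comes from the 1 December 2015 crawl.
AS_OF = date(2015, 12, 1)

# Upstream end-of-life date per PHP branch. ASSUMPTION: recalled from php.net/eol
# for illustration only; use that page for the authoritative list.
PHP_BRANCH_EOL = {
    (5, 2): date(2011, 1, 6),
    (5, 3): date(2014, 8, 14),
    (5, 4): date(2015, 9, 3),
    (5, 5): date(2016, 7, 21),
    (5, 6): date(2018, 12, 31),
    (7, 0): date(2019, 1, 10),
}

PHP_VERSION_RE = re.compile(r"PHP/(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)
# Heuristic banner tags (assumption). Distribution tags such as "(Ubuntu)" also
# flag a vendor that backports security fixes into old upstream version numbers.
LINUX_TAGS = ("ubuntu", "debian", "centos", "red hat", "fedora", "unix")
WINDOWS_TAGS = ("win32", "win64", "microsoft-iis")


def parse_php_version(headers):
    """Return (major, minor, patch) from lower-cased X-Powered-By or Server, else None."""
    for name in ("x-powered-by", "server"):
        m = PHP_VERSION_RE.search(headers.get(name, ""))
        if m:
            patch = int(m.group(3)) if m.group(3) else 0
            return (int(m.group(1)), int(m.group(2)), patch)
    return None


def server_family(server_value):
    """Coarse web server family from the Server banner."""
    s = server_value.lower()
    for family in ("apache", "nginx", "microsoft-iis", "litespeed"):
        if s.startswith(family):
            return family
    return "other" if s else "unknown"


def os_hint(headers):
    """Operating-system hint from banner tags; 'unknown' when nothing is disclosed."""
    banner = " ".join(headers.values()).lower()
    if any(tag in banner for tag in WINDOWS_TAGS):
        return "windows"
    if any(tag in banner for tag in LINUX_TAGS):
        return "linux"
    return "unknown"


def fingerprint(headers, as_of=AS_OF):
    """Label one response: PHP version, deprecation status on as_of, server, OS hint.

    deprecated is None when no PHP banner is present (expose_php=Off, a proxy
    that strips headers, or simply not PHP) or the branch is not in the table.
    """
    h = {k.lower(): v for k, v in headers.items()}
    version = parse_php_version(h)
    deprecated = None
    if version is not None:
        eol = PHP_BRANCH_EOL.get(version[:2])
        if eol is not None:
            deprecated = eol < as_of
    return {
        "php": version,
        "deprecated": deprecated,
        "server": server_family(h.get("server", "")),
        "os": os_hint(h),
    }


def deprecation_by_os(records, as_of=AS_OF):
    """Cross-tabulate (os_hint, deprecated) over records with a known PHP branch."""
    counts = Counter()
    for headers in records:
        fp = fingerprint(headers, as_of)
        if fp["deprecated"] is not None:
            counts[(fp["os"], fp["deprecated"])] += 1
    return counts


# Constructed sample responses (not data from the paper or from HTTP Archive).
SAMPLE_RECORDS = [
    {"Server": "Apache/2.2.22 (Ubuntu)", "X-Powered-By": "PHP/5.3.10-1ubuntu3.21"},
    {"Server": "nginx/1.8.0", "X-Powered-By": "PHP/5.6.15"},
    {"Server": "Microsoft-IIS/8.5", "X-Powered-By": "PHP/5.4.45"},
    {"Server": "Apache/2.4.6 (CentOS)", "X-Powered-By": "PHP/5.4.16"},
    {"Server": "Apache", "X-Powered-By": "PHP/7.0.0"},
    {"Server": "cloudflare-nginx"},  # no PHP banner: status unknown, not "not PHP"
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(fingerprint(rec))
    print(dict(deprecation_by_os(SAMPLE_RECORDS)))
```

Two caveats matter when reading results from this kind of pipeline. First, a missing banner is not evidence of a supported release: PHP's expose_php=Off, header-stripping proxies and CDNs all remove X-Powered-By, so the sample is biased toward servers that disclose. Second, the "1ubuntu3.21" style suffix in the first record shows why a Linux association needs care: Debian, Ubuntu and Red Hat backport security fixes while keeping the old upstream version number, so an upstream-EOL branch on such a host is not necessarily unpatched, whereas the same version string on a self-built or Windows deployment usually is.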


Cited By

  • (2019) A Demand-Side Viewpoint to Software Vulnerabilities in WordPress Plugins. Proceedings of the 23rd International Conference on Evaluation and Assessment in Software Engineering, pages 222-228. DOI 10.1145/3319008.3319029. Online publication date: 15 April 2019.

      Published In

      cover image ACM Other conferences
      WIMS '16: Proceedings of the 6th International Conference on Web Intelligence, Mining and Semantics
      June 2016
      309 pages

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. cyber security
      2. patching
      3. release engineering
      4. web crawling

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Conference

      WIMS '16

      Acceptance Rates

      WIMS '16 paper acceptance rate: 36 of 53 submissions (68%)
      Overall acceptance rate: 140 of 278 submissions (50%)
