Alqahtani, Sultan (2018) Enhancing Trust – A Unified Meta-Model for Software Security Vulnerability Analysis. PhD thesis, Concordia University.
Text (application/pdf), 4MB: Alqahtani_PhD_F2018.pdf (Accepted Version)
Abstract
Over the last decade, the globalization of the software industry has facilitated the sharing and reuse of code across project boundaries. At the same time, such global reuse introduces new challenges for the Software Engineering community: not only is code shared across systems, but so is any vulnerability that code is exposed to. Hence, vulnerabilities found in APIs no longer affect only individual projects but might spread across projects and even across the borders of global software ecosystems. Tracing such vulnerabilities on a global scale becomes an inherently difficult task, since many of the resources required for the analysis are not only growing at unprecedented rates but are also spread across heterogeneous sources. Software developers struggle to identify and locate the data they need in order to take full advantage of these resources. The Semantic Web and its supporting technology stack have been widely promoted as a way to model, integrate, and support interoperability among heterogeneous data sources.
This dissertation makes the following major contributions to address these challenges. (1) It provides a literature review of the use of software vulnerability databases (SVDBs) in the Software Engineering community. (2) Based on the findings of this review, we present SEVONT, a Semantic Web-based modeling approach that supports the formal, semi-automated unification of vulnerability information resources. SEVONT introduces a multi-layer knowledge model which not only provides a unified knowledge representation but also captures software vulnerability information at different levels of abstraction, allowing the modeled knowledge to be integrated, analyzed, and reused seamlessly. The modeling approach takes advantage of Formal Concept Analysis (FCA) to guide knowledge engineers in identifying reusable knowledge concepts and modeling them. (3) A Security Vulnerability Analysis Framework (SV-AF) is introduced as an instantiation of the SEVONT knowledge model to support evidence-based vulnerability detection. The framework integrates vulnerability ontologies (and their data) with existing Software Engineering ontologies, so that Semantic Web reasoning services can be used to trace and assess the impact of security vulnerabilities across project boundaries.
Several case studies are presented to illustrate the applicability and flexibility of the modeling approach, demonstrating that it can not only unify heterogeneous vulnerability data sources but also enable new types of vulnerability analysis.
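As an added illustration of the two mechanisms the abstract names (this is constructed example code, not code from the thesis, SEVONT or SV-AF), the Python below does two things on toy data: (a) runs the two Formal Concept Analysis derivation operators over a small "formal context" of hypothetical vulnerability sources and their fields, so that the fields every source shares surface as the candidates for a common upper layer of the knowledge model; and (b) forward-chains two rules over an RDF-style triple graph until nothing new is derived, which is how a reasoner over a dependency ontology turns one asserted "vulnerability affects library" fact into the full set of projects exposed to it across project boundaries. Every source name, field name, project name and the vulnerability identifier are constructed for the example; the prefixes stand in for RDF namespaces.

```python
"""Two toy building blocks of the kind the abstract describes, added as an
illustration (constructed example, not SEVONT/SV-AF code from the thesis):
 (a) Formal Concept Analysis over a small cross-source formal context, used to
     find the vulnerability fields shared by every source (upper-layer concepts);
 (b) rule-based materialisation over an RDF-style triple graph, used to trace a
     library vulnerability to every project that depends on the library,
     directly or transitively, across project boundaries.
All names below are constructed for this example."""

from itertools import combinations

# (a) Constructed formal context: objects are hypothetical vulnerability
# sources, attributes are the fields each source exposes.
CONTEXT = {
    "SourceA": {"cve_id", "cvss_score", "affected_product", "patch_commit"},
    "SourceB": {"cve_id", "cvss_score", "affected_product"},
    "SourceC": {"cve_id", "affected_product", "patch_commit"},
    "SourceD": {"cve_id", "exploit_available"},
}
ALL_ATTRS = frozenset().union(*CONTEXT.values())


def extent(attrs):
    """Derivation operator on attributes: every object that has all of attrs."""
    return frozenset(obj for obj, have in CONTEXT.items() if attrs <= have)


def intent(objs):
    """Derivation operator on objects: every attribute shared by all of objs."""
    if not objs:
        return ALL_ATTRS  # the empty extent carries every attribute
    return frozenset.intersection(*(frozenset(CONTEXT[o]) for o in objs))


def formal_concepts():
    """All closed (extent, intent) pairs of CONTEXT, i.e. the nodes of the
    concept lattice. Enumerating attribute subsets is fine at this size."""
    concepts = set()
    for size in range(len(ALL_ATTRS) + 1):
        for combo in combinations(sorted(ALL_ATTRS), size):
            ext = extent(frozenset(combo))
            concepts.add((ext, intent(ext)))
    return concepts


def shared_core_attributes():
    """Attributes every source provides: candidates for the unified upper
    layer. This is the intent of the top concept (extent = all objects)."""
    return intent(frozenset(CONTEXT))


# (b) Constructed triple graph standing in for the ontology-backed store.
TRIPLES = {
    ("lib:parser", "dependsOn", "lib:core"),
    ("app:shop", "dependsOn", "lib:parser"),
    ("app:billing", "dependsOn", "lib:parser"),
    ("app:cms", "dependsOn", "lib:core"),
    ("app:standalone", "dependsOn", "lib:other"),
    ("vuln:V-1", "affects", "lib:core"),  # the only asserted vulnerability fact
}


def saturate(triples):
    """Forward-chain two rules to a fixpoint (the materialisation an OWL/RDFS
    reasoner performs):
      R1  x dependsOn y, y dependsOn z  ->  x dependsOn z   (transitivity)
      R2  x dependsOn y, v affects y    ->  x exposedTo v   (impact propagation)
    """
    kb = set(triples)
    while True:
        deps = {}
        for s, p, o in kb:
            if p == "dependsOn":
                deps.setdefault(s, set()).add(o)
        derived = set()
        for x, ys in deps.items():
            for y in ys:
                for z in deps.get(y, ()):
                    derived.add((x, "dependsOn", z))          # R1
        for v, p, y in kb:
            if p == "affects":
                for x, ys in deps.items():
                    if y in ys:
                        derived.add((x, "exposedTo", v))      # R2
        derived -= kb
        if not derived:
            return kb
        kb |= derived


def exposed_to(kb, vuln):
    """Query: every artifact the reasoner marked as exposed to vuln."""
    return sorted(s for s, p, o in kb if p == "exposedTo" and o == vuln)


if __name__ == "__main__":
    print("shared core attributes:", sorted(shared_core_attributes()))
    print("number of formal concepts:", len(formal_concepts()))
    print("exposed to vuln:V-1:", exposed_to(saturate(TRIPLES), "vuln:V-1"))
```

In an OWL 2 ontology the two hand-written rules correspond to declaring `dependsOn` a transitive property and `exposedTo` a property chain over `dependsOn` and the inverse of `affects`; a standard reasoner then materialises the same `exposedTo` facts and a SPARQL query replaces `exposed_to`. The toy graph shows the point of the approach: only one vulnerability fact is asserted, yet two applications that never reference `lib:core` directly (`app:shop`, `app:billing`) are reported as exposed, while `app:standalone` is correctly left out.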
Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Computer Science and Software Engineering
Item Type: Thesis (PhD)
Authors: Alqahtani, Sultan
Institution: Concordia University
Degree Name: Ph.D.
Program: Computer Science
Date: 30 August 2018
Thesis Supervisor(s): Rilling, Juergen
Keywords: vulnerability analysis; software engineering; vulnerability databases; knowledge model
ID Code: 984378
Deposited By: SULTAN ALQAHTANI
Deposited On: 31 Oct 2018 17:44
Last Modified: 02 Apr 2019 15:41
[162] C. Fruhwirth and T. Mannisto, “Improving CVSS-based vulnerability prioritization and response with context information,” in 2009 3rd International Symposium on Empirical Software Engineering and Measurement, 2009, pp. 535–544.
[163] M. Boldt, B. Carlsson, and R. Martinsson, “Software Vulnerability Assessment Version Extraction and Verification,” in International Conference on Software Engineering Advances (ICSEA 2007), 2007, pp. 59–59.
[164] M. Cadariu, E. Bouwers, J. Visser, and A. van Deursen, “Tracking known security vulnerabilities in proprietary software systems,” in IEEE 22nd International Conference on Software Analysis, Evolution, and Reengineering (SANER), 2015, pp. 516–519.
[165] S. S. Alqahtani, E. E. Eghan, and J. Rilling, “Tracing known security vulnerabilities in software repositories – A Semantic Web enabled modeling approach,” Sci. Comput. Program., vol. 121, pp. 153–175, Jun. 2016.
[166] S. S. Alqahtani, E. E. Eghan, and J. Rilling, “Recovering Semantic Traceability Links between APIs and Security Vulnerabilities: An Ontological Modeling Approach,” in 2017 IEEE International Conference on Software Testing, Verification and Validation (ICST), 2017, pp. 80–91.
[167] S. Neuhaus, T. Zimmermann, C. Holler, and A. Zeller, “Predicting vulnerable software components,” in Proceedings of the 14th ACM conference on Computer and communications security - CCS ’07, 2007, p. 529.
[168] S. Neuhaus, T. Zimmermann, and T. Zimmermann, “The Beauty and the Beast: Vulnerabilities in Red Hat’s Packages,” in Proceedings of the 2009 USENIX Annual Technical Conference (USENIX ATC), 2009, pp. 383–396.
[169] F. Massacci, S. Neuhaus, and V. H. Nguyen, “After-Life Vulnerabilities: A Study on Firefox Evolution, Its Vulnerabilities, and Fixes,” 2011, pp. 195–208.
[170] V. Mulwad, W. Li, A. Joshi, T. Finin, and K. Viswanathan, “Extracting Information about Security Vulnerabilities from Web Text,” in IEEE/WIC/ACM International Conferences on Web Intelligence and Intelligent Agent Technology, 2011, pp. 257–260.
[171] A. Joshi, R. Lal, T. Finin, and A. Joshi, “Extracting Cybersecurity Related Linked Data from Text,” in IEEE Seventh International Conference on Semantic Computing, 2013, pp. 252–259.
[172] J. A. Wang and M. Guo, “OVM: an ontology for vulnerability management,” in Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research Cyber Security and Information Intelligence Challenges and Strategies - CSIIRW ’09, 2009, p. 1.
[173] I. Souag, Amina and Salinesi, Camille and Comyn-Wattiau, A. Souag, C. Salinesi, I. Comyn-Wattiau, and I. Souag, Amina and Salinesi, Camille and Comyn-Wattiau, “Ontologies for Security Requirements: A Literature Survey and Classification,” in Advanced Information Systems Engineering Workshops, Springer, 2012, pp. 61–69.
[174] C. Blanco, J. Lasheras, R. Valencia-Garc, E. Fern, A. Toval, M. Piattini, and M. Blanco, Carlos and Lasheras, Joaquin and Valencia-Garc{\’\i}a, Rafael and Fern{\’a}ndez-Medina, Eduardo and Toval, Ambrosio and Piattini, “A systematic review and comparison of security ontologies,” in Availability, Reliability and Security, 2008. ARES 08. Third International Conference on, 2008, pp. 813--820.
[175] M.-A. Sicilia, E. García-Barriocanal, J. Bermejo-Higuera, and S. Sánchez-Alonso, “What are Information Security Ontologies Useful for?,” 2015, pp. 51–61.
[176] S. Alqahtani, “Knowledge Modeling Survey dataset,” 2018. [Online]. Available: https://github.com/isultane/KM-survey-dataset. [Accessed: 20-May-2018].
[177] S. Seedorf and F. F. I. U. Mannheim, “Applications of Ontologies in Software Engineering,” in In 2nd International Workshop on Semantic Web Enabled Software Engineering (SWESE 2006), 2006.
[178] D. Dermeval, J. Vilela, I. I. Bittencourt, J. Castro, S. Isotani, P. Brito, and A. Silva, “Applications of ontologies in requirements engineering: a systematic review of the literature,” Requir. Eng., vol. 21, no. 4, pp. 405–437, Nov. 2016.
[179] W. Kang and Y. Liang, “A Security Ontology with MDA for Software Development,” in 2013 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery, 2013, pp. 67–74.
[180] G. Elahi, E. Yu, and N. Zannone, “A Modeling Ontology for Integrating Vulnerabilities into Security Requirements Conceptual Foundations,” 2009, pp. 99–114.
[181] F. den Braber, T. Dimitrakos, B. A. Gran, M. S. Lund, K. Stolen, and J. O. Aagedal, “The CORAS Methodology,” in UML and the Unified Process, IGI Global, 2003, pp. 332–357.
[182] R. Matulevičius, N. Mayer, H. Mouratidis, E. Dubois, P. Heymans, and N. Genon, “Adapting Secure Tropos for Security Risk Management in the Early Phases of Information Systems Development,” in Advanced Information Systems Engineering, Berlin, Heidelberg, Heidelberg: Springer Berlin Heidelberg, 2008, pp. 541–555.
[183] A. Souag, C. Salinesi, R. Mazo, and I. Comyn-Wattiau, “A Security Ontology for Security Requirements Elicitation,” 2015, pp. 157–177.
[184] P. El Khoury, A. Mokhtari, E. Coquery, and M.-S. Hacid, “An Ontological Interface for Software Developers to Select Security Patterns,” in 2008 19th International Conference on Database and Expert Systems Applications, 2008, pp. 297–301.
[185] P. W. Singer and A. Friedman, Cybersecurity and Cyberwar: What Everyone Needs to Know. 2014.
[186] J. Undercoffer, A. Joshi, T. Finin, and J. Pinkston, “A Target-Centric Ontology for Intrusion Detection,” in Proceedings of the IJCAI-03 Workshop on Ontologies and Distributed Systems, 2004, pp. 47--58.
[187] J. Undercoffer, A. Joshi, and J. Pinkston, “Modeling Computer Attacks: An Ontology for Intrusion Detection,” in Recent Advances in Intrusion Detection, 2003, pp. 113–135.
[188] J. B. Kopena and W. C. Regli, “DAMLJessKB: A Tool for Reasoning with the Semantic Web,” in Second International Semantic Web Conference, 2003, pp. 628–643.
[189] S. More, M. Matthews, A. Joshi, and T. Finin, “A Knowledge-Based Approach to Intrusion Detection Modeling,” in IEEE Symposium on Security and Privacy Workshops, 2012, pp. 75–81.
[190] P. N. Mendes, M. Jakob, A. García-Silva, and C. Bizer, “DBpedia spotlight: shedding light on the web of documents,” in Proceedings of the 7th International Conference on Semantic Systems - I-Semantics ’11, 2011, pp. 1–8.
[191] Z. Syed, A. Padia, T. Finin, M. L. Mathews, and A. Joshi, “UCO: A Unified Cybersecurity Ontology,” in AAAI Workshop: Artificial Intelligence for Cyber Security, 2016.
[192] M. Iannacone, S. Bohn, G. Nakamura, J. Gerth, K. Huffer, R. Bridges, E. Ferragut, and J. Goodall, “Developing an Ontology for Cyber Security Knowledge Graphs,” in Proceedings of the 10th Annual Cyber and Information Security Research Conference, 2015, pp. 1–4.
[193] P. Kamongi, S. Kotikela, K. Kavi, M. Gomathisankaran, and A. Singhal, “VULCAN: Vulnerability Assessment Framework for Cloud Computing,” in 2013 IEEE 7th International Conference on Software Security and Reliability, 2013, pp. 218–226.
[194] A. Steele, “Ontological Vulnerability Assessment,” in Web Information Systems Engineering – WISE 2008 Workshops, Berlin, Heidelberg, Heidelberg: Springer Berlin Heidelberg, 2008, pp. 24–35.
[195] K. Srujan and K. K. G. Mahadevan, “Vulnerability Assessment In Cloud Computing,” in Proceedings of the International Conference on Security and Management (SAM), 2012, pp. 1–7.
[196] A. Gyrard, C. Bonnet, and K. Boudaoud, “An Ontology-Based Approach for Helping to Secure the ETSI Machine-to-Machine Architecture,” in 2014 IEEE International Conference on Internet of Things(iThings), and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom), 2014, pp. 109–116.
[197] A. Gyrard, C. Bonnet, and K. Boudaoud, “The STAC (security toolbox: attacks & countermeasures) ontology,” in Proceedings of the 22nd International Conference on World Wide Web - WWW ’13 Companion, 2013, pp. 165–166.
[198] J. A. Wang and M. Guo, “Security Data Mining in an Ontology for Vulnerability Management,” in 2009 International Joint Conference on Bioinformatics, Systems Biology and Intelligent Computing, 2009, pp. 597–603.
[199] J. A. Wang, M. Guo, H. Wang, M. Xia, and L. Zhou, “Environmental Metrics for Software Security Based on a Vulnerability Ontology,” in 2009 Third IEEE International Conference on Secure Software Integration and Reliability Improvement, 2009, pp. 159–168.
[200] J. A. Wang, M. Guo, H. Wang, M. Xia, and L. Zhou, “Ontology-based security assessment for software products,” in Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research Cyber Security and Information Intelligence Challenges and Strategies - CSIIRW ’09, 2009, p. 1.
[201] J. A. Wang, H. Wang, M. Guo, L. Zhou, and J. Camargo, “Ranking Attacks Based on Vulnerability Analysis,” in 2010 43rd Hawaii International Conference on System Sciences, 2010, pp. 1–10.
[202] J. A. Wang, L. Zhou, M. Guo, H. Wang, and J. Camargo, “Measuring Similarity for Security Vulnerabilities,” in 2010 43rd Hawaii International Conference on System Sciences, 2010, pp. 1–10.
[203] I. Kotenko, A. Chechulin, E. Doynikova, and A. Fedorchenko, “Ontological Hybrid Storage for Security Data,” 2018, pp. 159–171.
[204] A. V. Fedorchenko, I. V. Kotenko, E. V. Doynikova, and A. A. Chechulin, “The ontological approach application for construction of the hybrid security repository,” in 2017 XX IEEE International Conference on Soft Computing and Measurements (SCM), 2017, pp. 525–528.
[205] R. Montesino and S. Fenz, “Automation Possibilities in Information Security Management,” in 2011 European Intelligence and Security Informatics Conference, 2011, pp. 259–262.
[206] G. Jiang, K. Ogasawara, A. Endoh, and T. Sakurai, “Context-based ontology building support in clinical domains using formal concept analysis,” Int. J. Med. Inform., vol. 71, no. 1, pp. 71–81, Aug. 2003.
[207] G. Fu, “FCA based ontology development for data integration,” Inf. Process. Manag., vol. 52, no. 5, pp. 765–782, Sep. 2016.
[208] J. Nanda, T. W. Simpson, S. R. T. Kumara, and S. B. Shooter, “A Methodology for Product Family Ontology Development Using Formal Concept Analysis and Web Ontology Language,” J. Comput. Inf. Sci. Eng., vol. 6, no. 2, p. 103, 2006.
[209] L. He and Q. Wang, “Construction of Ontology Information System Based on Formal Concept Analysis,” 2011, pp. 83–88.
[210] X. Bai and X. Zhou, “Development of Ontology-Based Information System Using Formal Concept Analysis and Association Rules,” 2011, pp. 121–126.
[211] N. Noy and D. McGuinness, “Ontology Development 101: A Guide to Creating Your First Ontology,” 2001.
[212] I. V. Krsul, “Software vulnerability analysis,” Purdue University, 1998.
[213] D. Kosutic, “ISO 27001/ISO 22301 Knowledge base,” ISO 27001/ISO 22301, 2017. [Online]. Available: https://advisera.com/27001academy/knowledgebase/. [Accessed: 14-May-2018].
[214] A. Vorobiev and Jun Han, “Security Attack Ontology for Web Services,” in Second International Conference on Semantics, Knowledge and Grid, 2006, pp. 42–42.
[215] S. S. Alqahtani, E. E. Eghan, and J. Rilling, “SE-GPS,” 2015. [Online]. Available: http://aseg.cs.concordia.ca/segps. [Accessed: 26-Sep-2017].
[216] S. O. Kuznetsov, “Stability as an Estimate of the Degree of Substantiation of Hypotheses on the Basis of Operational Similarity,” Sci. Tech. Inf. Ser. 2, vol. 24, pp. 21–29, 1990.
[217] S. O. Kuznetsov, “On stability of a formal concept,” Ann. Math. Artif. Intell., vol. 49, no. 1–4, pp. 101–115, Aug. 2007.
[218] B. L. Bullough, A. K. Yanchenko, C. L. Smith, and J. R. Zipkin, “Predicting Exploitation of Disclosed Software Vulnerabilities Using Open-source Data,” in Proceedings of the 3rd ACM on International Workshop on Security And PrivacyAnalytics - IWSPA ’17, 2017, pp. 45–53.
[219] A. Kimmig, S. Bach, M. Broecheler, B. Huang, and L. Getoor, “A short introduction to Probabilistic Soft Logic.,” in Proceedings of NIPS Workshop on Probabilistic Programming: Foundations and Applications (NIPS Workshop-12), 2012.
[220] A. M. Project, “Maven Central Repository.” [Online]. Available: http://search.maven.org/. [Accessed: 15-Dec-2014].
[221] NIST, “National Vulnerability Database,” 2007. [Online]. Available: http://web.nvd.nist.gov/view/vuln/search. [Accessed: 15-Dec-2014].
[222] V. Livshits and M. Lam, “Finding security vulnerabilities in Java applications with static analysis,” … 14th Conf. USENIX Secur. …, pp. 1–17, 2005.
[223] OWASP, “Using Components with Known Vulnerabilities,” 2013. [Online]. Available: https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities. [Accessed: 23-Sep-2016].
[224] OWASP, “Top 10,” 2013. [Online]. Available: https://www.owasp.org/index.php/Top_10_2013-Top_10. [Accessed: 23-Sep-2016].
[225] Y. M. Mileva, V. Dallmeier, M. Burger, and A. Zeller, “Mining trends of library usage,” in Proceedings of the joint international and annual ERCIM workshops on Principles of software evolution (IWPSE) and software evolution (Evol) workshops, 2009, pp. 57--62.
[226] M. Potamias, F. Bonchi, A. Gionis, and G. Kollios, “k-nearest neighbors in uncertain graphs,” Proc. VLDB Endow., vol. 3, no. 1–2, pp. 997–1008, Sep. 2010.
[227] A. V. Aho, M. R. Garey, and J. D. Ullman, “The Transitive Reduction of a Directed Graph,” SIAM J. Comput., vol. 1, no. 2, pp. 131–137, Jun. 1972.
[228] S. Skiena, Implementing Discrete Mathematics: Combinatorics and Graph Theory with Mathematica. Addison-Wesley, 1990.
[229] D. Movshovitz-Attias, S. E. Whang, N. Noy, and A. Halevy, “Discovering Subsumption Relationships for Web-Based Ontologies,” in Proceedings of the 18th International Workshop on Web and Databases - WebDB’15, 2010, pp. 62–69.
[230] Y. Mileva, V. Dallmeier, and A. Zeller, “Mining API popularity,” Testing--Practice Res. Tech., pp. 173–180, 2010.
[231] A. Hmood, I. Keivanloo, and J. Rilling, “SE-EQUAM - An Evolvable Quality Metamodel,” in 2012 IEEE 36th Annual Computer Software and Applications Conference Workshops, 2012, pp. 334–339.
[232] J. Z. Gao, C. Chen, Y. Toyoshima, and D. K. Leung, “Engineering on the Internet for global software production,” Computer (Long. Beach. Calif)., vol. 32, no. 5, pp. 38–47, May 1999.
[233] F. Thung, D. Lo, and J. Lawall, “Automated library recommendation,” Proc. - Work. Conf. Reverse Eng. WCRE, no. October, pp. 182–191, 2013.
[234] M. M. Rahman, C. K. Roy, and D. Lo, “RACK: Automatic API Recommendation Using Crowdsourced Knowledge,” in 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER), 2016, pp. 349–359.
[235] C. Teyton, J.-R. Falleri, and X. Blanc, “Mining Library Migration Graphs,” in 2012 19th Working Conference on Reverse Engineering, 2012, pp. 289–298.
[236] A. Hora, A. Hora, and M. T. Valente, “apiwave : Keeping Track of API Popularity and Migration,” no. JANUARY, pp. 321–323, 2015.
[237] S. Raemaekers, A. van Deursen, and J. Visser, “Measuring software library stability through historical version analysis,” in 2012 28th IEEE International Conference on Software Maintenance (ICSM), 2012, pp. 378–387.
[238] F. McCarey, M. Ó. Cinnéide, and N. Kushmerick, “Rascal: A Recommender Agent for Agile Reuse,” Artif. Intell. Rev., vol. 24, no. 3–4, pp. 253–276, Nov. 2005.
[239] D. L. Parnas, “Software aging,” in ICSE ’94 Proceedings of the 16th international conference on Software engineering, 1994, pp. 279–287.
[240] F. S. Foundation, “Various Licenses and Comments About Them,” GNU Project, 2014. .
[241] L. Xavier, A. Brito, A. Hora, and M. T. Valente, “Historical and impact analysis of API breaking changes: A large-scale study,” in 2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER), 2017, pp. 138–147.
[242] S. Raemaekers, A. Van Deursen, and J. Visser, “Semantic versioning versus breaking changes: A study of the maven repository,” Proc. - 2014 14th IEEE Int. Work. Conf. Source Code Anal. Manip. SCAM 2014, pp. 215–224, 2014.
[243] O. Seneviratne, L. Kagal, D. Weitzner, H. Abelson, T. Berners-Lee, and N. Shadbolt, “Detecting creative commons license violations on images on the world wide web,” WWW2009, April, 2009.
[244] A. Hmood, Philipp Schugerl1, J. Rilling, and Philippe Charland, “OntEQAM – A Methodology for Assessing Evolvability as a Quality Factor in Software Ecosystems,” in Defence R&D Canada - Valcartier, Valcartier QUE (CAN), 2010, p. 8.
[245] J. A. McCall, P. K. Richards, and G. F. Walters, “Factors in Software Quality. Volume I. Concepts and Definitions of Software Quality,” 1977.
[246] A. Bergel, S. Denier, S. Ducasse, J. Laval, F. Bellingard, P. Vaillergues, F. Balmas, and K. Mordal-Manet, “SQUALE - Software QUALity Enhancement,” in 2009 13th European Conference on Software Maintenance and Reengineering, 2009, pp. 285–288.
[247] H. Kagdi, S. Yusuf, and J. I. Maletic, “Mining sequences of changed-files from version histories,” in Proceedings of the 2006 international workshop on Mining software repositories - MSR ’06, 2006, p. 47.
[248] H. Kagdi, M. L. Collard, and J. I. Maletic, “Comparing Approaches to Mining Source Code for Call-Usage Patterns,” in Fourth International Workshop on Mining Software Repositories (MSR’07:ICSE Workshops 2007), 2007, pp. 20–26.
[249] T. Kamiya, S. Kusumoto, and K. Inoue, “CCFinder: a multilinguistic token-based code clone detection system for large scale source code,” IEEE Trans. Softw. Eng., vol. 28, no. 7, pp. 654–670, Jul. 2002.
[250] Y. Zhang, R. Witte, J. Rilling, and V. Haarslev, “Ontological approach for the semantic recovery of traceability links between software artefacts,” IET Softw., vol. 2, no. 3, p. 185, 2008.
[251] I. Keivanloo, C. Forbes, J. Rilling, and P. Charland, “Towards sharing source code facts using linked data,” Proceeding 3rd Int. Work. Search-driven Dev. users, infrastructure, tools, Eval. - SUITE ’11, pp. 25–28, 2011.
[252] M. F. Bertoa, A. Vallecillo, and F. García, “An Ontology for Software Measurement,” in Ontologies for Software Engineering and Software Technology, Springer Berlin Heidelberg, 2006, pp. 175–196.
[253] R. Robbes, M. Lungu, and D. Röthlisberger, “How do developers react to API deprecation?,” in Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering - FSE ’12, 2012, p. 1.
[254] B. E. Cossette and R. J. Walker, “Seeking the Ground Truth: A Retroactive Study on the Evolution and Migration of Software Libraries,” Proc. ACM SIGSOFT 20th Int. Symp. Found. Softw. Eng., p. 55:1--55:11, 2012.
[255] P. Kapur, B. Cossette, and R. J. Walker, “Refactoring references for library migration,” ACM SIGPLAN Not., vol. 45, no. 10, p. 726, 2010.
[256] L. A. Zadeh, “The concept of a linguistic variable and its application to approximate reasoning-III,” Inf. Sci. (Ny)., vol. 9, no. 1, pp. 43–80, Jan. 1975.
[257] I. E. Commission, “Programmable Controllers - Part 7: Fuzzy Control Programming,” 2000.
[258] P. Cingolani and J. Alcala-Fdez, “jFuzzyLogic: a robust and flexible Fuzzy-Logic inference system language implementation,” in 2012 IEEE International Conference on Fuzzy Systems, 2012, pp. 1–8.
[259] I. Samoladas, G. Gousios, D. Spinellis, and I. Stamelos, “The SQO-OSS Quality Model: Measurement Based Open Source Software Evaluation,” in Open Source Development, Communities and Quality, Boston, MA: Springer US, 2008, pp. 237–248.
[260] B. M. Kuhn, A. K. Sebro, and D. Gingerich, “Chapter 10 The Lesser GPL,” Free Software Foundation & Software Freedom Law Center, 2016. .
[261] V. del Bianco, L. Lavazza, S. Morasca, and D. Taibi, “Quality of Open Source Software: The QualiPSo Trustworthiness Model,” 2009, pp. 199–212.
[262] T. Boland, C. Cleraux, and E. Fong, “Toward a Preliminary Framework for Assessing the Trustworthiness of Software,” 2010.
[263] R. Jagarlamudi, Jagadeesh and Daum III, Hal and Udupa, “Incorporating lexical priors into topic models,” in Proceedings of the 13th Conference of the European Chapter of the Association for Computational Linguistics, 2012, pp. 204--213.
[264] M. I. Blei, David M and Ng, Andrew Y and Jordan, “Latent dirichlet allocation,” J. Mach. Learn. Res., vol. 3, pp. 993--1022, 2003.
[265] S. S. Alqahtani and J. Rilling, “An Ontology-Based Approach to Automate Tagging of Software Artifacts,” in 2017 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), 2017, pp. 169–174.
Repository Staff Only: item control page