Research Article | Peer-Reviewed

Predicting Attack Paths from Application Security Vulnerabilities Using a Multi-Layer Perceptron

Received: 5 February 2024     Accepted: 30 April 2024     Published: 30 May 2024
Abstract

This paper is part of a continuing series of research and proposes an approach to predicting possible attack paths from attack trees built on application security vulnerabilities. The attack trees are formed by stringing together weaknesses discovered in an application's code and across a group of applications within a domain. Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) entries, linked together as a string of vulnerabilities in the attack trees, can be visualized as pathways for attacks. These pathways become potential attacks that can spread vertically and horizontally, leading to a multi-path attack that can involve multiple software applications. With more data and a huge number of vulnerabilities, it will become impossible to identify all attack paths unless a full-scale implementation of an autonomous processing mechanism is in place. Machine Learning (ML) and Deep Learning (DL) techniques have been adopted in the cybersecurity space for decades; however, all the studies have been around networks, endpoints, and device monitoring. This paper focuses on application security. Building on the earlier work cited, it uses a vulnerability map with attack vectors in a Deep Learning (DL) method implementing a Multi-Layer Perceptron (MLP) as the basis for developing a predictive model that relates a set of linked vulnerabilities to an attack path. The results are encouraging, and this approach will help in identifying successful or failed attack paths involving multiple applications, isolated or grouped, and will help focus on the right applications and their associated vulnerabilities as the priority for remediation.

Published in American Journal of Software Engineering and Applications (Volume 12, Issue 1)
DOI 10.11648/j.ajsea.20241201.14
Page(s) 23-35
Creative Commons

This is an Open Access article, distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution and reproduction in any medium or format, provided the original work is properly cited.

Copyright

Copyright © The Author(s), 2024. Published by Science Publishing Group

Keywords

Attack Surface, Attack Path, Attack Vector, Vulnerability Map, Deep Learning, Artificial Neural Network, Multi-Layer Perceptron

References
[1] Berman, D. S., Buczak, A. L., Chavis, J. S., and Corbett, C. L. (2019), “A Survey of Deep Learning Methods for Cyber Security”, Information 2019, 10(4), 122; Machine Learning for Cyber-Security, Available from:
[2] David, O. E. and Netanyahu, N. S. (2015) "DeepSign: Deep learning for automatic malware signature generation and classification”, in 2015 International Joint Conference on Neural Networks, IJCNN 2015, Article 7280815 (Proceedings of the International Joint Conference on Neural Networks; Vol. 2015-September). Institute of Electrical and Electronics Engineers Inc., Available from:
[3] Fukushima, K. (1980). “Neocognitron: A Self-organizing Neural Network Model for a Mechanism of Pattern Recognition Unaffected by Shift in Position”, Biol Cybernetics 36, 193-302 (1980).
[4] Pascanu, R., Mikolov, T. and Bengio, Y. (2013). “On the difficulty of training recurrent neural networks”, In Proceedings of the 30th International Conference on Machine Learning, 28(3): 1310-1318, Available from
[5] Kasturi, S., Li, X., Pickard, J., and Li, P. (2023) “Understanding Statistical Correlation of Application Security Vulnerability Data from Detection and Monitoring Tools”, 2023 33rd International Telecommunication Networks and Applications Conference, Melbourne, Australia, 2023, pp. 289-296,
[6] Kasturi, S., Li, X., Li, P., Pickard, J. (2024). “A Proposed Approach to Integrate Application Security Vulnerability Data with Incidence Response Systems”, American Journal of Networks and Communications, 13(1), 19-29.
[7] Kasturi, S., Li, X., Pickard, J., Li, P. (2024). “Prioritization of Application Security Vulnerability Remediation Using Metrics, Correlation Analysis, and Threat Model”, American Journal of Software Engineering and Applications, 12(1), 5-13.
[8] Torres, P.; Catania, C.; Garcia, S.; Garino, C. G. (2016). “An Analysis of Recurrent Neural Networks for Botnet Detection Behavior”, In Proceedings of the 2016 IEEE Biennial Congress of Argentina (ARGENCON), Buenos Aires, Argentina, 15–17 June 2016; pp. 1–6,
[9] Hajrić, A., Smaka, T., Baraković, S., and Husić, J. B. (2020) “Methods, Methodologies, and Tools for Threat Modeling with Case Study”, Telfor Journal, Vol. 12, No. 1, 2020.
[10] Xiong, W., Legrand, E., Aberg, O., and Lagerstrom, R. (2022). “Cyber security threat modeling based on the MITRE Enterprise ATT&CK Matrix”, Software and Systems Modeling (2022) 21: 157–177
[11] SÜT, N., and ÇELİK, Y. (2012). "Prediction of mortality in stroke patients using multilayer perceptron neural networks”, In Turkish Journal of Medical Sciences: Vol. 42: No. 5, Article 20.
[12] Kanakogi, K., Washizaki, H., Fukazawa, Y., Ogata, S., Okubo, T., Kato, T., Kanuka, H., Hazeyama, A., Yoshioka, N. (2021). "Tracing CVE Vulnerability Information to CAPEC Attack Patterns Using Natural Language Processing Techniques", Information 2021, 12, 298.
[13] Reversing Labs. (2023). “How to Evaluate Threat Intelligence Feeds, eBook-How-to-Evaluate-Threat-Intelligence-Feeds”, Reversing Labs, Available from:
[14] Sevri, M., & Karacan, H. (2022). "Two Stage Deep Learning Based Stacked Ensemble Model for Web Application Security," In KSII Transactions on Internet and Information Systems, vol. 16, no. 2, pp. 632-657, 2022,
[15] Suskailo, V., Opirskyy, I., and Vasilylyshyn, S. (2020). "Analysis of the attack vectors used by threat actors during the pandemic," 2020 IEEE 15th International Conference on Computer Sciences and Information Technologies (CSIT), Zbarazh, Ukraine, 2020, pp. 261-264,
[16] Karantzas, G., and Patsakis, C. (2021). “An Empirical Assessment of Endpoint Detection and Response Systems against Advanced Persistent Threats Widely Used Attack Vectors”, J. Cybersecur. Priv. 2021, 1, 387–421.
[17] Tiwari, V. K., and Dwivedi, R. (2016). "Analysis of cyber attack vectors," 2016 International Conference on Computing, Communication and Automation (ICCCA), Greater Noida, India, 2016, pp. 600-604
[18] Mern, J., Hatch, K., Silva, R., Hickert, C., Sookoor, T., and Kochenderfer, M. J. (2022) "Autonomous Attack Mitigation for Industrial Control Systems," In 2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W), Baltimore, MD, USA, 2022, pp. 28-36, Available from:
[19] Kalogeraki, E.-M., Papastergiou, S., and Panayiotopoulos, T. (2022). “An Attack Simulation and Evidence Chains Generation Model for Critical Information Infrastructures”. Electronics 2022, 11, 404.
[20] Lohmann, P., Albuquerque, C., and Machado, R. C. S. (2023). “Systematic Literature Review of Threat Modeling Concepts”, In Researchgate Conference Paper, March 2023
[21] MITRE. (2023). “CWE Top 25 Most Dangerous Software Weaknesses”, MITRE, CWE - 2023 CWE Top 25 Most Dangerous Software Weaknesses mitre.org
[22] MITRE. (2023). “2023 On the Cusp”-Other Dangerous Software Weaknesses”, MITRE,
[23] OWASP (2021). “OWASP Top 10. OWASP”,
[24] MITRE. (2018) “Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA) Rules”, MITRE,
[25] Mell, P., Scarfone, K., and Romanosky, S. (2007). "A Complete Guide to the Common Vulnerability Scoring System Version 2.0", National Institute of Standards and Technology (NIST) and Carnegie Mellon University,
[26] FIRST. (2019). "Common Vulnerability Scoring System version 3.1 Specification Document Revision 1", by FIRST.Org, Inc.,
[27] CISA. (2021). “Reducing the Significant Risk of Known Exploited Vulnerabilities”, Cybersecurity and Infrastructure Security Agency (CISA),
[28] Miller, L. (2023). “Attack Surface Management For Dummies”, Palo Alto Networks Special Edition, 2023 by John Wiley & Sons, Inc., Hoboken, New Jersey.
[29] Liu, P., Ye, W., Duan, H., Li, X., Zhang, S., Yao, C., and Li, Y. (2023). “Graph neural network based approach to automatically assigning common weakness enumeration identifiers for vulnerabilities”, In Cybersecurity 6, 29 (2023).
[30] Popescu, M-C., Balas, V., & Perescu-Popescu, L., and Mastorakis, N. (2009). “Multilayer perceptron and neural networks”, In WSEAS Transactions on Circuits and Systems, Vol 8, Issue 7, pp. 579-588, Available from:
[31] Özkan, C., and Erbek, D.S. (2003) "The Comparison of Activation Functions for Multispectral Landsat TM Image Classification", American Society for Photogrammetry and Remote Sensing (ASPRS),
[32] Karrach, L., and Pivarčiová, E. (2023). “Using Different Types of Artificial Neural Networks to Classify 2D Matrix Codes and Their Rotations - A Comparative Study”, J. Imaging 2023, 9, 188.
[33] IBM. (2021). “IBM SPSS Statistics”, IBM Corporation North Castle Drive, MD-NC119 Armonk, NY 10504-1785 US, Available from:
[34] Vartouni, A. M., Teshnehlab, M., and Kashi, S. S. (2019). “Leveraging deep neural networks for anomaly-based web application firewall”, IET Information Security,
[35] Kasturi, S., Li, X., Li, P., and Pickard, J. (2024). "On the Benefits of Vulnerability Data Consolidation in Application Security", Vol. 19 No. 1(2024): In Proceedings of The 19th International Conference on Cyber Warfare and Security, pp. 455-462,
Cite This Article
  • APA Style

    Kasturi, S., Li, X., Li, P., Pickard, J. (2024). Predicting Attack Paths from Application Security Vulnerabilities Using a Multi-Layer Perceptron. American Journal of Software Engineering and Applications, 12(1), 23-35. https://doi.org/10.11648/j.ajsea.20241201.14


    ACS Style

    Kasturi, S.; Li, X.; Li, P.; Pickard, J. Predicting Attack Paths from Application Security Vulnerabilities Using a Multi-Layer Perceptron. Am. J. Softw. Eng. Appl. 2024, 12(1), 23-35. doi: 10.11648/j.ajsea.20241201.14


    AMA Style

    Kasturi S, Li X, Li P, Pickard J. Predicting Attack Paths from Application Security Vulnerabilities Using a Multi-Layer Perceptron. Am J Softw Eng Appl. 2024;12(1):23-35. doi: 10.11648/j.ajsea.20241201.14


  • @article{10.11648/j.ajsea.20241201.14,
      author = {Santanam Kasturi and Xiaolong Li and Peng Li and John Pickard},
      title = {Predicting Attack Paths from Application Security Vulnerabilities Using a Multi-Layer Perceptron},
      journal = {American Journal of Software Engineering and Applications},
      volume = {12},
      number = {1},
      pages = {23-35},
      doi = {10.11648/j.ajsea.20241201.14},
      url = {https://doi.org/10.11648/j.ajsea.20241201.14},
      eprint = {https://article.sciencepublishinggroup.com/pdf/10.11648.j.ajsea.20241201.14},
     year = {2024}
    }
    


  • TY  - JOUR
    T1  - Predicting Attack Paths from Application Security Vulnerabilities Using a Multi-Layer Perceptron
    
    AU  - Santanam Kasturi
    AU  - Xiaolong Li
    AU  - Peng Li
    AU  - John Pickard
    Y1  - 2024/05/30
    PY  - 2024
    N1  - https://doi.org/10.11648/j.ajsea.20241201.14
    DO  - 10.11648/j.ajsea.20241201.14
    T2  - American Journal of Software Engineering and Applications
    JF  - American Journal of Software Engineering and Applications
    JO  - American Journal of Software Engineering and Applications
    SP  - 23
    EP  - 35
    PB  - Science Publishing Group
    SN  - 2327-249X
    UR  - https://doi.org/10.11648/j.ajsea.20241201.14
    VL  - 12
    IS  - 1
    ER  - 


Author Information
  • Department of Technology Management, Indiana State University, Terre Haute, USA

  • Department of Electronics and Computer Engineering, Indiana State University, Terre Haute, USA

  • Department of Technology Systems, East Carolina University, Greenville, USA

  • Department of Technology Systems, East Carolina University, Greenville, USA
