Ontology-driven Security Testing of Web Applications

Josip Bozic*, Yihao Li, Franz Wotawa

*Corresponding author for this work

Publication: Contribution to book/report/conference proceedings › Contribution to conference proceedings › Peer-reviewed

Abstract

Vulnerabilities in existing software systems represent a great challenge for security assurance, where well-known attacks like cross-site scripting (XSS) or SQL injection (SQLI) still represent a common threat to today's web applications. Failure to cover these issues in verification might result in unforeseen consequences for users of such software systems. For this reason, we need a rigorous testing approach that combines knowledge about common attacks with knowledge about the system under test (SUT). Ontologies, a concept originating from philosophy and also studied in AI research, provide means for formalizing such knowledge, from which we want to obtain test cases in an automated fashion. In this paper, we follow this idea and present a security testing approach that relies on ontologies of attacks and of the system under test. In particular, the ontology used captures information from the domain of web applications as well as their communication protocol. Such a model represents an attack ontology that serves as the initial step in a test generation process. In turn, the inferred output is used to test a SUT for vulnerabilities. The test case generation process converts ontologies into input models for combinatorial testing (CT), from which we obtain abstract test cases that can be automatically mapped to concrete ones. Besides outlining the foundations of this approach, we also show its applicability on case studies from the domain of web applications.
Original language: English
Title: Proceedings - 2020 IEEE International Conference on Artificial Intelligence Testing, AITest 2020
Publisher: IEEE Publications
Pages: 115-122
Number of pages: 8
ISBN (electronic): 978-1-7281-6984-2
Publication status: Published - Aug 2020
Event: IEEE International Conference on Artificial Intelligence Testing: AITest 2020 - Keble College, Oxford University, Virtual, United Kingdom
Duration: 3 Aug 2020 to 6 Aug 2020

Conference

Conference: IEEE International Conference on Artificial Intelligence Testing
Short title: AITest 2020
Country/Territory: United Kingdom
City: Virtual
Period: 3/08/20 to 6/08/20

ASJC Scopus subject areas

  • Artificial intelligence
  • Safety, Risk, Reliability and Quality
  • Computer Science Applications
  • Modeling and Simulation
