Abstract
Vulnerabilities in existing software systems represent
a great challenge for security assurance, where well known
attacks like cross-site scripting (XSS) or SQL injections (SQLI)
still represent a common threat for today’s web applications. Failure
to cover these issues in verification might result in unforeseen
consequences for users of such software systems. For this reason,
we have to come up with a rigorous testing approach should
that should combine knowledge about common attacks and the
system under test. Ontologies, which is a concept originating
from philosophy and also considered in AI research, provide
means for formalizing such knowledge from which we want to
obtain test cases in an automated fashion. In this paper, we follow
this idea and present a security testing approach that relies on
ontologies of attacks and the system under test. In particular,
the used ontology depicts information from the domain of web
applications as well as their communication protocol. Actually,
such a model represents an attack ontology that serves as the
initial step in a test generation process. In turn, the inferred
output is used in order to test a SUT for vulnerabilities. The test
case generation process converts ontologies into input models for
combinatorial testing (CT), from which we obtain abstract test
cases that can be automatically mapped to concrete ones. Besides
outlining the foundations behind this approach, we also show its
applicability considering case studies from the domain of web
applications.
a great challenge for security assurance, where well known
attacks like cross-site scripting (XSS) or SQL injections (SQLI)
still represent a common threat for today’s web applications. Failure
to cover these issues in verification might result in unforeseen
consequences for users of such software systems. For this reason,
we have to come up with a rigorous testing approach should
that should combine knowledge about common attacks and the
system under test. Ontologies, which is a concept originating
from philosophy and also considered in AI research, provide
means for formalizing such knowledge from which we want to
obtain test cases in an automated fashion. In this paper, we follow
this idea and present a security testing approach that relies on
ontologies of attacks and the system under test. In particular,
the used ontology depicts information from the domain of web
applications as well as their communication protocol. Actually,
such a model represents an attack ontology that serves as the
initial step in a test generation process. In turn, the inferred
output is used in order to test a SUT for vulnerabilities. The test
case generation process converts ontologies into input models for
combinatorial testing (CT), from which we obtain abstract test
cases that can be automatically mapped to concrete ones. Besides
outlining the foundations behind this approach, we also show its
applicability considering case studies from the domain of web
applications.
| Original language | English |
|---|---|
| Title of host publication | Proceedings - 2020 IEEE International Conference on Artificial Intelligence Testing, AITest 2020 |
| Publisher | IEEE Publications |
| Pages | 115-122 |
| Number of pages | 8 |
| ISBN (Electronic) | 978-1-7281-6984-2 |
| DOIs | |
| Publication status | Published - Aug 2020 |
| Event | IEEE International Conference on Artificial Intelligence Testing: AITest 2020 - Keble College, Oxford University, Virtuell, United Kingdom Duration: 3 Aug 2020 → 6 Aug 2020 |
Conference
| Conference | IEEE International Conference on Artificial Intelligence Testing |
|---|---|
| Abbreviated title | AITest 2020 |
| Country/Territory | United Kingdom |
| City | Virtuell |
| Period | 3/08/20 → 6/08/20 |
Keywords
- combinatorial testing
- model-based testing
- Ontology-based testing
- security testing
- testing web applications
ASJC Scopus subject areas
- Artificial Intelligence
- Safety, Risk, Reliability and Quality
- Computer Science Applications
- Modelling and Simulation