A study on Web security incidents in China by analyzing vulnerability disclosure platforms

Understanding the nature of a country's World Wide Web security allows analysts to evaluate the security awareness of local organizations, the technology employed by researchers, and the defense capabilities of the country as a whole. In this paper, we put forward a new framework to evaluate the security situation in China using real vulnerability disclosure platforms. The focus of this research is to analyze the current situation of Chinese websites using 57,112 Web vulnerability incidents submitted by 5371 researchers from 2012 to 2015. The dataset is distributed across four types of organizations: listed companies, government institutions, educational institutions, and startups. We present an approach, based on machine learning and natural language processing technologies, to classify the vulnerability type of each incident. Furthermore, our experimental results show that the vulnerability distribution and the response speed toward important issues differ greatly among the four types of organizations, and that researchers at various levels of experience have begun to take part in submitting vulnerabilities to public disclosure platforms. Based on the results, we propose some security best practices for organizations and show that the security situation of Chinese websites has changed quickly in the last three years but is still facing several big problems.
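To make the classification step concrete, the following is an added illustration (not the authors' code or dataset): a small bag-of-words naive Bayes classifier, written in plain Python, that assigns a vulnerability type to a disclosure-report title. The training titles and the labels `sqli`, `xss`, `weak_password` and `unauthorized_access` are constructed for this example; the paper's actual feature set and classifier are not described on this page.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample of disclosure-platform report titles with hand-assigned
# vulnerability types. These are illustrative, not taken from the paper's dataset.
TRAIN = [
    ("SQL injection in login form leaks user table", "sqli"),
    ("blind SQL injection via order parameter on news page", "sqli"),
    ("union based SQL injection in product search", "sqli"),
    ("reflected XSS in search keyword parameter", "xss"),
    ("stored XSS in comment field executes script", "xss"),
    ("DOM XSS through location hash in homepage script", "xss"),
    ("weak password admin admin on management backend", "weak_password"),
    ("default password allows login to backup system", "weak_password"),
    ("unauthorized access to order export without login", "unauthorized_access"),
    ("IDOR exposes other users invoices by changing id", "unauthorized_access"),
]

def tokenize(text):
    """Lower-case word tokens; good enough for short report titles."""
    return re.findall(r"[a-z0-9]+", text.lower())

def train(samples):
    """Multinomial naive Bayes: per-label token counts plus label priors."""
    counts = defaultdict(Counter)   # label -> Counter of tokens
    priors = Counter()              # label -> number of training titles
    for text, label in samples:
        counts[label].update(tokenize(text))
        priors[label] += 1
    vocab = {tok for cnt in counts.values() for tok in cnt}
    return counts, priors, vocab

def classify(model, text):
    """Return the label with the highest log posterior for the given title."""
    counts, priors, vocab = model
    total = sum(priors.values())
    best, best_lp = None, float("-inf")
    for label, cnt in counts.items():
        lp = math.log(priors[label] / total)
        n = sum(cnt.values())
        for tok in tokenize(text):
            # Add-one (Laplace) smoothing so unseen tokens never zero out a label.
            lp += math.log((cnt[tok] + 1) / (n + len(vocab)))
        if lp > best_lp:
            best, best_lp = label, lp
    return best

MODEL = train(TRAIN)

def classify_report(title):
    """Classify one report title using the model trained on the constructed sample."""
    return classify(MODEL, title)
```

On a real corpus the same pipeline would be trained on platform-assigned labels and evaluated with held-out reports; the toy training set here only shows the mechanics.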
