Open Access
ARTICLE
Systematic Security Guideline Framework through Intelligently Automated Vulnerability Analysis
1 Computer Information Technology, Korea National University of Transportation, Chungju, 27469, Korea
2 Department of AI Computer Science and Engineering, Kyonggi University, Suwon, 16227, Korea
* Corresponding Author: Junho Ahn. Email:
Computers, Materials & Continua 2024, 78(3), 3867-3889. https://doi.org/10.32604/cmc.2024.046871
Received 17 October 2023; Accepted 25 January 2024; Issue published 26 March 2024
Abstract
This research aims to propose a practical framework designed for the automatic analysis of a product’s comprehensive functionality and security vulnerabilities, generating applicable guidelines based on real-world software. Existing analyses of software security vulnerabilities often focus on specific features or modules. This partial and arbitrary analysis of security vulnerabilities makes it challenging to comprehend the overall security posture of the software. The key novelty lies in overcoming the constraints of such partial approaches. The proposed framework utilizes data from various sources to create a comprehensive functionality profile, facilitating the derivation of real-world security guidelines. Security guidelines are dynamically generated by associating functional security vulnerabilities with the latest Common Vulnerabilities and Exposures (CVE) entries and Common Vulnerability Scoring System (CVSS) scores, resulting in automated guidelines tailored to each product. These guidelines are not only practical but also applicable in real-world software, allowing for prioritized security responses. The proposed framework is applied to virtual private network (VPN) software, wherein a validated Level 2 data flow diagram is generated using the Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE) technique with references to various papers and examples from related software. The analysis resulted in the identification of a total of 121 vulnerabilities. The successful implementation and validation demonstrate the framework’s efficacy in generating customized guidelines for entire systems, subsystems, and selected modules.
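The abstract describes the framework's core pipeline: enumerate threats against a data flow diagram with STRIDE, associate each threat with CVE records and their CVSS scores, and emit guidelines ordered so the highest-scoring items are handled first. The following is an added illustration of that pipeline, not the paper's implementation. It uses the standard STRIDE-per-element mapping from Microsoft's threat modeling practice, and the VPN-style DFD elements and the CVE records (with placeholder identifiers of the form CVE-XXXX-NNNN) are constructed for the example; the real product's Level 2 DFD and its 121 findings are not reproduced here.

```python
"""Added example: STRIDE-per-element enumeration over a small Level 2 DFD,
with each threat linked to CVE records and ranked by CVSS base score.
DFD elements and CVE entries are constructed; they describe no real product."""
from dataclasses import dataclass, field

# STRIDE-per-element mapping (Microsoft threat modeling practice):
# which STRIDE categories apply to each kind of DFD element.
STRIDE_BY_ELEMENT = {
    "external_entity": {"S", "R"},
    "process": {"S", "T", "R", "I", "D", "E"},
    "data_store": {"T", "R", "I", "D"},
    "data_flow": {"T", "I", "D"},
}

STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # one of the STRIDE_BY_ELEMENT keys


@dataclass(frozen=True)
class CveRecord:
    cve_id: str    # placeholder identifier (constructed, not a real CVE)
    cvss: float    # CVSS v3 base score, 0.0 to 10.0
    element: str   # DFD element the weakness is associated with
    category: str  # STRIDE letter


@dataclass
class Guideline:
    element: str
    category: str
    cvss: float  # priority: highest CVSS among the associated CVEs
    cve_ids: list = field(default_factory=list)


def enumerate_threats(elements):
    """Return the set of (element name, STRIDE letter) pairs for the DFD."""
    return {(e.name, cat) for e in elements for cat in STRIDE_BY_ELEMENT[e.kind]}


def cvss_severity(score):
    """CVSS v3.x qualitative severity rating bands."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def build_guidelines(elements, cves):
    """Associate every enumerated threat with the CVEs that match it, carry
    the maximum CVSS score as the priority, and return the guidelines sorted
    highest priority first. Threats with no matching CVE are kept at 0.0 so
    the guideline set still covers the whole DFD, not only the known CVEs."""
    by_threat = {t: Guideline(t[0], t[1], 0.0) for t in enumerate_threats(elements)}
    for c in cves:
        key = (c.element, c.category)
        if key not in by_threat:
            # STRIDE does not assign this category to that element type;
            # the record is left out rather than silently re-mapped.
            continue
        g = by_threat[key]
        g.cve_ids.append(c.cve_id)
        g.cvss = max(g.cvss, c.cvss)
    return sorted(by_threat.values(), key=lambda g: (-g.cvss, g.element, g.category))


# Constructed Level 2 DFD fragment of a generic VPN product.
DFD = [
    Element("Client", "external_entity"),
    Element("Tunnel Endpoint", "process"),
    Element("Key Store", "data_store"),
    Element("Control Channel", "data_flow"),
]

# Constructed CVE records with placeholder identifiers and scores.
CVES = [
    CveRecord("CVE-XXXX-0001", 9.8, "Tunnel Endpoint", "E"),
    CveRecord("CVE-XXXX-0002", 7.5, "Control Channel", "I"),
    CveRecord("CVE-XXXX-0003", 5.3, "Key Store", "I"),
    CveRecord("CVE-XXXX-0004", 6.1, "Client", "T"),  # T is not a STRIDE category for external entities
]

if __name__ == "__main__":
    for g in build_guidelines(DFD, CVES):
        print(f"{g.cvss:4.1f} {cvss_severity(g.cvss):8} {g.element:16} "
              f"{STRIDE_NAMES[g.category]:22} {', '.join(g.cve_ids) or '-'}")
```

Running the block prints the prioritized guideline table; the four constructed elements yield 15 STRIDE threats, three of which carry a CVE, and the fourth record is dropped because Tampering is not a STRIDE category for an external entity.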
This work is licensed under a Creative Commons Attribution 4.0 International License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.