
How to build a vulnerability benchmark to overcome cyber security attacks

IET Information Security

Cybercrime is rising dramatically worldwide. The crime rate grows day by day in every field or department that is directly or indirectly connected to the internet, including government, business and individuals. The main objective of this study is to evaluate vulnerabilities in different software systems at the source code level by tracing their patch files. The authors have collected the source code of different types of vulnerabilities at different levels of granularity. They propose different ways to collect or trace vulnerable code, which can help security experts, organisations and software developers maintain security measures. By following the proposed method, you can build your own vulnerability data-set and detect vulnerabilities in any system using a suitable code clone detection technique. The study also discusses reasons for the rise in cybercrimes, including zero-day exploits. A case study, with results and research questions, shows the effectiveness of this study. The study concludes with key findings on published and non-published vulnerabilities and ways to prevent different security attacks and so overcome cybercrimes.
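The workflow the abstract outlines (trace a security patch back to the pre-patch code, store that code as a data-set entry, then look for clones of it) can be sketched as follows. This is an added example, not the authors' implementation: the sample patch, the label `SAMPLE-1`, the window size `N` and the line-window hashing used as the clone check are all assumptions made for illustration.

```python
import hashlib
import re

N = 3  # lines per fingerprint window (assumed value)
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")
# Constructed sample patch, not taken from any real project.
SAMPLE_PATCH = """\
--- a/util.c
+++ b/util.c
@@ -1,5 +1,5 @@
 void copy_name(char *dst, const char *src) {
     char buf[64];
-    strcpy(buf, src);
+    snprintf(buf, sizeof(buf), "%s", src);
     store(dst, buf);
 }
"""

def normalise(line):
    """Drop // and one-line /* */ comments, then all whitespace."""
    return re.sub(r"\s+", "", re.sub(r"//.*|/\*.*?\*/", "", line))

def windows(lines):
    """Hashes of every run of N consecutive non-empty normalised lines."""
    norm = [x for x in map(normalise, lines) if x]
    return {hashlib.sha256("\n".join(norm[i:i + N]).encode()).hexdigest()
            for i in range(len(norm) - N + 1)}

def pre_patch_hunks(patch):
    """Return each hunk's pre-patch text: context plus removed lines."""
    hunks, old, new = [], 0, 0  # old/new: lines still owed by the hunk header
    for line in patch.splitlines():
        m = HUNK.match(line)
        tag = line[:1] or " "  # a blank line is context with its space stripped
        if m and not (old or new):
            old, new = (int(g) if g else 1 for g in m.groups())
            hunks.append([])
        elif old or new:
            if tag in (" ", "-"):
                hunks[-1].append(line[1:])
            old -= tag in (" ", "-")
            new -= tag in (" ", "+")
    return hunks

def build_dataset(patches):
    """Map each patch label to the window hashes of its pre-patch hunks."""
    return {k: [windows(h) for h in pre_patch_hunks(p)] for k, p in patches.items()}

def find_unpatched(source, dataset):
    """Labels whose every hunk fingerprint occurs in the source text."""
    have = windows(source.splitlines())
    return sorted(k for k, f in dataset.items() if any(f) and all(w <= have for w in f))
```

Because windows that span the changed lines disappear once the fix is applied, a source file that still contains every pre-patch window is reported as an unpatched clone, while the patched version is not.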

http://iet.metastore.ingenta.com/content/journals/10.1049/iet-ifs.2018.5647