Abstract: A method, system, and apparatus configured to identify discriminating features in a plurality of applications, determine via code analysis, when a first application is subjected to classification, positions of the first application's code that correspond to the discriminating features, and forward to a classification algorithm, such that according to its output the code fragments corresponding to the discriminating features are reported.

Abstract: A method, system and computer readable program are disclosed for managing data in a computing network. In an embodiment, the invention provides a method comprising obtaining specified data from a database in the computing network, aggregating the specified data in a defined data structure stored in the computing network, and specifying in the data structure properties over the data aggregated in the data structure. In an embodiment, a plurality of services in the computing network use the data in the data structure in accordance with the properties specified in the data structure. In an embodiment, one or more of the services modifies one or more of the properties specified in the data structure based on a transformation by the one or more of the services of the data aggregated in the data structure.

Abstract: Black-box security testing for a Web application includes identifying infrastructure supporting the Web application, obtaining vulnerability data for the Web application from an external data source according to the infrastructure, deriving a test payload from the vulnerability data using a processor, and determining a type of vulnerability exploited by the test payload. An existing validation operation of a testing system is selected for validating a response from the Web application to the test payload according to the type of vulnerability.

Abstract: Techniques for generating a warning filter to filter the warnings output from a static program analysis tool are provided. In one example, a computer-implemented method comprises determining feature vector data for a set of warnings, wherein the set of warnings is generated in response to static analysis of a computer program, and wherein the feature vector data comprises a feature vector indicative of an attribute of a warning of the set of warnings. The computer-implemented method also comprises determining a warning filter that identifies a first subset of the set of warnings as representing true positives based on the feature vector data and classified warning data, and wherein the classified warning data represents a second subset of the set of warnings that have been classified to indicate whether respective members of the second subset are indicative of true positives.

Abstract: Black-box security testing for a Web application includes identifying infrastructure supporting the Web application, obtaining vulnerability data for the Web application from an external data source according to the infrastructure, deriving a test payload from the vulnerability data using a processor, and determining a type of vulnerability exploited by the test payload. An existing validation operation of a testing system is selected for validating a response from the Web application to the test payload according to the type of vulnerability.

Abstract: Protecting a runtime Web service application. A web service application is instrumented to log its operation and allow recreation of its execution trace. Trace point vulnerabilities are identified using one or more data payloads. Candidate trace point operations associated with the trace point vulnerabilities are identified. Supplementary candidate operations are computed based on the existing trace point operations and the one or more data payloads. The Web service application is further instrumented with the one or more supplementary candidate operations.

Abstract: A method, including identifying over a set of classified applications a set of discriminating features, determining via code analysis, when a first application is subjected to classification, positions of the first application's code that correspond to discriminating features, and forwarding to a classification algorithm, such that according to its output the code fragments corresponding to the discriminating features are reported beyond a determination itself of the discriminating features.

Abstract: A system and method for static detection and categorization of information-flow downgraders includes transforming a program stored in a memory device by statically analyzing program variables to yield a single assignment to each variable in an instruction set. The instruction set is translated to production rules with string operations. A context-free grammar is generated from the production rules to identify a finite set of strings. An information-flow downgrader function is identified by checking the finite set of strings against one or more function specifications.

Abstract: A program is executed that includes multiple script functions. For a selected script function, the following are performed during program execution. It is determined whether the selected script function should or should not be executed based on a utility corresponding to the selected script function. The utility was determined prior to determining whether the selected script function should be executed. The selected script function is executed in response to a determination the selected script function should be executed. Execution of the selected script function is skipped in response to a determination the selected script function should not be executed. These techniques may be applied in real-time to crawl a program such as a webpage or may be applied using offline learning followed by a real-time crawling of the program. Apparatus, methods, and program products are disclosed.

Abstract: A method for performing program analysis includes receiving programs of a first platform that have been assigned a first label and programs of the first platform that have been assigned a second label. Each of the programs of the first platform is expressed as platform-independent logical features. A discriminatory model or classifier is trained, using machine learning, based on the expression of the programs of the first platform as platform-independent logical features, to distinguish between programs of the first label and programs of the second label. An unlabeled program of a second platform is received and is expressed as platform-independent logical features. The trained discriminatory model or classifier is used to determine if the unlabeled program warrants the first label or the second label, based on the expression of the unlabeled program as platform-independent logical features.

Abstract: Synthesizing sanitization code for applications based upon a probabilistic prediction model includes receiving a set of applications. The set of applications is partitioned into a first subset of applications and a second subset of applications. The first subset has one or more malicious payloads associated therewith, and the second subset has one or more non-malicious payloads associated therewith. A probabilistic prediction model is computed based upon the malicious payloads associated with the first subset of applications. One or more predicted malicious payloads are predicted from the probabilistic prediction model.

Abstract: A method for performing program analysis includes receiving programs of a first platform that have been assigned a first label and programs of the first platform that have been assigned a second label. Each of the programs of the first platform is expressed as platform-independent logical features. A discriminatory model or classifier is trained, using machine learning, based on the expression of the programs of the first platform as platform-independent logical features, to distinguish between programs of the first label and programs of the second label. An unlabeled program of a second platform is received and is expressed as platform-independent logical features. The trained discriminatory model or classifier is used to determine if the unlabeled program warrants the first label or the second label, based on the expression of the unlabeled program as platform-independent logical features.

Abstract: An improved information tracking procedure is provided. A precise information tracking procedure is performed for a sensitive value when an application is predicted to modify the sensitive value prior to the sensitive value reaching a data sink. The sensitive value comprises an attribute that may be linked to external knowledge to reveal sensitive information about an individual. In response to the application not being predicted to modify the sensitive value prior to the sensitive value reaching the data sink, a value-based information tracking procedure is performed. The value-based information tracking procedure comprises storing one or more values that are observed at a data source, and then determining whether or not each of these one or more values are observed at the data sink.

Abstract: Techniques for identifying computer program security access control violations using static program analysis are provided. In one example, a computer-implemented method comprises generating, by a device operatively coupled to a processor, a mathematical model of a computer program product, wherein the mathematical model defines data flows through nodes of the computer program product that reach a secure node corresponding to a secure resource. The computer implemented method further comprises evaluating, by the device, a security protocol of the computer program product using static program analysis of the mathematical model to determine whether any of the data flows provides access to the secure node without proceeding through one or more security nodes corresponding to the security protocol, wherein the one or more security nodes are included in the nodes of the computer program product.

Abstract: Preliminary program analysis of an executable may be performed. A security vulnerability level of a portion of the executable may be determined based on the preliminary program analysis. The security vulnerability level of the portion may be compared to a security vulnerability threshold. The precision of runtime monitoring of the portion may be tuned based on the comparison.

Abstract: A presentation document specifying a graphical layout of a user interface is received. A processor extracts a first user interface graphical feature from the presentation document. The extracted first user interface graphical feature is matched to one or more first candidate user interface graphical features to determine a first selected candidate user interface graphical feature. A user interface code representation of the user interface is synthesized based upon the first selected candidate user interface graphical feature.

Abstract: Privacy violation detection of a mobile application program is disclosed. Regular histories of the mobile application are mined. A call-graph representation of the mobile application program can be created and sequences of events of interest according to the platform specification of the mobile application can be collected. A plurality of learnable features are extracted from the regular histories. The plurality of learnable features are combined into a single feature vector which is fed into a machine-learning-based classification algorithm. Whether the mobile application program includes one or more permissions for accessing unauthorized privacy data of a mobile application user is determined based on a machine learning classification of the single feature vector. The collected sequences can be reduced into a plurality of feature vectors which can include at least one of a happens-before feature and a multiplicity of occurrences feature.

Abstract: In one embodiment, a computer-implemented method for comparing first and second descriptions of a web service includes computing a distance between each type used as a parameter in the first description and each type used as a parameter in the second description. A distance is calculated between methods in each of two or more pairs of methods. Each pair includes a method in the first description and a method in the second description. The calculating is performed by comparing the parameters of the first set of methods and the second set of methods using the computed distances between types. To the calculated distance between each pair of methods is added the distance between the names of the compared methods and the distance between the returned types of the compared methods. For each method in the first description, the method in the second description with the lowest calculated distance is output.

Abstract: A method, apparatus, system, and computer program product for performing security testing. Information about successful payloads in payloads is determined by a computer system using crowd-sourced data in which a successful payload is a payload used in a successful attack. A set of popular payloads is determined by a computer system from the payloads using information about the successful payloads determined using the crowd-sourced data. Testing is focused by the computer system on the set of popular payloads based on a set of key features for the set of popular payloads.

Abstract: A computer-implemented method for detecting malware based on asymmetry includes receiving, via a processor, an application to be tested. The method includes computing, via the processor, a static call graph for the application. The method also includes generating, via the processor, an interprocedural control-flow graph (ICFG) based on the static call graph. The method further includes detecting, via the processor, symbolic path conditions and executable operations along different paths of conditional branches in the ICFG. The method further includes detecting, via the processor, asymmetries based on the symbolic path conditions and the executable operations. The method includes detecting, via the processor, a malicious block based on the detected asymmetries. The method further includes modifying, via the processor, the application based on the detected malicious block.