Automatic identification of security vulnerabilities in software systems (Identification automatique des vulnérabilités de sécurité dans les systèmes logiciels)

Abstract: The threat posed by software vulnerabilities is growing exponentially. This is due, on the one hand, to the omnipresence of software and, on the other hand, to the large number of existing vulnerabilities. Several strategies have been developed over time to address this problem. Some aim to establish good development practices and integrate them from the design phase onward; others consist of carrying out security inspections that identify vulnerable areas of code. This thesis belongs to the second category of work and focuses on the construction of vulnerability prediction models. Building such models raises several problems, the most important being the lack of data on software vulnerabilities. To address it, we set up a complete processing chain, from the creation and annotation of a security corpus to the construction and evaluation of vulnerability prediction models. The first contribution of this thesis concerns the corpus construction approach more than the corpus itself. The approach is based on the design of vulnerability meta-scanners that identify code vulnerabilities efficiently, by combining several static analysis tools according to their individual performance on each category of vulnerabilities. Our second contribution is the SecureQualitas corpus, a corpus of Java applications annotated with the vulnerabilities they contain; we built it using a meta-scanner composed of three vulnerability analysis tools. Finally, our third contribution is a prediction model for vulnerable code. We chose to characterize code with quality metrics and studied the performance of the models both on categories of vulnerabilities the models were trained on and on categories not yet known to the model. The results of our experiments showed the effectiveness of the models on both populations of vulnerabilities: known and unknown.
Contributor: ABES STAR
Submitted on: Thursday, August 26, 2021 - 10:19:28 AM
Last modification on: Monday, June 27, 2022 - 3:06:19 AM
Long-term archiving on: Saturday, November 27, 2021 - 6:20:23 PM

Version validated by the jury (STAR)

  • HAL Id: tel-03326519, version 1

Raounak Benabidallah. Identification automatique des vulnérabilités de sécurité dans les systèmes logiciels. Cryptography and Security [cs.CR]. Université de Bretagne Sud, 2020. French. ⟨NNT : 2020LORIS573⟩. ⟨tel-03326519⟩