{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,21]],"date-time":"2025-12-21T06:26:22Z","timestamp":1766298382397,"version":"3.40.3"},"publisher-location":"Cham","reference-count":47,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783030878719"},{"type":"electronic","value":"9783030878726"}],"license":[{"start":{"date-parts":[[2021,9,22]],"date-time":"2021-09-22T00:00:00Z","timestamp":1632268800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2021,9,22]],"date-time":"2021-09-22T00:00:00Z","timestamp":1632268800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022]]},"DOI":"10.1007\/978-3-030-87872-6_20","type":"book-chapter","created":{"date-parts":[[2021,9,21]],"date-time":"2021-09-21T04:02:39Z","timestamp":1632196959000},"page":"203-213","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["A Survey on the State of the Art of\u00a0Vulnerability Assessment Techniques"],"prefix":"10.1007","author":[{"given":"Eva","family":"Sotos Mart\u00ednez","sequence":"first","affiliation":[]},{"given":"Nora M.","family":"Villanueva","sequence":"additional","affiliation":[]},{"given":"Lilian Adkinson","family":"Orellana","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2021,9,22]]},"reference":[{"key":"20_CR1","unstructured":"Samonas, S., Coss, D.: The cia strikes back: redefining confidentiality, integrity and availability in security. J. Inf. Syst. Securi. 
10(3), 21\u201345 (2014)"},{"issue":"4","key":"20_CR2","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3092566","volume":"50","author":"SM Ghaffarian","year":"2017","unstructured":"Ghaffarian, S.M., Shahriari, H.R.: Software vulnerability analysis and discovery using machine-learning and data-mining techniques: a survey. ACM Comput. Surv. (CSUR) 50(4), 1\u201336 (2017)","journal-title":"ACM Comput. Surv. (CSUR)"},{"issue":"5","key":"20_CR3","doi-asserted-by":"publisher","first-page":"57","DOI":"10.1145\/502059.502041","volume":"35","author":"D Engler","year":"2001","unstructured":"Engler, D., Chen, D.Y., Hallem, S., Chou, A., Chelf, B.: Bugs as deviant behavior: a general approach to inferring errors in systems code. ACM SIGOPS Oper. Syst. Rev. 35(5), 57\u201372 (2001)","journal-title":"ACM SIGOPS Oper. Syst. Rev."},{"issue":"5","key":"20_CR4","doi-asserted-by":"publisher","first-page":"306","DOI":"10.1145\/1095430.1081755","volume":"30","author":"Z Li","year":"2005","unstructured":"Li, Z., Zhou, Y.: PR-Miner: automatically extracting implicit programming rules and detecting violations in large software code. ACM SIGSOFT Softw. Eng. Not. 30(5), 306\u2013315 (2005)","journal-title":"ACM SIGSOFT Softw. Eng. Not."},{"key":"20_CR5","doi-asserted-by":"crossref","unstructured":"Wasylkowski, A., Zeller, A., Lindig, C.: Detecting object usage anomalies. In: Proceedings of the 6th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (2007)","DOI":"10.1145\/1287624.1287632"},{"key":"20_CR6","doi-asserted-by":"crossref","unstructured":"Gruska, N., Wasylkowski, A., Zeller, A.: Learning from 6,000 projects: lightweight cross-project anomaly detection. In: Proceedings of the 19th International Symposium on Software Testing and Analysis, pp. 
119\u2013130 (2010)","DOI":"10.1145\/1831708.1831723"},{"key":"20_CR7","doi-asserted-by":"crossref","unstructured":"Acharya, M., Xie, T., Pei, J., Xu, J.: Mining API patterns as partial orders from source code: from usage scenarios to specifications. In: Proceedings of the 6th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (2007)","DOI":"10.1145\/1287624.1287630"},{"issue":"5","key":"20_CR8","doi-asserted-by":"publisher","first-page":"579","DOI":"10.1109\/TSE.2008.24","volume":"34","author":"RY Chang","year":"2008","unstructured":"Chang, R.Y., Podgurski, A., Yang, J.: Discovering neglected conditions in software by mining dependence graphs. IEEE Trans. Soft. Eng. 34(5), 579\u2013596 (2008)","journal-title":"IEEE Trans. Soft. Eng."},{"key":"20_CR9","doi-asserted-by":"crossref","unstructured":"Thummalapenta, S., Xie, T.: Alattin: mining alternative patterns for detecting neglected conditions. In: 2009 IEEE\/ACM International Conference on Automated Software Engineering, pp. 283\u2013294. IEEE (2009)","DOI":"10.1109\/ASE.2009.72"},{"issue":"5","key":"20_CR10","doi-asserted-by":"publisher","first-page":"296","DOI":"10.1145\/1095430.1081754","volume":"30","author":"B Livshits","year":"2005","unstructured":"Livshits, B., Zimmermann, T.: Dynamine: finding common error patterns by mining software revision histories. ACM SIGSOFT Softw. Eng. Not. 30(5), 296\u2013305 (2005)","journal-title":"ACM SIGSOFT Softw. Eng. Not."},{"key":"20_CR11","doi-asserted-by":"crossref","unstructured":"Yamaguchi, F., Lottmann, M., Rieck, K.: Generalized vulnerability extrapolation using abstract syntax trees. In: Proceedings of the 28th Annual Computer Security Applications Conference, pp. 
359\u2013368 (2012)","DOI":"10.1145\/2420950.2421003"},{"key":"20_CR12","doi-asserted-by":"crossref","unstructured":"Yamaguchi, F., Golde, N., Arp, D., Rieck, K.: Modeling and discovering vulnerabilities with code property graphs. In: 2014 IEEE Symposium on Security and Privacy, pp. 590\u2013604. IEEE (2014)","DOI":"10.1109\/SP.2014.44"},{"key":"20_CR13","doi-asserted-by":"crossref","unstructured":"Yamaguchi, F., Maier, A., Gascon, H., Rieck, K.: Automatic inference of search patterns for taint-style vulnerabilities. In: 2015 IEEE Symposium on Security and Privacy, pp. 797\u2013812. IEEE (2015)","DOI":"10.1109\/SP.2015.54"},{"issue":"10","key":"20_CR14","doi-asserted-by":"publisher","first-page":"1767","DOI":"10.1016\/j.infsof.2013.04.002","volume":"55","author":"LK Shar","year":"2013","unstructured":"Shar, L.K., Tan, H.B.K.: Predicting SQL injection and cross site scripting vulnerabilities through mining input sanitization patterns. Inf. Softw. Technol. 55(10), 1767\u20131780 (2013)","journal-title":"Inf. Softw. Technol."},{"issue":"6","key":"20_CR15","doi-asserted-by":"publisher","first-page":"688","DOI":"10.1109\/TDSC.2014.2373377","volume":"12","author":"LK Shar","year":"2014","unstructured":"Shar, L.K., Briand, L.C., Tan, H.B.K.: Web application vulnerability prediction using hybrid program analysis and machine learning. IEEE Trans. Depend. Secure Comput. 12(6), 688\u2013707 (2014)","journal-title":"IEEE Trans. Depend. Secure Comput."},{"key":"20_CR16","doi-asserted-by":"crossref","unstructured":"Grieco, G., Grinblat, G.L., Uzal, L., Rawat, S., Feist, J., Mounier, L.: Toward large-scale vulnerability discovery using machine learning. In: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, pp. 
85\u201396 (2016)","DOI":"10.1145\/2857705.2857720"},{"key":"20_CR17","doi-asserted-by":"crossref","unstructured":"Li, Z., Zou, D., Xu, S., Jin, H., Zhu, Y., Chen, Z.: SySeVR: a framework for using deep learning to detect software vulnerabilities. Trans. Depen. Secure Comput. (2021)","DOI":"10.1109\/TDSC.2021.3051525"},{"key":"20_CR18","doi-asserted-by":"crossref","unstructured":"Li, Z., et al.: Vuldeepecker: a deep learning-based system for vulnerability detection. arXiv preprint arXiv:1801.01681 (2018)","DOI":"10.14722\/ndss.2018.23158"},{"key":"20_CR19","doi-asserted-by":"crossref","unstructured":"Neuhaus, S., Zimmermann, T., Holler, C., Zeller, A.: Predicting vulnerable software components. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 529\u2013540 (2007)","DOI":"10.1145\/1315245.1315311"},{"key":"20_CR20","doi-asserted-by":"crossref","unstructured":"Schr\u00f6ter, A., Zimmermann, T., Zeller, A.: Predicting component failures at design time. In: Proceedings of the 2006 ACM\/IEEE International Symposium on Empirical Software Engineering, pp. 18\u201327 (2006)","DOI":"10.1145\/1159733.1159739"},{"key":"20_CR21","doi-asserted-by":"crossref","unstructured":"Shin, Y., Williams, L.: An empirical model to predict security vulnerabilities using code complexity metrics. In: Proceedings of the Second ACM-IEEE International Symposium on Empirical Software Engineering and Measurement, pp. 315\u2013317 (2008)","DOI":"10.1145\/1414004.1414065"},{"issue":"6","key":"20_CR22","doi-asserted-by":"publisher","first-page":"772","DOI":"10.1109\/TSE.2010.81","volume":"37","author":"Y Shin","year":"2010","unstructured":"Shin, Y., Meneely, A., Williams, L., Osborne, J.A.: Evaluating complexity, code churn, and developer activity metrics as indicators of software vulnerabilities. IEEE Trans. Softw. Eng. 37(6), 772\u2013787 (2010)","journal-title":"IEEE Trans. Softw. 
Eng."},{"key":"20_CR23","doi-asserted-by":"crossref","unstructured":"Gegick, M., Williams, L., Osborne, J., Vouk, M.: Prioritizing software security fortification through code-level metrics. In: Proceedings of the 4th ACM Workshop on Quality of Protection, pp. 31\u201338 (2008)","DOI":"10.1145\/1456362.1456370"},{"key":"20_CR24","doi-asserted-by":"crossref","unstructured":"Morrison, P., Herzig, K., Murphy, B., Williams, L.: Challenges with applying vulnerability prediction models. In: Proceedings of the 2015 Symposium and Bootcamp on the Science of Security, pp. 1\u20139 (2015)","DOI":"10.1145\/2746194.2746198"},{"key":"20_CR25","doi-asserted-by":"crossref","unstructured":"Zimmermann, T., Nagappan, N., Williams, L.: Searching for a needle in a haystack: predicting security vulnerabilities for windows vista. In: 2010 3rd International Conference on Software Testing, Verification and Validation. IEEE (2010)","DOI":"10.1109\/ICST.2010.32"},{"key":"20_CR26","doi-asserted-by":"crossref","unstructured":"Younis, A., Malaiya, Y., Anderson, C., Ray, I.: To fear or not to fear that is the question: code characteristics of a vulnerable function with an existing exploit. In: Proceedings of the 6th ACM Conference on Data and Application Security and Privacy (2016)","DOI":"10.1145\/2857705.2857750"},{"key":"20_CR27","doi-asserted-by":"publisher","first-page":"150672","DOI":"10.1109\/ACCESS.2020.3016774","volume":"8","author":"Z Bilgin","year":"2020","unstructured":"Bilgin, Z., Ersoy, M.A., Soykan, E.U., Tomur, E., \u00c7omak, P., Kara\u00e7ay, L.: Vulnerability prediction from source code using machine learning. IEEE Access 8, 150672\u2013150684 (2020)","journal-title":"IEEE Access"},{"key":"20_CR28","doi-asserted-by":"crossref","unstructured":"Hastie, T., Tibshirani, R., Friedman, J.: The elements of statistical learning: data mining, inference, and prediction. 
Springer Science & Business Media (2009)","DOI":"10.1007\/978-0-387-84858-7"},{"issue":"1","key":"20_CR29","doi-asserted-by":"publisher","first-page":"25","DOI":"10.1007\/s10664-011-9190-8","volume":"18","author":"Y Shin","year":"2013","unstructured":"Shin, Y., Williams, L.: Can traditional fault prediction models be used for vulnerability prediction? Empirical Softw. Eng. 18(1), 25\u201359 (2013)","journal-title":"Empirical Softw. Eng."},{"key":"20_CR30","unstructured":"Jacobs, J., Romanosky, S., Edwards, B., Roytman, M., Adjerid, I.: Exploit prediction scoring system (epss). arXiv preprint arXiv:1908.04856 (2019)"},{"issue":"2","key":"20_CR31","doi-asserted-by":"publisher","first-page":"648","DOI":"10.1002\/qre.2754","volume":"37","author":"N Bhatt","year":"2021","unstructured":"Bhatt, N., Anand, A., Yadavalli, V.S.S.: Exploitability prediction of software vulnerabilities. Qual. Ability Eng. Int. 37(2), 648\u2013663 (2021)","journal-title":"Qual. Ability Eng. Int."},{"key":"20_CR32","doi-asserted-by":"crossref","unstructured":"Chen, H., Liu, R., Park, N., Subrahmanian, V.S.: Using twitter to predict when vulnerabilities will be exploited. In: Proceedings of the 25th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, pp. 3143\u20133152 (2019)","DOI":"10.1145\/3292500.3330742"},{"issue":"4","key":"20_CR33","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3196884","volume":"21","author":"KA Farris","year":"2018","unstructured":"Farris, K.A., Shah, A., Cybenko, G., Ganesan, R., Jajodia, S.: Vulcon: a system for vulnerability prioritization, mitigation, and management. ACM Trans. Priv. Secur. (TOPS) 21(4), 1\u201328 (2018)","journal-title":"ACM Trans. Priv. Secur. (TOPS)"},{"key":"20_CR34","doi-asserted-by":"crossref","unstructured":"Edkrantz, M., Said, A.: Predicting cyber vulnerability exploits with machine learning. In: SCAI, pp. 
48\u201357 (2015)","DOI":"10.1109\/CSCloud.2015.56"},{"key":"20_CR35","doi-asserted-by":"crossref","unstructured":"Almukaynizi, M., Nunes, E., Dharaiya, K., Senguttuvan, M., Shakarian, J., Shakarian, P.: Proactive identification of exploits in the wild through vulnerability mentions online. In: 2017 International Conference on Cyber Conflict (CyCon US), pp. 82\u201388. IEEE (2017)","DOI":"10.1109\/CYCONUS.2017.8167501"},{"key":"20_CR36","unstructured":"Sabottke, C., Suciu, O., Dumitra\u015f, T.: Vulnerability disclosure in the age of social media: exploiting twitter for predicting real-world exploits. In: 24th USENIX Security Symposium (USENIX Security 2015), pp. 1041\u20131056 (2015)"},{"key":"20_CR37","unstructured":"Hassan, A.E., Holt, R.C.: Predicting change propagation in software systems. In: 20th IEEE International Conference on Software Maintenance. Proceedings. IEEE (2004)"},{"key":"20_CR38","doi-asserted-by":"crossref","unstructured":"Li, B., Sun, X., Leung, H., Zhang, S.: A survey of code-based change impact analysis techniques. Softw. Test. Verif. Reliab. 23(8) (2013)","DOI":"10.1002\/stvr.1475"},{"key":"20_CR39","doi-asserted-by":"crossref","unstructured":"Cadariu, M., Bouwers, E., Visser, J., van Deursen, A.: Tracking known security vulnerabilities in proprietary software systems. In: IEEE 22nd International Conference on Software Analysis, Evolution, and Reengineering (SANER). IEEE (2015)","DOI":"10.1109\/SANER.2015.7081868"},{"key":"20_CR40","doi-asserted-by":"crossref","unstructured":"Plate, H., Ponta, S.E., Sabetta, A.: Impact assessment for vulnerabilities in open-source software libraries. In: 2015 IEEE International Conference on Software Maintenance and Evolution (ICSME), pp. 411\u2013420. IEEE (2015)","DOI":"10.1109\/ICSM.2015.7332492"},{"key":"20_CR41","unstructured":"Christiansen, T., Wall, L., Orwant, J., et al.: Programming Perl: Unmatched Power for Text Processing and Scripting. O\u2019Reilly Media, Inc. 
(2012)"},{"key":"20_CR42","doi-asserted-by":"crossref","unstructured":"Haldar, V., Chandra, D., Franz, M.: Dynamic taint propagation for Java. In: 21st Annual Computer Security Applications Conference (ACSAC 2005). IEEE (2005)","DOI":"10.1109\/CSAC.2005.21"},{"key":"20_CR43","unstructured":"Abadi, M., Jalili, S.: An ant colony optimization algorithm for network vulnerability analysis. Iran. J. Electr. Electron. Eng. 2(3) (2006)"},{"key":"20_CR44","doi-asserted-by":"publisher","first-page":"57","DOI":"10.1016\/j.ins.2013.02.036","volume":"256","author":"N Feng","year":"2014","unstructured":"Feng, N., Wang, H.J., Li, M.: A security risk analysis model for information systems: causal relationships of risk factors and vulnerability propagation analysis. Inf. Sci. 256, 57\u201373 (2014)","journal-title":"Inf. Sci."},{"key":"20_CR45","doi-asserted-by":"crossref","unstructured":"Hu, W., Wang, Y., Liu, X., Sun, J., Gao, Q., Huang, Y.: Open source software vulnerability propagation analysis algorithm based on knowledge graph. In: IEEE International Conference on Smart Cloud (SmartCloud), pp. 121\u2013127. IEEE (2019)","DOI":"10.1109\/SmartCloud.2019.00030"},{"issue":"4","key":"20_CR46","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/1543405.1543411","volume":"34","author":"A Agrawal","year":"2009","unstructured":"Agrawal, A., Khan, R.A.: Impact of inheritance on vulnerability propagation at design phase. ACM SIGSOFT Soft. Eng. Notes 34(4), 1\u20135 (2009)","journal-title":"ACM SIGSOFT Soft. Eng. Notes"},{"key":"20_CR47","doi-asserted-by":"crossref","unstructured":"Garg, U., Sikka, G., Awasthi, L.K.: Empirical analysis of attack graphs for mitigating critical paths and vulnerabilities. Comput. Secur. 
77 (2018)","DOI":"10.1016\/j.cose.2018.04.006"}],"container-title":["Advances in Intelligent Systems and Computing","14th International Conference on Computational Intelligence in Security for Information Systems and 12th International Conference on European Transnational Educational (CISIS 2021 and ICEUTE 2021)"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-030-87872-6_20","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,9,8]],"date-time":"2024-09-08T16:31:15Z","timestamp":1725813075000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-030-87872-6_20"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,9,22]]},"ISBN":["9783030878719","9783030878726"],"references-count":47,"URL":"https:\/\/doi.org\/10.1007\/978-3-030-87872-6_20","relation":{},"ISSN":["2194-5357","2194-5365"],"issn-type":[{"type":"print","value":"2194-5357"},{"type":"electronic","value":"2194-5365"}],"subject":[],"published":{"date-parts":[[2021,9,22]]},"assertion":[{"value":"22 September 2021","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"CISIS - ICEUTE","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Computational Intelligence in Security for Information Systems Conference","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Bilbao","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Spain","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference 
Information"}},{"value":"2021","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"22 September 2021","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"24 September 2021","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"14","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"cisis-spain2021","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"http:\/\/2021.iceuteconference.eu\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}