{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,31]],"date-time":"2026-03-31T14:29:13Z","timestamp":1774967353447,"version":"3.50.1"},"reference-count":36,"publisher":"Springer Science and Business Media LLC","issue":"2","license":[{"start":{"date-parts":[[2021,5,13]],"date-time":"2021-05-13T00:00:00Z","timestamp":1620864000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2021,5,13]],"date-time":"2021-05-13T00:00:00Z","timestamp":1620864000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/100009567","name":"Budapest University of Technology and Economics","doi-asserted-by":"crossref","id":[{"id":"10.13039\/100009567","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2022,4]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Technologies for integrating enterprise web applications have improved rapidly over the years. The OAuth framework provides authentication and authorization using the users\u2019 profile and credentials in an existing identity provider. This makes it possible for attackers to exploit any vulnerability arising from exchange of data with the provider. Vulnerability in OAuth authorization flow allows an attacker to alter the normal flow sequence of the OAuth protocol. In this paper, a machine learning-based approach was applied in the detection of potential vulnerability in the OAuth authentication and authorization flow by analyzing the relationship between changes in the OAuth parameters and the final output. This research models the OAuth protocol as a supervised learning problem where seven classification models were developed, tuned and evaluated. Exploratory Data Analytics (EDA) techniques were applied in the extraction and analysis of specific OAuth features so that each output class could be evaluated to determine the effect of the identified OAuth features. The models developed in this research were trained, tuned and tested. A performance accuracy above 90% was attained for detection of vulnerabilities in the OAuth authentication and authorization flow. Comparison with known vulnerability resulted in a 54% match.<\/jats:p>","DOI":"10.1007\/s10207-021-00551-w","type":"journal-article","created":{"date-parts":[[2021,5,13]],"date-time":"2021-05-13T09:02:51Z","timestamp":1620896571000},"page":"223-237","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":20,"title":["Machine learning approach to vulnerability detection in OAuth 2.0 authentication and authorization flow"],"prefix":"10.1007","volume":"21","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2892-9925","authenticated-orcid":false,"given":"Kindson","family":"Munonye","sequence":"first","affiliation":[]},{"given":"Martinek","family":"P\u00e9ter","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2021,5,13]]},"reference":[{"key":"551_CR1","doi-asserted-by":"publisher","first-page":"1204","DOI":"10.1145\/2976749.2978385","volume":"24\u201328","author":"D Fett","year":"2016","unstructured":"Fett, D., K\u00fcsters, R., Schmitz, G.: A comprehensive formal security analysis of OAuth 20. Proc. ACM Conf. Comput. Commun. Secur. 24\u201328, 1204\u20131215 (2016). https:\/\/doi.org\/10.1145\/2976749.2978385","journal-title":"Proc. ACM Conf. Comput. Commun. Secur."},{"issue":"1","key":"551_CR2","doi-asserted-by":"publisher","first-page":"73","DOI":"10.1108\/ICS-12-2013-0089","volume":"23","author":"E Ferry","year":"2015","unstructured":"Ferry, E., Raw, J.O., Curran, K.: Security evaluation of the OAuth 2.0 framework. Inf. Comput. Secur. 23(1), 73\u2013101 (2015). https:\/\/doi.org\/10.1108\/ICS-12-2013-0089","journal-title":"Inf. Comput. Secur."},{"key":"551_CR3","unstructured":"\u201cRFC 6749 - The OAuth 2.0 Authorization Framework. Accessed Jun. 07, 2020 https:\/\/tools.ietf.org\/html\/rfc6749"},{"key":"551_CR4","doi-asserted-by":"publisher","unstructured":"Li, W., and Mitchell, C. J.: Security issues in OAUTH 2.0 SSO implementations. Lect. Notes Comput. Sci. (including Subser. Lect. Notes Artif. Intell. Lect. Notes Bioinformatics), vol. 8783, no. August, pp. 529\u2013541, (2014). doi: https:\/\/doi.org\/10.1007\/978-3-319-13257-0","DOI":"10.1007\/978-3-319-13257-0"},{"key":"551_CR5","doi-asserted-by":"crossref","unstructured":"Li, W., Mitchell, C. J., and Chen, T.: Mitigating CSRF attacks on OAuth 2.0 and OpenID Connect. pp. 1\u201318, 2018, [Online]. Available: http:\/\/arxiv.org\/abs\/1801.07983","DOI":"10.1109\/PST.2018.8514180"},{"key":"551_CR6","doi-asserted-by":"crossref","unstructured":"Laurie, B., Langley, A., and Kasper, E.: RFC 6962: certificate transparency. RFC, pp. 1\u201327, (2013).","DOI":"10.17487\/rfc6962"},{"key":"551_CR7","unstructured":"Harer, J. A. et al.: Automated software vulnerability detection with machine learning. (2018), [Online]. Available: http:\/\/arxiv.org\/abs\/1803.04497"},{"key":"551_CR8","doi-asserted-by":"publisher","first-page":"450","DOI":"10.1109\/COMPSAC.2015.78","volume":"2","author":"BM Padmanabhuni","year":"2015","unstructured":"Padmanabhuni, B.M., Tan, H.B.K.: Buffer overflow vulnerability prediction from x86 executables using static analysis and machine learning. Proc. Int. Comput. Softw. Appl. Conf. 2, 450\u2013459 (2015). https:\/\/doi.org\/10.1109\/COMPSAC.2015.78","journal-title":"Proc. Int. Comput. Softw. Appl. Conf."},{"key":"551_CR9","doi-asserted-by":"publisher","DOI":"10.1145\/3230833.3230856","author":"J Kronjee","year":"2018","unstructured":"Kronjee, J., Hommersom, A., Vranken, H.: Discovering software vulnerabilities using data-flow analysis and machine learning. ACM Int. Conf. Proc. Ser. (2018). https:\/\/doi.org\/10.1145\/3230833.3230856","journal-title":"ACM Int. Conf. Proc. Ser."},{"key":"551_CR10","doi-asserted-by":"publisher","unstructured":"Guo, X., Jin, S., Zhang, Y.: XSS vulnerability detection using optimized attack vector repertory. In: Proceedings of 2015 International Conference Cyber-Enabled Distribute Computer Knowledge Discover CyberC 2015, pp. 29\u201336, (2015). doi: https:\/\/doi.org\/10.1109\/CyberC.2015.50","DOI":"10.1109\/CyberC.2015.50"},{"key":"551_CR11","doi-asserted-by":"publisher","unstructured":"Russell, R. et al.: Automated vulnerability detection in source code using deep representation learning. In: Proceedings of 17th IEEE International Conference Machine Learning Application ICMLA 2018, pp. 757\u2013762, (2019). doi: https:\/\/doi.org\/10.1109\/ICMLA.2018.00120","DOI":"10.1109\/ICMLA.2018.00120"},{"key":"551_CR12","doi-asserted-by":"publisher","unstructured":"Medeiros, I., Neves, N. F., and Correia, M.: Automatic detection and correction of Web application vulnerabilities using data mining to predict false positives. In: WWW 2014\u2014Proceedings of 23rd International Conference World Wide Web, pp. 63\u201373, (2014). doi: https:\/\/doi.org\/10.1145\/2566486.2568024","DOI":"10.1145\/2566486.2568024"},{"key":"551_CR13","unstructured":"Gu, T., Dolan-Gavitt, B., and Garg, S.: BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain. (2017). [Online]. Available: http:\/\/arxiv.org\/abs\/1708.06733"},{"key":"551_CR14","doi-asserted-by":"publisher","unstructured":"Medeiros, I., Neves, N., and Correia, M.: DEKANT: a static analysis tool that learns to detect web application vulnerabilities. In: ISSTA 2016\u2014Proceedings of 25th International Symposium Software Testing Analysis, pp. 1\u201311, (2016). doi: https:\/\/doi.org\/10.1145\/2931037.2931041","DOI":"10.1145\/2931037.2931041"},{"key":"551_CR15","doi-asserted-by":"publisher","unstructured":"Medeiros, I., Neves, N., and Correia, M.: Detecting and removing web application vulnerabilities with static analysis and data mining k-nearest neighbor LFI local file inclusion LR logistic regression MLP multi-layer perceptron Nb Naive Bayes OSCI OS command injection PHPCI PHP command injection. pp. 1\u201316, (2015). doi: https:\/\/doi.org\/10.1109\/TR.2015.2457411","DOI":"10.1109\/TR.2015.2457411"},{"key":"551_CR16","doi-asserted-by":"publisher","unstructured":"Hovsepyan, A., Scandariato, R., Joosen, W., and Walden, J.: Software vulnerability prediction using text analysis techniques. In: MetriSec\u201912\u2014Proceedings of 4th International Work Secure Measure Metrics, pp. 7\u20139, (2012). doi: https:\/\/doi.org\/10.1145\/2372225.2372230","DOI":"10.1145\/2372225.2372230"},{"key":"551_CR17","doi-asserted-by":"publisher","unstructured":"Dhaya, R., and Poongodi, M.: Detecting software vulnerabilities in android using static analysis. In: Proceedings of 2014 IEEE International Conference Advance Communication Control Computing Technology ICACCCT 2014, no. 978, pp. 915\u2013918, (2015). doi: https:\/\/doi.org\/10.1109\/ICACCCT.2014.7019227","DOI":"10.1109\/ICACCCT.2014.7019227"},{"key":"551_CR18","doi-asserted-by":"publisher","unstructured":"Pellegrino, G., Johns, M., Koch, S., Backes, M., and Rossow, C.: Deemon: Detecting CSRF with dynamic analysis and property graphs. In: Proceedings of ACM Conference Computing Communication Secure, no. October 2017, pp. 1757\u20131771, (2017). doi: https:\/\/doi.org\/10.1145\/3133956.3133959","DOI":"10.1145\/3133956.3133959"},{"issue":"3","key":"551_CR19","doi-asserted-by":"publisher","first-page":"387","DOI":"10.1109\/TITB.2004.834406","volume":"8","author":"A Meyer-Baese","year":"2004","unstructured":"Meyer-Baese, A., Wismueller, A., Lange, O.: Comparison of two exploratory data analysis methods for fMRI: Unsupervised clustering versus independent component analysis. IEEE Trans. Inf. Technol. Biomed. 8(3), 387\u2013398 (2004). https:\/\/doi.org\/10.1109\/TITB.2004.834406","journal-title":"IEEE Trans. Inf. Technol. Biomed."},{"key":"551_CR20","unstructured":"\u201cRFC 6749 - The OAuth 2.0 Authorization Framework. Accessed Jun. 12, 2020 https:\/\/tools.ietf.org\/html\/rfc6749"},{"key":"551_CR21","unstructured":"Wang, Y., Jia, P., Liu, L., and Liu, J.: A systematic review of fuzzing based on machine learning techniques"},{"key":"551_CR22","doi-asserted-by":"publisher","unstructured":"Grieco, G., Grinblat, G. L., Uzal, L., Rawat, S., Feist, J., and Mounier, L.: Toward large-scale vulnerability discovery using machine learning. In: CODASPY 2016\u2014Proceedings of 6th ACM Conerence Data Application Security and Privacy, pp. 85\u201396, (2016). doi: https:\/\/doi.org\/10.1145\/2857705.2857720.","DOI":"10.1145\/2857705.2857720"},{"key":"551_CR23","unstructured":"Cheng, L. et al.: Optimizing seed inputs in fuzzing with machine learning. Accessed: Jan. 17, 2021. [Online]. Available: https:\/\/github.com\/karpathy\/char-rnn"},{"key":"551_CR24","unstructured":"List of Strategies omniauth\/omniauth Wiki. Accessed Jun. 10, 2020 https:\/\/github.com\/omniauth\/omniauth\/wiki\/List-of-Strategies"},{"key":"551_CR25","unstructured":"OWIN and Katana | Microsoft Docs. Accessed Jun. 10, 2020 https:\/\/docs.microsoft.com\/en-us\/aspnet\/aspnet\/overview\/owin-and-katana\/"},{"key":"551_CR26","doi-asserted-by":"crossref","unstructured":"Katoen, J. P.: Stochastic model checking. In: Stochastic Hybrid Systems, CRC Press, pp. 79\u2013106, (2006)","DOI":"10.1201\/9781420008548.ch4"},{"issue":"1","key":"551_CR27","doi-asserted-by":"publisher","first-page":"29","DOI":"10.1145\/2786984.2786995","volume":"19","author":"G Varoquaux","year":"2015","unstructured":"Varoquaux, G., Buitinck, L., Louppe, G., Grisel, O., Pedregosa, F., Mueller, A.: Scikit-learn. GetMobile Mob. Comput. Commun. 19(1), 29\u201333 (2015). https:\/\/doi.org\/10.1145\/2786984.2786995","journal-title":"GetMobile Mob. Comput. Commun."},{"key":"551_CR28","unstructured":"\u201cNVD - Vulnerabilities.\u201d https:\/\/nvd.nist.gov\/vuln (accessed Jan. 16, 2021)."},{"key":"551_CR29","unstructured":"Vulnerability Database. Accessed Jan. 16, 2021 https:\/\/vuldb.com\/"},{"key":"551_CR30","unstructured":"Open Source Vulnerability Database|WhiteSource. Accessed Jan. 16, 2021 https:\/\/www.whitesourcesoftware.com\/vulnerability-database\/"},{"key":"551_CR31","unstructured":"Walden, J., Stuckman, J., and Scandariato, R.: Predicting vulnerable components: software metrics vs text mining"},{"issue":"1","key":"551_CR32","doi-asserted-by":"publisher","first-page":"343","DOI":"10.1007\/s00500-014-1511-6","volume":"20","author":"FA Narudin","year":"2016","unstructured":"Narudin, F.A., Feizollah, A., Anuar, N.B., Gani, A.: Evaluation of machine learning classifiers for mobile malware detection. Soft Comput. 20(1), 343\u2013357 (2016). https:\/\/doi.org\/10.1007\/s00500-014-1511-6","journal-title":"Soft Comput."},{"key":"551_CR33","doi-asserted-by":"publisher","DOI":"10.1186\/s13673-017-0116-3","author":"J Singh","year":"2017","unstructured":"Singh, J., Singh, G., Singh, R.: Optimization of sentiment analysis using machine learning classifiers. Human-centric Comput. Inf. Sci. (2017). https:\/\/doi.org\/10.1186\/s13673-017-0116-3","journal-title":"Human-centric Comput. Inf. Sci."},{"issue":"9","key":"551_CR34","doi-asserted-by":"publisher","first-page":"4754","DOI":"10.1007\/s00330-019-06244-2","volume":"29","author":"M Antonelli","year":"2019","unstructured":"Antonelli, M., et al.: Machine learning classifiers can predict Gleason pattern 4 prostate cancer with greater accuracy than experienced radiologists. Eur. Radiol. 29(9), 4754\u20134764 (2019). https:\/\/doi.org\/10.1007\/s00330-019-06244-2","journal-title":"Eur. Radiol."},{"key":"551_CR35","unstructured":"Fichman, M.: Variance explained: Why Size Does Not (Always) Matter. (1999). Accessed: Jun. 11, 2020. [Online]. Available: http:\/\/repository.cmu.edu\/tepper"},{"key":"551_CR36","unstructured":"Lorenzo-Seva, U.: How to report the percentage of explained common variance in exploratory factor analysis. Accessed: Jun. 11, (2020). [Online]. Available: http:\/\/psico.fcep.urv.cat\/utilitats\/factor\/"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-021-00551-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-021-00551-w\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-021-00551-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,3,21]],"date-time":"2022-03-21T08:05:47Z","timestamp":1647849947000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-021-00551-w"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,5,13]]},"references-count":36,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2022,4]]}},"alternative-id":["551"],"URL":"https:\/\/doi.org\/10.1007\/s10207-021-00551-w","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"value":"1615-5262","type":"print"},{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,5,13]]},"assertion":[{"value":"21 April 2021","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"13 May 2021","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}