{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,26]],"date-time":"2026-02-26T15:24:39Z","timestamp":1772119479189,"version":"3.50.1"},"reference-count":39,"publisher":"Springer Science and Business Media LLC","issue":"4","license":[{"start":{"date-parts":[[2024,5,9]],"date-time":"2024-05-09T00:00:00Z","timestamp":1715212800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2024,5,9]],"date-time":"2024-05-09T00:00:00Z","timestamp":1715212800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"Kristiania University College"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2024,8]]},"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>\n                    The proliferation of the Internet of Things (IoT) paradigm has ushered in a new era of connectivity and convenience. Consequently, rapid IoT expansion has introduced unprecedented security challenges, among which source code vulnerabilities present a significant risk. Recently, machine learning (ML) has been increasingly used to detect source code vulnerabilities. However, there has been a lack of attention to IoT-specific frameworks regarding both tools and datasets. This paper addresses potential source code vulnerabilities in some of the most commonly used IoT frameworks. Hence, we introduce\n                    <jats:italic>IoTvulCode\u00a0<\/jats:italic>\n                    - a novel framework consisting of a dataset-generating tool and ML-enabled methods for detecting source code vulnerabilities and weaknesses as well as the initial release of an IoT vulnerability dataset. 
Our framework contributes to improving the existing coding practices, leading to a more secure IoT infrastructure. Additionally,\n                    <jats:italic>IoTvulCode\u00a0<\/jats:italic>\n                    provides a solid basis for the IoT research community to further explore the topic.\n                  <\/jats:p>","DOI":"10.1007\/s10207-024-00848-6","type":"journal-article","created":{"date-parts":[[2024,5,9]],"date-time":"2024-05-09T11:01:57Z","timestamp":1715252517000},"page":"2677-2690","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":6,"title":["IoTvulCode: AI-enabled vulnerability detection in software products designed for IoT applications"],"prefix":"10.1007","volume":"23","author":[{"given":"Guru Prasad","family":"Bhandari","sequence":"first","affiliation":[]},{"given":"Gebremariam","family":"Assres","sequence":"additional","affiliation":[]},{"given":"Nikola","family":"Gavric","sequence":"additional","affiliation":[]},{"given":"Andrii","family":"Shalaginov","sequence":"additional","affiliation":[]},{"given":"Tor-Morten","family":"Gr\u00f8nli","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2024,5,9]]},"reference":[{"key":"848_CR1","unstructured":"Akula, B.S.: Vulnerability Management in DevSecOps.(2023) https:\/\/dzone.com\/articles\/vulnerability-management-in-devsecops"},{"issue":"1","key":"848_CR2","doi-asserted-by":"publisher","first-page":"17086","DOI":"10.1038\/s41598-022-21325-x","volume":"12","author":"A Al-Boghdady","year":"2022","unstructured":"Al-Boghdady, A., El-Ramly, M., Wassif, K.: iDetect for vulnerability detection in internet of things operating systems using machine learning. Sci. Rep. 12(1), 17086 (2022). https:\/\/doi.org\/10.1038\/s41598-022-21325-x","journal-title":"Sci. 
Rep."},{"issue":"3","key":"848_CR3","doi-asserted-by":"publisher","first-page":"1502","DOI":"10.25046\/aj0203188","volume":"2","author":"SM Alnaeli","year":"2017","unstructured":"Alnaeli, S.M., Sarnowski, M., Aman, M.S., Abdelgawad, A., Yelamarthi, K.: Source code vulnerabilities in IoT software systems. Adv. Sci. Technol. Eng. Syst. J. 2(3), 1502\u20131507 (2017). https:\/\/doi.org\/10.25046\/aj0203188","journal-title":"Adv. Sci. Technol. Eng. Syst. J."},{"issue":"2","key":"848_CR4","doi-asserted-by":"publisher","first-page":"298","DOI":"10.3390\/electronics12020298","volume":"12","author":"G Bhandari","year":"2023","unstructured":"Bhandari, G., Lyth, A., Shalaginov, A., Gr\u00f8nli, T.M.: Distributed deep neural-network-based middleware for cyber-attacks detection in smart IoT Ecosystem: a novel framework and performance evaluation approach. Electronics 12(2), 298 (2023). https:\/\/doi.org\/10.3390\/electronics12020298","journal-title":"Electronics"},{"key":"848_CR5","doi-asserted-by":"publisher","unstructured":"Bhandari, G., Naseer, A., Moonen, L.: CVEfixes: automated collection of vulnerabilities and their fixes from open-source software. In: Proceedings of the 17th international conference on predictive models and data analytics in software engineering, PROMISE 2021, pp. 30\u201339. Association for Computing Machinery, New York, NY, USA (2021). https:\/\/doi.org\/10.1145\/3475960.3475985","DOI":"10.1145\/3475960.3475985"},{"key":"848_CR6","doi-asserted-by":"publisher","unstructured":"Blinowski, G.J., Piotrowski, P.: CVE Based Classification of Vulnerable IoT Systems. In: W.\u00a0Zamojski, J.\u00a0Mazurkiewicz, J.\u00a0Sugier, T.\u00a0Walkowiak, J.\u00a0Kacprzyk (eds.) Theory and applications of dependable computer systems, advances in intelligent systems and computing, pp. 82\u201393. Springer, Cham (2020). 
https:\/\/doi.org\/10.1007\/978-3-030-48256-5_9","DOI":"10.1007\/978-3-030-48256-5_9"},{"key":"848_CR7","unstructured":"Celik, Z.B., Babun, L., Sikder, A.K., Aksu, H., Tan, G., McDaniel, P., Uluagac, A.S.: Sensitive Information Tracking in Commodity IoT. 27th USENIX Security Symposium (2018)"},{"issue":"9","key":"848_CR8","doi-asserted-by":"publisher","first-page":"3280","DOI":"10.1109\/TSE.2021.3087402","volume":"48","author":"S Chakraborty","year":"2021","unstructured":"Chakraborty, S., Krishna, R., Ding, Y., Ray, B.: Deep learning based vulnerability detection: are we there yet? IEEE Trans. Softw. Eng. 48(9), 3280\u20133296 (2021)","journal-title":"IEEE Trans. Softw. Eng."},{"key":"848_CR9","doi-asserted-by":"publisher","unstructured":"Chen, Y., Ding, Z., Chen, X., Wagner, D.: DiverseVul: a new vulnerable source code dataset for deep learning based vulnerability detection (2023). https:\/\/doi.org\/10.48550\/arXiv.2304.00409","DOI":"10.48550\/arXiv.2304.00409"},{"key":"848_CR10","doi-asserted-by":"publisher","unstructured":"Collard, M.L., Decker, M.J., Maletic, J.I.: srcML: an infrastructure for the exploration, analysis, and manipulation of source code: a tool demonstration. In: 2013 IEEE International conference on software maintenance, pp. 516\u2013519 (2013). https:\/\/doi.org\/10.1109\/ICSM.2013.85","DOI":"10.1109\/ICSM.2013.85"},{"key":"848_CR11","unstructured":"Cppcheck2.1: a tool for static C\/C++ code analysis. (2021) https:\/\/cppcheck.sourceforge.io\/"},{"key":"848_CR12","unstructured":"CVSS: NVD - Vulnerability Metrics. (2022) https:\/\/nvd.nist.gov\/vuln-metrics\/cvss"},{"key":"848_CR13","unstructured":"CWE: CWE - Common weakness enumeration. (2023) https:\/\/cwe.mitre.org\/index.html"},{"key":"848_CR14","unstructured":"dwheeler: Flawfinder v. 2.0.11. 
(2021) https:\/\/dwheeler.com\/flawfinder\/"},{"key":"848_CR15","doi-asserted-by":"crossref","unstructured":"Fan, J., Li, L., Wang, S., Nguyen, T.N.: A C\/C++ Code vulnerability dataset with code changes and CVE Summaries. In: International conference on mining software repositories (MSR), p.\u00a05 (2020)","DOI":"10.1145\/3379597.3387501"},{"key":"848_CR16","doi-asserted-by":"crossref","unstructured":"Ferrag, M.A., Friha, O., Hamouda, D., Maglaras, L., Janicke, H.: Edge-IIoTset: a new comprehensive realistic cyber security dataset of IoT and IIoT applications for centralized and federated learning. IEEE Access 10 (2022)","DOI":"10.36227\/techrxiv.18857336"},{"issue":"2","key":"848_CR17","doi-asserted-by":"publisher","first-page":"971","DOI":"10.1109\/TII.2019.2947432","volume":"17","author":"J Gao","year":"2021","unstructured":"Gao, J., Yang, X., Jiang, Y., Song, H., Choo, K.K.R., Sun, J.: Semantic learning based cross-platform binary vulnerability search For IoT devices. IEEE Trans. Industr. Inf. 17(2), 971\u2013979 (2021). https:\/\/doi.org\/10.1109\/TII.2019.2947432","journal-title":"IEEE Trans. Industr. Inf."},{"key":"848_CR18","unstructured":"GitHub: code security documentation. (2023) https:\/\/docs.github.com\/code-security"},{"key":"848_CR19","doi-asserted-by":"publisher","unstructured":"Hanif, H., Maffeis, S.: VulBERTa: Simplified source code pre-training for vulnerability detection. In: 2022 International joint conference on neural networks (IJCNN), pp. 1\u20138 (2022). https:\/\/doi.org\/10.1109\/IJCNN55064.2022.9892280","DOI":"10.1109\/IJCNN55064.2022.9892280"},{"key":"848_CR20","doi-asserted-by":"publisher","unstructured":"Ibrahim, A., El-Ramly, M., Badr, A.: Beware of the vulnerability! How vulnerable are GitHub\u2019s Most Popular PHP Applications? In: 2019 IEEE\/ACS 16th international conference on computer systems and applications (AICCSA), pp. 1\u20137 (2019). 
https:\/\/doi.org\/10.1109\/AICCSA47632.2019.9035265","DOI":"10.1109\/AICCSA47632.2019.9035265"},{"key":"848_CR21","doi-asserted-by":"publisher","first-page":"2023","DOI":"10.1016\/j.procs.2020.04.217","volume":"171","author":"A Kaur","year":"2020","unstructured":"Kaur, A., Nayyar, R.: A comparative study of static code analysis tools for vulnerability detection in C\/C++ and JAVA source code. Procedia Comput. Sci. 171, 2023\u20132029 (2020). https:\/\/doi.org\/10.1016\/j.procs.2020.04.217","journal-title":"Procedia Comput. Sci."},{"key":"848_CR22","doi-asserted-by":"crossref","unstructured":"Li, Z., Zou, D., Xu, S., Ou, X., Jin, H., Wang, S., Deng, Z., Zhong, Y.: VulDeePecker: a deep learning-based system for vulnerability detection. In: Network and distributed system security symposium (2018)","DOI":"10.14722\/ndss.2018.23158"},{"issue":"10","key":"848_CR23","doi-asserted-by":"publisher","first-page":"1825","DOI":"10.1109\/JPROC.2020.2993293","volume":"108","author":"G Lin","year":"2020","unstructured":"Lin, G., Wen, S., Han, Q.L., Zhang, J., Xiang, Y.: Software vulnerability detection using deep neural networks: a survey. Proc. IEEE 108(10), 1825\u20131848 (2020). https:\/\/doi.org\/10.1109\/JPROC.2020.2993293","journal-title":"Proc. IEEE"},{"key":"848_CR24","doi-asserted-by":"publisher","unstructured":"Liu, Y., Ott, M., Goyal, N., Du, J., Joshi, M., Chen, D., Levy, O., Lewis, M., Zettlemoyer, L., Stoyanov, V.: RoBERTa: a robustly optimized bert pretraining approach (2019). https:\/\/doi.org\/10.48550\/arXiv.1907.11692","DOI":"10.48550\/arXiv.1907.11692"},{"key":"848_CR25","doi-asserted-by":"publisher","unstructured":"McLean, R.K.: Comparing static security analysis tools using open source software | IEEE Conference Publication | IEEE Xplore. In: 2012 IEEE Sixth international conference on software security and reliability companion. IEEE, Gaithersburg, MD, USA (2012). 
https:\/\/doi.org\/10.1109\/SERE-C.2012.16","DOI":"10.1109\/SERE-C.2012.16"},{"key":"848_CR26","unstructured":"MITRE: Common Vulnerability and Enumerations (CVE). (2023) https:\/\/cve.mitre.org\/index.html"},{"key":"848_CR27","doi-asserted-by":"publisher","unstructured":"Naeem, H., Alalfi, M.H.: Identifying vulnerable IoT applications using deep learning. In: 2020 IEEE 27th International conference on software analysis, evolution and reengineering (SANER), pp. 582\u2013586. IEEE, London, ON, Canada (2020). https:\/\/doi.org\/10.1109\/SANER48275.2020.9054817","DOI":"10.1109\/SANER48275.2020.9054817"},{"key":"848_CR28","doi-asserted-by":"crossref","unstructured":"Nikitopoulos, G., Dritsa, K., Louridas, P., Mitropoulos, D.: CrossVul: a cross-language vulnerability dataset with commit data. In: Joint meeting on european software engineering conference and symposium on the foundations of software engineering, pp. 1565\u20131569. ACM, New York, NY, USA (2021). DOIurl:10\/gmvfdq","DOI":"10.1145\/3468264.3473122"},{"key":"848_CR29","unstructured":"Oracle: what is the internet of things (IoT)? (2023) https:\/\/www.oracle.com\/internet-of-things\/what-is-iot\/"},{"key":"848_CR30","unstructured":"OWASP: OWASP internet of things | OWASP Foundation. (2023) https:\/\/owasp.org\/www-project-internet-of-things\/"},{"issue":"5","key":"848_CR31","doi-asserted-by":"publisher","first-page":"3930","DOI":"10.1109\/JIOT.2021.3100755","volume":"9","author":"SI Popoola","year":"2022","unstructured":"Popoola, S.I., Ande, R., Adebisi, B., Gui, G., Hammoudeh, M., Jogunola, O.: Federated Deep Learning for Zero-Day Botnet Attack Detection in IoT-Edge Devices. IEEE Internet Things J. 9(5), 3930\u20133944 (2022). https:\/\/doi.org\/10.1109\/JIOT.2021.3100755","journal-title":"IEEE Internet Things J."},{"key":"848_CR32","unstructured":"RATS: rough auditing tool for security. 
(2021) https:\/\/security.web.cern.ch\/recommendations\/en\/ codetools\/rats.shtml"},{"key":"848_CR33","doi-asserted-by":"crossref","unstructured":"Russell, R., Kim, L., Hamilton, L., Lazovich, T., Harer, J., Ozdemir, O., Ellingwood, P., McConley, M.: Automated vulnerability detection in source code using deep representation learning. In: International conference on machine learning and applications (ICMLA), pp. 757\u2013762. IEEE, Orlando, FL (2018). DOIurl:10\/ggssk7","DOI":"10.1109\/ICMLA.2018.00120"},{"key":"848_CR34","doi-asserted-by":"publisher","unstructured":"Russell, R.L., Kim, L., Hamilton, L.H., Lazovich, T., Harer, J.A., Ozdemir, O., Ellingwood, P.M., McConley, M.W.: Automated vulnerability detection in source code using deep representation learning (2018). https:\/\/doi.org\/10.48550\/arXiv.1807.04320","DOI":"10.48550\/arXiv.1807.04320"},{"key":"848_CR35","unstructured":"Somda, Y.: Guesslang - Detect the programming language of a source code (2021)"},{"issue":"2","key":"848_CR36","doi-asserted-by":"publisher","first-page":"1557","DOI":"10.1007\/s11277-021-09420-0","volume":"124","author":"D Swessi","year":"2022","unstructured":"Swessi, D., Idoudi, H.: A Survey on Internet-of-Things Security: Threats and Emerging Countermeasures. Wireless Pers. Commun. 124(2), 1557\u20131592 (2022). https:\/\/doi.org\/10.1007\/s11277-021-09420-0","journal-title":"Wireless Pers. Commun."},{"key":"848_CR37","doi-asserted-by":"publisher","unstructured":"Viega, J., Bloch, J., Kohno, Y., McGraw, G.: ITS4: a static vulnerability scanner for C and C++ code. In: Proceedings 16th annual computer security applications conference (ACSAC\u201900), pp. 257\u2013267 (2000). 
https:\/\/doi.org\/10.1109\/ACSAC.2000.898880","DOI":"10.1109\/ACSAC.2000.898880"},{"key":"848_CR38","doi-asserted-by":"publisher","first-page":"1943","DOI":"10.1109\/TIFS.2020.3044773","volume":"16","author":"H Wang","year":"2021","unstructured":"Wang, H., Ye, G., Tang, Z., Tan, S.H., Huang, S., Fang, D., Feng, Y., Bian, L., Wang, Z.: Combining graph-based learning with automated data collection for code vulnerability detection. IEEE Trans. Inf. Forensics Secur. 16, 1943\u20131958 (2021). https:\/\/doi.org\/10.1109\/TIFS.2020.3044773","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"848_CR39","unstructured":"Zhou, Y., Liu, S., Siow, J., Du, X., Liu, Y.: Devign: effective vulnerability identification by learning comprehensive program semantics via graph neural networks. In: International Conference on Neural Information Processing Systems (NeurIPS), p.\u00a011. Curran Associates, Inc., Vancouver, Canada. (2018)"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-024-00848-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-024-00848-6\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-024-00848-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,7,14]],"date-time":"2024-07-14T23:14:22Z","timestamp":1720998862000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-024-00848-6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,5,9]]},"references-count":39,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2024,8]]}},"alternative-id":["848"],"URL":"h
ttps:\/\/doi.org\/10.1007\/s10207-024-00848-6","relation":{"has-preprint":[{"id-type":"doi","id":"10.21203\/rs.3.rs-3764575\/v1","asserted-by":"object"}]},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"value":"1615-5262","type":"print"},{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,5,9]]},"assertion":[{"value":"9 May 2024","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}]}}