Description:DESCRIPTION
TECHNICAL FIELD
[0001] This disclosure relates generally to security vulnerabilities, and more particularly to method and system of identifying false positives of security vulnerabilities in a codebase.
BACKGROUND
[0002] Security vulnerabilities are weaknesses or flaws in a system of an organization which can be exploited by an attacker to gain unauthorized access, disrupt services, and the like. Further, the methods of infiltration opted by the attacker may include pre-texting, tailgating, denial-of-Service, Distributed DOS, on-path attacks, and the like. Therefore, the organizations use various scanning tools to identify and remediate security vulnerabilities in the system such as software, network, and the like. Such tools are be categorized based on purpose, such as network scanning, web application scanning, cloud security scanning, and compliance auditing. For example, SonarQube – SAST for code quality and security, Lynis – Unix/Linux security auditing tool, snort/Suricata – Network intrusion detection (IDS/IPS), and the like. Such scanning tools may generate false positives or false negatives. However, not every security vulnerability may impact the system, while some real vulnerabilities might go undetected. In some another scenario, the false positives may lead to unnecessary alerts and investigation efforts, while false negatives may result in undetected security threats.
[0003] However, a significant limitation of Lynis and similar tools lies in their inability to effectively distinguish between true security threats and false positives. Lynis operates primarily using rule-based logic and known security benchmarks, flagging deviations from predefined standards. While this approach is effective in identifying certain classes of known vulnerabilities, it lacks the contextual intelligence necessary to accurately interpret the operational environment or business logic of the target system.
[0004] As a result, Lynis frequently reports false positives—alerts that indicate a potential vulnerability or misconfiguration when, in fact, the reported condition is either benign or intentionally configured for operational requirements. For example, a non-standard file permission or service configuration may be flagged as a risk despite being a part of a secure, customized deployment. These false positives generate unnecessary noise, leading to alert fatigue, wasted resources, and delays in addressing genuine security threats.
[0005] Therefore, there is a requirement to identify relevant false positives of security vulnerabilities in the codebase corresponding to the component.
SUMMARY OF THE INVENTION
[0006] In an embodiment, a method of identifying false positives of security vulnerabilities in a codebase of a system is disclosed. The method may include determining, by a processor, at least one function corresponding to a plurality of components vulnerable to security risk. The plurality of components may be in a plurality of configurations of the system. The method may further include extracting, by the processor, a plurality of parameters corresponding to the at least one function by using a machine learning engine. The method may further include analysing, by the processor, the codebase with the plurality of parameters of the at least one function to determine if at least one parameter from the plurality of parameters of the at least one function exists within the codebase to identify a security vulnerability. The method may further include determining, by the processor with the machine learning engine, a non-existence of the plurality of parameters of the at least one function in the at least one parameter of the component within the codebase. The method may further include identifying, by the processor, a false positive of the security vulnerability of the component of the codebase is identified.
[0007] In another embodiment, a system of identifying false positives of security vulnerabilities in a codebase is disclosed. The system may include a processor, and a memory communicatively coupled to the processor. The memory stores processor-executable instructions, which when executed by the processor, cause the processor to determine at least one function corresponding to a plurality of components vulnerable to security risk. The plurality of components may be in a plurality of configurations. The processor-executable instructions may cause the processor to extract a plurality of parameters corresponding to the at least one function by using a machine learning engine. The processor-executable instructions may cause the processor to analyse the codebase with the plurality of parameters of the at least one function to determine if at least one parameter of the at least one function exists within the codebase to identify a security vulnerability. The processor-executable instructions may cause the processor to determine a non-existence of the plurality of parameters of the at least one function in the at least one parameter of the component within the codebase. The processor-executable instructions may cause the processor to identify a false positive of the security vulnerability of the component of the codebase is identified.
[0008] It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
BRIEF DESCRIPTION OF THE DRAWINGS
[0009] The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate exemplary embodiments and, together with the description, serve to explain the disclosed principles.
[0010] FIG. 1 is a block diagram of a system of identifying security vulnerabilities in a codebase, in accordance with an embodiment of the present disclosure.
[0011] FIG. 2 is a functional block diagram of a computing device of the system of FIG.1, in accordance with an embodiment of the present disclosure.
[0012] FIG. 3 illustrates a flowchart of a method of identifying false positives of security vulnerabilities in the codebase, in accordance with an embodiment of the present disclosure.
[0013] FIG. 4 illustrates a block diagram of an exemplary computer system for implementing embodiments consistent with the present disclosure.
DETAILED DESCRIPTION OF THE DRAWINGS
[0014] Exemplary embodiments are described with reference to the accompanying drawings. Wherever convenient, the same reference numbers are used throughout the drawings to refer to the same or like parts. While examples and features of disclosed principles are described herein, modifications, adaptations, and other implementations are possible without departing from the scope of the disclosed embodiments. It is intended that the following detailed description be considered as exemplary only, with the true scope being indicated by the following claims. Additional illustrative embodiments are listed.
[0015] Further, the phrases “in some embodiments”, “in accordance with some embodiments”, “in the embodiments shown”, “in other embodiments”, and the like, mean a particular feature, structure, or characteristic following the phrase is included in at least one embodiment of the present disclosure and may be included in more than one embodiment. In addition, such phrases do not necessarily refer to the same embodiments or different embodiments. It is intended that the following detailed description be considered exemplary only, with the true scope and spirit being indicated by the following claims.
[0016] For example, the security vulnerabilities may not apply to specific products or components of the system due to no impact on the undescribed functionality or operation thereof. Further, the security vulnerability may exist in a library/software version of the product or the component, but there exists the possibility of the component not including the vulnerable feature. In other words, the flaw may require a configuration that may not be enabled by the component i.e., false positives. The false positive vulnerabilities are benign and may not impose any malicious threat.
[0017] Despite advancements in testing automations, conventional tools still fall short in several areas like it requires manual effort, especially configuring the tools to meet specific organizational requirements may be complex and may require customization of test profiles and rules, which can be time-consuming and may require expertise. This necessity often results in increased time and effort, particularly for less experienced users. Further, conventional tools may be resource-intensive, especially when dealing with high network traffic. This may require powerful hardware to ensure optimal performance without introducing significant latency.
[0018] Accordingly, the present disclosure provides a method and system of identifying false positives of security vulnerabilities in a codebase of the system.
[0019] Referring now to FIG. 1, a block diagram of a system 100 of identifying false positives of security vulnerabilities in a codebase is illustrated, in accordance with an embodiment of the current disclosure. The system 100 may include a computing device 102, an attack surface 112, a database 114, and a data server 116 communicably coupled to each other through a wired or wireless communication network 118. The computing device 102 may include a processor 104, a memory 106, an input/output (I/O) device 108, and a machine learning (ML) engine 110 communicably coupled to each other. Further, the attack surface 112 may include a plurality of components 120.
[0020] In an embodiment, examples of processor(s) 104 may include but are not limited to, a complex instruction set computer (CISC), a reduced instruction set computer (RISC), a very long instruction word (VILW), a General-purpose Processors (GPPs), microcontrollers (MCUs), a Graphics Processing Units (GPUs), Application-Specific Integrated Circuits (ASICs), a Ultra-Low-Power (IoT/Embedded), and the like, on a chip processors or other future processors.
[0021] In an embodiment, the memory 106 may store instructions that, when executed by the processor 104, and cause the processor 104 to identify false positives of security vulnerabilities in the codebase of the system 100, as will be discussed in greater details herein below. In an embodiment, the memory 106 may be a non-volatile memory or a volatile memory. Examples of non-volatile memory may include but are not limited to, a flash memory, a Read Only Memory (ROM), a Programmable ROM (PROM), Erasable PROM (EPROM), and Electrically EPROM (EEPROM) memory. Further, examples of volatile memory may include but are not limited to, Dynamic Random Access Memory (DRAM), and Static Random-Access memory (SRAM).
[0022] In an embodiment, the I/O device 108 may include a variety of interface(s), for example, interfaces for data input and output devices, and the like. The I/O device 108 may facilitate inputting of instructions by a user communicating with the computing device 102 to enable identification of the false positives of the security vulnerabilities. In an embodiment, the I/O device 108 may be wirelessly connected to the computing device 102 through wireless network interfaces such as Bluetooth®, infrared, or any other wireless radio communication known in the art. In an embodiment, the I/O device 108 may be connected to a communication pathway for one or more components of the computing device 102 to facilitate the transmission of inputted instructions and output results of data generated by various components such as, but not limited to, processor(s) 104 and memory 106.
[0023] In an embodiment, the ML engine 110 may include computational modules configured to perform tasks including, but not limited to, identification of false positives of the security vulnerabilities, data flow, pattern recognition, predictive analytics, and decision making based on learned input-output mappings in the codebase. By way of example, the codebase may be written in Java, JaveScript, PHP, C, C++, etc. Further, the ML engine 110 may include a security engine and an identification engine. It is to be noted that the identification engine may be communicably connected to the security engine.
[0024] In an embodiment, the security engine may be configured to perform security-related operations to protect the system 100. The security engine may be a hardware module in the memory 106, or a software module, or a combination thereof configured to perform security-related operations to enhance the security of the attack surface 112. The security-related operations may include a wide range of activities designed to protect the system 100 from unauthorized access, attacks, and other security threats. The security engine may perform tasks such as but not limited to monitoring and detection network traffic, incident response for identifying and confirming security incidents, threat intelligence for identifying and analyzing potential threats, vulnerability management, and the like. By way of example, the security engine may be a standalone system or may be integrated with an Intrusion Detection System (IDS), an Intrusion Prevention System (IPS), an Endpoint Detection and Response (EDR), support incident response workflows, and the like.
[0025] The identification engine may be an autonomous or semi-autonomous module powered by artificial intelligence, designed to generate, optimize, analyze, or refactor source code. The identification engine may utilize natural language processing, machine learning processing, or program synthesis techniques to perform operations such as bug detection, code completion, dependency analysis, functional validation, and the like, as specified by the user. Further, the identification engine of the ML engine 110 may be implemented using different learning paradigms such supervised learning, unsupervised learning, semi-supervised learning, or reinforcement learning, and the like. The identification engine may employ a variety of algorithmic models including, but not limited to, Large Language Models (LLMs), decision trees, support surface machines (SVM), k-nearest neighbors (k-NN), naïve Bayes classifiers, neural networks (e.g., feedforward, convolutional, recurrent, transformer-based architectures), ensemble methods (e.g., random forests, gradient boosting), or probabilistic graphical models. In an embodiment, the ML engine 110 may be executed by the processor 104. In some implementations, the ML engine 110 may be integrated as a software module within the system 100.
[0026] In an embodiment, the attack surface 112 may include a plurality of components 120 configured to perform various tasks in the system 100. Each component 120 may be vulnerable to exploitation by an attacker. The plurality of components 120 may include a hardware component or a software component, where security vulnerabilities may be determined. The plurality of components 120 may include networking components such as routers and switches, firewalls, VPN servers, endpoints such as workstations, mobile devices, server and database infrastructure, operating system (OS), web applications, cloud environments, embedded and IoT systems, identity and access management (IAM) systems, industrial control systems (ICS) and/or SCADA, application programming interfaces (APIs), virtualization and hypervisors, and the like. Additionally, the component may include at least a third-party component or a proprietary code component within the codebase. For example, an organization may opt for the third-party component or the proprietary code component based on a set of requirements. The third-party component may be open source, and proprietary, or commercially licensed. Therefore, the third-party components may be vulnerable to exploitation by attacker.
[0027] In an embodiment, a database 114 may be coupled with the computing device 102 via the communication network 118. The database 114 may be an On-Device (Embedded) Database, client server architecture, a National Vulnerability Database (NVD), a Common Vulnerabilities and Exposure (CVE) database, and the like. In another embodiment, the database 114 may be a machine learning (ML) engine database which may be configured to store trained data by the ML engine 110.
[0028] In an embodiment, the data server 116 may be enabled in a remote cloud server or a co-located server and may be communicably coupled to the database 114 to store an application, the LLM of the machine learning processing and other data necessary for the system 100 to perform identification of the false positives of the security vulnerabilities. In an embodiment, the data server 116 may store testing inputs by the I/O device 108 (i.e. payloads, scripts) or output generated by the computing device 102 (e.g., false positives corresponding to each component 120).
[0029] In an embodiment, the communication network 118 may be a wired or a wireless network or a combination thereof. The communication network 118 can be implemented as one of the different types of networks, such as but not limited to, ethernet IP network, intranet, local area network (LAN), wide area network (WAN), the internet, Wi-Fi, LTE network, CDMA network, 5G and the like. Further, the communication network 118 can either be a dedicated network or a shared network. The shared network represents an association of the different types of networks that use a variety of protocols, for example, Hypertext Transfer Protocol (HTTP), Transmission Control Protocol/Internet Protocol (TCP/IP), Wireless Application Protocol (WAP), and the like, to communicate with one another. Further the communication network 118 can include a variety of network devices, including routers, bridges, servers, computing devices, storage devices, and the like.
[0030] In an embodiment, the computing device 102 may receive a user input for determining at least one function corresponding to the plurality of components 120 vulnerable to security risk. The plurality of components 120 such as the OS, the web applications, servers, network components, cloud environments, and the like may be included in a plurality of configurations.
[0031] By way of example, the security risk may correspond to the security vulnerabilities in the attack surface 112. Therefore, the APIs may be susceptible to unauthorized access, packet sniffing, denial-of-service (DoS) attacks, or man-in-the-middle (MitM) interception. Further, the router and switches may be susceptible to security vulnerabilities such as default passwords, poor segmentation, misconfigurations, and unpatched firmware. The endpoints may be vulnerable due to malware infections, outdated software or hardware version, unpatched OS, and the like. The web applications may be vulnerable from weak authentication, insecure storage, poor access controls, weak API security, unpatched vulnerabilities, and the like. Further, The IAM may be vulnerable due to misconfigurations, inadequate sessions management, improper configurations, insufficient segregation of duties and the like. The servers may be vulnerable to running outdated version, misconfiguration, directory traversal, remote code execution, and the like. Accordingly, each component 120 may require context-specific security controls, monitoring, and hardening procedures to mitigate associated risks. However, the security risks may remain undetected due to non-determination of the false positives. Therefore, identification of the false positives aids in enhancing efficiency of the system 100.
[0032] Each component 120 may be in a plurality of configurations. By way of example, the plurality of configurations may include access-control configurations, network configurations, service configurations, authentication and encryption settings, software dependency and versioning configurations, resource configurations, and logging and monitoring configurations. Each configuration of the plurality of components 120 within the attack surface 112 may include an impacted configuration and a remediated configuration. The impacted configuration may include the analysis of the component 120 which enables identification of misconfigured, vulnerable, or exploitable states of the plurality of the components 120. Similarly, the remediated configuration may include identification of a corrected configuration, hardened, or policy-compliant states of the plurality of components 120.
[0033] In an embodiment, the computing device 102 and the attack surface 112 may be a computing system, including but not limited to, a smart phone, a laptop computer, a desktop computer, a notebook, a workstation, a server, a portable computer, a handheld, or a mobile device. In an embodiment, the computing device 102 may be, but not limited to, in-built into the attack surface 112 or may be a standalone computing device.
[0034] In an embodiment, the computing device 102 may perform various processing in order to determine at least one function corresponding to the plurality of components 120 vulnerable to the security risk. Each function may include a Common Vulnerabilities and Exposure Identifier (CVE ID), a Common Vulnerability Scoring System (CVSS) score, a plurality of behavior descriptions, and a Common Weakness Enumeration (CWE) assigned to each component 120. By way of an example, the computing device 102 may retrieve the CVE ID, CWE, the plurality of behavior descriptions, and the plurality of configuration of each component 120 within the attack surface 112. Such data may be analyzed by the computing device 102 by using the database 114 such as CVE database or repositories to detect known misconfigurations, exposure points, or anomalous behavior from the plurality of behavior descriptions. By way of example, the plurality of behavior descriptions may include a User Behaviour Descriptions (UEBA), process behaviour, network behaviour, malware behaviour (TTPs), system-level behaviour, endpoint behaviour, application behaviour, and the like.
[0035] The computing device 102 may be configured to extract a plurality of parameters corresponding to the at least one function by using the security engine of the machine learning engine 110. The plurality of parameters may include an impacted component identifier, an impacted component version (TLS version, cipher suites), an impacted function name, and a severity threshold assigned to the plurality of configurations of each component 120. For example, the security engine may utilize the IDS/IPS system to scan the at least one function against the database 114. Moreover, the IDS/IPS system may utilize the plurality of behaviour descriptions associated with the function of the plurality of components 120 to determine the plurality of parameters associated therewith. The plurality of parameters may be configured to determine the security risk associated with each component 120. For example, the IDS/IPS system may build a predefined baseline of normal behavior for each behavior description such as the network behaviour, the malware behaviour (TTPs), the system-level behaviour, and the like. Further, the IDS/IPS system may flag the plurality of behavior descriptions or at least one behavior description which may deviate from the predefined baseline. It is to be appreciated that, the IDS/IPS system may be a customized ML-based IDS/IPS system.
[0036] In an embodiment, the computing device 102 may be configured to analyze the codebase with the plurality of parameters of the at least one function to determine if at least one parameter from the plurality of parameters of the at least one function exists within the codebase to identify the security vulnerabilities. It is to be noted that, the security vulnerabilities may include a plurality of application-level vulnerabilities, a plurality of network-level vulnerabilities, a plurality of system-level vulnerabilities, and a plurality of hardware vulnerabilities. The application-level vulnerabilities may refer flaws in the software application layer of the attack surface 112 that can be exploited by the attacker to compromise the confidentiality, integrity, or availability of the application. Accordingly, the behavior description associated with the application-level vulnerability may be stored in the database 114. The plurality of network-level vulnerabilities may refer to flaws within the attack surface 112 that may be exploited to disrupt communication, gain unauthorized access, or launch attacks against a computing environment. The plurality of system-level vulnerabilities may represent flaws within the OS of the attack surface 112 which may be exploited by the attacker to compromise the functionality, security, or integrity of the system 100. Further, the plurality of hardware vulnerabilities refers to physical components or architecture of the attack surface 112 which may be exploited to the functionality of the system 100, access sensitive data, or execute unauthorized actions.
[0037] The computing device 102 may be configured to determine a non-existence of the plurality of parameters of the at least one function in the at least one parameter of the component 120 within the codebase by the identification engine of the ML engine 110. The identification engine may utilize natural language processing, machine learning processing, or program synthesis techniques to scan the at least one function corresponding to plurality of components 120 through the database 114 of the codebase. Particularly, the identification engine may execute a Large Learning Model (LLM) such as, but are not limited to, zephyr, code LLAMA, GPT, and the like.
[0038] In an embodiment, the computing device 102 may identify a false positive of the security vulnerability of the component 120 of the codebase when the at least function may be non-existent within the codebase. The computing device 102 may save the CVE ID corresponding to the function as the false positive to the database 114 of the machine learning engine 110 when the at least function is non-existent within the codebase. Further, the computing device 102 may determine a corrected version from the impacted version of the component 120 of the codebase based on identification of security vulnerability based on the plurality of configurations. It is to be noted that, the corrected version corresponds to the remediated configuration of the component.
[0039] FIG. 2 illustrates a functional block diagram of the computing device 102, in accordance with an embodiment of the present disclosure. FIG. 2 is explained in conjunction with FIG. 1. In an embodiment, the computing device 102 may include the processor 104, the memory 106, and the I/O device 108. The memory 106 may include the machine learning engine 110. The machine learning engine 110 may include a security engine 202 and an identification engine 204. Further, security engine 202 may include a function determination module 206 and a parameter extraction module 208. Further, the identification engine 204 may include a codebase analyzing module 210, a mapping module 212, an identification module 214, a CVE ID saving module 216, and a version correction module 218. Further, the parameter extraction module 208 may include an impact identifier 220.
[0040] The function determination module 206 may determine at least one function corresponding to the plurality of components 120 vulnerable to the security risk. The function may include the CVE ID, CWE, CVSS score assigned to each component 120. Further, the function of the corresponding component 120 may be included in the plurality of configurations, operational states (i.e. an active state, idle state, standby state, failed state and the like), or telemetry metrics (CPU usage, memory utilization, responsiveness, latency, error) within the attack surface 112.
[0041] By way of example, the CVE ID may include a standardized and unique identifier assigned to a publicly disclosed cybersecurity vulnerability or exposure of each component 120. Accordingly, the CVE ID may be configured to unambiguously reference security vulnerabilities across the database 114 such as, a National Vulnerability Database (NVD), a CVE database, and the like. By way of another example, the CWE ID refers to a standardized identifier associated with a specific type of software or hardware weakness, as cataloged in the database 114 of the CWE. The CWE may be configured to classify and describe the underlying causes of vulnerabilities, such as associated with CVE ID, and provide a taxonomy for identifying, remediating, and preventing common software weaknesses.
[0042] Based on the retrieved data, the function determination module 206 in conjunction with the security engine 202 may analyze the retrieved data using the database 114. Further, the function determination module 206 may determine the function vulnerable to the security risk based on the CVSS score and the behavior description of the function. By way of example, the CVSS score may refer to a standardized numerical value from 0 to 10 assigned to each component 120 in order to quantify the severity and assess the potential impact on the attack surface 112. The CVSS score may be maintained by the Forum of Incident Response and Security Teams (FIRST) and may be widely adopted across the cybersecurity industry for prioritizing remediation efforts and communicating risk. In some other embodiments, the plurality of deviations from the expected behavior description may be used to detect faults, performance degradation, or security anomalies.
[0043] By way of example, the function determination module 206 may determine the CVE ID of the at least one function assigned to each component 120 and the behavior description of the CVE ID. For example, the component 120 may be the third-party component i.e., an Open SSL 1.0 2zg with the CVE ID CVE-2023-0464. Further, the behavior description may define the vulnerability associated to the CVE-2023-0464 which may be “a security vulnerability has been identified in all supported versions of OpenSSL related to verification of X.509 certificate chains that include policy constraints”. The attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources leading to a denial-of-service (DOS) attack on the affected systems. Policy processing is disabled by default but can be enabled by bypassing the ‘policy argument to the command line utilities or by calling the ‘X509_verify_param_set1_policies()’ function”. The function determination module 206 may be configured to determine if an attacker uses the function ‘the X509_verify_param_set1_policies()’ from the Open SSL 1.0 2zg in the attack surface 112, the vulnerability may be flagged. Further, the component Open SSL 1.0 2zg may be vulnerable to the security risk.
[0044] Further, the Open SSL 1.0 2zg may be utilized by an Apache HTTP server to establish the secure configuration. Therefore, the function associated with the Apache HTTP server ‘SSLVerifyClient’ may define the configuration from the plurality of the configurations. The Apache HTTP server may configure the behavior which the Open SSL 1.0 2zg may be implemented. For example, a user may configure ‘SSLVerifyClient’ in the Apache HTTP server and based on the configuration, the Apache HTTP server may provide a verification certificate to the Open SSL 1.0 2zg. Further, the Open SSL 1.0 2zg may validate the verification certificate by using policies executed by ‘the X509_verify_param_set1_policies()’.
[0045] In an embodiment, the at least function determined may be utilized by the processor 104 to identify the security vulnerabilities which may be applied to the component 120. It is to be noted that, the security vulnerabilities may not be relevant to the system 100 i.e., the attack surface 112. For example, a specific feature or the function that may be vulnerable may not be enabled or utilized in the component 120. Further, the component 120 may be configured in such a way that the vulnerability may be neutralized, or the operating conditions required to exploit the vulnerability may not be present in the component 120. Therefore, in the present disclosure, the at least one function may be configured to determine the impacted configuration of the component 120 and the remediated configuration corresponding to the impacted configuration. The determination of the remediated configuration corresponding to the component vulnerable to the security risk is explained in greater details hereinafter.
[0046] The parameter extraction module 208 may extract the plurality of parameters corresponding to the at least one function by using the security engine 202. The security engine 202 may be the ML-based IDS/IPS system, or may work in conjunction with the IDS system to collect traffic data using network tap, SPAN port, and the like. The IDS/IPS system may be a network or host-based security mechanism which may be configured to flag or monitor the function in the codebase to extract the plurality of parameters.
[0047] To elaborate further, the plurality of parameters may include the impacted component identifier, the impacted component version, the impacted function name and the severity threshold assigned to the plurality of configurations of each component 120. Further, the impact identifier 220 in conjunction with the security engine 202 may be configured to receive the function such as ‘X509_verify_param_set1_policies()’ with the CVE ID as ‘CVE-2023-0464’ as input and may map the function to specific IP addresses, ports, service endpoints, or hostnames and cross-references with database 114 to annotate the plurality of parameters.
[0048] By way of example, the impacted component version may be specified by the impact identifier 220 embedded in the database 114. The impacted component version may be a specific version of the plurality of components such as software, firmware, or hardware which may be determined to be affected by a detected intrusion, vulnerability, or attack. It is to be appreciated by the person skilled in the art, the impacted component version data may be configured to correlate threat with the CVE ID of the corresponding component 120 and prioritize the remediated configuration of the impacted configuration of the corresponding component 120.
[0049] For example, the IDS/IPS system may flag suspicious behavior targeting the function ‘X509_verify_param_set1_policies()’ and the Apache HTTP server, based on the suspicion, the version retrieved corresponding to the component 120 may be retrieved such as query system registry or inventory, parse banners, metadata, and logs. Further, the impact component identifier may check version against the database 114 which may be NVD or CVE. Further, the impacted function name may be determined as one parameter from the plurality of parameters which may be referred as the identifier or label assigned to a specific function or method which determines the effects or consequences of the threat on the attack surface 112. Further, the impacted function name may be associated with the vulnerable version of the component 120 such as but not limited to an Apache 2.4.49 of the Apache HTTP server.
[0050] Thus, the codebase analyzing module 210 may analyse the codebase with the determined plurality of parameters of the function ‘X509_verify_param_set1_policies()’, the impacted component version, the impacted function name such as such as the Apache 2.4.49, and the severity threshold assigned to the plurality of configurations of each component 120. The data of the plurality of parameters may be retrieved by the identification engine 204 to traverse the plurality of parameters through the codebase by using the machine learning processes or Natural Learning Process (NLP). The codebase analyzing module 210 may operate in conjunction with the identification engine 204 to determine if at least one parameter from the plurality of parameters of the at least one function exists within the codebase to identify the security vulnerability.
[0051] The mapping module 212 may validate the plurality of parameters against the codebase to look-up for the impacted configuration of the component 120. The validation may include mapping of the plurality of parameters such as the component name, the impacted version, the plurality of configuration, the configuration state, and runtime metadata against the codebase to identify impacted configurations. The identification engine 204 may initially process the plurality of parameters using techniques like pattern recognition, the NLP, or graph-based learning to extract relevant contextual features and normalize the data of the parameters. Further, the mapping module 212 correlates the determined parameters with elements in the codebase, such as function definitions, configuration files, or dependency metadata.
[0052] Upon matching the determined parameters to specific versions, code paths, or settings, the system may accurately determine the impacted configuration of the component 120 i.e., the ‘SSLVerifyClient’ of the Apache 2.4.49. In other words, the component 120 may be affected by the detected anomaly or threat, enabling precise and context-aware impact assessment.
[0053] The identification module 214 with the identification engine 204 may be configured to determine a non-existence of the plurality of parameters of the at least one function in the at least one parameter of the component 120 within the codebase. Each function may be assigned to the CVE ID, CVSS score, CWE, and the like. In other words, if no parameter exists, the identification module 214 may validate the codebase using the function name. Further, if none of the at least one functions may be referenced in the codebase, the security vulnerability may be marked as the false positive. Therefore, the false positive may be identified as the security vulnerability of the component 120 in the codebase based on the non-existence of the plurality of parameters in the at least one function of the component 120.
[0054] It is to be noted that, if the plurality of parameters corresponding to the component 120 may be validated against the codebase and upon determining the existence of the parameter, the identification module 214 may determine the valid security vulnerability. Further, the valid security vulnerability may be marked in the database 114 for future reference as historical data.
[0055] Further, the CVE ID saving module 216 may save the CVE ID corresponding to the function as the false positive to the database 114 of the identification engine 204 when the at least function is non-existent within the codebase. The CVE ID corresponding to the function may be saved in the database 114 to prevent iteration of the validation process. The CVE ID may be stored as the historical data which may be utilized to enhance the efficiency of the attack surface 112 and may enable detection of unwanted and updated attacks thereon. Further, the identification engine 204 may sporadically verify the saved false positives against the codebase to ensure the change in configuration of the false positive into the impacted configuration i.e., may prevent false positive from converting into the security vulnerability. Further, in case the false positive may be converted into the security vulnerability, the identification engine 204 may remove the security vulnerability from database 114 as the false positive.
[0056] Further, the version correction module 218 may determine the corrected version of the codebase based on identification of security vulnerability based on the plurality of configurations. The corrected version corresponds to the remediated configuration. In another embodiment, the at least function corresponding to the plurality of the component 120 may be non-existent within the codebase. In such scenario, the component 120 from the plurality of the component 120 may be vulnerable. The version correction module 218 may determine the impacted configuration corresponding to the component 120. Further, the identification engine 204 may be configured to determine the corrected version of the component 120. Therefore, the remediate configuration corresponding to the impacted configuration may be determined.
[0057] For example, the impacted configuration of the component ‘Apache 2.4.49’ may be identified by mapping current or historical system settings against a known remediated configuration i.e., a configuration state verified to be secure or free from a specific security vulnerability. When the remediated configuration is defined (e.g., after applying a patch, updating a library, or modifying system settings), it serves as a baseline or reference model. The system 100, using the mapping module 212 and the identification engine 204, performs a differential analysis between the remediated configuration and the current configuration state (collected from logs, system metadata, or runtime parameters). By way of example, the impacted configuration may be the Apache 2.4.49, and the SSL Protocol allows TLSv1.0. The remediated configuration may be the Apache 2.4.54, and the SSL Protocol set to TLSv1.2 or higher. The Apache 2.4.49 may be identified as the impacted configuration due to outdated version and insecure TLS settings.
[0058] It should be noted that all such aforementioned modules 206–220 may be represented as a single module or a combination of different modules. Further, as will be appreciated by those skilled in the art, each of the modules 206–220 may reside, in whole or in parts, on one device or multiple devices in communication with each other. In some embodiments, each of the modules 206–220 may be implemented as dedicated hardware circuit comprising custom application-specific integrated circuit (ASIC) or gate arrays, off-the-shelf semiconductors such as logic chips, transistors, or other discrete components. Each of the modules 206–220 may also be implemented in a programmable hardware device such as a field programmable gate array (FPGA), programmable array logic, programmable logic device, and so forth. Alternatively, each of the modules 206–220 may be implemented in software for execution by various types of processors (e.g., processor 104). An identified module of executable code may, for instance, include one or more physical or logical blocks of computer instructions, which may, for instance, be organized as an object, procedure, function, or other construct. Nevertheless, the executables of an identified module or component need not be physically located together but may include disparate instructions stored in different locations which, when joined logically together, include the module and achieve the stated purpose of the module. Indeed, a module of executable code could be a single instruction, or many instructions, and may even be distributed over several different code segments, among different applications, and across several memory devices.
[0059] As will be appreciated by one skilled in the art, a variety of processes may be employed for optimizing resource utilization in cloud-based data processing platforms. For example, the system 100 and the processor 104 may determine reference to dynamic values for performing load testing by the processes discussed herein. In particular, as will be appreciated by those of ordinary skill in the art, control logic and/or automated routines for performing the techniques and steps described herein may be implemented by the system 100 and the associated computing device 102 either by hardware, software, or combinations of hardware and software. For example, suitable code may be accessed and executed by the one or more processors on the system 100 to perform some or all of the techniques described herein. Similarly, application specific integrated circuits (ASICs) configured to perform some, or all of the processes described herein may be included in the one or more processors on the system 100.
[0060] Referring now to FIG. 3, a flowchart of a method 300 of identifying false positives of security vulnerabilities in the codebase of the system 100 is illustrated, in accordance with an embodiment of the present disclosure. FIG. 3 is explained in conjunction with FIGs. 1 and 2. In an embodiment, the method may include a plurality of steps. Each step of the flowchart may be executed by various modules, same as the modules of the computing device 102 so as to identify the false positives of the security vulnerability in a codebase to enhance and optimize the security wall of the attack surface 112.
[0061] At step 302, the computing device 102 may determine at least one function corresponding to a plurality of components vulnerable to security risk. In an embodiment, the at least one function may be determined by a user via the I/O device 108 from an external device. For example, the user may input command to enable identification of the security vulnerability within the attack surface 112. In an embodiment, the at least one function may include the CVE ID, the CVSS score, the plurality of behaviour descriptions, and the CWE assigned to each component 120. The CVE ID assigned to the at least one function may be utilized to determine the false positive of the security vulnerability associated with the corresponding component 120. By way of example, each component 120 may be at the risk of security vulnerability which is referred to as the impacted configuration. Further, each component may be remediated corresponding to the impacted configuration. Database
[0062] Further, at step 304, the computing device 102 may further extract the plurality of parameters corresponding to the at least one function by using the security engine 202 of the machine learning engine 110. In an embodiment, the security engine 202 may utilize the CVE ID, the CVSS score, the plurality of behaviour descriptions, and the CWE assigned to each component 120 as input. The security engine 202 may execute natural language processing to traverse through the CVE ID in the database 114 and may excerpt the plurality of parameters such as the impacted component version details, the impacted function name and the severity threshold assigned to the plurality of configurations of each component 120. It is to be noted that, the plurality of components 120 may be at least one of third party component and the proprietary code component within the codebase.
[0063] Thus, at step 306, the computing device 102 in conjunction with the identification engine 204 may analyze the codebase with the plurality of parameters of the at least one function. As explained earlier, the CVE ID, the impacted component version, the impacted function name may be utilized as the input by the identification engine 204 to traverse through the codebase by using the NLP to determine if at least one parameter from the plurality of parameters of the at least one function exists within the codebase. Therefore, a security vulnerability associated with the component 120 may be identified.
[0064] It is to be noted that, the security vulnerability may be an unwanted target by grey hat hackers, black hat hackers, organized hackers, or white hat hackers. Further, when the attack is executed by the white hat attackers, the attack surface 112 may be utilized to identify the weakness of the system 100 and to improve the security of the system 100. Therefore, at step 308, the computing device 102 may further determine the non-existence of the plurality of parameters of the at least one function in the at least one parameter of the component 120 within the codebase. The identification engine 204 may be executed by the computing device 102 to traverse the determined parameters through the codebase and upon non-existence of the plurality of parameters of the at least one function in order to identify the false positive. The identification engine 204 may traverse the CVE ID of the corresponding component 120 through the codebase. Further, the determination of the non-existence of the plurality of parameters corresponding to the function depicts the function being used in the codebase which may be the security vulnerability infiltrated on the attack surface 112.
[0065] Further, at step 310, the computing device 102 may further identify the false positive of the security vulnerability of the component 120 of the codebase. It is to be noted that the false positive may be validated based on the utilization of the function within the codebase.
[0066] At step 312, the computing device 102 may save the CVE ID corresponding to the function as the false positive to the database 114 of identification engine 204 when the at least function is non-existent within the codebase. The database 114 may be the NVD, the CVE database, the security advisories from vendors, the exploit the database, the commercial vulnerable database, and the like. Further, when none of the at least one functions may be referenced in the codebase, the security vulnerability may be marked as the false positive. Therefore, the false positive may be identified as the security vulnerability of the component 120 in the codebase based on the non-existence of the plurality of parameters in the at least one function of the component 120. Further, at step 314, the computing device 102 may further determine the corrected version of the codebase based on identification of security vulnerability based on the plurality of configurations. This is already explained in conjunction with FIG. 2.
[0067] The disclosed methods and systems may be implemented on a conventional or a general-purpose computer system, such as a personal computer (PC) or server computer. Referring now to FIG. 4, an exemplary computing system 400 that may be employed to implement processing functionality for various embodiments (e.g., as a SIMD device, client device, server device, one or more processors, or the like) is illustrated. Those skilled in the relevant art will also recognize how to implement the invention using other computer systems or architectures. The computing system 400 may represent, for example, a user device such as a desktop, a laptop, a mobile phone, personal entertainment device, DVR, and so on, or any other type of special or general-purpose computing device as may be desirable or appropriate for a given application or environment. The computing system 400 may include one or more processors, such as a processor 402 that may be implemented using a general or special purpose processing engine such as, for example, a microprocessor, microcontroller or other control logic. In this example, the processor 402 is connected to a bus 404 or other communication medium. In some embodiments, the processor 402 may be an Artificial Intelligence (AI) processor, which may be implemented as a Tensor Processing Unit (TPU), or a graphical processor unit, or a custom programmable solution Field-Programmable Gate Array (FPGA).
[0068] The computing system 400 may also include a memory 406 (main memory), for example, Random Access Memory (RAM) or other dynamic memory, for storing information and instructions to be executed by the processor 402. The memory 406 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by the processor 402. The computing system 400 may likewise include a read only memory (“ROM”) or other static storage device coupled to bus 404 for storing static information and instructions for the processor 402.
[0069] The computing system 400 may also include a storage devices 408, which may include, for example, a media drive 410 and a removable storage interface. The media drive 410 may include a drive or other mechanism to support fixed or removable storage media, such as a hard disk drive, a floppy disk drive, a magnetic tape drive, an SD card port, a USB port, a micro USB, an optical disk drive, a CD or DVD drive (R or RW), or other removable or fixed media drive. A storage media 412 may include, for example, a hard disk, magnetic tape, flash drive, or other fixed or removable medium that is read by and written to by the media drive 410. As these examples illustrate, the storage media 412 may include a computer-readable storage medium having stored therein particular computer software or data.
[0070] In alternative embodiments, the storage devices 408 may include other similar instrumentalities for allowing computer programs or other instructions or data to be loaded into the computing system 400. Such instrumentalities may include, for example, a removable storage unit 414 and a storage unit interface 416, such as a program cartridge and cartridge interface, a removable memory (for example, a flash memory or other removable memory module) and memory slot, and other removable storage units and interfaces that allow software and data to be transferred from the removable storage unit 414 to the computing system 400.
[0071] The computing system 400 may also include a communications interface 418. The communications interface 418 may be used to allow software and data to be transferred between the computing system 400 and external devices. Examples of the communications interface 418 may include a network interface (such as an Ethernet or other NIC card), a communications port (such as for example, a USB port, a micro USB port), Near field Communication (NFC), etc. Software and data transferred via the communications interface 418 are in the form of signals which may be electronic, electromagnetic, optical, or other signals capable of being received by the communications interface 418. These signals are provided to the communications interface 418 via a channel 420. The channel 420 may carry signals and may be implemented using a wireless medium, wire or cable, fiber optics, or other communications medium. Some examples of the channel 420 may include a phone line, a cellular phone link, an RF link, a Bluetooth link, a network interface, a local or wide area network, and other communications channels.
[0072] The computing system 400 may further include Input/Output (I/O) devices 422. Examples may include, but are not limited to a display, keypad, microphone, audio speakers, vibrating motor, LED lights, etc. The I/O devices 422 may receive input from a user and also display an output of the computation performed by the processor 402. In this document, the terms “computer program product” and “computer-readable medium” may be used generally to refer to media such as, for example, the memory 406, the storage devices 408, the removable storage unit 414, or signal(s) on the channel 420. These and other forms of computer-readable media may be involved in providing one or more sequences of one or more instructions to the processor 402 for execution. Such instructions, generally referred to as “computer program code” (which may be grouped in the form of computer programs or other groupings), when executed, enable the computing system 400 to perform features or functions of embodiments of the present invention.
[0073] In an embodiment where the elements are implemented using software, the software may be stored in a computer-readable medium and loaded into the computing system 400 using, for example, the removable storage unit 414, the media drive 410 or the communications interface 418. The control logic (in this example, software instructions or computer program code), when executed by the processor 402, causes the processor 402 to perform the functions of the invention as described herein i.e., the processor 402 may be configured to identify a false positive of the security vulnerability of the component 120 of the codebase.
[0074] As will be appreciated by those skilled in the art, the system described in various embodiment discussed above are not routine, or conventional or well understood in the art. The system discussed above may be capable of offering several advantages. Firstly, the disclosed method and system try to overcome the technical problem of identifying and remediating the security vulnerabilities associated with the plurality of components, specifically when the security vulnerabilities may not apply to the plurality of components. Such vulnerabilities are identified as false positives. The false positive vulnerabilities are benign and have not imposed any malicious threat. Therefore, the system and the method as disclosed may automate the process of identifying the false positives. As a result, the efficiency of the system may be improved, and the security may be enhanced.
[0075] Secondly, the disclosed method and the system may utilize the machine learning engine to enhance the process of determining the function corresponding to the plurality of components which is vulnerable to security risk. Further, the machine learning engine may efficiently search within the database of the codebase for the identifying false positives.
[0076] Thirdly, the disclosed method and system significantly improves the capability of the system to enhance security by identifying the false positives and store the false positives for future reference. The ML engine may be trained based on the false positives and the remediated configuration corresponding to the impacted configuration may be determined such that the system remains updated than the attackers.
[0077] Further, the disclosed method and the system may significantly be used to improve the attack surface from serious repercussions by determining the false positives and storing them to improve the cybersecurity efficiency and capabilities of the organization
[0078] In light of the above-mentioned advantages and the technical advancements provided by the disclosed method and system, the claimed steps as discussed above are not routine, conventional, or well understood in the art, as the claimed steps enable the following solutions to the existing problems in conventional technologies. Further, the claimed steps bring an improvement in the functioning of the device itself as the claimed steps provide a technical solution to a technical problem.
[0079] The specification has described the method and the system for identifying false positives of security vulnerabilities in the codebase of the system. The illustrated steps are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments.
[0080] Furthermore, one or more computer-readable storage media may be utilized in implementing embodiments consistent with the present disclosure. A computer-readable storage medium refers to any type of physical memory on which information or data readable by a processor may be stored. Thus, a computer-readable storage medium may store instructions for execution by one or more processors, including instructions for causing the processor(s) to perform steps or stages consistent with the embodiments described herein. The term “computer-readable medium” should be understood to include tangible items and exclude carrier waves and transient signals, i.e., be non-transitory. Examples include random access memory (RAM), read-only memory (ROM), volatile memory, nonvolatile memory, hard drives, CD ROMs, DVDs, flash drives, disks, and any other known physical storage media.
[0081] It is intended that the disclosure and examples be considered as exemplary only, with a true scope of disclosed embodiments being indicated by the following claims.
, Claims:I/We Claim:
1. A method for identifying false positives of security vulnerabilities in a codebase of a system, the method comprising:
determining, by a processor, at least one function corresponding to a plurality of components vulnerable to security risk, wherein the plurality of components is in a plurality of configurations of the system;
extracting, by the processor, a plurality of parameters corresponding to the at least one function by using a machine learning engine;
analysing, by the processor, the codebase with the plurality of parameters of the at least one function to determine if at least one parameter from the plurality of parameters of the at least one function exists within the codebase to identify a security vulnerability;
determining, by the processor with the machine learning engine, a non-existence of the plurality of parameters of the at least one function in the at least one parameter of the component within the codebase; and
identifying, by the processor, a false positive of the security vulnerability of the component of the codebase based on the non-existence of the plurality of parameters in the at least one function of the component.
2. The method as claimed in claim 1, wherein the security vulnerabilities comprises:
a plurality of application-level vulnerabilities;
a plurality of network-level vulnerabilities;
a plurality of system-level vulnerabilities; and
a plurality of hardware vulnerabilities.

3. The method as claimed in claim 1, wherein the plurality of configurations comprises:
an impacted configuration; and
a remediated configuration.
4. The method as claimed in claim 3, wherein:
in the remediated configuration:
identifying, by the processor, the false positive of the security vulnerability associated with the function of the corresponding component.

5. The method as claimed in claim 4, wherein each function comprises a Common Vulnerabilities and Exposure Identifier (CVE ID), a Common Vulnerability Scoring System (CVSS) score, a plurality of behaviour descriptions, and a Common Weakness Enumeration (CWE) assigned to each component.
6. The method as claimed in claim 5, comprising:
saving, by the processor, the CVE ID corresponding to the function as the false positive to a database of the machine learning engine when the at least function is non-existent within the codebase; and
determining, by the processor, a corrected version of the codebase based on identification of security vulnerability based on the plurality of configurations, wherein the corrected version corresponds to the remediated configuration.
7. The method as claimed in claim 1, wherein the plurality of parameters comprises:
an impacted component identifier;
an impacted component version;
an impacted function name; and
a severity threshold assigned to the plurality of configurations of each component.

8. The method as claimed in claim 1, wherein the plurality of component comprises at least one of:
a third-party component; and
a proprietary code component within the codebase.
9. A system of identifying false positives of security vulnerabilities in a codebase, the system comprising:
a processor; and
a memory coupled to the processor, wherein the memory stores processor-executable instructions, which when executed by the processor, cause the processor to:
determine at least one function corresponding to a plurality of components vulnerable to security risk, wherein the plurality of components is in a plurality of configurations;
extract a plurality of parameters corresponding to the at least one function by using a machine learning engine;
analyse the codebase with the plurality of parameters of the at least one function to determine if at least one parameter of the at least one function exists within the codebase to identify a security vulnerability;
determine a non-existence of the plurality of parameters of the at least one function in the at least one parameter of the component within the codebase; and
identify a false positive of the security vulnerability of the component of the codebase based on the non-existence of the plurality of parameters in the at least one function of the component.
10. The system as claimed in claim 9, wherein the security vulnerabilities comprises:
a plurality of application-level vulnerabilities;
a plurality of network-level vulnerabilities;
a plurality of system-level vulnerabilities; and
a plurality of hardware vulnerabilities.

11. The system as claimed in claim 9, wherein the plurality of configurations comprises:
an impacted configuration; and
a remediated configuration.
12. The system as claimed in claim 11, wherein:
in the remediated configuration:
identify the false positive of the security vulnerability associated with the function of the corresponding component.
13. The system as claimed in claim 12, wherein each function comprises a Common Vulnerabilities and Exposure Identifier (CVE ID), a Common Vulnerability Scoring System (CVSS) score, a plurality of behaviour descriptions, and a Common Weakness Enumeration (CWE) assigned to each component.
14. The system as claimed in claim 13, wherein the processor is configured to:
save the CVE ID corresponding to the function as the false positive to a database of the machine learning engine when the at least function is non-existent within the codebase; and
determine a corrected version of the codebase based on identification of security vulnerability based on the plurality of configurations, wherein the corrected version corresponds to the remediated configuration.
15. The system as claimed in claim 9, wherein the plurality of parameters comprises:
an impacted component identifier;
an impacted component version;
an impacted function name; and
a severity threshold assigned to the plurality of configurations of each component.

16. The system as claimed in claim 9, wherein the plurality of components comprises at least one of:
a third-party component; and
a proprietary code component within the codebase.