University of Missouri - Kansas City

 

School of Science and Engineering

Dr. Dianxiang Xu

Professor and Director
Division of Computing, Analytics and Mathematics
School of Science and Engineering
816-235-6218
dxu AT umkc.edu

Research Areas

Software security

Software Security Engineering: A Threat-Driven Approach

Software is a major source of security risks. Sufficient protection of software applications from attacks is beyond the capabilities of network-level and operating system-level security approaches (e.g. cryptography, firewall, and intrusion detection, to name a few) because they lack knowledge of application semantics.

Our research explores the threat-driven approach to addressing various issues of secure software engineering. At the core of this approach is the identification and mitigation of security threats, which are potential misuses and anomalies that violate security goals or policies. Security threats determine where and how to apply security features or assurance techniques. Different from traditional security modeling and analysis methods that rely on the formalization of security properties, the threat-driven approach explicitly identifies the behaviors of security threats.

A Perspective on Software Security

  1. Dianxiang Xu, Software Security, Wiley Encyclopedia of Computer Science and Engineering, W. Wah (Editor-In-Chief), Volume 5, pages 2703-2716, John Wiley & Sons, Inc., Hoboken, NJ, January 2009.

Machine Learning for Vulnerability Prediction

  1. Yu Luo, Weifeng Xu, and Dianxiang Xu, Compact Abstract Graphs for Detecting Code Vulnerability with GNN Models, Proc. of the Annual Computer Security Applications Conference (ACSAC’22), December 2022.
  2. Yu Luo, Weifeng Xu, and Dianxiang Xu. Predicting Integer Overflow Errors via Supervised Learning, International Journal on Artificial Intelligence Tools. In press.
  3. Yu Luo, Weifeng Xu, and Dianxiang Xu, Detecting Integer Overflow Errors in Java Source Code via Machine Learning, Proc. of the 33rd IEEE International Conference on Tools with Artificial Intelligence (ICTAI’2021), November 2021.

Threat Modeling and Verification

  1. Omar El Ariss, Jianfei Wu, Dianxiang Xu. Towards an Enhanced Design Level Security Integrating Attack Trees with Statecharts, Proc. of the 5th IEEE International Conference on Secure Software Integration and Reliability Improvement (SSIRI11), Jeju Island, South Korea, June 2011.
  2. Omar El Ariss, Dianxiang Xu. Modeling Security Attacks with Statecharts, Proc. of the 2nd International ACM SigSoft Symposium on Architecting Critical Systems (ISARCS 2011), Federated with CompArch 2011, Boulder, Colorado, USA, June 2011.
  3. Jun Kong, Dianxiang Xu, and Xiaoqin Zeng. UML-based Modeling and Analysis of Security Threats. International Journal of Software Engineering and Knowledge Engineering, 20(6):875-897, Sept. 2010. (expanded version of the COMPSAC’08 paper)
  4. Jun Kong and Dianxiang Xu. A UML-based Framework for Design and Analysis of Secure Software, Proc. of the 32nd IEEE Computer Software and Applications Conference (COMPSAC 2008), July 2008, Turku, Finland.
  5. Dianxiang Xu and Kendall E. Nygard. Threat-Driven Modeling and Verification of Secure Software Using Aspect-Oriented Petri Nets. IEEE Transactions on Software Engineering. Vol. 32, No. 4, pp. 265-278, April 2006. (expanded version of the ASE’05 paper)
  6. Dianxiang Xu and Kendall Nygard. A Threat-Driven Approach to Modeling and Verifying Secure Software. Proc. of the 2005 IEEE/ACM International Conference on Automated Software Engineering (ASE 2005), pp. 342-346, November 7-11, 2005. California, USA.

Testing for Security

  1. Dianxiang Xu, Manghui Tu, Michael Sanford, Lijo Thomas, Daniel Woodraska, and Weifeng Xu, Automated Security Test Generation with Formal Threat Models, IEEE Transactions on Dependable and Secure Computing. Vol. 9, No.4, July/August 2012, pp. 525-539.
  2. Aaron Marback, Hyunsook Do, Ke He, Samuel Kondamarri, Dianxiang Xu, A Threat Model-based Approach to Security Testing, Software: Practice and Experience, Vol. 43, No.2, pp. 241-258, Feb. 2013.
  3. Lijo Thomas, Weifeng Xu, Dianxiang Xu. Mutation Analysis of Magento for Evaluating Threat Model-Based Security Testing, Proc. of the 3rd IEEE International Workshop on Software Test Automation (STA11), in conjunction with COMPSAC 2011, Munich, Germany, July 2011.
  4. Michael Sanford, Daniel Woodraska, Dianxiang Xu. Security Analysis of FileZilla Server Using Threat Models. Proc. of the 23rd International Conf. on Software Engineering and Knowledge Engineering (SEKE11), Miami, July 2011.
  5. Daniel Woodraska, Michael Sanford, Dianxiang Xu, Security Mutation Testing of the FileZilla FTP Server, Proc. of the 26th ACM Symposium on Applied Computing (SAC’11), Software Engineering Track, Taiwan, March 2011.
  6. Aaron Marback, Hyunsook Do, Ke He, Samuel Kondamarri, Dianxiang Xu, Security Test Generation using Threat Trees, Fourth International Workshop on the Automation of Software Test (AST09), in conjunction with ICSE’09, Vancouver, Canada, May 2009.
  7. Linzhang Wang, W. Eric Wong, and Dianxiang Xu. A Threat Model Driven Approach for Security Testing, The 3rd International Workshop on Software Engineering for Secure Systems (SESS’07), in conjunction with ICSE07, Minneapolis. May 2007.

Secure Architecture Design

  1. Dianxiang Xu and Joshua Pauli. Threat-Driven Design and Analysis of Secure Software Architectures. Journal of Information Assurance and Security, Vol.1, No. 3, pp. 171-180, 2006.
  2. Joshua Pauli and Dianxiang Xu. Misuse Case-based Analysis of Secure Software Architecture, Proc. of ITCC’05, April 2005.
  3. Joshua Pauli and Dianxiang Xu. Threat-Driven Architectural Design of Secure Information Systems. Proc. of ICEIS05, Miami, May 2005.

Security Requirements Analysis

  1. Dianxiang Xu, Vivek Goel, Kendall Nygard, and W. Eric Wong. Aspect-Oriented Specification of Threat-Driven Security Requirements, International Journal of Computer Applications in Technology, Special Issue on Concern Oriented Software Evolution. Vol. 31, Nos. 1/2, pp. 131-140, 2008.  (expanded version of the COMPSAC’06 paper)
  2. Dianxiang Xu, Vivek Goel, and Kendall Nygard. An Aspect-Oriented Approach to Security Requirements Analysis. Proc. of COMPSAC’06.
  3. Josh Pauli and Dianxiang Xu. Integrating Functional and Security Requirements with Use Case Decomposition. In Proc. of the 11th IEEE International Conference on Engineering of Complex Computer Systems (ICECCS06), USA, August 2006.
  4. Josh Pauli and Dianxiang Xu. Ensuring Consistent Use/Misuse Case Decomposition for Secure Systems. Proc. of the 18th International Conference on Software Engineering and Knowledge Engineering (SEKE’06), CA., USA, July 2006.
  5. Josh Pauli and Dianxiang Xu. Trade-off Analysis of Misuse Case-based Secure Software Architectures: A Case Study. In Proc. of the 3rd International Workshop on Modeling, Simulation, Verification and Validation of Enterprise Information Systems (MSVVEIS05).

Access control

Access Control

Access control is a fundamental security mechanism for managing sensitive information and resources. An access control policy defines the conditions under which access to resources can be granted and to whom.  Our research focuses on verification and validation of attribute-based access control (ABAC) policies, role-based access control (RBAC) policies, and obligations (i.e., strings attached to access privileges).

  1. Dianxiang Xu, Roshan Shrestha, Yunpeng Zhang, and Ning Shen. Towards a Theory on Testing XACML Policies, Proc. of the 27th ACM Symposium on Access Control Models and Technologies (SACMAT’22), pp. 103-114, June 2022.
  2. Erzhuo Chen, Vladislav Dubrovenski, Dianxiang Xu. Mutation Analysis of NGAC Policies. Proc. of the 26h ACM Symposium on Access Control Models and Technologies (SACMAT’21), pp.71-82, June 2021.
  3. Dianxiang Xu, Roshan Shrestha, Ning Shen. Automated Strong Mutation Testing of XACML Policies, Proc. of the 25th ACM Symposium on Access Control Models and Technologies (SACMAT’20), June 2020.
  4. Dianxiang Xu, Roshan Shrestha, Ning Shen. Automated Coverage-Based Testing of XACML Policies, Proc. of the 23rd ACM Symposium on Access Control Models and Technologies (SACMAT’18), Indianapolis, USA, June 2018. Best Paper Award
  5. Samer Khamaiseh, Patrick Chapman, Dianxiang Xu. Model-Based Testing of Obligatory ABAC Systems, Proc. of the 18th International Conference on Software Quality, Reliability and Security (QRS’18), Lisbon, Portugal. July 2018.
  6. Roshan Shrestha, Shuai Peng, Turner Lehmbecker, Dianxiang Xu, XPA: An Open Source IDE for XACML Policies, Proc. of the 30th International Conference on Software Engineering and Knowledge Engineering (SEKE’18), San Francisco Bay, July 2018.
  7. Dianxiang Xu and Shuai Peng. Towards Automatic Repair of Access Control Policies. Proc. of the 14th IEEE Conference on Privacy, Security and Trust (PST’16), Auckland, New Zealand, December 2016.
  8. Sung-Ju Fan Chiang, Daniel Chen and Dianxiang Xu. Conformance Testing of Balana: An Open Source Implementation of the XACML3.0 Standard. Proc. of the 28th International Conf. on Software Engineering and Knowledge Engineering (SEKE’16), San Francisco Bay, July 2016.
  9. Dianxiang Xu, Zhenyu Wang, Shuai Peng, Ning Shen. Automated Fault Localization of XACML Policies, Proc. of the 21st ACM Symposium on Access Control Models and Technologies (SACMAT’16), pp. 137-147, Shanghai, China, June 2016.
  10. Sandeep Lakkaraju, Dianxiang Xu, Yong Wang. Analysis of Healthcare Workflows in Accordance with Access Control Policies, International Journal of Healthcare Information Systems and Informatics (IJHISI), vol. 11, no. 1, pp.1-20, 2016.
  11. Dianxiang Xu, Yunpeng Zhang, Ning Shen. Formalizing Semantic Differences between Combining Algorithms in XACML 3.0 Policies, Proc. of the 2015 International Conference on Software Quality, Reliability and Security (QRS15), Vancouver, Canada. August 2015. Honorable Recognition of Paper.
  12. Dianxiang Xu, Ning Shen, Yunpeng Zhang. Fault-Based Testing of Combining Algorithms in XACML3.0 Policies. Proc. of the 27th International Conf. on Software Engineering and Knowledge Engineering (SEKE15), Pittsburg, July 2015.
  13. Dianxiang Xu, Michael Kent, Lijo Thomas, Tejeddine Mouelhi, and Yves Le Traon. Automated Model-Based Testing of Role-Based Access Control Using Predicate/Transition Nets. IEEE Transactions on Computers, Vo. 64, No. 9, pp. 2490-2505, September 2015.
  14. Dianxiang Xu, Yunpeng Zhang. Specification and Analysis of Attribute-Based Access Control Policies: An Overview. Proc. of the International Workshop on Information Assurance, in conjunction with SERE’14. San Francisco, CA. June 2014.
  15. Sandeep Lakkaraju and Dianxiang Xu, Integrated Modeling and Analysis of Attribute based Access Control Policies and Workflows in Healthcare, Proc. of the 1st International Conference on Trustworthy Systems and Their Applications (TSA’14), Taiwan, June 2014.
  16. Dianxiang Xu, Michael Sanford, Zhaoliang Liu, Mark Emry, Brad Brockmueller, Spencer Johnson, Michael To. Testing Access Control and Obligation Policies, Proc. of the 2013 International Conference on Computing, Networking and Communications (ICNC’13), San Diego, January 2013.
  17. Dianxiang Xu, Lijo Thomas, Michael Kent, Tejeddine Mouelhi, and Yves Le Traon. A Model-Based Approach to Automated Testing of Access Control Policies. Proc. of the 17th ACM Symposium on Access Control Models and Technologies (SACMAT12), Newark, USA, June 2012.
Software testing

MISTA: Model-based Integration and System Test Automation

Github: https://github.com/dianxiangxu/MISTA

MISTA 1.0: Executable, Source Code

MISTA supports automated generation of executable test code. It is suitable for function testing, acceptance testing, GUI testing, security testing, and programmer testing.

  • It uses visual notations for building test models, such as function nets and finite state machines. Function nets, which are lightweight high-level Petri nets, can specify both control-oriented and data-oriented test models. They can be animated and verified.
  • It provides test generators for comprehensive coverage criteria of test models, including reachability coverage, reachability with sneak paths, state coverage, transition coverage, depth coverage, goal coverage, random walk, counterexamples of model checking, deadlock/termination state coverage, and given sequences. Pairwise and partial order techniques are options for reducing the size of test suites.
  •  It supports a number of languages (Java, C, C++, C#, PHP, Python, HTML, and VB) and test frameworks (e.g., xUnit, Selenium IDE, and Robot Framework) for offline test execution.
  • It supports on-the-fly testing and online execution of generated tests through Selenium WebDriver or a RPC protocol (JSON-RPC or XML-RPC).

YouTube Demos

Selected Publications

  1. Dianxiang Xu, Weifeng Xu, Manghui Tu, Ning Shen, William Chu, Chih-Hung Chang. Automated Integration Testing Using Logical Contracts, IEEE Transactions on Reliability, Vol. 65, No. 3, pp.1205-1222, Sept. 2016.
  2. Dianxiang Xu, Weifeng Xu, Michael Kent, Lijo Thomas, Linzhang Wang. An Automated Test Generation Technique for Software Quality Assurance, IEEE Transactions on Reliability, Vol. 64, No. 1, pp. 247-268, March 2015.
  3. Dianxiang Xu, Michael Kent, Lijo Thomas, Tejeddine Mouelhi, and Yves Le Traon. Automated Model-Based Testing of Role-Based Access Control Using Predicate/Transition Nets. IEEE Transactions on Computers, Vo. 64, No. 9, pp. 2490-2505, September 2015.
  4. Dianxiang Xu, Manghui Tu, Michael Sanford, Lijo Thomas, Daniel Woodraska, and Weifeng Xu, Automated Security Test Generation with Formal Threat Models, IEEE Transactions on Dependable and Secure Computing. Vol. 9, No.4, July/August 2012, pp. 525-539.
  5. Dianxiang Xu, Weifeng Xu, Bharath K Bavikati, and Eric W. Wong. Mining Executable Specifications of Web Applications from Selenium IDE Tests. Proc. of the Sixth IEEE International Conference on Software Security and Reliability (SERE12), Washington DC, USA, June 2012.
  6. Dianxiang Xu, A Tool for Automated Test Code Generation from High-Level Petri Nets, Proc. of the 32nd International Conference on Application and Theory of Petri Nets and Concurrency (Petri Nets 2011), Newcastle upon Tyne, UK, June 2011.

Data analytics

Data Analytics

Our research focuses on applications of data analytics and machine learning to various problem domains, such as blockchain (e.g., bitcoin) transactions, social networks (e.g., LinkedIn and Facebook), network intrusion detection, source code analysis, and software vulnerability prediction.

  1. Yan Wu, Nitish Dhakal, Dianxiang Xu, Jin-Hee Cho. Analysis and Prediction of Endorsement-based Skill Assessment in LinkedIn. Proc. of the 42nd IEEE Computer Software and Applications Conference (COMPSAC’18), Tokyo, Japan, July 2018.
  2.  Weifeng Xu, Dianxiang Xu, Abdulrahman Alatawi, Omar El Ariss, and Yunkai Liu. Statistical Unigram Analysis for Source Code Repository. International Journal of Semantic Computing, Vol. 12, No. 2, pp. 237-260, 2018.
  3. Nitish Dhakal, Francesca Spezzano, Dianxiang Xu. Predicting Friendship Strength for Privacy Preserving: A Case Study on Facebook. International Symposium on Foundations of Open Source Intelligence and Security Informatics (FOSINT-SI’17), in conjunction with IEEE/ACM International Conference on Social Networks Analysis and Mining (ASONAM 2017), Sydney, Australia, 2017.
  4. Abdulrahman Alatawi, Weifeng Xu, Dianxiang Xu. Bayesian Unigram-Based Inference for Expanding Abbreviations in Source Code. Proc. of the 29th IEEE International Conference on Tools with Artificial Intelligence (ICTAI’17), Boston, MA, November 2017.
  5. Weifeng Xu, Dianxiang Xu, Lin Deng. Measurement of Source Code Readability Using Word Concreteness and Memory Retention of Variable Names. Proc. of the 41st IEEE Computer Software and Applications Conference (COMPSAC’17), Torino, Italy, July 2017.
  6. Weifeng Xu, Dianxiang Xu, Omar El Ariss, Abdulrahman Alatawi. Ultra-Large-Scale Analysis of Unigrams Collected from Source Code Repository. Proc. of the Third IEEE International Conference on Multimedia Big Data (BigMM’2017), Laguna Hills, California, USA, April 2017.
  7.  Jin-Hee Cho, Izzat Alsmadi, Dianxiang Xu. Privacy and Social Capital in Online Social Networks, IEEE GLOBECOM’16, Washington, DC, USA, December 2016.
  8. Izzat Alsmadi, Dianxiang Xu and Jin-Hee Cho. Interaction-Based Reputation Model in Online Social Networks, Proc. of the 2nd International Conference on Information Systems Security and Privacy (ICISSP’16), pp. 265-272, Short paper. Feb. 2016, Rome, Italy.
Digital forensics
  1. Weifeng Xu and Dianxiang. Visualizing and Reasoning about Presentable Digital Forensic Evidence with Knowledge Graphs. Proc. of the 19th IEEE Conference on Privacy, Security and Trust (PST’22), Fredericton, Canada, August 2022.
  2. Weifeng Xu, Lin Deng, and Dianxiang Xu. Towards Designing Shared Digital Forensics Instructional Materials. Proc. of the IEEE 46th Annual Computers, Software, and Applications Conference (COMPSAC’22), July 2022.
Software-defined networking

Software-Defined Networks

Our research focuses SDN security and SDN for high performance computing.

Publications

  1. Samer Khamaiseh, Edoardo Serra, and Dianxiang Xu, vSwitchGuard: Defending OpenFlow Switches against Saturation Attacks. Proc. of the 2020 IEEE Computers, Software, and Applications Conference (COMPSAC’2020).
  2. Zhiyuan Li, Weijia Xing, Samer Khamaiseh, and Dianxiang Xu, Detecting Saturation Attacks Based on Self-Similarity of OpenFlow Traffic, IEEE Transactions on Network and Service Management, Vol. 17, No. 1, March 2020, pp. 607 – 621.
  3. Samer Khamaiseh, Edoardo Serra, Zhiyuan Li, Dianxiang Xu, Detecting Saturation Attacks in SDN via Machine Learning, Proc. of the 4th IEEE International Conference on Computing, Communications and Security (ICCCS 2019), Rome, Italy, October 2019. Runner Up for the Best Paper Award.
  4. Zhiyuan Li, Weijia Xing and Dianxiang Xu, Detecting Saturation Attacks in Software-Defined Networks, Proc. of the 2018 IEEE Conference on Intelligence and Security Informatics (ISI’18), Miami, Florida, November 2018.
  5. IzzatAlsmadi, Abdallah Khreishah, Dianxiang Xu. Network Slicing to Improve Multicasting in HPC Clusters. Cluster Computing, Vol. 21, No. 3, pp.1493-1506, 2018, Springer.
  6. IzzatAlsmadi, SamerKhamaiseh, Dianxiang Xu. Network Parallelization in HPC Clusters. The 2016 International Conference on Computational Science and Computational Intelligence (CSCI’16), Symposium of Parallel and Distributed Computing and Computational Science CSCI-ISPD). December 15-17, 2016, Las Vegas, USA.
  7. IzzatAlsmadi and Dianxiang Xu, Security of Software Defined Networks: A Survey, Computers and Security, 53(2015)79-108.
  8. IzzatAlsmadi, Milson Munakami, Dianxiang Xu. Model-Based Testing of SDN Firewalls: A Case Study, Proc. of the Second International Conference on Trustworthy Systems and Their Applications (TSA’15), Taiwan, July 2015.
Intelligent agents

Publications

Teaching

CS 5551 Advanced Software Engineering

CS 449 Foundations of Software Engineering

CS 458 Software Testing and Verification

CV