International Journal of Computer Applications (0975-8887), Volume 182, No. 25, November 2018

A Theoretical Framework for Software Vulnerability Detection based on Cascaded Refinement Network

Richard Amankwah, Presbyterian College of Education, P. O. Box 27, Akropong-Akuapem, Ghana
Patrick Kwaku Kudjo, Sch. of Comp. Sci., Datalink Institute, P.O. Box CO2481
Beatrice Korkor Agyemang, Presbyterian College of Education, P. O. Box 27, Akropong-Akuapem, Ghana
Kofi Mensah, Presbyterian College of Education, P. O. Box 27, Akropong-Akuapem, Ghana
Bright Brew, Presbyterian College of Education, P. O. Box 27, Akropong-Akuapem, Ghana
Samuel Yeboah Antwi, Presbyterian College of Education, P. O. Box 27, Akropong-Akuapem, Ghana

ABSTRACT

Software vulnerability detection is an active area of research in the software engineering domain. This is partly due to the continuous disclosure of security vulnerabilities. Although previous studies demonstrate the usefulness of employing several detection techniques, models and tools in detecting software vulnerabilities, improving the effectiveness of these detection models and tools is still a major challenge to researchers and practitioners. Cascaded Refinement Network (CRN) is a novel model that has been successfully applied in several domains of study such as image analysis; however, its application to the field of vulnerability analysis has not been investigated. Motivated by the model's effectiveness in these fields of study, we investigate its feasibility within the domain of vulnerability detection using a theoretical framework. The analysis involves first presenting a general overview of the static analysis tools, and then an overview of the theoretical framework for vulnerability detection based on the CRN. The preliminary findings show that the concept is feasible within the domain of vulnerability detection.

General Terms

Software Engineering, Information Security

Keywords

Software Vulnerability; Static Analysis; Cascaded Refinement Network

1. INTRODUCTION

The existence of vulnerabilities in software products is a catalyst for attack. Although there is no universal definition of software vulnerability, previous studies have given varied explanations of the concept. Kanga et al. [1] defined software vulnerability as a fault that can viciously cause damage to software systems. In another study, Krsul [2] describes software vulnerability as defects in software systems that allow an attacker to violate an explicit or implicit security policy to achieve some impact. Jimenez et al. [3] likewise defined software vulnerability as a flaw, weakness or error in software systems that can be exploited by an attacker in order to alter the normal behavior of the system. The aforementioned definitions clearly show that software errors are the main causes of information security breaches. It is worth noting that if these vulnerabilities are not detected and corrected, they create an avenue for attackers to exploit the weakness and break into the software product, hence the need to investigate the various strategies and techniques that can be used in detecting and fixing these weaknesses.

Recently, several models, techniques and tools have been proposed to find such weaknesses, the most widely applied being the static analysis tools. Static analysis involves analyzing the source code of a program without executing the actual program, thus avoiding the risk associated with the execution of malicious programs [4]. According to Black and Fong [5], static analysis techniques are software security assurance tools that detect flaws at various stages of the software development life cycle. Additionally, static analysis techniques and tools are very effective in bug identification because of their rapidity and simplicity [6]. Generally, the static analysis tools detect security vulnerabilities by scanning the program source code.
It is important to reiterate here that researchers and practitioners often expend more effort to detect and analyze static vulnerabilities in software applications written in high-level languages, such as C, C++, C#, Java, or PHP, because it often involves the analysis of several hundreds of source codes. This makes the detection of vulnerabilities in source code a very difficult task, hence the need to investigate alternative techniques and tools that can effectively be applied for improved vulnerability detection. Although researchers have used static analysis tools to detect a lot of loopholes in software in recent years and published them in major databases [7],[8],[9], challenges still exist in relation to their effectiveness and efficiency.

In this study, we investigate the feasibility of applying the cascaded refinement network for improved vulnerability detection. Cascaded Refinement Network is a semantic label map that produces an image with photographic appearance that conforms to an input layout. We chose the Cascaded Refinement Network because a combination of these methods has achieved state-of-the-art performance in other areas [10],[11]. The proposed method would (1) enable developers, users and all stakeholders to pay attention to the severe weakness and deal with it; (2) resolve the problem of false positives associated with static analysis tools; and (3) reduce the cost associated with bug management.

The study makes the following contributions:

i. We present a general overview of the static analysis tools and methods.
ii. We present a theoretical framework for a software vulnerability detection method based on cascaded refinement network.

The remaining sections of the paper are structured as follows. Section 2 presents a review of the static analysis. Section 3 presents a detailed overview of the static analysis tools and