{"id":"https://openalex.org/W4385080315","doi":"https://doi.org/10.1109/sp46215.2023.10179442","title":"Improving Developers\u2019 Understanding of Regex Denial of Service Tools through Anti-Patterns and Fix Strategies","display_name":"Improving Developers\u2019 Understanding of Regex Denial of Service Tools through Anti-Patterns and Fix Strategies","publication_year":2023,"publication_date":"2023-05-01","ids":{"openalex":"https://openalex.org/W4385080315","doi":"https://doi.org/10.1109/sp46215.2023.10179442"},"language":"en","primary_location":{"id":"doi:10.1109/sp46215.2023.10179442","is_oa":false,"landing_page_url":"http://dx.doi.org/10.1109/sp46215.2023.10179442","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2023 IEEE Symposium on Security and Privacy (SP)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5053419040","display_name":"Sk Adnan Hassan","orcid":"https://orcid.org/0000-0002-7042-8446"},"institutions":[{"id":"https://openalex.org/I859038795","display_name":"Virginia Tech","ror":"https://ror.org/02smfhw86","country_code":"US","type":"education","lineage":["https://openalex.org/I859038795"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Sk Adnan Hassan","raw_affiliation_strings":["Virginia Tech,Blacksburg,VA,USA","Virginia Tech, Blacksburg, VA, USA"],"affiliations":[{"raw_affiliation_string":"Virginia Tech,Blacksburg,VA,USA","institution_ids":["https://openalex.org/I859038795"]},{"raw_affiliation_string":"Virginia Tech, Blacksburg, VA, USA","institution_ids":["https://openalex.org/I859038795"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5072251016","display_name":"Zainab Aamir","orcid":null},"institutions":[{"id":"https://openalex.org/I59553526","display_name":"Stony Brook University","ror":"https://ror.org/05qghxh33","country_code":"US","type":"education","lineage":["https://openalex.org/I59553526"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Zainab Aamir","raw_affiliation_strings":["Stony Brook University,Stony Brook,NY,USA","Stony Brook University, Stony Brook, NY, USA"],"affiliations":[{"raw_affiliation_string":"Stony Brook University,Stony Brook,NY,USA","institution_ids":["https://openalex.org/I59553526"]},{"raw_affiliation_string":"Stony Brook University, Stony Brook, NY, USA","institution_ids":["https://openalex.org/I59553526"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5065310265","display_name":"Dongyoon Lee","orcid":"https://orcid.org/0000-0002-2240-3316"},"institutions":[{"id":"https://openalex.org/I59553526","display_name":"Stony Brook University","ror":"https://ror.org/05qghxh33","country_code":"US","type":"education","lineage":["https://openalex.org/I59553526"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Dongyoon Lee","raw_affiliation_strings":["Stony Brook University,Stony Brook,NY,USA","Stony Brook University, Stony Brook, NY, USA"],"affiliations":[{"raw_affiliation_string":"Stony Brook University,Stony Brook,NY,USA","institution_ids":["https://openalex.org/I59553526"]},{"raw_affiliation_string":"Stony Brook University, Stony Brook, NY, USA","institution_ids":["https://openalex.org/I59553526"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5013948143","display_name":"James C. Davis","orcid":"https://orcid.org/0000-0003-2495-686X"},"institutions":[{"id":"https://openalex.org/I219193219","display_name":"Purdue University West Lafayette","ror":"https://ror.org/02dqehb95","country_code":"US","type":"education","lineage":["https://openalex.org/I219193219"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"James C. Davis","raw_affiliation_strings":["Purdue University,West Lafayette,IN,USA","Purdue University, West Lafayette, IN, USA"],"affiliations":[{"raw_affiliation_string":"Purdue University,West Lafayette,IN,USA","institution_ids":["https://openalex.org/I219193219"]},{"raw_affiliation_string":"Purdue University, West Lafayette, IN, USA","institution_ids":["https://openalex.org/I219193219"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5039701716","display_name":"Francisco Servant","orcid":"https://orcid.org/0000-0002-6493-9389"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Francisco Servant","raw_affiliation_strings":["University of Málaga,Málaga,Spain"],"affiliations":[{"raw_affiliation_string":"University of Málaga,Málaga,Spain","institution_ids":[]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5053419040"],"corresponding_institution_ids":["https://openalex.org/I859038795"],"apc_list":null,"apc_paid":null,"fwci":1.8356,"has_fulltext":false,"cited_by_count":4,"citation_normalized_percentile":{"value":0.88183904,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":89,"max":96},"biblio":{"volume":"32","issue":null,"first_page":"1238","last_page":"1255"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9991000294685364,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9987999796867371,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/regular-expression","display_name":"Regular expression","score":0.8283978700637817},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8213902711868286},{"id":"https://openalex.org/keywords/usability","display_name":"Usability","score":0.7547560930252075},{"id":"https://openalex.org/keywords/soundness","display_name":"Soundness","score":0.6531422138214111},{"id":"https://openalex.org/keywords/precision-and-recall","display_name":"Precision and recall","score":0.5120521187782288},{"id":"https://openalex.org/keywords/ambiguity","display_name":"Ambiguity","score":0.4969384968280792},{"id":"https://openalex.org/keywords/denial-of-service-attack","display_name":"Denial-of-service attack","score":0.41439518332481384},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.3766274154186249},{"id":"https://openalex.org/keywords/machine-learning","display_name":"Machine learning","score":0.3018162250518799},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.1858978569507599},{"id":"https://openalex.org/keywords/human\u2013computer-interaction","display_name":"Human\u2013computer interaction","score":0.16140905022621155},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.10920113325119019},{"id":"https://openalex.org/keywords/the-internet","display_name":"The Internet","score":0.0823637843132019}],"concepts":[{"id":"https://openalex.org/C121329065","wikidata":"https://www.wikidata.org/wiki/Q185612","display_name":"Regular expression","level":2,"score":0.8283978700637817},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8213902711868286},{"id":"https://openalex.org/C170130773","wikidata":"https://www.wikidata.org/wiki/Q216378","display_name":"Usability","level":2,"score":0.7547560930252075},{"id":"https://openalex.org/C39920170","wikidata":"https://www.wikidata.org/wiki/Q693083","display_name":"Soundness","level":2,"score":0.6531422138214111},{"id":"https://openalex.org/C81669768","wikidata":"https://www.wikidata.org/wiki/Q2359161","display_name":"Precision and recall","level":2,"score":0.5120521187782288},{"id":"https://openalex.org/C2780522230","wikidata":"https://www.wikidata.org/wiki/Q1140419","display_name":"Ambiguity","level":2,"score":0.4969384968280792},{"id":"https://openalex.org/C38822068","wikidata":"https://www.wikidata.org/wiki/Q131406","display_name":"Denial-of-service attack","level":3,"score":0.41439518332481384},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.3766274154186249},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.3018162250518799},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.1858978569507599},{"id":"https://openalex.org/C107457646","wikidata":"https://www.wikidata.org/wiki/Q207434","display_name":"Human\u2013computer interaction","level":1,"score":0.16140905022621155},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.10920113325119019},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.0823637843132019}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/sp46215.2023.10179442","is_oa":false,"landing_page_url":"http://dx.doi.org/10.1109/sp46215.2023.10179442","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2023 IEEE Symposium on Security and Privacy (SP)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/10","score":0.4099999964237213,"display_name":"Reduced inequalities"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":78,"referenced_works":["https://openalex.org/W87129872","https://openalex.org/W171406816","https://openalex.org/W578092267","https://openalex.org/W1491178396","https://openalex.org/W1563402047","https://openalex.org/W1570445666","https://openalex.org/W1578526383","https://openalex.org/W1601674470","https://openalex.org/W1813069714","https://openalex.org/W1857789879","https://openalex.org/W1969483186","https://openalex.org/W1986152782","https://openalex.org/W1991079201","https://openalex.org/W2054801208","https://openalex.org/W2058269846","https://openalex.org/W2059200976","https://openalex.org/W2072102045","https://openalex.org/W2072607050","https://openalex.org/W2111487235","https://openalex.org/W2134646643","https://openalex.org/W2156429182","https://openalex.org/W2296795551","https://openalex.org/W2460699391","https://openalex.org/W2480448195","https://openalex.org/W2506796853","https://openalex.org/W2603401210","https://openalex.org/W2606344517","https://openalex.org/W2734941459","https://openalex.org/W2752340395","https://openalex.org/W2760683747","https://openalex.org/W2805375386","https://openalex.org/W2888047193","https://openalex.org/W2898689050","https://openalex.org/W2899462170","https://openalex.org/W2922478741","https://openalex.org/W2922634639","https://openalex.org/W2930957955","https://openalex.org/W2955138751","https://openalex.org/W2968339949","https://openalex.org/W2985661840","https://openalex.org/W2999135213","https://openalex.org/W3000250989","https://openalex.org/W3005362731","https://openalex.org/W3091491979","https://openalex.org/W3094387502","https://openalex.org/W3100164117","https://openalex.org/W3104260925","https://openalex.org/W3106010854","https://openalex.org/W3127558385","https://openalex.org/W3155666085","https://openalex.org/W3156471679","https://openalex.org/W3156862845","https://openalex.org/W3157035424","https://openalex.org/W4233410239","https://openalex.org/W4234221848","https://openalex.org/W4253813365","https://openalex.org/W4284670904","https://openalex.org/W4285275532","https://openalex.org/W4287634532","https://openalex.org/W4290991688","https://openalex.org/W4385080315","https://openalex.org/W6633864067","https://openalex.org/W6638296606","https://openalex.org/W6646916282","https://openalex.org/W6676145601","https://openalex.org/W6704473023","https://openalex.org/W6721628585","https://openalex.org/W6748330667","https://openalex.org/W6752006691","https://openalex.org/W6754216381","https://openalex.org/W6754357002","https://openalex.org/W6780135897","https://openalex.org/W6785013043","https://openalex.org/W6792804783","https://openalex.org/W6794598612","https://openalex.org/W6800343060","https://openalex.org/W6846851077","https://openalex.org/W7052126637"],"related_works":["https://openalex.org/W2374992565","https://openalex.org/W2434671519","https://openalex.org/W4312415035","https://openalex.org/W4316506193","https://openalex.org/W4308325377","https://openalex.org/W4285157290","https://openalex.org/W3120934607","https://openalex.org/W3212974263","https://openalex.org/W4311730107","https://openalex.org/W4385080315"],"abstract_inverted_index":{"Regular":[0],"expressions":[1],"are":[2],"used":[3],"for":[4,111,142,247],"diverse":[5],"purposes,":[6],"including":[7],"input":[8],"validation":[9],"and":[10,42,53,91,102,114,127,151,168,179,190,210,221,256,276],"firewalls.":[11],"Unfortunately,":[12],"they":[13],"can":[14],"also":[15,227],"lead":[16],"to":[17,39,51,89,120,145,270,281],"a":[18,30,75,115,131,139,202],"security":[19],"vulnerability":[20],"called":[21],"ReDoS":[22],"(Regular":[23],"Expression":[24],"Denial":[25],"of":[26,44,77,86,105,117,134,153,160,185,188,205,216,233,250],"Service),":[27],"caused":[28],"by":[29],"super-linear":[31],"worst-case":[32],"execution":[33],"time":[34],"during":[35],"regex":[36,135],"matching.":[37],"Due":[38],"the":[40,84,149,158,186,214,217,231,234,248,251],"severity":[41],"prevalence":[43],"ReDoS,":[45],"past":[46],"work":[47],"proposed":[48],"automatic":[49,62,166,263],"tools":[50,58,88,264],"detect":[52,90],"fix":[54,92,103,118,121,128,180,257],"regexes.":[55],"Although":[56],"these":[57],"were":[59,199,226],"evaluated":[60,157,174],"in":[61,164],"experiments,":[63],"their":[64],"usability":[65,71,85],"has":[66,72],"not":[67,73],"yet":[68],"been":[69,74],"studied;":[70],"focus":[76],"prior":[78],"work.":[79],"Our":[80,193,224],"insight":[81],"is":[82],"that":[83,196],"existing":[87],"regexes":[93,143,206],"will":[94],"improve":[95,182],"if":[96],"we":[97,173],"complement":[98],"them":[99,243],"with":[100],"anti-patterns":[101,110,126,178,198,225,255],"strategies":[104,119,129,181,258],"vulnerable":[106,112,144],"regexes.We":[107],"developed":[108],"novel":[109,132],"regexes,":[113],"collection":[116],"them.":[122,287],"We":[123,147,156],"derived":[124],"our":[125,154,161,177,197,254],"from":[130,266,277],"theory":[133],"infinite":[136],"ambiguity":[137],"\u2014":[138],"necessary":[140],"condition":[141],"ReDoS.":[146],"proved":[148],"soundness":[150],"completeness":[152],"theory.":[155],"effectiveness":[159],"anti-patterns,":[162],"both":[163],"an":[165],"experiment":[167],"when":[169,236,273,285],"applied":[170,237,242],"manually.":[171],"Then,":[172],"how":[175],"much":[176],"developers\u2019":[183,260],"understanding":[184,261],"outcome":[187],"detection":[189],"fixing":[191,286],"tools.":[192],"evaluation":[194],"found":[195],"effective":[200,229],"over":[201],"large":[203],"dataset":[204],"(N=209,188):":[207],"100%":[208,240],"precision":[209,220],"99%":[211],"recall,":[212],"improving":[213],"state":[215,232,249],"art":[218,235],"50%":[219,246],"87%":[222],"recall.":[223],"more":[228],"than":[230],"manually":[238],"(N=20):":[239],"developers":[241],"effectively":[244],"vs.":[245],"art.":[252],"Finally,":[253],"increased":[259],"using":[262],"(N=9):":[265],"median":[267,271,278,282],"\"Very":[268,279,283],"weakly\"":[269,280],"\"Strongly\"":[272],"detecting":[274],"vulnerabilities,":[275],"strongly\"":[284]},"counts_by_year":[{"year":2025,"cited_by_count":1},{"year":2024,"cited_by_count":2},{"year":2023,"cited_by_count":1}],"updated_date":"2025-12-21T01:58:51.020947","created_date":"2025-10-10T00:00:00"}