Assessing and Comparing Vulnerability Detection Tools for Web Services: Benchmarking Approach and Examples

Antunes, Nuno; Vieira, Marco

doi:10.1109/tsc.2014.2310221

Cited by 57 publications

(41 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Services that can generate a high F-measure mean they are better services [27]. If a service obtains a precision of 0.6 means it can detect vulnerability with 60%.…”

Section: A Penetration Testingmentioning

confidence: 99%

“…The combination of precision, recall and F-measure can determine the quality of the security services. We reproduce the experiments conducted by [27] and then compare results of CCAF multi-layered security with VS1, VS2, VS3 and VS4 tools due to similarities with CCAF technologies except each is single layered security. Results in Table 2 show that the CCAF multi-layered security can provide a much better service since all the true vulnerabilities can be detected with precision as 1.…”

Section: A Penetration Testingmentioning

confidence: 99%

See 1 more Smart Citation

Cloud computing adoption framework: A security framework for business clouds

Chang

Kuo

Ramachandran

2016

Future Generation Computer Systems

265

100

View full text Add to dashboard Cite

This paper presents a Cloud Computing Adoption Framework (CCAF) security suitable for business clouds. CCAF multi-layered security is based on the development and integration of three major security technologies: firewall, identity management and encryption based on the development of Enterprise File Sync and Share technologies. This paper presents our motivation, related work and our views on security framework. Core technologies have been explained in details and experiments were designed to demonstrate the robustness of the CCAF multi-layered security. In penetration testing, CCAF multi-layered security could detect and block 99.95% viruses and trojans and could maintain 85% and above of blocking for 100 hours of continuous attacks. Detection and blocking took less than 0.012 second per trojan and viruses. A full CCAF multi-layered security protection could block all SQL injection providing real protection to data. CCAF multi-layered security had 100% rate of not reporting false alarm. All F-measures for CCAF test results were 99.75% and above. How CCAF multi-layered security can blend with policy, real services and blend with business activities have been illustrated. Research contributions have been justified and CCAF multi-layered security can offer added value for volume, velocity and veracity for Big Data services operated in the Cloud.

show abstract

“…Services that can generate a high F-measure mean they are better services [27]. If a service obtains a precision of 0.6 means it can detect vulnerability with 60%.…”

Section: A Penetration Testingmentioning

confidence: 99%

Section: A Penetration Testingmentioning

confidence: 99%

Cloud computing adoption framework: A security framework for business clouds

Chang

Kuo

Ramachandran

2016

Future Generation Computer Systems

265

100

View full text Add to dashboard Cite

show abstract

“…Antunes and Vieira [34] use four types of tools for penetration testing, explain the use of precision, recall and F-measure to justify the validity of their results. Amongst all the four tools for penetration testing, all results were very low.…”

Section: Metrics Analysis and Comparisonmentioning

confidence: 99%

Towards Achieving Data Security with the Cloud Computing Adoption Framework

Chang

Ramachandran

2016

IEEE Trans. Serv. Comput.

250

View full text Add to dashboard Cite

Abstract-Offering real-time data security for petabytes of data is important for Cloud Computing. A recent survey on cloud security states that the security of users' data has the highest priority as well as concern. We believe this can only be able to achieve with an approach that is systematic, adoptable and well-structured. Therefore, this paper has developed a framework known as Cloud Computing Adoption Framework (CCAF) which has been customized for securing cloud data. This paper explains the overview, rationale and components in the CCAF to protect data security. CCAF is illustrated by the system design based on the requirements and the implementation demonstrated by the CCAF multi-layered security. Since our Data Center has 10 petabytes of data, there is a huge task to provide real-time protection and quarantine. We use Business Process Modeling Notation (BPMN) to simulate how data is in use. The use of BPMN simulation allows us to evaluate the chosen security performances before actual implementation. Results show that the time to take control of security breach can take between 50 and 125 hours. This means that additional security is required to ensure all data is well-protected in the crucial 125 hours. This paper has also demonstrated that CCAF multi-layered security can protect data in real-time and it has three layers of security: 1) firewall and access control; 2) identity management and intrusion prevention and 3) convergent encryption. To validate CCAF, this paper has undertaken two sets of ethical-hacking experiments involved with penetration testing with 10,000 trojans and viruses. The CCAF multi-layered security can block 9,919 viruses and trojans which can be destroyed in seconds and the remaining ones can be quarantined or isolated. The experiments show although the percentage of blocking can decrease for continuous injection of viruses and trojans, 97.43% of them can be quarantined. Our CCAF multi-layered security has an average of 20% better performance than the single-layered approach which could only block 7,438 viruses and trojans. CCAF can be more effective when combined with BPMN simulation to evaluate security process and penetrating testing results.

show abstract

“…These scenarios can be divided in web-based applications and systems , web services [34][35][36][37][38][39] network protocols and devices [11,14,[40][41][42][43][44][45][46][47][48][49][50][51][52], software and desktop applications [61], and process control system [62]. Figure 4 shows the different target scenarios that have a diversity in relation to the number of studies, and as mentioned before, most of the studies are related to web-based applications, network devices, and protocols contexts.…”

Section: Rq2-what Are the Target-scenarios In Pentest?mentioning

confidence: 99%

“…Black-box, in contrast, assume that there is no prior knowledge about the environment. Most of the studies and research papers, mainly around vulnerability discovery tools, perform black box tests [32,34,64]. Gray box test represents the middle ground between black box and white box, in which the amount of information about the target is not complete but it is also not non-existent.…”

Section: Rq3-what Are the Models Of Pentest?mentioning

confidence: 99%

Overview and open issues on penetration test

Bertoglio

Zorzo

2017

J Braz Comput Soc

View full text Add to dashboard Cite

Several studies regarding security testing for corporate environments, networks, and systems were developed in the past years. Therefore, to understand how methodologies and tools for security testing have evolved is an important task. One of the reasons for this evolution is due to penetration test, also known as Pentest. The main objective of this work is to provide an overview on Pentest, showing its application scenarios, models, methodologies, and tools from published papers. Thereby, this work may help researchers and people that work with security to understand the aspects and existing solutions related to Pentest. A systematic mapping study was conducted, with an initial gathering of 1145 papers, represented by 1090 distinct papers that have been evaluated. At the end, 54 primary studies were selected to be analyzed in a quantitative and qualitative way. As a result, we classified the tools and models that are used on Pentest. We also show the main scenarios in which these tools and methodologies are applied to. Finally, we present some open issues and research opportunities on Pentest.

show abstract

Assessing and Comparing Vulnerability Detection Tools for Web Services: Benchmarking Approach and Examples

Cited by 57 publications

References 21 publications

Cloud computing adoption framework: A security framework for business clouds

Cloud computing adoption framework: A security framework for business clouds

Towards Achieving Data Security with the Cloud Computing Adoption Framework

Overview and open issues on penetration test

Contact Info

Product

Resources

About