A Cost-effective Approach to evaluating Security Vulnerability Scanner

Abstract

Web applications are exposed to various threats and attacks, and therefore numerous tools are developed for detecting web application vulnerabilities. Many studies have focused on evaluating vulnerability scanners. An efficient evaluation approach for detection tools is essential and can be extremely helpful to the users. In this paper, we propose a cost-effective approach to evaluating vulnerability scanners by considering redundant vulnerability alert problem. We define the redundant alert problem in scanner evaluation with our motivational example and propose the advanced confusion matrix by extending two defined attributes, true duplication (TD) and false duplication (FD). Then we apply our proposed cost-effective evaluation approach and build up the web Vulnerability Scanner Testbed.