
A testbed for the evaluation of web intrusion prevention systems


2 Author(s)
Jeff Stuckman ; Dept. of Comput. Sci., Univ. of Maryland, College Park, MD, USA ; James Purtilo

Web intrusion prevention systems are popular for defending web applications against common attacks, such as SQL injection and cross-site scripting, but a standardized methodology to evaluate and benchmark such systems is not available. We outline several requirements for a testing and evaluation framework for these systems, and we introduce the concept of a benchmarking testbed, which automatically performs the evaluation in a standardized and reproducible way. By allowing benchmarks to draw from a corpus of installable modules which can be based on actual security vulnerabilities, members of the security community can continuously maintain and improve the benchmark, allowing it to be updated as threats and defenses evolve. We developed a prototype of this testbed and determined that the testbed should automate several common web testing tasks on behalf of its modules in order to ease module development. Although our experiences with the prototype suggest that developing such a testbed is viable, we identified several open questions related to benchmark coverage and performance measurement that should be resolved in order for the resulting benchmark to be useful to end users.

Note: As originally published there was an error in this document. Due to a production error final versions of the papers were not submitted. The corrected final article PDF is now provided.  

Published in:

2011 Third International Workshop on Security Measurements and Metrics

Date of Conference:

21-21 Sept. 2011