APPLYING OF NEURAL NETWORKS FOR SELECTING THE TOOLS FOR PENETRATION TESTING OF WEB APPLICATIONS

Артём Григорьевич Тецкий

Abstract


Penetration testing is conducted to detect, and subsequently fix, the security problems of a Web application. During testing, testers actively use tools that spare them a large number of monotonous operations. The problem with selecting tools is that there are a number of similar tools for testing the same class of security problems, and it is not known which tool is most suitable for a particular case. This problem is most common among novice testers; more experienced testers use their own sets of tools to find specific security problems. Such kits are formed in the course of work, and each tester finds the tools that suit them best. The goal of the paper is to create a method that helps choose a tool for a particular case, based on the experience of experts in security testing of Web applications. To achieve this goal, it is proposed to create a Web service that uses a neural network to solve the problem of choice. Data for training the neural network, in the form of a matrix of tools and their criteria, are provided by experts in the field of security testing of Web applications. To find the most suitable tool, a vector of requirements must be formed, i.e. the user of the service must specify the criteria for the search. As a result of the search, the several tools most suitable for the request are shown to the user. The user can also save his own choice if it differs from the proposed one. In this way, the set of learning examples can be extended. It is advisable to have two neural networks: the first is trained only on data from experts; the second is trained on data from experts and on data from users who have saved their choice. The use of neural networks makes it possible to map several input data sets to one output data set. The described method can be used to select software in various applications.
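The selection scheme described in the abstract, sketched as an added example (this is not the paper's code or its Web service). The criteria, tool names, expert matrix and saved user choice are constructed placeholders, and a small pure-Python perceptron stands in for whatever network the author used.

```python
import math, random

# Constructed sample data: criteria, tool names and the expert matrix are
# illustrative placeholders, not values taken from the paper.
CRITERIA = ["sqli", "xss", "dir_enum", "cli", "gui", "free"]
EXPERT_MATRIX = {
    "tool_a": [1, 0, 0, 1, 0, 1],
    "tool_b": [0, 1, 0, 0, 1, 1],
    "tool_c": [0, 0, 1, 1, 0, 1],
    "tool_d": [1, 1, 0, 0, 1, 0],
}
TOOLS = list(EXPERT_MATRIX)

class Net:
    """One-hidden-layer perceptron: requirement vector in, tool scores out."""
    def __init__(self, n_in, n_hid, n_out, seed=1):
        rnd = random.Random(seed)
        self.w1 = [[rnd.uniform(-0.5, 0.5) for _ in range(n_in + 1)] for _ in range(n_hid)]
        self.w2 = [[rnd.uniform(-0.5, 0.5) for _ in range(n_hid + 1)] for _ in range(n_out)]

    def forward(self, x):
        h = [math.tanh(sum(w * v for w, v in zip(row, x + [1]))) for row in self.w1]
        z = [sum(w * v for w, v in zip(row, h + [1])) for row in self.w2]
        m = max(z)
        e = [math.exp(v - m) for v in z]
        return h, [v / sum(e) for v in e]

    def train(self, samples, epochs=1000, lr=0.3):
        for _ in range(epochs):
            for x, label in samples:
                h, p = self.forward(x)
                dz = [p[k] - (k == label) for k in range(len(p))]  # softmax + cross-entropy
                dh = [(1 - h[j] ** 2) * sum(dz[k] * self.w2[k][j] for k in range(len(dz)))
                      for j in range(len(h))]
                for k, row in enumerate(self.w2):
                    for j, v in enumerate(h + [1]):
                        row[j] -= lr * dz[k] * v
                for j, row in enumerate(self.w1):
                    for i, v in enumerate(x + [1]):
                        row[i] -= lr * dh[j] * v
        return self

def recommend(net, requirements, top=3):
    """Return the `top` best-scoring tools for a vector of requirements."""
    _, p = net.forward(list(requirements))
    return [TOOLS[k] for k in sorted(range(len(p)), key=lambda k: -p[k])[:top]]

expert_samples = [(row, TOOLS.index(name)) for name, row in EXPERT_MATRIX.items()]
# Constructed user feedback: a user asked for sqli + gui + free and saved tool_b.
user_samples = [([1, 0, 0, 0, 1, 1], TOOLS.index("tool_b"))]
expert_net = Net(len(CRITERIA), 8, len(TOOLS)).train(expert_samples)
user_net = Net(len(CRITERIA), 8, len(TOOLS)).train(expert_samples + user_samples)
```

Calling `recommend(expert_net, q)` and `recommend(user_net, q)` on the same requirement vector shows how saved user choices shift the second network's ranking while the first stays tied to the expert matrix.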


Keywords


penetration testing; web application; tools; neural networks; cybersecurity

DOI: https://doi.org/10.32620/reks.2018.4.09
