nach oben

Education and Information Technologies

Erschienen in:

07.08.2023

WebHOLE: Developing a web-based hands-on learning environment to assist beginners in learning web application security

verfasst von: Jun-Ming Su

Erschienen in: Education and Information Technologies | Ausgabe 6/2024

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

With the rapid growth of web applications, web application security (WAS) has become an important cybersecurity issue. For effective WAS protection, it is necessary to cultivate and train personnel, especially beginners, to develop correct concepts and practical hands-on abilities through cybersecurity education. At present, many methods offer vulnerable web environments to support practical hands-on training, including large-scale “Capture the Flag” mode (e.g., Cyber Range), pre-configured virtual machine images (e.g., Mutillidae), pre-built stand-alone applications (e.g., WebGoat), and web-based system (e.g., Damn Vulnerable Web Application). However, beginners need not only hands-on training tools and systems but also assistance to support effective learning. Moreover, pre-built training content and exercises are usually not easy to modify and thus lack the flexibility to meet specific teaching needs. Therefore, this study proposed and developed the Web-based Hands-On Learning Environment (WebHOLE) to efficiently assist beginners in learning WAS. To improve the flexibility of the training content, a web-based authoring tool was developed in WebHOLE to create customized hands-on learning exercises. Accordingly, learners can learn and practice the WAS training content online with learning assistance provided by the hands-on learning system. The hands-on abilities of the learners can be efficiently assessed by the hands-on testing system using online exams with progressive hints and automatic grading. Furthermore, to improve the effectiveness of teaching and testing, a portfolio analysis scheme using a data mining technique was developed to identify learning barriers and problematic test items. WebHOLE was applied to an actual beginner-level WAS course for undergraduate students. The experimental results showed the benefits of WebHOLE on WAS learning, with a significant improvement in learning outcomes. Students expressed high satisfaction with WebHOLE's learning assistance, rating it with average satisfaction scores above 4.0 out of 5.0. The portfolio analysis scheme also showed the effectiveness of WebHOLE in identifying learning problems and refining test items.

Vorheriger Artikel When the push and pull factors in digital educational resources backfire: the role of digital leader in digital educational resources usage

Nächster Artikel A “live” and E-education in a frontier area in China under the perspective of the philosophy of technology

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Alzouebi, K. (2020). Electronic portfolio development and narrative reflections in higher education: Part and parcel of the culture? Education and Information Technologies, 25, 997–1011. https://doi.org/10.1007/s10639-019-09992-2CrossRef

Beuran, R., Tang, D., Pham, C., Chinen, K. I., Tan, Y., & Shinoda, Y. (2018). Integrated framework for hands-on cybersecurity training: CyTrONE. Computers & Security, 78, 43–59. https://doi.org/10.1016/j.cose.2018.06.001CrossRef

Beuran, R., Tang, D., Tan, Z., et al. (2019). Supporting cybersecurity education and training via LMS integration: CyLMS. Education and Information Technologies, 24, 3619–3643. https://doi.org/10.1007/s10639-019-09942-yCrossRef

Burket. J., Chapman, P., Becker, T., et al. (2015). Automatic problem generation for Capture-the-Flag competitions. In: Proceedings of 2015 USENIX Summit on Gaming, Games, and Gamification in Security Education (3GSE 15); 2015, August.

Cabaj, K., Domingos, D., Kotulski, Z., & Respício, A. (2018). Cybersecurity education: Evolution of the discipline and analysis of master programs. Computers & Security, 75, 24–35. https://doi.org/10.1016/j.cose.2018.01.015CrossRef

Chen, P., Zhao, M., Wang, J. H., et al. (2019). Exploration and practice of the experiment teaching of web application security course. In: Proceedings of the 2019 10th International Conference on Information Technology in Medicine and Education (ITME), 2019, 381–384. https://doi.org/10.1109/ITME.2019.00092

Chowdhury, N., & Gkioulos, V. (2021). Cyber security training for critical infrastructure protection: A literature review. Computer Science Review, 40, 100361. https://doi.org/10.1016/j.cosrev.2021.100361CrossRef

Chowdhury, N., Katsikas, S., & Gkioulos, V. (2022). Modeling effective cybersecurity training frameworks: A delphi method-based study. Computers & Security, 113, 102551. https://doi.org/10.1016/j.cose.2021.102551CrossRef

Conte de Leon, D., Goes, C. E., Haney, M. A., & Krings, A. W. (2018). ADLES: Specifying, deploying, and sharing hands-on cyber-exercises. Computers & Security, 74, 12–40. https://doi.org/10.1016/j.cose.2017.12.007CrossRef

Deljkic, Z., Pale, P., & Petrovic, J. (2019). Computer-based methods for assessing information security competencies. In: Proceedings of 42nd International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO 2019); 2019, 1457–1462. https://doi.org/10.23919/MIPRO.2019.8757201

Demertzi, V., Demertzis, S., & Demertzis, K. (2022). An overview of cyber threats, attacks, and countermeasures on the primary domains of smart cities. arXiv:2207.04424 . Retrieved October 15, 2022, from https://doi.org/10.48550/arXiv.2207.04424

Diogenes Y, & Ozkaya E. (2018). Cybersecurity–Attack and Defense Strategies: Infrastructure security with Red Team and Blue Team tactics. Packt, 2018.

Du, W. (2010). SEED: Hands-on lab exercises for computer security education. IEEE Security & Privacy, 09, 70–73.CrossRef

DVWA. (2022). Damn Vulnerable Web Application. Retrieved October 15, 2022, from https://www.vulnhub.com/entry/damn-vulnerable-web-application-dvwa-107,43/

EduRange. (2022). Retrieved October 15, 2022, from http://www.edurange.org/

Han, S., & Bhattacharya, K. (2001). Constructionism, Learning by design, and project based learning. In M. Orey (Ed.), Emerging perspectives on learning, teaching, and technology. Retrieved October 15, 2022, from https://pirun.ku.ac.th/~btun/papert/design.pdf

Kim, B. H., Kim, K. C., Hong, S. E., et al. (2017). Development of cyber information security education and training system. Multimedia Tools and Applications, 76, 6051–6064. https://doi.org/10.1007/s11042-016-3495-yCrossRef

Koehler, M. J., Mishra, P., Kereluik, K., Shin, T.S., & Graham, C. R. (2014). The Technological Pedagogical Content Knowledge Framework. In: J. Spector, M. Merrill, J. Elen, & M. Bishop (Eds.), Handbook of Research on Educational Communications and Technology. Springer. https://doi.org/10.1007/978-1-4614-3185-5_9

Koivisto, J. M., Niemi, H., Multisilta, J., et al. (2017). Nursing students’ experiential learning processes using an online 3D simulation game. Education and Information Technologies, 22, 383–398. https://doi.org/10.1007/s10639-015-9453-xCrossRef

Kolb, D. A. (1984). Experiential learning. Experience as the source of learning and development. Prentice-Hall.

Konak, A., Clark, T. K., & Nasereddin, M. (2014). Using Kolb’s experiential learning cycle to improve student learning in virtual computer laboratories. Computers & Education, 72, 11–22.CrossRef

Korucu-Kış, S. (2021). Preparing student teachers for real classrooms through virtual vicarious experiences of critical incidents during remote practicum: A meaningful-experiential learning perspective. Education and Information Technologies, 26, 6949–6971. https://doi.org/10.1007/s10639-021-10555-7CrossRef

Kwon, M. J., Kwak, G., Jun, S., Kim, H. J., & Lee, H. Y. (2017). Enriching Security Education Hands-on Labs with Practical Exercises. In: Proceedings of 2017 International Conference on Software Security and Assurance (ICSSA), Altoona, PA, Jul. 2017, 100–103. https://doi.org/10.1109/ICSSA.2017.8

Maki, N., Nakata, R., Toyoda, S., Kasai, Y., Shin, S., & Seto, Y. (2020). An effective cybersecurity exercises platform CyExec and its training contents. International Journal of Information and Education Technology, 10(3), 215–221. https://doi.org/10.18178/ijiet.2020.10.3.1366CrossRef

Metasploitable. (2022). Retrieved October 15, 2022, from https://github.com/rapid7/metasploitable3

Mishra, P., & Koehler, M. J. (2006). Technological pedagogical content knowledge: A framework for teacher knowledge. Teachers College Record, 108(6), 1017–1054.CrossRef

Mutillidae. (2022). Retrieved October 15, 2022, from https://github.com/webpwnized/mutillidae

NICE Challenge Project. (2022). Retrieved October 15, 2022, fromhttps://nice-challenge.com/

OWASP. (2022). Retrieved October 15, 2022, from https://owasp.org/

Papert, S. (1990). Introduction: Constructionist Learning. MIT Media Laboratory.

Parker, J., Hicks, M., Ruef, A., et al. (2020). Build it, break it, fix it: Contesting secure development. ACM Transactions on Privacy and Security, 23(2), 1–36. https://doi.org/10.1145/3383773CrossRef

Pei, J., Han, J., Mortazavi-Asl, B., Pinto, H., Chen, Q., Dayal, U., & Hsu, M. C. (2001). PrefixSpan- mining sequential patterns efficiently by prefix-projected pattern growth. In: Proceedings of 17th International Conference on Data Engineering, 2–6 April, 2001, 215–224.

Schreuders, Z. C., Shaw, T., Shan-A-Khuda, M., Ravichandran, G., Keighley, J., & Ordean, M. (2017). Security Scenario Generator (SecGen): a framework for generating randomly vulnerable rich-scenario VMs for learning computer security and hosting CTF events. In: Proceedings of 2017 USENIX Workshop on Advances in Security Education (ASE 17), 2017.

SEED Labs. (2022). Retrieved October 15, 2022, from https://seedsecuritylabs.org/

Shin, S., & Seto, Y. (2020). CyExec-training platform for cybersecurity education based on a virtual environment. International Journal of Learning Technologies and Learning Environments., 3(1), 1–20.CrossRef

Švábenský, V., Čeleda, P., Vykopal, J., & Brišáková, S. (2021). Cybersecurity knowledge and skills taught in capture the fag challenges. Computers & Security, 102, 102154. https://doi.org/10.1016/j.cose.2020.102154

Švábenský, V., Vykopal, J., Čeleda, P., et al. (2022a). Student assessment in cybersecurity training automated by pattern mining and clustering. Education and Information Technologies, 27, 9231–9262. https://doi.org/10.1007/s10639-022-10954-4CrossRef

Švábenský, V., Vykopal, J., Čeleda, P., et al. (2022b). Applications of educational data mining and learning analytics on data from cybersecurity training. Education and Information Technologies, 27, 12179–12212. https://doi.org/10.1007/s10639-022-11093-6CrossRef

Tan, Z., Beuran, R., Hasegawa, S., et al. (2020). Adaptive security awareness training using linked open data datasets. Education and Information Technologies, 25, 5235–5259. https://doi.org/10.1007/s10639-020-10155-xCrossRef

Tzafilkou, K., Protogeros, N., & Chouliara, A. (2020). Experiential learning in web development courses: Examining students’ performance, perception and acceptance. Education and Information Technologies, 25, 5687–5701. https://doi.org/10.1007/s10639-020-10211-6CrossRef

Valtonen, T., Eriksson, M., Kärkkäinen, S., et al. (2023). (2023) Emerging imbalance in the development of TPACK - A challenge for teacher training. Education and Information Technologies, 28, 5363–5383. https://doi.org/10.1007/s10639-022-11426-5CrossRef

Venter, I. M., Blignaut, R. J., Renaud, K., et al. (2019). Cyber security education is as essential as “the three R’s.” Heliyon, 5(12), E02855.CrossRef

Vulnhub. (2022). Retrieved October 15, 2022, from https://www.vulnhub.com/

Vykopal, J., & Barták, M. (2016). On the design of security games: from frustrating to engaging learning. In: Proceedings of 2016 USENIX workshop on Advances in Security Education; 2016, August.

WebGoat. (2022). Retrieved October 15, 2022, from https://owasp.org/www-project-webgoat/

Wieringa, R. J. (2014). The design cycle. In: Design Science Methodology for Information Systems and Software Engineering (pp. 27–34). Springer. Retrieved July 12, 2023, from https://doi.org/10.1007/978-3-662-43839-8_3

Yamin, M. M., & Katt, B. (2022). Modeling and executing cyber security exercise scenarios in cyber ranges. Computers & Security, 116, 102635. https://doi.org/10.1016/j.cose.2022.102635CrossRef

Zhou, Y., & Wang, P. (2019). An ensemble learning approach for XSS attack detection with domain knowledge and threat intelligence. Computers & Security, 82, 261–269. https://doi.org/10.1016/j.cose.2018.12.016CrossRef

Titel: WebHOLE: Developing a web-based hands-on learning environment to assist beginners in learning web application security
verfasst von: Jun-Ming Su
Publikationsdatum: 07.08.2023
Verlag: Springer US
Erschienen in: Education and Information Technologies / Ausgabe 6/2024
Print ISSN: 1360-2357
Elektronische ISSN: 1573-7608
DOI: https://doi.org/10.1007/s10639-023-12090-z

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Weitere Artikel der Ausgabe 6/2024

Optimizing learning return on investment: Identifying learning strategies based on user behavior characteristic in language learning applications

What motivate learners to continue a professional development program through Massive Open Online Courses (MOOCs)?: A lens of self-determination theory

Combining intelligent tutoring systems and gamification: a systematic literature review

ChatGPT: Empowering lifelong learning in the digital age of higher education

Toward a new educational reality: A mapping review of the role of e-assessment in the new digital context

Exploring the relationship between pre-service teachers’ TPACK and blended teaching readiness levels: a path analysis

Premium Partner