Enhancing Cybersecurity: Design of an Automated Penetration Testing Framework for Common Vulnerabilities and Exposures (CVE)
DOI: https://doi.org/10.30595/juita.v13i3.26938

Keywords: automated penetration testing, cybersecurity, design patterns, CVE

Abstract
The progression of digital transformation has increased cybersecurity concerns, primarily due to the growing prevalence of system vulnerabilities. Penetration testing (pentesting) is an essential technique for identifying and assessing vulnerabilities; however, conventional methods are labor-intensive and heavily reliant on expert participation. This study proposes the development of an automated penetration testing framework that utilizes Common Vulnerabilities and Exposures (CVE) to enhance efficiency and reduce reliance on manual processes. The framework utilizes software engineering design patterns, namely the Template Method and Abstract Factory, to guarantee modularity, scalability, and maintainability. The implementation and evaluation reveal the system's capacity to reliably perform CVE-based penetration testing activities with consistent performance across multiple iterations. Comparative testing demonstrates that the suggested framework attains superior consistency in execution time and resource utilization compared to monolithic solutions. In conclusion, the established methodology offers a dependable basis for automated CVE-based security evaluations and facilitates continuous adaptation to forthcoming cybersecurity issues.
License
Copyright (c) 2025 Nur Rohman Rosyid, Anni Karimatul Fauziyyah, Yoan Navie Ananda

This work is licensed under a Creative Commons Attribution 4.0 International License.

JUITA: Jurnal Informatika is licensed under a Creative Commons Attribution 4.0 International License.








