“…To answer RQ2, we collected time consumption/memory consumption (TC/MC) data presented in the evaluation and information about whether some steps of the method are automatic (Auto) to measure the efficiency of the WAVD approaches. For measuring effectiveness, in addition to popular metrics [156] listed in Table B.1 in Appendix B, such as false positive rate (FPR), false negative rate (FNR), true negative rate (TNR), true positive rate (TPR), precision (P), accuracy (Acc), Recall (R), F-measure/F1-score, code coverage (CC) [124], detection rate (DR) (i.e., number of attacks detected as attacks / number of attacks [131,150]), metrics such as p-value and effect size [20], area under the receiver operating characteristic curve (AUC) [14], and fitness [123,131], are also presented in the evaluation of the WAVD approaches and are therefore summarized and compared. Seventy-eight out of the 105 studies focus on injection vulnerabilities, probably because injection vulnerabilities are top listed in OWASP 2013 and OWASP 2017.…”