A fuzzy outranking approach in risk analysis of web service security
Risk analysis is an important process for identifying known and potential vulnerabilities and threats to web service security. It is difficult for users to collect enough incident data to estimate the full set of vulnerabilities and the probability of threats on the Web, because malicious attacks change rapidly and new vulnerabilities keep appearing. In this paper, a fuzzy risk assessment model is developed to evaluate the risk of web services when complete information is not available. The proposed model extends the Pseudo-Order Preference Model (POPM) to estimate imprecise risk according to the richness of the available information, and ranks the services using a weighted additive rule. A case study on a number of web services is presented to test the proposed approach.
Keywords: Fuzzy outranking; Risk analysis; Web services security; Pseudo-order; POPM
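The abstract names two ingredients of the model without detailing them: a weighted additive rule applied to imprecise (fuzzy) risk estimates, and a pseudo-order comparison of the resulting scores. The following Python example is added here as an illustration of those two ingredients in general form; it is not the paper's code or its exact model. The linguistic scale, the four risk criteria and their weights, the indifference and preference thresholds q and p, and the ratings of the three services are all assumed or constructed for illustration.

```python
"""Fuzzy weighted-additive risk ranking with pseudo-order comparison (illustrative)."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class TFN:
    """Triangular fuzzy number (lower, modal, upper) on a 0..1 risk scale."""
    l: float
    m: float
    u: float

    def __add__(self, other: "TFN") -> "TFN":
        return TFN(self.l + other.l, self.m + other.m, self.u + other.u)

    def scale(self, k: float) -> "TFN":
        return TFN(self.l * k, self.m * k, self.u * k)

    def centroid(self) -> float:
        """Crisp representative value used for ranking."""
        return (self.l + self.m + self.u) / 3.0

    def spread(self) -> float:
        """Width of the support: how imprecise the aggregated estimate is."""
        return self.u - self.l


# Linguistic risk terms -> fuzzy numbers. Assumed scale, not the paper's.
TERMS = {
    "VL": TFN(0.00, 0.00, 0.25),
    "L":  TFN(0.00, 0.25, 0.50),
    "M":  TFN(0.25, 0.50, 0.75),
    "H":  TFN(0.50, 0.75, 1.00),
    "VH": TFN(0.75, 1.00, 1.00),
}

# Assumed risk criteria and weights (sum to 1.0).
WEIGHTS = {
    "authentication": 0.30,
    "message_integrity": 0.30,
    "confidentiality": 0.25,
    "availability": 0.15,
}

# Constructed ratings for three hypothetical web services.
SERVICES = {
    "svc-payment": {"authentication": "H", "message_integrity": "M",
                    "confidentiality": "VH", "availability": "M"},
    "svc-orders":  {"authentication": "M", "message_integrity": "H",
                    "confidentiality": "M", "availability": "L"},
    "svc-catalog": {"authentication": "L", "message_integrity": "L",
                    "confidentiality": "VL", "availability": "M"},
}


def weighted_additive(ratings: dict, weights: dict = WEIGHTS) -> TFN:
    """Aggregate per-criterion fuzzy ratings: R = sum_j w_j * r_j."""
    total = TFN(0.0, 0.0, 0.0)
    for criterion, term in ratings.items():
        total = total + TERMS[term].scale(weights[criterion])
    return total


def relation(a: float, b: float, q: float = 0.05, p: float = 0.15) -> str:
    """Pseudo-order relation between crisp scores a and b.

    q is the indifference threshold and p the preference threshold (q < p):
    |a-b| <= q -> indifference (I); q < |a-b| <= p -> weak preference (Q);
    |a-b| > p -> strict preference (P). Threshold values are assumed.
    """
    d = a - b
    if abs(d) <= q:
        return "aIb"
    if abs(d) <= p:
        return "aQb" if d > 0 else "bQa"
    return "aPb" if d > 0 else "bPa"


def rank_services(services: dict = SERVICES) -> list:
    """Return (name, centroid, spread) sorted from riskiest to least risky."""
    scored = []
    for name, ratings in services.items():
        r = weighted_additive(ratings)
        scored.append((name, r.centroid(), r.spread()))
    scored.sort(key=lambda t: t[1], reverse=True)
    return scored


def pairwise_relations(services: dict = SERVICES) -> dict:
    """Pseudo-order relation for every pair, keyed by (name_a, name_b) in rank order."""
    crisp = {name: c for name, c, _ in rank_services(services)}
    return {(a, b): relation(crisp[a], crisp[b]) for a, b in combinations(crisp, 2)}


if __name__ == "__main__":
    for name, c, w in rank_services():
        print(f"{name:12s} risk={c:.3f} spread={w:.3f}")
    for (a, b), rel in pairwise_relations().items():
        print(f"{a} vs {b}: {rel}")
```

Two things the plain sort by centroid would hide are visible here. First, the spread of each aggregated fuzzy number records how much imprecision the input ratings carried, which is the "incomplete information" situation the abstract targets. Second, the pseudo-order thresholds turn near-equal scores into indifference or only weak preference: with the constructed data, svc-payment and svc-orders differ by about 0.14, which falls between q and p, so the model reports a weak preference rather than a confident ordering, while both are strictly riskier than svc-catalog.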