Abstract
A service cloud architecture that allows web service compositions to answer complex requests improves the accessibility and flexibility of web services from different vendors. However, security issues exist in the service cloud, including both vulnerabilities of traditional web service communications and new issues brought by inter-cloud communications. Cloud-wide auditing to uncover security issues is a complex task due to the large scale and decentralized structure of the cloud environment. Existing security standards, protocols and auditing mechanisms can provide audit logs, but in most cases, these logs cannot pinpoint type, location, and impact of threats. Given a cloud architecture that specifies the scope of audit logs and a definition of the expected auditable events in the cloud providing evidence of potential threats, we define Vulnerability Diagnostic Trees (VDTs) to formally manifest vulnerability patterns across several audit trails generated within the service cloud. Our attack examples are based on the allocation of services to a web service composition that answers a client request through end-to-end round trip messaging.
“Approved for Public Release; Distribution Unlimited: 88ABW-2013-0074, 09-Jan-2013”
Acknowledgements
This material is based on research sponsored in part by the Air Force Office of Scientific Research (AFOSR) grant FA-9550-09-1-0409, the Air Force Research Laboratory (AFRL) grant FA8750-10-2-0143 and the AFOSR/AFRL LRIR 11RI01COR. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the AFOSR, AFRL, or the U.S. Government.
© 2014 Springer Science+Business Media New York
Cite this chapter
Xie, R., Gamble, R., Ahmed, N. (2014). Diagnosing Vulnerability Patterns in Cloud Audit Logs. In: Han, K., Choi, BY., Song, S. (eds) High Performance Cloud Auditing and Applications. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-3296-8_5
DOI: https://doi.org/10.1007/978-1-4614-3296-8_5
Publisher Name: Springer, New York, NY
Print ISBN: 978-1-4614-3295-1
Online ISBN: 978-1-4614-3296-8