Revealing Business Relationships - Eavesdropping Cross-organizational Collaboration in the Internet of Services

The Internet of Services is envisioned as a global Service-oriented Architecture enabling collaboration across organizational boundaries. However, by monitoring communication endpoints, attackers can create detailed profiles of service consumers and providers even if typical security mechanisms such as message encryption are used. In a business context, this traffic analysis threatens the relationship anonymity of the participants and can reveal sensitive information about an organization’s underlying business processes or a service provider’s client base. In this paper, we discuss the simulation-based evaluation of different attack scenarios regarding the identification of the service compositions an organization uses. Thus, we offer insights regarding the limits of anonymity for cross-organizational collaboration in the Internet of Services.
