Security Vulnerabilities Detection Using Model Inference for Applications and Security Protocols

"Internet of Services" (IoS) is a vision of the Internet of the Future where applications are built by combining services provided by a variety of service providers over the network. They are deployed as needed and consumed at run-time in a demand-driven and flexible way. Model-based testing is one method for testing security of applications but it needs formal models and most of the time service providers are not able to provide them. For that, model inference methods adapted to security testing can be used. This document tries to give some directions in order to combine enhanced model inference and model testing to ensure security of services automatically.

[1]  M. P. Vasilevskii Failure diagnosis of automata , 1973 .

[2]  Yannick Chevalier,et al.  A High Level Protocol Specification Language for Industrial Security-Sensitive Protocols , 2004 .

[3]  Stephen McCamant,et al.  The Daikon system for dynamic detection of likely invariants , 2007, Sci. Comput. Program..

[4]  David Lee,et al.  Testing Security Properties of Protocol Implementations - a Machine Learning Based Approach , 2007, 27th International Conference on Distributed Computing Systems (ICDCS '07).

[5]  Alexandre Petrenko,et al.  Inferring Behavioural Models from Traces of Business Applications , 2009, 2009 IEEE International Conference on Web Services.

[6]  Keqin Li,et al.  Modular System Verification by Inference, Testing and Reachability Analysis , 2008, TestCom/FATES.

[7]  Oliver Niese,et al.  An integrated approach to testing complex systems , 2003 .

[8]  Roland Groz,et al.  Using Invariant Detection Mechanism in Black Box Inference , 2007, ISoLA.

[9]  Fides Aarts,et al.  Generating Models of Infinite-State Communication Protocols Using Regular Inference with Abstraction , 2010, ICTSS.

[10]  Michael Backes,et al.  Tailoring the Dolev-Yao abstraction to web services realities , 2005, SWS '05.

[11]  Roland Groz,et al.  Inferring Mealy Machines , 2009, FM.

[12]  Gavin Lowe Analysing Protocol Subject to Guessing Attacks , 2004, J. Comput. Secur..

[13]  Keqin Li,et al.  Integration Testing of Distributed Components Based on Learning Parameterized I/O Models , 2006, FORTE.

[14]  Dana Angluin,et al.  Learning Regular Sets from Queries and Counterexamples , 1987, Inf. Comput..

[15]  Keqin Li,et al.  Model-Checking Driven Security Testing of Web-Based Applications , 2010, 2010 Third International Conference on Software Testing, Verification, and Validation Workshops.

[16]  Bengt Jonsson,et al.  Regular Inference for State Machines Using Domains with Equality Tests , 2008, FASE.