Defending Against XML-Based Attacks Using State-Based XML Firewall

With the proliferation of service-oriented systems and cloud computing, web services security has gained much attention in recent years. Web service attacks, called XML-based attacks, typically occur at the SOAP message level, and so they are not readily handled by existing security mechanisms such as a conventional firewall. In order to provide effective security mechanisms for service-oriented systems, XML firewalls have recently been introduced as one of the major means for web services security. In this paper, we present a framework for a state-based XML firewall, called S-Wall, which supports dynamic role-based access control (D-RBAC) and detection of XML-based attacks in real time. We provide a detailed design of the S-Wall security model by defining state-based information, user information, access control policies, and detection and verification (D&V) rules. The D&V rules are modularized into separate units, which support real-time detection and verification of various types of attacks using state-based information. To illustrate the effectiveness of our approach, we develop a prototype S-Wall and use a case study to demonstrate how S-Wall can be used to efficiently detect and defend against XML-based attacks.
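As an added illustration that is not part of the paper and not the S-Wall prototype, the following Python sketch shows the shape of the model the abstract describes: user information and state-based information are kept separately from the message, the access control policy is role-based, each D&V rule is a separate unit that receives the request and the shared state, and the role a user holds can change as state accumulates (dynamic RBAC). The banking operations, role names, limits, the "demote after two violations" reaction and the sample SOAP messages are all constructed assumptions for the example.

```python
"""Added example: a toy state-based XML firewall in the spirit of S-Wall.
Not the paper's code; operations, roles, limits and the demotion policy are assumed."""
from __future__ import annotations

import io
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Access control policy (constructed): the SOAP operations each role may invoke.
POLICY = {
    "admin": {"GetBalance", "Transfer", "CloseAccount"},
    "customer": {"GetBalance", "Transfer"},
    "guest": {"GetBalance"},
}
MAX_BYTES, MAX_DEPTH, MAX_REQUESTS_PER_USER, DEMOTE_AFTER = 4096, 16, 5, 2


@dataclass
class Request:
    user: str   # authenticated principal (user information)
    soap: str   # raw SOAP message as received


@dataclass
class FirewallState:
    """State-based information kept across requests (assumed representation)."""
    roles: Dict[str, str]                                    # current role per user
    request_count: Dict[str, int] = field(default_factory=dict)
    violations: Dict[str, int] = field(default_factory=dict)


# A D&V rule is one separate unit: (request, state) -> violation text or None.
Rule = Callable[[Request, FirewallState], Optional[str]]


def soap_operation(soap: str) -> Optional[str]:
    """Local name of the first child of soap:Body, or None if absent or malformed."""
    try:
        root = ET.fromstring(soap)
    except ET.ParseError:
        return None
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        return None
    tag = body[0].tag
    return tag.split("}", 1)[1] if "}" in tag else tag


def rule_size(req: Request, state: FirewallState) -> Optional[str]:
    return "oversized message" if len(req.soap.encode()) > MAX_BYTES else None


def rule_doctype(req: Request, state: FirewallState) -> Optional[str]:
    # A DTD or internal subset has no place in a SOAP message; refuse it before parsing.
    return "DOCTYPE declaration present" if "<!DOCTYPE" in req.soap else None


def rule_depth(req: Request, state: FirewallState) -> Optional[str]:
    depth = max_depth = 0
    try:
        for event, _ in ET.iterparse(io.BytesIO(req.soap.encode()), events=("start", "end")):
            depth += 1 if event == "start" else -1
            max_depth = max(max_depth, depth)
    except ET.ParseError:
        return "malformed XML"
    return f"nesting depth {max_depth} exceeds {MAX_DEPTH}" if max_depth > MAX_DEPTH else None


def rule_rate(req: Request, state: FirewallState) -> Optional[str]:
    # State-based: reads the per-user counter that inspect() maintains across calls.
    n = state.request_count.get(req.user, 0)
    return f"request {n} exceeds {MAX_REQUESTS_PER_USER} per user" if n > MAX_REQUESTS_PER_USER else None


def rule_access(req: Request, state: FirewallState) -> Optional[str]:
    # D-RBAC: the effective role comes from firewall state, never from the message.
    op = soap_operation(req.soap)
    if op is None:
        return "no operation in SOAP body"
    role = state.roles.get(req.user, "guest")
    return None if op in POLICY.get(role, set()) else f"role {role} may not invoke {op}"


RULES: List[Rule] = [rule_size, rule_doctype, rule_depth, rule_rate, rule_access]


def inspect(req: Request, state: FirewallState, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Update state, run the rule units in order and stop at the first violation.
    A user who accumulates DEMOTE_AFTER violations is dynamically demoted to guest."""
    state.request_count[req.user] = state.request_count.get(req.user, 0) + 1
    for rule in rules:
        verdict = rule(req, state)
        if verdict:
            v = state.violations.get(req.user, 0) + 1
            state.violations[req.user] = v
            if v >= DEMOTE_AFTER:
                state.roles[req.user] = "guest"
            return "BLOCK", f"{rule.__name__}: {verdict}"
    return "ALLOW", soap_operation(req.soap) or ""


def soap(op: str) -> str:
    """Constructed sample SOAP request for a hypothetical banking service."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><b:{op} xmlns:b="urn:example:bank">'
            f'<b:acct>42</b:acct></b:{op}></s:Body></s:Envelope>')


def demo() -> List[Tuple[str, str]]:
    state = FirewallState(roles={"alice": "customer", "bob": "admin"})
    out = [inspect(Request("alice", soap("GetBalance")), state),
           inspect(Request("alice", soap("CloseAccount")), state),     # outside customer role
           inspect(Request("bob", "<!DOCTYPE x>" + soap("Transfer")), state),
           inspect(Request("bob", "<a>" * 40 + "</a>" * 40), state),  # 2nd violation: demoted
           inspect(Request("bob", soap("Transfer")), state)]           # now blocked as guest
    out += [inspect(Request("alice", soap("GetBalance")), state) for _ in range(4)]  # rate trips
    return out


if __name__ == "__main__":
    for decision, detail in demo():
        print(decision, detail)
```

The ordering of the rule list is part of the design: the cheap structural checks (size, DOCTYPE) run on the raw bytes before anything is parsed, so a message that would be expensive or unsafe to parse never reaches the parser, and the access decision is taken last against the role currently recorded in state, which is why bob's otherwise-permitted Transfer is refused once his earlier violations have demoted him.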
