Is the future Web more insecure? Distractions and solutions of new-old security issues and measures

The world of information and communication technology is experiencing changes that, regardless of some skepticism, are bringing to life the concept of "utility computing". Nostalgics have observed a parallel between the emerging paradigm of cloud computing and the traditional time-sharing era, depicting clouds as the modern reincarnation of mainframes available on a pay-per-use basis and equipped with virtual, elastic disks-as-a-service that replace the old physical disks with quotas. This comparison is fascinating, but more importantly, in our opinion, it prepares the ground for constructive critiques regarding the security of such a computing paradigm and, especially, of one of its key components: web services. In this paper we discuss our position on the current countermeasures (e.g., intrusion detection systems, anti-malware) developed to mitigate well-known web security threats. By reasoning on said affinities, we focus on the simple case study of anomaly-based approaches, which are employed in many modern protection tools, not just in intrusion detectors. We illustrate our position by means of a simple running example and show that attacks against injection vulnerabilities, a widespread menace that is easily recognizable with ordinary anomaly-based checks, can be difficult to detect if web services are protected as if they were regular web applications. Along this line, we concentrate on a few critical hypotheses that demand particular attention. Although in this emerging landscape only a minority of threats qualify as novel, they could be difficult to recognize with the current countermeasures and thus can expose web services to new attacks. We conclude by proposing simple modifications to the current countermeasures to cope with the aforesaid security issues.
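The following is an added illustration of the abstract's point, not the paper's own running example (which this page does not reproduce). It assumes a toy per-parameter anomaly detector of the kind used for web applications (length and character-class profile per URL parameter): it flags an injection-like value in a query string, but sees nothing when the same value arrives inside a SOAP body, because it only extracts fields from the URL; a service-aware extractor that keys the same models on XML leaf elements restores detection. The endpoint paths, field names, training values and injection string are constructed.

```python
import math
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qsl

# Constructed benign training set: values the "user" field takes in normal traffic.
BENIGN_USERS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
INJECTION = "alice' OR '1'='1"  # constructed injection-shaped value used as the test input

def profile(values):
    """Per-field model: mean/std of value length and share of alphanumeric characters."""
    lengths = [len(v) for v in values]
    mean = sum(lengths) / len(lengths)
    std = math.sqrt(sum((n - mean) ** 2 for n in lengths) / len(lengths))
    alnum = sum(c.isalnum() for v in values for c in v) / max(1, sum(lengths))
    return {"mean": mean, "std": std, "alnum": alnum}

def is_anomalous(model, value, z=3.0):
    """Flag a value whose length is a z-score outlier or whose charset departs from the profile."""
    length_outlier = abs(len(value) - model["mean"]) > z * max(model["std"], 1.0)
    alnum_frac = sum(c.isalnum() for c in value) / max(1, len(value))
    return length_outlier or alnum_frac < model["alnum"] - 0.25

def fields_web_app(url, body):
    """Web-application view: the only fields are the query-string parameters of the URL."""
    u = urlparse(url)
    return {f"{u.path}?{k}": v for k, v in parse_qsl(u.query)}

def fields_web_service(url, body):
    """Web-service view: also treat each text-bearing leaf element of the XML body as a field."""
    fields = fields_web_app(url, body)
    if body:
        path = urlparse(url).path
        for elem in ET.fromstring(body).iter():
            if len(elem) == 0 and elem.text:  # leaf element with text content
                fields[f"{path}#{elem.tag.split('}')[-1]}"] = elem.text  # strip namespace
    return fields

def detect(extract, models, url, body=""):
    """Return the names of fields judged anomalous; an empty set means 'normal'."""
    found = extract(url, body)
    return {n for n, v in found.items() if n in models and is_anomalous(models[n], v)}

def soap_request(user):
    # Constructed SOAP envelope; `user` is inserted as element text (no markup characters).
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
            f'<getProfile xmlns="urn:example"><user>{user}</user></getProfile>'
            '</soap:Body></soap:Envelope>')

# Same profile, keyed once as a URL parameter and once as an XML element of the service.
MODELS = {"/profile?user": profile(BENIGN_USERS), "/svc#user": profile(BENIGN_USERS)}
```

Run `detect(fields_web_app, MODELS, "/svc", soap_request(INJECTION))` and the web-application view returns an empty set, while `detect(fields_web_service, ...)` on the same request flags `/svc#user`.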
