Published in: Service Oriented Computing and Applications 2/2018

27-11-2017 | Original Research Paper

Adaptive security architecture for protecting RESTful web services in enterprise computing environment

Authors: Mohamed Ibrahim Beer, Mohd Fadzil Hassan


Abstract

In the modern era of enterprise computing, enterprise application integration (EAI) is a well-known, industry-recognized architectural principle built on a loosely coupled application architecture, and service-oriented architecture (SOA) is the architectural pattern used to implement EAI; its computational elements are called “services.” Although SOA can be implemented with a wide range of technologies, the web services implementation of SOA has become the prevailing choice because of its simplicity and because it works over basic Internet protocols. Web service technology defines several supporting protocols and specifications, such as SOAP and WSDL, for client–server communication and data interchange. In recent years a new architectural paradigm has emerged in SOA, called REpresentational State Transfer (REST), which system integration consortiums also use to integrate loosely coupled service components, named RESTful web services. This SOA implementation does not possess adequate security solutions of its own; its security depends entirely on network/transport layer security, which is obsolete in the face of the latest web technologies such as Web 2.0 and its upgraded version, Web 3.0. Vendor security products have major implementation constraints: they require a secured organizational environment and breach SOA specifications, thereby introducing new vulnerabilities. Herein, we examine the security vulnerabilities of RESTful web services in the light of the popular OWASP rating methodologies and analyze the gaps in the existing security solutions. We then propose an adaptive security solution for REST that uses public key infrastructure techniques to enhance the security architecture. The proposed security architecture is constructed as an adaptive, way-forward, Internet-of-Things (IoT) friendly security solution comprising three cyclic parts: learn, predict and prevent.
A novel security component named “intelligent security engine” is introduced, which learns the possible occurrences of security threats on SOA using artificial neural network learning algorithms; it then predicts potential attacks on SOA from the results obtained by the developed theoretical security model, and the algorithms written as part of the security solution prevent the SOA attacks. This paper presents one such algorithm for preventing SOA attacks on RESTful web services, along with a discussion of the results obtained from a proof-of-concept conducted in a real-time SOA environment. A comparison of the proposed system with other competing solutions demonstrates its superiority.
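To make the abstract's central point concrete, the following Go program (an added example written for this page, not code from the paper or its authors) shows one form of message-level, PKI-based protection for a REST request: the client signs a canonical rendering of the request with an Ed25519 private key, and the server verifies it against a public key looked up by key identifier, rejecting tampered, replayed and stale requests regardless of what the transport layer provides. The request fields, the hypothetical header names, the key identifier `client-42`, the paths and the JSON payloads are all constructed for the illustration; the paper's own algorithm, which the abstract does not spell out, may differ.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// SignedRequest holds the parts of a REST call the signature covers plus the values a
// client would send in headers (hypothetical names X-Key-Id, X-Timestamp, X-Nonce,
// X-Signature). Field names are this example's own, not the paper's.
type SignedRequest struct {
	Method, Path string
	Query        url.Values
	Body         []byte
	KeyID        string // which client public key the server should look up
	Timestamp    int64  // Unix seconds; bounds how long a captured request stays usable
	Nonce        string // random per-request value so an exact replay can be spotted
	Signature    string // base64 Ed25519 signature over canonicalRequest()
}

// canonicalRequest renders the request deterministically so both sides sign and verify
// identical bytes: url.Values.Encode() sorts query keys, the body is replaced by its
// SHA-256, and the anti-replay fields are bound into the signed string.
func canonicalRequest(r *SignedRequest) []byte {
	bodyHash := sha256.Sum256(r.Body)
	return []byte(strings.Join([]string{
		strings.ToUpper(r.Method), r.Path, r.Query.Encode(),
		base64.StdEncoding.EncodeToString(bodyHash[:]),
		fmt.Sprintf("%d", r.Timestamp), r.Nonce, r.KeyID,
	}, "\n"))
}

// SignRequest is the client side: stamp the request, then sign its canonical form.
func SignRequest(r *SignedRequest, keyID string, priv ed25519.PrivateKey, now time.Time) error {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	r.KeyID, r.Timestamp, r.Nonce = keyID, now.Unix(), base64.RawURLEncoding.EncodeToString(nonce)
	r.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canonicalRequest(r)))
	return nil
}

// Verifier is the server side state: trusted client keys and the nonces already accepted.
// A production cache would expire entries older than MaxSkew; a plain map keeps this short.
type Verifier struct {
	Trusted map[string]ed25519.PublicKey
	MaxSkew time.Duration
	Seen    map[string]bool
}

// Verify runs the cheap checks first and records the nonce only after the signature
// passes, so unauthenticated traffic cannot fill the replay cache.
func (v *Verifier) Verify(r *SignedRequest, now time.Time) error {
	pub, ok := v.Trusted[r.KeyID]
	if !ok {
		return errors.New("unknown key id")
	}
	if age := now.Sub(time.Unix(r.Timestamp, 0)); age > v.MaxSkew || age < -v.MaxSkew {
		return errors.New("timestamp outside accepted window")
	}
	if v.Seen[r.KeyID+":"+r.Nonce] {
		return errors.New("nonce already used")
	}
	sig, err := base64.StdEncoding.DecodeString(r.Signature)
	if err != nil || !ed25519.Verify(pub, canonicalRequest(r), sig) {
		return errors.New("signature mismatch")
	}
	v.Seen[r.KeyID+":"+r.Nonce] = true
	return nil
}

// Outcome records the verifier's verdict for each constructed case (nil = accepted).
type Outcome struct{ Tampered, Genuine, Replayed, Stale error }

// RunScenario signs one constructed request and shows how the server treats a tampered
// copy of it, the genuine request, a replay of it, and the same request an hour later.
func RunScenario() (Outcome, error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	srv := &Verifier{Trusted: map[string]ed25519.PublicKey{"client-42": pub}, MaxSkew: 5 * time.Minute, Seen: map[string]bool{}}
	now := time.Now()
	genuine := &SignedRequest{Method: "POST", Path: "/api/v1/transfers",
		Query: url.Values{"b": {"2"}, "a": {"1"}}, Body: []byte(`{"amount":100,"to":"acct-7"}`)}
	if err := SignRequest(genuine, "client-42", priv, now); err != nil {
		return Outcome{}, err
	}
	tampered := *genuine // same headers and signature, body altered in transit
	tampered.Body = []byte(`{"amount":100000,"to":"acct-7"}`)
	return Outcome{
		Tampered: srv.Verify(&tampered, now),
		Genuine:  srv.Verify(genuine, now),
		Replayed: srv.Verify(genuine, now.Add(time.Minute)), // captured and resent
		Stale:    srv.Verify(genuine, now.Add(time.Hour)),   // outside the window
	}, nil
}

func main() { o, _ := RunScenario(); fmt.Printf("%+v\n", o) }
```

The order of checks in `Verify` is deliberate: the nonce is recorded only after the signature verifies, so unauthenticated traffic cannot pollute the replay cache, and the timestamp window bounds how long that cache has to retain nonces. Ed25519 is used because it is in Go's standard library; a deployment rooted in X.509 certificates would keep the same structure, with the key-identifier lookup replaced by certificate chain validation.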


Metadata
Title: Adaptive security architecture for protecting RESTful web services in enterprise computing environment
Authors: Mohamed Ibrahim Beer, Mohd Fadzil Hassan
Publication date: 27-11-2017
Publisher: Springer London
Published in: Service Oriented Computing and Applications / Issue 2/2018
Print ISSN: 1863-2386
Electronic ISSN: 1863-2394
DOI: https://doi.org/10.1007/s11761-017-0221-1
