International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
Algorithm for Securing SOAP Based Web Services from WSDL Scanning Attacks - iosrjce
IOSR Journal of Computer Engineering (IOSR-JCE) is a double blind peer reviewed International Journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
In this research, we have focused on the most challenging issue that Web Services face, i.e. how to secure their information. Web Services security could be guaranteed by employing security standards, which is the main focus of this research. Every suggested model related to security design should take into account the security objectives: integrity, confidentiality, non-repudiation, authentication, and authorization. The proposed model describes SOAP messages and the way to secure their contents. Because the SOAP message is the core of the information exchanged in Web Services, this research has developed a security model needed to ensure e-business security. The essence of our model depends on XML Encryption and XML Signature to encrypt and sign the SOAP message. The proposed model aims to achieve a high transaction speed and a strong level of security without jeopardizing the performance of information transmission.
Rapid advances in information technology have changed existing markets, transforming physical markets into e-markets (e-commerce). Along with the evolution of e-commerce, enterprises have to find a safer approach for implementing e-commerce and maintaining its logical security. SOA is one of the best techniques to fulfill these requirements. SOA has the advantages of being easy to use, flexible, and reusable. Alongside these advantages, SOA is also prone to message tampering and unauthorized access. This makes the implementation of security technology for e-commerce more difficult than in other engineering sciences. This paper discusses the importance of using SOA in e-commerce and identifies the flaws in the existing security analysis of e-commerce platforms. On the basis of the identified defects, this article also suggests an implementation design of a logical security framework for an SOA-supported e-commerce system.
This document discusses security considerations for service-oriented architectures (SOAs). It begins by defining SOA and some common SOA technologies like SOAP, WSDL, and UDDI. It then covers important security concepts like confidentiality, integrity, non-repudiation, authentication, authorization, and availability. Specific security standards and approaches are discussed for each concept, such as encryption for confidentiality and digital signatures for integrity and non-repudiation. Authentication methods like digital certificates and SAML are also described. The document advocates for defining clear security policies and separating policy enforcement from decision making. It concludes by discussing threats to XML and debates between using REST vs SOAP/WS-Security approaches.
The document summarizes security measures for SafeNet Authentication Service, including:
1) A multi-tenant architecture with data separation between customers and encryption of user data.
2) Two geographically separate Points of Presence (PoPs) that are mirrored for redundancy.
3) Regular testing of disaster recovery plans and annual auditing of security and availability.
Cloud computing provides resources like hardware, software, and bandwidth over the network to consumers worldwide. However, cloud computing faces security issues. This document discusses four security issues: denial of service attacks which prevent consumers from accessing cloud services; XML signature element wrapping attacks which manipulate SOAP messages; cloud malware injection which introduces malicious applications into the cloud; and browser security issues which make authentication vulnerable. The document proposes countermeasures like access authorization, cryptographic protocols, integrity checks, and applying WS-Security in browsers.
Secure and efficient handover authentication and detection of spoofing attack - eSAT Publishing House
IJRET: International Journal of Research in Engineering and Technology is an international peer-reviewed online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together scientists, academicians, field engineers, scholars and students of related fields of Engineering and Technology.
Semantic Web Services (Standards, Monitoring, Testing and Security) - Reza Gh
This document discusses semantic web services, including an introduction, life cycle, foundation standards, and monitoring and security. It provides an outline and overview of key concepts such as semantic web service concepts, life cycle phases including service modeling, discovery, definition and delivery. It also summarizes foundation standards for web services including HTTP, WSDL, SOAP and UDDI, and for semantic web services including OWL-S and SAWSDL. It discusses monitoring of semantic web services and security aspects including message protection, privacy, authentication and authorization.
This presentation examines architectural patterns for SOA security according to the externalization of the cross-cutting concerns of authorization and authentication, as well as the integration of identity federation. Conceptual building blocks for SOA security are sketched and assessed with respect to classical security means. Web services-based SOA systems are considered in particular. The analysis considers the native security functionality of common Web service stacks (e.g. Apache Axis, Microsoft WCF, Sun JAX-WS RI/WSIT).
SOA Testing: An Approach for Testing Security Aspects of SOA Based Application - Jaipal Naidu
The document describes an approach for testing security aspects of service-oriented architecture (SOA) based applications. It focuses on testing specifications such as WS-Security, SAML, WS-Trust, WS-SecureConversation, and WS-Security Policy. The approach involves writing customized test assertion documents based on specifications, capturing SOAP messages at interfaces, and comparing messages to test assertions to generate test results.
Trust Based Management with User Feedback Service in Cloud Environment - IRJET Journal
The document proposes a trust-based management system using user feedback in cloud environments. It introduces challenges with trust and security in cloud computing due to the dynamic and distributed nature of clouds. The proposed system uses an RSA algorithm to encrypt data and build trust between clouds and users based on customer feedback. It aims to detect misleading feedback through collusion detection and identify Sybil attacks by verifying user identities. The system evaluates feedback through data analysis to determine the credibility of trust information and protect cloud services from malicious users.
International Journal of Engineering and Science Invention (IJESI) - inventionjournals
This document proposes a framework to establish trust in cloud environments through improved accountability and transparency. It discusses how current cloud systems have limited accountability that prevents full transparency of user activities. The proposed framework uses a logging mechanism to generate detailed logs of all file and network access within virtual machines. The logs are encrypted at the kernel level before being sent to a trusted third party for secure storage. Storing logs with an independent third party prevents tampering by the cloud service provider and allows users to access accurate logs through the third party. The framework aims to improve trust in cloud computing by providing full transparency of user activities and protecting log integrity.
Introducing CAS 3.0 Protocol: Security and Performance - Amin Saqi
In this document we review the security and performance of the Central Authentication Service (CAS) protocol. CAS is a single-sign-on / single-sign-off (SSO) protocol for the web originally created by Yale University to provide a trusted way for an application to authenticate a user. It permits a user to access multiple applications while providing their credentials (such as USERID and PASSWORD) only once to a central CAS Server application.
Narrative of digital signature technology and moving forward - Conference Papers
1) The document discusses the development of a digital signature solution for web browsers over time, addressing changing technologies and standards.
2) Three key technology curves impacted the solution's design: the evolution of web extensions, compatibility across browsers, and digital certificate issuance standards.
3) The final solution released uses a client-server architecture with a web script to simplify digital signatures as a service, addressing challenges around cross-browser compatibility and changing extension technologies in browsers like Internet Explorer, Firefox and Chrome over the past 20 years.
The document describes vulnerabilities in SSL certificate validation in non-browser software. The authors found that SSL certificate validation is completely broken in many security-critical applications and libraries. A man-in-the-middle attacker can exploit these vulnerabilities to impersonate servers and intercept encrypted communications, even when certificates are signed by legitimate certificate authorities. The root causes are poorly designed SSL library APIs that expose low-level details and lead developers to misimplement certificate validation, along with a lack of proper security testing. This validates SSL connections against the intended threat model.
This document discusses security requirements for mobile governance (m-governance) projects. It analyzes security issues with different m-governance delivery channels like SMS, mobile applications, and proposes a security architecture with features like user authentication, authorization, data encryption, transaction security, alerting/logging/auditing. It also presents a case study of Aadhaar's e-KYC API, describing its authentication, key exchange and encryption mechanisms. The goal is to help identify real security needs and offer measures to secure request/response data transmitted over mobile channels for m-governance implementations.
Survey on reliable SLA based monitoring for billing scheme in cloud computing - eSAT Journals
Abstract: The ability to record and keep a report of the usage of cloud resources in a reliable and certifiable manner is a prerequisite for both the cloud service provider and the users, because usage information is potentially sensitive and must be verifiably correct. This is a critical job because, in an attempt to provide a mutually integrated approach to the system, we come to know that computational overhead increases due to the use of traditional asymmetric key operations, which leads to a system bottleneck. The success of any billing system depends upon factors like integrity and non-repudiation. Traditional billing systems are restricted in their security capabilities. To overcome this drawback, the paper introduces the billing system called THEMIS. This new billing system introduces some new attributes which provide security facilities to the billing transactions. This system brings a new concept called the Cloud Notary Authority (CNA), which administers the billing transactions and makes them acceptable to users and the cloud service provider. The Cloud Notary Authority generates the binding information which helps the system resolve future conflicts between users and the cloud service provider. An SLA (service level agreement) monitoring approach is introduced to provide forgery resistance, which does not allow the information to be modified even by a supervisor of the cloud service provider. The service level agreement monitoring approach is improved with a TPM (Trusted Platform Module), which stores the information in a very secure manner.
Keywords: Cloud Notary Authority, Cloud server provider, verification, transaction processing, resource allotment.
Identity based cryptography for client side security in web applications (web... - eSAT Publishing House
Privacy preserving distributed profile matching in proximity-based mobile soc... - IEEEFINALYEARPROJECTS
IRJET- ESBA based Privacy Protection in OSCS - IRJET Journal
This document proposes a novel method called ESBA (Encryption Scheme Based on Attributes) to address privacy and security issues in online social communication systems (OSCS). It first discusses existing problems with OSCS privacy protection methods. It then describes the proposed approach, which uses ESBA encryption along with hierarchy genetic algorithm and radial based administration to preprocess and encrypt user information in the OSCS. The document outlines the initialization, encryption, key generation and decryption processes used in the ESBA method. It also provides results from implementing and analyzing the proposed approach, showing improvements over existing methods in terms of encryption accuracy, data loss and secret key generation time.
The document summarizes OAuth 2.0, an open standard for authorization. It describes the traditional client-server authentication model and its limitations that OAuth addresses. OAuth defines four roles in the authorization process and four grant types. It explains the authorization code grant type in five steps: the client requests authorization, the user authorizes access, the client receives an authorization code, the client requests an access token, and receives the access token. The document provides homework on further reading about OAuth authorization code flow and other grant types.
Key-exposure resistance has always been an important issue for in-depth cyber defence in many security applications. Recently, how to deal with the key exposure problem in the settings of cloud storage auditing has been proposed and studied. To address the challenge, existing solutions all require the client to update his secret keys in every time period, which may inevitably bring in new local burdens to the client, especially those with limited computation resources such as mobile phones. In this paper, we focus on how to make the key updates as transparent as possible for the client and propose a new paradigm called cloud storage auditing with verifiable outsourcing of key updates. In this paradigm, key updates can be safely outsourced to some authorized party, and thus the key-update burden on the client will be kept minimal. Specifically, we leverage the third party auditor (TPA) in many existing public auditing designs, let it play the role of authorized party in our case, and make it in charge of both the storage auditing and the secure key updates for key-exposure resistance. In our design, TPA only needs to hold an encrypted version of the client’s secret key, while doing all these burdensome tasks on behalf of the client. The client only needs to download the encrypted secret key from the TPA when uploading new files to cloud. Besides, our design also equips the client with capability to further verify the validity of the encrypted secret keys provided by TPA. All these salient features are carefully designed to make the whole auditing procedure with key exposure resistance as transparent as possible for the client. We formalize the definition and the security model of this paradigm. The security proof and the performance simulation show that our detailed design instantiations are secure and efficient.
Towards agile marketing. Revista Marketing + Ventas 11/2014 - Joan Sardà
What do the large and small companies with the highest growth rates in their markets have in common? With or without a crisis, in an environment of constant change, the companies achieving the best results around the world are those that internalize a strategy of deep customer orientation, or customer-centricity, together with a fundamental operational capability: agility.
Article published in the magazine Marketing + Ventas, November 2014.
Artificial intelligence (AI) is everywhere, promising self-driving cars, medical breakthroughs, and new ways of working. But how do you separate hype from reality? How can your company apply AI to solve real business problems?
Here’s what AI learnings your business should keep in mind for 2017.
The document proposes an algorithm to secure SOAP-based web services from WSDL scanning attacks. The algorithm uses existing security standards like PKI, digital signatures, and XML encryption/decryption. It encrypts critical portions of the WSDL using symmetric encryption before publishing it to the UDDI registry. The encrypted WSDL contains a digital signature and hash to validate integrity. Clients must decrypt the WSDL using the service provider's public key before binding to prevent attacks from interpreting the WSDL contents. The algorithm was implemented and tested using Java with real banking data, with minimal performance overhead.
The document summarizes OAuth 2.0, an open standard for authorization. It describes the traditional client-server authentication model and its limitations that OAuth addresses. OAuth defines four roles in the authorization process and four grant types. It explains the authorization code grant type in five steps: the client requests authorization, the user authorizes access, the client receives an authorization code, the client requests an access token, and receives the access token. The document provides homework on further reading about OAuth authorization code flow and other grant types.
Key-exposure resistance has always been an important issue for in-depth cyber defence in many security applications. Recently, how to deal with the key exposure problem in the settings of cloud storage auditing has been proposed and studied. To address the challenge, existing solutions all require the client to update his secret keys in every time period, which may inevitably bring in new local burdens to the client, especially those with limited computation resources such as mobile phones. In this paper, we focus on how to make the key updates as transparent as possible for the client and propose a new paradigm called cloud storage auditing with verifiable outsourcing of key updates. In this paradigm, key updates can be safely outsourced to some authorized party, and thus the key-update burden on the client will be kept minimal. Specifically, we leverage the third party auditor (TPA) in many existing public auditing designs, let it play the role of authorized party in our case, and make it in charge of both the storage auditing and the secure key updates for key-exposure resistance. In our design, TPA only needs to hold an encrypted version of the client’s secret key, while doing all these burdensome tasks on behalf of the client. The client only needs to download the encrypted secret key from the TPA when uploading new files to cloud. Besides, our design also equips the client with capability to further verify the validity of the encrypted secret keys provided by TPA. All these salient features are carefully designed to make the whole auditing procedure with key exposure resistance as transparent as possible for the client. We formalize the definition and the security model of this paradigm. The security proof and the performance simulation show that our detailed design instantiations are secure and efficient.
Hacia un marketing ágil. Revista Marketing + Ventas 11/2014Joan Sardà
¿Qué tienen en común las empresas grandes y pequeñas con mayores tasas de crecimiento en sus mercados? Con o sin
crisis, ante un entorno en permanente cambio las empresas que están obteniendo mejores resultados en todo el mundo son
las que interiorizan una estrategia de profunda orientación al cliente, o customer-centricity, y una capacidad operativa fundamental, la agilidad.
Artículo publicado en la revista Marketing + Ventas de Noviembre de 2014
Artificial intelligence (AI) is everywhere, promising self-driving cars, medical breakthroughs, and new ways of working. But how do you separate hype from reality? How can your company apply AI to solve real business problems?
Here’s what AI learnings your business should keep in mind for 2017.
The document proposes an algorithm to secure SOAP-based web services from WSDL scanning attacks. The algorithm uses existing security standards like PKI, digital signatures, and XML encryption/decryption. It encrypts critical portions of the WSDL using symmetric encryption before publishing it to the UDDI registry. The encrypted WSDL contains a digital signature and hash to validate integrity. Clients must decrypt the WSDL using the service provider's public key before binding to prevent attacks from interpreting the WSDL contents. The algorithm was implemented and tested using Java with real banking data, with minimal performance overhead.
A Survey on Authorization Systems for Web Applicationsiosrjce
IOSR Journal of Computer Engineering (IOSR-JCE) is a double blind peer reviewed International Journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
This document provides a survey of various authorization systems that have been proposed for web applications and web services. It begins with an introduction to web services and common security issues and attacks. It then describes several existing authorization models and frameworks that have been used for web services, including attribute-based access control, role-based access control using LDAP, and interactive access control. The document compares these different authorization techniques based on factors like separation of duties, fine-grained authorization, nature of the system, and performance. It concludes that most proposed systems authorize based on role models but few can dynamically authorize requests or integrate well with service-oriented architectures.
The project work explores in detail, the security issues in a SOA environment and also describes the various approaches to these issues. The different approaches to SOA security (i.e. message level security, security as a service and policy driven security) are not standalone solutions, but can be deployed as mix and match solutions. A SOA security solution can make use of all the approaches to address specific security concerns. Finally the project work describes a generic SOA security model which acts as a reference model to identify security vulnerabilities in enterprise application integration (EAI). These vulnerabilities can then be addressed by the different approaches to security.
Secure Architecture Evaluation for Agent Based Web Service DiscoveryIDES Editor
The document proposes an agent-based architecture for secure web service discovery. It evaluates using agents to negotiate a mutually acceptable security policy between a service consumer and provider based on their security requirements. The architecture includes a discovery agent that finds services matching a consumer's criteria. A security agent describes the provider's security needs. The process involves the consumer and provider combining their security policies and the discovery agent returning matched services. The document evaluates the architecture using the ATAM method, identifying quality attributes, risks, and tradeoffs.
This document discusses metadata, security, transactions, and reliable messaging specifications for web services. It provides an overview of key specifications such as WSDL, WS-Security, WS-Transactions, and WS-Reliable Messaging that define standards for describing, securing, and coordinating web services and messages. The document also covers standards for integrating mobile devices into a service-oriented architecture.
International Journal on Web Service Computing (IJWSC)ijwscjournal
Web Service is a reusable component which has set of related functionalities that service requesters can
programmatically access from the service provider and manipulate through the Web. One of the main
security issue is to secure web services from the malicious requesters. Since trust plays an important role in
many kinds of human communication, it allows people to work under insecurity and with the risk of
negative cost, many researchers have proposed different trust based web services access control model to
prevent malicious requesters. In this literature review, various existing trust based web services access
control model have been studied also investigated how the concept of a trust level is used in the access
control policy of a service provider to allow service requester to access the web services
A Literature Review on Trust Management in Web Services Access Controlijwscjournal
This document discusses trust-based access control models for web services. It provides an overview of web services and security issues, then reviews existing access control models including role-based access control and attribute-based access control. It also discusses concepts of trust management and how trust is used in various trust-based web services access control models to determine whether to grant access to requesters based on their trust level. Finally, it examines how trust levels are calculated and how policies are represented in these trust-based models.
A Literature Review on Trust Management in Web Services Access Controlijwscjournal
Web Service is a reusable component which has set of related functionalities that service requesters can programmatically access from the service provider and manipulate through the Web. One of the main security issue is to secure web services from the malicious requesters. Since trust plays an important role in many kinds of human communication, it allows people to work under insecurity and with the risk of negative cost, many researchers have proposed different trust based web services access control model to prevent malicious requesters. In this literature review, various existing trust based web services access control model have been studied also investigated how the concept of a trust level is used in the access control policy of a service provider to allow service requester to access the web services.
This document discusses security considerations for web services. It begins by defining key terms like web services, SOAP, WSDL, UDDI, and ebXML. It then discusses the goals of security like confidentiality, integrity, accountability and availability. Next, it covers requirements for web services security like authentication, authorization, cryptography, and accountability. It introduces the concept of Enterprise Application Security Integration (EASI) to provide a common security framework across different tiers. EASI requires perimeter security between clients and web servers, mid-tier security between application components, and back-office security for databases. The document concludes that web services should be designed according to enterprise application security architecture principles.
XML Encryption and Signature for Securing Web ServicesCSEIJJournal
In this research, we have focused on the most challenging issue that Web Services face, i.e. how to secure
their information. Web Services security could be guaranteed by employing security standards, which is the
main focus of this search. Every suggested model related to security design should put in the account the
securities' objectives; integrity, confidentiality, non- repudiation, authentication, and authorization. The
proposed model describes SOAP messages and the way to secure their contents. Due to the reason that
SOAP message is the core of the exchanging information in Web Services, this research has developed a
security model needed to ensure e-business security. The essence of our model depends on XML encryption
and XML signature to encrypt and sign SOAP message. The proposed model looks forward to achieve a
high speed of transaction and a strong level of security without jeopardizing the performance of
transmission information.
XML ENCRYPTION AND SIGNATURE FOR SECURING WEB SERVICESijcsit
In this research, we have focused on the most challenging issue that Web Services face, i.e. how to secure their information. Web Services security could be guaranteed by employing security standards, which is the main focus of this search. Every suggested model related to security design should put in the account the securities' objectives; integrity, confidentiality, non- repudiation, authentication, and authorization. The proposed model describes SOAP messages and the way to secure their contents. Due to the reason that SOAP message is the core of the exchanging information in Web Services, this research has developed a security model needed to ensure e-business security. The essence of our model depends on XML encryption
and XML signature to encrypt and sign SOAP message. The proposed model looks forward to achieve a high speed of transaction and a strong level of security without jeopardizing the performance of transmission information.
This document summarizes previous research on securing SOA (Service Oriented Architecture). It discusses frameworks and models that have been proposed for SOA security, including SAVT, ISOAS, and FIX. It also discusses approaches using automata, data mining, and attack graphs. The proposed model in this document is a secure web-based SOA that uses three layers of services (IT services, security policy infrastructure, and business services) with an embedded security module based on PKI (Public Key Infrastructure) to provide encryption and authentication. The model aims to provide both security and flexibility while maintaining interoperability.
A SECURITY FRAMEWORK FOR SOA APPLICATIONS IN MOBILE ENVIRONMENTIJNSA Journal
This document proposes a security framework for developing SOA (Service Oriented Architecture) applications on mobile devices. The framework aims to provide tools to securely develop and provide services in the mobile environment. It includes components for service description, communication interfaces, security features like cryptography and digital signatures. The framework also defines layers for networking, event handling, service provision, storage, security and management. It allows developers to easily create and securely provide services from mobile devices.
Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...idescitation
Cloud computing is a model for enabling convenient, on-demand network access
to a shared pool of configurable computing resources. Reliability in compute cloud is an
important aspect in Quality of Service which needs to be addressed in order to foster the
adoption of compute cloud. In today’s integrated environment the distributed systems is
employed to carry out computational intensive task at a faster rate without much
investment. The Cloud is a multitenant architecture which allows faster computation with
high scalability at a lower cost thereby the users can share the same physical infrastructure.
Individual customers deploy their applications in such environment will occupy the virtual
partitions on the platform. This paper describes a straightforward procedure to analyze the
reliability of the application from the view point of the resource provider. A trust
component is implemented to provide preventive control and to mitigate the occurrence of
any non-permissible action by using the detective mechanism. Such mechanisms are used to
identify the privacy risk and it further prevents from utilization. Hence, in this paper trust
assessment is performed before the user is allowed to share the multitenant infrastructure.
The cloud can provide scalable and reliable service for the legitimate users. The proposed
work is tested using tools Aneka and Globus Toolkit.
This document compares the advantages of using Windows Communication Foundation (WCF) over traditional web services for building distributed applications. WCF supports multiple transport protocols like HTTP, TCP and named pipes, while web services only support HTTP. WCF uses an endpoint-based model for communication between services and clients, where endpoints define address, binding and contract. This provides more flexibility than web services. Performance tests show that a WCF service using TCP transport is significantly faster than a web service using HTTP, as TCP is more efficient than HTTP and WCF allows binary encoding. The document concludes that WCF is advantageous over web services and older Microsoft technologies like .NET remoting and replaces them as the preferred approach.
This document provides an overview of Service Oriented Architecture (SOA) and its enabling technologies. It discusses key SOA principles like loose coupling, standardized service contracts, and service reusability. The document also covers major SOA objectives, benefits, architecture layers, and the differences between SOA and web services. Web services are described as a standardized way for applications to communicate over the web using XML, SOAP, WSDL and other standards. The document contrasts SOA with public-subscribe and pull-based vs push-based messaging architectures.
Designing A Logical Security Framework for E-Commerce System Based on SOA ijsc
Rapid increases in information technology also changed the existing markets and transformed them into emarkets (e-commerce) from physical markets. Equally with the e-commerce evolution, enterprises have to recover a safer approach for implementing E-commerce and maintaining its logical security. SOA is one of the best techniques to fulfill these requirements. SOA holds the vantage of being easy to use, flexible, and recyclable. With the advantages, SOA is also endowed with ease for message tampering and unauthorized access. This causes the security technology implementation of E-commerce very difficult at other engineering sciences. This paper discusses the importance of using SOA in E-commerce and identifies the flaws in the existing security analysis of E-commerce platforms. On the foundation of identifying defects, this editorial also suggested an implementation design of the logical security framework for SOA supported E-commerce system.
Advanced Web Services incorporate standards like SOAP, WSDL, UDDI, as well as more complex security standards like WS-Security. They deal with asynchronous behavior and parallelism through standards like WS-ReliableMessaging. The Web Services Interoperability Organization (WS-I) promoted interoperability between web services specifications and joined the OASIS standards body. WS-Federation and related standards help establish trust relationships between security domains.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Infrastructure Challenges in Scaling RAG with Custom AI modelsZilliz
Building Retrieval-Augmented Generation (RAG) systems with open-source and custom AI models is a complex task. This talk explores the challenges in productionizing RAG systems, including retrieval performance, response synthesis, and evaluation. We’ll discuss how to leverage open-source models like text embeddings, language models, and custom fine-tuned models to enhance RAG performance. Additionally, we’ll cover how BentoML can help orchestrate and scale these AI components efficiently, ensuring seamless deployment and management of RAG systems in the cloud.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Best 20 SEO Techniques To Improve Website Visibility In SERP
W4502140150
Asha N. Chaudhary et al., Int. Journal of Engineering Research and Applications, www.ijera.com
ISSN: 2248-9622, Vol. 4, Issue 5 (Version 2), May 2014, pp. 140-150
www.ijera.com 140 | Page
Security Based Service Oriented Architecture in Cloud Environment
Asha N. Chaudhary, Prof. Hitesh A. Bheda
M.Tech (CE) Research Scholar, RK University, India.
Department of Computer Engineering, RK University, India.
ABSTRACT
Service Oriented Architecture (SOA) is an appropriate model for distributed application development in the recent explosion of Internet services and cloud computing. SOA introduces new security challenges that are not present in single-hop client-server architectures, because multiple service providers take part in a single service request. The interaction of independent services in SOA can break service policies, and the user of an SOA system has no control over what happens in the chain of service invocations. Even if establishing trust across all involved partners is required as a precondition for secure interactions, a new end-to-end security auditing mechanism is still needed to verify the actual service invocation. We provide a solution for end-to-end security auditing in service oriented architecture. This security architecture introduces two new components, called taint analysis and trust broker, and takes advantage of the WS-Security and WS-Trust standards. These components maintain session auditing and dynamic trust among services. The solution allows auditing of inherited services without modification. We also implemented a model of the proposed approach and established its efficiency on Amazon EC2 and a multi-tenancy cloud computing infrastructure.
Keywords: Service Oriented Architecture, Cloud Computing, Web Services, Security, Multi tenancy, Performance.
I. INTRODUCTION
Cloud computing is a way of using computational resources, such as storage and operating systems, that are located remotely and are provided as a service over the Internet [1]. The service oriented architecture is an idea that has received significant attention and concern from the software design and development community [2].
In software engineering, service oriented architecture is a new model characterized by loose coupling among software components, called services. SOA permits fast design of new applications by composing smaller special-purpose and mixed services [3]. To assemble mixed service components in both project and military environments, SOA can serve as the unifying layer [3]. Web services are a proven industry technology that can be used to implement SOA applications.
The basic necessities of SOA are: (1) the user must be able to move between different clouds as long as they are compatible. An example would be a client running an OS on an IaaS cloud; they should be able to carry their transformation over to the new cloud provider they want to move to [4]. (2) The user must be able to create a group of resources. An instance would be two cloud providers working jointly to provide their mutual resources through the same source [4].
Web services allow interoperability of applications thanks to a set of standards built on the eXtensible Markup Language (XML) [2]. We can say that the most important advantage of the SOA model is interoperability, achieved by the use of standard XML, which permits not only communication between ordinary applications on the web but also communication between devices ranging from small sensors to complex household, commercial or industrial machines [2].
To ensure security in this environment, new security mechanisms must be considered, such as [5]: (1) WS-Security, a standard of the Organization for the Advancement of Structured Information Standards (OASIS) for SOAP messaging security, providing integrity and confidentiality; (2) Security Assertion Markup Language (SAML), another OASIS standard based on XML for exchanging security information; (3) Web Services Business Process Execution Language (WS-BPEL), an XML-based language used to orchestrate web services into a single business process.
RESEARCH ARTICLE OPEN ACCESS
Asha N. Chaudhary et al, Int. Journal of Engineering Research and Applications, www.ijera.com, ISSN: 2248-9622, Vol. 4, Issue 5 (Version 2), May 2014, pp. 140-150
SOAP (Simple Object Access Protocol) is the main protocol used by web services to communicate, and it is transported over HTTP (Hypertext Transfer Protocol) [6]. Due to the lack of end-to-end authentication and authorization, security is a demanding matter in service oriented architecture. Unwanted interception of messages cannot be prevented. It is also not possible to secure against unidentified third parties in SOA because of the architecture's open nature [3].
Present Service Oriented Architecture security solutions and web service security standards have the following restrictions: (1) web service standards concentrate on transactions between only two communicating service end points and do not consider service composition; (2) external services are not confirmed or validated dynamically, which means uninformed selection of services by the user; (3) the user has no control over external service invocations made by a service in another service domain; (4) violations and malicious activities in a trusted service domain remain hidden.
The remainder of this paper is organized as follows: in Section II we sketch out the proposed architecture for SOA systems. In Section III we explain our model implementation, including a security and performance evaluation of the model. In Section IV we discuss future work, in Section V we review related work, and finally in Section VI we conclude the paper.
II. PROPOSED ARCHITECTURE FOR SOA SYSTEM
2.1 End-to-End SOA Structure
The end-to-end SOA architecture consists of two steps: (1) the client builds a request to the initial trusted domain; (2) the services there can make a service call to another service in the trusted domain or in an untrusted public domain.
Taint analysis and trust broker are the two new components in the proposed end-to-end security auditing architecture. The trust broker maintains information about the trustworthiness of services and categorizes them. It is also used for dynamic validation and verification of services, and it keeps track of the history of service invocations. The taint analysis module intercepts the communication.
Figure.1 End-to-End Service Oriented Architecture
In Figure 1, the information sequence depicted is as follows:
1) UDDI (Universal Description, Discovery and Integration) Registry request.
2) Forwarding the service list to the Trust Broker and receiving a categorized list.
3) Invoking a selected service.
4) Second invocation by a service in domain A.
5) Invoking a service in the public service domain.
6) End points reply to the user.
2.2 Integration of Web Service Standards
The web service standards used in our model to achieve end-to-end security are WS-Security and WS-Trust.
2.2.1 WS-Security
The WS-Security model specifies how integrity and confidentiality can be enforced on messages, and allows the communication of various security token formats, such as SAML (Security Assertion Markup Language) and X.509 [9]. Its main focus is the use of XML Signature and XML Encryption to provide end-to-end security. WS-Security incorporates security features in the header of a SOAP (Simple Object Access Protocol) message, specifying how to sign and encrypt SOAP messages. There are two ways in which WS-Security handles credential management. First, it defines a special element, UsernameToken, which passes the username and password if the web service uses custom authentication. WS-Security also provides binary authentication tokens, such as Kerberos tickets and X.509 certificates, through the BinarySecurityToken element. Figure 2 explains the message flow of WS-Security.
Figure.2 Message Flow of WS-Security.
Our implementation of WS-Security uses the Apache CXF framework, leveraging WSS4J to provide the WS-Security functionality. WSS4J security is triggered through interceptors that are added to the services and clients.
2.2.2 WS-Trust
WS-Trust defines the concept of security token request and response messages, as well as ways to establish, assess the presence of, and broker trust relationships between participants in a secure message exchange.
Elements of WS-Trust
1) Security Token Service (STS), a web service that issues, cancels, renews and validates security tokens as defined in the WS-Security specification; 2) security token request and response message formats; and 3) a key-exchange mechanism.
WS-Trust is implemented within web service libraries provided by vendors or by open source cooperative efforts.
2.3 Trust Broker Formation
The Trust Broker is a trusted third party accountable for maintaining end-to-end security in a chain of service invocations made on behalf of a client's request. It can also mediate security-critical interactions between clients and services. The three most important functions of the Trust Broker are as follows: 1) the Trust Broker maintains a list of certified services; 2) the Trust Broker evaluates the trust level of a given service using a formula that integrates various parameters, such as the history of communication with that service; and 3) the Trust Broker maintains an end-to-end session of service invocations, in which the different services invoked from the start to the end of that session are logged by the Trust Broker.
The Trust Broker was implemented as a web service on the Java 7.0 platform and deployed on boston.cs.purdue.edu. The Trust Broker stores all data concerning sessions and services in a MySQL database set up on the same machine. The Trust Broker web service offers the following public methods:
1) Get Trust Level (servicekey): This method takes the key of a service registered in UDDI and returns the trust level calculated by the trust evaluation module.
2) Create Session (trustclass, invokedservice): This method returns a unique session identifier, which needs to be passed along from the client to the invoked service and from one service to the next in the whole chain of service invocations.
3) Get Session History (sessionID): This method returns the register of warnings recorded for the service invocations of the session identified by sessionID.
4) Remove Session (sessionID): This method removes the session identified by sessionID from the Trust Broker database.
5) Session Feedback: This method is used to connect the taint analysis module with the trust broker.
Figure 3. Trust broker structure and its interface with user.
2.3.1 Trust Broker Database
The trust broker database consists of two tables: Services, used to maintain the trust levels and certification information of services, and Client Sessions, used to maintain an end-to-end session of service invocations for a client.
2.3.2 Trust Evaluation module
The trust evaluation module (TEM) of the trust broker calculates the trust level of a given service based on three things: 1) the history of earlier service runs; 2) feedback from the taint analysis module; and 3) the WS-* support specified in the service level agreement.
TEM queries the UDDI and calculates the trust value of a service using the following equation:
Ts(t) = β * [α * Ts(t-1) + (1 - α) * F] + (1 - β) * L,
where α < 0.5 and β is a constant weighting the properties of the service. For the model system the values of these constants were chosen arbitrarily, so experiments should be performed to determine their optimal values. Ts is the trust value of service s, F is the feedback parameter and L is the service level agreement trust value.
In this equation the feedback parameter takes values in the interval [-1, 0) when the service in question misbehaves and values in the interval (0, 1] when the service behaves as promised. The result of this equation lies in the interval [0, 1].
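A worked run of the trust update above, added here as an illustration rather than the paper's TEM code. The constant values α = 0.3 and β = 0.6, the clamp to [0, 1] (the raw expression dips below zero for strongly negative feedback) and the range check on β are assumptions of this example.

```python
"""Worked example of the Trust Broker trust update Ts(t) (added example)."""

# Assumed constants: the paper states they were chosen arbitrarily.
ALPHA = 0.3   # weight of the previous trust value; the paper requires alpha < 0.5
BETA = 0.6    # weight of history + feedback against the SLA trust value L


def raw_trust(prev, feedback, sla_trust, alpha=ALPHA, beta=BETA):
    """Unclamped Ts(t) = beta*[alpha*Ts(t-1) + (1-alpha)*F] + (1-beta)*L.

    prev      : Ts(t-1), trust value from the previous run, in [0, 1]
    feedback  : F from the taint analysis module, [-1,0) misbehaved, (0,1] behaved
    sla_trust : L, trust value derived from the service level agreement, in [0, 1]
    """
    if not 0 < alpha < 0.5:
        raise ValueError("alpha must lie in (0, 0.5)")
    if not 0 < beta < 1:                       # assumption: beta is a proper weight
        raise ValueError("beta must lie in (0, 1)")
    if feedback == 0 or not -1 <= feedback <= 1:
        raise ValueError("feedback must lie in [-1, 0) or (0, 1]")
    if not 0 <= sla_trust <= 1:
        raise ValueError("SLA trust L must lie in [0, 1]")
    return beta * (alpha * prev + (1 - alpha) * feedback) + (1 - beta) * sla_trust


def next_trust(prev, feedback, sla_trust, alpha=ALPHA, beta=BETA):
    """Ts(t) clamped to [0, 1] (assumption: the paper states the result is in
    [0, 1], but with F = -1 the raw value can be negative, so we clamp)."""
    return min(1.0, max(0.0, raw_trust(prev, feedback, sla_trust, alpha, beta)))


def trust_history(initial, feedbacks, sla_trust):
    """Apply the update once per feedback report; returns the trajectory of Ts."""
    values = [initial]
    for f in feedbacks:
        values.append(next_trust(values[-1], f, sla_trust))
    return values


if __name__ == "__main__":
    # Constructed scenario: two good runs, then two reports of misbehaviour.
    for t, ts in enumerate(trust_history(0.5, [1.0, 1.0, -1.0, -1.0], 0.8)):
        print(f"Ts({t}) = {ts:.4f}")
```

Two consecutive misbehaviour reports drive the trust value to the floor regardless of the SLA value L, which is the intended effect of weighting F by (1 - α) with α < 0.5.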
2.4 Taint Analysis Module
This module monitors the activity of services at runtime. It also examines the data exchanged between them to identify certain events.
2.4.1 Monitoring Runtime Services
One of the major design requirements of the taint analysis module is transparency to the user, meaning users are not required to change their programs or deployments. To achieve this goal, program instrumentation and extra monitoring code are added to the service implementation automatically.
2.4.2 AOP Framework
The Aspect Oriented Programming (AOP) model [7] defines specific pointcut designators (PCDs) that select points in program execution. The fundamental pointcut designators are chosen somewhat pragmatically: they must be genuinely helpful to an aspect programmer, but they must also be comparatively easy to implement in the AOP system.
2.4.3 Features of JBoss AOP
JBoss Aspect Oriented Programming [8] is used to operate an event framework. JBoss AOP also provides dynamic AOP and hot deployment, and the framework supports both compile-time and run-time class instrumentation.
2.4.4 Implementation of Taint Analysis
For the implementation of taint analysis we selected the JBoss AOP framework. With JBoss AOP we can instrument almost all classes and methods in the JBoss AS/ESB servers. This mechanism is very efficient thanks to granular pointcuts. We instrument the communication methods inside an action pipeline.
Figure.4 Using Taint Analysis to detect Service Invocations
As shown in Figure 4, all external service invocations are monitored and reported to the trust broker. Services are monitored for two activities. The first is checking the compliance of external domains with their registered SLA as advertised in the public UDDI registry. The second is the use of their data inside the trusted service domain. Reporting to the TB is accomplished by a web service invocation to the TB server, which invokes the sessionFeedback() method.
Figure.5 The interface of taint analysis with trust broker.
The following method realizes the connection between the trust broker and taint analysis; the API of the TB was extended with it.
Session Feedback (sessionID, invokerService, invokedService): This method is used by the taint analysis module to report to the trust broker an invocation of invokedService by invokerService for the session identified by sessionID.
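An in-memory model of the Trust Broker session API of Section 2.3 together with the sessionFeedback() path described here, added as an illustration; it is not the paper's Java/MySQL implementation. The service registry, the warning rules (an invocation of an uncertified service, or of a service whose trust level is below the session's trust class) and the service names are constructed for this example.

```python
"""Model of the Trust Broker session audit and taint-analysis feedback (added example)."""
import itertools
from dataclasses import dataclass, field


@dataclass
class ServiceRecord:
    """One row of the Services table: current trust level and certification flag."""
    trust_level: float
    certified: bool


@dataclass
class Session:
    """One row of the Client Sessions table: required trust class and audit trail."""
    trust_class: float                           # minimum trust level the client accepts
    chain: list = field(default_factory=list)    # (invoker, invoked) pairs, in order
    warnings: list = field(default_factory=list)


class TrustBroker:
    def __init__(self, services):
        self.services = dict(services)           # service key -> ServiceRecord
        self.sessions = {}                       # session id -> Session
        self._ids = itertools.count(1)

    def get_trust_level(self, service_key):
        """Unknown services are reported as untrusted (0.0) rather than raising."""
        rec = self.services.get(service_key)
        return rec.trust_level if rec else 0.0

    def create_session(self, trust_class, invoked_service):
        """Start an end-to-end session; the client's first call is audited too."""
        sid = f"session-{next(self._ids)}"
        session = Session(trust_class=trust_class)
        self.sessions[sid] = session
        self._audit(session, "client", invoked_service)
        return sid

    def session_feedback(self, session_id, invoker_service, invoked_service):
        """Called by the taint analysis module for every external invocation it sees."""
        session = self.sessions.get(session_id)
        if session is None:
            raise KeyError(f"unknown session {session_id}")
        self._audit(session, invoker_service, invoked_service)

    def get_session_history(self, session_id):
        """Register of warnings for the session, as the paper's API returns."""
        return list(self.sessions[session_id].warnings)

    def remove_session(self, session_id):
        return self.sessions.pop(session_id, None) is not None

    def _audit(self, session, invoker, invoked):
        session.chain.append((invoker, invoked))
        rec = self.services.get(invoked)
        if rec is None or not rec.certified:
            session.warnings.append(f"{invoker} invoked uncertified service {invoked}")
        elif rec.trust_level < session.trust_class:
            session.warnings.append(
                f"{invoker} invoked {invoked} with trust {rec.trust_level:.2f} "
                f"below required class {session.trust_class:.2f}")


# Constructed registry: names and values are illustrative only.
SAMPLE_SERVICES = {
    "EvacuationTimer": ServiceRecord(trust_level=0.9, certified=True),
    "MapService": ServiceRecord(trust_level=0.6, certified=True),
    "PublicWeather": ServiceRecord(trust_level=0.4, certified=False),
}


def run_chain(trust_class=0.5):
    """Client -> EvacuationTimer -> MapService -> PublicWeather, returning the warnings."""
    tb = TrustBroker(SAMPLE_SERVICES)
    sid = tb.create_session(trust_class, "EvacuationTimer")
    tb.session_feedback(sid, "EvacuationTimer", "MapService")
    tb.session_feedback(sid, "MapService", "PublicWeather")
    history = tb.get_session_history(sid)
    tb.remove_session(sid)
    return history


if __name__ == "__main__":
    for warning in run_chain():
        print("WARNING:", warning)
```

Only the taint analysis modules should be able to call session_feedback(); as the conclusion notes, that channel is protected with WS-Security so that feedback cannot be forged to skew trust values.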
III. RESULTS AND DISCUSSION
This section provides the details of the prototype evaluation and measurements.
3.1 Security Evaluation
SOAP messages are prone to attacks that can lead to several consequences, such as unauthorized access and disclosure of information, based on on-the-fly modification of SOAP messages, referred to as XML rewriting attacks [10]. Denial of Service attack technology has continued to evolve and continues to be used to attack and impact Internet infrastructure. The implemented model was evaluated in terms of its effectiveness in mitigating XML rewriting attacks [11][12]. Generally, Service Oriented Architecture systems are susceptible to in-transit sniffing or spoofing. XML rewriting attack refers to the class of attacks which involve modifying SOAP messages.
We focused on three scenarios and performed different types of XML rewriting attacks:
1) We generated a basic XML replay attack in which the new message was entirely replaced by an old message captured by our attack tool.
2) Performing an XML message replay attack when there are security headers present in the web service messages.
3) Performing an XML message redirect attack when there are security headers present in the web service messages.
Figure 6. Attack Scenario Setting.
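The replay scenarios above are what a WS-Security Timestamp plus a per-message nonce are meant to defeat. The check below, added as an illustration and not part of the paper's evaluation tooling, accepts a SOAP envelope only if its Timestamp is fresh and its Nonce has not been seen before; the freshness window, the injected clock and the sample envelopes are constructed for this example, and it assumes the Security header is covered by a verified XML Signature, since otherwise an attacker could simply rewrite the nonce.

```python
"""Replay detection over WS-Security Timestamp and Nonce headers (added example)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
FRESHNESS = timedelta(minutes=5)   # assumed window between Created and receipt


def _parse_utc(text):
    """WS-Security timestamps are ISO 8601 in UTC; map a trailing Z to +00:00."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


class ReplayGuard:
    """Keeps nonces until their Expires time so a captured message cannot be re-sent."""

    def __init__(self, now):
        self.now = now      # injected clock so the example is deterministic
        self.seen = {}      # nonce -> Expires, pruned on every check

    def check(self, xml_text):
        """Return (accepted, reason) for one SOAP envelope."""
        root = ET.fromstring(xml_text)
        sec = root.find("soap:Header/wsse:Security", NS)
        if sec is None:
            return False, "missing Security header"
        created = sec.findtext("wsu:Timestamp/wsu:Created", None, NS)
        expires = sec.findtext("wsu:Timestamp/wsu:Expires", None, NS)
        nonce = sec.findtext("wsse:UsernameToken/wsse:Nonce", None, NS)
        if not (created and expires and nonce):
            return False, "incomplete Timestamp or Nonce"
        created_at, expires_at = _parse_utc(created), _parse_utc(expires)
        # Scenario 1 (an old captured message): Created is too old or already expired.
        if expires_at <= self.now or self.now - created_at > FRESHNESS:
            return False, "stale timestamp"
        self._prune()
        # Scenario 2 (replay inside the window, headers intact): nonce already used.
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = expires_at
        return True, "ok"

    def _prune(self):
        """Drop nonces whose message has expired; the timestamp check rejects those anyway."""
        self.seen = {n: e for n, e in self.seen.items() if e > self.now}


def envelope(created, expires, nonce, body="<ping/>"):
    """Build a constructed SOAP envelope carrying a WS-Security header."""
    return (
        f'<soap:Envelope xmlns:soap="{NS["soap"]}"><soap:Header>'
        f'<wsse:Security xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}">'
        f"<wsu:Timestamp><wsu:Created>{created}</wsu:Created>"
        f"<wsu:Expires>{expires}</wsu:Expires></wsu:Timestamp>"
        f"<wsse:UsernameToken><wsse:Username>alice</wsse:Username>"
        f"<wsse:Nonce>{nonce}</wsse:Nonce></wsse:UsernameToken>"
        f"</wsse:Security></soap:Header><soap:Body>{body}</soap:Body></soap:Envelope>"
    )


# Constructed receive time and messages for the demonstration.
NOW = datetime(2014, 5, 1, 12, 0, tzinfo=timezone.utc)
FRESH = envelope("2014-05-01T11:59:00Z", "2014-05-01T12:04:00Z", "n1")
CAPTURED_OLD = envelope("2014-05-01T11:00:00Z", "2014-05-01T11:05:00Z", "n0")


def run_demo():
    """First delivery accepted, exact replay refused, hour-old capture refused."""
    guard = ReplayGuard(NOW)
    return [guard.check(FRESH), guard.check(FRESH), guard.check(CAPTURED_OLD)]


if __name__ == "__main__":
    for accepted, reason in run_demo():
        print("ACCEPT" if accepted else "REJECT", reason)
```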
3.2 Performance Measurement in Multi Tenant Cloud Server
Multitenancy was used to study the impact of migrating the proposed end-to-end security solution to the cloud. In order to ensure that different services were deployed on different physical machines, large instances were launched in different availability zones of the multi-tenant cloud in the East region, as seen in Figures 7 and 8.
Figure.7 Baseline Experiment Setup in the Multi tenant Cloud Server
Figure 8. Taint Analysis Experiment Setup in the Multi tenant Cloud Server
Figure 9 reports the average response times for the first 400 requests to the Evacuation Timer Service for the baseline and taint analysis cases. In this graph the response times are still very close up to 4 concurrent requests. The overhead is larger but acceptable for 8 and 16 requests.
Figure 9. Average response time for the first 400 requests in multi-tenant cloud server.
We also conducted experiments to measure the performance of the trust broker under growing loads for the session feedback method. A large instance in the multi-tenant cloud server East region was used to host the trust broker for these experiments. In Figure 10, the rate of requests was kept fixed by setting the delay between consecutive requests of a single thread to 100 milliseconds and increasing the delay proportionally to the number of simultaneous threads. The results of these experiments show that the Trust Broker is able to handle 64 simultaneous requests in around 150 milliseconds and 128 requests in around 200 milliseconds.
Figure 10. Average Response Time for Fixed Rate Session Feedback Requests
In the second set of experiments, bursts of requests were sent at increasing rates, i.e. the delay between consecutive requests of all client threads was set to 100 milliseconds. The results of these experiments show that the increase in the rate of requests causes a small overhead in the response time up to 64 client threads; however, there is a big jump in the overhead after 128 client threads, at which point load balancing should be considered.
Figure.11 Average Response Time for Fixed Rate Session Feedback Requests
IV. DISCUSSION AND FUTURE WORK
4.1 Security Procedure Enforcement: The main goal of this paper has been to design a security auditing architecture, so it takes a retroactive approach to external service calls and only reports the external invocation events back to the TB. However, it can easily be converted into a proactive mechanism to enforce the client's policy. This could be realized by adding an XACML policy engine [14] to the TB and employing the TA module proactively. Another variation could be sending the upcoming service invocation to the TB and requiring services in an invocation chain to get confirmation for the next service they will invoke.
Extension to Cloud Computing: The proposed architecture partly mitigates the threats posed by multi-tenancy too: in the case of a certified service being under attack, the TA module deployed on the server will report the malicious behavior to the TB. Even in the case of a TA module under attack, it will be possible to detect that attack with a slight modification of the architecture. For that, the TB would need to wait for feedback from the TA module of every certified service known to be invoked by a previous service, and update the session history for that service call with a warning after a timeout period during which no feedback is received.
Investigating new threats for SOA-based systems in cloud computing environments: Deploying services in the Cloud brings up the question of potential security threats due to multi-tenancy. In future work, we will investigate the possible effects of multi-tenancy on the proper functioning of the proposed solution with the session history parameter. Experiments will be performed with multi-tenant Cloud servers, where attacks will be targeted from one virtual machine to another to disrupt the functioning of the TA component, and solutions to the resulting problems will be investigated.
V. RELATED WORK
Many researchers have studied the security of service oriented architectures. The security issues in SOA are addressed in [13][14] by focusing on web service standards; these works identify the complexity of certifying SOA services due to the difficulty of representing security controls in web service standards specifications in a consistent manner for verification. In [15] and [16] the identification of trusted services and dynamic trust assessment in SOA are studied. RATEWeb [15] is a framework for trust-based service selection that works on peer feedback. It is based on a set of decentralized techniques for evaluating reputation-based trust with ratings from peers. However, these approaches do not take into account initial service invocations and the secondary services in compositions.
Approaches like [15] and [16] are not suitable for SOAs with many services, because the monitoring system would need to collect detailed information from many peers and consumers, which would make it very expensive. Generally, taint analysis has been a low-level mechanism used for binary program analysis [19]. However, low-level taint analysis mechanisms lead to a considerable overhead which is not suitable for real-world services. Moreover, they depend on specific hardware architectures, which is not suitable for real-world deployment. DIFC (Decentralized Information Flow Control) has been an active area of research in the past few years. Researchers in [18][19][20] have proposed different labeling mechanisms to secure applications from untrusted code. Their approach needs a complete redesign of the OS, which is not practical in federated SOA settings. To overcome this problem, [21] proposes a language-level solution for information flow control which assigns labels to every program object, incurring a substantial overhead. In both mechanisms the source code of the services has to be changed. Therefore, transparency, which is a key factor in the adoption of a technology by industry, is lost.
VI. CONCLUSION
In this project we proposed an end-to-end security solution for SOA, based on the introduction of two new security components, i.e. the "Taint Analysis" module and the "Trust Broker" service. By providing the ability to track external service invocations during the completion of a service request and maintaining dynamic trust values for services, the proposed architecture allows clients to be informed about the full chain of service invocations in a request and about possible misbehavior by the services involved in it. This architecture both makes it possible to judge the quality of the response received by the client and increases the chances of selecting trustworthy services using the reputation-based system. Although the security architecture described above takes more of a retroactive approach to external service calls, it can easily be converted into a proactive one, either by the TA preventing external calls to untrusted services or by requiring services in an invocation chain to contact the TB to get confirmation for the next service they will invoke. The latter approach will introduce additional delays in the response to the client, but may be preferred for preventive security.
The proposed end-to-end security architecture is fully compatible with common Web services standards, as the services and the data communication protocol are not affected by the security-related modifications to the general SOA structure. The minimal set of web service standards needed to overcome the security challenges, alongside the proposed security components TA and TB, was identified as WS-Security, to ensure client and service authenticity as well as message-level security through encryption and signing, and WS-Trust, for the generation of the security tokens required for authentication. By securing the communication between the taint analysis modules and the trust broker using WS-Security, the proposed system ensures the authenticity of session feedback, hence preventing unfair increases or decreases of the trust values of services due to targeted feedback from malicious parties.
Experiments performed in the multi-tenant cloud server suggest that the proposed solution causes a small overhead in terms of service response time up to a certain load on the server, at which point load distribution should be considered. The same argument holds for the Trust Broker service as well; i.e. to avoid being a single point of failure prone to denial of service attacks, the TB should distribute its load over multiple servers. This makes the Cloud the best option for hosting the TB service. With elastic load balancing achieved by on-the-fly allocation of resources and creation of virtual machines, a TB service in the Cloud will be able to meet the demands of different service request loads and avoid wasting resources when service traffic decreases.
REFERENCES
[1] Sun Microsystems, Inc., "Introduction to Cloud Computing Architecture", White Paper, 1st Edition, June 2009.
[2] D. Rodrigues, J. C. Estrella, K. R. L. J. C. Branco, "Analysis of Security and Performance Aspects in Service Oriented Architecture", International Journal of Security and its Applications, vol. 5, no. 1, January 2011.
[3] M. Azarmi, B. Bhargava, P. Angin, R. Ranchal, N. Ahmed, X. Zhang, A. Sinclair, M. Linderman, L. Ben Othmane, "An End-to-End Security Auditing Approach for Service Oriented Architectures", Air Force Research Laboratory, Rome, 2012.
[4] A. J. Vitek, "Service Oriented Cloud Computing Architecture", UMM CSci Senior Seminar Conference, Morris, MN.
[5] E. Ort, "Service-Oriented Architecture and Web Services: Concepts, Technologies, and Tools", 2005.
[6] J. Hutchinson, G. Kotonya, J. Walkerdine, P. Sawyer, G. Dobson, and V. Onditi, "Evolving existing systems to service oriented architectures: Perspective and challenges", in IEEE International Conference on Web Services (ICWS'07), pp. 896–903.
[7] G. Kiczales, J. Lamping, A. Mendhekar, C. Maeda, C. Lopes, J. Loingtier, and J. Irwin, "Aspect-oriented programming", European Conference on Object-Oriented Programming (ECOOP'97), pp. 220–242, 1997.
[8] "JBoss AOP framework", http://www.jboss.org/jbossaop [Online; accessed Apr. 2012].
[9] "Web Service Specifications", http://en.wikipedia.org/wiki/List of web service specifications [Online; accessed Apr. 2012].
[10] A. Ouda, D. Allison, and M. Capretz, "Security protocols in service oriented architecture", in 6th World Congress on Services, 2010, pp. 185–186.
[11] M. Rahaman and A. Schaad, "SOAP-based secure conversation and collaboration", in IEEE International Conference on Web Services (ICWS'07), 2007, pp. 471–480.
[12] A. Benameur, F. Kadir, and S. Fenet, "XML rewriting attacks: Existing solutions and their limitations", arXiv preprint arXiv:0812.4181, 2008.
[13] R. Baird and R. Gamble, "Developing a security meta-language framework", in Hawaii International Conference on System Sciences (HICSS 2011), pp. 1–10.
[14] R. Baird and R. F. Gamble, "Security controls applied to web service architectures", in 19th International Conference on Software Engineering and Data Engineering, 2010.
[15] Z. Malik, "RATEWeb: Reputation assessment for trust establishment among web services", VLDB Journal, vol. 18, no. 4, pp. 885–911, 2009.
[16] G. Spanoudakis and S. LoPresti, "Web service trust: Towards a dynamic assessment framework", in IEEE International Conference on Availability, Reliability and Security (ARES 2009), 2009, pp. 33–40.
[17] J. Newsome and D. Song, "Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software", 2005.
[18] N. Zeldovich, S. Boyd-Wickizer, E. Kohler, and D. Mazières, "Making information flow explicit in HiStar", in Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation, 2006, pp. 19–19.
[19] P. Efstathopoulos, M. Krohn, S. VanDeBogart, C. Frey, D. Ziegler, E. Kohler, D. Mazières, F. Kaashoek, and R. Morris, "Labels and event processes in the Asbestos operating system", ACM SIGOPS Operating Systems Review, vol. 39, no. 5, pp. 17–30, 2005.
[20] M. Krohn, A. Yip, M. Brodsky, N. Cliffer, M. Kaashoek, E. Kohler, and R. Morris, "Information flow control for standard OS abstractions", in ACM SIGOPS Operating Systems Review, vol. 41, no. 6, ACM, 2007, pp. 321–334.
[21] A. Sabelfeld and A. Myers, "Language-based information-flow security", IEEE Journal on Selected Areas in Communications, vol. 21, no. 1, pp. 5–19, 2003.