Security and Trustworthiness Threats to Composite Services: Taxonomy, Countermeasures, and Research Directions

  • Per Håkon Meland
  • Muhammad Asim
  • Dhouha Ayed
  • Fabiano Dalpiaz
  • Edith Félix
  • Paolo Giorgini
  • Susana Gonzáles
  • Brett Lempereur
  • John Ronan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8900)


This chapter studies not only how traditional threats may affect composite services, but also some of the new challenges that arise from the emerging Future Internet. For instance, while atomic services may, in isolation, comply with privacy requirements, a composition of the same services could lead to violations due to the combined information they manipulate. Furthermore, with volatile services and evolving laws and regulations, a composite service that seemed secure enough at deployment time, may find itself unacceptably compromised some time later. Our main contributions are a taxonomy of threats for composite services in the Future Internet, which organises thirty-two threats within seven categories, and a corresponding taxonomy of thirty-three countermeasures. These results have been devised from analysing service scenarios and their possible abuse with participants from seventeen organisations from industry and academia.


Threats taxonomy countermeasures service composition security trustworthiness 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    CAPEC, the Common Attack Pattern Enumeration and Classification,
  2. 2.
    CWE (Classified Weakness Enumeration),
  3. 3.
    Forward project,
  4. 4.
  5. 5.
    Think-Trust project,
  6. 6.
    WOMBAT (Worldwide Observatory of Malicious Behaviors and Attack Threats),
  7. 7.
    Babar, S., Mahalle, P., Stango, A., Prasad, N., Prasad, R.: Proposed security model and threat taxonomy for the internet of things (IoT). In: Meghanathan, N., Boumerdassi, S., Chaki, N., Nagamalai, D. (eds.) CNSA 2010. CCIS, vol. 89, pp. 420–429. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  8. 8.
    Berizzi, A.: The Italian 2003 blackout (June 2004)Google Scholar
  9. 9.
    Corsi, S., Sabelli, C.: General blackout in Italy Sunday September 28, 2003 (June 2004)Google Scholar
  10. 10.
    Hernan, S., Lambert, S., Ostwald, T., Shostack, A.: Uncover Security Design Flaws Using The STRIDE Approach,
  11. 11.
    Hoffman, K., Zage, D., Nita-Rotaru, C.: A survey of attack and defense techniques for reputation systems. ACM Comput. Surv. 42, 1:1–1:31 (2009),
  12. 12.
    Im, G.P., Baskerville, R.L.: A longitudinal study of information system threat categories: The enduring problem of human error. SIGMIS Database 36(4), 68–79 (2005), CrossRefGoogle Scholar
  13. 13.
    Landwehr, C.E., Bull, A.R., McDermott, J.P., Choi, W.S.: A taxonomy of computer program security flaws. ACM Comput. Surv. 26(3), 211–254 (1994), CrossRefGoogle Scholar
  14. 14.
    Mirkovic, J., Reiher, P.: A taxonomy of ddos attack and ddos defense mechanisms. SIGCOMM Comput. Commun. Rev. 34(2), 39–53 (2004), CrossRefGoogle Scholar
  15. 15.
    Mármol, F.G., Pérez, G.M.: Security threats scenarios in trust and reputation models for distributed systems. Computers & Security 28(7), 545–556 (2009), CrossRefGoogle Scholar
  16. 16.
    CSRC - NIST: Glossary of Key Information Security Terms,
  17. 17.
    Papadimitriou, D.: Future Internet–The Cross-ETP Vision Document (2009),
  18. 18.
    Shirey, R.: Internet Security Glossary, Version 2 (RFC4949) (2007),
  19. 19.
    Stoneburner, G., Goguen, A., Feringa, A.: Risk management guide for information technology systems recommendations of the national institute of standards and technology. Nist Special Publication 800(30), 55 (2002), Google Scholar
  20. 20.
    Wang, H., Wang, C.: Taxonomy of security considerations and software quality. Commun. ACM 46(6), 75–78 (2003), CrossRefGoogle Scholar
  21. 21.
    Weber, S., Karger, P.A., Paradkar, A.: A software flaw taxonomy: Aiming tools at security. SIGSOFT Softw. Eng. Notes 30(4), 1–7 (2005), CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Per Håkon Meland
    • 1
  • Muhammad Asim
    • 2
  • Dhouha Ayed
    • 3
  • Fabiano Dalpiaz
    • 4
  • Edith Félix
    • 3
  • Paolo Giorgini
    • 5
  • Susana Gonzáles
    • 6
  • Brett Lempereur
    • 2
  • John Ronan
    • 7
  1. 1.SINTEF ICTNorway
  2. 2.Liverpool John Moores UniversityUK
  3. 3.Thales ServicesFrance
  4. 4.Utrecht UniversityThe Netherlands
  5. 5.University of TrentoItaly
  6. 6.ATOSFrance
  7. 7.Waterford Institute of TechnologyIreland

Personalised recommendations