Advertisement

Security and Trustworthiness Threats to Composite Services: Taxonomy, Countermeasures, and Research Directions

  • Per Håkon Meland
  • Muhammad Asim
  • Dhouha Ayed
  • Fabiano Dalpiaz
  • Edith Félix
  • Paolo Giorgini
  • Susana Gonzáles
  • Brett Lempereur
  • John Ronan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8900)

Abstract

This chapter studies not only how traditional threats may affect composite services, but also some of the new challenges that arise from the emerging Future Internet. For instance, while atomic services may, in isolation, comply with privacy requirements, a composition of the same services could lead to violations due to the combined information they manipulate. Furthermore, with volatile services and evolving laws and regulations, a composite service that seemed secure enough at deployment time, may find itself unacceptably compromised some time later. Our main contributions are a taxonomy of threats for composite services in the Future Internet, which organises thirty-two threats within seven categories, and a corresponding taxonomy of thirty-three countermeasures. These results have been devised from analysing service scenarios and their possible abuse with participants from seventeen organisations from industry and academia.

Keywords

Threats taxonomy countermeasures service composition security trustworthiness 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    CAPEC, the Common Attack Pattern Enumeration and Classification, http://capec.mitre.org/
  2. 2.
    CWE (Classified Weakness Enumeration), http://cwe.mitre.org/
  3. 3.
    Forward project, http://www.ict-forward.eu/
  4. 4.
  5. 5.
    Think-Trust project, http://www.think-trust.eu/
  6. 6.
    WOMBAT (Worldwide Observatory of Malicious Behaviors and Attack Threats), http://www.wombat-project.eu/
  7. 7.
    Babar, S., Mahalle, P., Stango, A., Prasad, N., Prasad, R.: Proposed security model and threat taxonomy for the internet of things (IoT). In: Meghanathan, N., Boumerdassi, S., Chaki, N., Nagamalai, D. (eds.) CNSA 2010. CCIS, vol. 89, pp. 420–429. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  8. 8.
    Berizzi, A.: The Italian 2003 blackout (June 2004)Google Scholar
  9. 9.
    Corsi, S., Sabelli, C.: General blackout in Italy Sunday September 28, 2003 (June 2004)Google Scholar
  10. 10.
    Hernan, S., Lambert, S., Ostwald, T., Shostack, A.: Uncover Security Design Flaws Using The STRIDE Approach, http://msdn.microsoft.com/en-us/magazine/cc163519.aspx
  11. 11.
    Hoffman, K., Zage, D., Nita-Rotaru, C.: A survey of attack and defense techniques for reputation systems. ACM Comput. Surv. 42, 1:1–1:31 (2009), http://doi.acm.org/10.1145/1592451.1592452
  12. 12.
    Im, G.P., Baskerville, R.L.: A longitudinal study of information system threat categories: The enduring problem of human error. SIGMIS Database 36(4), 68–79 (2005), http://doi.acm.org/10.1145/1104004.1104010 CrossRefGoogle Scholar
  13. 13.
    Landwehr, C.E., Bull, A.R., McDermott, J.P., Choi, W.S.: A taxonomy of computer program security flaws. ACM Comput. Surv. 26(3), 211–254 (1994), http://doi.acm.org/10.1145/185403.185412 CrossRefGoogle Scholar
  14. 14.
    Mirkovic, J., Reiher, P.: A taxonomy of ddos attack and ddos defense mechanisms. SIGCOMM Comput. Commun. Rev. 34(2), 39–53 (2004), http://doi.acm.org/10.1145/997150.997156 CrossRefGoogle Scholar
  15. 15.
    Mármol, F.G., Pérez, G.M.: Security threats scenarios in trust and reputation models for distributed systems. Computers & Security 28(7), 545–556 (2009), http://www.sciencedirect.com/science/article/pii/S0167404809000534 CrossRefGoogle Scholar
  16. 16.
    CSRC - NIST: Glossary of Key Information Security Terms, http://csrc.nist.gov/publications/nistir/ir7298-rev1/nistir-7298-revision1.pdf
  17. 17.
    Papadimitriou, D.: Future Internet–The Cross-ETP Vision Document (2009), http://www.future-internet.eu/fileadmin/documents/reports/Cross-ETPs_FI_Vision_Document_v1_0.pdf
  18. 18.
    Shirey, R.: Internet Security Glossary, Version 2 (RFC4949) (2007), http://www.rfc-base.org/rfc-4949.html
  19. 19.
    Stoneburner, G., Goguen, A., Feringa, A.: Risk management guide for information technology systems recommendations of the national institute of standards and technology. Nist Special Publication 800(30), 55 (2002), http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf Google Scholar
  20. 20.
    Wang, H., Wang, C.: Taxonomy of security considerations and software quality. Commun. ACM 46(6), 75–78 (2003), http://doi.acm.org/10.1145/777313.777315 CrossRefGoogle Scholar
  21. 21.
    Weber, S., Karger, P.A., Paradkar, A.: A software flaw taxonomy: Aiming tools at security. SIGSOFT Softw. Eng. Notes 30(4), 1–7 (2005), http://doi.acm.org/10.1145/1082983.1083209 CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Per Håkon Meland
    • 1
  • Muhammad Asim
    • 2
  • Dhouha Ayed
    • 3
  • Fabiano Dalpiaz
    • 4
  • Edith Félix
    • 3
  • Paolo Giorgini
    • 5
  • Susana Gonzáles
    • 6
  • Brett Lempereur
    • 2
  • John Ronan
    • 7
  1. 1.SINTEF ICTNorway
  2. 2.Liverpool John Moores UniversityUK
  3. 3.Thales ServicesFrance
  4. 4.Utrecht UniversityThe Netherlands
  5. 5.University of TrentoItaly
  6. 6.ATOSFrance
  7. 7.Waterford Institute of TechnologyIreland

Personalised recommendations