Abstract
This chapter studies not only how traditional threats may affect composite services, but also some of the new challenges that arise from the emerging Future Internet. For instance, while atomic services may, in isolation, comply with privacy requirements, a composition of the same services could lead to violations due to the combined information they manipulate. Furthermore, with volatile services and evolving laws and regulations, a composite service that seemed secure enough at deployment time, may find itself unacceptably compromised some time later. Our main contributions are a taxonomy of threats for composite services in the Future Internet, which organises thirty-two threats within seven categories, and a corresponding taxonomy of thirty-three countermeasures. These results have been devised from analysing service scenarios and their possible abuse with participants from seventeen organisations from industry and academia.
Keywords
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
CAPEC, the Common Attack Pattern Enumeration and Classification, http://capec.mitre.org/
CWE (Classified Weakness Enumeration), http://cwe.mitre.org/
Forward project, http://www.ict-forward.eu/
SysSec project, http://www.syssec-project.eu/
Think-Trust project, http://www.think-trust.eu/
WOMBAT (Worldwide Observatory of Malicious Behaviors and Attack Threats), http://www.wombat-project.eu/
Babar, S., Mahalle, P., Stango, A., Prasad, N., Prasad, R.: Proposed security model and threat taxonomy for the internet of things (IoT). In: Meghanathan, N., Boumerdassi, S., Chaki, N., Nagamalai, D. (eds.) CNSA 2010. CCIS, vol. 89, pp. 420–429. Springer, Heidelberg (2010)
Berizzi, A.: The Italian 2003 blackout (June 2004)
Corsi, S., Sabelli, C.: General blackout in Italy Sunday September 28, 2003 (June 2004)
Hernan, S., Lambert, S., Ostwald, T., Shostack, A.: Uncover Security Design Flaws Using The STRIDE Approach, http://msdn.microsoft.com/en-us/magazine/cc163519.aspx
Hoffman, K., Zage, D., Nita-Rotaru, C.: A survey of attack and defense techniques for reputation systems. ACM Comput. Surv. 42, 1:1–1:31 (2009), http://doi.acm.org/10.1145/1592451.1592452
Im, G.P., Baskerville, R.L.: A longitudinal study of information system threat categories: The enduring problem of human error. SIGMIS Database 36(4), 68–79 (2005), http://doi.acm.org/10.1145/1104004.1104010
Landwehr, C.E., Bull, A.R., McDermott, J.P., Choi, W.S.: A taxonomy of computer program security flaws. ACM Comput. Surv. 26(3), 211–254 (1994), http://doi.acm.org/10.1145/185403.185412
Mirkovic, J., Reiher, P.: A taxonomy of ddos attack and ddos defense mechanisms. SIGCOMM Comput. Commun. Rev. 34(2), 39–53 (2004), http://doi.acm.org/10.1145/997150.997156
Mármol, F.G., Pérez, G.M.: Security threats scenarios in trust and reputation models for distributed systems. Computers & Security 28(7), 545–556 (2009), http://www.sciencedirect.com/science/article/pii/S0167404809000534
CSRC - NIST: Glossary of Key Information Security Terms, http://csrc.nist.gov/publications/nistir/ir7298-rev1/nistir-7298-revision1.pdf
Papadimitriou, D.: Future Internet–The Cross-ETP Vision Document (2009), http://www.future-internet.eu/fileadmin/documents/reports/Cross-ETPs_FI_Vision_Document_v1_0.pdf
Shirey, R.: Internet Security Glossary, Version 2 (RFC4949) (2007), http://www.rfc-base.org/rfc-4949.html
Stoneburner, G., Goguen, A., Feringa, A.: Risk management guide for information technology systems recommendations of the national institute of standards and technology. Nist Special Publication 800(30), 55 (2002), http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
Wang, H., Wang, C.: Taxonomy of security considerations and software quality. Commun. ACM 46(6), 75–78 (2003), http://doi.acm.org/10.1145/777313.777315
Weber, S., Karger, P.A., Paradkar, A.: A software flaw taxonomy: Aiming tools at security. SIGSOFT Softw. Eng. Notes 30(4), 1–7 (2005), http://doi.acm.org/10.1145/1082983.1083209
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Meland, P.H. et al. (2014). Security and Trustworthiness Threats to Composite Services: Taxonomy, Countermeasures, and Research Directions. In: Brucker, A.D., Dalpiaz, F., Giorgini, P., Meland, P.H., Rios, E. (eds) Secure and Trustworthy Service Composition. Lecture Notes in Computer Science, vol 8900. Springer, Cham. https://doi.org/10.1007/978-3-319-13518-2_2
Download citation
DOI: https://doi.org/10.1007/978-3-319-13518-2_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-13517-5
Online ISBN: 978-3-319-13518-2
eBook Packages: Computer ScienceComputer Science (R0)