2016 International Conference on Global Trends in Signal Processing, Information Computing and Communication
Study and Design of Ontology for Cloud Based Web Services Attacks: A Survey

S. M. Chavan, Assistant Professor, Dept. of IT, Government Engineering College, Aurangabad, [email protected]

Dr. S. C. Tamane, Associate Professor, Dept. of IT, MGM's Jawaharlal Nehru Engineering College, Aurangabad, [email protected]
Abstract: Among the various applications of high performance computing, the security of cloud computing is essential and is receiving growing attention in India. Security issues in the cloud are very challenging, because the data roams without any control, and the need to keep the information in the cloud secure and private has become a critical issue. On the basis of cloud architectures we can specify security rules for web application attacks. In this paper we study, design and state the purpose of an ontology that includes encryption algorithms. The ontology describes the security rule specification, and the encryption algorithm part compares the performance of different algorithms. The main focus of this work is to present a study of cloud security policy using encryption algorithms based on an ontology; the study follows the ontology framework built for security policy rules. The paper also discusses cloud based web services attacks, the design of semantic rules, the detection of malicious traffic over the internet, and tools for handling ontologies.

Keywords: Cloud computing; vulnerability; ontology; data encryption; security management.

I. INTRODUCTION
Cloud computing has three service models: Infrastructure as a Service, Platform as a Service and Software as a Service. High performance computing supports the three deployment models, public cloud, private cloud and hybrid cloud. An ontology can be described as a specification of a conceptualization: the models of reality in a system, combined with their properties. Pascal Meunier [1] argues that to represent or communicate knowledge about vulnerabilities and attacks meaningfully, we require an ontology. Abdul Razzaq et al. (2014) [2] proposed a security ontology that provides taxonomies for malicious content, including threats, vulnerabilities and types of attacks; the paper states that an ontology is a precise design that captures its context. A special kind of system, a semantic system, is needed that describes a complete overview of the application and can recognize the depth of the application and its data in order to find attacks. Validation based on this overview, that is, on semantic information, focuses on specific kinds of data and on the nature of commands that are dangerous. Such a system detects complicated attacks much more efficiently by analyzing user requests for the possibility of an attack. The system proposed in [2] highlights semantic analysis of HTTP traffic in a network flow, but it can be extended to other application protocols such as SMTP, HTTPS and FTP. Ontological representations can easily be shared, refined and reused between entities in a domain. The ontology model can be developed with description logic, that is, conceptual knowledge defined in the Web Ontology Language (OWL). The Horn logic declarations given as inference rules in the paper are implemented with the Apache Jena API, which makes the system platform and technology independent. Chang Choi, Junho Choi and Pankoo Kim [3] focus on an ontology-based access control model called Onto-ACM, which provides dynamic access control; its semantic analysis model addresses the differences between the access limits specified by service providers and by users. Gurupreetsingh et al. (2013) [4] compared the available encryption algorithms RSA, DES, 3DES and AES for information security purposes; key generation, update and transfer are performed by the described algorithms. Gurupreetsingh and Supriya [4] find that the differences in speed favor using cloud computing resources to implement the security algorithms that businesses use to secure large amounts of data. They used an asymmetric algorithm (RSA), a hashing algorithm (MD5) and a symmetric algorithm (AES). Vijay Varadharajan and Udaya Tupakula [11] described techniques against a range of attacks and malicious content aimed at specific services such as DNS, database and web servers within the same domain, and against attacks between virtual machines in different domains. In this paper a survey of about twenty papers is carried out and discussed. A further section compares the actual work, methodologies and comparative results of the different papers.
978-1-5090-0467-6/16/$31.00 ©2016 IEEE
II. RELATED WORK
Abdul Razzaq et al. [2] discuss an anomaly-based intrusion detection system that examines the behavior of the incoming stream, that is, each request, against a specified profile and classifies non-conforming content as malicious. Signature-based intrusion detection systems use previously recognized vulnerabilities or attacks and apply raw pattern-matching algorithms to detect threats. Such detection mechanisms are applied at the network level, by analyzing network traffic, and at the application level, by monitoring server logs. Attack signatures are often ineffective at preventing zero-day attacks. A statistical anomaly-detection IDS uses a taxonomy and statistical methods to detect the various types of web application attacks. The role-based access control model in [3] is versatile and conforms closely to the organizational models used in various fields: classification by role separates users into roles, and the access rights granted to a role differ according to the user. Context-aware role-based access control extends the traditional role-based model by allowing security administrators to define context-oriented access control policies enriched with purposes. Role-based access control guards against illegal access in all kinds of computing systems. Gurupreetsingh et al. (2013) [4] examine speed ratios, which favor the use of cloud resources to implement the security algorithms described in the paper. Three kinds of algorithms are used: RSA, an asymmetric encryption algorithm; MD5, a hashing algorithm; and AES, a symmetric encryption algorithm.

DES, 3DES and AES are compared on nine factors: cipher type, key length, security, block size, the effect of different keys (adding ASCII keys and character keys) and the computing time needed to check all keys per second. The study in [4] shows that AES is better than DES and 3DES. System strength depends on key management, the type of cryptography (public or private key), the number of keys and the number of bits in a key: the longer the key, the more secure the transmission. Jinho Seol et al. (2016) [6] describe how keys are formulated according to the mathematical equations or formulas used for the data flow; computation time depends on the number of keys used to encrypt the available data. Security threats from cloud administrators are critical and feasible, yet cloud service providers are mainly concerned with threats from external rather than internal attacks, and this focus undermines the value of cloud computing. The proposed system presents a cloud system architecture consisting of small applications in a virtual machine that prevents cloud administrators from affecting the security of guest VMs [6]. Vijay Varadharajan et al. (2016) developed an integrated security architecture that combines access control, intrusion detection techniques and trusted computing technologies to secure distributed virtual-machine-based systems. Vijay Varadharajan and Udaya Tupakula [7] show how the integrated model detects a range of attacks. The proposed system describes the implementation of the integrated architecture and shows in detail how it counteracts a range of attack scenarios such as privilege escalation, the use of compromised machines to generate further attacks, the exploitation of vulnerabilities in security tools, and attacks on tenant online services. Dimitris Zissis et al. (2012) [8] introduce a trusted third party, tasked with specific security characteristics within a cloud infrastructure or cloud domain. The solution identifies SSO or LDAP, using public key infrastructure cryptography in combination to ensure the confidentiality, authentication and integrity of the communications and data involved. It presents a horizontal level of service, available to all implicated entities, which realizes a security mesh from which an essential trusted environment is maintained. The authors identify generic design principles for cloud environments, based on the requirement to control the applicable threats and vulnerabilities; to do so, approaches from information systems design and software engineering were adopted. Cloud environment security requires a systemic point of view, from which trust is maintained by delegating protection to a trusted third party [8]. The survey in [9] covers the use of MAC security policies.

III. METHODOLOGY
Vijay Varadharajan et al. (2016) [11] describe example scenarios such as zero-day attacks, signature- and anomaly-based attacks, and offline anomaly detection analysis.

A. Models of ontology for web security
A protocol ontology (for example for HTTP) provides the foundation for developing an attack ontology model and is important in detecting attack scenarios and vulnerabilities. The ontology captures several important security aspects: web application attacks, the communication protocols used by an attack, the encoding methods that bind an attack to the ontology, the malicious input that exploits vulnerabilities, the system components affected by these attacks, the cost of each attack and the controls applied to mitigate it [2].

B. Semantic web application security
The system uses a defense in depth strategy by providing detection methods at multiple layers. The first layer, the initial line of resistance, uses the ontological model of the communication protocol; it protects against attacks on the protocol specification. The second layer normalizes user requests by decoding them into a standardized format, which mitigates encoding-based attacks. The next layer uses an ontological model of well known attacks as a negative security model, and the last layer applies knowledge of application profiles as a positive security model [2].
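To make the inference step concrete, here is an added example (not the OWL ontology or Jena rules of [2] or of any other surveyed paper) of Horn-style forward chaining over a small, constructed attack ontology that covers the concepts listed in Section III.A; every class name and fact in it is hypothetical.

```python
"""Toy attack ontology plus Horn-rule forward chaining (added example;
the facts and class names are constructed, not any surveyed ontology).
"""

# Knowledge base: (subject, predicate, object) triples covering the
# concepts the ontology is said to hold: attack, protocol, encoding,
# exploited vulnerability, affected component and mitigating control.
FACTS = {
    ("XSS", "usesProtocol", "HTTP"),
    ("XSS", "usesEncoding", "URLEncoding"),
    ("XSS", "exploits", "UnvalidatedOutput"),
    ("HTTPResponseSplitting", "usesProtocol", "HTTP"),
    ("HTTPResponseSplitting", "exploits", "UnvalidatedHeaderInput"),
    ("HTTPResponseSplitting", "leadsTo", "CachePoisoning"),
    ("HTTPResponseSplitting", "leadsTo", "CrossUserDefacement"),
    ("CachePoisoning", "exploits", "SharedCache"),
    ("UnvalidatedOutput", "affects", "WebBrowser"),
    ("UnvalidatedHeaderInput", "affects", "WebServer"),
    ("SharedCache", "affects", "CacheServer"),
    ("OutputEncoding", "mitigates", "UnvalidatedOutput"),
    ("HeaderCRLFFilter", "mitigates", "UnvalidatedHeaderInput"),
}

# Horn rules: (body patterns, head). Terms starting with '?' are
# variables and must bind consistently across all body patterns.
RULES = [
    # attack exploits V, V affects C  =>  attack affectsComponent C
    ([("?a", "exploits", "?v"), ("?v", "affects", "?c")],
     ("?a", "affectsComponent", "?c")),
    # an attack inherits the components of the attacks it leads to
    ([("?a", "leadsTo", "?b"), ("?b", "affectsComponent", "?c")],
     ("?a", "affectsComponent", "?c")),
    # a control mitigating the exploited vulnerability counters the attack
    ([("?k", "mitigates", "?v"), ("?a", "exploits", "?v")],
     ("?k", "counters", "?a")),
    # and therefore also counters every attack that one leads to
    ([("?k", "counters", "?a"), ("?a", "leadsTo", "?b")],
     ("?k", "counters", "?b")),
]


def unify(pattern, triple, binding):
    """Extend binding so that pattern matches triple, or return None."""
    b = dict(binding)
    for p, t in zip(pattern, triple):
        if p.startswith("?"):
            if b.setdefault(p, t) != t:
                return None
        elif p != t:
            return None
    return b


def match_body(body, facts, binding=None):
    """Yield every binding under which all patterns in body hold."""
    binding = binding or {}
    if not body:
        yield binding
        return
    for fact in facts:
        b = unify(body[0], fact, binding)
        if b is not None:
            yield from match_body(body[1:], facts, b)


def forward_chain(facts, rules):
    """Apply the rules until no new triple is derived (fixpoint)."""
    kb = set(facts)
    changed = True
    while changed:
        changed = False
        for body, head in rules:
            for b in list(match_body(body, kb)):   # snapshot before mutating
                new = tuple(b.get(t, t) for t in head)
                if new not in kb:
                    kb.add(new)
                    changed = True
    return kb


def query(kb, subject=None, predicate=None, obj=None):
    """Return matching triples, sorted; None acts as a wildcard."""
    return sorted(t for t in kb
                  if subject in (None, t[0])
                  and predicate in (None, t[1])
                  and obj in (None, t[2]))


if __name__ == "__main__":
    for triple in query(forward_chain(FACTS, RULES), predicate="counters"):
        print(triple)
```

The derived `counters` triples show why a single control on header input also covers the cache poisoning and defacement attacks that response splitting leads to.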
C. Frameworks
The paper [3] uses frameworks such as a context analysis engine, access control module, inference engine, ontology handler, policy checker and abstraction description in cloud computing environments. R. Sivakumar et al. (2011) [20] note that the Protégé tool is popular for ontology visualization and is applied for further improvement in various domains for a better understanding of domain knowledge. The purpose of their work is to present a study of the different visualization methods, to improve the various Protégé visualization tools and to classify their quality and aspects. In the area of ontology visualization it supports method selection and encourages future research [20].

D. Semantic web application security
Harshal A. Karande et al. [12] propose that syntax-based validation checks size, whereas semantic validation focuses on format and specific data and understands potentially dangerous commands. The proposed system addresses these facts by regularly updating its knowledge base. It also mitigates the different types of web application attacks successfully and easily overcomes the existing strategy of managing threats and attacks by hackers. For the protocol ontology the system focuses on the HTTP protocol because it is the basis of data communication for the World Wide Web. Logic-based context reasoning can be employed based on functionality: rule-based reasoning specifies semantic rules that manipulate the ontology logic. Rules are defined in standard rule languages or written in a variant of a language supported by a specific reasoner.

E. Algorithms
Gurupreetsingh et al. (2013) [4] describe how key generation, update and transport are performed by the encryption algorithm. These algorithms are called cryptographic algorithms, and many exist in the market to encrypt, that is, hide, data. The strength of an encryption algorithm basically depends on the computer system used for key generation. The key generation, encryption and decryption procedures of each algorithm are described.

III. COMPARATIVE ANALYSIS
The method proposed in [2] detects and classifies web application attacks. The solution is ontology based: it specifies attacks in terms of the semantic rules of the web application, the context of significance and the requirements of the application protocols. The ontology model was generated with description logic, that is, the Web Ontology Language, and the Horn logic statements with inference rules are implemented with the Apache Jena API. The problems solved are performance and detection capability, which are significantly better than in older solutions; the work effectively detects web application attacks while generating few false positives. The disadvantage of the system is the lack of a generic rule generation mechanism with interoperability, so rules cannot be interchanged between this system and other security applications. Reference [3] proposes Onto-ACM, an ontology-based access control model whose semantic analysis model addresses the difference between the access control given to users and to service providers. The system provides an intelligent context-aware access model for proactively applying the access level of a resource based on semantic analysis and ontology reasoning. Its components are a communication interface, an access control module, the cloud service providers, the provider's context analysis engine and tools such as the ontology handler, which provides the locality of all resources that can be viewed based on their context information and role (for example a transaction list for an access demand), together with approval of rules written in OWL for analyzing and gathering context information. The problems solved are better protection and prevention of insider intrusions through role-based and context-based control, which provides dynamic access control. The advantages of the system are convenience and efficient policy management by administrators and users; the disadvantage is that if the ontology handler does not recognize a specific rule or policy for the context data, the data flows without any control. The system can be useful in organizations and data centers. Paper [4] compares the algorithms on all parameters, depending on memory usage, computation time and output bytes. The survey combines all the techniques that are helpful for real-time applications. The system can add combinations of algorithms, applied either sequentially or in parallel, to build a much more secure environment for storing and retrieving data. In [6] the proposed architecture defends against wide attack vectors and also accomplishes a tiny TCM target cloud model (a low cost embedded processor).

The system proposes a cloud architecture in which the critical processes and data affecting the security of guest VMs are isolated from the specified domains and from the cloud administrators. The cryptographic environment for encryption and integrity checking should be separated from the specified domains, and the cryptographic keys and integrity hashes of VM images should be isolated from cloud administrators to prevent potential security threats. The system provides secure management, secure storage, good scalability and good I/O performance. The problem solved is that the data of cloud users is isolated from cloud administrators by the architecture; it is protected against malicious cloud administrators and against a compromised or malicious specified domain. The proposed system offers security against wide attack vectors and shows I/O performance that demonstrates its feasibility on the cloud. The disadvantage is that cloud service providers remain mainly concerned with security threats from external attack types rather than internal ones. Vijay Varadharajan and Udaya Tupakula [7] give policy-based access control, for example through firewalls, with intrusion detection techniques and trusted computing technologies to secure distributed applications on virtualized systems, that is, on distributed computing, and secure communication between applications and VMs on different distributed servers. A Tenant Virtual Domain (TVD) allows security-policy-based grouping of the same kind of virtual machines running on distributed machines; there is also a cloud cluster domain. Attacks such as SQL injection, buffer overflow and cross-site scripting are detected. The advantage is that organizations can use TVDs to describe security policies and domain usage, and the system detects attacks by monitoring violations of the access control policies (RBAC). Its limitations are that it does not support a wider range of attacks, which the authors could extend, and that it could further be tested on multiple software systems instead of only one. Paper [9] describes a range of information flow control models, data protection for tenants and providers, MAC security policy, security labels on data and principals in information flow control, and protection in hardware and the OS. The system provides information flow control for the three cloud service models and also discusses policy specification, translation, enforcement and audit logging. It can overcome problems with sensitive data; its disadvantage is that the MAC security policy is applied to all users although it is specifically meant only for sensitive information. Reference [15] focuses on applying the idea in other areas to examine the automatic verification of the results; such areas include medical case studies and legal documents, which use multiple descriptors from different views. An ontology that can classify, assist and retrieve relevant services is constructed automatically, without any preparation by previously developed methods. This work gives a bootstrapping process for web service ontologies, exploiting the fact that web services always consist of a WSDL descriptor and a free-text descriptor. The WSDL descriptor is analyzed with two methods, Term Frequency/Inverse Document Frequency and web context generation. The ontology bootstrapping process integrates the results of both methods and applies a further method that confirms the concepts using the service's free-text descriptor, thereby offering a more accurate definition of the ontology. The bootstrapping process is thus based on analyzing a web service with three different methods, each representing a different point of view of the web service; the result is a correct definition of the ontology and better results. Related topics are web service annotation, ontology creation and evolution, and the ontology evolution of web services.
IV. DISCUSSIONS
The authors of [10] describe a study of HTTP vulnerability attacks and private port attacks, as shown in Table 1.

Table 1. Attack Analysis (Traditional / Ontology Based IDS)

Attack                     DR
HTTP Response Splitting    80.28
HTTP Request Smuggling     78.69
Cache Poisoning            85.90
Cross User Defacement      85.20
DoS                        84.44

This attack analysis covers attacks that can lead to XSS, web cache poisoning, cross-user defacement, browser cache poisoning and cloud cluster poisoning. Cross-site scripting is an injection attack in which malicious scripts are injected: the attacker uses XSS to send a malicious script to an unsuspecting user. An XSS attack can occur when data enters a web application from an untrusted source, such as a web request, and is included in dynamic content sent to a web user without any validation for malicious content; a cookie grabber is an example. HTTP splitting uses different techniques, depending on the target, to decide where the first HTTP message ends and the second starts: some targets consider the message to be carried by packets, others use message boundaries. The request is sent using POST instead of GET, since several application servers allow these functions. HTTP smuggling leverages the different ways an HTTP message can be parsed and interpreted by agents such as web caches, browsers and application firewalls; an example is the bypass of an application firewall. Web cache poisoning is a newer attack: the attacker forces the target, for example a cache server, to cache the response to a second request that is fully controlled by the attacker. Cross-user defacement attacks are single-user, single-page and temporary: the target shares the same TCP connection with the server among a large number of users, and the attacker defaces the site for a single page, locally and temporarily, as requested by a single user. DoS attacks are more damaging. Paper [13] states that ontologies are at the heart of research in numerous vulnerability evaluation projects. An ontology is a formal explicit description of the concepts in a domain of discourse, the properties of each concept describing its features and attributes, and the restrictions on those properties; in other words, a conceptualization of a domain of interest. Examples of vulnerabilities are session riding, hijacking, virtual machine escape, and insecure or obsolete cryptography. The possibility that an attacker successfully escapes from a virtualized environment lies in the virtualization environment itself; this vulnerability is intrinsic to virtualization and highly relevant to (HPC) cloud computing. Another is that web application technologies must overcome the problem that, by design, the HTTP protocol is stateless, whereas web applications require some kind of session state [14]. By analyzing them we can overview the effectiveness of the proposed threats and evaluate their actual effects after they are used [17]. Vaishali Singh et al. (2014) [16] propose the following types of ontologies.
A. Generalized Security Ontologies
These ontologies aim at binding together all security aspects and create an explicit terminology for the domain, which allows various stakeholders to develop and contribute to a general, logical perception of the knowledge.

B. Specific Security Ontologies
These ontologies were proposed for diverse computational models and give a common terminology for describing facts related to web services, networks, risk requirements, security, application-based security and so on.

Fig. 1. Vulnerability Structure

C. Network Security Ontologies
These ontologies address imperfections in networks and applications, which are becoming gradually more important, and the distribution of the defined errors and attacks may not be stationary [16].

In the SaaS cloud architecture, vulnerabilities are classified into web application vulnerabilities and simple vulnerabilities. Web application vulnerabilities include XSS attacks and malicious file execution; simple vulnerabilities include malicious input. The Common Vulnerability Scoring System (CVSS) classifies vulnerabilities as low, medium or high, as in Table 2. This vulnerability structure is used to design the vulnerability ontology [18].

D. Vulnerability ontology
Vulnerability information is obtained from various sources, as shown in Table 2. Security vulnerability is a key factor in clouds. Vulnerability is a well-known component of risk: the chance that a given threat will exploit the vulnerabilities of a group of assets and cause damage to the organization. Vulnerability describes the probability that an asset will be unable to resist the actions of a threat agent; it exists wherever a threat agent can apply force against the asset. Vulnerability analysis, also called vulnerability assessment, is the process that identifies and classifies the security holes, that is, the vulnerabilities, in a computer, network or communications infrastructure.

E. Protocol ontology
The system considers the structure of the HTTP protocol for designing the protocol ontology. A message is an HTTP request or an HTTP response. An HTTP request can be made with the GET or the POST method and is valid when written as a URL into a web browser; the URL is extracted from the HTTP header. The request header contains cookies, parameter values and any malicious input that causes a vulnerability. An HTTP response contains a status line, headers and content; the status line is followed by zero or more headers and an empty line. The status code element is a three-digit integer: the first digit describes the class of the response and the last two digits have no categorization role.
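As an added example, not code from the paper or from any of the surveyed systems, the following Python sketch implements the four detection layers of Section III.B over the request side of the protocol structure just described, using the Table 1 attack classes as constructed test traffic; the /search profile, the signatures and the sample requests are all assumptions made for the example.

```python
"""Layered request screening in the style of the semantic IDS surveyed
above. Added example with constructed traffic; the rule sets and the
/search profile are illustrative, not those of any cited system.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Layer 1 (protocol ontology): structural constraints on a request.
METHODS = {"GET", "POST", "HEAD"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")

# Layer 3 (negative security model): signatures of known attack classes
# from Table 1, applied only after normalization.
NEGATIVE_RULES = {
    "HTTPResponseSplitting": re.compile(r"[\r\n]"),   # CRLF inside a value
    "XSS": re.compile(r"<\s*script|javascript:", re.I),
}

# Layer 4 (positive security model): constructed application profile
# stating what each page legitimately accepts.
PROFILE = {
    "/search": {"q": re.compile(r"^[\w .-]{1,64}$"),
                "page": re.compile(r"^\d{1,3}$")},
}


def parse_request(raw):
    """Layer 1: split raw text into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m or m.group(1) not in METHODS:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"method": m.group(1), "target": m.group(2),
            "headers": headers, "body": body}


def normalise(value):
    """Layer 2: URL-decode until stable so double encoding cannot hide input."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def screen(raw):
    """Run every layer; return the findings (an empty list means clean)."""
    req = parse_request(raw)
    if req is None:
        return ["ProtocolViolation"]
    findings = []
    h = req["headers"]
    # Protocol layer: conflicting or duplicated framing headers are the
    # precondition for request smuggling, so they are flagged outright.
    if len(h.get("content-length", [])) > 1 or (
            "content-length" in h and "transfer-encoding" in h):
        findings.append("HTTPRequestSmuggling")
    url = urlsplit(req["target"])
    params = [(k, normalise(v)) for k, v in parse_qsl(url.query)]
    if req["method"] == "POST":
        params += [(k, normalise(v)) for k, v in parse_qsl(req["body"])]
    values = [v for _, v in params]
    values += [normalise(v) for vs in h.values() for v in vs]
    for name, rule in NEGATIVE_RULES.items():
        if any(rule.search(v) for v in values):
            findings.append(name)
    profile = PROFILE.get(url.path)
    if profile is not None:
        for k, v in params:
            if k not in profile or not profile[k].match(v):
                findings.append("ProfileViolation:" + k)
    return findings


# Constructed sample traffic: one clean request and three attack classes.
CLEAN = "GET /search?q=cloud+ontology&page=2 HTTP/1.1\r\nHost: x\r\n\r\n"
SPLIT = "GET /search?q=a%250d%250aX:%20y HTTP/1.1\r\nHost: x\r\n\r\n"
SMUGGLE = ("POST /search HTTP/1.1\r\nHost: x\r\nContent-Length: 4\r\n"
           "Transfer-Encoding: chunked\r\n\r\nq=ok")
XSS = "GET /search?q=%3Cscript%3E HTTP/1.1\r\nHost: x\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("clean", CLEAN), ("split", SPLIT),
                      ("smuggle", SMUGGLE), ("xss", XSS)]:
        print(name, screen(raw))
```

Note that the double-encoded SPLIT request is caught only because layer 2 decodes before layer 3 matches, and that the positive profile flags it independently of any signature.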
Table 2. Vulnerability Analysis

Source                                                    Vulnerability information                                                             Useful
National Vulnerability Database (NVD)                     Software vulnerability information                                                    No
OWASP (Open Web Application Security Project)             List of top 10 most critical vulnerabilities                                          Yes
CWE (Common Weakness Enumeration)                         Weaknesses in source code and operational systems, related to architecture and design No
Severity of the Common Vulnerability Scoring System (CVSS) Vulnerabilities classified into high, medium and low                                 Yes

Fig. 2. Protocol Structure
V. FUTURE WORK
Future research will use HTTP requests in a virtual domain. This work can be extended by using encryption algorithms during data transmission. For validation purposes the system may identify attacks semantically and identify traffic. The system may use an ontology-based model in a cloud domain with administrators and users.

VI. CONCLUSION
As per the survey of the referenced papers, an ontology implementation captures the context of important web application attacks, the various techniques used by hackers, and the source and target vulnerabilities of the attacks, and it controls the policies for mitigating these attacks. This ontological model of attack detection successfully captures the input that is important in designing and developing mechanisms against web attacks. An ontology generation system can use open source tools such as Protégé. A new encryption algorithm can be proposed to provide a high level of security for cloud traffic, and resource provisioning and optimization techniques through soft computing methods can be proposed. Thus the system can be developed into an ERP for any organization or industry.

References
[1] Pascal Meunier, "Classes of Vulnerabilities and Attacks", technical article, Wiley Handbook of Science and Technology for Homeland Security, Article ID: CS03.
[2] Abdul Razzaq, Khalid Latif, H. Farooq Ahmad, Ali Hur, Zahid Anwar, Peter Charles, "Semantic security against web attacks", Information Sciences 254, pp. 19-38, 2014.
[3] Chang Choi, Junho Choi, Pankoo Kim, "Ontology-based access control model for security policy reasoning in cloud computing", Springer Business Media New York, 711, DOI 10.1007/s11227-013-0980-1, 2013.
[4] Gurupreetsingh and Supriya, "A Study of Encryption Algorithm (RSA, DES, 3DES, AES)", International Journal of Computer Applications (0975-8887), Vol. 67, No. 19, pp. 33-38, 2013.
[5] E-book, soft computing techniques.
[6] Jinho Seol, Seongwook Jin, Daewoo Lee, Jaehyuk Huh, and Seungryoul Maeng, "A Trusted IaaS Environment with Hardware Security Module", IEEE Transactions on Services Computing, Vol. 9, No. 3, pp. 343-356, 2016.
[7] Vijay Varadharajan and Udaya Tupakula, "On the Design and Implementation of an Integrated Security Architecture for Cloud With Improved Resilience", IEEE Transactions on Cloud Computing, DOI 10.1109/TCC.2016.2535320, 2016.
[8] Dimitrios Zissis, Dimitrios Lekkas, "Addressing cloud computing security issues", Future Generation Computer Systems 28, Elsevier, pp. 583-592, 2012.
[9] Jean Bacon, David Eyers, Thomas F. J.-M. Pasquier, Jatinder Singh, Ioannis Papagiannis, and Peter Pietzuch, "Information Flow Control for Secure Cloud Computing", IEEE Transactions on Network and Service Management, Vol. 11, No. 1, pp. 76-89, 2014.
[10] Randy Marchany, "Cloud Computing Security Issues", NIST cloud working group.
[11] Vijay Varadharajan and Udaya Tupakula, "Securing Services in Networked Cloud Infrastructures", IEEE Transactions on Cloud Computing, DOI 10.1109/TCC,2570752, pp. 1-14, 2016.
[12] Harshal A. Karande, Pooja A. Kulkarni, Shyam S. Gupta, Deepak Gupta, "Security against Web Application Attacks Using Ontology Based Intrusion Detection System", International Research Journal of Engineering and Technology (IRJET), e-ISSN: 2395-0056, Vol. 03, Issue 01, pp. 89-92, Jan 2016.
[13] Srujan Kotikela, Krishna Kavi, and Mahadevan Gomathisankaran, "Vulnerability Assessment In Cloud Computing", pp. 1-7.
[14] "Understanding Cloud Computing Vulnerabilities", published by the IEEE Computer and Reliability Societies, March/April 2011.
[15] Aviv Segev and Quan Z. Sheng, "Bootstrapping Ontologies for Web Services", IEEE Transactions on Services Computing, Vol. 5, No. 1, pp. 33-44, January-March 2012.
[16] Vaishali Singh, S. K. Pandey, "Revisiting Security Ontologies", International Journal of Computer Science Issues, Vol. 11, Issue 6, No. 1, pp. 150-159, November 2014.
[17] "Cloud Computing", http://en.wikipedia.org/wiki/Cloud_computing
[18] Stefan Fenz, "Security Ontology", http://stefan.fenz.at/research/security-ontology/
[19] Joaquín Lasheras, Rafael Valencia-García, Jesualdo Tomás Fernández-Breis and Ambrosio Toval, "Modelling Reusable Security Requirements based on an Ontology Framework", http://ws.acs.org.au/jrpit/JRPITVolumes/JRPIT41/JRPIT41.2.119.pdf
[20] R. Sivakumar and P. V. Arivoli, "Ontology visualization protégé tools – A review", International Journal of Advanced Information Technology (IJAIT), Vol. 1, No. 4, pp. 1-11, August 2011.