2016 International Conference on Global Trends in Signal Processing, Information Computing and Communication

Study and Design of Ontology for Cloud Based Web Services Attacks: A Survey

S. M. Chavan, Assistant Professor, Dept of IT, Government Engineering College, Aurangabad, rathod.sb@gmail.com
Dr. S. C. Tamane, Associate Professor, Dept of IT, MGM's Jawaharlal Nehru Engineering College, Aurangabad, Sharvaree73@yahoo.com

Abstract: Among the various applications of high performance computing, the security of cloud computing is essential and is receiving greater awareness in India. Security issues in the cloud are very challenging, as the data roam without any control. The need to keep the security as well as the privacy of information in the cloud has become a critical issue. On the basis of cloud architectures we can specify the security rules for web application attacks. In this paper we go through the study, design and purpose of an ontology together with encryption algorithms. Here the ontology describes the security rule specification, and the encryption algorithm part compares the performance of different algorithms. The main focus of this kind of work is to present a study of cloud security policy using encryption algorithms based on an ontology. This study follows the ontology framework built for security policy rules. This paper also discusses cloud based web services attacks, the design of semantic rules, the detection of malicious traffic over the internet, and tools for handling ontologies.

Keywords: Cloud computing; vulnerability; ontology; data encryption; security management.

I. INTRODUCTION

Cloud computing has three cloud service models: the first is Infrastructure as a Service, the second is Platform as a Service and the third is Software as a Service. High performance computing supports these three models in the public cloud, the private cloud as well as the hybrid cloud. We can describe an ontology as the specification of a conceptualization: models of reality in the different systems, combined together with their properties. Pascal Meunier [1] in his book states that we require an ontology in order to represent or broadcast knowledge about vulnerabilities and attacks meaningfully. Paper [2], Abdul Razzaq et al. (2014), proposed a security ontology which provides different taxonomies for malicious content, including threats, vulnerabilities as well as types of attacks. The paper states that an ontology is a precise design which captures its context. There is a need for a special kind of system, a semantic system, which describes a complete overview and can recognize the depth of an application and its data with respect to attacks. Validation is then based on that overview, that is, on semantic information which focuses on the special kind of data and on the nature of the commands which are dangerous. Thus the system detects complicated attacks in a much more efficient way by analyzing the user requests for possible attacks. The proposed system in paper [2] highlights semantic analysis of HTTP traffic in the network flow, but it can be extended to other application protocols such as SMTP, HTTPS, FTP and others. Ontological representations can often be easily shared, refined and reused between entities in a domain. We can develop a model of the ontology with description logic, that is, conceptual knowledge defined by the Web Ontology Language. The Horn logic declarations given in the paper are inference rules implemented using the Apache Jena API; by using the Apache Jena API the system is platform and technology independent. In paper [3] the authors Chang Choi, Junho Choi and Pankoo Kim focus on an ontology based access control model called Onto-ACM, which describes dynamic access control. Onto-ACM is given a semantic analysis model that addresses the differences in the specified limits between different service providers and users. Gurupreetsingh et al. (2013) have compared the available encryption algorithms RSA, DES, 3DES and AES for information security purposes; the generation, updating and transfer of keys are done by the described algorithms. In paper [4] Gurupreetsingh and Supriya find different terms of speed, which gives the advantage of using cloud computing resources for implementing the security algorithms that businesses use to secure large amounts of data. They used different kinds of algorithms: the asymmetric algorithm RSA, the hashing algorithm MD5 and the symmetric algorithm AES. Vijay Varadharajan and Udaya Tupakula [11] described techniques based on a range of attacks and malicious content against specific services like DNS, database and web servers within the same domain, and attacks between virtual machines in different domains. In this paper a survey of nearly twenty papers is done, and discussions are made according to the survey. A further section compares the actual work, methodologies and comparative work among the different papers.

978-1-5090-0467-6/16/$31.00 2016 IEEE
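The introduction describes inference rules in Horn logic applied over an OWL ontology, as paper [2] does with the Apache Jena API. The following is an added example, not code from paper [2] or from Apache Jena (which implements this in Java with its rule reasoner): a small fixpoint rule engine over RDF-style triples that infers an attack classification for a request from facts about it and from a class hierarchy. The predicate, class and token names are hypothetical and the requests are constructed.

```python
"""Horn-clause forward chaining over RDF-style (subject, predicate, object) triples.

Added example; not code from the surveyed paper or from Apache Jena. Variables
in rule patterns start with "?". Predicate, class and token names are
hypothetical; the requests classified at the bottom are constructed."""

def is_var(term):
    return isinstance(term, str) and term.startswith("?")

def unify(pattern, fact, binding):
    """Extend `binding` so that `pattern` matches `fact`; None if they conflict."""
    b = dict(binding)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if b.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return b

def match_body(body, facts, binding=None):
    """Yield every variable binding under which all body patterns hold in `facts`."""
    binding = binding or {}
    if not body:
        yield binding
        return
    first, rest = body[0], body[1:]
    for fact in facts:
        b = unify(first, fact, binding)
        if b is not None:
            yield from match_body(rest, facts, b)

def substitute(pattern, binding):
    return tuple(binding.get(t, t) if is_var(t) else t for t in pattern)

def forward_chain(facts, rules):
    """Apply rules (body -> head) until no new triple appears; return the closure."""
    facts = set(facts)
    changed = True
    while changed:
        changed = False
        for body, head in rules:
            for b in list(match_body(body, facts)):   # materialize before mutating
                derived = substitute(head, b)
                if derived not in facts:
                    facts.add(derived)
                    changed = True
    return facts

# Hypothetical attack class hierarchy (the "ontology" part).
ONTOLOGY = {
    ("XSS", "subClassOf", "InjectionAttack"),
    ("SQLi", "subClassOf", "InjectionAttack"),
    ("PathTraversal", "subClassOf", "InjectionAttack"),
}

# Tokens whose presence in a parameter value is lifted into a containsToken fact.
SUSPICIOUS_TOKENS = ("<script", "' or", "../")

def facts_for_request(req_id, params):
    """Lift a request's parameters into triples (case-insensitive token check)."""
    facts = set()
    for name, value in params.items():
        vid = f"{req_id}/{name}"
        facts.add((req_id, "hasParameterValue", vid))
        for tok in SUSPICIOUS_TOKENS:
            if tok in value.lower():
                facts.add((vid, "containsToken", tok))
    return facts

# Horn rules: list of (body patterns, head pattern).
RULES = [
    ([("?r", "hasParameterValue", "?v"), ("?v", "containsToken", "<script")], ("?r", "exhibits", "XSS")),
    ([("?r", "hasParameterValue", "?v"), ("?v", "containsToken", "' or")], ("?r", "exhibits", "SQLi")),
    ([("?r", "hasParameterValue", "?v"), ("?v", "containsToken", "../")], ("?r", "exhibits", "PathTraversal")),
    ([("?r", "exhibits", "?a"), ("?a", "subClassOf", "?c")], ("?r", "exhibits", "?c")),   # climb the hierarchy
    ([("?r", "exhibits", "InjectionAttack")], ("?r", "classifiedAs", "Malicious")),
]

def classify(req_id, params):
    """Return (is_malicious, sorted list of concrete attack classes inferred)."""
    closure = forward_chain(ONTOLOGY | facts_for_request(req_id, params), RULES)
    attacks = sorted(o for s, p, o in closure
                     if s == req_id and p == "exhibits" and o != "InjectionAttack")
    return (req_id, "classifiedAs", "Malicious") in closure, attacks

if __name__ == "__main__":
    print(classify("req1", {"q": "<SCRIPT>alert(1)</script>"}))
    print(classify("req2", {"q": "hello world"}))
```

The class-hierarchy rule is what makes a rule set over an ontology more than a signature list: a new concrete attack class only needs its own lifting rule and a subClassOf fact, and the generic "InjectionAttack implies Malicious" conclusion follows without any further rule.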


II. RELATED WORK

Abdul Razzaq et al. [2] discuss an anomaly based intrusion detection system which finds out the behaviour of the incoming stream, that is, it checks each request against a specified profile and flags all non-conforming content as malicious. They used different kinds of intrusion detection systems: a signature based system uses previously recognized vulnerabilities or attacks and applies raw pattern matching algorithms to detect threats to security. Such detection mechanisms are applied at the network level, by analyzing network traffic, and at the application level, by monitoring server logs. Attack signatures are often ineffective at preventing attacks like zero day attacks. A statistical IDS technique for anomaly detection uses a taxonomy for the detection of various types of web application attacks using statistical methods.

The role-based access control model in reference paper [3] is versatile and conforms closely to the organizational model used in various fields. Classification by role meets this requirement by separating roles from users; the access rights given to roles differ depending on the users. The context-aware role-based access control model is an extension of the traditional role-based access control model that permits security administrators to define policies like context oriented access control enriched with purposes. Role based access control takes care of access which is illegal for various kinds of systems in all computing types.

Gurupreetsingh et al. (2013) describe finding terms of speed ratio, which is beneficial for the use of cloud resources for implementing the security algorithms described in the paper. Different kinds of algorithms are used: RSA, an asymmetric encryption algorithm; MD5, a hashing algorithm; and AES, a symmetric encryption algorithm. The comparison of the above mentioned algorithms DES, 3DES and AES uses nine factors: cipher type, key length, security, block size, different keys by addition of ASCII keys, character keys, and the computing time to check all keys per second. The study in paper [4] shows that AES is better than DES and 3DES. It has been seen that the strength of the system depends on the management of the key, the type of cryptography (public or private keys), the number of keys, and the number of bits within a key; the larger the key length, the more secure the transmission.

Jinho Seol et al. (2016) describe how keys are formulated upon the mathematical equations or formulas used for the flow of data. Computation time depends upon the number of keys used and the time for the encryption of the available data. Security threats from cloud administrators are critical and feasible. Cloud service providers are mainly concerned with security threats from external attacks instead of internal attacks, and this focus obstructs the importance of cloud computing. The proposed system presented a cloud system architecture which consists of small applications in a virtual machine to stop cloud administrators of guest VMs from affecting security [6].

Vijay Varadharajan et al. (2016) have developed an integrated security architecture which integrates access control security, intrusion detection techniques and trusted computing technologies for securing distributed virtual machine based systems. Vijay Varadharajan and Udaya Tupakula [7] implemented how the integrated model is able to detect a range of attacks. The proposed system described the implementation of the integrated architecture and showed in detail how the architecture can be used to counteract a range of attack scenarios, such as privilege escalation attacks, using compromised machines to generate further attacks, exploiting vulnerabilities in security tools, and attacks on tenant online services.

Dimitris Zissis et al. (2012) introduced a trusted third party, tasked with specific security characteristics within a cloud infrastructure or cloud domain. The given solution identifies SSO or LDAP, operating public key infrastructure cryptography, in order to ensure the confidentiality, authentication and integrity of the involved communications and data. The solution presents a horizontal level of service, available to all implicated entities, which realizes a network of security from which an essential trusted environment is maintained. The authors identified generic design principles for cloud environments whose basis is the requirement to control applicable threats and vulnerabilities. Approaches from systems design, information systems and software engineering were adopted. Cloud environment security requires a systemic point of view, from which trusted security should be maintained by delegating protection to a trusted third party [8]. The research survey in paper [9] covers the usage of MAC security policy.

III. METHODOLOGY

Vijay Varadharajan et al. (2016) describe example scenarios like zero day attacks, signature and anomaly based attacks, and offline anomaly detection analysis, discussed in paper [11].

A. Models of ontology for web security

A protocol ontology (for example for HTTP) provides the foundation for developing an attack ontology model. It is important in detecting attack scenarios and attack vulnerabilities. The ontology captures several important security aspects: it contains a number of concepts like web application attacks, the communication protocols used by the attack, the encoding methods which provide the binding to the attack, the malicious input that exploits vulnerabilities, the components of the system affected by these types of attacks, the cost of each attack, and the control applied to mitigate such attacks [2].

B. Semantic web application security

The system uses a defense in depth strategy by providing detection methods at multiple layers. The first layer, called the initial line of resistance, uses the ontological model of the communication protocol; this model provides protection for the protocol specification and related attacks. The second layer normalizes the requests from the user by decoding them into a standardized format, which helps to mitigate encoding based attacks. The next layer uses an ontological model of well known attacks as a negative security model, and the last layer applies the knowledge of application profiles through a positive security model [2].
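The four-layer defense in depth model of Section III-B, as an added example rather than code from the surveyed system [2]: each layer is a plain Python function, the protocol model is a minimal check of the HTTP message shape, the negative model is a few regular expressions standing in for the well-known-attack ontology, and the positive model is a constructed profile of a hypothetical application. The sample requests are constructed and already split into method, path, query and headers.

```python
"""Four-layer request analysis: protocol model, normalization, negative model,
positive model. Added example; not code from paper [2]. The application
profile, the attack patterns and the sample requests are constructed."""
import re
from urllib.parse import parse_qsl, unquote_plus

ALLOWED_METHODS = {"GET", "POST", "HEAD"}
HEADER_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 7230 header-name token

def layer1_protocol(req):
    """Layer 1, protocol model: reject what the HTTP message model does not allow."""
    if req["method"] not in ALLOWED_METHODS:
        return f"method {req['method']!r} not in protocol model"
    for name, value in req["headers"].items():
        if not HEADER_TOKEN.match(name):
            return f"malformed header name {name!r}"
        if "\r" in value or "\n" in value:
            return f"CR/LF inside header {name!r} (response splitting / smuggling framing)"
    names = {n.lower() for n in req["headers"]}
    if {"content-length", "transfer-encoding"} <= names:
        return "ambiguous framing: both Content-Length and Transfer-Encoding"
    return None

def canonical(s, max_rounds=3):
    """Percent-decode until stable (bounded), so double encoding cannot hide
    input from the later layers."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s

def layer2_normalize(req):
    """Layer 2, normalization: one canonical form of path and parameters."""
    params = {canonical(k): canonical(v)
              for k, v in parse_qsl(req["query"], keep_blank_values=True)}
    return {**req, "path": canonical(req["path"]), "params": params}

# Layer 3 vocabulary: a small stand-in for the well-known-attack ontology.
NEGATIVE_MODEL = {
    "XSS": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
    "SQLi": re.compile(r"'\s*or\s+'?\d|union\s+select|--\s*$", re.I),
    "PathTraversal": re.compile(r"(^|[\\/])\.\.([\\/]|$)"),
}

def layer3_negative(norm):
    """Layer 3, negative model: known-attack patterns over the normalized fields."""
    for field in [norm["path"], *norm["params"].values()]:
        for attack, pattern in NEGATIVE_MODEL.items():
            if pattern.search(field):
                return attack
    return None

# Layer 4 vocabulary: constructed profile of a hypothetical application.
PROFILE = {
    "/search": {"q": re.compile(r"[\w ,.]{1,64}")},
    "/login": {"user": re.compile(r"[a-z0-9_]{3,32}"), "pwd": re.compile(r".{8,128}")},
}

def layer4_positive(norm):
    """Layer 4, positive model: only profiled paths, parameters and shapes pass."""
    spec = PROFILE.get(norm["path"])
    if spec is None:
        return f"path {norm['path']!r} not in application profile"
    for name, value in norm["params"].items():
        if name not in spec:
            return f"unexpected parameter {name!r}"
        if not spec[name].fullmatch(value):
            return f"parameter {name!r} violates its profile"
    return None

def analyze(req):
    """Run the layers in order; return (verdict, layer that decided, reason)."""
    reason = layer1_protocol(req)
    if reason:
        return "block", 1, reason
    norm = layer2_normalize(req)
    attack = layer3_negative(norm)
    if attack:
        return "block", 3, attack
    reason = layer4_positive(norm)
    if reason:
        return "block", 4, reason
    return "allow", None, None

# Constructed sample requests.
SAMPLES = {
    "benign": {"method": "GET", "path": "/search", "query": "q=cloud+ontology",
               "headers": {"Host": "app.example"}},
    "split": {"method": "GET", "path": "/search", "query": "q=x",
              "headers": {"Host": "app.example", "X-Lang": "en\r\nX-Injected: 1"}},
    "double_enc": {"method": "GET", "path": "/search",
                   "query": "q=%253Cscript%253Ealert(1)%253C/script%253E",
                   "headers": {"Host": "app.example"}},
    "unknown_param": {"method": "GET", "path": "/search", "query": "q=ok&debug=1",
                      "headers": {"Host": "app.example"}},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, analyze(req))
```

The order of the layers matters: the double-encoded sample carries no literal `<script` and would pass the negative model if it ran before normalization, and the request with an unknown parameter matches no attack pattern at all and is caught only by the positive model. The protocol layer rejects a CR/LF in a header value and ambiguous framing before any content inspection, which is where the splitting and smuggling rows of Table 1 are addressed.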
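Section II describes role-based access control in which rights attach to roles rather than users, extended with context conditions such as purposes, and the comparative analysis of Onto-ACM [3] notes that if the ontology handler does not recognize a rule or policy for the context data, the data flows without any control. The following added example, not code from Onto-ACM or any surveyed system, models both points in Python: grants are attached to roles and carry purpose, time-window and location conditions, and a request whose context the handler does not recognize is denied by default. Users, roles, resources and purposes are hypothetical; the sample contexts are constructed.

```python
"""Context-aware role-based access control with a fail-closed default.

Added example; not code from Onto-ACM [3]. Rights attach to roles, each grant
carries context conditions, and an unrecognized context is denied instead of
flowing uncontrolled. Roles, resources, purposes and users are hypothetical."""
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Context:
    purpose: str    # why access is requested, e.g. "billing"
    at: time        # local time of the request
    location: str   # "office" or "remote"

@dataclass(frozen=True)
class Grant:
    role: str
    resource: str
    actions: frozenset
    purposes: frozenset                          # purposes this grant is enriched with
    window: tuple = (time(0, 0), time(23, 59))   # allowed time window
    locations: frozenset = frozenset({"office", "remote"})

    def permits(self, action, ctx):
        return (action in self.actions and ctx.purpose in self.purposes
                and self.window[0] <= ctx.at <= self.window[1]
                and ctx.location in self.locations)

# Context vocabulary the handler understands; anything else is "unrecognized".
KNOWN_PURPOSES = {"billing", "support", "audit"}
KNOWN_LOCATIONS = {"office", "remote"}

USER_ROLES = {"alice": {"accountant"}, "bob": {"support_agent"}, "carol": {"auditor"}}

GRANTS = [
    Grant("accountant", "invoices", frozenset({"read", "write"}), frozenset({"billing"}),
          window=(time(8, 0), time(18, 0)), locations=frozenset({"office"})),
    Grant("support_agent", "tickets", frozenset({"read", "write"}), frozenset({"support"})),
    Grant("auditor", "invoices", frozenset({"read"}), frozenset({"audit"})),
]

def decide(user, action, resource, ctx, fail_closed=True):
    """Return (decision, reason). fail_closed=False reproduces the weakness the
    survey notes: an unrecognized context is waved through uncontrolled."""
    if ctx.purpose not in KNOWN_PURPOSES or ctx.location not in KNOWN_LOCATIONS:
        if fail_closed:
            return "deny", "unrecognized context; no policy can be matched"
        return "allow", "context not understood; flow left uncontrolled"
    for role in USER_ROLES.get(user, set()):
        for grant in GRANTS:
            if grant.role == role and grant.resource == resource and grant.permits(action, ctx):
                return "allow", f"role {role!r} grants {action} on {resource} for {ctx.purpose}"
    return "deny", "no role of the user grants this action in this context"

# Constructed sample contexts.
OFFICE_BILLING = Context("billing", time(10, 0), "office")
LATE_BILLING = Context("billing", time(22, 0), "office")
REMOTE_BILLING = Context("billing", time(10, 0), "remote")
REMOTE_AUDIT = Context("audit", time(10, 0), "remote")
UNKNOWN_PURPOSE = Context("marketing", time(10, 0), "office")

if __name__ == "__main__":
    print(decide("alice", "write", "invoices", OFFICE_BILLING))
    print(decide("alice", "write", "invoices", LATE_BILLING))
    print(decide("bob", "read", "tickets", UNKNOWN_PURPOSE))
    print(decide("bob", "read", "tickets", UNKNOWN_PURPOSE, fail_closed=False))
</test>
```

The decision for the "marketing" context is the point of the example: the request names a purpose no grant has ever heard of, and the only safe answer is a denial, logged with its reason so that a missing policy is noticed rather than silently bypassed.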
C. Frameworks

Paper [3] uses frameworks like a context analysis engine, access control module, inference engine, ontology handler, policy checker and abstraction description in cloud computing environments. R. Sivakumar et al. (2011) state that the Protégé tool is popular for ontology visualization; the Protégé tool is applied for further improvement in various disciplines for a better understanding of domain knowledge. The purpose of their work is to present a study of the application of different methods. These techniques are used for the improvement of different kinds of Protégé visualization tools and to classify their quality and aspects. In the area of ontology visualization it supports method selection and encourages future research [20].

D. Semantic web application security

Harshal A. Karande et al., paper [12], propose that where syntax based validation checks size, semantic based validation focuses on format, specific data, and the understanding of potentially dangerous commands. The proposed system is able to address all these facts through regular updating of the knowledge base. The proposed system also mitigates the different types of web application attacks successfully and is easily able to overcome the existing strategy of managing threats and attacks by hackers. For the protocol ontology in this system the focus is on the HTTP protocol, because it is the foundation of data communication for the World Wide Web. Logic based context reasoning can be employed based on functionality. Rule based reasoning specifies semantic rules which can be defined to manipulate the ontology logic. Standard rule languages are used for defining the rules, or they can be written in a variant of a language supported by a specific reasoner.

E. Algorithms

Gurupreetsingh et al. (2013) describe the key updating, generation and transportation which are done by the tiny encryption algorithm. These types of algorithms are called cryptographic algorithms. Many security algorithms exist in the market to encrypt, that is, to hide the data. The power of an encryption algorithm basically depends on the computer system which can be used for the key generation. The key generation procedure, encryption and decryption for each and every algorithm are described.

III. COMPARATIVE ANALYSIS

In reference paper [2] the proposed method is for detecting and classifying web application attacks. The solution is an ontology based method. It specifies attacks based on semantic rules for the web application, the context of significance and the requirements of the application protocols. The ontology model was generated using description logic, that is, the Web Ontology Language. Horn logic statements with inference rules can be implemented using the API of the Apache Jena framework. Problems solved: the performance of the system and its detection capability are significantly better than older solutions. The work effectively detects web application attacks while generating few false positives. Disadvantages of the system: a generic rule generation mechanism with interoperability rules, which could be interchanged between this system and other security applications, is not possible.

Reference paper [3] proposes Onto-ACM, an ontology based access control model, with a semantic analysis model which addresses the difference between the access control given to users and to service providers. The system provides an intelligent context aware access model for proactively applying the access level of a resource based on the semantic analysis method and ontology reasoning. The semantic analysis model classifies differences in the given limits between users and service providers. Its components are the communication interface, the access control module, the cloud service providers, the providers' context analysis engine, and tools like the ontology handler, which provides the location of all resources that can be viewed based on their context information and role (for example a transaction list for an access demand), and the approval of rules with OWL for analyzing and gathering context information. Problems solved in this system: better protection and prevention of insider intrusions, through role based and context based control, which provides dynamic access control. Advantages of the system are convenience and efficient policy management by admins and users; the disadvantage of the system is that if the ontology handler does not recognize a specific rule or policy for the context data, then the data flows without any control. The system can be useful in organizations and data centers.

Paper [4] makes algorithm comparisons while considering all parameters depending on memory usage, computation time and output bytes. The survey is given to combine all the techniques which are helpful for real-time applications. The system can add a combination of algorithms, applied either sequentially or in parallel, to build up a much more secure environment for storing and retrieving data.

In paper [6] the proposed architecture defends against wide attack vectors and also accomplishes a tiny TCM target cloud model (a low cost embedded processor). The system proposes a cloud architecture in which the critical processes and data affecting the VMs and the security of the guest VMs are isolated from the specified domains and the cloud administrators. The cryptographic environment for encryption and integrity checking should be separated from the specified domains. The cryptographic keys used and the integrity hash data of VM images should be isolated from cloud administrators to prevent potential security threats. The system provides secure management, secure storage, good scalability and I/O performance. Problems solved in the system: the data of cloud users is isolated from cloud administrators by using the architecture; the data of cloud users is protected from malicious cloud administrators and from a compromised or malicious specified domain. The proposed system offers security functionality against wide attack vectors and shows I/O performance demonstrating its feasibility in the cloud. Disadvantages of the system: cloud service providers are mainly concerned with security threats from external attack types rather than internal attack types.

Vijay Varadharajan and Udaya Tupakula [7] give policy based access control through firewalls together with ID techniques and trusted computing technologies for the security of distributed applications
on virtualized systems, that is, distributed computing, with secure communication of applications and VMs on different distributed servers. A Tenant Virtual Domain (TVD) allows security policy based grouping, for example of the same kind of virtual machines running on distributed machines; there is also a cloud cluster domain. Attacks such as SQL injection, buffer overflow and cross site scripting are detected. Advantages of the system: organizations can use the TVD to describe security policies and the usage of the domain. The system detects attacks by monitoring any violations of the access control policies (RBAC policies). Limitations of the system are that it cannot support a wider range of attacks; the authors can extend it to more attacks, and further it can be extended to test on multiple softwares instead of only one.

Paper [9] describes a range of information flow control models, data protection of tenants and providers, MAC security policy, security labels on data and principals in information flow control, and protection in hardware and OS. The system makes provision for information flow control with three cloud services. The paper also discusses policy specification, translation, enforcement and audit logging. The system can overcome problems with sensitive data. Disadvantages of the system: the MAC security policy is used for all users, but specifically it is only for sensitive types of information.

Reference paper [15] focuses on applying the idea in other areas to examine the automatic verification of the results. These areas can include medical case studies and law documents which use multiple descriptors from different views. The automatic construction of an ontology can classify, assist and retrieve relevant services without any preparation by previously developed methods. This work gives a bootstrapping process of ontology for web services. It takes advantage of the fact that web services always consist of WSDL and free text descriptors. The WSDL descriptor is analyzed using two methods: first, term frequency / inverse document frequency, and second, web context generation. The given ontology bootstrapping process integrates the results of both methods and applies a further method to confirm the concepts using the service free text descriptor, thereby offering a more accurate definition of the ontologies. The bootstrapping process of the ontology is based on analyzing a web service using three different methods, each representing a different point of view of the web service. The result is that the process provides a correct definition of the ontology and gives better results. The work covers web service annotation, ontology creation and evolution, and ontology evolution of web services.

IV. DISCUSSIONS

The authors of article [10] describe a study of HTTP vulnerability attacks and private port attacks, as shown in Table 1.

Table 1 Attack Analysis (column headings as extracted: Traditional, Ontology Based IDS, DR)

  Attack                     DR
  HTTP RESPONSE SPLITTING    80.28
  HTTP REQUEST SMUGGLING     78.69
  CACHE POISONING            85.90
  CROSS USER DEFACEMENT      85.20
  DOS                        84.44

The attacks analyzed can lead to XSS, web cache poisoning, cross user defacement, browser cache poisoning and cloud cluster poisoning. Cross site scripting attacks are injection attacks in which malicious scripts are injected: first the attacker uses XSS to send a malicious script to an unsuspecting user. An XSS attack can occur when data enters a web application through an untrusted source, like a web request, and the data is included in dynamic content which is sent to a web user without any validation for malicious content; consider for example a cookie grabber. In HTTP splitting, different targets use different techniques to decide when the first HTTP message ends and when the second starts: some targets consider the message to be carried by packets, some use message boundaries. The request is sent using POST as a substitute for GET, considering that several application servers allow these functions. HTTP smuggling leverages the different ways in which an unusual HTTP message can be parsed and interpreted by agents like web caches, browsers and application firewalls; an example is the bypass of an application firewall. Web cache poisoning is a newer attack: the attacker simply forces the target, for example a cache server, to send a request and to cache the response of a second request which is fully controlled by the attacker. Cross user defacement attacks are single user, single page and temporary defacements in which the target shares the same TCP connection with the server among a large number of users; the attacker defaces the site for a single page, locally and temporarily, as requested by a single user. DoS attacks are more damaging.

Paper [13] states that ontologies are at the heart of research and of numerous vulnerability evaluation projects. A formal explicit description of concepts in a domain of discourse, the properties of every concept describing the various features and attributes of the concept, and the restrictions on those properties is called an ontology; the conceptualization of a domain of interest is called an ontology. Examples of vulnerabilities are session riding, hijacking, virtual machine escape, and insecure or obsolete cryptography. One possibility that an attacker might successfully escape from a virtualized environment lies in the virtualization environment itself. Consider this vulnerability as intrinsic to virtualization and highly relevant to (HPC) cloud computing. Another is that web application technologies must overcome the problem that, by design, a
stateless protocol, the HTTP protocol, is exactly the opposite of what web applications require, namely some kind of session state [14]. By analysis we can get an overview of the effectiveness of the proposed threats and an evaluation of their actual effects after they are actually used [17]. Vaishali Singh et al. (2014) propose the following types of ontologies.

A. Generalized Security Ontologies

This type of ontology aims at binding all security aspects and creating an explicit terminology of the domain. This allows various stakeholders to develop and contribute to a general perception of the knowledge in a logical way.

B. Specific Security Ontologies

This type of ontology was proposed in diverse computational models, which give a common terminology for describing facts related to web services, the network, risk requirements, security, application based security, etc.

C. Network Security Ontologies

This type of ontology addresses imperfections in networks and applications, which are becoming gradually more important, and the distribution of errors and attacks defined may not be stationary [16].

D. Vulnerability ontology

Vulnerability information is given by various sources, such as those in Table 2. Security vulnerability in clouds is an important key factor. Vulnerability is a well-known component of risk: the likelihood that a given threat will exploit the vulnerabilities of a group of assets and cause damage to the organization. Vulnerability describes the probability that an asset will be unable to resist the actions of a threat agent. It exists when force is applied from both sides, by the agent and by the vulnerability. Its analysis, also called vulnerability assessment, is a process that identifies and classifies the security holes, as vulnerabilities, in a computer, networking, or communications infrastructure.

Fig. 1. Vulnerability Structure

The SaaS cloud architecture classifies vulnerabilities into web application vulnerabilities and simple vulnerabilities. Web application vulnerabilities contain XSS attacks or malicious file execution. Simple vulnerability contains malicious input. The Common Vulnerability Scoring System (CVSS) classifies the vulnerabilities into low, medium and high, as in Table 2. This kind of vulnerability structure is used to design the ontology for vulnerabilities [18].

Table 2 Vulnerability Analysis

  SOURCES                                         VULNERABILITY INFORMATION                                                           USEFUL
  NATIONAL VULNERABILITY DATABASE (NVD)           SOFTWARE VULNERABILITY INFORMATION                                                  NO
  OWASP (OPEN WEB APPLICATION SECURITY PROJECT)   LIST OF TOP 10 MOST CRITICAL VULNERABILITIES                                        YES
  CWE (COMMON WEAKNESS ENUMERATION)               WEAKNESSES IN SOURCE CODE AND OPERATIONAL SYSTEMS, RELATED TO ARCHITECTURE AND DESIGN   NO
  COMMON VULNERABILITY SCORING SYSTEM (CVSS)      CLASSIFY SEVERITY OF THE VULNERABILITY INTO HIGH, MEDIUM AND LOW                    YES

E. Protocol ontology

The system considers the HTTP protocol structure for designing the protocol ontology. A message is either an HTTP request or an HTTP response. An HTTP request can be made by the GET method or by the POST method, and is valid when written as a URL into a web browser. The URL is extracted from the HTTP header. The request header contains cookies and parameter values; malicious input there causes a vulnerability. An HTTP response contains a status line, headers and content. The status line is followed by zero or more headers and an empty line. The status code element is a three digit integer: the first digit of the status code describes the class of the response, and the last two digits do not have any categorization role.

Fig. 2. Protocol Structure
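The protocol ontology of Section E treats an HTTP message as a request or a response with the parts listed above (method and URL, headers carrying cookies and parameter values; status line, headers, empty line, content; a three digit status code whose first digit gives the class). The following added example, not code from the surveyed papers, lifts raw messages into those concepts with the Python standard library and rejects messages that do not fit the model, which is the check the first layer of Section III-B relies on. The two sample messages are constructed.

```python
"""Parse raw HTTP messages into the protocol-ontology concepts of Section E.

Added example; not code from the surveyed papers. Framing follows RFC 7230
(start line, zero or more header lines, an empty line, then the body) and the
status-code classes follow RFC 7231. The sample messages are constructed."""
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit

STATUS_CLASSES = {"1": "Informational", "2": "Success", "3": "Redirection",
                  "4": "ClientError", "5": "ServerError"}

def split_message(raw):
    """Return (start_line, headers, body); ValueError if the framing is malformed."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no empty line terminating the header section")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line {line!r}")
        headers[name.lower()] = value.strip()
    return lines[0], headers, body

def parse_request(raw):
    """HTTPRequest concept: method, URL path, headers, cookies, parameter values."""
    start, headers, body = split_message(raw)
    parts = start.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line {start!r}")
    method, target, version = parts
    if method not in ("GET", "POST"):
        raise ValueError(f"method {method!r} is outside the protocol model")
    url = urlsplit(target)
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        params.update(parse_qsl(body, keep_blank_values=True))
    cookies = {}
    if "cookie" in headers:
        jar = SimpleCookie()
        jar.load(headers["cookie"])
        cookies = {name: morsel.value for name, morsel in jar.items()}
    return {"concept": "HTTPRequest", "method": method, "path": url.path,
            "version": version, "headers": headers, "cookies": cookies, "params": params}

def parse_response(raw):
    """HTTPResponse concept: status line (code and its class), headers, content."""
    start, headers, body = split_message(raw)
    parts = start.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"malformed status line {start!r}")
    version, code = parts[0], parts[1]
    if len(code) != 3 or not code.isdigit():
        raise ValueError(f"status code {code!r} is not a three-digit integer")
    return {"concept": "HTTPResponse", "version": version, "status": int(code),
            "status_class": STATUS_CLASSES.get(code[0], "Unknown"),   # first digit only
            "reason": parts[2] if len(parts) == 3 else "",
            "headers": headers, "content": body}

def status_class(raw_response):
    """Class name of a raw response, or 'Malformed' when it fails the model."""
    try:
        return parse_response(raw_response)["status_class"]
    except ValueError:
        return "Malformed"

# Constructed sample messages.
SAMPLE_REQUEST = ("POST /login?lang=en HTTP/1.1\r\n"
                  "Host: app.example\r\n"
                  "Cookie: session=abc123; theme=dark\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n"
                  "Content-Length: 24\r\n"
                  "\r\n"
                  "user=alice&pwd=s3cret%21")
SAMPLE_RESPONSE = "HTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\n\r\nmissing"

if __name__ == "__main__":
    print(parse_request(SAMPLE_REQUEST))
    print(parse_response(SAMPLE_RESPONSE))
```

Parameter values are collected from both the query string and a form-encoded POST body, since the survey's point is that malicious input arrives through parameter values regardless of the method; a status line whose code is not three digits is rejected rather than guessed, so a response that does not fit the model never gets a class.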
V. FUTURE WORK

Future research will use HTTP requests in a virtual domain. This work can be extended by using encryption algorithms during data transmission. For validation purposes the system may identify attacks semantically and identify traffic. The system may use an ontology based model with a cloud domain with admins and users.

VI. CONCLUSION

As per the survey of the reference papers, the implementation of an ontology captures the context of important web application attacks, the various techniques used by hackers, and the source and target of the attack vulnerabilities. This controls the policies for the mitigation of these attacks. This ontological model of attack detection allows successfully capturing the input which is important in designing and developing mechanisms against web attacks. An ontology generation system can use open source tools like the Protégé tool. The implementation of a new encryption algorithm can be proposed to provide a high level of security for cloud traffic. The system can propose resource provisioning and optimization techniques through soft computing methods. Thus the system can develop an ERP for any organization or industry.

References

[1] Pascal Meunier, "Classes of Vulnerabilities and Attacks", technical article, Wiley Handbook of Science and Technology for Homeland Security, Article ID: CS03.
[2] Abdul Razzaq, Khalid Latif, H. Farooq Ahmad, Ali Hur, Zahid Anwar, Peter Charles, "Semantic security against web attacks", Information Sciences 254, pp. 19-38, 2014.
[3] Chang Choi, Junho Choi, Pankoo Kim, "Ontology-based access control model for security policy reasoning in cloud computing", Springer Business Media New York, 711-, DOI 10.1007/s11227-013-0980-1, 2013.
[4] Gurupreetsingh and Supriya, "A Study of Encryption Algorithm (RSA, DES, 3DES, AES)", International Journal of Computer Applications (0975-8887), Volume 67, No 19, pp. 33-38, 2013.
[5] E-book, soft computing techniques.
[6] Jinho Seol, Seongwook Jin, Daewoo Lee, Jaehyuk Huh, and Seungryoul Maeng, "A Trusted IaaS Environment with Hardware Security Module", IEEE Transactions on Services Computing, Vol. 9, No. 3, pp. 343-356, 2016.
[7] Vijay Varadharajan and Udaya Tupakula, "On the Design and Implementation of an Integrated Security Architecture for Cloud With Improved Resilience", IEEE Transactions on Cloud Computing, DOI 10.1109/TCC.2016.2535320, 2016.
[8] Dimitrios Zissis, Dimitrios Lekkas, "Addressing cloud computing security issues", Future Generation Computer Systems 28, Elsevier, pp. 583-592, 2012.
[9] Jean Bacon, David Eyers, Thomas F. J.-M. Pasquier, Jatinder Singh, Ioannis Papagiannis, and Peter Pietzuch, "Information Flow Control for Secure Cloud Computing", IEEE Transactions on Network and Service Management, Vol. 11, No. 1, pp. 76-89, 2014.
[10] Randy Marchany, "Cloud Computing Security Issues", NIST cloud working group.
[11] Vijay Varadharajan and Udaya Tupakula, "Securing Services in Networked Cloud Infrastructures", IEEE Transactions on Cloud Computing, DOI 10.1109/TCC,2570752, pp. 1-14, 2016.
[12] Harshal A. Karande, Pooja A. Kulkarni, Shyam S. Gupta, Deepak Gupta, "Security against Web Application Attacks Using Ontology Based Intrusion Detection System", International Research Journal of Engineering and Technology (IRJET), e-ISSN: 2395-0056, Volume 03, Issue 01, pp. 89-92, Jan 2016.
[13] Srujan Kotikela, Krishna Kavi, and Mahadevan Gomathisankaran, "Vulnerability Assessment In Cloud Computing", pp. 1-7.
[14] "Understanding Cloud Computing Vulnerabilities", published by the IEEE Computer and Reliability Societies, 1540-7993/11/$26.00 2011 IEEE, March/April 2011.
[15] Aviv Segev and Quan Z. Sheng, "Bootstrapping Ontologies for Web Services", IEEE Transactions on Services Computing, Vol. 5, No. 1, pp. 33-44, January-March 2012.
[16] Vaishali Singh, S. K. Pandey, "Revisiting Security Ontologies", International Journal of Computer Science Issues, Volume 11, Issue 6, No 1, pp. 150-159, November 2014.
[17] Cloud Computing, http://en.wikipedia.org/wiki/Cloud_computing
[18] Stefan Fenz, Security Ontology, http://stefan.fenz.at/research/security-ontology/
[19] Joaquín Lasheras, Rafael Valencia-García, Jesualdo Tomás Fernández-Breis and Ambrosio Toval, "Modelling Reusable Security Requirements based on an Ontology Framework", http://ws.acs.org.au/jrpit/JRPITVolumes/JRPIT41/JRPIT41.2.119.pdf
[20] R. Sivakumar and P. V. Arivoli, "Ontology visualization Protégé tools: A review", International Journal of Advanced Information Technology (IJAIT), Vol. 1, No. 4, pp. 1-11, August 2011.