31-08-2012, 03:38 PM
Forensic Web Services Framework
Web services are a popular application
of service-oriented
architecture (SOA) for many
organizations for financial, government,
and military purposes. They seamlessly
integrate different organizations’ services
over the Internet using choreographies, orchestrations,
dynamic invocations, and brokers. They
also now include transactions involving more
than two participants (multiparty activities).
These service-level compositional techniques
create complex interdependencies between different
organizations’ Web services that attackers
can exploit by finding some localized or compositional
flaws. Such attacks can affect multiple
servers and organizations, resulting in financial
loss or infrastructural damage [1–3]. Furthermore,
it’s difficult to investigate such incidents.
However, if a neutral third party was securely
retaining dependencies between service
invocations, investigators could recreate the
alleged activity and present evidence to support
prosecution. Material evidence currently extractable
from Web servers—such as log records or
XML firewall alerts from endpoint services—
doesn’t have any forensic value because defendants
can rightfully claim that they didn’t send the
message or that the plaintiff fabricated or altered
the log record. We propose implementing Forensic
Web Services (FWS), a participant-neutral,
nonrefutable set of services that gathers forensically
valid evidence for SOAs.
Web Service Misuses
Web services communicate with each other using
message exchange patterns (MEPs) mostly in one
direction or in a request-response manner. Additionally,
these simple MEPs construct collaboration
scenarios using the appropriate composition
model. For example, using an orchestration model
recipient service checks the content,
the malicious data can pass between
the systems. Our previous work describes
a detailed cross-site scripting
attack scenario that leaves sufficient
evidence to identify the attacker.
Business Misuses
Attackers can also misuse Web service choreographies
to conduct illegal business. An
orchestrator creates a large business scheme that
abuses legal constraints in producing profits
without abusing the underlying choreography
or attacking the infrastructure. Sometimes, a
business-level malicious actor is a partner in a
choreography that deviates from the originally
specified choreography. A choreography can deviate
from its specification if one of the transaction
participants doesn’t behave as specified, thus potentially
leading to an undue advantage.
FWS Functions
Organizations that are tightly integrated with
each other through Web transactions and processes
can benefit from FWS in two ways. First,
FWS can help organizations hold their partner
Web services accountable for malicious activity
that affects overall efficiency, consistency, and
availability. Second, organizations can use the
detailed explanation of the malicious activity
to determine the severity of the punishment or
amount of monetary compensation.
We thus propose extending the model to maintain
instance correlations through both hierarchical
and conversational compositions. This
requires adding a layer (called WS-Evidence) with
XML schema for handling messages and storing
records.
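
The instance correlation described above, as an added example that is not from the paper or the FWS project: a neutral store that hash-chains its records and links each invocation to its parent and its conversation. The field names, the `EvidenceStore` class and the sample messages are assumptions; sender signatures, which non-repudiation also requires, are left out.

```python
import hashlib, json

GENESIS = "0" * 64  # "previous hash" of the first record

def digest(record):  # canonical JSON so a record always hashes to the same value
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

class EvidenceStore:
    """Append-only, hash-chained record store held by the neutral party."""
    def __init__(self):
        self.records = []

    def append(self, instance, parent, conversation, sender, receiver, body):
        rec = {"instance": instance, "parent": parent, "conversation": conversation,
               "sender": sender, "receiver": receiver,
               "body_sha256": hashlib.sha256(body.encode()).hexdigest(),
               "prev": self.records[-1]["hash"] if self.records else GENESIS}
        rec["hash"] = digest(rec)
        self.records.append(rec)

    def verify(self):
        """Return the index of the first record that fails the chain, or -1."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            unhashed = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or digest(unhashed) != rec["hash"]:
                return i
            prev = rec["hash"]
        return -1

    def call_chain(self, instance):
        """Follow parent links (hierarchical composition) back to the root call."""
        by_id = {r["instance"]: r for r in self.records}
        chain = []
        while instance in by_id and instance not in chain:
            chain.append(instance)
            instance = by_id[instance]["parent"]
        return chain[::-1]

    def conversation(self, conv_id):
        """Instances of one conversation (conversational composition), in order."""
        return [r["instance"] for r in self.records if r["conversation"] == conv_id]

def build_sample():  # constructed data: a broker orchestrating two partner services
    store = EvidenceStore()
    store.append("i1", None, "c1", "client", "broker", "<order id='7'/>")
    store.append("i2", "i1", "c1", "broker", "inventory", "<reserve id='7'/>")
    store.append("i3", "i2", "c1", "inventory", "shipping", "<ship id='7'/>")
    store.append("i4", None, "c2", "client", "broker", "<order id='8'/>")
    return store
```

Editing a stored record makes `verify()` return that record's index, and recomputing the edited record's own hash only moves the failure to the next record in the chain.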