Adaptive security architecture for protecting RESTful web services in enterprise computing environment

  • Original Research Paper
  • Published in: Service Oriented Computing and Applications

Abstract

In the modern era of enterprise computing, enterprise application integration (EAI) is a well-known, industry-recognized architectural principle built on a loosely coupled application architecture. Service-oriented architecture (SOA) is the architectural pattern used to implement EAI, and its computational elements are called "services." Although SOA can be implemented in a wide range of technologies, the web services implementation of SOA has become the preferred choice because of its simplicity: it works over basic Internet protocols. Web service technology defines several supporting protocols and specifications, such as SOAP and WSDL, for communication between client and server and for data interchange. In recent years a new architectural paradigm, REpresentational State Transfer (REST), has emerged within SOA; system integration consortiums also use it to integrate loosely coupled service components, known as RESTful web services. This SOA implementation does not possess adequate security solutions of its own, and its security depends entirely on network/transport layer security, which is obsolete in the face of the latest web technologies such as Web 2.0 and its successor, Web 3.0. Vendor security products have major implementation constraints: they require a secured organizational environment and they breach SOA specifications, thereby introducing new vulnerabilities. Herein, we examine the security vulnerabilities of RESTful web services in light of popular OWASP rating methodologies and analyze the gaps in existing security solutions. We then propose an adaptive security solution for REST that uses public key infrastructure techniques to enhance the security architecture. The proposed security architecture is constructed as an adaptive, way-forward, Internet-of-Things (IoT) friendly security solution comprising three cyclic parts: learn, predict and prevent. A novel security component named "intelligent security engine" is introduced. It learns the possible occurrences of security threats on SOA using artificial neural network learning algorithms, then predicts potential attacks on SOA from the results obtained by the developed theoretical security model, while the algorithms written as part of the security solution prevent the SOA attacks. This paper presents one such algorithm for preventing SOA attacks on RESTful web services, together with a discussion of the results obtained from the proof-of-concept conducted in a real-time SOA environment. A comparison of the proposed system with other competing solutions demonstrates its superiority.


Author information

Correspondence to Mohamed Ibrahim Beer.

About this article

Cite this article

Beer, M.I., Hassan, M.F. Adaptive security architecture for protecting RESTful web services in enterprise computing environment. SOCA 12, 111–121 (2018). https://doi.org/10.1007/s11761-017-0221-1
