Towards secure web services : performance analysis, decision making and steganography approaches

Alrouh, Bachar

January 2011

Web services provide a platform neutral and programming language independent technology that supports interoperable machine-to-machine interaction over a network. Clients and other systems interact with Web services using a standardised XML messaging system, such as the Simple Object Access Protocol (SOAP), typically conveyed using HTTP with an XML serialisation in conjunction with other related Web standards. Nevertheless, the idea of applications from different parties communicating together raises a security threat. The challenge of Web services security is to understand and consider the risks of securing a Web-based service depending on the existing security techniques and simultaneously follow evolving standards in order to fill the gap in Web services security. However, the performance of the security mechanisms is fraught with concerns due to additional security contents in SOAP messages, the higher number of message exchanges to establish trust, as well as the extra CPU time to process these additions. As the interaction between service providers and requesters occurs via XML-based SOAP messages, securing Web services tends to make these messages longer than they would be otherwise and consequently requires interpretation by XML parsers on both sides, which reduces the performance of Web services. The work described in this thesis can be broadly divided into three parts, the first of which is studying and comparing the performance of various security profiles applied on a Web service tested with different initial message sizes. The second part proposes a multi-criteria decision making framework to aid Web services developers and architects in selecting the best suited security profile that satisfies the different requirements of a given application during the development process in a systematic, manageable, and effective way. The proposed framework, based on the Analytical Hierarchy Process (AHP) approach, incorporates not only the security requirements, but also the performance considerations as well as the configuration constraints of these security profiles. The framework is then validated and evaluated using a scenario-driven approach to demonstrate situations where the decision making framework is used to make informed decisions to rank various security profiles in order to select the most suitable one for each scenario. Finally, the last part of this thesis develops a novel steganography method to be used for SOAP messages within Web services environments. This method is based on changing the order of XML elements according to a secret message. This method has a high imperceptibility; it leaves almost no trail because it uses the communication protocol as a cover medium, and keeps the structure and size of the SOAP message intact. The method is empirically validated using a feasible scenario so as to indicate its utility and value.

621.382

Database analysis and managing large data sets in a trading environment

Månsson, Per

January 2014

Start-up companies today tend to find a need to scale up quickly and smoothly, to cover quickly increasing demands for the services they create. It is also always a necessity to save money and finding a cost-efficient solution which can meet the demands of the company. This report uses Amazon Web Services for infrastructure. It covers hosting databases on Elastic Computing Cloud, the Relational Database Serviceas well as Amazon DynamoDB for NoSQL storage are compared, benchmarked and evaluated.

Amazon Web Services

Databases

Startup

Computer Engineering

Datorteknik

How can business partners establish a relationship of trust in order to share Web Services? / Hur kan företags partners skapa en pålitlig relation när Web Services används?

Andersson, Thomas, Arnevill, Anita

January 2003

Introduction Web Services is a relatively new concept to distributed data systems. It provides a new way for companies to easily integrate with other companies. With UDDI, companies are able to host their services in a wider market and also connect to other companies. However, with business expansion also follows trust issues. In order to share Web Services in a business partner relationship it is necessary to have a relation of trust. Purpose The purpose of this thesis is to investigate about this issue, i.e. how Web Services with the use of UDDI can be made as a “network of trust” and additionally obtain an idea about how the use of these two will look like in the future. The question of trust between partners sharing Web Services is still open. There has therefore been an interest to look at this problem. The aim for this thesis is to find possible solutions that can be used to address the problem. Method To investigate this we chose to do a literature study and continue with a survey consisted by interviews and questionnaires. Interviews were used to find which solutions that are available in reality and the questionnaires provide information about to what extent Web services and the found solutions are used. The questionnaire was done on random Swedish companies and was sent by e-mails. The interviews were done on two global Swedish companies, Volvo and Ericsson. This way information was found and could be compared in how the issue is dealt with in the literature and what is actually done in reality. Conclusion The outcome of the entire investigation is that Web Services today, even though it exists in most companies, is still in testing phase. As for this, the use of UDDI has had little attention and so has the issues regarding trust. The solution we found to the most applicable to create a network of trust is the Liberty Alliance Project. Web Services, UDDI, trust / Web Services är ett relativt nytt concept vad gäller distribuerade system. Det skapar ett nytt sätt att integrera mellan företag. Med UDDI så kan företag registerar sina tjänster på en bredare marknad och kan även ansluta sig till andra tjänster och företag. När dessa tjänster (Web Services) delas i affärspartners syfte så är det nödvändigt att företagen har en pålitlig relation. Problemet är om denna pålitlighet finns i företagen, vilket är utforskat i denna uppsats.

Web Services

UDDI

trust

Computer Sciences

Datavetenskap (datalogi)

Analysis and implementation of remote support for ESAB’s welding systems : using WeldPoint and web services / Analys och implementation av fjärrsupport för ESABs svetssystem : med WeldPoint och web services

Öh, Rickard

January 2009

This thesis was written on behalf of ESAB Research and Development department, in LaxåSweden. One of ESAB’s product areas is developing various welding systems.Today if ESAB’s customers experience a problem with one of their welding systems they callESAB’s service center. If the problem seems to have been caused by software, or if it requireslog files to be analyzed, ESAB needs a way to get this system information from the customer’swelding system to ESAB’s employees.One of the goals with this project thesis was to perform an analysis answering how the systeminformation should be sent, stored and what unit in the customer’s welding system that shouldsend it. Another goal was to implement the solution that the analysis presented.The analysis shows that WeldPoint in combination with a web service is the best way to sendthe system information from the customer’s welding system. WeldPoint is a PC control and logsoftware connected to the customer’s welding system. A web service provides a serviceinterface enabling clients to interact with a web server. Clients communicate with the webservice using HTTP, this means that clients can easily communicate across firewalls and othernetwork obstacles.The thesis work resulted in three different applications written in C#.NET. The first applicationis a simple form called WeldPoint Remote Support (WRS). This form extracts customerinformation, welding system information and log files from the customer and the customer’swelding system. All this information is called a case. The case is received by ESAB using thesecond application, WeldPoint Web service (WWS). WWS stores the received case in adatabase. The third application is called WeldPoint Remote Support Center (WRSC). Thisapplication is used by the ESAB employee’s to view the case sent from the customer’s weldingsystem.The above implementation has been tested and supports a robust and secure way to send andview the system information from the customer’s welding system. The conclusions showed thatall goals and requirements set by ESAB were met.

web services

weldpoint

Internet

Computer Sciences

Datavetenskap (datalogi)

Multi Agent Systems and Web Services : Adaptive Workflow in E-Commerce

Roomi, Farash

January 2007

In Multi-agent System (MAS), all agents communicate with each other by sending messages to each other in an expressive agent communication language. Agent communication language (ACL) [12], defines type of messages and their meaning that agents can exchange. Messages that agents communicate have semantic meanings which can be proposition, rules or actions [27]. In other words, multi-agent system is an association of synchronized, autonomous agents, which interact with each other in achieving common goals (objectives). On the other hand, Web services are the services in the shape of software components accessible on the internet, which provide useful information to users, businesses and organizations. The Web service model uses WSDL, an XML format responsible for the service interfaces description along with the binding details to specific protocols. UDDI, a protocol responsible for publishing and finding services, services details and descriptions etc. SOAP, an XML message based envelop format which has the bindings to specific protocols (e.g. HTTP, SMTP etc). These services are invoked over the www (World Wide Web) using the SOAP/XMLP protocol. A Workflow can be defined as “The automation of a business process, in whole or part, during which documents, information or tasks are passed from one participant to another for action, according to a set of procedural rules” [21]. It has many advantages like improved efficiency, better process control, improved customer service, flexibility and business process improvement [7]. Due to rapid advancements in technology and growing needs of business environment, there is a need of adaptive workflow, which could accommodate itself with the changes that occur in the business processes. Traditionally, workflow management systems have not been designed for dynamic environments requiring adaptive response. Currently, the need for adaptive workflow is being driven by the demands of e-commerce in both B2B and B2C space. Adaptive workflows respond to changing conditions through adaptive change. The aim of this thesis is to suggest an adaptive work flow model that can help in eliminating problems in e-commerce domain by using agent based approach. In e-commerce there is always a problem of searching the right item (e.g.construction material) in less time without involving the contractors etc who search for the items with the specifications told by the customers, as the current system does not support the good search. The customers search each time for the required items (e.g. construction material) and stop their search when they have found the desired item according to their budget, cost and quality attributes with up to date market cost about the required items to purchase (construction material). In e-commerce workflow system, in purchasing the required items (construction material), there are processes involved (Order Capture, Order Process, Order Fulfillment) which do not address the adaptability attribute in case of exception [38] or when there is a change in business environment which make changes in the business processes, consequences of which can be in the shape of failure of business objective (unsuccessful business transaction). The proposed approach somehow can eliminate the problem described above and suggests an adaptive workflow system by introducing agents with each of the processes (Order Capture, Order, Process, and Order Fulfillment). A proposed way to design adaptive work flow is explained with the help of agents. Some work is done to relate this framework with web services to provide refined search and purchasing in order to take care of user needs. But still there is need of more research to explore this area of e-commerce workflow system.

Adaptive Work Flow

Agent

Web Services

Computer Sciences

Datavetenskap (datalogi)

Motivations- och problemfaktorer vid införandet av Web Services i svenska företag

Smigan, Jan

January 2005

Från litteraturen påverkar införandet av Web Services hos 25 storföretag och 3 myndigheter i Sverige. Undersökningen utfördes genom en enkät där motivations- och problemfaktorerna indelades i tre kategorier: innovation, organisation och miljö/omgivning och dessa graderades sedan på en femgradig skala. Den viktigaste kategorin enligt respondenterna var organisation. Dessutom lämnades möjlighet till att lämna egna faktorer och kommentarer. Inom kategorin innovation graderade respondenterna som högsta motivationsfaktorn att Web Services fungerar bra ihop med kommande standarder och som näst viktigast faktorn fördelar med plattformsoberoende. En av de högst graderade problemfaktorerna var säkerhetsproblem. Under kategorin organisation blev den viktigaste faktorn mer flexibla affärslösningar medan den högsta problemfaktorn var otillräcklig kunskap. Under kategorin miljö/omgivning graderades motivationsfaktorn att partners och leverantörer använder sig av tekniken högst och som högsta problemfaktorn att det råder tröghet hos omgivningen. Resultatet av detta arbete visar att faktorerna framtagna ifrån litteraturen är relevanta för de studerade svenska företag och myndigheter och i varierande grad inverkar på införandet av Web Services hos dem.

Computer Sciences

Datavetenskap (datalogi)

Hur hanteras web services inom fastighetsautomation?

Elmqvist, Mattias

January 2003

Detta examensarbete är en studie kring hur säkerhetsaspekter för web services hanteras inom fastighetsautomationsbranschen utifrån W3C:s riktlinjer. W3C är en organisation som godkänner och administerar nya Internetstandarder. Dessa riktlinjer omfattar säkerhet inom web services, men kan även fungera som en mall för både utveckling och användning. Dessa riktlinjer låg till grund för de intervjufrågor som skapades för undersökningen. Undersökningen genomfördes på sex organisationer med en intervjustudie, på grund av arbetets begränsningar användes telefonintervjuer. Studien syftar till att ge en närmare inblick i säkerhetstänkandet samt de för- och nackdelar som kan associeras till web services, samt utvecklingen av tekniken inom fastighetsautomationsbranschen. Studien visar att synen på säkerheten och tillämpningarna skilde sig mellan organisationerna och att riktlinjerna inte direkt kunde uppfyllas. Orsaken till detta är skillnaderna mellan organisationerna. Det framkom att det fanns stora potentiella fördelar med web services och organisationerna tror att utvecklingen av web services inom branschen kommer att öka.

Web services

Organisation

Internet

Fastighetsautomation

Säkerhet

Computer Sciences

Datavetenskap (datalogi)

Web Services och säkerhet : - en studie i tekniker för att säkra Web Services

Schwarz, Michael

January 2006

Användandet av Web Services har ökat de senaste åren, det är relativt lätt att utveckla dessa tjänster och de kan användas i de allra flesta miljöer. Ett bekymmer är dock säkerhetsfrågan. Denna uppsats studerar de vanligaste teknikerna för att säkra Web Services, beskriver hur de kan användas samtidigt diskuterar fördelar och nackdelar med flera av dem. Till sist ges förslag på hur Web Services i olika typer av miljöer kan säkras. / The usage of Web Services has increased during recent years, its relatively easy to develop and can be used in almost any environment. One concern however is the security aspect. This essay studies the most common techniques for securing Web Services and describes how they can be used. It also discusses some pros and cons about them. Finally this paper suggests some ways to secure Web Services used in different environment.

Web Services

säkerhet

XML

Information Systems

Using information visualization techniques to support web service discovery

Beets, Simone

January 2011

The increasing number of web services published over the Web highlights the need for an effective method for users to find appropriate web services. Existing web service discovery methods do not effectively aid a user in finding suitable web services. The current methods provide textual lists of web services that the user is required to explore and manually evaluate. Thus, these methods lead to time-consuming and ineffective web service discovery. The aim of this research was to investigate using information visualization (IV) techniques to effectively support web service discovery. The node-and-link network IV technique was selected as the most appropriate IV technique to visualize web service collections. A prototype, called SerViz, was developed as a tool for interactive visualization of web service collections incorporating the node-and-link IV technique and an alphabetical list-based technique. SerViz used the Programmable Web web service collection as the sample web service collection. A usability evaluation was conducted to compare these techniques. Ninety percent of participants preferred the network IV technique for visualizing web service collections. The network IV technique was also faster for browsing. Several usability problems were identified with the network IV technique. This motivated a need for implementing an alternative IV technique in SerViz. The node-and-link tree IV technique was selected as it was more structured than the network IV technique. A usability evaluation was conducted to compare the network and tree IV techniques. Participants slightly preferred the tree IV technique as the technique to visualize web service collections. The tree IV technique was faster for browsing the web service collection while the network IV technique was faster for searching and filtering. This research has determined that IV techniques can be used to effectively support web service discovery. Future work will involve using IV techniques to support collaborative web service discovery. Keywords: Web Service Discovery, Information Visualization, Web Service Collections, Information Visualization Techniques.

Information visualization

Web services

Enhanced visualisation techniques to support access to personal information across multiple devices

Beets, Simone Yvonne

January 2014

The increasing number of devices owned by a single user makes it increasingly difficult to access, organise and visualise personal information (PI), i.e. documents and media, across these devices. The primary method that is currently used to organise and visualise PI is the hierarchical folder structure, which is a familiar and widely used means to manage PI. However, this hierarchy does not effectively support personal information management (PIM) across multiple devices. Current solutions, such as the Personal Information Dashboard and Stuff I’ve Seen, do not support PIM across multiple devices. Alternative PIM tools, such as Dropbox and TeamViewer, attempt to provide a means of accessing PI across multiple devices, but these solutions also suffer from several limitations. The aim of this research was to investigate to what extent enhanced information visualisation (IV) techniques could be used to support accessing PI across multiple devices. An interview study was conducted to identify how PI is currently managed across multiple devices. This interview study further motivated the need for a tool to support visualising PI across multiple devices and identified requirements for such an IV tool. Several suitable IV techniques were selected and enhanced to support PIM across multiple devices. These techniques comprised an Overview using a nested circles layout, a Tag Cloud and a Partition Layout, which used a novel set-based technique. A prototype, called MyPSI, was designed and implemented incorporating these enhanced IV techniques. The requirements and design of the MyPSI prototype were validated using a conceptual walkthrough. The design of the MyPSI prototype was initially implemented for a desktop or laptop device with mouse-based interaction. A sample personal space of information (PSI) was used to evaluate the prototype in a controlled user study. The user study was used to identify any usability problems with the MyPSI prototype. The results were highly positive and the participants agreed that such a tool could be useful in future. No major problems were identified with the prototype. The MyPSI prototype was then implemented on a mobile device, specifically an Android tablet device, using a similar design, but supporting touch-based interaction. Users were allowed to upload their own PSI using Dropbox, which was visualised by the MyPSI prototype. A field study was conducted following the Multi-dimensional In-depth Long-term Case Studies approach specifically designed for IV evaluation. The field study was conducted over a two-week period, evaluating both the desktop and mobile versions of the MyPSI prototype. Both versions received positive results, but the desktop version was slightly preferred over the mobile version, mainly due to familiarity and problems experienced with the mobile implementation. Design recommendations were derived to inform future designs of IV tools to support accessing PI across multiple devices. This research has shown that IV techniques can be enhanced to effectively support accessing PI across multiple devices. Future work will involve customising the MyPSI prototype for mobile phones and supporting additional platforms.

Information visualisation

Database management

Web services

Personal information management