Chan a parametric technique using the Gaussian model

Chan et al. (2016) presented
a fuzzy association rule-based (FAR) and fuzzy associative pattern-based (FAP)
intrusion detection and prevention (IDP) systems in defending against web
service attacks. In this work, authors extend their investigation on the use of
fuzzy logic, associative pattern matching and association rules for the
detection and prevention of existing attacks (signature-based), as well as
prediction of new attacks (anomaly-based) to a web service based e-commerce
application deployed over an internet. The FAR IDP and FAP IDP systems are able
to detect, prevent and predict web service attacks such as SQL injection, XML injection,
DoS and oversized SOAP close to real-time, with detection rate not lower than
99%. Meanwhile, the FAR IDP system provides close to 95% service availability
to normal transactions.

Loganathan and Ramesh (2015) proposed
a filter mechanism. The proposed filter used Behavior based technique to avoid
web service DoS vulnerabilities. Behavior based is a recent technique, which
can capture behavior of a web service user and compare the behavior to those of
normal users. If the behavior diverge from the normal user of web service
components then the particular user can be blocked based on some parameters
such as user attitudes.

We Will Write a Custom Essay Specifically
For You For Only $13.90/page!

order now

Chana et al. (2015) proposed an intrusion detection system based on
fuzzy rule-based intrusion detection and prevention system (FAR IDP)
implemented within an e-commerce web service. This system compares the
effectiveness and efficiency of the use of 20 fuzzy association rules compared
with 366 fuzzy patterns (FAP) to identify and grant access to normal
transactions, determine suspicious transactions, and completely block transactions
with malicious XML code. The proposed model covers attacks such as SQL, XML
injection, and DoS.

Utsai and Joshi (2014) proposed application layer filters to provide
detection and mitigation of DoS attack. This work provides satisfactory results
in detecting XDoS attacks but it requires extra computational time for
retrieval of attributes from request message, insertion, updating of data to
and from databases, and so on. However, prevention and the ability to predict
new kinds of attacks are not in real-time.

Vissers et al. (2014) propose a parametric technique
using the Gaussian model to defend against application layer DDoS attacks on
cloud web services, which use malicious XML content contained in a SOAP. Normal
profile is presented by means and standard deviations of several features, such
as content-length, number of elements, nesting depth, longest element,
attribute and namespace. These models are based on datasets constructed from
the logged features of previous requests. During detection, there will be
several phases. In the first phase, HTTP header inspection will be carried out
to prevent HTTP flooding. It also undertakes SOAP action check and size outlier
inspection. In the next phase, the XML content is processed before checking if
request SOAPAction is/are spoofed by consulting previous maps. The authors aims
to cover HTTP request limiting, SOAP Action and WS Addressing spoofing

Gaik-Yee et al. (2013) proposed a framework to mitigate XML/SOAP
attacks at the Application Layer. This framework comprises of two models: the
policy-enhanced adaptive neuro-fuzzy inference system (PeANFIS) and fuzzy
association rule mining (FARM) model. The authors used input values, input size
and SOAP size features to validate input packets. The validated values are then
matched with 15 fuzzy rules obtained from the PeANFIS or the 20 fuzzy
association rules obtained from the FARM model. In this way, any violation to
normal profile is dynamically identified and immediate decision is taken to
allow or deny access to the backend application or database. Based on the decision,
further right action is taken to block, reject the request, terminate the
subsequent activity or grant an alternative action. Performance evaluation of
each model indicates detection rate of greater than 99% and false alarm rate of
less than 1%.

Santhi (2013) introduces a distributed defense filter called
XDetector. Deterministic Packet Marking (DPM) methodology is applied to the
service-oriented traceback mark (SOTA) framework by placing the
service-oriented traceback mark (SOTM) within web service messages. If any
other web security services are already employed, SOTM would replace the token
that has the client identification. Real source message identifications are
stored within SOTM and located inside the SOAP message. The structure of SOTM
is made up of one XML tag so as not to weigh down the message and stored within
a SOAP header. Upon discovery of an XDoS or DXDoS attack, SOTM can be used to
identify the true source of fake messages. In this architecture, service
oriented trace back mark is available. It contains a proxy that marks the
incoming packets with source message identification to identify the real
client. Then, the SOAP message travels via XDetector. The XDetector is used to
monitor and filter DDoS attacks such as HTTP and XML DDoS attack. Finally, the
filtered real client message is transmitted to the cloud service provider, and
the corresponding services are given to the client in a secure way.

Sarhadi and Ghafori (2013) proposed Cloud Service Queuing Defender (CSQD)
to detect XML vulnerabilities, which should be placed close to the ingress
router. This scheme uses a trace back solution to detect the attack source and
when an attack is launched against the server, it adds the information of
request to its database to prevent the future attacks. When a client sends a
request, it is checked whether the server is up or not. For normal conditions,
the request is forwarded to the XML Vulnerability Detection System to check the
request for XML attacks. Afterwards, when no negative response is received, it
is directed to the request scheduling. When an attack is detected, it is sent
to the Response System. This system prepares a suitable message and inserts the
sender’s IP address into the blacklist database. After request processing, the
web service directs the results to check response, which accredits the response
and deletes the processed request from its list.

In Anitha and Malliga (2013), XDoS attacks can be detected using the rule
set-based detection, called CLASSIE. Also, the packet marking method is used to
avoid the spoofing attack. CLASSIE should place one hop away from the host, and
its rule set should be created over time to recognize the known HTTP denial of
service (H-DoS) and X-DoS messages. CLASSIE is able to identify the attributes
of known HX-DoS attacks such as XML injection attack or XML Payload Overload
attack. The packet that matches the rules is dropped by the CLASSIE upon the
detection of HX-DoS. After tested by CLASSIE, packets are marked on the edge
and core routers. At the edge router, one bit is required for demonstrating
that the packet and a few other bits for marking code are marked.

Karnwal et al. (2012) proposed a Filtering Tree and Trace Back
approach. The approach uses filtering tree technique to filter suspicious IP
addresses. Suspicious IP addresses are stored in a Trace-Back module. A Cloud
Defender then detects for HTTP or XML DDoS attacks. The approach focuses on
detection of web service vulnerabilities, e.g. SOAP coercive parsing, HTTP, and
XML DDoSattacks. No preventive measure being mentioned and no performance
evaluation results are discussed.

Chonka and Abawajy (2012) proposed an Intrusion Detection System (IDS).
The authors implemented Pre-Decision, Advance Decision, Learning System (ENDER)
approach. ENDER use a pre-mark decision method to detect attack traffic and
label the attack. Decision making and update methods are used to make another
decision about the possibility of the message not being classified correctly.
The labeled message is then removed before damage is done. The IDS detects
HTTP-DoS and XML-DoS with 99% detection accuracy and 1% false positive rate.
There is preventive measure in protecting the victim. However, defense
techniques against XML injection and SOAP oversized payload is not discussed.

Ficco and Rak
proposed an intrusion tolerant
approach that aims at mitigating application-level low-rate DoS attacks from
generating a service unavailability. This study mainly focuses on countering
XDoS or coercive parsing attack. In this study, the target machine’s anomalous
resource consumption is monitored and information gathered is correlated with
some attack symptoms. When an attack occurs, the system resource consumption shall
exceed a critical level and some malicious requests to the WS are observed.
Filtering is then applied based on the threshold for Quality of Service (QoS)
to be dynamically adapted during the attack. Their experiments do show
satisfactory results but the main drawback is that excessive reduction of the
threshold can produce false positives, where correct messages are filtered as

Karthigeyan et al. (2012) explain that an acceptable
solution to prevent attackers from exhausting the victims’ network bandwidth
and computing power is to route the requests to the service providers only once
they have been authenticated and validated. First, limit the payload size.
Then, limit the time allocated to a SOAP request. Third, limit the number of
requests a particular user can send within a given time frame. Packets that do
not match those criteria are discarded and the service is blocked for the user
for a certain period of time. They also propose to impose limits for the XML
parser. For example, limit the number of attributes an element can have, the
quantity of bytes in a XML message, the depth of nested elements and the size
of all nodes in the XML document. Furthermore, to minimize the impact on the
QoS for the end user in terms of delays for instance, this could take place
only when the system is under attack, which is detected by the service

Chelliah et al. (2016) suggested a model that provides a way to
maintain the verification and security mechanism of the application logic that
does not modify the current functionality. The model combines all security
allocated as a single verification unit before hitting business logic. In this
work, the authors used the token-based system, checking attempts and verifying

Murugan and Vivekanandan (2015) proposed an approach that uses the concepts of
Validate Handler for the input request based on input data criteria and request
timestamps from the selected host. It applies the “Totient encryption
algorithm” in the form of XML injection attacks where the source attributes
are monitored cleanly. This is achieved with a dynamic graphic technique that
overcomes dominant injections and DDos attacks in service-oriented structure.

Altmeier et al. (2015) suggested an adaptive algorithm for testing web
services by analyzing incoming XML messages for DoS attacks. They used the
black box approach based on server response times. Therefore, this tool only
detects XDoS attacks.

Falkenberg et al. (2013) inspected the automated components on the basis
of testing black box, and suggest evaluating DoS attacks on web services. They
suggested a plug-in for penetration testing tool which simulates known Dos