Template of Manuscripts for IREE

International Review on Computers and Software (I.RE.CO.S.), Vol. xx, n. x

Analysis on Countering XML-based Attacks in Web Services M.Priyadharshini1, R.Baskaran2, N.Balaji3, M.S.Saleem Basha4

Abstract – Cloud Computing is found to be today’s most commonly used Service Oriented Architecture (SOA) implementation. Cloud utilizes XML-based technologies like Web Services for accessing and controlling the cloud, these are of particular importance for the security assessment of cloud systems. XML usage in Web Service introduces various vulnerabilities which affects basic security factors such as Confidentiality, Integrity and Availability. Various frameworks aiming at countering the XML based attacks were designed and developed. The Analysis of the frameworks available for countering the XML-based attacks simulated in the SOAP messages is presented benefiting the future researchers and also provides insight of various attack simulations and the countermeasures respectively. The parameters responsible for evaluating the strength of the frameworks were also specified and discussed as part of this work.

Keywords: Web Services Security, XML Security, SOAP, Cloud Computing, Service Oriented Architecture

I.

Introduction

Web Service has become an integral part of any commercial application today, whereas it also serves as base for cloud computing too. This makes security of web services as an important aspect of today‟s application security. Distributed functional components serves as source of information for many enterprise applications [16]. The request and response for invoking the distributed functional components is created using XML based on SOAP protocol. XML requests and responses when traversed through open network is been altered leading to various attacks which need to be countered by the underlying framework of the web service architectures. W3C and OASIS adopts various WS-* standards addressing various aspects of the web services such as reliable messaging, routing, transactions and particularly WS-Security standard for security that provides measures to secure web service request and response parameters as well as the information in header which is meant to be used for processing request and response parameters. WS-Security provides confidentiality and integrity, whereas XML processing done to provide confidentiality and integrity leaves Denial of Service attack[17] leading to un availability of services. Many security frameworks were developed handling the above said security issues though it is not an easy task to uncover all the attacks and make a web service invocation secure. In Section 2 discussion on methods to simulate various XML based attacks is presented with the respective counter measures. Section 3 has various

Manuscript received January 20__, revised January 20__

frameworks formulated to implement the counter measures of attacks discussed in Section 2. Section 5 presents evaluations of frameworks along with parameters that could prove the effectiveness of the counter measures. Finally Section 6 specifies the future research directions.

II.

Attacks and Countermeasures

XML based attacks that could likely be simulated in Web service request and response are classified based on the effects they create in web service invocation are presented with the respective countermeasures. II.1.

Coercive Parsing

Coercive parsing [14], [2], [8] is an attack that is intended to exhaust the system resources of the attacked web service. This attack is simulated by introducing large number of namespace declarations, oversized prefix names or namespace URIs or very deeply nested XML structures. The Coercive parsing attack is simulated by including continuous sequence of opening tags as in Listing 1, this attack causes the resources to be continuously occupied maximizing CPU usage and even in cases of lower bandwidth the attack would perform well.

Copyright © 20__ Praise Worthy Prize S.r.l. - All rights reserved

M.Priyadharshini, R.Baskaran, N.Balaji, M.S.Saleem Basha

………………………. 45 Listing 1 “Coercive Parsing attack”

The attack in the Listing 1 could be countered by strict schema validation; we could specify the type of element (simple/complex) so as given below in the Listing 2.

Oversized Body and Envelope respectively. In the body, in case of repetitive elements more number of elements than required for the operation is introduced as in Listing 3b. In oversized envelope, tags are introduced outside the Header or Body tags as in Listing 3c 45 35 25 …………………………………………

Listing 2 Excerpt of a XML Schema for the tag "x" Listing 3b Oversized Body attack

Introducing large number of namespace declarations, oversized prefix names or namespace URIs could not be countered as there is no provision in the schema which imposes the restriction to filter such messages. II.2.

Over Size Payload

Over Size payload [14], [2], [3], [8] attack simulates a very large SOAP message to the attacked web service and makes the parser of the message to run out of memory. This oversized content could be introduced in the SOAP header, body or envelope. M7ABhvXBNUMUINde56J6lfT Pa0oUDYxPBHkmOXV7……… ………………............................ …………………….. r532MZ42Fds 45000 Listing 3a Oversized Header

The above Listing 3a includes the Oversized Header element, whereas Listing 3b and 3c represents the


…………………………………………… 45 35 25 …………………………………………….. 45 35 Listing 3c Oversized Envelope attack

Countering the Oversized payload could be done by adding a detailed description of the elements, attributes and data types used at one end and the other end by strict schema validation. In case of Body elements specify limit of number of occurrences of a particular element as in Listing 4. Listing 4 Excerpt of a XML Schema for the tag "x"

In case of Header, size of elements could be limited by Schema Hardening, restricting the Header elements and the size of contents in the header as below in case if listing 3b

minOccurs=”0”

International Review on Computers and Software, Vol. xx, n. x


Listing 5 Hardened Schema Header Element

In case of SOAP Envelope oversize payload attack Schema Hardening could restrict the introduction of elements inside envelope outside header or body in case if Listing 3c. II.3.

Over Size Cryptography

This type of attack [14], [8] is simulated by generating a very long or unlimited chain of encrypted keys or encrypted elements. In case of encrypted keys for retrieving key for cryptographic operation, decryption of the key using the previous key and this process till done until the final key is retrieved. This attack increases the memory consumption when buffering the keys in case of chain of encrypted keys, also public key algorithms consumes more time. In case of encrypted elements also memory and time consumption is more since repeated decryption process is needed. II.4.

Parameter Tampering

Parameter tampering attack [14] involves SQL injection as well as Cross-side scripting. The input parameter for the service being received from the Requestor application then formulated as SOAP request. This value passed as SOAP input parameter is tampered and changed causing more resource exhaustion and in some cases abnormal execution of services. SQL injection could be simulated as in Listing 6 below: 20 Listing 6 SQL Injection

In Listing 6 the value passed as parameter is 20. Where as the value sent is a variable of size 4 bits and hence value could be 0 to 15. Passing 20 may cause buffer overflow and application logic could not handle this exception. This type of attack could be resolved by input and output validation for correct input where as schema


validation is done in general as a counter attack. The schema for countering should represent parameter details regarding data type, maximum and minimum value if any as in Listing 7. Listing 7 Schema Hardened for Input

Cross side scripting [14], [15] or XSS attack could cause significant damage by distributing the confidential information to unreliable parties in system. CDATA section in XML is inserted with a java script and inserted within the operation parameter. CDATA section is ignored by XML parser and hence malicious java code could be injected as java script in CDATA section as below in the Listing 8. Here the java web service method is public boolean addContent(String content);

This service is attacked by the request as given in Listing 8. script type=”text/javascript” alert(„maliciousscript„) ; ……………… /script Listing 8 Cross side scripting Attack

Cross side scripting or XSS could be countered by validating input in the SOAP request against schema definition. II.5.

XML Injection

XML injection attack [14], [15], [8] modifies the structure of XML SOAP message by inserting XML tags or modifying existing tags inside operation parameters leading to undesired effects. The change in XML structure involves overriding the value or resetting the value of operation parameters. The listing 9 depicts overriding and 10 depicts resetting value 15000.00 1234-5678-9876-1234 5000.00 1234-5678-9876-1234 456 International Review on Computers and Software, Vol. xx, n. x


12102013 Listing 9 Overriding Attack

15000.00 1234-5678-9876-1234 456 12102013 Listing 10 Resetting Value

The XML injection attack focusing change in XML structure could be countered by defining the operations parameter correctly and validating incoming request against WSDL.

other networks and few internally from the local network. WSDL generated from tools never disclose the internal and external operations separately, also Web service endpoint is externally accessible leading to WSDL Scanning. For example in Purchase System placeOrder is a service meant for external clients to place the order whereas, internal clients can view the amount of sales made by invoking viewSales service. The attacker with the knowledge of accessing placeOrder service can easily find and invoke the viewSales service also. Countering the WSDL Scanning is by schema hardening and removing non-public operations from the schema inside the WSDL. II.8.

II.6.

Attack Obfuscation

Attack obfuscation [8] as such cannot be termed as an attack, where as it is a process which gives way for other attacks to be introduced. Confidentiality of the attachment is ensured by encryption. The original message content is replaced with the resultant cipher text. The encrypted content may contain attacks like oversized payload, coercive parsing or XML injection. Obfuscated SOAP message will be of the form as given in the Listing 11 below AXS34mRsEXXM7ABhvXBNUINde56J6lf TPa0oUDYxPVHkm7XV8………………… Listing 11 Attack Obfuscation

If message validation is done after decryption it may lead system to get affected by the intended attack. If message validation is done before decryption then it may pass the message validation. Countering this attack obfuscation could be done by stepwise decryption and validation, which could lead to less memory consumption and earlier detection of intended attack. II.7.

WSDL Scanning

WSDL scanning [14], [3] is the attack by which the external clients guess and invoke the omitted operations meant for internal clients. WSDL is the XML file used to describe the set of operations including parameters, data type and network bindings. Among the set of operations few are meant to be accessed externally from Copyright © 20__ Praise Worthy Prize S.r.l. - All rights reserved

Signature Wrapping Attack

XML Encryption [1], [11] and XML Signature are two standards that are specified by WS-Security standard for providing confidentiality and integrity of the SOAP message. They can be applied in the SOAP message in any order. and are two mandatory elements in XML Signature. The element includes an element Id-reference pointing to the SOAP body and a digest value computed over the referenced element. element is secured by attaching element which is the computed signature value of the element. This is typically done by a publickey algorithm such as RSA or DSA. The SOAP message is processed in two steps first step is to search for element specified in ID-referencing of element. The digest value of element found and compared with value in ………………………………………………………………. element. Then in second step value is verified against .Once these processing is over function defined in the SOAP body is executed. The attacker who eaves drops the SOAP message moves original SOAP body to the SOAP header and attaches a new SOAP body and enforces a new service and not the original one. As ID of original SOAP body remains same and passes the digest value and signature value verification. But the function execution is done based on the new SOAP body attached by the attacker, as specified in the Listing 12 where deleteUser service is replaced by upgradeRights. .... .....



John John Listing 12 Signature Wrapping Attack

To counter the above attack the schema definition can be hardened as in the Listing 13 to restrict number of occurrences of Header and Body Listing 13 Schema Hardening for fending Signature Wrapping Attack

III. Security Frameworks M Jenson et al.,[11] presented an experimental analysis of the work that focused on effectiveness of XML Schema Validation for countering XML Signature Wrapping Attacks. The system with Schema Validation against Hardened Schema was capable of fending XML Signature wrapping attacks even though it had some pitfalls and disadvantages. Schema Validation was found to fend doubling of body element by restricting maxOccurs of body element to 1, but schema validation could not serve as an effective counter measure due to the presence of certain potential weakness indicators present in the schema definitions. This flexible and permissive nature of schemata leads to various other security issues. The presence of following elements in the listing found in the schemata is the reason for such security issues.  Element: presence of this may allow attacker to insert any arbitrary elements not defined by the schema.  Attribute: namespace=”##any” this attribute value pair allow usage of elements independent of their namespace.  Attribute: namespace=”##other” this attribute value pair allows only namespaces different from that of the parent namespace


 Attribute: processContents=”skip” disables schema validation of child elements  Attribute: processContents=”lax” enables parser to try for fetching schema definition , failing of which will skip the validation The Schema validation could fend the signature wrapping attacks and other XML based attacks only if validation is done using a hardened schema without the weakness indicators listed above. Based on WS-* specifications unused and used extension points leading to attacks are removed using hardening of schema. Here in the Listing 14 we have XMLSignature schema declaration of containing arbitrary XML contents from arbitrary namespaces which represents XML fragment signed by XML signature instance. WSSecurity explicitly says XML signature in SOAP messages may reside anywhere outside the XMLSignature meta block, hence need not contain the XML fragment represented as arbitrary contents usually used for realizing signature. In the Hardened schema element is removed where as other tags in remains though it becomes useless leading the unused extension point to be closed as in Listing 15 below. Listing 14 XML Schema of Object element from XML Signature

Listing 15 Hardened XML Schema of Object element from XML Signature

In the we have to enable meta data from many other WS-* specification which give rise attackers to simulate signature wrapping attacks by adding child elements to element. This is a used extension point and this could be removed and all the possible child elements are determined and defined in the hardened schema.



J Somorovsky et al., [13] proposed architecture to provide security for web services at client side as well as at server side by placing WS-Security Gateway. In this architecture Signature creation and verification is done using streaming based approach. WS-Security Gateway is formulated based on event pipeline pattern. The pipeline consists of SAX parser with series of handlers. SAX parser in the pipeline generates new events and pushes them into the handler sequence in the pipeline. There are six handlers in the sequence which ensures the security of service invocation by incorporating security parameters at client side and effectively processing them server side before function logic or service is executed. The functionality of each handler is described as below:  SecurityExceptionHandler is used to handle the security exception raised by ReferenceIDHandler. On receiving the exception, handler can decide how to proceed with the processing whether to ignore the exception or log a warning or interrupt the XML processing. This leads to a centralized exception handling task.  SOAPMessageHandler checks the SOAP message structure  ReferenceXPathHandler does XPath transformation and computes the digest value of Referenced elements  ReferenceIDHandler finds the referenced ID element and computes the corresponding digest values  SignatureHandler does XML Signature verification  SerializationHandler handles the serialization of incoming events, reconstruction and buffering of SOAP messages A Lightweight exclusive XML canonicalization is done before the signature processing in ReferenceXPathHandler and ReferenceIDHandler with the help of three basic SAX events namely startElement, endElement and characters. ReferenceXpathHandler uses SPEX engine for event based XPath parsing and provides rewriting of XPath expressions into forward only navigation axes. N Gruschka et al., [12] created a stream based WSSecurity engine with following capabilities:  Processing of XML Signature using backward references  Handling any order and number of encryption and signature  Conformance to WS-I Security Profile  WS-security policy evaluation along with XPath evaluation  Handling access control decision too This engine is made available at the server side and named CHECKWAY with four handlers for handling incoming WS-Security enriched SOAP request.


 WS-SecurityHeaderProcessingHandler is responsible for processing WS-Security header, this handler pushes the signed and encrypted blocks to the Dispatcher Handler  DispatcherHandler detects the sequence of Signature Handler and Encryption Handler to be inserted into processing chain dynamically  SignatureHandler before calculating the digest value does the canonicalization (WS-I Basic Secuirty Profile only includes C14N canonocalization algorithm) and hashing of the ds:signedinfo block. The verification of digest decides whether to proceed with the handler chain else raises an exception.  EncryptionHandler reads the encryption algorithm, ds:keyinfo element which gives hint of key pairs and then does the decryption process to obtain the messge been sent as a part of SOAP request. The dynamically included signature and encryption handlers in the handler chain are removed on completion of each signature verification and decryption. V Patel et al.,[15] proposed a security framework which works based on a self-adaptive schema hardening algorithm which results in a fine-tuned schema that could perform schema validation more effectively. A mitigation technique that counters attacks using MIME / DIME attachments. A message validator is added as an attachment in the server that has web services which validates the SOAP message against the schema in schema repository. Schema repository holds schemas derived from WSDL or hand coded schemas. SOAPAction header that is used to uniquely identify the service operation is used to choose the right schema from the corpus of available schemas. On Validation a log with tuple is logged and used for further fine tuning schemas. SOAP messages with common features are put in same bucket which helps in isolating attack vectors as well as malformed requests. To enable an easy identification of common features XSDs domains are considered for schema hardening algorithm instead of XML domains. The output schema classes represent good messages where the remaining schemas are possible instances of attack vectors.

IV.

Evaluation of Frameworks

Evaluation Parameters: Processing time vs. document size/number of elements: This parameter represents the time taken for processing SOAP request i.e., XML processing. Memory Usage vs. document size/number of elements: This parameter represents the memory



consumption needed for processing SOAP request i.e., XML processing. Both of these parameter if are at higher end leads to Denial-of-Service attack leading to un-availability of services. The Hardening process done by M Jenson et al., [11] architecture, on evaluation found to be time consuming in terms of XML Document Processing but the restriction on deeply nesting the elements and arbitrarily defining elements is a healthy measure to fend against Signature Wrapping and DOS attacks bringing the application to have a higher security level. Processing time of XML document is more for validation done using Hardened Schema when compared to XML with WS-* Schema and XML without Schema. WeSSeGa proposed by J Somorovsky et al., [13] consists of handlers in form of event pipeline at client side and at server side of web services that serves as a security gateway. On testing it is found that the evaluation time increases linearly but very less than the DOM approach. By increasing the elements in XML message the memory usage of WeSSeGa stays constant. Similarly the Heap memory consumption is also found to be very less when compared with JAVA XML Digital Signature API. N Gruschka et al., [12] proposed a streaming based security system “CHECKWAY”. The system when TABLE I SUMMARY OF SECURITY FRAMEWORKS AND EVALUATION Framework Schema Hardening (By M Jenson et al.,)

WSSeGa (By J Somorovsky et al.,)

Techniques Schema Hardening Schema Validation Schema Validation XML Canonicalisati on

Adaptive Schema Hardening

Evaluation

Schema Definition

Higher Tp

Digital Signature

Digital Signature

Schema Hardening

Encryption

Streaming –Server Side

Access Control

Schema Hardening

Malicious Attachments CSRF-Cross Side Request Forgery

Schema Validation

V. Tp = a Sd + b; Tp (WSSeGa) < T p (DOM)

Streaming –Client & Server Side Schema Validation

CHECKWA Y (By N Gruschka et al.,)

Security Elements

Rampart whereas the memory consumption is better. The message with encrypted parts containing policy violation of oversized message leading to attack obfuscation is tested and it was found that the overall memory and runtime can be limited not depending on the message due to the usage of streaming XML processor. Early detection of access control decision on testing concludes that the run time and memory consumption is independent of message size. Adaptive Schema Hardening System proposed by Vipul Patel[15] is evaluated as a first stage by directing requests to IIS without intervention of Paros. In second stage, Paros is run on the same machine as IIS and introduced in between client and IIS. In the third stage, Paros and IIS are run on separate machines. Client sends the request with attachment directly to IIS bypassing Paros. Increase in size of did not result in a noticeable increase in response time. Increase in response time was very marginal when requests were sent directly to IIS. Adaptive schema hardening system also is tested for Cross side request forgery and found to have lesser time for checking and cleansing when Paros and IIS are run on separate machine. Finally various frameworks are evaluated for security and it is found that Schema Hardening, Schema Validation could fend various attacks leading space to DOS attacks which could be solved by Streaming SOAP messages. Table I summarizes the evaluation of various frameworks with methodologies fending XML based attacks in web services, where Tp represent Processing time, Sd represents Document size and Mc represents Memory consumption.

Mc (WSSeGa) < Mc (JavaXMLDigital SignatureAPI) For Encryption: Tp (Checkway) > Tp (Apache Rampart-DOM) Mc (Checkway) < Mc (Apache Rampart-DOM)) For Access Control Decision: Tp , Mc !α Sd

The evaluation of Frameworks clearly demonstrates that the security frameworks developed were aimed at various security elements and no single framework could lend security for web services against XML based attacks in all aspects. A hybrid framework incorporating the techniques aforementioned in the frameworks discussed could be organized when developed could serve as the best security solution for web services against XML based attacks. The hybrid framework could be aimed at providing security without increasing processing time and memory consumption.

References [1]

Gajek, S., M. Jensen, L. Liao, and J. Schwenk, Analysis of Signature Wrapping Attacks and Countermeasures. Proceedings of 2009 IEEE International Conference on Web Services. Washington, DC, USA: IEEE Computer Society,(Page No.575-582 Year of Publication 2009).

[2]

Gruschka ,N. and N. Luttenberger, Protecting Web Services from DoS Attacks by SOAP Message Validation. Proceedings of IFIP International Federation of Information Processing,(Page No.171182 Year of Publication 2006).

Tp !α Sd

tested with more number of encrypted parts was found to have slightly higher runtime compared to Apache


Future Directions



[3]

Gruschka, N., N. Luttenberger, and R. Herkenhöner, Event-based SOAP Message Validation for WS-SecurityPolicy-enriched Web Services. Proceedings of 2006 International Conference on Semantic Web & Web Services, (PageNo.80-86 Year of Publication: 2006).

[4]

Gruschka, N., M. Jensen, and T. Dziuk, Event-based Application of WS-Security Policy on SOAP Messages. Proceedings of SWS, , (PageNo.1-8 Year of Publication: 2007).

[5]

Gruschka.N., and L .Lo Iacono, Vulnerable Cloud: SOAP Message Security Validation Revisited, Proceedings of IEEE International Conference on Web Services, (PageNo.625-631 Year of Publication: 2009).

[6]

Gruschka ,N., M. Jensen, and L Iacono, .A Design Pattern for Event-Based Processing of Security-Enriched SOAP Messages. Proceedings of Second International Workshop on Security Aspects in Grid and Cloud Computing (SAGC ‟10), (PageNo.410-415 Year of Publication: 2010).

[7]

Imamura .T, A. Clark, and H Maruyama, 2002. A Stream-Based Implementation of XML Encryption. Proceedings of ACM Workshop XML Security (XMLSEC ‟02), (PageNo.11-17 Year of Publication: 2002).

[8]

Jensen, M., N. Gruschka, and R. Herkenhöner, A survey of attacks on web services. Computer Science - Research and Development (CSRD) (PageNo.185-197 Year of Publication: 2009).

[9]

Lu, W., K. Chiu, A, Slominski, and D Gannon, 2005.A Streaming Validation Model for SOAP Digital Signature. Proceedings of the 14th IEEE International Symposium High Performance Distributed Computing (HPDC‟05) (PageNo.243-252 Year of Publication: 2005).

[10] McIntosh ,M. and P. Austel, 2005. XML signature element wrapping attacks and countermeasures. Proceedings of 2005 workshop on Secure web services. New York, NY, USA: ACM Press ( Page No.20-27 Year of Publication:2005). [11] Meiko Jensen, Christopher Meyer, Juraj Somorovsky, and Jörg Schwenk. On the Effectiveness of XML Schema Validation for Countering XML Signature Wrapping Attacks. Proceedings of International Workshop on Secured Services in the Cloud, IWSSC (Page: 7-13 Year of Publication: 2011). . [12] Nils Gruschka, Meiko Jensen, Luigi Lo Iacono, and Norbert Luttenberger, Server-Side Streaming Processing of WS-Security. IEEE Transactions On Services Computing, Vol. 4, n. 4, 2011. [13] Somorovsky,J., M. Jensen, and J.Schwenk 2010. Streaming-Based Verification of XML Signatures in SOAP Messages. Proceedings of the 2010 6th World Congress on Services (SERVICES ‟10) (Page: 637-644 Year of Publication: 2010). [14] Tiwari,S. and P. Singh, 2011. Survey of potential attacks on web services and web service compositions. Proceedings of 3rd International conference on Electronics Computer Technology (ICECT) (Page: 47-51 Year of Publication: 2011).

[15] Vipul patel, Radhesh Mohandas and Alwyn R. Pais 2010. Attacks on web services and mitigation schemes. Proceeding of the 2010 Intenational conference on security and cryptography (SECRYPT) (Page: 1-6 Year of Publication: 2010). [16] N. Kakanakov, M. Shopov, I. Stankov, G. Spasov Web Service and Data Integration in Distributed Automation and Information Systems in Internet Environment, International Review on Computers and Software, Vol. 1, n. 3, pp. 194-201, 2006.


[17] S. Igni Sabasti Prabhu, V. Jawahar Senthil Kumar, Entropy Based Approach to Prevent the DDoS Attacks for Secured Web Services, International Review on Computers and Software, Vol. 8, n. 4, pp. 888-891, 2013.

Authors’ information Ms. M.Priyadharshini received her B.E in Computer Science and Engineering, Bharathiar University, Master Degree in Software Engineering, Anna University in the years 1998 and 2005 respectively. She is pursuing her Doctorate in the area of Web Services Security. She is now working as Teaching Fellow in Department of Information Science and Technology, College of Engineering, Guindy, Anna University, Chennai. Her other areas of interest includes Enterprise technologies, Web technologies, Databases, Object Oriented System Development and Design Patterns.

Dr. R. Baskaran received his B.Tech in Electrical and Electronics Engineering, Master Degree in Computer Science and Engineering, Madras University and Doctorate from Anna University in the years 2000, 2001, and 2007 respectively. He is now working as an Associate Professor in Department of Computer Science and Engineering, College of Engineering Guindy, Anna University Chennai.His present research includes Database, Data mining and warehousing and Image Retrieval. He presented more than 80+ Special Lectures in National, International Seminars, Workshops and Development Programs. He is an expert in Data mining. He has published 90+ papers in International, National Journals and Conferences. He is a reviewer in IEEE/ ACM JSAC, Elsevier and many international journals. He is a life member of Institution of Electronics and Telecommunication Engineers (IETE), Indian Society for Technical Education (ISTE), and International Association for Engineers (IAEng). N. Balaji is a research scholar, pursuing Ph.D. in the Department of Computer Science, Pondicherry University, Pondicherry, India. He has completed his B.Tech. in Information Technology and M.E. in Computer Science and Engineering from Thiruvalluvar College of Engineering & Technology is affiliated to Anna University, Tamil Nadu, India.

Dr. M.S. Saleem Basha is working as the Assistant Professor in the Department of Computer Science, Pondicherry University, Puducherry, India. He has obtained B.E in the field of Electrical and Electronics Engineering, Bangalore University, Bangalore, India and M.E in the field of Computer Science and Engineering, Anna University, Chennai, India. He completed his Ph.D. in Computer Science and Engineering, Pondicherry University, Puducherry. He has a total of 12 years experience in the teaching and research and published more than 50 research articles. He is currently working in the areas of Web Service Security and Modeling Systems.
