| With the rapid growth of software complexity, the traditional development model cannot meet requirements for processing speed and ease of use, and service-oriented architecture (SOA) has emerged in response. Because of its high reuse rate, strong extensibility and loose coupling, SOA has gradually become a key architecture in software development. However, its security issues have become an important factor restricting its development. To solve the security problems of SOA, a security policy should be established. Carrying out an attack effect evaluation on an SOA system is an effective way to verify its security: the weaknesses of the SOA system can be found and the security strategy can be evolved. But current attack effect evaluation has several problems: most attack methods lack pertinence, indices are selected from general indices, and weights are determined by subjective weighting methods. Therefore, it is important and significant to study attack effect evaluation for SOA systems. In this research, based on a study of the SOA architecture and its core implementation technology, Web Service, and taking denial of service as the representative attack on Web Service, the SOAP flooding attack and the XML nested attack are selected as the attack methods, since they relevantly reflect SOA system state and system changes under attack. On this basis, by analyzing the changes in performance and function when SOA systems are under attack, evaluation indices are established for the two attack methods respectively.
Meanwhile, by analyzing and comparing the characteristics and limitations of subjective weighting, objective weighting and comprehensive weighting methods, the comprehensive weighting method based on the AHP method and the entropy method is selected as the weight calculation method for the SOA system, so that the weight determination process reflects not only the suggestions of policymakers but also the objective information in the data. Further, an attack testing system based on SOA is implemented, the corresponding evaluation index data and information are collected, and the effects of the two attack methods are evaluated with the gray comprehensive evaluation method. |