
2014 Eighth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing

A Multi-Layer Secure Prevention Scheme for Improving E-commerce Security

Sen-Tarng Lai
Dept. of Information Technology and Management, Shih Chien University, Taipei, 10462, Taiwan
e-mail: stlai@mail.usc.edu.tw

Fang-Yie Leu, William Cheng-Chung Chu
Dept. of Computer Science, Tunghai University, Taichung, 40704, Taiwan
e-mail: leufy@thu.edu.tw
Abstract: In the information and network age, e-commerce is an important system for business transaction behavior. However, network intrusion, malicious users, virus attacks and system security vulnerabilities continue to threaten the operation of e-commerce, putting e-commerce security to a serious test. How to improve e-commerce security has become a topic worthy of further exploration. Combining security requirements, routine security testing and a security event detection procedure, this paper proposes the Multi-Layer Secure Prevention Scheme (MLSPS). The first layer of MLSPS is the well-defined security requirement. The second layer of MLSPS is the routine security testing procedure. The third layer of MLSPS is the security event detection procedure. Applying data recording and event detection technologies discovers abnormal security events in a timely way. MLSPS can enhance e-commerce security and effectively reduce the security risk to e-commerce personal data.

Keywords: e-commerce, security requirement, event detection, security event, MLSPS

978-1-4799-4331-9/14 $31.00 © 2014 IEEE
DOI 10.1109/IMIS.2014.73

I. INTRODUCTION

Business behaviors are always pioneers in the pursuit of high efficiency and high profit, so they are actively and rapidly developed and promoted. All commercial activities conducted through the Internet are collectively referred to as e-commerce (electronic commerce) [1]. According to survey data from the research firm eMarketer, global e-commerce sales exceeded one trillion dollars for the first time, and e-commerce sales in 2013 were expected to grow to 1.3 trillion dollars, with sales in the Asia Pacific region surpassing North America [2]. According to the "new era of e-commerce network development plan" survey, China's B2C market in 2011 was NT 322,600 million and is forecast to reach NT 478,100 million in 2013 [3]. However, a Gartner research report pointed out that because consumers worry about security issues, e-commerce sales fell short by as much as $2 billion [4]. These studies show that e-commerce sales will continue to grow; however, e-commerce security is a key factor affecting sales growth.

Network facilities are a major advantage of e-commerce systems. However, network applications also cause many e-commerce system issues, and one of the critical factors is transaction and personal information security. The impact of e-commerce security defects has overtaken function and performance problems. In order to avoid security flaws and defects of the system causing users significant loss, how to improve e-commerce security has become a critical issue. Security events in e-commerce are often discovered indirectly or passively. Delayed discovery of a security event always causes the organization great losses and makes system recovery difficult. A security event that cannot be detected in time may expand the loss and impact on the e-commerce system. For this reason, this paper investigates security prevention measures and, based on those measures, applies active testing and detection of e-commerce security defects to increase e-commerce security.

The e-commerce system is a necessary concern for business transaction activity and commercial behavior. To increase transaction security, the e-commerce system must care for and enhance system security. This paper discusses e-commerce security related issues, explores e-commerce security requirements and analyzes routine security testing and security event detection for the e-commerce operation process. Based on security requirements, security defect identification and event detection activity, the paper proposes a Multi-Layer Secure Prevention Scheme (MLSPS). MLSPS can enhance e-commerce security and effectively reduce the security risk to e-commerce personal data. The first layer of MLSPS is the well-defined security requirement; the second and third layers of MLSPS are the routine security testing and the security event detection procedure. This paper is divided into five sections. Section II discusses e-commerce security issues and the necessary e-commerce security requirement items. Section III analyzes security requirements, routine security testing operation and security event detection in depth. Section IV combines security requirements, routine security testing and security event detection to propose the MLSPS. Section V evaluates the advantages of MLSPS for reducing e-commerce security risk. Section VI discusses the contribution of MLSPS to security event prevention and concludes the paper.

II. IMPORTANCE OF E-COMMERCE SECURITY

The Internet age has changed the style of commercial transactions and brought many business opportunities to e-commerce. However, security has also become a critical issue for e-commerce systems.

A. E-commerce security issues

In the Internet age, e-commerce has become an important system for business transaction activity. All e-commerce activities involve customer personal data and transaction information, and these critical data and information are the secret worry of e-commerce. According to a 104 Market Research Center survey of network transaction security and its impact, 84% of people were concerned that their personal data may be stolen (shown in Fig. 1) [5], and 42% of people had experienced lost personal data or a fraud event [5]. Recently, lost personal data and transaction security issues have occurred frequently. In 2011, hackers intruded into the PlayStation Network of Sony Corporation Japan, and the personal data of 77,000 thousand PS3 and Qriocity music on demand service customers were stolen [6]. Therefore, well-known corporations and organizations are very concerned about information security and use every approach to defend against hacker intrusion and protect customer personal data. Firewalls, Intrusion Detection and Prevention (IDP) and related prevention devices [7], [8] are the major tools for network security prevention. Several software prevention and detection technologies, including vulnerability scanning, penetration testing and human inspection, are also important approaches for increasing Web application security and reducing the security risk to personal data.
Figure 1. In network transactions, 84% of people are concerned that their personal data may be stolen. (Pie chart: Very worried 34%, Worried 50%, Not worried 15%, Very not worried 1%.)

Many international groups and organizations (SANS, the Open Web Application Security Project (OWASP)) care a great deal about Web application security issues. They continuously announce Web application and information system security vulnerabilities and flaws, such as the SANS Top-20 Security Risks and the OWASP Top 10 [10], in an attempt to reduce software system security risk. According to the SANS Top-20 Security Risks [11], the OWASP Top 10 [10] and the four security requirements proposed by Holcombe [1], software security vulnerabilities are divided into five classes:
(1) Authorization: E-commerce system maintenance and operation personnel must have standardized procedures and clear permissions. If the system is unable to control the permissions of personnel, it will cause serious security defects and vulnerabilities.
(2) Integrity: In the e-commerce operation process, the system must ensure that information or data cannot be arbitrarily changed or stolen. The system must ensure data integrity; otherwise this becomes a critical defect of e-commerce security.
(3) Privacy: In an e-commerce system, user personal data and transaction information are important private information. The system must have the ability to protect user personal data and transaction information; leaked user personal data and transaction information will form serious security incidents.
(4) Non-Repudiation: The e-commerce system must document all transaction information in detail. In the event of a transaction dispute, the system should be able to analyze and determine the implementation details of the transaction to achieve non-repudiation; otherwise transaction dispute events and security issues will arise.
(5) Attack and intrusion manner: Hackers or malicious users use many approaches to attack or intrude into information systems. The methods of attack are varied: wireless network intrusion methods (packet sniffing, interception by intermediaries, access denial, fake base station attacks, etc.) and phishing are common attack or invasion tactics.

B. Security requirement of e-commerce

Information security vulnerabilities and defects have become an important issue for the commercial behavior of enterprises and organizations. An enterprise or organization that does not attend to information security issues will lose customer confidence and recognition. In the Internet age, e-commerce is a special and critical system for commercial transaction activity, so e-commerce security issues deserve special attention. Holcombe considered that any e-commerce system should satisfy four security requirements [1]:
(1) Authorization: The registered user of the e-commerce system must be assured of his usage privileges during the system operation process.
(2) Integrity: In the e-commerce information exchange process, the system must ensure that information cannot be arbitrarily deleted or revised, to protect information integrity.
(3) Privacy: In the e-commerce information exchange process, the system must prevent unauthorized personnel from attending or contacting the information exchange operation. In the e-commerce system development process, it is necessary to build privacy into the e-commerce system and services [9].
(4) Non-Repudiation: All e-commerce transaction activities must be able to concretely prove and record the exchanged information to achieve non-repudiation of transactions.

III. SECURITY REQUIREMENT, TESTING AND EVENT DETECTION

E-commerce security should concern three layers of operation: security requirements, security vulnerability testing [12] and security event detection.

A. Critical security requirement of e-commerce

In order to satisfy the four indivisible security requirements and provide vulnerability defense capability, e-commerce should have security requirements in the following three areas:
(1) Customer personal data security: Personal data is a necessary item for e-commerce to operate normally. The customer providing personal data is the basic condition for creating mutual trust, and e-commerce transactions always need critical customer personal data. Therefore, how to suitably collect, handle, use and protect personal data is an important mission. E-commerce security must provide a complete personal data protection mechanism.
(2) E-commerce system operation security: The network environment is an important advantage and facility for the e-commerce system. The Internet has no regional, national or time limitations, so e-commerce can handle a variety of transactions anytime and anywhere with high convenience. However, cybercrime increases continuously. Many new criminal techniques can quickly intrude into an e-commerce system to steal customer personal data and critical transaction records at any time, and some techniques can steal data in transit over the network, causing customers, organizations and enterprises both emotional and financial loss. The security requirements of e-commerce must propose a complete security prevention mechanism to create trust in the transaction behavior of buyer and seller.
(3) E-commerce transaction security: Each transaction activity has to be jointly recognized by the buyer and seller. After a transaction is accomplished, the transaction activity must be clearly and completely recorded to assure the security of the transaction behavior and avoid future disputes. So, transaction behavior should follow a standard operating procedure (SOP) and provide a complete and reliable transaction behavior logging mechanism to achieve non-repudiation of e-commerce transaction behavior.

B. Routine security testing

The e-commerce system must develop routine security testing to ensure that e-commerce activities have a secure operating environment. Security testing has two major manners:
(1) Vulnerability Scan (VS): VS belongs to system-internal security vulnerability and defect inspection [13], [14]. In general, the e-commerce software maintainer should take responsibility for the VS and execute it at least once every six months. VS tools can help identify e-commerce security vulnerabilities and defects to assist software maintainers with the subsequent repair operation. However, VS tools only inspect security vulnerabilities and defects that exist in the source code and cannot inspect the overall e-commerce environment security, so the inspection range and improvement effect have limitations. In order to compensate for the deficiencies of VS, penetration testing becomes an important and indispensable task for security prevention [10], [15], [16].
(2) Penetration Test (PT): PT is a formal security vulnerability and defect inspection activity [17], [18], [19]. In order to discover and identify Web application security defects, PT simulates the attack approach of hackers or malicious users. In general, PT is entrusted to a technology consulting organization and carried out by security testing professionals. The period of testing depends on the inspection range and items; however, it needs at least five work days. The PT final report should describe the test execution procedure in detail and record the identified security vulnerabilities and defects. The subsequent security repair operation and improvement activity can also be entrusted to the consulting organization to enhance Web application security.

VS tools and PT do not ensure that all security vulnerabilities and defects can be identified and repaired. Therefore, in order to identify residual security vulnerabilities and defects, it is necessary to create an e-commerce security checklist for human inspection [20]. For e-commerce security, Racquel proposed a human inspection checklist [16]. Based on five compared items, the advantages and disadvantages of VS, PT and human inspection are summarized in Table I.

TABLE I. VS, PT and auditing comparison table

Features     | VS                | PT           | Human auditing
Frequency    | 3~6 months        | Half/a year  | Half/a year
Periods      | short             | long         | long
Cost         | low               | high         | middle
Personnel    | System maintainer | Professional | Quality Assurance Group
Improvement  | Maintainer        | Consultant   | Maintainer

C. Security event detection

Security testing can effectively increase e-commerce security, but it does not guarantee that the system will not be intruded by hackers or malicious users. An e-commerce system that has completed security testing still cannot avoid the occurrence of security events. Therefore, the e-commerce system should plan a security event detection procedure to discover security events in time and effectively reduce the extension of the event. Security event detection should collect all kinds of security event occurrence situations. In order to detect security events in time and reduce damage, it is necessary to collect all kinds of logging data, analyze all possible events and quickly determine the affected severity and range. The architecture of an e-commerce system can be divided into four major items: client site, application server, database server and external entity. To analyze all kinds of security events, an interface data collector should be inserted at the interface between the application server and the other items (shown in Fig. 2). In addition, interface data collectors should also be inserted at the critical interfaces of the e-commerce application software modules. In the e-commerce system operation process, the interface data collectors can collect and log all e-commerce transaction data. According to the judgment rules for abnormal situation events in the history data, security events can be identified in time and the subsequent improvement measures carried out. To accomplish this difficult mission, three critical technologies have to be combined: data collection, data classification and event detection. The purpose of the security event detection procedure is to detect security events in time and reduce damage to the e-commerce system. For this, the paper combines data collector and classification with event monitoring technologies to create the Security Event Detection Framework (SEDF). Applying the SEDF, the security event detection procedure can detect security events in time and assist the subsequent repair. The SEDF can effectively enhance e-commerce security and reduce e-commerce security risk.

Figure 2. E-commerce security event detection architecture (the client site, the external entities and the e-commerce database each connect to the e-commerce application server through a data collector (DC)).

Analyzing history data, event log records and expert knowledge can help generate the security event judgment rules. The event detection procedure should have high flexibility to adjust the judgment rules: based on the situation of security events that have occurred, the judgment rules can be appended, modified and deleted. When all kinds of security events can be identified in time, the severity of the event impact can be reduced and e-commerce security effectively improved.

IV. MLSPS AND OPERATION FLOW

In this section, routine security testing and security event detection are applied to propose the MLSPS.

A. Security prevention scheme

An enterprise or organization should develop a sound security prevention strategy to protect e-commerce personal data and transaction information and increase customer privacy. The first layer is to draw up the e-commerce system security requirements. The e-commerce system should satisfy the four security requirements of authorization, integrity, privacy and non-repudiation. Security requirements are more important than security testing and event detection, because paying attention to security requirements in the early stages of the software life cycle potentially saves more cost and effort [21]. In order to verify e-commerce system security, security requirement quality assurance activities become the critical task.

The second layer is the security testing and repair operation before a security event occurs. In the Internet age, network and information facilities change quickly, and new products or environments are continuously proposed. To adapt to the new products and environments, the e-commerce system must be continuously upgraded and maintained to satisfy user and market requirements. In addition, the intrusion manners of hackers and malicious users and information stealing technology are renewed continuously. This means the e-commerce system must develop a routine security testing procedure for identifying security vulnerabilities and defects before a security event occurs. The routine security testing operation should execute a VS at least once every six months and a PT at least once every 12 months. The security testing operation identifies security vulnerabilities and defects in time and assists the subsequent security repair operation.

The third layer is the security event detection and remedy operation after a security event occurs. E-commerce is a nonstop business information processing system. Therefore, any abnormal system security event may occur at any time, always impacts e-commerce operation and may affect customer personal data and transaction information. In order to protect customer personal data and transaction information, the e-commerce system should develop the security event detection and remedy operation, which is a nonstop procedure. When an abnormal security event occurs, the detection and remedy operation can actively detect the security event in time and, based on the event situation, estimate the affected scope and carry out the subsequent remedy operation to reduce event damage. The security prevention strategy that combines security requirements, security testing and security event detection operation is defined in this paper as the Multi-Layer Security Prevention Scheme (MLSPS). The security testing operation identifies security vulnerabilities and defects in time and assists the subsequent security repair operation. When an abnormal security event occurs, the security event detection operation can actively detect the security event in time and, based on the event situation, estimate the affected scope and carry out the subsequent remedy operation to reduce security event damage.

Figure 3. MLSPS operation flow chart (Start → Security requirements → Requirement validation → Routine security testing → Security event detection → Terminal, with feedback from the later steps back to the security requirements).
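As an added illustration (not code from the paper), the following Python checks a constructed test history against the cadence stated for the second layer, a VS at least every six months and a PT at least every 12 months, and counts findings still waiting for repair; the record layout, the sample dates and the audit date are assumptions.

```python
"""Cadence and follow-up check for the routine security testing operation of
the second MLSPS layer. Illustrative code added here; not part of the paper."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Maximum interval between two runs of each test kind, as the paper prescribes.
MAX_INTERVAL_MONTHS = {"VS": 6, "PT": 12}

@dataclass(frozen=True)
class TestRun:
    kind: str          # "VS" or "PT"
    run_on: date
    found: int         # vulnerabilities/defects identified in the run
    repaired: int      # of those, how many the repair phase has closed

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def audit(runs: List[TestRun], today: date) -> Dict[str, dict]:
    """For each test kind report the last run, when the next one is due, how many
    days the cadence has been missed by, and how many findings are still open."""
    report: Dict[str, dict] = {}
    for kind, months in MAX_INTERVAL_MONTHS.items():
        history = sorted((r for r in runs if r.kind == kind), key=lambda r: r.run_on)
        last: Optional[date] = history[-1].run_on if history else None
        due = add_months(last, months) if last else today   # never run: due now
        report[kind] = {
            "last_run": last,
            "next_due": due,
            "overdue_days": max(0, (today - due).days),
            "open_findings": sum(r.found - r.repaired for r in history),
        }
    return report

# Constructed test history for a hypothetical shop, audited on SAMPLE_TODAY.
SAMPLE_RUNS = [
    TestRun("VS", date(2013, 6, 10), found=7, repaired=7),
    TestRun("VS", date(2013, 12, 2), found=3, repaired=1),
    TestRun("PT", date(2012, 11, 15), found=5, repaired=5),
]
SAMPLE_TODAY = date(2014, 3, 1)

if __name__ == "__main__":
    for kind, row in audit(SAMPLE_RUNS, SAMPLE_TODAY).items():
        print(kind, row)
```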

B. MLSPS operation flow

The MLSPS operation flow is shown in Fig. 3. The first layer of MLSPS is to draw up the e-commerce system security requirements. The e-commerce system should satisfy the four security requirements of authorization, integrity, privacy and non-repudiation. The requirement validation activities are used to control and manage e-commerce system security. The second layer of MLSPS is the routine security testing procedure. Using VS tools and a PT strategy identifies e-commerce security vulnerabilities and defects. Before a security event occurs, e-commerce security vulnerabilities and defects can be identified and repaired in time to reduce security event risk, so hacker and malicious user intrusions and abnormal security events can be concretely reduced. The routine security testing procedure includes four phases, described as follows (shown in Fig. 4):
(1) Test presetting phase
• Fully collect and parse the high-frequency security vulnerabilities and defects.
• According to the routine security testing operation, prepare a well-defined security testing plan.
(2) Test execution phase
• According to the security testing plan and test cases, execute security testing and identify security vulnerabilities and defects.
(3) Problem identification phase
• Verify the identified security vulnerabilities and defects.
• Isolate the affected environment items or software functional modules.
(4) Repair phase
• Repair the security vulnerabilities and defects.
• Evaluate the result of the security improvement.

Figure 4. Security testing procedure flow chart (Routine security testing, by vulnerability scanning or penetration testing: Test presetting phase → Test execution phase → Problem identification phase → Repair phase).

An enterprise or organization should do its best to fulfil its responsibility to protect customer personal data and transaction information. The third layer of MLSPS is the security event detection procedure. Applying the SEDF (which includes data collection, classification and detection technologies) discovers abnormal security events in time. The security event then needs further identification and recognition to determine the impacted situation and range. In order to reduce the extension of the event's effects, the recovery and repair measures must be developed according to the impacted situation and range. The two kinds of security event are described as follows:
• Lightly event: a security event whose affected range is small. A lightly event generally belongs to a unitary event of an individual or specific user. After the cause of the security event is recognized, a suitable recovery and repair method should be planned.
• Seriously event: a security event whose affected range is large. A seriously event generally belongs to the case of a malicious user or hacker intruding into the system. Temporarily terminating e-commerce operation is necessary to stop the affected range of the event from extending continuously.
The security event detection procedure (shown in Fig. 5), which integrates the SEDF with recovery and repair operations, is described as follows:
(1) Data collector inserting phase
• According to the e-commerce system operating environment and software architecture, the data collector is inserted at the subsystem, external entity and critical function module interfaces.
(2) Event detection phase
• In the e-commerce operation process, monitor all kinds of transaction behaviors and data transformation activities nonstop.
• According to the predefined event judgment rules, identify all possible security events.
(3) Event recognition phase
• Analyze security events and confirm real security events.
• Parse the severity and influence of security events.
(4) Temporary terminate phase
• According to the severity, decide to shut down some functions or the system.
• According to the identified security vulnerabilities and defects, develop and plan the security vulnerability repair and e-commerce system recovery strategy.
(5) Recovery phase
• Analyze and judge the cause of the security events, develop the vulnerability repair strategy and define the e-commerce system recovery measures.
• Recover normal e-commerce system operations.

Figure 5. Security event detection operation flow chart (DC inserting phase → Event detection phase, driven by the security event judgment rules → Event recognition phase → Lightly: Recovery phase; Seriously: Temporary terminate phase → Recovery phase).
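The following Python is an added illustration, not the authors' code, of the procedure above and the SEDF of Section III.C: a collector store, judgment rules that can be appended and deleted, grading of each detected event as lightly or seriously by the size of its affected range, and the temporary terminate decision. The record fields, the two rules and their thresholds, the severity threshold and the sample records are all assumptions constructed for the example.

```python
"""Minimal model of the Security Event Detection Framework (SEDF): data collectors
log records, judgment rules flag situations, events are graded by affected range."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Record:                # one line as an interface data collector (DC) logs it
    ts: int                  # seconds since the start of the observation window
    interface: str           # application-server boundary crossed: client/database/external
    user: str                # account or service identity acting on that interface
    action: str              # e.g. "login_fail", "query", "order"
    rows: int = 0            # customer rows touched (database interface only)

@dataclass(frozen=True)
class Event:
    rule: str
    interface: str
    affected: int            # size of the affected range (accounts or customer rows)
    detail: str
    severity: str            # "lightly" or "seriously" (Section IV.B)

# A judgment rule turns collected records into (interface, affected, detail) findings.
Rule = Callable[[List[Record]], List[Tuple[str, int, str]]]

class SEDF:
    def __init__(self, serious_threshold: int = 3) -> None:
        self.records: List[Record] = []
        self.rules: Dict[str, Rule] = {}
        self.serious_threshold = serious_threshold  # affected range at/above => seriously

    def collect(self, rec: Record) -> None:           # data collector inserting phase
        self.records.append(rec)

    def add_rule(self, name: str, rule: Rule) -> None:  # rules can be appended/modified...
        self.rules[name] = rule

    def delete_rule(self, name: str) -> None:         # ...and deleted (Section III.C)
        self.rules.pop(name, None)

    def detect(self) -> List[Event]:                  # event detection + recognition phases
        events: List[Event] = []
        for name, rule in self.rules.items():
            for interface, affected, detail in rule(self.records):
                severity = "seriously" if affected >= self.serious_threshold else "lightly"
                events.append(Event(name, interface, affected, detail, severity))
        return events

def failed_login_rule(records: List[Record]) -> List[Tuple[str, int, str]]:
    """Client interface: >= 5 failed logins in one 60 s bucket. Affected range =
    distinct accounts targeted, so one user mistyping a password stays lightly."""
    buckets: Dict[int, List[str]] = {}
    for r in records:
        if r.interface == "client" and r.action == "login_fail":
            buckets.setdefault(r.ts // 60, []).append(r.user)
    findings = []
    for bucket, users in sorted(buckets.items()):
        if len(users) >= 5:
            accounts = sorted(set(users))
            findings.append(("client", len(accounts), f"t={bucket * 60}s accounts={accounts}"))
    return findings

def bulk_read_rule(records: List[Record]) -> List[Tuple[str, int, str]]:
    """Database interface: one query touching > 1000 customer rows. Affected
    range = rows read, each row being one customer's personal data."""
    return [("database", r.rows, f"{r.user} read {r.rows} rows at t={r.ts}s")
            for r in records
            if r.interface == "database" and r.action == "query" and r.rows > 1000]

def plan_response(events: List[Event]) -> Dict[str, List[str]]:
    """Temporary terminate phase: shut down the interface behind any seriously
    event; lightly events only go to individual recovery."""
    return {
        "shutdown": sorted({e.interface for e in events if e.severity == "seriously"}),
        "recover": sorted(e.detail for e in events if e.severity == "lightly"),
    }

def demo() -> Tuple[List[Event], Dict[str, List[str]]]:
    """Run the framework over constructed collector output (assumed sample data)."""
    sedf = SEDF()
    sedf.add_rule("failed_login", failed_login_rule)
    sedf.add_rule("bulk_read", bulk_read_rule)
    for ts in (5, 10, 15, 20, 25):                   # alice mistypes her password: lightly
        sedf.collect(Record(ts, "client", "alice", "login_fail"))
    for i, acct in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"]):
        sedf.collect(Record(130 + 5 * i, "client", acct, "login_fail"))  # many accounts: seriously
    sedf.collect(Record(200, "database", "svc_order", "query", rows=25))     # normal read
    sedf.collect(Record(260, "database", "svc_report", "query", rows=5000))  # bulk read: seriously
    events = sedf.detect()
    return events, plan_response(events)
```

Calling demo() yields one lightly event (alice's own failed logins) and two seriously events, and plan_response shuts down the client and database interfaces while leaving alice's case for individual recovery.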
V. EFFICIENCY EVALUATION OF MLSPS

Combining security requirements, routine security testing and the security event detection procedure, the paper proposes a Multi-Layer Security Prevention Scheme (MLSPS). In the e-commerce system development process, the system security requirements must be drawn up to increase e-commerce system security. The routine security testing procedure can effectively identify security vulnerabilities and defects to enhance e-commerce security. Based on the SEDF, the security event detection procedure can identify abnormal security events in time to reduce the damage impact on the e-commerce system and increase the security of customer personal data and transaction information. MLSPS has four advantages, as follows:
• Drawing up e-commerce security requirements may concretely reduce e-commerce system security risk.
• Before a security event occurs, the routine security testing procedure can effectively identify and repair security vulnerabilities and defects to enhance e-commerce security.
• After a security event occurs, the security event detection procedure can identify the abnormal security event in time to reduce the damage impact on the e-commerce system.
• The multi-layer prevention scheme can achieve a complementary effect to effectively reduce the risk to e-commerce security.

VI. CONCLUSION

E-commerce is an important system in the Internet age. However, network intrusion, malicious users, virus attacks and system security vulnerabilities continue to threaten the operation of e-commerce, putting e-commerce security to a serious test. In order to avoid security flaws and defects of the system causing users significant loss, how to improve e-commerce security has become a topic worthy of further exploration. The security prevention strategy should consider security requirements and combine two critical procedures, security testing and security event detection. For this, the paper proposes a Multi-Layer Secure Prevention Scheme (MLSPS). Security requirements can enhance e-commerce system security. The security testing procedure concretely improves e-commerce system security vulnerabilities and defects. The security event detection procedure identifies security events in time and fully reduces event extension. Based on MLSPS, the three phases of security operation can achieve a complementary effect to effectively reduce the risk to e-commerce security.

ACKNOWLEDGEMENTS

This research was supported by the Shih Chien University 2013 research project funds (Project No.: 102-0504005).

REFERENCES

[1] C. Holcombe, Advanced Guide to eCommerce, LitLangs Publishing, 2007.
[2] eMarketer: 2012 global e-commerce sales for the first time exceeded one trillion dollars (2013), cnyes.com (http://news.cnyes.com/Content/20130206/KH61SLNTNB00N.shtml)
[3] 2012 Yearbook of the Republic of China e-commerce (2011), e-commerce development status (in Chinese) (http://ecommercetaiwan.blogspot.tw/2012/10/blog-post_29.html)
[4] S. Evan, Gartner: $2 Billion in E-Commerce Sales Lost Because of Security Fears, 2006/11/27, pcmag.com (http://www.pcmag.com/article2/0,2817,2064021,00.asp)
[5] J.X. Gun, Eighty percent people, fearing online shopping experience fraud, 104survey.com, 2010 (in Chinese) (http://www.104survey.com/faces/newportal/viewPointCtx.xhtml;jsessionid=70AFB339F7F99D2503FBD40CBF199DD4.svyweb202?researchId=254)
[6] J. Pepitone, Massive hack blows crater in Sony brand, CNNMoney Tech., 2011 (http://money.cnn.com/2011/05/10/technology/sony_hack_fallout/index.htm)
[7] J. Kim, et al., Vulnerability to Flash Controller for Secure USB Drives, Journal of Internet Services and Information Security, vol. 3, issue 3/4, November 2013, pp. 136-145.
[8] K.L. Tsai, et al., A Secure ECC-based Electronic Medical Record System, Journal of Internet Services and Information Security, vol. 4, issue 1, February 2014, pp. 47-57.
[9] Tina R. Knuston, Building Privacy into Software Products and Services, IEEE Security and Privacy, vol. 5, no. 2, 2007, pp. 72-74.
[10] OWASP Top 10 (https://www.owasp.org/index.php/Top_10_2013-Table_of_Contents)
[11] SANS Top-20 Security Risks (http://www.sans.org/critical-security-controls/) (2013)
[12] B. Potter, G. McGraw, Software security testing, IEEE Security and Privacy, vol. 2, no. 5, 2004, pp. 32-36.
[13] S. Kals, E. Kirda, C. Kruegel, and N. Jovanovic, Secubat: a web vulnerability scanner, Proceedings of the 15th International Conference on World Wide Web, 2006, pp. 247-256.
[14] Y.P. Lai and P.L. Hsia, Using the vulnerability information of computer systems to improve the network security, Computer Communications, vol. 30, issue 9, 2007, pp. 2032-2047.
[15] G. McGraw, Software Security, IEEE Security & Privacy, vol. 2, no. 2, 2004, pp. 80-83.
[16] Racquel, 15 Point e-Commerce Security Checklist, 2013/3 (https://www.swipehq.com/blog/post/15-point-e-commerce-security-checklist/1395)
[17] B. Arkin, S. Stender, and G. McGraw, Software penetration testing, IEEE Security & Privacy, vol. 3, no. 1, 2005, pp. 84-87.
[18] M. Bishop, About penetration testing, IEEE Security & Privacy, vol. 5, no. 6, 2007, pp. 84-87.
[19] H.H. Thompson, Application Penetration Testing, IEEE Security & Privacy, vol. 3, no. 1, 2005, pp. 66-69.
[20] G. Garzoglio, A Code Inspection Process for security reviews, Journal of Physics: Conference Series, vol. 219, 2010.
[21] P. Hope and P. White, Software Security Requirements, Cigital, Inc., 2007.
