Similar literature
 Found 20 similar documents; search took 93 ms
1.
Context: Model-Driven Development (MDD) is an alternative approach for information systems development. The basic underlying concept of this approach is the definition of abstract models that can be transformed to obtain models near implementation. One fairly widespread proposal in this sphere is that of Model Driven Architecture (MDA). Business process models are abstract models which additionally contain key information about the tasks that are being carried out to achieve the company’s goals, and two notations currently exist for modelling business processes: the Unified Modelling Language (UML), through activity diagrams, and the Business Process Modelling Notation (BPMN). Objective: Our research is particularly focused on security requirements, in such a way that security is modelled along with the other aspects that are included in a business process. To this end, in earlier works we have defined a metamodel called secure business process (SBP), which may assist in the process of developing software as a source of highly valuable requirements (including very abstract security requirements), which are transformed into models with a lower abstraction level, such as analysis class diagrams and use case diagrams through the approach presented in this paper. Method: We have defined all the transformation rules necessary to obtain analysis class diagrams and use case diagrams from SBP, and refined them through the characteristic iterative process of the action-research method. Results: We have obtained a set of rules and a checklist that make it possible to automatically obtain a set of UML analysis classes and use cases, starting from SBP models. Our approach has additionally been applied in a real environment in the area of the payment of electrical energy consumption. Conclusions: The application of our proposal shows that our semi-automatic process can be used to obtain a set of useful artifacts for software development processes.

2.
3.
XML access control policies involving updates may contain security flaws, here called inconsistencies, in which a forbidden operation may be simulated by performing a sequence of allowed operations. This article investigates the problem of deciding whether a policy is consistent, and if not, how its inconsistencies can be repaired. We consider total and partial policies expressed in terms of annotated schemas defining which operations are allowed or denied for the XML trees that are instances of the schema. We show that consistency is decidable in PTIME for such policies and that consistent partial policies can be extended to unique least-privilege consistent total policies. We also consider repair problems based on deleting privileges to restore consistency, show that finding minimal repairs is NP-complete, and give heuristics for finding repairs. Finally, we experimentally evaluate these algorithms in comparison with an exact approach based on answer-set programming.

4.
Many organizations use business policies to govern their business processes, often resulting in huge amounts of policy documents. As new regulations arise such as Sarbanes-Oxley, these business policies must be modified to ensure their correctness and consistency. Given the large amounts of business policies, manually analyzing policy documents to discover process information is very time-consuming and imposes excessive workload. In order to provide a solution to this information overload problem, we propose a novel approach named Policy-based Process Mining (PBPM) for automatically extracting process information from policy documents. Several text mining algorithms are applied to business policy texts in order to discover process-related policies and extract such process components as tasks, data items, and resources. Experiments are conducted to validate the extracted components and the results are found to be very promising. To the best of our knowledge, PBPM is the first approach that applies text mining towards discovering business process components from unstructured policy documents. The initial research results presented in this paper will require more research efforts to make PBPM a practical solution.

5.
Modern service-based systems are frequently required to be highly adaptable in order to cope with rapid changes and evolution of business goals, requirements, as well as physical context in a dynamic business environment. Unfortunately, adaptive systems are still difficult to build due to their high complexity. In this paper, we propose a new approach for developing highly adaptable Web services based on a synergy between context-aware Web service policies and Aspect-Oriented Programming. This synergy is achieved through the elaboration of an innovative extension of the Web Service Policy Language (WSPL), which allows for context specification at both policy and rule levels. In addition, we provide a tool for the development of aspect-oriented policies, including an option to translate WSPL policies into aspect-oriented policies. These policies can be automatically woven into composite Web services (e.g., a BPEL process). The elaborated synergy between context, policies, and aspects allows service providers to increase the level of adaptability of Web services at different layers of applications.

6.
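Existing security tools based on WS-Security (Web Services Security) provide the infrastructure for Web service security at the technical level, but these tools require users to have extensive security knowledge and offer no means of presenting the business context, which makes it difficult for business users to use the security facilities. Following the MDA approach, a security policy model integrated with business processes is designed. In this security model, the application model describing the business process is combined with the security model describing the security information of the collaborative application, and a corresponding configuration tool is implemented on top of the security model using the GMF framework. Business staff can configure Web service security policies on top of the visualized business process, based on the predefined security policy model. The tool automatically converts the configured security policies into WS-Security Policy specification documents.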

7.
We have previously proposed SecureUML, an expressive UML-based language for constructing security-design models, which are models that combine design specifications for distributed systems with specifications of their security policies. Here, we show how to automate the analysis of such models in a semantically precise and meaningful way. In our approach, models are formalized together with scenarios that represent possible run-time instances. Queries about properties of the security policy modeled are expressed as formulas in UML’s Object Constraint Language. The policy may include both declarative aspects, i.e., static access-control information such as the assignment of users and permissions to roles, and programmatic aspects, which depend on dynamic information, namely the satisfaction of authorization constraints in a given scenario. We show how such properties can be evaluated, completely automatically, in the context of the metamodel of the security-design language. We demonstrate, through examples, that this approach can be used to formalize and check non-trivial security properties. The approach has been implemented in the SecureMOVA tool and all of the examples presented have been checked using this tool.

8.
Service Oriented Architecture (SOA) is considered to be an important enabler of Internet of Services. By adopting SOA in development, business services can be offered, mediated, and traded as web services, so as to support agile and dynamic business collaborations on the Internet. Business collaboration is often implemented as cross-enterprise processes and involves more than one business entity which agrees to join the collaboration. To enable trustworthy and secure provision of services and service composition across enterprise boundaries, trust between business participants must be established, that is, user identities and access rights must be federated, to support business functions defined in the business processes. This paper proposes an approach which derives trust federation from formally described business process models, such as BPMN and WS-CDL processes, to automate security configuration of business collaborations. The result of the derivation is trust policies which identify trust relationships between business participants and can be enforced in enterprises’ service runtimes with support of a policy deployment infrastructure.

9.
Modern distributed systems contain a large number of objects and must be capable of evolving, without shutting down the complete system, to cater for changing requirements. There is a need for distributed, automated management agents whose behavior also has to dynamically change to reflect the evolution of the system being managed. Policies are a means of specifying and influencing management behavior within a distributed system, without coding the behavior into the manager agents. Our approach is aimed at specifying implementable policies, although policies may be initially specified at the organizational level and then refined to implementable actions. We are concerned with two types of policies. Authorization policies specify what activities a manager is permitted or forbidden to do to a set of target objects and are similar to security access-control policies. Obligation policies specify what activities a manager must or must not do to a set of target objects and essentially define the duties of a manager. Conflicts can arise in the set of policies. Conflicts may also arise during the refinement process between the high level goals and the implementable policies. The system may have to cater for conflicts such as exceptions to normal authorization policies. The paper reviews policy conflicts, focusing on the problems of conflict detection and resolution. We discuss the various precedence relationships that can be established between policies in order to allow inconsistent policies to coexist within the system and present a conflict analysis tool which forms part of a role based management framework. Software development and medical environments are used as example scenarios.

10.
Information systems security issues are currently being addressed using different techniques, such as authentication, encryption and access control, through the definition of security policies, but also using monitoring techniques, in particular intrusion detection systems. We can observe that security monitoring is currently totally decorrelated from security policies, that is security requirements are not linked with the means used to control their fulfillment. Most of the time, security operators have to analyze monitoring results and manually react to provide countermeasures to threats compromising the security policy. The response process is far from trivial, since it both relies on the relevance of the threat analysis and on the adequacy of the selected countermeasures. In this paper, we present an approach aiming at connecting monitoring techniques with security policy management in order to provide response to threat. We propose an architecture allowing to dynamically and automatically deploy a generic security policy into concrete policy instances taking into account the threat level characterized thanks to intrusion detection systems. Such an approach provides means to bridge the gap between existing detection approaches and new requirements, which clearly deal with the development of intrusion prevention systems, enabling a better protection of the resources and services.

11.
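A security policy management framework based on first-order logic is proposed. First, the syntax and semantics of security policies are studied, an algorithm for translating security policies into extended logic programs is given, and a basic query algorithm for security policies is then constructed. Second, an algorithm for translating complex security policy queries into basic queries is given, and a security policy verification algorithm is then constructed. Under the well-founded semantics, these algorithms are terminating, sound and complete, and their computational complexity is polynomial. The framework supports security policy expression, semantic querying and verification under a unified well-founded semantics, ensuring the validity of security policy verification. In addition, the framework is not only compatible with existing mainstream security policy languages, but can also manage security policies with advanced features such as non-monotonicity and recursion.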

12.
Process Aware Information Systems manage processes within organisations on the basis of business process models. These models can be created either from scratch or by reusing existing reference process models. Particular types of reference models are configurable process models that are created by merging multiple models into a single one that can be customized to the needs of the business experts. Using those models presents two main challenges: their creation and their configuration. In this paper, we focus on the first challenge and propose a novel algorithm for merging process models into a configurable process model. The difference in our work is the pre-annotated process models with their business capabilities that report on what actions each process element achieves. Our algorithm generates configurable models that are also annotated with their capabilities that can be used to face the second challenge of these models: the configuration phase. We tested our algorithm using real-world process models to evaluate the required creation time and resulting compression rate after merging the input models. The results show that the models can be created in a few milliseconds while achieving a compression rate of 50%. We further carried out interviews with domain experts to assess the usefulness and the level of maturity of this work. The results show the importance of the automation of process merging using a tool support that we proposed. However, further adaptation efforts are required to integrate this work in the working environments of the interviewed experts.

13.
We have presented a review of the challenges facing business PM. These challenges are categorized into three challenges: (1) between business and IT, difficulty of deriving IT goals from business goals challenges; (2) security issues on business PM challenges; and (3) managing customer power, the rapidly changing business environment and business process (BP) challenges. Also, it presents the limitations of existing business PM frameworks. For example, in the first challenge, the existing literature is limited because it fails to capture the real business environment. Also, it is hard for IT analysts to understand BPs. In the second challenge, the existing methods of IS development fail to successfully integrate security during all development process stages and only deal with specific security requirements, goals and constraints. In the third challenge, no research has been conducted in the area of separating customers into different priority groups to provide services according to their required delivery time, payment history and feedback. Finally, we outline possible further research directions in the business PM domain. A systematic literature review method was used. Our review reports on academic publications on business PM challenges over the 13 years from 2000 to 2012. There are 31 journals as well as the IEEE and ACM databases being searched to identify relevant papers. Our systematic literature review identifies 53 journal papers as being the most relevant to our topic. In conclusion, it is not easy to create a good business PM. However, research has to pay much attention to the area of creating successful business PM by creating secure business PM, managing customer power and creating business PM where IT goals can be easily derived from business goals.

14.
Beyond soundness: on the verification of semantic business process models   Total citations: 1, self-citations: 0, citations by others: 1
The verification of control-flow soundness is well understood as an important step before deploying business process models. However, the control flow does not capture what the process activities actually do when they are executed. Semantic annotations offer the opportunity to take this into account. Inspired by semantic Web service approaches such as OWL-S and WSMO, we consider process models in which the individual activities are annotated with logical preconditions and effects, specified relative to an ontology that axiomatizes the underlying business domain. Verification then addresses the overall process behavior, arising from the interaction between control-flow and behavior of individual activities. To this end, we combine notions from the workflow community with notions from the AI actions and change literature. We introduce a formal execution semantics for annotated business processes. We point out four verification tasks that arise, concerning precondition/effect conflicts, reachability, and executability. We examine the borderline between classes of processes that can, or cannot, be verified in polynomial time. For precondition/effect conflicts, we show that the borderline is the same as that of the logic underlying the ontology axioms. For reachability and executability, we identify a class of processes that can be verified in polynomial time by a fixpoint algorithm which we design for that purpose. We show that this class of processes is maximal in the sense that, when generalizing it in any of the most relevant directions, the validation tasks become computationally hard.

15.
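Zeng Kuangyi, Zhang Jinxiang, Yang Jiahai. Computer Engineering (《计算机工程》), 2006, 32(11): 136-137, 140
Taking the management of CERNET as the application background and starting from an analysis of the key technologies and difficult problems of policy management systems, a new policy refinement model is proposed. Its principle is to exploit the properties of ACLs: policies expressed in different policy languages are mapped to ACLs, which are then distributed to different network devices for execution. The scheme simplifies the complex translation logic of the traditional policy refinement process and fully automates intra-domain security and access control management.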

16.
Job scheduling on production supercomputers is complicated by diverse demands of system administrators and amorphous characteristics of workloads. Specifically, various scheduling goals such as queuing efficiency and system utilization are usually conflicting and thus need to be balanced. Also, changing workload characteristics often impact the effectiveness of the deployed scheduling policies. Thus it is challenging to design a versatile scheduling policy that is effective in all circumstances. In this paper, we propose a novel job scheduling strategy to balance diverse scheduling goals and mitigate the impact of workload characteristics. First, we introduce metric-aware scheduling, which enables the scheduler to balance competing scheduling goals represented by different metrics such as job waiting time, fairness, and system utilization. Second, we design a scheme to dynamically adjust scheduling policies based on feedback information of monitored metrics at runtime. We evaluate our design using real workloads from supercomputer centers. The results demonstrate that our scheduling mechanism can significantly improve system performance in a balanced, sustainable fashion.

17.
Business processes are a key aspect of modern organization. In recent years, business process management and optimization has been applied to different cross-cutting concerns such as security, compliance, or Green IT, for example. Based on the ecological characteristics of a business process, proper environmentally sustainable adaptation strategies can be chosen to improve the total environmental impact of the business process. We use ecological sustainable adaptation strategies that are described as green business process patterns. The application of such a green business process pattern, however, affects the business process layer, the application component and the infrastructure layer. This implies that changes in the application infrastructure also need to be considered. Hence, we use best practices of cloud application architectures which are described as Cloud patterns. To guide developers through the adaptation process we propose a pattern-based approach in this work. We correlate Cloud patterns relevant for sustainable business processes to green business process patterns and organize them within a classification. To provide concrete implementation support we further annotate these Cloud patterns to application component models that are described with the topology and orchestration specification for cloud applications (TOSCA). Using these annotations, we describe a method that provides the means to optimize business processes based on green business process patterns through adapting the implementation of application components with concrete TOSCA implementation models.

18.
The lack of semantics in WS-SecurityPolicy standard hampers the effectiveness of matching security policies. To resolve this problem, we present a semantic approach for matching Web service security policies. The approach consists in the transformation of WS-SP into an OWL-DL ontology and the definition of a set of rules which automatically generate semantic relations that can exist between the provider and requestor security requirements. We show how these relations lead to more correct and refined matching of security policies. We also describe the implementation details of our approach and its validation through a real-world use case.

19.
Cybersecurity is a growing concern in today’s society. Security policies have been developed to ensure that data and assets remain protected for legitimate users, but there must be a mechanism to verify that these policies can be enforced. This paper addresses the verification problem of security policies in role-based access control of enterprise software. Most existing approaches employ traditional logic or procedural programming that tends to involve complex expressions or search with backtrack. These can be time-consuming and hard to understand and update, especially for large-scale security verification problems. Declarative programming paradigms such as “Answer Set” programming have been widely used to alleviate these issues by ways of elegant and flexible modeling for complex search problems. However, solving problems using these paradigms can be challenging due to the nature and limitation of the declarative problem solver. This paper presents an approach to automated security policy verification using Answer Set programming. In particular, we investigate how the separation of duty security policy in role-based access control can be verified. Our contribution is a modeling approach that maps this verification problem into a graph-coloring problem to facilitate the use of generate-and-test in a declarative problem-solving paradigm. The paper describes a representation model and rules that drive the Answer Set Solver and illustrates the proposed approach to securing web application software to assist the hiring process in a company.

20.