Service composition with consideration of interdependent security objectives

Abstract Current approaches for service composition consider security as either a single Quality of Service (QoS) attribute or as several mutually independent quality properties. This view is, however, not adequate, as security objectives are no singletons but are subject to interdependence. Another drawback of these approaches is that partial fulfillment of security objectives, either due to technical or organizational constraints cannot be captured. Formal methods on the other hand are usually limited to a fixed set of security objectives. To bridge this gap, we present an approach to assess the quality of service compositions with regards to interdependent security objectives. Our approach utilizes the notion of structural decomposition which estimates the impact of single quality attributes on a security goal. This allows for the definition of domain models for an arbitrary set of security objectives. As the fulfillment of each security objective is individually measured by a utility value, interdependencies between security objectives can be expressed by a single measure. Furthermore, it allows to express partial fulfillment of security objectives. As each security objective is modeled as a utility function on its own, the model resembles a Multi-Objective Optimization (MOO) problem. We present first evaluation results of transforming domain models into MOO problems and tackling them with state-of-the-art genetic algorithms. Furthermore, we give an overview of a support tool for our approach.

[1]  M. E. Kabay,et al.  Computer Security Handbook , 2002 .

[2]  Arthur H. M. ter Hofstede,et al.  What's in a service? Towards accurate description of non-functional service properties , 2002 .

[3]  Elisa Bertino,et al.  Policy-Driven Service Composition with Information Flow Control , 2010, 2010 IEEE International Conference on Web Services.

[4]  Kalyanmoy Deb,et al.  A fast and elitist multiobjective genetic algorithm: NSGA-II , 2002, IEEE Trans. Evol. Comput..

[5]  Edward Roback,et al.  SP 800-12. An Introduction to Computer Security: the NIST Handbook , 1995 .

[6]  William A. Wulf,et al.  TOWARDS A FRAMEWORK FOR SECURITY MEASUREMENT , 1997 .

[7]  Francesca Rossi,et al.  Semiring-based constraint satisfaction and optimization , 1997, JACM.

[8]  Barbara Pernici,et al.  A framework for QoS-based Web service contracting , 2009, TWEB.

[9]  Mathias Weske,et al.  Business Process Management: Concepts, Languages, Architectures , 2007 .

[10]  Jeffrey O. Kephart,et al.  The Vision of Autonomic Computing , 2003, Computer.

[11]  Gero Mühl,et al.  QoS aggregation for Web service composition using workflow patterns , 2004 .

[12]  Stefan Edelkamp,et al.  Cost-Algebraic Heuristic Search , 2005, AAAI.

[13]  Athman Bouguettaya,et al.  Genetic Algorithm Based QoS-Aware Service Compositions in Cloud Computing , 2011, DASFAA.

[14]  Anil K. Jain,et al.  Algorithms for Clustering Data , 1988 .

[15]  Habtamu Abie,et al.  Identification of Basic Measurable Security Components for a Distributed Messaging System , 2009, 2009 Third International Conference on Emerging Security Information, Systems and Technologies.

[16]  Kalyanmoy Deb,et al.  Multi-objective optimization using evolutionary algorithms , 2001, Wiley-Interscience series in systems and optimization.

[17]  Javier López,et al.  Security and QoS Tradeoffs: Towards a FI Perspective , 2012, 2012 26th International Conference on Advanced Information Networking and Applications Workshops.

[18]  Gero Muehl,et al.  QoS-based Selection of Services: The Implementation of a Genetic Algorithm , 2011 .

[19]  Lothar Thiele,et al.  Multiobjective evolutionary algorithms: a comparative case study and the strength Pareto approach , 1999, IEEE Trans. Evol. Comput..

[20]  Fatih Karatas,et al.  Towards Visual Configuration Support for Interdependent Security Goals , 2013, HCI.

[21]  Gary B. Lamont,et al.  Evolutionary Algorithms for Solving Multi-Objective Problems , 2002, Genetic Algorithms and Evolutionary Computation.

[22]  Ching-Lai Hwang,et al.  Multiple attribute decision making : an introduction , 1995 .

[23]  Tao Yu,et al.  Efficient algorithms for Web services selection with end-to-end QoS constraints , 2007, TWEB.

[24]  Maria Luisa Villani,et al.  An approach for QoS-aware service composition based on genetic algorithms , 2005, GECCO '05.

[25]  Antonio J. Nebro,et al.  jMetal: A Java framework for multi-objective optimization , 2011, Adv. Eng. Softw..

[26]  Arthur H. M. ter Hofstede,et al.  What's in a Service? , 2002, Distributed and Parallel Databases.

[27]  Robert E. Tarjan,et al.  Depth-First Search and Linear Graph Algorithms (Working Paper) , 1971, SWAT.

[28]  Andreas Pfitzmann,et al.  Properties of protection goals and their integration into a user interface , 2000, Comput. Networks.

[29]  Gary B. Lamont,et al.  Evolutionary Algorithms for Solving Multi-Objective Problems (Genetic and Evolutionary Computation) , 2006 .

[30]  Quan Z. Sheng,et al.  Quality driven web services composition , 2003, WWW '03.

[31]  Stephen S. Yau,et al.  An Adaptive Tradeoff Model for Service Performance and Security in Service-Based Systems , 2009, 2009 IEEE International Conference on Web Services.

[32]  Marcelo Schneck de Paula Pessôa,et al.  Prioritization of software security intangible attributes , 2012, ACM SIGSOFT Softw. Eng. Notes.

[33]  T. Saaty How to Make a Decision: The Analytic Hierarchy Process , 1990 .

[34]  S S Stevens,et al.  On the Theory of Scales of Measurement. , 1946, Science.

[35]  Joachim Biskup Security in Computing Systems - Challenges, Approaches and Solutions , 2008 .

[36]  Dogan Kesdogan,et al.  Technical challenges of network anonymity , 2006, Comput. Commun..

[37]  Paolo Traverso,et al.  Service-Oriented Computing: State of the Art and Research Challenges , 2007, Computer.

[38]  Francesca Rossi,et al.  Soft Constraint Logic Programming and Generalized Shortest Path Problems , 2002, J. Heuristics.

[39]  Eckart Zitzler,et al.  Indicator-Based Selection in Multiobjective Search , 2004, PPSN.

[40]  Leonard R. Sussman,et al.  Nominal, Ordinal, Interval, and Ratio Typologies are Misleading , 1993 .

[41]  Min Chen,et al.  Anytime QoS optimization over the PlanGraph for web service composition , 2012, SAC '12.

[42]  Massimo Mecella,et al.  Verification of Access Control Requirements in Web Services Choreography , 2008, 2008 IEEE International Conference on Services Computing.

[43]  Barbara Carminati,et al.  Security Conscious Web Service Composition , 2006, 2006 IEEE International Conference on Web Services (ICWS'06).

[44]  Arjen K. Lenstra,et al.  Selecting Cryptographic Key Sizes , 2000, Journal of Cryptology.

[45]  Thomas F. Lawrence,et al.  Taxonomy for QoS specifications , 1997, Proceedings Third International Workshop on Object-Oriented Real-Time Dependable Systems.

[46]  Gian Luigi Ferrari,et al.  Security Issues in Service Composition , 2006, FMOODS.

[47]  João L. Sobrinho Algebra and algorithms for QoS path computation and hop-by-hop routing in the internet , 2002, TNET.