Formal Behavioral Modeling and Compliance Analysis for Service-Oriented Systems

In this paper, we present a framework for formal modeling and verification of service-based business processes, with a focus on their compliance with external regulations such as Segregation of Duties (SoD) or privacy protection policies. In our framework, control and data flow are modeled using the exogenous coordination language Reo. Reo process models are designed from scratch or (semi-)automatically obtained from BPMN, UML or WS-BPEL specifications. Constraint automata (CA), a semantic model for Reo, provide state-based representations of process workflows and enable their verification by means of model checking technology. Various extensions of CA make it possible to analyze time-, resource- and Quality-of-Service (QoS)-aware process models.
