A General Method for Assessment of Security in Complex Services

We focus on assessing the security of business processes. We assume that a business process is composed of abstract services, each of which has several concrete instantiations. The essential feature of our method is that the security metrics used to evaluate security properties are expressed as semirings. First, we decompose the business process into a weighted graph that describes its possible implementations, with one edge per concrete instantiation of each abstract service. Second, we evaluate security with semiring-based methods for graph analysis, so that the same algorithm computes total cost, weakest-link assurance level, or probability of compromise depending on the semiring chosen. Finally, we use semirings to describe mappings between security metrics, which is needed when the security properties of different services are evaluated with different metrics.
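The following is an added illustration of the three steps above, not code from the paper. It assumes a constructed three-step process (authenticate, pay, ship) whose abstract services each have two concrete instantiations with made-up metric values, three example semirings (a cost, a weakest-link level, and a probability that no service on the path is compromised), and a generic semiring shortest-distance relaxation of the kind used for such graphs. The metric mapping shown (probability to cost via the negative logarithm) is one example of a semiring homomorphism; the names, values and helper functions are all assumptions for the sake of the example.

```python
"""Semiring-based security evaluation of a business process graph (added example)."""
import math
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Semiring:
    """A security metric as a semiring (S, plus, times, zero, one).

    `times` composes the metric along the services of one implementation of the
    process; `plus` chooses among alternative implementations. The relaxation
    below assumes `plus` is idempotent (plus(a, a) == a), which holds for the
    three metrics defined here and keeps the loop finite on the process DAG.
    """
    name: str
    zero: Any          # identity of plus: "no implementation"
    one: Any           # identity of times: "empty sequence of services"
    plus: Callable[[Any, Any], Any]
    times: Callable[[Any, Any], Any]


# Total cost of the chosen instantiations: minimise the sum.
TROPICAL = Semiring("tropical (min,+)", math.inf, 0.0, min, lambda a, b: a + b)
# Weakest-link assurance level: a path is as strong as its weakest service,
# and among alternatives the strongest path wins.
BOTTLENECK = Semiring("bottleneck (max,min)", 0, math.inf, max, min)
# Probability that every service on the path resists attack (assumed independent).
VITERBI = Semiring("viterbi (max,*)", 0.0, 1.0, max, lambda a, b: a * b)

Edge = Tuple[str, str, str, Any]  # (source node, target node, instantiation, weight)

# Constructed catalogue of concrete instantiations; the numbers are illustrative.
INSTANCES: Dict[str, Dict[str, Any]] = {
    "auth_pwd":    {"cost": 1.0, "level": 1, "p_ok": 0.90},
    "auth_mfa":    {"cost": 3.0, "level": 3, "p_ok": 0.99},
    "pay_basic":   {"cost": 2.0, "level": 2, "p_ok": 0.95},
    "pay_3ds":     {"cost": 5.0, "level": 3, "p_ok": 0.98},
    "ship_plain":  {"cost": 1.0, "level": 1, "p_ok": 0.97},
    "ship_signed": {"cost": 2.0, "level": 2, "p_ok": 0.99},
}
# Weighted graph of the process: each abstract service is a pair of nodes and
# each of its concrete instantiations a parallel edge between them.
PROCESS: List[Tuple[str, str, str]] = [
    ("start", "authed", "auth_pwd"), ("start", "authed", "auth_mfa"),
    ("authed", "paid", "pay_basic"), ("authed", "paid", "pay_3ds"),
    ("paid", "end", "ship_plain"),   ("paid", "end", "ship_signed"),
]


def weighted_edges(metric: str) -> List[Edge]:
    """Label every edge of the process graph with one metric from the catalogue."""
    return [(u, v, lab, INSTANCES[lab][metric]) for u, v, lab in PROCESS]


def shortest_distance(edges: List[Edge], src: str, dst: str, sr: Semiring):
    """Generic semiring shortest distance (Bellman-Ford style relaxation).

    Returns (value in the semiring, instantiations on the chosen implementation).
    """
    nodes = {src, dst, *[u for u, _, _, _ in edges], *[v for _, v, _, _ in edges]}
    dist: Dict[str, Any] = {v: sr.zero for v in nodes}
    pred: Dict[str, Tuple[str, str]] = {}
    dist[src] = sr.one
    for _ in range(len(nodes)):
        changed = False
        for u, v, label, w in edges:
            cand = sr.plus(dist[v], sr.times(dist[u], w))
            if cand != dist[v]:
                dist[v], pred[v], changed = cand, (u, label), True
        if not changed:
            break
    path, node = [], dst
    while node in pred:           # walk predecessors back to the source
        node, label = pred[node]
        path.append(label)
    return dist[dst], list(reversed(path))


def map_metric(edges: List[Edge], h: Callable[[Any], Any]) -> List[Edge]:
    """Re-express every edge weight through a metric mapping h.

    When h is a semiring homomorphism (it preserves plus, times, zero and one),
    evaluating the mapped graph in the target semiring agrees with mapping the
    result computed in the source semiring, so different services' metrics can
    be brought to a common one before evaluation.
    """
    return [(u, v, lab, h(w)) for u, v, lab, w in edges]


def prob_to_cost(p: float) -> float:
    """Homomorphism from VITERBI (max,*) to TROPICAL (min,+): p -> -log p."""
    return math.inf if p == 0.0 else -math.log(p)


if __name__ == "__main__":
    for metric, sr in (("cost", TROPICAL), ("level", BOTTLENECK), ("p_ok", VITERBI)):
        print(sr.name, shortest_distance(weighted_edges(metric), "start", "end", sr))
    print("mapped", shortest_distance(map_metric(weighted_edges("p_ok"), prob_to_cost),
                                      "start", "end", TROPICAL))
```

Running the script shows that the same relaxation picks the cheapest implementation under the tropical semiring, the strongest weakest link under the bottleneck semiring, and the most reliable chain under the Viterbi semiring, and that the mapped evaluation (costs derived from probabilities) selects the same implementation as the direct probability evaluation.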
