Abstract
We focus on the assessment of the security of business processes. We assume that a business process is composed of abstract services, each of which has several concrete instantiations. The essential peculiarity of our method is that we express the security metrics used for the evaluation of security properties as semirings. First, we consider a primitive decomposition of the business process into a weighted graph which describes the possible implementations of the business process. Second, we evaluate the security using semiring-based methods for graph analysis. Finally, we exploit semirings to describe the mapping between security metrics, which is useful when different metrics are used for the evaluation of the security properties of services.
This work was partly supported by the EU-FP7-ICT NESSoS and EU-FP7-ICT ANIKETOS projects.
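The following is an added worked example (not code from the paper) that walks through the three steps of the abstract on a constructed toy process: a DAG whose edges are abstract services with several concrete instantiations, a security metric modelled as a semiring (here a probability semiring with ⊕ = max and ⊗ = ×, assumed to express "probability that the service withstands attack"), a Mohri-style semiring shortest-distance pass over the graph, and a mapping into a second metric (attacker cost, the min-plus semiring) via the homomorphism h(p) = −ln p. The process graph, the service names and all metric values are constructed sample data; the brute-force enumeration is included only to cross-check that the algebraic pass gives the same answer without enumerating every implementation.

```python
"""Semiring-based security assessment of a service-composed business process.

Illustrative example, not the paper's own code. Assumptions:
  - the process is a DAG; each edge is an abstract service with several
    concrete instantiations, each carrying a value of a security metric;
  - a metric is a semiring (S, plus, times, zero, one): `times` composes
    services along a path, `plus` chooses among alternatives;
  - an implementation of the process is a start->end path with one
    instantiation chosen per abstract service on that path.
"""
import math
from dataclasses import dataclass
from typing import Callable, Dict, Generic, List, Tuple, TypeVar

T = TypeVar("T")


@dataclass(frozen=True)
class Semiring(Generic[T]):
    plus: Callable[[T, T], T]   # choice between alternative implementations
    times: Callable[[T, T], T]  # sequential composition of services
    zero: T                     # identity of plus, annihilator of times
    one: T                      # identity of times


# Metric 1 (assumed): probability that a service withstands attack.
# Best alternative = max, sequential composition = product.
PROB: Semiring[float] = Semiring(max, lambda a, b: a * b, 0.0, 1.0)

# Metric 2 (assumed): attacker cost as -ln(probability); best = min, composition = sum.
MINPLUS: Semiring[float] = Semiring(min, lambda a, b: a + b, math.inf, 0.0)

# Constructed process: node -> [(abstract service, next node, [(instantiation, value)])]
Edge = Tuple[str, str, List[Tuple[str, float]]]
PROCESS: Dict[str, List[Edge]] = {
    "start":   [("authenticate", "review",  [("authN-pwd", 0.80), ("authN-2fa", 0.97)])],
    "review":  [("validate",     "approve", [("validate-local", 0.90), ("validate-cloud", 0.85)]),
                ("escalate",     "approve", [("escalate-manual", 0.99)])],
    "approve": [("archive",      "end",     [("archive-v1", 0.95), ("archive-v2", 0.98)])],
    "end":     [],
}


def topo_order(process: Dict[str, List[Edge]], start: str) -> List[str]:
    """Nodes reachable from `start` in topological order (DFS post-order reversed)."""
    seen, order = set(), []

    def visit(u: str) -> None:
        if u in seen:
            return
        seen.add(u)
        for _svc, v, _insts in process.get(u, []):
            visit(v)
        order.append(u)

    visit(start)
    return list(reversed(order))


def evaluate(process: Dict[str, List[Edge]], sr: Semiring, start: str, end: str):
    """Semiring shortest-distance over the DAG: `plus` over incoming edges and over
    the instantiations of each service, `times` along a path. By distributivity the
    result equals the `plus`-aggregate over every implementation of the process."""
    order = topo_order(process, start)
    dist = {v: sr.zero for v in order}
    dist[start] = sr.one
    for u in order:
        for _svc, v, insts in process.get(u, []):
            best_inst = sr.zero
            for _name, val in insts:
                best_inst = sr.plus(best_inst, val)
            dist[v] = sr.plus(dist[v], sr.times(dist[u], best_inst))
    return dist[end]


def implementations(process: Dict[str, List[Edge]], start: str, end: str):
    """Brute-force enumeration of every implementation (cross-check only)."""
    if start == end:
        yield []
        return
    for svc, v, insts in process.get(start, []):
        for name, val in insts:
            for rest in implementations(process, v, end):
                yield [(svc, name, val)] + rest


def brute_best(process: Dict[str, List[Edge]], sr: Semiring, start: str, end: str):
    """Fold every enumerated implementation with the semiring; must equal evaluate()."""
    acc = sr.zero
    for impl in implementations(process, start, end):
        path_val = sr.one
        for _svc, _name, val in impl:
            path_val = sr.times(path_val, val)
        acc = sr.plus(acc, path_val)
    return acc


def to_cost(p: float) -> float:
    """Homomorphism PROB -> MINPLUS: maps max to min and product to sum."""
    return math.inf if p <= 0.0 else -math.log(p)


def cost_to_prob(c: float) -> float:
    """Inverse mapping, used to compare results across the two metrics."""
    return 0.0 if math.isinf(c) else math.exp(-c)


def map_metric(process: Dict[str, List[Edge]], h: Callable[[float], float]):
    """Re-express every instantiation's value in another metric via `h`."""
    return {u: [(svc, v, [(n, h(val)) for n, val in insts]) for svc, v, insts in edges]
            for u, edges in process.items()}


if __name__ == "__main__":
    p = evaluate(PROCESS, PROB, "start", "end")
    c = evaluate(map_metric(PROCESS, to_cost), MINPLUS, "start", "end")
    print(f"best withstand-probability over all implementations: {p:.6f}")
    print(f"same assessment in the attacker-cost metric: {c:.6f} (exp(-c) = {cost_to_prob(c):.6f})")
    print(f"implementations enumerated for cross-check: {len(list(implementations(PROCESS, 'start', 'end')))}")
```

The semiring pass touches each edge once, while the number of implementations grows multiplicatively with the number of services and instantiations; the cross-check confirms the two agree on this constructed process. Because h is a semiring homomorphism, assessing the process in the cost metric and mapping back yields the same value as assessing it directly in the probability metric, which is the property that makes a metric mapping usable when different services report different metrics.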
© 2011 Springer-Verlag Berlin Heidelberg
Krautsevich, L., Martinelli, F., Yautsiukhin, A. (2011). A General Method for Assessment of Security in Complex Services. In: Abramowicz, W., Llorente, I.M., Surridge, M., Zisman, A., Vayssière, J. (eds) Towards a Service-Based Internet. ServiceWave 2011. Lecture Notes in Computer Science, vol 6994. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24755-2_14
DOI: https://doi.org/10.1007/978-3-642-24755-2_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-24754-5
Online ISBN: 978-3-642-24755-2