Security Policy Monitoring of BPMN-based Service Compositions

By Muhammad Asim, Artsiom Yautsiukhin, Achim D. Brucker, Thar Baker, Qi Shi, and Brett Lempereur.

Service composition is a key concept of Service-Oriented Architecture that allows for combining loosely coupled services that are offered and operated by different service providers. Such environments are expected to dynamically respond to changes that may occur at runtime, including changes in the environment and individual services themselves. Therefore, it is crucial to monitor these loosely coupled services throughout their lifetime. In this paper, we present a novel framework for monitoring services at runtime and ensuring that services behave as they have promised. In particular, we focus on monitoring non-functional properties that are specified within an agreed security contract. The novelty of our work is based on the way in which monitoring information can be combined from multiple dynamic services to automate the monitoring of business processes and proactively report compliance violations. The framework enables monitoring of both atomic and composite services and provides a user-friendly interface for specifying the monitoring policy. We provide an information service case study using a real composite service to demonstrate how we achieve compliance monitoring. The transformation of security policy into monitoring rules, which is done automatically, makes our framework more flexible and accurate than existing techniques.
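
The abstract's central idea is that a declarative security contract is compiled into monitoring rules, and that observations from the individual (atomic) services of a composition are combined to decide compliance of the whole process while it is still running. The following Python sketch is an added illustration of that idea and is not code from the paper or its framework: the contract format, the service names (`geo-lookup`, `payment`), the attribute names (`transport`, `region`, `auth`) and the event stream are all constructed here. It shows per-service rules derived from the contract, two composite-level rules (a data-location constraint over all invocations and an ordering constraint between two activities of the process) that can only be evaluated by combining events from several services, and incremental reporting as each event arrives rather than at process end.

```python
"""Illustrative runtime compliance monitor for a composite service.

Constructed example (not the paper's framework): a security contract lists
non-functional requirements per atomic service plus requirements on the
composition as a whole; the monitor ingests runtime events from the atomic
services and reports violations as soon as they are detectable.
"""
from dataclasses import dataclass


@dataclass
class Event:
    process_id: str   # which instance of the business process emitted it
    service: str      # atomic service name, e.g. "geo-lookup" (constructed)
    attrs: dict       # observed non-functional properties of the invocation


# Constructed security contract. Per-service entries map an observed attribute
# to the set of acceptable values; the composite section constrains the process.
CONTRACT = {
    "services": {
        "geo-lookup": {"transport": {"tls"}, "region": {"EU"}},
        "payment":    {"transport": {"tls"}, "region": {"EU"}, "auth": {"mtls"}},
    },
    "composite": {
        # every service invoked by the process must run in an allowed region
        "all_regions_in": {"EU"},
        # "payment" may only be invoked after "geo-lookup" in the same process
        "ordering": [("geo-lookup", "payment")],
    },
}


def compile_rules(contract):
    """Translate the declarative contract into monitoring rules.

    Each rule is a callable taking the events observed so far for one process
    instance and returning a list of human-readable violation strings.
    """
    rules = []

    # Per-service rules: one rule per (service, attribute) requirement.
    for svc, reqs in contract["services"].items():
        for attr, allowed in reqs.items():
            def svc_rule(events, svc=svc, attr=attr, allowed=allowed):
                out = []
                for e in events:
                    if e.service == svc and e.attrs.get(attr) not in allowed:
                        out.append(f"{svc}: {attr}={e.attrs.get(attr)!r} "
                                   f"not in {sorted(allowed)}")
                return out
            rules.append(svc_rule)

    # Composite rule: combine location observations from all services.
    allowed_regions = contract["composite"].get("all_regions_in")
    if allowed_regions:
        def region_rule(events, allowed=allowed_regions):
            bad = sorted({e.service for e in events
                          if e.attrs.get("region") not in allowed})
            return ([f"composite: services outside {sorted(allowed)}: {bad}"]
                    if bad else [])
        rules.append(region_rule)

    # Composite rule: ordering of activities within the process instance.
    for before, after in contract["composite"].get("ordering", []):
        def order_rule(events, before=before, after=after):
            seen_before = False
            for e in events:
                if e.service == before:
                    seen_before = True
                if e.service == after and not seen_before:
                    return [f"composite: {after} invoked before {before}"]
            return []
        rules.append(order_rule)

    return rules


class Monitor:
    """Keeps per-process event history and evaluates all rules on each event."""

    def __init__(self, contract):
        self.rules = compile_rules(contract)
        self.instances = {}   # process_id -> list of observed events

    def observe(self, event):
        """Ingest one event; return the violations currently detectable
        for that process instance (empty list means compliant so far)."""
        history = self.instances.setdefault(event.process_id, [])
        history.append(event)
        return [v for rule in self.rules for v in rule(history)]


if __name__ == "__main__":
    m = Monitor(CONTRACT)
    # Constructed event stream for two process instances.
    print(m.observe(Event("p1", "geo-lookup", {"transport": "tls", "region": "EU"})))
    print(m.observe(Event("p1", "payment", {"transport": "tls", "region": "EU", "auth": "mtls"})))
    print(m.observe(Event("p2", "payment", {"transport": "plain", "region": "US", "auth": "mtls"})))
```

The separation between `compile_rules` and `Monitor` is the point worth keeping: the contract is the artefact an analyst edits, the rules are derived from it mechanically, and the composite rules are the ones that need the histories of several services to be joined on the process instance before a verdict is possible.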

Keywords:
Service-Oriented Computing, Composite Services, Business Process Compliance, Compliance Monitoring, Security

Please cite this work as follows:
M. Asim, A. Yautsiukhin, A. D. Brucker, T. Baker, Q. Shi, and B. Lempereur, “Security policy monitoring of BPMN-based service compositions,” Journal of Software: Evolution and Process, 2018, doi: 10.1002/smr.1944. Author copy: https://logicalhacking.com/publications/asim.ea-policy-monitoring-2018/

BibTeX
@Article{ asim.ea:policy-monitoring:2018,
  author    = {Muhammad Asim and Artsiom Yautsiukhin and Achim D. Brucker
               and Thar Baker and Qi Shi and Brett Lempereur},
  journal   = {Journal of Software: Evolution and Process},
  publisher = {John Wiley \& Sons},
  address   = {},
  language  = {USenglish},
  title     = {Security Policy Monitoring of {BPMN}-based Service
               Compositions},
  year      = {2018},
  areas     = {security, software},
  doi       = {10.1002/smr.1944},
  keywords  = {Service-Oriented Computing, Composite Services, Business
               Process Compliance, Compliance Monitoring, Security},
  abstract  = {Service composition is a key concept of Service-Oriented
               Architecture that allows for combining loosely coupled
               services that are offered and operated by different service
               providers. Such environments are expected to dynamically
               respond to changes that may occur at runtime, including
               changes in the environment and individual services themselves.
               Therefore, it is crucial to monitor these loosely coupled
               services throughout their lifetime. In this paper, we present
               a novel framework for monitoring services at runtime and
               ensuring that services behave as they have promised. In
               particular, we focus on monitoring non-functional properties
               that are specified within an agreed security contract. The
               novelty of our work is based on the way in which monitoring
               information can be combined from multiple dynamic services to
               automate the monitoring of business processes and proactively
               report compliance violations. The framework enables monitoring
               of both atomic and composite services and provides a
               user-friendly interface for specifying the monitoring policy. We
               provide an information service case study using a real
               composite service to demonstrate how we achieve compliance
               monitoring. The transformation of security policy into
               monitoring rules, which is done automatically, makes our
               framework more flexible and accurate than existing techniques.
               },
  note      = {Author copy: \url{https://logicalhacking.com/publications/asim.ea-policy-monitoring-2018/}},
  pdf       = {https://logicalhacking.com/publications/asim.ea-policy-monitoring-2018/asim.ea-policy-monitoring-2018.pdf},
}