Hao Zeng,Yong Wang Zhao,Dian Fu Ma

DOI: https://doi.org/10.4028/www.scientific.net/amm.644-650.2943

2014-01-01

Applied Mechanics and Materials

Abstract:With the rapid development of web services technology, the security policies defined in WS-SecurityPolicy are widely used for expressing security properties, capabilities, constraints and requirements of web services. It is well-known that security policies are crucial in the negotiation phase of service discovery and selection. However, such security policies are hard to understand and extremely error-prone, due to the complexity of the WS-SecurityPolicy specification. At the same time, because the WS-SecurityPolicy is described by natural language, there have ambiguity problem. These problem seriously hindered the development of web services policy. Therefore, this paper proposes a web services security policy description model to describe accurately and clearly security policies. The security policy model employs the formal modeling method to convert the policy assertions into the security rules.

Jin-yong LIU,Ruo-feng TONG,Jin-xiang DONG

DOI: https://doi.org/10.3969/j.issn.1001-3695.2005.10.018

2005-01-01

Abstract:Workflow systems now face a difficulty that most Workflow Management Systems (WfMS) only support few enterprises' existing applications and this problem has been the supreme bottleneck. Without uniform standard of integration, deployments of WfMS must be limited by exterior applications. So bringing a new application-independent integration framework forward becomes an urgent affair of WfMS. This paper imports Web Service and Enterprise Application Integration (EAI) into the reference model of WfMC and introduces our extended workflow model which can support Web Service and other heterogeneous applications. A WfMS prototype based on the extended workflow model and its deployment into the Management Information System of a virtual enterprise are also presented.

Peng Liu,Zhong Chen

DOI: https://doi.org/10.1109/wi.2004.10081

2004-01-01

Abstract:Business process describes a set of services that span enterprise boundaries and are provided by enterprises that see each other as partners. Web services is widely accepted and adopted to construct business process. Web services are built in exposed environment and open to security threats. When a web service contained in a business process is authorized to illegal users, it will cause economic loss of the service provider. Although there exist some standards for security of Web services and access control for services in distributed systems are well studied, there is a lack of comprehensive approach in access control for web services, especially in business process. In this paper, an extended RBAC model, called WS-RBAC, is proposed to secure web services in business process. The model takes web services in business process as protected objects and extends the classical RBAC model. Next, The software architecture of WS-RABC is presented. This paper also presents how to specify business process in the model and the authorization constraints of WS-RBAC based on WS-Policy.

Zhang Yi,Zhang Yong,Wang Weinong

DOI: https://doi.org/10.1007/s10922-004-0674-3

2004-01-01

Journal of Network and Systems Management

Abstract:The administration of authorizations in an organization is a complex task. To ensure that tasks constituting the business processes are performed by authorized users, a proper authorization mechanism is required. Alturi and Huang have proposed a workflow authorization model and presented a color-timed Petri net based representation of their model. In this paper, we extend their model by using the colored Petri net formalism to model authorization management, security constraints like separation of duties, and role hierarchy in an elegant way to establish an integrated authorization management model. One of the great advantages of using Petri net formalism for system modeling is its strong mathematical foundation and the availability of a rich set of analysis techniques. Therefore, we will show in this paper the use of linear algebraic technique to analyze the reachable authorization states, and coverability graph to calculate the valid execution chains against the colored Petri net based workflow authorization management model.

Zhang Yuan,Sun Meng

DOI: https://doi.org/10.1109/ICSESS.2011.5982244

2011-01-01

Abstract:We use a scenario-based visual notation, called Policy Sequence Chart (PSC), for specifying security policies in service coordination. A security policy defines a set of security requirements that correspond to permissions, prohibitions and obligations to some executions when some contextual conditions are satisfied. In this paper, we propose an approach of defining operational semantics of PSCs in terms of constraint automata, which can be used as the semantic foundation for checking compliance between service coordination and the security policies.An

Yu Zhiwei,Tang Rengzhong,Jia Dongjiao,Ye Fanbo

DOI: https://doi.org/10.3321/j.issn:1004-132X.2007.04.021

2007-01-01

Abstract:To identify the security requirements of information systems, a business process-based security requirement analysis method was presented. Focused on the business process security, the related assets which affect the business process security were identified by security tree model. The security requirements of assets were identified by risk packet and risk transferring model, and then the security requirements list was formed after coverage analysis. Finally, a case was studied to illustrate the proposed method.

Li Yingying,Jin Zhichao,Ruan Tong,Wang Shuyang

DOI: https://doi.org/10.3969/j.issn.1000-386X.2012.02.030

2012-01-01

Abstract:Current WS-Security-based security tools provide infrastructures of Web Service Security technically.However,these tools require rich security knowledge possessed by the users and do not equip the means of representing business context so that they cause difficulties for business users in their use of security infrastructures.In this paper we design based on MDA idea a security policy model which combines with business process.In this security model the application model describing business process is combined with the security model describing collaborative applied security information.And based on the security model we implement corresponding configuration tools using GMF frame.Business users can configure Web Service security policy based on predefined security policy model within a visual business process,and the tools can convert the security policies configured to WS-Security Policy normative documents.

Cataldo Basile,Gabriele Gatti,Francesco Settanni

2024-05-06

Abstract:Enforcing security requirements in networked information systems relies on security controls to mitigate the risks from increasingly dangerous threats. Configuring security controls is challenging; even nowadays, administrators must perform it without adequate tool support. Hence, this process is plagued by errors that translate to insecure postures, security incidents, and a lack of promptness in answering threats. This paper presents the Security Capability Model (SCM), a formal model that abstracts the features that security controls offer for enforcing security policies, which includes an Information Model that depicts the basic concepts related to rules (i.e., conditions, actions, events) and policies (i.e., conditions' evaluation, resolution strategies, default actions), and a Data Model that covers the capabilities needed to describe different types of filtering and channel protection controls. Following state-of-the-art design patterns, the model allows for generating abstract versions of the security controls' languages and a model-driven approach for translating abstract policies into device-specific configuration settings. By validating its effectiveness in real-world scenarios, we show that SCM enables the automation of different and complex security tasks, i.e., accurate and granular security control comparison, policy refinement, and incident response. Lastly, we present opportunities for extensions and integration with other frameworks and models.

Cryptography and Security

Fatima-Zahra Belouadha,Hajar Omrana,Ounsa Roudies

DOI: https://doi.org/10.48550/arXiv.1201.1481

2012-01-06

Software Engineering

Abstract:A lot of works has been especially interested to the functional aspect of Web services. Nevertheless, it is necessary to describe their non-functional properties such as the security characteristics and the quality of service. The WS-Policy standard was recommended in 2007 to describe Web services policies including the non-functional properties. However, it doesn't provide any information of their meaning necessary for automatic processes. In this paper, we propose a Model Driven Architecture approach founded on W3C standards to generate WSDL language based files including semantic policies. We use a package of WSDL and WS-Policy profiles and transformations rules to generate Web services interfaces files including policies. We extend a XML schema profile according to SAWSDL standard to define semantic non-functional properties domains. This work contributes to minimize the development cost of Web services including semantic policies. Moreover, the generated services can be automatically processed in discovery, selection and negotiation tasks.

P Liu,Z Chen

DOI: https://doi.org/10.1109/cec-east.2004.17

2005-01-01

Abstract:Web services are widely accepted and adopted to provide business functionality in business world. Especially, Web service is chosen to compose business process by companies to achieve their business objectives. Business process contains a set of activities, which represent business interactions between Web services spanning company boundaries. As Web services are built in open distributed environment, it is apt to cause security concerns. Security problems mainly prevent many companies from implementing Web services. This paper proposes an extended RBAC model, called WS-RBAC4BP, to protect Web services in business process. In this model, companies and Web services are considered as subjects and protected objects, respectively. New types of constraints are introduced. Furthermore, the system architecture of WS-RABC4BP is presented. This paper also gives examples to illustrate the model

Yang Shuxin,Zheng Jian,Wang Jian

DOI: https://doi.org/10.3969/j.issn.1000-386X.2009.02.017

2009-01-01

Abstract:Some existing access control model for workflow systems are limited to tasks execution.It is difficult to satisfy the security requirement for adaptive workflow systems.To solve the problem,operation behaviors of adaptive workflow management systems are analyzed and summarized.Object,user and operation are considered as the main elements for research.Formal description and fine granularity partition about these elements are given.Finally,based on the above work,a role-based access control model and integration with systems are proposed,and relationships among role,user and operation are described.In addition,authorization method is given to guarantee operation security and rationality.The problem of security is solved effectively,and the users' flexible requirements for permission are satisfied.

MA Liang,GU Ming

DOI: https://doi.org/10.3969/j.issn.1000-1220.2006.01.031

2006-01-01

Abstract:Nowadays workflow is coming into more and more notice in many areas such as OA, e-government, e-business. Security is a important problem in workflow environment. Access control is a vital component of Security. In this paper, a RBAC model in workflow environment (WRBAC) is introduced. The model is based on proposed NIST standard for RBAC, formally describes the relationship between the key elements of access control in workflow systems such as user, role, permission and activity, presents the static and dynamic constraints. The model can effectively reduce the risk of information leakage and fraud, meet the requirements for access control in workflow systems.

Karolina Bataityte,Vassil Vassilev,Olivia Jo Gill

DOI: https://doi.org/10.1007/978-3-030-49161-1_31

2020-01-01

Abstract:Modelling of knowledge and actions in AI has advanced over the years but it is still a challenging topic due to the infamous frame problem, the inadequate formalization and the lack of automation. Some problems in cyber security such as logical vulnerability, risk assessment, policy validation etc. still require formal approach. In this paper we present the foundations of a new formal framework to address these challenges. Our approach is based on three-level formalisation: ontological, logical and analytical levels. Here we are presenting the first two levels which allow to model the security policies and provide a practical solution to the frame problem by efficient utilization of parameters as side effects. Key concepts are the situations, actions, events and rules. Our framework has potential use for analysis of a wide range of transactional systems within the financial, commercial and business domains and further work will include analytical level where we can perform vulnerability analysis of the model.

Jun-Qing Chen,Linpeng Huang,Han Huang,Chengyuan Yu,Chen Li

DOI: https://doi.org/10.1109/CSC.2012.24

2012-01-01

Abstract:How to protect sensible resources is an important issue in the development of web service applications. This paper presents a formal model for resource protections, aiming at statically analyzing and verifying that the applications use these resources in a valid manner, i.e., obeying all the protection policies. The policies are logical properties of resource usage behaviors. The usage behaviors are extracted from the execution of web services by a type and effect system, and represented as concurrent regular expressions. After a suitable transformation, the expressions can be checked for validity by model-checking tools. Web service applications use the resources correctly if their concurrent regular expressions are verified valid. The analysis result shows our approach can improve system performances in comparison with runtime checkers, e. g., execution monitors.

马晨华,陆国栋,裘炅

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.12.014

2008-01-01

Abstract:Access control models proposed so far cannot satisfy the access requirements in workflow systems very well.To address the issue,a flexible policy access control model for workflows was proposed.By the introduction of authorization certificate,which defines the authorization that can be performed during task execution and the constraints should be satisfied,dynamic access control in workflows is realized and the flexible definition of authorization policies is supported.For the description of complicated authorization rules,authorization certificate related constraints were defined.Furthermore,efficient conflict detection and resolution rules for authorization constraints were also provided.Analysis shows that the model has good security and practicability.It can meet the requirements for access control in workflow systems adequately.

黄雨,胡文蕙,高昕,王捍贫

DOI: https://doi.org/10.3969/j.issn.1007-130x.2009.10.018

2009-01-01

Abstract:WSCI is a choreography language that describes the composition of Web services.For business processes,any design fault will lead to a huge loss.Therefore,for the sake of correct deployment of business processes,it is necessary to formalize WSCI and analyze its model.This paper proposes an analytical method of WSCI:firstly we introduce the formal model,secondly present the important concept of net fusion in order to get an integrated model,and finally use the reachability graph to analyze WSCI with exception handling.

Jian Cao,Jinjun Chen,Haiyan Zhao,Minglu Li

DOI: https://doi.org/10.1016/j.jnca.2008.02.021

IF: 7.574

2009-01-01

Journal of Network and Computer Applications

Abstract:Although workflow has been widely used to support the modeling and execution of business process, the majority of current workflow management systems are not designed and suited for supporting dynamic business processes. One of the deficiencies is the inability to model realistically the organization of an enterprise to manage the dynamic human-centric business processes. A framework for workflow-enabled dynamic business process management is described in the paper. It includes an organizational model and an authorization model for supporting dynamic business processes. More specifically, authorization policies are expressed in an SQL-like language which can be easily rewritten into query sentences for execution. In addition, the framework supports dynamic integration and execution of multiple access control polices from disparate enterprise resources. Finally, a prototype implementation of the dynamic business process management framework is described.

Hao Zeng,Dianfu Ma,Yongwang Zhao,Zhuqing Li

DOI: https://doi.org/10.1007/s11761-013-0143-5

2013-01-01

Abstract:Due to the dynamic, heterogeneous and interorganizational nature, different web services and different ports or operations in the same service, even the same services at different times may have their different security requirements because of their different security domains and different business backgrounds. How to design a flexible, fine-grained and comprehensive architecture for web services security processing has become a matter of great urgency. However, no ideal solutions have been worked out for these problems. As a result of our study, we have presented in this paper a policy-based architecture termed policy-based architecture for web services security processing (PBA4WSSP) to meet the dynamic, complete and fine-grained security requirements. In PBA4WSSP, the processing of all security problems is based on security policy in service stage to support flexibly security configuration. Moreover, we have designed a service policy model to describe the fine-grained security requirements. And the conversion method between security policy model and security policy expression has also been described. In addition, a staged complete security processing architecture is provided to reduce the dependency among protocol implementations. Furthermore, with PBA4WSSP, a web service security module has been designed and implemented as well. Eventually, the performance evaluation results amply demonstrate that our system is flexible and usable.

Yu Huang,Hanpin Wang,Peng Yu,Yunni Xia

DOI: https://doi.org/10.1016/j.entcs.2005.12.067

2006-01-01

Electronic Notes in Theoretical Computer Science

Abstract:The development of workflow management system requires satisfactory models and concepts. As mentioned in [W.M.P. van der Aalst and Arthur H.M.ter Hofstede, YAWL: Yet Another Workflow Language, QUT Technical report, FIT-TR-2002-06, Queensland University of Technology, Brisbane, 2002], classical Petri nets are not suitable to describe some advanced workflow patterns, thus this paper presents a Petri-net-based model characterized by places with new properties which are suitable to represent some advance workflow patterns. Many workflow models confuse the behaviors of workflow engine and external environment(tasks), and fail to describe the real semantics of workflow engine. In our model, through separating transitions from routings, the place will describe the behaviors of engine and the transition will describe the behavior of task. Because workflow engine is a reactive system, the token-game semantic behavior of a Petri net-based workflow model will differ from its behavior at run time. However, the semantics of property-transition-net-based model with ST firing rules is suitable enough to capture the behavior of workflow process. In this paper the formal definitions and semantics of this model are discussed in detail. This paper concludes with an introduction of a verification technique for structure-soundness detection based on some new reduction rules.

han zhang,gerald weber,william zhu,clark thomborson

DOI: https://doi.org/10.1109/ICCIAS.2006.295321

2006-01-01

Abstract:We develop a new formalism for the security analysis of business logic. Our formalism can be applied to business logic in its early design stages, after the implementation is complete, or at any intermediate time. We illustrate the use of our formalism in a case study based on an initial design for a B2B e-payment system. Our analysis successfully identifies an operational risk for the trusted intermediate party.