202,839 research outputs found

    Threats Management Throughout the Software Service Life-Cycle

    Software services are inevitably exposed to a fluctuating threat picture. Unfortunately, not all threats can be handled only with preventive measures during design and development, but also require adaptive mitigations at runtime. In this paper we describe an approach where we model composite services and threats together, which allows us to create preventive measures at design-time. At runtime, our specification also allows the service runtime environment (SRE) to receive alerts about active threats that we have not handled, and react to these automatically through adaptation of the composite service. A goal-oriented security requirements modelling tool is used to model business-level threats and analyse how they may impact goals. A process flow modelling tool, utilising Business Process Model and Notation (BPMN) and standard error boundary events, allows us to define how threats should be responded to during service execution on a technical level. Throughout the software life-cycle, we maintain threats in a centralised threat repository. Re-use of these threats extends further into monitoring alerts being distributed through a cloud-based messaging service. To demonstrate our approach in practice, we have developed a proof-of-concept service for the Air Traffic Management (ATM) domain. In addition to the design-time activities, we show how this composite service duly adapts itself when a service component is exposed to a threat at runtime. Comment: In Proceedings GraMSec 2014, arXiv:1404.163

    A semantical framework for the orchestration and choreography of web services

    Web Services are software services that can be advertised by providers and invoked by customers using Web technologies. This concept is currently carried further to address the composition of individual services through orchestration and choreography to services processes that communicate and interact with each other. We propose an ontology framework for these Web service processes that provides techniques for their description, matching, and composition. A description logic-based knowledge representation and reasoning framework provides the foundations. We will base this ontological framework on an operational model of service process behaviour and composition

    Inventory control for a non-stationary demand perishable product: comparing policies and solution methods

    This paper summarizes our findings with respect to order policies for an inventory control problem for a perishable product with a maximum fixed shelf life in a periodic review system, where chance constraints play a role. A Stochastic Programming (SP) problem is presented which models a practical production planning problem over a finite horizon. Perishability, non-stationary demand, fixed ordering cost and a service level (chance) constraint make this problem complex. Inventory control handles this type of models with so-called order policies. We compare three different policies: a) production timing is fixed in advance combined with an order up-to level, b) production timing is fixed in advance and the production quantity takes the age distribution into account and c) the decision of the order quantity depends on the age-distribution of the items in stock. Several theoretical properties for the optimal solutions of the policies are presented. In this paper, four different solution approaches from earlier studies are used to derive parameter values for the order policies. For policy a), we use MILP approximations and alternatively the so-called Smoothed Monte Carlo method with sampled demand to optimize values. For policy b), we outline a sample based approach to determine the order quantities. The flexible policy c) is derived by SDP. All policies are compared on feasibility regarding the α-service level, computation time and ease of implementation to support management in the choice for an order policy. National project TIN2015-66680-C2-2-R, in part financed by the European Regional Development Fund (ERDF)

    On the Modular Specification of NFPs: A Case Study

    The modular specification of non-functional properties of systems is a current challenge of Software Engineering, for which no clear solution exists. However, in the case of Domain-Specific Languages some successful proposals are starting to emerge, combining model-driven techniques with aspect-weaving mechanisms. In this paper we show one of these approaches in practice, and present the implementation we have developed to fully support it. We apply our approach for the specification and monitoring of non-functional properties using observers to a case study, illustrating how generic observers defining non-functional properties can be defined in an independent manner. Then, correspondences between these observers and the domain-specific model of the system can be established, and then weaved into a unified system specification using ATL model transformation. Such a unified specification can also be analyzed in a natural way to obtain the required non-functional properties of the system. This work is partially funded by Research Projects TIN2011-23795 and TIN2011-15497-E