Advanced service monitoring configurations with SLA decomposition and selection

Service Level Agreements (SLAs) for Software Services aim to clearly identify the service level commitments established between service requesters and providers. The commitments that are agreed however can be expressed in complex notations through a combination of expressions that need to evaluated and monitored efficiently. The dynamic allocation of the responsibility for monitoring SLAs (and often different parts within them) to different monitoring components is necessary as both SLAs and the components available for monitoring them may change dynamically during the operation of a service based system. In this paper we discuss an approach to supporting this dynamic configuration, and in particular, how SLAs expressed in higher-level notations can be efficiently decomposed and appropriate monitoring components dynamically allocated for each part of the agreements. The approach is illustrated with mechanical support in the form of a configuration service which can be incorporated into SLA-based service monitoring infrastructures

Formal certification and compliance for run-time service environments

With the increased awareness of security and safety of services in on-demand distributed service provisioning (such as the recent adoption of Cloud infrastructures), certification and compliance checking of services is becoming a key element for service engineering. Existing certification techniques tend to support mainly design-time checking of service properties and tend not to support the run-time monitoring and progressive certification in the service execution environment. In this paper we discuss an approach which provides both design-time and runtime behavioural compliance checking for a services architecture, through enabling a progressive event-driven model-checking technique. Providing an integrated approach to certification and compliance is a challenge however using analysis and monitoring techniques we present such an approach for on-going compliance checking

Detection of Security and Dependability Threats: A Belief Based Reasoning Approach

Monitoring the preservation of security and dependability (S&D) properties during the operation of systems at runtime is an important verification measure that can increase system resilience. However it does not always provide sufficient scope for taking control actions against violations as it only detects problems after they occur. In this paper, we describe a proactive monitoring approach that detects potential violations of S&D properties, called ldquothreatsrdquo, and discuss the results of an initial evaluation of it

Towards hybrid cloud service certification models

In this paper, we introduce a hybrid approach for certifying security properties of cloud services that combines monitoring and testing data. The paper argues about the need for hybrid certification and examines some basic characteristics of hybrid certification models

Unified representation of monitoring information across federated cloud infrastructures

Nowadays one of the issues hindering the potential of federating cloud-based infrastructures to reach much larger scales is their standard management and monitoring. In particular, this is true in cases where these federated infrastructures provide emerging Future Internet and Smart Cities-oriented services, such as the Internet of Things (IoT), that benefit from cloud services. The contribution of this paper is the introduction of a unified monitoring architecture for federated cloud infrastructures accompanied by the adoption of a uniform representation of measurement data. The presented solution is capable of providing multi-domain compatibility, scalability, as well as the ability to analyze large amounts of monitoring data, collected from datacenters and offered through open and standardized APIs. The solution described herein has been deployed and is currently running on a community of 5 infrastructures within the framework of the European Project XIFI, to be extended to 12 more infrastructures

Sound and Complete Runtime Security Monitor for Application Software

Conventional approaches for ensuring the security of application software at run-time, through monitoring, either produce (high rates of) false alarms (e.g. intrusion detection systems) or limit application performance (e.g. run-time verification). We present a runtime security monitor that detects both known and unknown cyber attacks by checking that the run-time behavior of the application is consistent with the expected behavior modeled in application specification. This is crucial because, even if the implementation is consistent with its specification, the application may still be vulnerable due to flaws in the supporting infrastructure (e.g. the language runtime system, libraries and operating system). This runtime security monitor is sound and complete, eliminating false alarms, as well as efficient, so that it does not limit runtime application performance and so that it supports real-time systems. The security monitor takes as input the application specification and the application implementation, which may be expressed in different languages. The specification language of the application software is formalized based on monadic second order logic and event calculus interpreted over algebraic data structures. This language allows us to express behavior of an application at any desired (and practical) level of abstraction as well as with high degree of modularity. The security monitor detects every attack by systematically comparing the application execution and specification behaviors at runtime, even though they operate at two different levels of abstraction. We define the denotational semantics of the specification language and prove that the monitor is sound and complete. Furthermore, the monitor is efficient because of the modular application specification at appropriate level(s) of abstraction

Establishing and Monitoring SLAs in complex Service Based Systems

In modern service economies, service provisioning needs to be regulated by complex SLA hierarchies among providers of heterogeneous services, defined at the business, software, and infrastructure layers. Starting from the SLA Management framework defined in the SLA@SOI EU FP7 Integrated Project, we focus on the relationship between establishment and monitoring of such SLAs, showing how the two processes become tightly interleaved in order to provide meaningful mechanisms for SLA management. We first describe the process for SLA establishment adopted within the framework; then, we propose an architecture for monitoring established SLAs, which satisfies the two main requirements introduced by SLA establishment: the availability of historical data for evaluating SLA offers and the assessment of the capability to monitor the terms in a SLA offer

Continuous certification of non-repudiation in cloud storage services

This paper presents a certification model for Non-repudiation (NR) of cloud storage services. NR, i.e., The possession of proofs that certain exchanges have taken place amongst interacting parties, is a significant security property for cloud data storage services. Our model for certifying NR is based on continuous monitoring and has been defined and realised according to the CUMULUS approach. It also corresponds to certification of level 3 maturity in the reference certification framework of Cloud Security Alliance

Incremental certification of cloud services

Cloud is becoming fast a critical infrastructure. However, several recent incidents regarding the security of cloud services clearly demonstrate that security rightly remains one of the major concerns of enterprises and the general public regarding the use of the cloud. Despite advancements of research related to cloud security, we are still not in a position to provide a systematic assessment of cloud security based on real operational evidence. As a step towards addressing this problem, in this paper, we propose a novel approach for certifying the security of cloud services. Our approach is based on the incremental certification of security properties for different types of cloud services, including IaaS, PaaS and SaaS services, based on operational evidence from the provision of such services gathered through continuous monitoring. An initial implementation of this approach is presented

Towards pattern-based reliability certification of services

On Service-Oriented Architectures (SOAs), the mechanism for run-time discovery and selection of services may conflict with the need to make sure that business process instances satisfy their reliability requirements. In this paper we describe a certification scheme based on machine-readable reliability certificates that will enable run-time negotiation. Service reliability is afforded by means of reliability patterns. Our certificates describe the reliability mechanism implemented by a service and the reliability pattern used to implement such a mechanism. Digital signature is used to associate the reliability claim contained in each certificate with the party (service supplier or accredited third-party) taking responsibility for it