The Aniketos Service Composition Framework

Analysing and Ranking of Secure Services
  • Achim D. Brucker
  • Francesco Malmignati
  • Madjid Merabti
  • Qi Shi
  • Bo Zhou
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8900)


Modern applications are inherently heterogeneous: they are built by composing loosely coupled services that are, usually, offered and operated by different service providers. While this approach increases the flexibility of the composed applications, it makes the implementation of security and trustworthiness requirements much more difficult. Therefore there is a need for new approaches that integrate security requirements right from the beginning while composing service-based applications, in order to ensure security and trustworthiness.

In this chapter, we present a framework for secure service composition using a model-based approach for specifying, building, and executing composed services. As a unique feature, this framework integrates security requirements as a first class citizen and, thus, avoids the “security as an afterthought” paradigm.


secure service composition BPMN service modelling service availability 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    van der Aalst, W., de Medeiros, A.: Process mining and security: Detecting anomalous process executions and checking process conformance. ENTCS 121, 3–21 (2005)Google Scholar
  2. 2.
    van der Aalst, W.M.P., Dumas, M., Gottschalk, F., ter Hofstede, A.H.M., La Rosa, M., Mendling, J.: Correctness-preserving configuration of business process models. In: Fiadeiro, J.L., Inverardi, P. (eds.) FASE 2008. LNCS, vol. 4961, pp. 46–61. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  3. 3.
    Accorsi, R., Wonnemann, C.: inDico: Information flow analysis of business processes for confidentiality requirements. In: Cuellar, J., Lopez, J., Barthe, G., Pretschner, A. (eds.) STM 2010. LNCS, vol. 6710, pp. 194–209. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  4. 4.
    Aniketos: Deliverable 5.1: Aniketos platform design and platform basis implementation (2011)Google Scholar
  5. 5.
    Arsac, W., Compagna, L., Pellegrino, G., Ponta, S.E.: Security validation of business processes via model-checking. In: Erlingsson, Ú., Wieringa, R., Zannone, N. (eds.) ESSoS 2011. LNCS, vol. 6542, pp. 29–42. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  6. 6.
    Basin, D., Clavel, M., Doser, J., Egea, M.: Automated analysis of security-design models. Information and Software Technology 51(5), 815–831 (2009)CrossRefGoogle Scholar
  7. 7.
    Brucker, A.D., Brügger, L., Kearney, P., Wolff, B.: An approach to modular and testable security models of real-world health-care applications. In: SACMAT, pp. 133–142. ACM Press (2011)Google Scholar
  8. 8.
    Brucker, A.D., Doser, J., Wolff, B.: A model transformation semantics and analysis methodology for secureUML. In: Wang, J., Whittle, J., Harel, D., Reggio, G. (eds.) MoDELS 2006. LNCS, vol. 4199, pp. 306–320. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  9. 9.
    Brucker, A.D., Hang, I.: Secure and compliant implementation of business process-driven systems. In: Rosa, M.L., Soffer, P. (eds.) Joint Workshop on Security in Business Processes (SBP). LNBIP, vol. 132, pp. 662–674. Springer, Heidelberg (1982)Google Scholar
  10. 10.
    Christensen, E., Curbera, F., Meredith, G., Weerawarana, S.: Web services description language (WSDL) 1.1. Tech. rep., W3C (2001)Google Scholar
  11. 11.
    Compagna, L., Guilleminot, P., Brucker, A.D.: Business process compliance via security validation as a service. In: Oriol, M., Penix, J. (eds.) Testing Tools Track of ICST. IEEE Computer Society (2013)Google Scholar
  12. 12.
    Dijkman, R.M., Dumas, M., Ouyang, C.: Semantics and analysis of business process models in BPMN. Information & Software Technology 50(12), 1281–1294 (2008)CrossRefGoogle Scholar
  13. 13.
    Elshaafi, H., McGibney, J., Botvich, D.: Trustworthiness monitoring and prediction of composite services. In: ISCC, pp. 580–587 (2012)Google Scholar
  14. 14.
    Jorstad, N., Landgrave, T.S.: Cryptographic algorithm metrics. In: 20th National Information Systems Security Conference (1997)Google Scholar
  15. 15.
    Jürjens, J., Rumm, R.: Model-based security analysis of the german health card architecture. Methods Inf Med 47(5), 409–416 (2008)Google Scholar
  16. 16.
    Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-based modeling language for model-driven security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  17. 17.
    Mülle, J., von Stackelberg, S., Böhm, K.: A security language for BPMN process models. Tech. rep., University Karlsruhe, KIT (2011)Google Scholar
  18. 18.
    OASIS: eXtensible Access Control Markup Language (XACML), version 2.0 (2005),
  19. 19.
    Object Management Group: Business process model and notation bpmn, version 2.0 (2011), Available as omg document formal/2011-01-03Google Scholar
  20. 20.
    Paja, E., Dalpiaz, F., Poggianella, M., Roberti, P., Giorgini, P.: Modelling security requirements in socio-technical systems with sts-tool. In: Kirikova, M., Stirna, J. (eds.) CAiSE Forum, vol. 855, pp. 155–162 (2012)Google Scholar
  21. 21.
    Rodríguez, A., Fernández-Medina, E., Piattini, M.: A BPMN extension for the modeling of security requirements in business processes. IEICE - Trans. Inf. Syst. E90-D, 745–752 (2007)CrossRefGoogle Scholar
  22. 22.
    Sohr, K., Ahn, G.-J., Gogolla, M., Migge, L.: Specification and validation of authorisation constraints using UML and OCL. In: di Vimercati, S.d.C., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 64–79. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  23. 23.
    Welke, R., Hirschheim, R., Schwarz, A.: Service-oriented architecture maturity. Computer 15(1), 662–674 (2011)Google Scholar
  24. 24.
    Wolter, C., Meinel, C.: An approach to capture authorisation requirements in business processes. Requir. Eng. 15(4), 359–373 (2010)CrossRefGoogle Scholar
  25. 25.
    Wolter, C., Schaad, A.: Modeling of task-based authorization constraints in BPMN. In: Alonso, G., Dadam, P., Rosemann, M. (eds.) BPM 2007. LNCS, vol. 4714, pp. 64–79. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  26. 26.
    Zhou, B., Arabo, A., Drew, O., Llewellyn-Jones, D., Merabti, M., Shi, Q., Waller, A., Craddock, R., Jones, G., Arnold, K.L.Y.: Data flow security analysis for system-of-systems in a public security incident. In: ACSF, pp. 8–14 (2008)Google Scholar
  27. 27.
    Zhou, B., Drew, O., Arabo, A., Llewellyn-Jones, D., Kifayat, K., Merabti, M., Shi, Q., Craddock, R., Waller, A., Jones, G.: System-of-systems boundary check in a public event scenario. In: SoSE (2010)Google Scholar
  28. 28.
    Zhou, B., Llewellyn-Jones, D., Shi, Q., Asim, M., Merabti, M., Lamb, D.: Secure service composition adaptation based on simulated annealing. In: ACSAC, pp. 49–55 (2012)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Achim D. Brucker
    • 1
  • Francesco Malmignati
    • 2
  • Madjid Merabti
    • 3
  • Qi Shi
    • 3
  • Bo Zhou
    • 3
  1. 1.SAP SEKarlsruheGermany
  2. 2.Selex ES S.p.A, A Finmeccanica CompanyItaly
  3. 3.Liverpool John Moores UniversityLiverpoolUnited Kingdom

Personalised recommendations