A UML Extension for the Model-Driven Specification of Audit Rules

  • Bernhard Hoisl
  • Mark Strembeck
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 112)


In recent years, a number of laws and regulations (such as the Basel II accord or SOX) demand that organizations record certain activities or decisions to fulfill legally enforced reporting duties. Most of these regulations have a direct impact on the information systems that support an organization’s business processes. Therefore, the definition of audit requirements at the modeling level is an important prerequisite for the thorough implementation and enforcement of corresponding policies in a software system. In this paper, we present a UML extension for the specification of audit properties. The extension is generic and can be applied to a wide variety of UML elements. In a model-driven development (MDD) approach, our extension can be used to generate corresponding audit rules via model transformations.


Audit, Model-driven Development, UML



Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Bernhard Hoisl (1, 2)
  • Mark Strembeck (1, 2)

  1. Institute for Information Systems and New Media, Vienna University of Economics and Business (WU Vienna), Vienna, Austria
  2. Secure Business Austria Research (SBA Research), Vienna, Austria
