OPBUS: A framework for improving the dependability of risk-aware business processes


Slides for thesis defense.


OPBUS: A Framework for Improving the Dependability of Risk-Aware Business Processes

Ángel Jesús Varela Vaca

Supervised by Dr. Rafael Martínez Gasca

Goal: quality improvement of business process management

Introduction

Outline

Motivation

BPM life-cycle

• Design & Analysis: business process modeling; validation, simulation, verification
• Configuration: implementation, test & deployment
• Enactment: operation, monitoring, maintenance
• Evaluation: process mining, business activity monitoring

Design and Analysis

• Determine, analyze and evaluate risks (risk assessment)
• Validation analysis
• Verification analysis
• Performance analysis
• Diagnosis analysis

(figure: example process whose activities are annotated with risk intervals such as [10-20], [15-30] and [50-60])

Configuration

• Selection and implementation of countermeasures (risk treatment).
• Select the best configuration to treat non-acceptable risks.

Enactment

• Ensure the delivery of correct business process services in the presence of faults (fault tolerance).


OPBUS: The framework

(figure: the life-cycle phases Design & Analysis, Configuration, Enactment and Evaluation, supported by Model-based Fault Diagnosis and Feature-Oriented Domain Analysis)

Model-based Fault Diagnosis

System description (SD):
  M1: x = a*c
  M2: y = b*d
  M3: z = c*e
  A1: f = x+y
  A2: g = y+z

Observations (OM):
  a = 2, b = 2, c = 3, d = 3, e = 2, f = 10, g = 12

Conflicts: {A1, M1, M2}, {A1, A2, M1, M3}

Diagnoses: {A1}, {M1}, {M2, A2}, {M2, M3}

Model-based Fault Diagnosis (structural relations)

(figure: Model → Structural Relations → Observations → Diagnoses)

Behavioural model (BM):
  x = a*c, y = b*d, z = c*e, f = x+y, g = y+z

Structural relations:
  ARR1: f - a*c - b*d = 0
  ARR2: g - b*d - c*e = 0
  ARR3: f - g - c*(a-e) = 0

Signature matrix (1 = the component takes part in the relation):
         A1  A2  M1  M2  M3
  ARR1    1   0   1   1   0
  ARR2    0   1   0   1   1
  ARR3    1   1   1   0   1

Observations:
  a = 2, b = 2, c = 3, d = 3, e = 2, f = 10, g = 12

Diagnoses: {A1}, {M1}
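The two diagnosis slides above, worked through in Python as an added example (this is not code from the OPBUS project). The system description, observations, ARRs and signature matrix are the ones on the slides; the function names, taking each violated ARR's support as a conflict, and the brute-force minimal hitting-set search are this example's own choices.

```python
"""Model-based fault diagnosis of the multiplier/adder system on the slides.

Added example, not code from the OPBUS project.  The system description (SD),
observations, analytical redundancy relations (ARRs) and signature matrix are
the ones shown on the page; the helper names and the brute-force hitting-set
search are this example's own choices.
"""
from itertools import combinations

# SD: component -> (output variable, input variables, nominal behaviour).
# Listed in topological order so a forward simulation can run top to bottom.
SD = {
    "M1": ("x", ("a", "c"), lambda a, c: a * c),
    "M2": ("y", ("b", "d"), lambda b, d: b * d),
    "M3": ("z", ("c", "e"), lambda c, e: c * e),
    "A1": ("f", ("x", "y"), lambda x, y: x + y),
    "A2": ("g", ("y", "z"), lambda y, z: y + z),
}

# Observations from the slide (inputs plus the two measured outputs).
OBS = {"a": 2, "b": 2, "c": 3, "d": 3, "e": 2, "f": 10, "g": 12}

# ARRs: a residual that is 0 when the supporting components behave correctly,
# paired with its support, i.e. the 1-entries of the slide's signature matrix.
ARRS = {
    "ARR1": (lambda o: o["f"] - o["a"] * o["c"] - o["b"] * o["d"],
             frozenset({"A1", "M1", "M2"})),
    "ARR2": (lambda o: o["g"] - o["b"] * o["d"] - o["c"] * o["e"],
             frozenset({"A2", "M2", "M3"})),
    "ARR3": (lambda o: o["f"] - o["g"] - o["c"] * (o["a"] - o["e"]),
             frozenset({"A1", "A2", "M1", "M3"})),
}
COMPONENTS = sorted(SD)


def predicted_outputs(obs=OBS):
    """Forward-simulate SD from the inputs, assuming every component is correct."""
    vals = {k: obs[k] for k in "abcde"}
    for out, ins, behaviour in SD.values():
        vals[out] = behaviour(*(vals[i] for i in ins))
    return {"f": vals["f"], "g": vals["g"]}


def violated_arrs(obs=OBS):
    """ARRs whose residual is non-zero under the observations."""
    return [name for name, (residual, _) in ARRS.items() if residual(obs) != 0]


def conflicts(obs=OBS):
    """Slide 16: each violated ARR yields a conflict, a set of components of
    which at least one must be faulty."""
    return [ARRS[name][1] for name in violated_arrs(obs)]


def minimal_hitting_sets(conflict_sets):
    """Reiter-style diagnoses: minimal component sets that hit every conflict.
    With no conflicts the empty set (nothing faulty) is the only diagnosis."""
    found = []
    for size in range(0, len(COMPONENTS) + 1):
        for candidate in combinations(COMPONENTS, size):
            cand = frozenset(candidate)
            if any(smaller <= cand for smaller in found):
                continue  # a subset is already a diagnosis, so not minimal
            if all(cand & c for c in conflict_sets):
                found.append(cand)
    return found


def diagnoses(obs=OBS):
    return minimal_hitting_sets(conflicts(obs))


def signature_diagnoses(obs=OBS):
    """Slide 17: single faults whose column in the signature matrix equals the
    observed pattern of violated ARRs."""
    violated = set(violated_arrs(obs))
    observed = tuple(int(name in violated) for name in ARRS)
    return [comp for comp in COMPONENTS
            if tuple(int(comp in support) for _, support in ARRS.values()) == observed]


if __name__ == "__main__":
    print("predicted :", predicted_outputs())       # f=12, g=12 against observed f=10
    print("violated  :", violated_arrs())            # ['ARR1', 'ARR3']
    print("conflicts :", [sorted(c) for c in conflicts()])
    print("diagnoses :", [sorted(d) for d in diagnoses()])
    print("signature :", signature_diagnoses())      # ['A1', 'M1']
```

The hitting-set search returns the four diagnoses of slide 16 (including the double faults {M2, A2} and {M2, M3}), while the signature comparison only recovers single faults, which is why slide 17 lists just {A1} and {M1}.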

Feature-Oriented Domain Analysis

Example of SSL/TLS enforcement for strong encryption (Apache mod_ssl configuration):

  # allow all ciphers for the initial handshake,
  # so export browsers can upgrade via SGC facility
  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  <Directory /usr/local/apache2/htdocs>
      # but finally deny all browsers which haven't upgraded
      SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
  </Directory>

Constraint Programming

(figure: Constraint Programming alongside Model-based Fault Diagnosis and Feature-Oriented Domain Analysis)


Context: comparison with related approaches

Columns: Name | Modelling | Security Dimensions | Cost | Objectives | Threats | Vuln. | Controls | Automatic analysis | Risk estimation | Control flow
(√ = supported, Partial = partially supported)

  Cope et al. 2010        BPMN        √ √ √
  Muehlem et al. 2005     EPC         Partial Partial Partial √ √
  Lambert et al. 2006     IDEF        √ √
  OPBUS *                             √ √ √ √ √ √ √ √
  Churilov et al. 2006    EPC         √ √
  Rodriguez et al. 2006   UML         √ √
  Menzel et al. 2009      BPMN        √ √ √
  Jakoubi et al. 2009     Any         √ √ Partial √ Partial
  Neubauer et al. 2005    Any         √ Partial Partial √
  Sackman et al. 2008     Any         √ √ Partial Partial Partial
  Fenz et al. 2009        Petri-Nets  √ Partial √
  Neubauer et al. 2008    Any         √ √ √ √ Partial √
  Xue Bai et al. 2012     BPMN        √ √ √ Partial √ √

Related work

Problem statements

Risk-aware Business Processes: business process model extended with risk information and properties.

Automatic risk conformance

Risk estimation of BP models

Risk = f(Value, Frequency, Consequence)

Example activity A1:
  Integrity: [1-5]
  Vulnerability: CWE-255: Credentials Management
  Name: CVE-2010-2370
  Description: Oracle BPM allows remote attackers to affect integrity, related to BPM
  Frequency: [1-5]
  Consequence: [1-5]
  Vulnerabilities: CWE-255

How to calculate the risk of a BP model?

Risk estimation of BP models

S.-M. Huang et al., "Enhancing conflict detecting mechanism for Web Services ...", Inform. Softw. Technol. (2007)

Risk estimation of BP models

(figure: example process with activities A1, A2, A3, A4, A5 and decision D1)

  BP1 = (A1 + D1 + MAX(A2, A3) + A4 + A5) / 5

Estimating risk of BP models

Risk evaluation of BP models

(figure: example process with activities A1, A2, A3, A4, A5 and decision D1)

Diagnosis of non-conformance of risk

Determination of PEFs

CSP model: automatic transformation of the risk-aware BP model into a CSP model.

Identifying PEFs, Activities & Artifacts

Automatic Diagnosis – Model-Driven Architecture (MDA) approach:
• Different risk evaluation strategies: FMEA, MAGERIT, CRAMM, customized, ...
• Multiple platforms for Constraint Programming: Choco, COMET, CPLex, ...
• Different search strategies: exhaustive, local search, hybrid, ...

Implementation and Results

Tool development, an Eclipse plug-in with:
• Customizable BPMN editor
• Integration of multiple CP solvers
• Validation capabilities: structural faults
• Automatic and dynamic transformations and diagnosis of non-conformances

Context

(figure: example process with activities A1, A2, A3, A4, A5 and decision D1)

Identify threats, vulnerabilities and elements of BPs to be treated.

Which security controls must be configured together with business processes in order to correct non-conformance of risks? Today this is manual and time-consuming.

Problem statements

• How to formalize security countermeasures?
• How to select adequate security controls according to the requirements/objectives/goals of organizations?

Security patterns: textual, informal, natural language → extended & formalized as feature models.

Inference mechanisms:
• Feature-Oriented Domain Analysis (FODA)
• Constraint Programming techniques
• Multi-objective strategy (cost-benefit, MTTR-development time, ...)

Modelling security patterns

Security pattern template:
  Name
  Security Goals: Integrity, Confidentiality, Availability, ...
  Security Intention: Data integrity, Fault Tolerance, Enforce Authentication, ...
  Problem: e.g. Vulnerability CWE-523: Unprotected Transport of Credentials
  Context
  Solutions: feature model (domain of configurations); operators: OPTIONAL, MANDATORY, SELECT, CHECK
  Forces

Security controls – Confidentiality & Integrity & Authentication

  Name / Description
  Security Goals: Confidentiality, Integrity, Authentication
  Security Intention: Enforcement of SSL/TLS
  Problem: CWE-523: Unprotected Transport of Credentials

Enforcement of SSL/TLS:
  Standards: SSL v2.0, SSL v3.0, TLS v1.0, TLS v1.1
  Cipher suite: high variability

SSL/TLS enables:
  Confidentiality: encrypting data
  Integrity: message authentication code
  Authentication: digital signatures and/or certificates

Lots of cross-tree constraints!

Metrics:

Security control – Availability & Integrity

  Name / Description
  Security Goals: Availability, Integrity
  Security Intention: Fault Tolerance
  Problem: CWE-390: Detection of Error Condition Without Action

Fault tolerance: error detection, recovery management

Metrics:

Security control – Authorization

  Name / Description
  Security Goals: Authorization
  Security Intention: Enforcement of Authorization
  Problem: CWE-89 - SQL injection; CWE-79 - Cross-site Scripting

Enforcement of Authorization: information filtering via Web Application Firewalls (WAFs); configuration rule set: high variability.

Example of rule (ModSecurity SecRule):

  SecRule REQUEST_HEADERS:Host "^$" \
      "phase:2,rev:'2.2.4',t:none,block,msg:'Empty Host Header',id:'960007',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_HOST',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"

CSP model – formal models (CP)

  // Variables (C8 is used below, so it is declared here as well)
  Boolean C1, C2, C3, C4, C5, C6, C7, C8;
  Integer x, y, z;
  // Feature model
  C1 ↔ C2
  C3 → C1
  C2 ↔ (C6 ∨ C7 ∨ C8)
  C5 → C6            // require
  // Extra functions
  C1 → x = y + z
  C4 → z = value1
  C5 → z ≥ r11 ∧ z ≤ r12
  C6 → y = value2
  C7 → y = value3
  C8 → y ≥ r21 ∧ y ≤ r22
  // Operation
  Maximize(x)

Transformation
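An added example (not OPBUS project code) that answers the CSP above by exhaustive enumeration, the way a CP solver would evaluate Maximize(x) over the legal configurations of the feature model. The feature names C1..C8 and the constraint shapes are the slide's; the constants standing in for value1, value2, value3, r11, r12, r21, r22, the finite domain 0..30 for y and z, and the choice of C1 as the mandatory root feature are constructed assumptions.

```python
"""Exhaustive search over the feature-model CSP shown on the slide.

Added example, not code from the OPBUS project.  The feature names C1..C8 and
the constraint shapes are the slide's; the constants replacing value1, value2,
value3, r11, r12, r21, r22, the finite domain 0..30 for y and z and the choice
of C1 as the mandatory root feature are constructed assumptions.
"""
from itertools import product

# Constructed constants replacing the slide's placeholders.
VALUE1, VALUE2, VALUE3 = 10, 5, 8
R11, R12 = 20, 30
R21, R22 = 12, 15
DOMAIN = range(0, 31)   # assumed finite domain for y and z (CP needs one)

FEATURES = ["C1", "C2", "C3", "C4", "C5", "C6", "C7", "C8"]


def feature_model_ok(c):
    """Propositional constraints of the feature model."""
    return (
        c["C1"] == c["C2"]                                  # C1 <-> C2
        and (not c["C3"] or c["C1"])                        # C3 -> C1
        and c["C2"] == (c["C6"] or c["C7"] or c["C8"])      # C2 <-> (C6 v C7 v C8)
        and (not c["C5"] or c["C6"])                        # C5 -> C6 (require)
        and c["C1"]                                         # assumption: C1 is the mandatory root
    )


def z_domain(c):
    """Values of z compatible with the 'extra functions' attached to C4 and C5."""
    zs = set(DOMAIN)
    if c["C4"]:
        zs &= {VALUE1}                                      # C4 -> z = value1
    if c["C5"]:
        zs &= {z for z in DOMAIN if R11 <= z <= R12}        # C5 -> r11 <= z <= r12
    return zs


def y_domain(c):
    """Values of y compatible with the extra functions attached to C6, C7, C8."""
    ys = set(DOMAIN)
    if c["C6"]:
        ys &= {VALUE2}                                      # C6 -> y = value2
    if c["C7"]:
        ys &= {VALUE3}                                      # C7 -> y = value3
    if c["C8"]:
        ys &= {y for y in DOMAIN if R21 <= y <= R22}        # C8 -> r21 <= y <= r22
    return ys


def legal_configurations():
    """Every feature selection that satisfies the feature model and admits at
    least one (y, z) assignment, paired with the largest x it can reach."""
    result = []
    for bits in product([False, True], repeat=len(FEATURES)):
        c = dict(zip(FEATURES, bits))
        if not feature_model_ok(c):
            continue
        ys, zs = y_domain(c), z_domain(c)
        if not ys or not zs:
            continue   # e.g. C6 and C7 together: y cannot be both value2 and value3
        y, z = max(ys), max(zs)
        result.append((y + z, c, y, z))   # C1 holds, so x = y + z
    return result


def maximize_x():
    """The slide's Maximize(x): the legal configuration with the largest x."""
    return max(legal_configurations(), key=lambda r: r[0])


if __name__ == "__main__":
    x, cfg, y, z = maximize_x()
    print("x =", x, "y =", y, "z =", z)                     # x = 45 y = 15 z = 30
    print("selected:", [f for f in FEATURES if cfg[f]])
```

With these constants the optimum selects C8 (y in [12, 15]) rather than C6 or C7, and leaves C5 unselected because C5 requires C6, which would pin y to value2. Selections whose attached functions contradict each other (C6 with C7, or C4 with C5) are discarded as having no legal (y, z), which is the cross-tree-constraint effect the earlier slides describe.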

Performance & Analysis Results

Feature model analysis:

  Feature Model (FM)     Features  Mandatory  Optional  XOR  Or  Void FM  Legal configurations  Time (ms)
  Fault Tolerance (FT)   17        8          1         7    0   ×        7                     9
  SSL/TLS                49        10         0         42   5   ×        3.683                 4.699
  WAF                    62        6          6         57   4   ×        241.920               77.427

Analysis & Performance results

  Feature Model     Optimization criteria                                         Configurations  Time (ms)
  SSL/TLS           Single objective: Minimize (ALE)                              13.138          2.041
  SSL/TLS           Single objective: Maximize (AROR)                             5.268           1.255
  SSL/TLS           Single objective: Minimize (Cost)                             1.800           2.394
  SSL/TLS           Multi-objective: Maximize (AROR) + Minimize (ALE)             5.268           5.257
  SSL/TLS           Multi-objective: Minimize (Cost) + Minimize (ALE)             0               406
  SSL/TLS           Multi-objective: ~Minimize (Cost) + Minimize (ALE)            108             880
  Fault Tolerance   Single objective: Minimize (MTTR)                             4               39
  Fault Tolerance   Single objective: Maximize (Risk Reduction)                   58              42
  Fault Tolerance   Multi-objective: Minimize (MTTR) + Maximize (Risk Reduction)  36              39

Sample SSL/TLS configurations:

  #  Digital signature / certificate  Key exchange  Cipher / Enc  MAC      Protocol  ALE    Cost
  1  √                                RSA           -             -        TLSv1.0   2.000  45
  2  √                                RSA           -             MD5      TLSv1.0   2.000  45
  3  √                                RSA           IDEA-128      SHA-1    TLSv1.1   2.000  50
  4  √                                Fortezza      -             SHA-256  TLSv1.1   2.000  50
  5  √                                DHE_RSA       3DES 168      SHA-1    TLSv1.1   2.000  50

(Digital signature options: PSK, SRP, Anon., X.509, OpenPGP; cipher suite: key exchange method, cipher, encryption, MAC; objectives: ALE, cost.)

Context

(figure: example process with activities A1, A2, A3, A4, A5 and decision D1)

Problem statements

Fault Tolerance Layer (FTL)

Recovery mechanisms:
• Dynamic binding
• Replication and redundancy
• Software diversity
• Check-pointing

Error detection:
• Detect discrepancies
• Fault diagnosis

Error Detection & Fault Diagnosis

FTL – Error Detection & Fault Diagnosis (figure: process with activities A1–A5 observed by the FTL)

Constraints:
  C1 ≡ A1 = x + y
  C2 ≡ A1 = d
  C3 ≡ A2 = d * z

MAXIMIZE(C1, C2, …)
  A1, A2

Recovery – Dynamic binding (+ primary-backup) (FTL)

Recovery – Diversity (FTL)

FTL – Recovery

Performance results

FTL - Summary

  Recovery          Diagnosis  Check-points  No. Replicas  Misc                            MTTR
  Dynamic Binding                           2/1
  DB-Redundant                              2/1           Binder, Compensation handlers
  N-Versioning                              N             Adjudicator
  Check-pointing                            2/1           Compensation handlers

Final Remarks

BPM quality, summarised along four axes:
• Risk-Awareness: risk extension, risk analysis, risk treatment
• Dependability: integrity, confidentiality, availability, reliability
• Flexibility & Agility: automation, adaptable, multi-platform
• Efficiency & Optimization: Model-Based Diagnosis, Constraint Programming, FODA

Publications and Research findings

• DEPEND'10 (Best Paper Award)
• CISIS'10 (CORE B)
• DX'10
• SECRYPT'11 (CORE B)
• RCIS'11 (CORE B)
• IJAS '11 (Google Scholar)
• CISIS'12 (CORE B)
• AEI'12
• IST '13, JCR (2012): 1.250
• JSS '13, JCR (2011): 0.836
• JSS '11, JCR (2010): 1.293

Legend: conference, workshop, journal in third review, journal published.

Research stay and projects

Other research findings

THANK YOU FOR YOUR ATTENTION

Ángel J. Varela Vaca
Universidad de Sevilla, E.T.S. Ingeniería Informática, Departamento de Lenguajes y Sistemas Informáticos
E-mail: ajvarela@us.es
LinkedIn: angeljesusvarelavaca
OPBUS project: http://www.lsi.us.es/~quivir/index.php/OPbus/HomePage