
Quantitative security analysis for service-oriented software architectures

Due to the dramatic increase in intrusion activities, the definition and evaluation of
software security requirements have become important aspects of the development of
software services. It is now a well-accepted fact in software engineering that security
concerns, like any other quality concerns, should be dealt with in the early stages of
the software development process. Current practices for software security architecture risk
analysis, however, still heavily rely on human expertise. This involves a significant
amount of subjective effort, creating a greater potential for inaccuracies. In this
dissertation, we propose a framework for quantitative security architecture analysis for
service-oriented software systems. In this regard, two important contributions are made in
the dissertation. First, we identify and define some internal security attributes and related
properties based on a generic service-oriented software model, setting up a framework for
the definition and formal evaluation of corresponding security metrics. Second, we
propose a measurement abstraction paradigm named the User System Interaction Effect
(USIE) model that can be used to systematically derive and analyze security concerns
from service-oriented software architectures. Many aspects of the model derivation and
analysis can be automated, which limits the amount of user involvement and, thereby,
reduces the subjectivity underlying the typical security analysis process. The model can be
used as a foundation for quantitative analysis of software services from different security
perspectives with respect to the internal security properties introduced. Based on sample
metrics derived from the framework, we illustrate empirically the viability of our
paradigm by conducting case studies based on existing open source software.

  1. http://hdl.handle.net/1828/895
  2. M. Y. Liu, I. Traore, “Software Product Metrics for Security Analysis of Service-Oriented Architectures”, submitted to the International Journal of Empirical Software Engineering, September 2007, (37 pages).
  3. M. Y. Liu, I. Traore, “Properties for Security Measures of Software Products”, Journal of Applied Mathematics & Information Sciences, 1 (2), May 2007, pages 129-156.
  4. M. Y. Liu, I. Traore, “A Service-oriented Framework for Quantitative Security Analysis of Software Architectures”, submitted to The 23rd ACM SAC Conference (SAC2008), Fortaleza, Ceará, Brazil, 2008.
  5. M. Y. Liu, I. Traore, “Systematic Security Analysis for Service-Oriented Software Architectures”, in the Proceedings of 3rd IEEE International Workshop on Service-Oriented System Engineering (SOSE07), Hong-Kong, China, Oct. 24-26, 2007 (10 pages).
  6. M. Y. Liu, I. Traore, “Complexity Measures for Secure Service-Oriented Software Architectures”, in the Proceedings of the 3rd IEEE International Predictor Models in Software Engineering (PROMISE) Workshop, May 20, 2007, Minneapolis, Minnesota, USA, in conjunction with 29th International Conference on Software Engineering (ICSE); (10 pages).
  7. M. Y. Liu, I. Traore, “Empirical Relationships between attackability and coupling: case study for DOS”, ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS), Ottawa, Canada, June 10, 2006, pages 57-64.
  8. D. Ghindici, M. Y. Liu, G. Grimaud, I. Ryl, I. Traore, “Integrated Security Verification and Validation: Case Study”, Proceedings of 2nd IEEE LCN Workshop on Network Security, Tampa, Florida, U.S.A., November 14, 2006.
  9. M. Y. Liu, I. Traore, “Measurement Framework for Software Privilege Protection based on User Interaction Analysis”, 11th IEEE International Software Metrics Symposium, Como, Italy, September 19-22, 2005.
  10. M. Y. Liu, I. Traore, “UML-based Security Measures of Software Products”, International Workshop on Methodologies for Pervasive and Embedded Software (MOMPES’04), Hamilton, Ontario, Canada, June, 2004.
  11. I. Traore, H. M. Al Jamal, Y. M. Liu, A.E.K. Sahraoui, “UML-PVS Requirements Specification and Verification”, 2004 International Symposium of the International Council on Systems Engineering (INCOSE-04), Toulouse, France, June, 2004.
  12. A. Hoole, I. Traore, M. Yanguo Liu, “Formal Analysis of an Agent-Based Medical Diagnosis Confirmation System”, the second NASA/IEEE Goddard Workshop on Formal Approaches to Agent-Based Systems (FAABS-II), Greenbelt, U.S., October 28-30, 2002.
  13. M. Y. Liu, I. Traore, “PVS Proof-Patterns for UML-Based Verification”, IEEE ECBS Conference, Workshop on Formal Specification of Computer-Based Systems (FSBCS), Lund, Sweden, pp 9-19, April 8-11, 2002.
  14. M. Y. Liu, I. Traore, “Quantitative Security Analysis for Service Oriented Software Architecture”, Technical Report No. ECE-07-5, ECE Department, University of Victoria, Victoria, BC, Canada, 2007.
  15. I. Traore, Yanguo Liu, “Evaluation of Whitenoise Cryptosystem”, Technical Report No. ECE03-3, ECE Department, University of Victoria, Victoria, BC, Canada, 2003.
  16. M. Y. Liu, H. Ye, I. Traore, “Using Formal Methods in Security Engineering: Case Study of a Patient Document Service”, Technical Report no. ECE01-3, Department of Electrical and Computer Engineering, University of Victoria, Victoria, BC, Canada, May 2001.

Identifier: oai:union.ndltd.org:uvic.ca/oai:dspace.library.uvic.ca:1828/895
Date: 24 April 2008
Creators: Liu, Yanguo (Michael)
Contributors: Traore, Issa
Source Sets: University of Victoria
Language: English, English
Detected Language: English
Type: Thesis
Rights: Available to the World Wide Web
