A Security-aware Simulation Method for Generating Business Process Event Logs

Transcription

1 A Security-aware Simulation Method for Generating Business Process Event Logs Rafael Accorsi University of Freiburg, Germany Abstract. One of the difficulties at developing mechanisms for business process security monitoring and auditing is the existence of representative, realistic and controlled test runs. This paper presents ongoing work toward a business process simulation method geared to the synthesis of event logs. The novelty is that it considers the activity of an (internal) attacker able purposefully infringe the designated security requirements or simply manipulate the process control and data flow. The resultant logs can be, e.g., readily replayed on a reference monitor, business activity monitoring tool, or serve as input for process discovery tools. 1 Introduction Research into business process security and control is concerned with the formalization of security requirements (e.g., secrecy, integrity, binding of duties) and the development of well-founded techniques and tools for analyzing, monitoring and auditing these requirements in business process specifications. Techniques for this may include, for instance, program analysis [5,6], usage control [1,19] and various types of a posteriori process process analysis [2,4,23]. In this research area, a particular challenge appears when it comes to empirically testing the effectiveness of monitoring and auditing techniques and corresponding tools [3]. Here, controlled input with regard to structural vulnerabilities [15,16] is required to feed the tools with process runs and ascertain the kill-rate, i.e. the precision to identify the violation of the designated security properties. Business process simulation techniques can provide for these runs. However, the current state of the art approaches (e.g., [11,21,22]) and tool support (e.g.,[9,10]) do not take into account an attacker able to intentionally (albeit controllably) manipulate the process executions and violate the security properties that a specific process under consideration must satisfy. In particular, the capabilities of such an attacker must be determined, thereby defining an attacker model that can be configured for the simulated process. This paper presents ongoing work toward a business process simulation method geared to the synthesis of attacker-aware event logs. The method, depicted in Fig. 1, takes a business process specification and the security requirements applicable to the process as main inputs. Based upon the process specification, it automatically generates a series of process variants (so-called mutants) that

2 2 R. Accorsi initial model transformation operations t1 t i tn model variants mutant1 mutanti mutantn properties simulation individual traces with property annotations log 1 logi log n accumulated traces combined log Fig. 1. Overview of the approach. deviate from the prescribed control and data flow. Similarly, based upon the security requirements, incorrect process instantiations (with regard to the subjects and their rights) are generated while producing the individual traces. Together, these steps provide for a definition of an attacker model, which can be detailed configured for a particular test case. For versatility, the generated logs are outputted in a variety of formats, including XES and MXML (traditional formats for process mining), as well as CSV and plain text. The contributions summarized in this extended abstract are threefold: 1. It suggests transformation rules to derive mutants. Assuming a sound information flow net [7] that represents the process, each of the proposed transformations create a novel and sound net. 2. Considering traditional security and organizational properties for business processes [12], the approach allows for configurable instantiations of process models, thereby allowing for the controllable generation of event logs in which these requirements are violated. Together with structural mutants, these capabilities characterize an attacker model. 3. It describes a prototypical implementation that realizes some of the features of the attacker model, while providing for the configurable synthesizing of

3 A Security-aware Simulation Method for Generating Event Logs 3 event logs. Eventually, this implementation will be integrated as a SWAT plug-in. The Security Workflow Analysis Toolkit (SWAT) provides for a platform to business process analysis [8]. Overall, the generation of defect data has been applied to software process improvement in general [20], but has never been seen in the BPM area. This paper is a first step in this direction. We firmly believe that the controlled, push-button generation of (large) test data is a promising research direction and application domain in business process testing and improvement. This not only for testing mechanisms in the context of security (as in this paper), but also for compliance [1,17], resilience [13,24], visualization [14] and dependability [25] engineering for business process and process-aware information systems. Regarding the proposed methods, there are several issues that need to be added to obtain a fully-fledged log synthesizing tool, e.g. the simultaneous execution of parallel process models, thereby allowing for the trace interleaving. Further, the completeness of generated logs has not been investigated, i.e. are all the possible cases considered while generating the log. Soundness should be guaranteed by construction, but will be investigated formally in the future. These, as well as other conceptual and practical issues are subject of ongoing and further work. Paper structure. The remainder of this paper describes the main steps of the approach (Section 2), reports on its prototypical realization (Section 3) and summarizes the ongoing/further work (Section 4). 2 Building Blocks and Deviations 2.1 Building Blocks The main building blocks are, firstly, the process and environment specification and, secondly, the specification of the properties that must hold for the process. Process specification. The process specification considers a Petri net representation of the process. Specifically, we consider an Information Flow Net (IFnet) [7]. IFnet is a colored Petri net dialect that allows the annotation of activities with subject/role information, as well as the consideration of resources (modeled as colored tokens). These models can be obtained automatically for BPEL and BPMN specifications. The definition of a process provides a tuple P = (A, O, O), where A is a set of activities, O is the set of objects and O : A O assigns the objects employed by the activities. The environment in which the process P is executed is defined by a tuple E P = (P, S, R, R), where S stands for a set of subject, R for a set of roles and R for a set of tuples (s, r, a), where s S, r R and a A. If (s 1, r 2, a 5 ) R, this means that in P the subject s 1 is assigned the role r 2 for executing the activity a 5. To simplify the notation, we employ α(a, s, r) to denote that the activity a is executed by the subject s taking the role r. Security property specification. The specification of security properties assume a formalization using temporal logics. The properties we consider are standard

4 4 R. Accorsi and assume the organizational properties (e.g. binding of duties and four-eye rule) [12] and purely security properties arising from the violations of the role assignment relation R and, more generally, usage control policies on the style of Park and Sandhu [18] (e.g. obligations after the access to data). Of course there is a non-empty intersection, e.g., between misleading role assignment and a binding of duties, but this is not relevant for the purposes of the paper. With regard to their specification (and semantics), these properties are specified using linear temporal logics. For example, let α i (a i, s, r) and α j (a j, s, r ). The formula ψ BoD = (α i α j ) is an initial formalization to capture the separation of duties requirements. (This means: it is always the case that if s carried out a i on the role r, then eventually a should also execute a j on the role r.) Regarding the semantics, the idea is to have a trace corresponding to a process execution, whereas each event in the trace corresponds to the execution of an activity. A trace fulfills a property, e.g. separation of duties, iff the events appear in the order prescribed by the policies. The full version of the paper provides the formal definition of specification language and its semantics. 2.2 Process Deviations and Property Violations Given the specification of processes and properties, this section introduces the rules with which deviations (i.e. mutants) are generated. This comprises both the control flow and the instantiation of the process variables with subject/role information. Altogether, both aspects capture the activity of an attacker, whereas control flow only transformations could also be taken as failures of the execution engine. Control-Flow deviations. The control flow transformations regard only the structure of the process specification and assume, for the sake of simplicity, a correct instantiation of process variables. At the moment, the following mutants are considered. And2Xor: this transformation provides a mutant in which an AND-gate is rewritten as an XOR-gate. This means: while the original process requires traversing both paths of the AND-gate, the mutant assumes that only one (randomly chosen) path is traversed. Xor2And: the opposite of And2Xor, i.e. each XOR-gate is rewritten as ANDgate. Activity skipping: this transformation provides for mutants in which a transition is simply skipped during the execution. Activity swapping: this transformation provides for mutants in which the order of a pair of activities is swapped. By now, we assume that these transformations are not combined with each other (primitive mutant). In future, they will be combined to what we call composite mutant. Note, however, that we give full control to configure the sort and frequency of the deviations.

5 A Security-aware Simulation Method for Generating Event Logs 5 Fig. 2. Screenshot of the configuration panel. Security requirements. Given a mutant and the security requirements applicable to the process, this step computes mutants that consider the instantiation or control flow of the system violating at least one of policies. We do so by negating the formulae representing the policies. This negation provides us with a pattern of nonconformance with the policies. Hence, whenever applicable, the approach generates an execution trace in which this malicious execution pattern occurs. Coming back to the binding of duties requirement, by negating the formula ψ SoD, we obtain a pattern in which an activity pair prescribed to be performed by the same subjects is executed by different subjects or not executed at all. 3 Prototypical Realization The approach has been implemented in Python. Figure 2 depicts configuration panel of the application. It assumes as input an IFnet model containing the process specification, the details on the environment and a definition of the policies. Given that, the user can visualize and configure, on the one hand, execution parameters for each activity in the process. This includes, e.g., the average execution time to be simulated for each activity (useful to model delays and perturbations) and the overall frequency of a particular execution trace (handy for modeling outliers). On the other hand, the user can select the requirements that should hold for the process, thereby specifying the policy applicable to the process. Once this

6 6 R. Accorsi is carried out, the frequency and kind of security violations can be thoroughly configured. The output format can be selected among plain text, CSV, MXML and XES. The latter two formats are standard input for process mining technologies, thereby serving as a basis for generating logs to test with process mining tools. The former are useful as an input to be replayed, e.g., onto execution monitors. The performance itself is acceptable: for example, an execution log including 100K process run (middle size log) for a process including 15 activities, 50 roles and 100 subjects takes less than 2 minutes for the CSV output format and in average 3,5 minutes for XML-based formats (AMD quad core A8, 6GB Dual Channel DDR3 SDRAM at 1333Mhz under Windows). In future, this application will be realized as a module of the Security Workflow Analysis Toolkit (SWAT) [8]. SWAT is an extensible, Eclipse-based application that allows the specification of processes in BPEL and BPMN, their transformation into several Petri net dialects (e.g. open Workflow nets, IFnet, plain Petri nets) and analysis. At the moment, SWAT focuses on the analysis process models, in particular focusing on compliance and information flow. The simulation, an essential step for testing with process discovery methods, is a missing feature. 4 Summary and Further Work This paper presents and outlined a method to simulating business processes considering an attacker model. Overall, this approach is novel, both in the security and business process management community. With this approach at hand, one is able to quickly and highly-controllably simulate a process that comprises targeted security violations, as well as random failures that potentially lead to the violation of selected properties. The approach has been realized in a prototype. The results are promising and after the thorough testing and extension, it will be added to the a workbench specialized on the security reasoning of business processes. Besides the aforementioned ongoing work, the current effort is in the realization of parallel execution and the consideration of further security properties. Furthermore, the demonstration of formal properties, such as soundness and completeness, must have to be investigated as a means to provide evidence on the quality of the log files generated by the method. Overall, we believe that the automated generation of such event logs is a necessary step toward the development of tools for business process analysis. This not only for standard process-aware information systems. More importantly, with the advent of big data and business process management in the large, there will be the need to test with such log data. Today, generating these data is very tedious. Our proposal should, in the future, be also used for this setting. References 1. R. Accorsi, Y. Sato, and S. Kai. Compliance monitor for early warning risk determination. Wirtschaftsinformatik, 50(5): , October 2008.

7 A Security-aware Simulation Method for Generating Event Logs 7 2. R. Accorsi and T. Stocker. Automated privacy audits based on pruning of log data. In Proceedings of the EDOC International Workshop on Security and Privacy in Enterprise Computing. IEEE, R. Accorsi and T. Stocker. On the Exploitation of Process Mining for Security Audits: The Conformance Checking Case. In ACM Symposium on Applied Computing, pages ACM, R. Accorsi and C. Wonnemann. Auditing workflow executions against dataflow policies. In W. Abramowicz and R. Tolksdorf, editors, Proceedings of the Business Information Systems, volume 47 of Lecture Notes in Business Information Processing, pages Springer, R. Accorsi and C. Wonnemann. Static information flow analysis of workflow models. In W. Abramowicz, K.-P. F. Rainer Alt, and L. Maciaszek, editors, Conference on Business Process and Service Computing, volume 147 of Lecture Notes in Informatics, pages GI, R. Accorsi and C. Wonnemann. Strong non-leak guarantees for workflow models. In ACM Symposium on Applied Computing, pages ACM, R. Accorsi and C. Wonnemann. InDico: Information flow analysis of business processes for confidentiality requirements. In J. C. et al., editor, ERCIM Workshop on Security and Trust Management, volume 6710 of Lecture Notes in Computer Science, pages Springer, R. Accorsi, C. Wonnemann, and S. Dochow. SWAT: A security workflow toolkit for reliably secure process-aware information systems. In Conference on Availability, Reliability and Security, pages IEEE, A. Bahrami, D. A. Sadowski, and S. Bahrami. Enterprise architecture for business process simulation. In Winter Simulation Conference, pages , A. Burattin and A. Sperduti. PLG: A framework for the generation of business process models and their execution logs. In M. zur Muehlen and J. Su, editors, Business Process Management Workshops, volume 66 of Lecture Notes in Business Information Processing, pages Springer, Y. H. Cho, J. K. Kim, and K. S. Hie. Role-based approach to business process simulation modeling and analysis. Computers & Industrial Engineering, 35(1/2): , K. Knorr and S. Röhrig. Security requirements of e-business processes. In B. Schmid, K. Stanoevska-Slabeva, and V. Tschammer, editors, IFIP Conference on E-Commerce, E-Business, E-Government, volume 202 of IFIP Conference Proceedings, pages Kluwer, T. Koslowski and J. Strüker. Erp on demand platform - complementary effects using the example of a sustainability benchmarking service. Business & Information Systems Engineering, 3(6): , S. Kriglstein and S. Rinderle-Ma. Change visualizations in business processes - requirements analysis. In P. Richard, M. Kraus, R. S. Laramee, and J. Braz, editors, Conference on Computer Graphics Theory and Applications and International Conference on Information Visualization Theory and Applications, pages SciTePress, L. Lowis and R. Accorsi. On a classification approach for SOA vulnerabilities. In Proceedings of the IEEE International Computer Software and Applications Conference, pages IEEE Computer Society, L. Lowis and R. Accorsi. Finding vulnerabilities in SOA-based business processes. IEEE Transactions on Service Computing, 4(3): , August 2011.

8 8 R. Accorsi 17. L. T. Ly, S. Rinderle-Ma, D. Knuplesch, and P. Dadam. Monitoring business process compliance using compliance rule graphs. In R. Meersman, T. S. Dillon, P. Herrero, A. Kumar, M. Reichert, L. Qing, B. C. Ooi, E. Damiani, D. C. Schmidt, J. White, M. Hauswirth, P. Hitzler, and M. K. Mohania, editors, On the Move to Meaningful Internet Systems, volume 7044 of Lecture Notes in Computer Science, pages Springer, J. Park and R. Sandhu. The UCON ABC usage control model. ACM Transactions on Information and System Security, 7(1): , February A. Pretschner, F. Massacci, and M. Hilty. Usage control in service-oriented architectures. In C. Lambrinoudakis, G. Pernul, and A. M. Tjoa, editors, Proceedings of the 4th International Conference on Trust, Privacy and Security in Digital Business, volume 4657 of Lecture Notes in Computer Science, pages Springer, A. Raninen, T. Toroi, H. Vainio, and J. J. Ahonen. Defect data analysis as input for software process improvement. In O. Dieste, A. Jedlitschka, and N. J. Juzgado, editors, Conference on Product-Focused Software Process Improvement, volume 7343 of Lecture Notes in Computer Science, pages Springer, K. Tumay. Business process simulation. In Winter Simulation Conference, pages 93 98, W. van der Aalst. Business process simulation. In J. vom Brocke and M. Rosemann, editors, Handbook on Business Process Management, volume 1, pages Springer, W. van der Aalst. Process Mining Discovery, Conformance and Enhancement of Business Processes. Springer, Q. Wang and N. Li. Satisfiability and resiliency in workflow systems. In J. Biskup and J. Lopez, editors, Proceedings of the European Symposium On Research In Computer Security, volume 4734 of Lecture Notes in Computer Science, pages Springer, B. Wetzstein, P. Leitner, F. Rosenberg, I. Brandic, S. Dustdar, and F. Leymann. Monitoring and analyzing influential factors of business process performance. In IEEE International Enterprise Distributed Object Computing Conference, pages IEEE Computer Society, 2009.