An adaptive security model using agent-oriented MDA

https://doi.org/10.1016/j.infsof.2008.05.005

Abstract

Model-driven architecture (MDA) supports model-centred software development via successive model transformation. In MDA, the reusability of models is improved as well as the traceability of requirements. Agent-oriented model-driven architecture (AMDA) associates adaptive agents with a business-oriented interaction model and lets agents dynamically interpret their behaviour from the continuously maintained model via which the current business needs are deployed at runtime. Continuous re-interpretation, rather than discrete re-transformation, of models means that requirements are deployed immediately after re-configuration, that no system downtime is required to effect changes, and that the development process is oriented to business experts rather than developers. Adopting the adaptive agent model, an AMDA paradigm, we put forward a security-aware model-driven mechanism by using an extension of the role-based access control (RBAC) model. For this purpose, the concept of agent role proposed in agent-oriented software engineering (AOSE) is integrated with the one proposed in RBAC. Agent duties are specified in an interaction model and describe the roles that agents can play to fulfil their functional responsibilities. Agent rights are specified in a security policy rule model attached to the interaction model and describe constraints upon agent capabilities caused by their associated social roles. The role-based interaction and policy-driven model incorporates both agent rights and duties. Hence, functional requirements and non-functional security constraint requirements are put together, related by the concept of role. Consequently, agents can continuously use the re-configurable model to play their roles in order to fulfil their responsibilities, and at the same time respect the security constraints. The major contribution of the approach is a method for building adaptive and secure MAS, following model-driven architecture. The approach is illustrated with an actual British railway management system.

Introduction

Model based development for secure systems can benefit from high level abstraction and model transformation in a model-centric development paradigm, at the same time providing improved productivity and platform independence. Security, as part of the system requirements, must be integrated into the system model from the very beginning, if full advantage of model-driven software development is to be taken. However, existing approaches using model-centric development typically ignore security at the modelling stage, rather adding security aspects later in an ad-hoc manner. This can lead to deficiencies in security and more importantly, a less cost-effective development process. The fact that security requirements are usually not considered as an essential part of the overall system requirements is reflected in the fact that design models often describe only what components in a system should do, as in traditional functional requirements. What is equally important is what the systems should not do. Malicious misuse/abuse should be prohibited in the non-functional requirements of security but, unfortunately, the latter is sometimes ignored or considered very late in the system development process. The separation of production and protection of systems results in vulnerability and a lack of integration.

Addressing security separately late in development also leads to poor maintainability. This is due to the complex and cross-cutting nature of the security requirements. Late discovery of security requirements will lead to costly correction or adaptation, sometimes after software development has been completed. Without at least abstracting and preferably decoupling the security requirements, the development and maintenance of secure software systems will remain a significant challenge. A means of modelling security requirements as part of the system model and adapting them accordingly afterwards must be provided. One possible approach is to use a model transformation approach, where the model includes security needs and where these are traceable and easily adapted later.

The object management group’s (OMG) model-driven architecture (MDA) paradigm [8], [9] is now well established. The paradigm has been advocated for productive software development, based on successive model transformation. Models are built for reuse and once re-configured, systems can be re-generated. Hence, code change is minimised when requirements change. Systems with mutable security needs can take advantages of the paradigm if security is explicitly modelled as part of the system model at a suitable level of abstraction. Adaptivity and maintainability of systems can then be enhanced since changes to the model, including functional requirements as well as non-functional security requirements, will lead to automatic behavioural change in running systems.

The adaptive agent model (AAM) [27], [28], [32] allows an agent-oriented model-driven architecture (AMDA) [29] paradigm, compatible with MDA and appropriate for multi-agent systems (MAS). AAM combines the dynamic features of agent with the advanced development paradigm of MDA. Briefly, AAM is a methodology that guides the building of an organised hierarchical business knowledge model [31] to drive adaptive agent system behaviour. The model originates from business requirements [35], is interpreted and executed dynamically by agents at runtime, and is under continuous maintenance by business people. Tools [30] have been developed to support the documentation and maintenance of the model. Existing components and services can be reused to support agents to execute business requirements captured in the model [33], [34]. A model-driven security model as integrated in AAM is put forward in this paper. We consider the very important access control issue as our security focus, formalising a security model centred on policy rules. Agents make use of the integrated model to perform functional capabilities, constrained by the security policies. Business experts and decision makers can continuously maintain the integrated model in order to reflect changing business needs.

An agent-oriented MDA solution is appropriate since agents residing within the MAS under development can conceptually have security constraints while also realising their functional behaviour. In this way, security requirements are integrated with functional requirements. Agent-oriented software engineering (AOSE) considers system model building to be centred on a role concept, with role representing functional requirements. Role-based access control (RBAC) considers the security model to be centred on role, with role representing non-functional security requirements. Unifying these role concepts offers the fundamental core model element on which an integrated model can be built. A new combined role notion can be used to pull duties and rights together in a single model. In this way, security requirements become first-class citizens along with functional requirements and can also start at the requirements modelling phase.

The rest of the paper is structured as follows. The next section will investigate the existing modelling approaches towards security, the current status of security development in MAS, and in particular, the role concept as in AOSE and in RBAC. In Section 3, we describe our approach in detail, including an overview of the proposed approach, an illustration of the original AAM interaction model, the security model add-on, and their integration using a unified role notion. Section 4 discusses a British railway management system as our case study. Our approach will be applied and a CIM, PIM, as well as a PSM and code be developed, using an agent-oriented MDA paradigm. Section 5 demonstrates the adaptivity that has been achieved and evaluates the advantages of the new approach over traditional methods. Finally, Section 6 discusses the contribution this work makes to the state of the art, in the areas of agent-oriented software engineering, model-driven architecture, distributed computing, and role-based access control, as well as provides some conclusions to the paper.

Section snippets

Security modelling

UML does not explicitly provide security modelling. However, one may extend the standard language to accommodate extra concepts. Defining a profile is one extension mechanism that can be used for this purpose. In [6] an extension to the business process modelling notation (BPMN) has been described, security requirements being incorporated as part of a UML profile that supports security modelling in business process diagrams. In a related approach [7], [42] a UML profile for secure data

Approach overview

Our framework consists of: (1) an agent runtime platform; (2) agent instances running on the platform that are empowered by an engine with model interpretation capabilities; (3) a reaction rule model that the agent runtime engine can use to interpret reactive behaviour; (4) a policy rule model that the agent runtime engine can use to interpret global strategic constraints; (5) the overall model produced using (3) and (4) which agents use as their interaction and computation pattern running in business

The requirements specification of a British railway management system

To demonstrate the efficacy of our approach, we have investigated how it might be applied to an actual system, the British railway management system called Railtrack. The system is mainly responsible for the running of a railway on a daily basis, monitoring train running with regard to incidents, and ensuring the safety of the train services by conveying issues to relevant parties for resolution. Being a very complex and safety critical system, the documented specification has more than 250

Model-driven adaptation (after deployment)

The security-enabled AAM approach achieves both adaptivity of functional duties via a functional interaction model (add new collaborators, new service facilities, new roles, etc.) and adaptivity of social rights via an integrated security policy rule model (add new security PRs, etc.).
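The following sketch is an added illustration, not code from the paper: it shows an agent re-interpreting a shared model of duties (reaction rules) and rights (policy rules) on every event, so that adding a policy rule at runtime changes behaviour without a restart. All class, role, event and action names are hypothetical, and the default-deny, deny-overrides evaluation is an assumption rather than the paper's stated semantics.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ReactionRule:          # duty: what a role does when an event arrives
    role: str
    event: str
    action: str

@dataclass(frozen=True)
class PolicyRule:            # right: constraint on a role's capability
    role: str
    action: str
    effect: str              # "permit" or "deny"

@dataclass
class Model:                 # the continuously maintained, shared model
    reactions: list = field(default_factory=list)
    policies: list = field(default_factory=list)

class Agent:
    def __init__(self, roles, model):
        self.roles, self.model = set(roles), model

    def permitted(self, role, action):
        # Assumed semantics: default deny, and an explicit deny overrides a permit.
        effects = {p.effect for p in self.model.policies
                   if p.role == role and p.action == action}
        return "permit" in effects and "deny" not in effects

    def handle(self, event):
        """Interpret the current model; return (performed, refused) actions."""
        done, refused = [], []
        for r in self.model.reactions:
            if r.event == event and r.role in self.roles:
                (done if self.permitted(r.role, r.action) else refused).append(r.action)
        return done, refused

def demo():
    # Constructed sample model loosely themed on railway incident handling.
    model = Model(
        [ReactionRule("controller", "incident_reported", "log_incident"),
         ReactionRule("controller", "incident_reported", "close_line")],
        [PolicyRule("controller", "log_incident", "permit")])
    agent = Agent(["controller"], model)
    before = agent.handle("incident_reported")
    # Business expert adds a policy rule while the agent keeps running.
    model.policies.append(PolicyRule("controller", "close_line", "permit"))
    after = agent.handle("incident_reported")
    # A later deny rule revokes the right again; the duty stays in the model.
    model.policies.append(PolicyRule("controller", "close_line", "deny"))
    revoked = agent.handle("incident_reported")
    return before, after, revoked
```
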

Contributions, conclusions, and future work

Role has been accorded importance in agent behaviour modelling for MAS. Role has also been central to permission assignment and management in access control. This paper offers an integrated role notion and, based on that, an integrated security-aware modelling approach in the paradigm of model-driven architecture. To the knowledge of the author, no previous work has been carried out in associating the role of functional duty and the role of social right, though such a relationship is natural and

Acknowledgement

Thanks to Des Greer for helpful comments and suggestions for improving the paper.

References (42)

  • E. Fernández-Medina et al., Access control and audit model for the multidimensional modeling of data warehouses, Decision Support Systems (2006)
  • J. Jurjens, M. Lehrhuber, G. Wimmel, Model-based design and analysis of permission-based security, in: Proceedings of...
  • H. Mouratidis, J. Jurjens, J. Fox, Towards a comprehensive framework for secure systems development, in: Proceedings of...
  • D. Kim, I. Ray, R. France, N. Li, Modeling role-based access control using parameterized UML models, in: Proceedings of...
  • T. Lodderstedt, D. Basin, J. Doser, SecureUML: a UML-based modeling language for model-driven security, in: Proceedings...
  • J. Jurjens, UMLsec: extending UML for secure systems development, in: Proceedings of the Fifth International Conference...
  • A. Rodriguez et al., A BPMN extension for the modeling of security requirement in business processes, IEICE Transactions on Information and Systems (2007)
  • R. Villarroel et al., A UML 2.0/OCL extension for designing secure data warehouses, Journal of Research and Practice in Information Technology (2006)
  • Object Management Group, 250 First Avenue, Suite 100, Needham, MA 02494,...
  • A. Kleppe et al., MDA Explained: The Model Driven Architecture: Practice and Promise (2003)
  • Foundation for Intelligent Physical Agents. Available from:...
  • G.A.S. Torrellas, L.B. Sheremetov, An authentication protocol for agent platform security manager, in: Proceedings of...
  • Java Agent DEvelopment Framework, Available from:...
  • A. Poggi, G. Rimassa, M. Tomaiuolo, Multi-user and security support for multi-agent systems, in: Proceedings of WOA,...
  • S. Poslad, M. Calisti, Towards improved trust and security in FIPA agent platforms, in: Proceedings of the Autonomous...
  • C. Farkas et al., Making agents secure on the semantic web, IEEE Internet Computing (2002)
  • G. Vigna, Mobile Agents and Security, LNCS, vol. 1419, Springer,...
  • JADE Board, JADE Security Guide,...
  • C. Petrie et al., Service agents and virtual enterprises: a survey, IEEE Internet Computing (2003)
  • R.S. Sandhu et al., Role-based access control models, IEEE Computer (1996)
  • J. Odell, M. Nodine, R. Levy, A metamodel for agents, roles, and groups, in: Proceedings of the Fifth International...

Cited by (16)

  • An extensive systematic review on the Model-Driven Development of secure systems, Information and Software Technology (2015)

    Citation excerpt: The introduced DSL called Security@Runtime covers many of the security requirements of modern applications such as authorisation, obligation, and reaction policies. Xiao’s [130] work is on adaptive and secure multi-agent systems. The authors adopting the adaptive agent model to put forward a security-aware model-driven mechanism by using an extension of RBAC model.

  • A collection of method fragments automated with model transformations in agent-oriented modeling, Engineering Applications of Artificial Intelligence (2013)

    Citation excerpt: Then, MTs are used for transforming the models defined with this language to another modeling language specific of the platform, and finally code is generated from these models. In addition, Xiao (2009) presents another method for building AMASs with MDE principles. In particular, this method uses MDA standards and guarantees certain security features in these MASs.
