Publications

Book Chapters

  1. D. Trivellato, S. Etalle, E. Luit, and N. Zannone. The POLIPO Security Framework. In Situation Awareness with Systems of Systems. Springer, 2013.
    Abstract: While offering several advantages in terms of scalability and flexibility, the system of systems (SoS) paradigm has a significant impact on systems interoperability and on the security requirements of collaborating parties. In this chapter we introduce POLIPO, a service oriented security framework that protects the information exchanged among the parties in an SoS, while preserving parties' autonomy and interoperability. Confidentiality and integrity of information are protected by combining context-aware access control with trust management. Autonomy and interoperability are enabled by the use of ontology-based services. More precisely, parties may refer to different ontologies to define the semantics of the terms used in their security policies and to describe domain knowledge and context information. A semantic alignment technique is then employed to map concepts from different ontologies and align the parties' vocabularies. We demonstrate the applicability of our solution using a scenario in the Maritime Safety and Security domain.

  2. F. Massacci and N. Zannone. Detecting Conflicts between Functional and Security Requirements with Secure Tropos: John Rusnak and the Allied Irish Bank. In Social Modeling for Requirements Engineering. MIT Press, 2011.
  3. F. Massacci, J. Mylopoulos, and N. Zannone. Security Requirements Engineering: the SI* Modeling Language and the Secure Tropos Methodology. In Advances in Information and Intelligent Systems, SCI 265, pages 147-174. Springer-Verlag GmbH, 2010.
    Abstract: Security Requirements Engineering is an emerging field which lies at the crossroads of Security and Software Engineering. Much research has focused on this field in recent years, spurred by the realization that security must be dealt with in the earliest phases of the software development process as these phases cover a broader organizational perspective. Agent-oriented methodologies have proved to be especially useful in this setting as they support the modeling of the social context in which the system-to-be will operate.
    In our previous work, we proposed the SI* modeling language to deal with security and trust, and the Secure Tropos methodology for designing secure software systems. Since then, both have been revised and refined in light of experience gained from their application to several industry case studies. This chapter presents the consolidated versions of the SI* modeling language and the Secure Tropos methodology and recounts our experiences, explaining the practical and theoretical reasons behind each consolidation step.

  4. F. Massacci, J. Mylopoulos, and N. Zannone. An Ontology for Secure Socio-Technical Systems. In Handbook of Ontologies for Business Interaction, pages 188-207. Idea Group, 2006.
    Abstract: Security is often compromised by exploiting vulnerabilities in the interface between the organization and the information systems that support it. This reveals the necessity of modeling and analyzing information systems together with the organizational setting where they will operate. In this chapter we address this problem by presenting a modeling language tailored to analyze the problem of security at an organizational level. This language proposes a set of concepts founded on the notions of permission, delegation, and trust. The chapter also presents a semantics for these concepts, based on Datalog. A case study from the bank domain is employed to illustrate the proposed language.

  5. P. Giorgini, H. Mouratidis, and N. Zannone. Modelling Security and Trust with Secure Tropos. In Integrating Security and Software Engineering: Advances and Future Vision, pages 160-189. Idea Group, 2006.
    Abstract: Although the concepts of security and trust play an important role in the development of information systems, they have been mainly neglected by software engineering methodologies. In this chapter, we present an approach that considers security and trust throughout the software development process. Our approach integrates two prominent software engineering approaches, one that provides a security-oriented process and one that provides a trust management process. The result is the development of a methodology that considers security and trust issues as part of its development process. Such integration represents an advance over the current state of the art by providing the first effort to consider security and trust issues under a single software engineering methodology. A case study from the health domain is employed to illustrate our approach.

  6. P. Giorgini, F. Massacci and N. Zannone. Security and Trust Requirements Engineering. In Foundations of Security Analysis and Design III - Tutorial Lectures, LNCS 3655, pages 237-272. Springer-Verlag GmbH, 2005.
    Abstract: Integrating security concerns throughout the whole software development process is one of today's challenges in software and requirements engineering research, a challenge that so far has proved difficult to meet. The major difficulty is that providing security does not only require solving technical problems but also reasoning on the organization as a whole. This makes the usage of traditional software engineering methodologies difficult or unsatisfactory: most proposals focus on protection aspects of security and explicitly deal with low level protection mechanisms, and only a handful of them show the ability of capturing the high-level organizational security requirements without getting suddenly bogged down into security protocols or cryptography algorithms. In this paper we critically review the state of the art in security requirements engineering and discuss the motivations that led us to propose the Secure Tropos methodology, a formal framework for modelling and analyzing security, that enhances the agent-oriented software development methodology i*/Tropos. We illustrate the Secure Tropos approach, a comprehensive case study, and discuss some later refinements of the Secure Tropos methodology to address some of its shortcomings. Finally, we introduce the ST-Tool, a CASE tool that supports our methodology.

International Journals

  1. D. Trivellato, N. Zannone, and S. Etalle. GEM: a Distributed Goal Evaluation Algorithm for Trust Management. Theory and Practice of Logic Programming, 2012. To appear.
    Abstract: Trust management is an approach to access control in distributed systems where access decisions are based on policy statements issued by multiple principals and stored in a distributed manner. In trust management, the policy statements of a principal can refer to other principals' statements; thus, the process of evaluating an access request (i.e., a goal) consists of finding a "chain" of policy statements that allows the access to the requested resource. Most existing goal evaluation algorithms for trust management either rely on a centralized evaluation strategy, which consists of collecting all the relevant policy statements in a single location (and therefore they do not guarantee the confidentiality of intensional policies), or do not detect the termination of the computation (i.e., when all the answers of a goal are computed). In this paper we present GEM, a distributed goal evaluation algorithm for trust management systems that relies on function-free logic programming for the specification of policy statements. GEM detects termination in a completely distributed way without the need of disclosing intensional policies, thereby preserving their confidentiality. We demonstrate that the algorithm terminates and is sound and complete with respect to the standard semantics for logic programs.

  2. S. Gurses, M. Segurun, and N. Zannone. Requirements engineering within a large-scale security-oriented research project: lessons learned. Requirements Engineering, 2012. To appear.
    Abstract: Requirements Engineering has been recognized as a fundamental phase of the software engineering process. Nevertheless, the elicitation and analysis of requirements are often left aside in favor of architecture-driven software development. This tendency, however, can lead to issues that may affect the success of a project. This paper presents our experience gained in the elicitation and analysis of requirements in a large-scale security-oriented European research project, which was originally conceived as an architecture-driven project. In particular, we illustrate the challenges that can be faced in large-scale research projects, and consider the applicability of existing best practices and off-the-shelf methodologies with respect to the needs of such projects. We then discuss how those practices and methods can be integrated into the requirements engineering process and possibly improved to address the identified challenges. Finally, we summarize the lessons learned from our experience and the benefits that a proper requirements analysis can bring to a project.

  3. A. Simone, B. Skoric, and N. Zannone. Flow-based reputation: more than just ranking. International Journal of Information Technology & Decision Making, 11(3):551-578, 2012.
    Abstract: The last years have seen a growing interest in collaborative systems like electronic marketplaces and P2P file sharing systems where people are intended to interact with other people. Those systems, however, are subject to security and operational risks because of their open and distributed nature. Reputation systems provide a mechanism to reduce such risks by building trust relationships among entities and identifying malicious entities. A popular reputation model is the so-called flow-based model. Most existing reputation systems based on such a model provide only a ranking, without absolute reputation values; this makes it difficult to determine whether entities are actually trustworthy or untrustworthy. In addition, those systems ignore a significant part of the available information; as a consequence, reputation values may not be accurate. In this paper, we present a flow-based reputation metric that gives absolute values instead of merely a ranking. Our metric makes use of all the available information. We study, both analytically and numerically, the properties of the proposed metric and the effect of attacks on reputation values.

  4. Y. Asnar, F. Massacci, A. Saidane, C. Riccucci, M. Felici, A. Tedeschi, P. El Khoury, K. Li, M. Segurun, and N. Zannone. Organizational Patterns for Security and Dependability: from design to application. International Journal of Secure Software Engineering, 2010. To appear.
    Abstract: Designing secure and dependable IT systems involves a deep analysis of organizational as well as social aspects of the environment where the system will operate. Domain experts and analysts often face security and dependability (S&D) issues they have already encountered before. These concerns require the design of S&D patterns to facilitate designers when developing IT systems. This article presents our experience in designing S&D organizational patterns, which we have gained in the course of an industry lead EU project. We use an agent-goal-oriented modeling framework (i.e., the SI* framework) to analyze organizational settings jointly with technical functionalities. We demonstrate how this framework can assist domain experts and analysts in designing S&D patterns from their experience, validating them by proof-of-concept, and applying them to increase the security level of the system.

  5. K. Bohm, S. Etalle, J. den Hartog, C. Hutter, S. Trabelsi, D. Trivellato, and N. Zannone. A Flexible Architecture for Privacy-Aware Trust Management. Journal of Theoretical and Applied Electronic Commerce Research, 2010. To appear.
    Abstract: In service-oriented systems a constellation of services cooperate, sharing potentially sensitive information and responsibilities. Cooperation is only possible if the different participants trust each other. As trust may depend on many different factors, in a flexible framework for Trust Management (TM) trust must be computed by combining different types of information. In this paper we describe the TAS3 TM framework which integrates independent TM systems into a single trust decision point. The TM framework supports intricate combinations whilst still remaining easily extensible. It also provides a unified trust evaluation interface to the (authorization framework of the) services. We demonstrate the flexibility of the approach by integrating three distinct TM paradigms: reputation-based TM, credential-based TM, and Key Performance Indicator TM. Finally, we discuss privacy concerns in TM systems and the directions to be taken for the definition of a privacy-friendly TM architecture.

  6. M. Montali, P. Torroni, N. Zannone, P. Mello, and V. Bryl. Engineering and Verifying Agent-Oriented Requirements augmented by Business Constraints with B-Tropos. Autonomous Agents and Multi-Agent Systems, 2010. To appear.
    Abstract: We propose B-Tropos as a modeling framework to support agent-oriented systems engineering, from high-level requirements elicitation down to execution-level tasks. In particular, we show how B-Tropos extends the Tropos methodology by means of declarative business constraints, inspired by the ConDec graphical language. We demonstrate the functioning of B-Tropos using a running example inspired by a real-world industrial scenario, and we describe how B-Tropos models can be automatically formalized in computational logic, discussing formal properties of the resulting framework and its verification capabilities.

  7. G. Elahi, E. Yu, and N. Zannone. A Vulnerability-Centric Requirements Engineering Framework: Analyzing Security Attacks, Countermeasures, and Requirements Based on Vulnerabilities. Requirements Engineering, 15(1):41-62, 2010.
    Abstract: Many security breaches occur because of exploitation of vulnerabilities within the system. Vulnerabilities are weaknesses in the requirements, design, and implementation, which attackers exploit to compromise the system. This paper proposes a methodological framework for security requirements elicitation and analysis centered on vulnerabilities. The framework offers modeling and analysis facilities to assist system designers in analyzing vulnerabilities and their effects on the system; identifying potential attackers and analyzing their behavior for compromising the system; and identifying and analyzing the countermeasures to protect the system. The framework proposes a qualitative goal model evaluation analysis for assessing the risks of vulnerabilities exploitation and analyzing the impact of countermeasures on such risks.

  8. L. Compagna, P. El Khoury, A. Krausova, F. Massacci, and N. Zannone. How to Integrate Legal Requirements into A Requirements Engineering Methodology for the Development of Security and Privacy Patterns. Artificial Intelligence and Law, 17(1):1-30. 2009.
    Abstract: Laws set requirements that force organizations to assess the security and privacy of their IT systems and require them to implement minimal precautionary security measures. Several IT solutions (e.g., Privacy Enhancing Technologies, Access Control Infrastructure, etc.) have been proposed to address security and privacy issues. However, understanding why and when such solutions have to be adopted is often unanswered because the answer comes only from a broader perspective, accounting for legal and organizational issues. Security engineers and legal experts should analyze the business goals of a company and its organizational structure and derive from there the points where security and privacy problems may arise and which solutions best fit such (legal) problems. The paper investigates the methodological support for capturing security and privacy requirements of a concrete health care provider.

  9. P. Guarda and N. Zannone. Towards the Development of Privacy-Aware Systems. Information and Software Technology. 51(2):337-350. 2009.
    Abstract: Privacy and data protection are pivotal issues in today's society. They concern the right to prevent dissemination of sensitive or confidential information of individuals. Many studies have been proposed on this topic from various perspectives, namely sociological, economic, legal, and technological. We have recognized the legal perspective as being the basis of all other perspectives. Actually, data protection regulations set the legal principles and requirements that must be met by organizations when processing personal data. The objective of this work is to provide a reference base for the development of methodologies tailored to design privacy-aware systems to be compliant with data protection regulations.

  10. Y. Asnar, P. Giorgini, P. Ciancarini, R. Moretti, M. Sebastianis, and N. Zannone. Evaluation of Business Solutions in Manufacturing Enterprises. International Journal of Business Intelligence and Data Mining, 3(3):305-329. 2008.
    Abstract: Evaluating business solutions before being deployed is essential for any organization. Risk is emerging as one of the most preeminent and accepted metrics for the evaluations of business solutions. In this paper, we present a comprehensive case study where the Tropos Goal-Risk framework is used to assess and treat risk on the basis of the likelihood and severity of failures within organizational settings. We present an analysis and an evaluation of business solutions within manufacturing enterprises.

  11. N. Kiyavitskaya and N. Zannone. Requirements Model Generation to Support Requirements Elicitation: The Secure Tropos Experience. Automated Software Engineering, 15(2):149-173. 2008.
    Abstract: In the last years several efforts have been devoted by researchers in the Requirements Engineering community to the development of methodologies for supporting designers during requirements elicitation, modeling, and analysis. However, these methodologies often lack tool support to facilitate their application in practice and encourage companies to adopt them.
    In this paper, we present our experience in the application of methods for the transformation of requirements specifications expressed in natural language into semi-structured specifications. More specifically, we apply a lightweight method for extracting requirements from system descriptions in natural language to support the Secure Tropos methodology during the requirements elicitation phase. Our proposal is based on Cerno, a semantic annotation environment, which uses high-speed context-free robust parsing combined with simple word search. To evaluate our proposal, we discuss its application to the requirements elicitation process followed in the course of a European project on four industrial case studies.

  12. N. Zannone. The SI* Modeling Framework: Metamodel and Applications. International Journal of Software Engineering and Knowledge Engineering. 2008.
    Abstract: Security Requirements Engineering is emerging, spurred by the realization that security must be dealt with from the early phases of the system development process. Modeling languages in this field are challenging as they must provide concepts appropriate for talking about security within an organization. In previous work we introduced the SI* modeling language tailored to capture security aspects of socio-technical systems. SI* is founded on four main notions, namely supervision, permission, delegation, and trust. In this paper, we present the SI* metamodel. We also present some frameworks and methodologies founded on this modeling language for the analysis of security and dependability requirements as well as the exploration of design alternatives and the generation of skeletons of secure business processes. The paper also presents a development environment that uses the SI* metamodel as its core.

  13. F. Massacci, J. Mylopoulos and N. Zannone. Computer-Aided Support for Secure Tropos. Automated Software Engineering, 14(3):341-364. 2007.
    Abstract: In earlier work, we have introduced Secure Tropos, a requirements engineering methodology that extends the Tropos methodology and is intended for the design and analysis of security requirements. This paper briefly recaps the concepts proposed for capturing security aspects, and presents an implemented graphical CASE tool that supports the Secure Tropos methodology. Specifically, the tool supports the creation of Secure Tropos models, their translation to formal specifications, as well as the analysis of these specifications to ensure that they comply with specific security properties. Apart from presenting the tool, the paper also presents a two-tier evaluation consisting of two case studies and an experimental evaluation of the tool's scalability.

  14. F. Massacci, J. Mylopoulos and N. Zannone. From Hippocratic Databases to Secure Tropos: a Computer-Aided Re-Engineering Approach. International Journal of Software Engineering and Knowledge Engineering, 17(2):265-284. 2007.
    Abstract: Privacy protection is a growing concern in the marketplace. Yet, privacy requirements and mechanisms are usually retro-fitted into a pre-existing design which may not be able to accommodate them due to potential conflicts with functional requirements. We propose a procedure for automatically extracting privacy requirements from databases supporting access control mechanisms for personal data (hereafter Hippocratic databases) and representing them in the Tropos modeling framework where tools are available for checking the correctness and consistency of privacy requirements. The procedure is illustrated with a case study.

  15. P. Giorgini, F. Massacci, J. Mylopoulos and N. Zannone. Requirements Engineering for Trust Management: Model, Methodology, and Reasoning. The International Journal of Information Security, 5(4):257-274, 2006.
    Abstract: A number of recent proposals aim to incorporate security engineering into mainstream software engineering. Yet, capturing trust and security requirements at an organizational level, as opposed to an IT system level, and mapping these into security and trust management policies is still an open problem. This paper proposes a set of concepts founded on the notions of ownership, permission and trust and intended for requirements modeling. It also extends Tropos, an agent-oriented software engineering methodology, to support security requirements engineering. These concepts are formalized and are shown to support the automatic verification of security and trust requirements using Datalog. To make the discussion more concrete, we illustrate the proposal with a Health Care case study.

  16. F. Massacci, J. Mylopoulos and N. Zannone. Hierarchical Hippocratic Databases with Minimal Disclosure for Virtual Organizations. The VLDB Journal, 15(4):370-387, 2006.
    Abstract: The protection of customer privacy is a fundamental issue in today's corporate marketing strategies. Not surprisingly, many research efforts have proposed new privacy-aware technologies. Among them, Hippocratic databases offer mechanisms for enforcing privacy rules in database systems for inter-organizational business processes (also known as virtual organizations). This paper extends these mechanisms to allow for hierarchical purposes, distributed authorizations and minimal disclosure supporting the business processes of virtual organizations that want to offer their clients a number of ways to fulfill a service. Specifically, we use a goal-oriented approach to analyze privacy policies of the enterprises involved in a business process. Based on the purpose hierarchy derived through a goal refinement process, we provide algorithms for determining the minimum set of authorizations needed to achieve a service. This allows us to automatically derive access control policies for an inter-organizational business process from the collection of privacy policies associated with different participating enterprises. By using effective on-line algorithms, the derivation of such minimal information can also be done on-the-fly by the customer wishing to access a service.

  17. F. Massacci, M. Prest and N. Zannone. Using a Security Requirements Engineering Methodology in Practice: the compliance with the Italian Data Protection Legislation. Computer Standards & Interfaces, 27(5):445-455, 2005.
    Abstract: Extending Requirements Engineering modelling and formal analysis methodologies to cope with Security Requirements has been a major effort in the past decade. Yet, only a few works describe complex case studies that show the ability of the informal and formal approaches to cope with the level of complexity required by compliance with ISO-17799 security management requirements. In this paper we present a comprehensive case study of the application of the Secure Tropos RE methodology for the compliance to the Italian legislation on Privacy and Data Protection by the University of Trento, leading to the definition and analysis of an ISO-17799-like security management scheme.

International Conferences and Workshops

  1. E. Costante, S. Vavilis, S. Etalle, M. Petkovic and N. Zannone. Database Anomalous Activities: Detection and Quantification. In Proceedings of the 10th International Conference on Security and Cryptography (SECRYPT 2013), SciTePress. 2013.
    Abstract: The disclosure of sensitive data to unauthorized entities is a critical issue for organizations. Timely detection of data leakage is crucial to reduce possible damages. Therefore, breaches should be detected as early as possible, e.g., when data are leaving the database. In this paper, we focus on data leakage detection by monitoring database activities. We present a framework that automatically learns normal user behavior, in terms of database activities, and detects anomalies as deviation from such behavior. In addition, our approach explicitly indicates the root cause of an anomaly. Finally, the framework assesses the severity of data leakages based on the sensitivity of the disclosed data.

  2. E. Costante, F. Paci, and N. Zannone. Privacy-Aware Web Service Composition and Ranking. In Proceedings of the 20th International Conference on Web Services (ICWS 2013), IEEE. 2013.
    Abstract: Service selection is a key issue in the Future Internet, where applications are built by composing services and content offered by different service providers. Most existing service selection schemas only focus on QoS properties of services such as throughput, latency and response time, or on their trust and reputation level. By contrast, the risk of privacy breaches arising from the selection of component services whose privacy policy is not compliant with customers' privacy preferences is largely ignored. In this paper, we propose a novel privacy-preserving Web service composition and selection approach which (i) makes it possible to verify the compliance between users' privacy requirements and providers' privacy policies and (ii) ranks the composite Web services with respect to the privacy level they offer. We demonstrate our approach using a travel agency Web service as an example of service composition.

  3. S. Vavilis, M. Petkovic, and N. Zannone. Data Reliability in Home Healthcare Services. In Proceedings of the 26th International Symposium on Computer-Based Medical Systems (CBMS'13), IEEE. 2013.
    Abstract: Home healthcare services are emerging as a new frontier in healthcare practices. Data reliability, however, is crucial for the acceptance of these new services. This work presents a semi-automated system to evaluate the quality of medical measurements taken by patients. The system relies on data qualifiers to evaluate various quality aspects of measurements. The overall quality of measurements is determined on the basis of these qualifiers enhanced with a troubleshooting mechanism. Namely, the troubleshooting mechanism guides healthcare professionals in the investigation of the root causes of low quality values.

  4. M. Veeningen, B. de Weger, and N. Zannone. Symbolic Privacy Analysis through Linkability and Detectability. In Proceedings of the 7th International IFIP WG 11.11 International Conference on Trust Management (IFIPTM 2013), Springer. 2013.
    Abstract: More and more personal information is exchanged on-line using communication protocols. This makes it increasingly important that such protocols satisfy privacy by data minimisation. Formal methods have been used to verify privacy properties of protocols; but so far, mostly in an ad-hoc way. In previous work, we provided general definitions for the fundamental privacy concepts of linkability and detectability. However, this approach is only able to verify privacy properties for given protocol instances. In this work, by generalising the approach, we formally analyse privacy of communication protocols independently from any instance. We implement the model; identify its assumptions by relating it to the instantiated model; and show how to visualise results. To demonstrate our approach, we analyse privacy in Identity Mixer.

  5. M. Egea, F. Paci, M. Petrocchi, and N. Zannone. PERSONA: A Personalized Data Protection Framework. In Proceedings of the 7th International IFIP WG 11.11 International Conference on Trust Management (IFIPTM 2013), Springer. 2013.
    Abstract: The European Directive on Data Protection recognizes the right of data subjects to control the usage of their information. However, to date there are no data protection solutions that involve data subjects in the definition and enforcement of data protection policies. In this paper we present the foundation of a novel approach to personalized data protection in which users play a central role in the authoring and enforcement of the policies governing the access and usage to their data. We discuss the challenges of designing a personalized data protection framework using personalized medicine as an illustrative scenario.

  6. S. Etalle, T. L. Hinrichs, A. J. Lee, D. Trivellato, and N. Zannone. Policy Administration in Tag-Based Authorization. In Proceedings of the 5th International Symposium on Foundations & Practice of Security (FPS 2012), Springer. 2012.
    Abstract: Tag-Based Authorization (TBA) is a hybrid access control model that combines the ease of use of extensional access control models with the expressivity of logic-based formalisms. The main limitation of TBA is that it lacks support for policy administration. More precisely, it does not allow policy-writers to specify administrative policies that constrain the tags that users can assign, and to verify the compliance of assigned tags with these policies. In this paper we introduce TBA2 (Tag-Based Authorization & Administration), an extension of TBA that enables policy administration in distributed systems. We show that TBA2 is more expressive than TBA and than two reference administrative models proposed in the literature, namely HRU and ARBAC97.

  7. M. Veeningen, B. de Weger, and N. Zannone. Formal Modelling of (De)Pseudonymisation: A Case Study in Health Care Privacy. In Proceedings of the 8th International Workshop on Security and Trust Management (STM'12), Springer. 2012.
    Abstract: In recent years, a number of infrastructures have been proposed for the collection and distribution of medical data for research purposes. The design of such infrastructures is challenging: on the one hand, they should link patient data collected from different hospitals; on the other hand, they can only use anonymised data because of privacy regulations. In addition, they should allow data depseudonymisation in case research results provide information relevant for patients' health. The privacy analysis of such infrastructures can be seen as a problem of data minimisation. In this work, we introduce coalition graphs, a graphical representation of knowledge of personal information to study data minimisation. We show how this representation allows identification of privacy issues in existing infrastructures. To validate our approach, we use coalition graphs to formally analyse data minimisation in two (de)-pseudonymisation infrastructures proposed by the Parelsnoer initiative.

  8. S. Banescu, M. Petkovic, and N. Zannone. Measuring Privacy Compliance using Fitness Metrics. In Proceedings of the 10th International Conference on Business Process Management (BPM'12), 2012.
    Abstract: Nowadays, repurposing of personal data is a major privacy issue. Detecting data repurposing requires a posteriori mechanisms able to determine how data have been processed. However, current a posteriori solutions for privacy compliance are often manual, leaving infringements undetected. In this paper, we propose a privacy compliance technique for detecting privacy infringements and measuring their severity. The approach quantifies infringements by considering a number of deviations from specifications (i.e., insertion, suppression, replacement, and re-ordering).

  9. M. Asim, T. Ignatenko, M. Petkovic, D. Trivellato and N. Zannone. Enforcing Access Control in Virtual Organizations Using Hierarchical Attribute-Based Encryption. In Proceedings of the 7th International Conference on Availability, Reliability and Security (ARES'12), 2012.
    Abstract: Virtual organizations are dynamic, inter-organizational collaborations that involve systems and services belonging to different security domains. Several solutions have been proposed to guarantee the enforcement of the access control policies protecting the information exchanged in a distributed system, but none of them addresses the dynamicity characterizing virtual organizations. In this paper we propose a dynamic hierarchical attribute-based encryption (D-HABE) scheme that allows the institutions in a virtual organization to encrypt information according to an attribute-based policy in such a way that only users with the appropriate attributes can decrypt it. In addition, we introduce a key management scheme that determines which user is entitled to receive which attribute key from which domain authority.

  10. S. Vavilis, M. Petkovic, and N. Zannone. Impact of ICT on Home Healthcare. In Proceedings of the 10th IFIP Human Choice and Computers International Conference (HCC 2012), Springer. 2012.
    Abstract: Innovation in information and communication technology has a great potential to create large impact on modern healthcare. However, for the new technologies to be adopted, the innovations have to be meaningful and timely, taking into account user needs and addressing societal and ethical concerns. In this paper, we focus on ICT innovations related to the home healthcare domain, in which patient safety and security, but also trust and privacy, are of utmost importance. To ensure the adoption of new healthcare services, the new innovative technologies need to be complemented with new methods that can help patients to establish trust in healthcare service providers in terms of privacy, reliability, integrity of the data chain, and techniques that help service providers to assess the reliability of information and data contributed by patients. This paper sketches various lines of research for the development of trusted healthcare services, namely patient compliance, reliability of information in healthcare, and user-friendly access control.

  11. M. Veeningen, B. de Weger, and N. Zannone. Privacy Analysis of Communication Protocols for Identity Management. In Proceedings of the 7th International Conference on Information Systems Security (ICISS 2011), Springer. 2011.
    Abstract: Over the years, formal methods have been developed for the analysis of security and privacy aspects of communication in IT systems. However, existing methods are insufficient to deal with privacy, especially in identity management (IdM), as they fail to take into account whether personal information can be linked to its data subject. In this paper, we propose a general formal method to analyze privacy of communication protocols for IdM. To express privacy, we represent knowledge of personal information in a three-layer model. We show how to deduce knowledge from observed messages and how to verify a range of privacy properties. We validate the approach by applying it to an IdM case study.

  12. S. Banescu and N. Zannone. Measuring Privacy Compliance with Process Specifications. In Proceedings of the 7th International Workshop on Security Measurements and Metrics (MetriSec'11), IEEE Computer Society Press. 2011.
    Abstract: Enforcement relies on the idea that infringements are violations and as such should not be allowed. However, this notion is very restrictive and cannot be applied in unpredictable domains like healthcare, in which it is impossible to know in advance when and where an emergency situation will occur. To address this issue, we need conformance metrics for detecting and quantifying infringements of policies and procedures. However, existing metrics usually consider every deviation from specifications equally, making them inadequate to measure the severity of infringements. In this paper, we identify a number of factors which can be used to quantify deviations from process specifications. These factors drive the definition of metrics that allow for a more accurate measurement of privacy infringements. We demonstrate how the proposed approach can be adopted to enhance existing conformance metrics through a case study on the provisioning of healthcare treatment.
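
    Both the BPM'12 paper (item 8) and the MetriSec'11 paper (item 12) above rest on the same idea: align an executed trace against the specified process, classify each deviation as an insertion, suppression, replacement or re-ordering, and weight deviations by severity instead of counting them equally. The block below is an added worked example of that idea, written for this page; it is not the authors' metric, and the activity names, severities and operation weights are hypothetical. It computes a weighted Damerau-Levenshtein alignment between a specified activity sequence and an observed trace, reports the deviations by kind, and normalises the cost into a fitness value in [0, 1].

```python
from collections import Counter

INSERTION, SUPPRESSION, REPLACEMENT, REORDERING = (
    "insertion", "suppression", "replacement", "re-ordering")

# Hypothetical severity of each activity when it is skipped, added or
# displaced (default 1.0): skipping consent or adding an export is serious.
SEVERITY = {"obtain_consent": 5.0, "export_record": 3.0}

# Hypothetical per-operation multiplier. The re-ordering weight must stay
# below a suppression plus an insertion of the same activity, otherwise the
# alignment never reports a swap as a single re-ordering.
OP_WEIGHT = {INSERTION: 1.0, SUPPRESSION: 1.0, REPLACEMENT: 1.0, REORDERING: 0.25}


def cost(op, *activities):
    """Cost of one deviation: operation weight times the worst severity involved."""
    return OP_WEIGHT[op] * max(SEVERITY.get(a, 1.0) for a in activities)


def align(spec, trace):
    """Weighted Damerau-Levenshtein alignment of an executed trace against the
    specified activity sequence. Returns (total cost, Counter of deviations)."""
    n, m = len(spec), len(trace)
    # dp[i][j] = (cost, last operation) for aligning spec[:i] with trace[:j]
    dp = [[(0.0, None) for _ in range(m + 1)] for _ in range(n + 1)]
    for i in range(1, n + 1):
        dp[i][0] = (dp[i - 1][0][0] + cost(SUPPRESSION, spec[i - 1]), SUPPRESSION)
    for j in range(1, m + 1):
        dp[0][j] = (dp[0][j - 1][0] + cost(INSERTION, trace[j - 1]), INSERTION)
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            s, t = spec[i - 1], trace[j - 1]
            if s == t:
                cands = [(dp[i - 1][j - 1][0], "match")]
            else:
                cands = [(dp[i - 1][j - 1][0] + cost(REPLACEMENT, s, t), REPLACEMENT)]
            cands.append((dp[i - 1][j][0] + cost(SUPPRESSION, s), SUPPRESSION))
            cands.append((dp[i][j - 1][0] + cost(INSERTION, t), INSERTION))
            # adjacent transposition: spec ...s2 s1... observed as ...s1 s2...
            if i > 1 and j > 1 and s == trace[j - 2] and spec[i - 2] == t:
                cands.append((dp[i - 2][j - 2][0] + cost(REORDERING, s, t), REORDERING))
            dp[i][j] = min(cands, key=lambda c: c[0])
    # Walk back through the table to classify the deviations on the optimal path.
    counts, i, j = Counter(), n, m
    while i > 0 or j > 0:
        op = dp[i][j][1]
        if op != "match":
            counts[op] += 1
        if op in ("match", REPLACEMENT):
            i, j = i - 1, j - 1
        elif op == SUPPRESSION:
            i -= 1
        elif op == INSERTION:
            j -= 1
        else:  # REORDERING consumes two activities on each side
            i, j = i - 2, j - 2
    return dp[n][m][0], counts


def fitness(spec, trace):
    """Normalise the cost against the worst case (suppress every specified
    activity and insert every executed one); 1.0 means full compliance."""
    total, _ = align(spec, trace)
    worst = (sum(cost(SUPPRESSION, a) for a in spec)
             + sum(cost(INSERTION, a) for a in trace))
    return 1.0 - total / worst if worst else 1.0


# Constructed process specification and executed trace (not from the papers).
SPEC = ["obtain_consent", "access_record", "prescribe", "log_access"]
TRACE = ["access_record", "obtain_consent", "prescribe", "export_record", "log_access"]

if __name__ == "__main__":
    total, counts = align(SPEC, TRACE)
    print(total, dict(counts), round(fitness(SPEC, TRACE), 3))
```

    On the constructed trace the alignment reports one re-ordering (the record was accessed before consent was obtained) and one insertion (an unspecified export), with the export weighted three times a routine deviation. The usual pitfall when tuning such weights is that a swap always competes with a suppression-plus-insertion of the same activities, so the re-ordering weight has to be kept strictly below that sum or the metric will report two deviations where the analyst wants to see one.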

  13. G. Elahi, E. Yu, and N. Zannone. Security Risk Management by Qualitative Vulnerability Analysis. In Proceedings of the 7th International Workshop on Security Measurements and Metrics (MetriSec'11), IEEE Computer Society Press. 2011.
    Abstract: Security risk assessment in the requirements phase is challenging because probability and damage of attacks are not always numerically measurable or available in the early phases of development. Selecting proper security solutions is also problematic because mitigating impacts and side-effects of solutions are not often quantifiable either. In the early development phases, analysts need to assess risks in the absence of numerical measures or deal with a mixture of quantitative and qualitative data. We propose a risk analysis process which intertwines security requirements engineering with a vulnerability-centric and qualitative risk analysis method. The proposed method is qualitative and vulnerability-centric, in the sense that by identifying and analyzing common vulnerabilities the probability and damage of risks are evaluated qualitatively. We also propose an algorithmic decision analysis method that considers risk factors and alternative security solutions, and helps analysts select the most cost-effective solution. The decision analysis method enables making a decision when some of the available data is qualitative.

  14. M. Petkovic, D. Prandi, and N. Zannone. Purpose Control: did you process the data for the intended purpose? In Proceedings of the 8th VLDB Workshop on Secure Data Management (SDM'11), 2011.
    Abstract: Data protection legislation requires personal data to be collected and processed only for lawful and legitimate purposes. Unfortunately, existing protection mechanisms are not appropriate for purpose control: they only prevent unauthorized actions from occurring and do not guarantee that the data are actually used for the intended purpose. In this paper, we present a flexible framework for purpose control, which connects the intended purpose of data to the business model of an organization and detects privacy infringements by determining whether the data have been processed only for the intended purpose.

  15. M. Veeningen, B. de Weger, and N. Zannone. Modeling identity-related properties and their privacy strength. In Proceedings of the 7th International Workshop on Formal Aspects of Security & Trust (FAST'10), 2010.
    Abstract: In the last years several attempts to define identity-related properties such as identifiability, pseudonymity and anonymity have been made to analyze the privacy offered by information systems and protocols. However, these definitions are generally incomparable, making it difficult to generalize the results of their analysis. In this paper, we propose a novel framework for formalizing and comparing identity-related properties. The framework employs the notions of detectability, associability and provability to assess the knowledge of an adversary. We show how these notions can be used to specify well-known identity-related properties and classify them with respect to their logical relations and privacy strength. We also demonstrate that the proposed framework is able to capture and compare several existing definitions of identity-related properties.

  16. N. Zannone, M. Petkovic, and S. Etalle. Towards data protection compliance. In Proceedings of the International Conference on Security and Cryptography (SECRYPT'10), 2010.
    Abstract: Privacy and data protection are fundamental issues nowadays for every organization. This paper calls for the development of methods, techniques and infrastructure to allow the deployment of privacy-aware IT systems, in which humans are an integral part of the organizational processes and accountable for their possible misconduct. In particular, we discuss the challenges to be addressed in order to improve organizations' privacy practices, as well as an approach to ensure compliance with legal requirements while increasing efficiency.

  17. G. Elahi, E. Yu, and N. Zannone. A Modeling Ontology for Integrating Vulnerabilities into Security Requirements Conceptual Foundations. In Proceedings of the 28th International Conference on Conceptual Modeling (ER 2009), LNCS 5829, pages 99-114. Springer, 2009.
    Abstract: Vulnerabilities are weaknesses in the requirements, design, and implementation, which attackers exploit to compromise the system. This paper proposes a vulnerability-centric modeling ontology, which aims to integrate empirical knowledge of vulnerabilities into the system development process. In particular, we identify the basic concepts for modeling and analyzing vulnerabilities and their effects on the system. These concepts drive the definition of criteria that make it possible to compare and evaluate security frameworks based on vulnerabilities. We show how the proposed modeling ontology can be adopted in various conceptual modeling frameworks through examples.

  18. D. Trivellato, F. Spiessens, N. Zannone, and S. Etalle. Reputation-Based Ontology Alignment for Autonomy and Interoperability in Distributed Access Control. In Proceedings of the 12th IEEE International Conference on Computational Science and Engineering (CSE'09), pages 252-258. IEEE Computer Society Press, 2009.
    Abstract: Vocabulary alignment is a main challenge in distributed access control, as peers should understand each other's policies unambiguously. Ontologies enable mutual understanding among peers by providing a precise semantics to concepts and relationships in a domain. However, due to the distributed nature of ontology development, ontology alignment is required to allow peers to make informed access control decisions. The alignment should be flexible and accurate so as not to undermine the autonomy and reliability of peers. This paper addresses the problem of ontology alignment in distributed access control by combining ontology-based trust management with a reputation system.

  19. D. Trivellato, F. Spiessens, N. Zannone, and S. Etalle. POLIPO: Policies & OntoLogies for Interoperability, Portability, and autOnomy. In Proceedings of the IEEE International Symposium on Policies for Distributed Systems and Networks (POLICY'09), pages 110-113. IEEE Computer Society Press, 2009.
    Abstract: In this paper we identify the requirements for the definition of a security framework for distributed access control in dynamic coalitions of heterogeneous systems. Based on the elicited requirements, we introduce the POLIPO framework that combines distributed access control with ontologies to give a globally understandable semantics to policies, enabling interoperability among heterogeneous systems.

  20. J. Cabot and N. Zannone. Towards an Integrated Framework for Model-driven Security Engineering. In Proceedings of the 1st Modeling Security Workshop (MODSEC'08), 2008.
    Abstract: Security is a major issue in developing software systems. It is widely recognized that security aspects must be considered in all the phases of the development process, from the analysis of the organizational context to the final implementation of the software system. However, current approaches for designing secure systems only target particular security aspects at specific stages of the development process. A unified process combining these different approaches is still missing. This paper surveys several existing techniques and discusses the need for a general framework for integrating them into a single development process.

  21. F. Massacci and N. Zannone. A Model-Driven Approach for the Specification and Analysis of Access Control Policies. In Proceedings of the 3rd International Symposium on Information Security (IS'08), LNCS 5332, pages 1087-1103. Springer, 2008.
    Abstract: The last years have seen the definition of many languages, models and standards tailored to specify and enforce access control policies, but such frameworks do not provide methodological support during the policy specification process. In particular, they do not provide facilities for the analysis of the social context where the system operates.
    In this paper we propose a model-driven approach for the specification and analysis of access control policies. We build this framework on top of SI*, a modeling language tailored to capture and analyze functional and security requirements of socio-technical systems. The framework also provides formal mechanisms to assist policy writers and system administrators in the verification of access control policies and of the actual user-permission assignment.

  22. Y. Asnar and N. Zannone. Perceived Risk Assessment. In Proceedings of the 4th Workshop on Quality of Protection (QoP'08), pages 59-64. ACM Press, 2008.
    Abstract: In the last years, IT systems have played an increasingly fundamental role in human activities and, in particular, in critical activities such as the management of Air Traffic Control and Nuclear Power Plants. This has spurred several researchers to develop models, metrics, and methodologies for analyzing and measuring the security and dependability of critical systems. Their objective is to understand whether the risks affecting the system are acceptable or not. If risks are too high, analysts need to identify the treatments adequate to mitigate them. Existing proposals however fail to consider risks within multi-actor settings. Here, different actors participating in the system might have a different perception of risk and react accordingly. In this paper, we introduce the concept of perceived risk and discuss its differences with actual risk. We also investigate the concepts necessary to capture and analyze perceived risk.

  23. N. Kiyavitskaya, A. Krausova, and N. Zannone. Why Eliciting and Managing Legal Requirements Is Hard. In Proceedings of the 1st International Workshop on Requirements Engineering and Law (RELAW'08), pages 26-30. IEEE Computer Society Press, 2008.
    Abstract: The increasing complexity of IT systems and the growing demand for regulation compliance are main issues for the design of IT systems. Addressing these issues requires the development of effective methods to support the analysis of regulations and the elicitation of organizational and system requirements from them. This work investigates the problem of designing regulation-compliant systems and, in particular, the challenges in eliciting and managing legal requirements.

  24. P. Busnel, P. El Khoury, K. Li, A. Saidane, and N. Zannone. S&D Pattern Deployment at Organizational Level: A Prototype for Remote Healthcare System. In Proceedings of the 4th International Workshop on Security and Trust Management (STM'08), 2008.
    Abstract: The analysis of security incidents and frauds has shown that several vulnerabilities of IT systems are due to loopholes in the policies and procedures adopted by organizations, as well as in their structure. Organizations thus have to address security and dependability issues by analyzing their organizational setting. In this paper, we present a methodology to support the deployment of Security & Dependability patterns according to their position in the Enterprise Architecture and the underlying system infrastructures. The methodology distinguishes, within the pattern deployment process, between recommendations and guidelines. Recommendations concretize the deployment with refined software and/or hardware related patterns, whereas guidelines specify the organizational patterns in terms of the system-to-be, proposing human-resource and/or policy solutions. To make the discussion more concrete, we illustrate the framework with a case study on an emergency scenario within a remote healthcare system.

  25. D. Prandi, P. Quaglia, and N. Zannone. Formal analysis of BPMN via a translation into COWS. In Proceedings of the 10th International Conference on Coordination Models and Languages (Coordination'08), LNCS 5052, pages 249-263. Springer, 2008.
    Abstract: A translation of the Business Process Modeling Notation into the process calculus COWS is presented. The stochastic extension of COWS is then exploited to address quantitative reasoning about the behaviour of business processes. An example of such reasoning is shown by running the PRISM probabilistic model checker on a case study.

  26. Y. Asnar, R. Moretti, M. Sebastianis, and N. Zannone. Risk as Dependability Metrics for the Evaluation of Business Solutions: A Model-driven Approach. In Proceedings of the 3rd International Workshop on Dependability Aspects on Data WArehousing and Mining applications (DAWAM'08), pages 1240-1248. IEEE Computer Society Press, 2008.
    Abstract: The analysis of business solutions is one of the critical issues in industry. Risk is one of the most prominent and accepted metrics for the evaluation of business solutions. Not surprisingly, many research efforts have been devoted to developing risk management frameworks. Among them, Tropos Goal-Risk offers a formal framework for assessing and treating risks on the basis of the likelihood and severity of failures. In this paper, we extend Tropos Goal-Risk to assess and treat risks by considering the interdependency among actors within an organization. To make the discussion more concrete, we apply the proposed framework to the analysis of risks within manufacturing organizations.

  27. H. A. López, F. Massacci, and N. Zannone. Goal-Equivalent Secure Business Process Re-engineering for E-Health. In Proceedings of the 1st International Workshop on Model-Based Trustworthy Health Information Systems (MOTHIS'07), 2007.
    Abstract: The introduction of ITs in e-Health often requires re-engineering the business processes used to deliver care. Obviously the new and re-engineered processes are observationally different and thus we cannot use existing model-based techniques to argue that they are somehow "equivalent".
    In this paper we propose a notion of equivalence over secure business processes based on the notion of goal-equivalence:
    • start from the old secure business process;
    • reconstruct from that business process the functional and security requirements at organizational level that the old business process was supposed to meet (including the trust relations that existed among the members of the organization);
    • compare the re-engineered business process with the requirements and see if they are equally met or possibly improved.
    To this intent, we present a reasoning method for passing from SI*, a modeling language that captures the functional, security and trust requirements of IT systems and their operational environments, to business processes specifications and vice versa. Both translation processes are complementary, in the sense that SI* models can have multiple business process concretizations, and different business processes can be equivalent in terms of the goals they achieve. We illustrate and motivate the proposed approach using an e-health case study.

  28. H. A. López, F. Massacci, and N. Zannone. Goal-Equivalent Secure Business Process Re-engineering. In Proceedings of the 2nd International Workshop on Business Oriented Aspects concerning Semantics and Methodologies in Service-oriented Computing (SeMSoC'07), 2007.
    Abstract: The introduction of information technologies in health care systems often requires re-engineering the business processes used to deliver care. Obviously, the new and re-engineered processes are observationally different and thus we cannot use existing model-based techniques to argue that they are somehow ``equivalent''. In this paper we propose a method for passing from SI*, a modeling language for capturing and modeling functional, security, and trust organizational and system requirements, to business process specifications and vice versa. In particular, starting from an old secure business process, we reconstruct the functional and security requirements at organizational level that such a business process was supposed to meet (including the trust relations that existed among the members of the organization). To ensure that the re-engineered business process meets the elicited requirements, we employ a notion of equivalence based on goal-equivalence. Basically, we verify if the execution of the business process, described in terms of the trace it generates, satisfies the organizational model. We motivate and illustrate the method with an e-health case study.

  29. V. Bryl, P. Mello, M. Montali, P. Torroni and N. Zannone. B-Tropos: Agent-oriented requirements engineering meets computational logic for declarative business process modeling and verification. In Proceedings of the 8th Workshop on Computational Logic in Multi-Agent Systems (CLIMA-VIII), 2007.
    Abstract: The analysis of business requirements and the specification of business processes are fundamental for the development of information systems. The first part of this paper presents B-Tropos as a way to combine business goals and requirements with the business process model. B-Tropos enhances a well-known agent-oriented early requirements engineering framework with declarative business process-oriented constructs, inspired by the DecSerFlow and ConDec languages. In the second part of the paper, we show a mapping of B-Tropos onto SCIFF, a computational logic-based framework, for property and conformance verification.

  30. P. Guarda, F. Massacci, and N. Zannone. E-Government and On-line Services: Security and Legal Patterns. In Proceedings of the 1st International Conference on Methodologies, Technologies and Tools enabling e-Government (MeTTeG07), 2007.
    Abstract: E-government refers to the introduction of digital technologies into public administrations and it is assuming a pivotal role in many countries, including Italy. In particular, the supply of on-line services by public administrations represents a rapidly expanding phenomenon. The objective of the paper is to support system designers in the development of IT systems that comply with the regulations that govern the use of technologies in public administrations. Thus, taking as running example a tax portal and its authentication issues, we look at the general principles and rules that govern institutional sites and portals, as established in the Italian Public Administration Code. We also show how Security Requirements Engineering methodologies can assist system designers in their activities.

  31. L. Compagna, P. El Khoury, F. Massacci, R. Thomas, and N. Zannone. How to capture, model, and verify the knowledge of legal, security, and privacy experts: a pattern-based approach. In Proceedings of the 11th International Conference on Artificial Intelligence and Law (ICAIL 2007), pages 149-154. ACM Press. 2007.
    Abstract: Laws set requirements that force organizations to assess the security and privacy of their IT systems and impose the implementation of minimal precautionary security measures. Several frameworks have been proposed to deal with this issue. For instance, purpose-based access control is normally considered a good solution for meeting the requirements of privacy legislation. Yet, understanding why, how, and when such solutions to security and privacy problems have to be deployed often remains unanswered. In this paper, we look at the problem from a broader perspective, accounting for legal and organizational issues. Security engineers and legal experts should be able to start from the organizational model and derive from there the points where security and privacy problems may arise, and determine which solutions best fit the (legal) problems that they face. In particular, we investigate the methodology needed to capture security and privacy requirements for a Health Care Centre using a smart items infrastructure.

  32. Y. Asnar, P. Giorgini, and N. Zannone. Reasoning about Risk in Agent's Deliberation Process: a Jadex Implementation. In Proceedings of the 8th International Workshop on Agent Oriented Software Engineering (AOSE'07), 2007.
    Abstract: Autonomous agents and multi-agent systems have proved useful in several safety-critical applications. However, in current agent architectures (particularly BDI architectures) the deliberation process does not include any form of risk analysis. In this paper, we propose guidelines to implement Tropos Goal-Risk reasoning. Our proposal aims at introducing risk reasoning in the deliberation process of a BDI agent so that the overall set of possible plans is evaluated with respect to risk. When the level of risk turns out to be too high, agents can consider and introduce additional plans, called treatments, that produce an overall reduction of the risk. Side effects of treatments are also considered as part of the model. To make the discussion more concrete, we illustrate the proposal with a case study on an Unmanned Aerial Vehicle agent.

  33. Y. Asnar, P. Giorgini, F. Massacci, and N. Zannone. From Trust to Dependability through Risk Analysis. In Proceedings of the 2nd International Conference on Availability, Reliability and Security (ARES'07), pages 19-26. IEEE Computer Society Press, 2007.
    Abstract: The importance of critical systems has been widely recognized and several efforts are devoted to integrating dependability requirements in their development process. Such efforts have resulted in a number of models, frameworks, and methodologies that have been proposed to model and assess the dependability of critical systems. Among them, risk analysis considers the likelihood and severity of failures for evaluating the risk affecting the system. In our previous work, we introduced the Tropos Goal-Risk framework, a formal framework for modeling, assessing, and treating risks on the basis of the likelihood and severity of failures. In this paper, we refine this framework by introducing the notion of trust for assessing risks on the basis of the organizational setting of the system. The assessment process is also enhanced to analyze risks along trust relations among actors. To make the discussion more concrete, we illustrate the framework with a case study on partial airspace delegation in an Air Traffic Management system.

  34. F. Massacci, J. Mylopoulos and N. Zannone. A Privacy Model to Support Minimal Disclosure in Virtual Organizations. In Proceedings of the W3C Workshop on Languages for Privacy Policy Negotiation and Semantics-Driven Enforcement, 2006.
    Abstract: The last years have seen increasing attention on privacy-aware technologies and mechanisms for the negotiation of private information between customers and enterprises. Unfortunately, current proposals are still unsatisfactory since they do not cover the entire spectrum of privacy management. Moreover, they do not provide support for emerging business models such as the inter-organizational business process (also known as virtual organizations). In this paper we propose a privacy model complying with the minimal disclosure principle when a coalition of organizations integrates their efforts to provide services to customers.

  35. P. Giorgini, F. Massacci, J. Mylopoulos and N. Zannone. Detecting Conflicts of Interest. In Proceedings of the 14th IEEE International Requirements Engineering Conference (RE'06), pages 315-318. IEEE Computer Society Press, 2006.
    Abstract: System vulnerabilities are often caused by the presence of conflicts within the organization where the system-to-be will eventually operate. In particular, conflicts of interest are very harmful since actors can exploit their positions/roles relative to the system for gaining personal advantage. Capturing and resolving such conflicts is a necessary condition for developing secure information systems. In this paper, we show how conflicts of interest can be formally detected during requirements analysis. This allows system designers to investigate the causes for which conflicts may occur in an organization. Thereby, they can better understand the organizational structure and so provide appropriate countermeasures to resolve or at least mitigate them.

  36. V. Bryl, F. Massacci, J. Mylopoulos and N. Zannone. Designing Security Requirements Models through Planning. In Proceedings of the 4th International Workshop on AI for Service Composition, pages 28-35, 2006.
    Abstract: The quest for designing secure and trusted software has led to refined Software Engineering methodologies that rely on tools to support the design process. Automated reasoning mechanisms for requirements and software verification are by now a well-accepted part of the design process, and model driven architectures support the automation of the refinement process. We claim that we can further push the envelope towards the automatic exploration and selection among design alternatives and show that this is concretely possible for Secure Tropos, a requirements engineering methodology that addresses security and trust concerns. In Secure Tropos, a design consists of a network of actors (agents, positions or roles) with delegation/permission dependencies among them. Accordingly, the generation of design alternatives can be accomplished by a planner which is given as input a set of actors and goals and generates alternative multi-agent plans to fulfill all given goals. We validate our claim with a case study using a state-of-the-art planner.

  37. N. Zannone, S. Jajodia, and D. Wijesekera. Creating Objects in the Flexible Authorization Framework. In Proceedings of the 20th Annual IFIP WG 11.3 Working Conference on Data and Applications Security (DBSec 2006), LNCS 4127, pages 1-14, Springer-Verlag GmbH, 2006.
    Abstract: Access control is a crucial concern to build secure IT systems and, more specifically, to protect the confidentiality of information. However, access control is necessary, but not sufficient. IT systems can manipulate data to provide services to users, and the results of a data processing may disclose information concerning the objects used in the data processing itself. Therefore, the control of information flow is fundamental to guarantee data protection. In the last years many information flow control models have been proposed. However, these frameworks mainly focus on the detection and prevention of improper information leaks and do not provide support for the dynamic creation of new objects. In this paper we extend our previous work to automatically support the dynamic creation of objects by verifying the conditions under which objects can be created and automatically associating an access control policy to them. Moreover, our proposal includes mechanisms tailored to control the usage of information once it has been accessed.

  38. V. Bryl, F. Massacci, J. Mylopoulos and N. Zannone. Designing Security Requirements Models through Planning. In Proceedings of the 18th Conference on Advanced Information Systems Engineering (CAiSE'06), LNCS 4001, pages 33-47, Springer-Verlag GmbH, 2006.
    Abstract: The quest for designing secure and trusted software has led to refined Software Engineering methodologies that rely on tools to support the design process. Automated reasoning mechanisms for requirements and software verification are by now a well-accepted part of the design process, and model driven architectures support the automation of the refinement process. We claim that we can further push the envelope towards the automatic exploration and selection among design alternatives and show that this is concretely possible for Secure Tropos, a requirements engineering methodology that addresses security and trust concerns. In Secure Tropos, a design consists of a network of actors (agents, positions or roles) with delegation/permission dependencies among them. Accordingly, the generation of design alternatives can be accomplished by a planner which is given as input a set of actors and goals and generates alternative multi-agent plans to fulfill all given goals. We validate our claim with a case study using a state-of-the-art planner.

  39. N. Zannone, S. Jajodia, F. Massacci and D. Wijesekera. Maintaining Privacy on Derived Objects. In Proceedings of Workshop on Privacy in the Electronic Society (WPES'05), pages 10-19. ACM Press, 2005.
    Abstract: Protecting privacy means ensuring users that access to their personal data complies with their preferences. However, information can be manipulated in order to derive new objects that may disclose part of the original information. Therefore, control of information flow is necessary for guaranteeing privacy protection, since users should know and control not only who accesses their personal data, but also who accesses information derived from their data. Yet, current approaches for access control do not provide support for managing propagation of information and for representing user preferences. This paper proposes to extend the Flexible Authorization Framework (FAF) in order to automatically verify whether a subject is entitled to process personal data and to derive the authorizations associated with the outcome of data processing. In order to control information flow, users may specify the range of authorizations that can be associated with objects derived from their data. The framework guarantees that every "valid" derived object does not disclose more information than users want and preserves the permissions that users want to maintain. To make the discussion more concrete, we illustrate the proposal with a bank case study.

  40. F. Massacci, J. Mylopoulos and N. Zannone. Minimal Disclosure in Hierarchical Hippocratic Databases with Delegation. In Proceedings of the 10th European Symposium on Research in Computer Security (ESORICS 2005), LNCS 3679, pages 438-454, Springer-Verlag GmbH, 2005.
    Abstract: Hippocratic Databases have been proposed as a mechanism to guarantee the respect of privacy principles in data management. We argue that three major principles are missing from the proposed mechanism: hierarchies of purposes, delegation of tasks and authorizations (i.e. outsourcing), and the minimal disclosure of private information. In this paper, we propose a flexible framework for the negotiation of personal information among customers and (possibly virtual) enterprises based on user preferences when enterprises may adopt different processes to provide the same service. We use a goal-oriented approach to analyze the purposes of a Hippocratic system and derive a purpose and delegation hierarchy. Based on this hierarchy, effective algorithms are given to determine the minimum set of authorizations needed for a service. In this way, the minimal authorization table of a global business process can be automatically constructed from the collection of privacy policy tables associated with the collaborating enterprises. By using effective on-line algorithms, the derivation of such minimal information can also be done on-the-fly by the customer wishing to use the services of a virtual organization.

  41. P. Giorgini, F. Massacci, J. Mylopoulos and N. Zannone. Modeling Security Requirements Through Ownership, Permission and Delegation. In Proceedings of the 13th IEEE International Requirements Engineering Conference (RE'05), pages 167-176. IEEE Computer Society Press, 2005.
    Abstract: Security Requirements Engineering is emerging as a branch of Software Engineering, spurred by the realization that security must be dealt with early on during the requirements phase. Methodologies in this field are challenging, as they must take into account subtle notions such as trust (or lack thereof), delegation, and permission; they must also model entire organizations and not only systems-to-be. In our previous work we introduced Secure Tropos, a formal framework for modeling and analyzing security requirements. Secure Tropos is founded on three main notions: ownership, trust, and delegation. In this paper we refine Secure Tropos introducing the notions of at-least delegation and trust of execution; also, at-most delegation and trust of permission. We also propose monitoring as a security design pattern intended to overcome the problem of lack of trust between actors. The paper presents a semantics for these notions, and describes an implemented formal reasoning tool based on Datalog.

  42. P. Giorgini, F. Massacci, J. Mylopoulos and N. Zannone. ST-Tool: A CASE Tool for Security Requirements Engineering. In Proceedings of the 13th IEEE International Requirements Engineering Conference (RE'05), pages 451-452. IEEE Computer Society Press, 2005.
    Abstract: Security Requirements Engineering is emerging as a branch of Software Engineering, spurred by the realization that security must be dealt with early on during the requirements phase. We propose ST-Tool, a CASE tool developed for modeling and analyzing functional and security requirements.

  43. P. Giorgini, F. Massacci, J. Mylopoulos and N. Zannone. Modeling Social and Individual Trust in Requirements Engineering Methodologies. In Proceedings of the Third International Conference on Trust Management (iTrust 2005), LNCS 3477, pages 161-176. Springer-Verlag GmbH, 2005.
    Abstract: When we model and analyze trust in organizations or information systems we have to take into account two different levels of analysis: social and individual. Social levels define the structure of organizations, whereas individual levels focus on individual agents. This is particularly important when capturing security requirements, where a "normally" trusted organizational role can be played by an untrusted individual. Our goal is to model and analyze the two levels, finding the link between them and supporting the automatic detection of conflicts that can come up when agents play roles in the organization. We also propose a formal framework that allows for the automatic verification of security requirements between the two levels by using Datalog and has been implemented in a CASE tool.

  44. P. Giorgini, F. Massacci, J. Mylopoulos, A. Siena and N. Zannone. ST-Tool: A CASE Tool for Modeling and Analyzing Trust Requirements. In Proceedings of the Third International Conference on Trust Management (iTrust 2005), LNCS 3477, pages 415-419. Springer-Verlag GmbH, 2005.
    Abstract: ST-Tool is a graphical tool integrating an agent-oriented requirements engineering methodology with tools for the formal analysis of models. Essentially, the tool allows designers to draw visual models representing functional, security and trust requirements of systems and, then, to verify formally and automatically their correctness and consistency through different model-checkers.

  45. P. Giorgini, F. Massacci, J. Mylopoulos and N. Zannone. Filling the gap between Requirements Engineering and Public Key/Trust Management Infrastructures. In Proceedings of the 1st European PKI Workshop: Research and Applications (1st EuroPKI), LNCS 3093, pages 98-111. Springer-Verlag GmbH, 2004.
    Abstract: The last years have seen a major interest in designing and deploying trust management and public key infrastructures. Yet, it is still far from clear how one can pass from the organization and system requirements to the actual credentials and attribution of permissions in the PKI infrastructure. Our goal in this paper is to fill this gap. We propose a formal framework for modeling and analyzing security and trust requirements that extends the Tropos methodology for early requirements modeling. The key intuition that underlies our work is the identification of distinct roles for actors that manipulate resources, accomplish goals or execute tasks, and actors that own or permit usage of resources or goals. The paper also presents a simple case study and a PKI/trust management implementation.

  46. F. Massacci and N. Zannone. Privacy is Linking Permission to Purpose. In Proceedings of the Twelfth International Workshop on Security Protocols, LNCS 3957, pages 179-191. Springer-Verlag GmbH, 2004.
    Abstract: The last years have seen a peak in privacy-related research. The focus has been mostly on how to protect the individual from being tracked, with plenty of anonymizing solutions. We advocate another model that is closer to the "physical" world: we consider our privacy respected when our personal data is used for the purpose for which we gave it in the first place. Essentially, in any distributed authorization protocol, credentials should mention their purpose besides their powers. For this information to be meaningful we should link it to the functional requirements of the original application. We sketch how one can modify a requirements engineering methodology to incorporate security concerns so that we explicitly trace back the high-level goals for which a functionality has been delegated by a (human or software) agent to another one. Then one could directly derive purpose-based trust management solutions from the requirements.

  47. P. Giorgini, F. Massacci, J. Mylopoulos and N. Zannone. Requirements Engineering meets Trust Management: Model, Methodology, and Reasoning. In Proceedings of the Second International Conference on Trust Management (iTrust 2004), LNCS 2995, pages 176-190. Springer-Verlag GmbH, 2004.
    Abstract: The last years have seen a number of proposals to incorporate Security Engineering into mainstream Software Requirements Engineering. However, capturing trust and security requirements at an organizational level (as opposed to a design level) is still an open problem. This paper presents a formal framework for modeling and analyzing security and trust requirements. It extends the Tropos methodology, an agent-oriented software engineering methodology. The key intuition is that in modeling security and trust, we need to distinguish between the actors that manipulate resources, accomplish goals or execute tasks, and the actors that own the resources or the goals. To analyze an organization and its information systems, we proceed in two steps. First, we build a trust model, determining the trust relationships among actors; then we give a functional model, where we analyze the actual delegations against the trust model, checking whether an actor that offers a service is authorized to have it. The formal framework allows for the automatic verification of security and trust requirements by using a suitable delegation logic that can be mechanized within Datalog. To make the discussion more concrete, we illustrate the proposal with a Health Care case study.

  48. C. Bodei, P. Degano, C. Priami and N. Zannone. An Enhanced CFA for Security Policies. In Proceedings of the Workshop on Issues on the Theory of Security (WITS'03), pages 131-145, 2003.
    Abstract: We introduce a Control Flow Analysis, improving the one in [6], that statically approximates the dynamic behaviour of mobile processes, expressed in (a variant of) the pi-calculus. Our analysis of a system is able to describe the behaviour of each sub-system, tracking where and between whom communications may occur. To identify each sub-system, we use a syntactic encoding of its position inside the abstract syntax tree. Furthermore, our analysis is general enough to safely approximate the behaviour of a system plugged in a larger and mainly unknown context, without explicitly analysing it. Quite a lot of possible properties fan out, among which some related to security policies.

National Conferences and Workshops

  1. V. Bryl, P. Mello, M. Montali, P. Torroni and N. Zannone. Extending Agent-oriented Requirements with Declarative Business Processes: a Computational Logic-based Approach. In Proceedings of the 22nd Convegno Italiano di Logica Computazionale (CILC'07), 2007.
    Abstract: The analysis of business requirements and the specification of business processes are fundamental for the development of information systems. The focus of this paper is on the combination of these two phases, that is, on linking the business goals and requirements to the business process model. To this end, we propose to extend the Tropos framework, which is used to model system and business requirements, with declarative business process-oriented constructs inspired by the DecSerFlow and ConDec languages. We also show how the proposed framework can be mapped into SCIFF, a computational logic-based framework, for property and conformance verification.

PhD Thesis

  1. N. Zannone. A Requirements Engineering Methodology for Trust, Security, and Privacy. PhD Thesis. University of Trento, March 2007.
    Abstract: Security Requirements Engineering is emerging as a branch of Software Engineering, spurred by the realization that security must be dealt with early on during the requirements phase. This entails capturing security, privacy, and trust requirements at an organizational level, as opposed to an IT system level. Specifically, the development of secure and privacy-aware systems requires explicitly modeling the goals and trust relations of the stakeholders of the system, which will be partially implemented by the IT system and partially by organizational procedures. To this end, we propose Secure Tropos, an agent-oriented requirements engineering methodology tailored to model and analyze the security, privacy, and trust requirements of systems and of the organizational setting where they operate. The Secure Tropos methodology adopts the SI* modeling language for the acquisition, modeling and analysis of requirements. This language proposes a set of concepts founded on the notions of permission, delegation, and trust. These concepts are formalized and are shown to support the requirements analysis process through a formal reasoning tool based on the Answer Set Programming paradigm. This allows designers to automatically verify the correctness of security, privacy, and trust requirements and their consistency with functional requirements.
