Posted by: Andy Tickner | 20th October 2009

System Modelling Innovations

SERSCIS is generating new system architecture modelling ontologies. The Springboard software tool developed by QinetiQ can use the models based on these ontologies to automatically produce ‘systems of systems views’. An example picture is shown here that has been captured from the tool (click picture for full detail).

Here Springboard is showing interdependencies that have been found between the resource “Natural Gas” and the many services and functions that ultimately rely on natural gas. The key innovation in Springboard is that it can automatically infer and visualise such relationships and interdependencies. In this way Springboard can discover the system of systems that emerges even where it is not readily apparent except in details of the underlying data and provide.

The ontology used in the picture above includes description logics that specify what action is taken in the case of a direct or indirect failure of a resource. For example, a catastrophic failure of the Electricity Generation service will have a direct effect on the service functions it provides. However, the service functions of the Telecoms service may be resilient to a failure of the Electricity Generation service (and the consequent absence of Electricity), since Telecoms also depends on Natural Gas. Understanding such system-level interdependencies could prompt the user to put the necessary precautions and alternative planning mechanisms in place at the service level using SERSCIS components.

In the next picture (click picture for full detail) a different ontology is being processed. The text in the top left reads “DBSy.pprj” because the user has loaded a DBSy-based InfoSec model into Springboard. In fact, Springboard is using the same model that produces the security views in the SERSCIS Decision Support Tool, as shown in the centre of this figure from decision support.

From this display the user can see the potential for cascading failure or propagating attacks from one domain to another. In this case the criticality of the domains is probably equal, but in other cases seemingly less important (and possibly less well protected) parts of a system of systems will be connected to more crucial parts. An attacker may choose to target those less critical, less protected systems and still manage to adversely affect more crucial systems. Workshops conducted by QinetiQ with threat analysis experts have corroborated the real-world significance of propagating attack strategies, including in the scenarios used in the application case studies.
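
The two kinds of inference described above (which services ultimately rely on a resource, allowing for resilient alternatives, and which weakly protected domains a cascade can travel through to reach critical ones) can be shown on a small constructed model. The following is an added example, not Springboard's code or a SERSCIS ontology: the node names, the alternative-dependency structure (Telecoms with a gas-fired alternative to Electricity), the domain criticality and protection scores, and the connections are all constructed for illustration.

```python
from collections import deque

# Constructed sample dependency model (not SERSCIS or Springboard data).
# Each node maps to a list of alternatives; each alternative is a list of
# nodes that must ALL be operational for that alternative to hold. A node
# stays operational while at least ONE alternative holds. Root resources
# have no alternatives and only fail when declared failed.
MODEL = {
    "Natural Gas": [],
    "Electricity Generation": [["Natural Gas"]],
    "Electricity": [["Electricity Generation"]],
    # Telecoms is resilient to loss of Electricity because gas-fired
    # backup generation is an alternative (constructed assumption).
    "Telecoms": [["Electricity"], ["Natural Gas"]],
    "Water Pumping": [["Electricity"]],
    # Air traffic control needs both power and telecoms.
    "Air Traffic Control": [["Electricity", "Telecoms"]],
}


def propagate(model, initially_failed):
    """Return every node that fails, directly or indirectly, given an initial failure set.

    Iterates to a fixpoint: a node fails once every one of its alternatives
    contains at least one failed member.
    """
    failed = set(initially_failed)
    changed = True
    while changed:
        changed = False
        for node, alternatives in model.items():
            if node in failed or not alternatives:
                continue
            if all(any(member in failed for member in alt) for alt in alternatives):
                failed.add(node)
                changed = True
    return failed


def dependents_of(model, resource):
    """Everything that ultimately relies on `resource` (the 'Natural Gas' view in the text)."""
    return propagate(model, {resource}) - {resource}


# Constructed InfoSec-style domain model: name -> (criticality, protection level), both 1..5.
DOMAINS = {
    "Public Web Portal": (1, 2),
    "Ground Handling": (2, 2),
    "Airline Ops": (3, 4),
    "Airport CDM Hub": (5, 5),
    "ANSP": (5, 5),
}
# Constructed connections: a failure or compromise in the key can propagate to the values.
CONNECTIONS = {
    "Public Web Portal": {"Ground Handling"},
    "Ground Handling": {"Airport CDM Hub"},
    "Airline Ops": {"Airport CDM Hub"},
    "Airport CDM Hub": {"ANSP"},
    "ANSP": set(),
}


def reachable(connections, start):
    """Domains reachable from `start` by following connections (breadth-first)."""
    seen, queue = set(), deque([start])
    while queue:
        current = queue.popleft()
        for nxt in connections.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposure_report(domains, connections, min_gap=2):
    """For each domain, list the markedly less-protected domains from which a cascade can reach it.

    `min_gap` is the protection-level difference that counts as 'markedly less protected'.
    Domains named in the report are where precautions at the weaker end pay off most.
    """
    report = {}
    for target, (_crit, protection) in domains.items():
        weaker = sorted(
            source for source, (_c, source_protection) in domains.items()
            if source != target
            and protection - source_protection >= min_gap
            and target in reachable(connections, source)
        )
        if weaker:
            report[target] = weaker
    return report


if __name__ == "__main__":
    print("relies on Natural Gas:", sorted(dependents_of(MODEL, "Natural Gas")))
    print("fails with Electricity Generation:", sorted(propagate(MODEL, {"Electricity Generation"})))
    print("exposure:", exposure_report(DOMAINS, CONNECTIONS))
```

With this model a failure of Electricity Generation takes down Electricity, Water Pumping and Air Traffic Control but leaves Telecoms running on its Natural Gas alternative, while a Natural Gas failure takes Telecoms with it; the exposure report flags the two most critical domains as reachable from the two least protected ones.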

The importance of loading a variety of model types is that it demonstrates how Springboard can be used as a common and unifying tool for discovering dependency issues by drawing on many types of SERSCIS-related models. In the final demonstration our aim is to show that SERSCIS system modelling supports dependability analysis across a very wide range of modelling schemes.

Some of the associations between resources, services and service providers in the pictures above may have already been obvious to the operator. However, using SERSCIS system modelling tools users can gain a greater understanding of the systems they oversee and manage the dependencies within them and those that relate to systems beyond their direct control.

This is important because dependencies – particularly interdependencies – may not be fully appreciated for reasons such as:

  • changes in low-level details;
  • changes in Service Level Agreements;
  • changes in potential impacts;
  • overall system complexity and/or dynamism.

Posted by: Andy Tickner | 14th October 2009

Testbed Architecture

An architecture reflecting the requirements of the SERSCIS project has been developed. The individual components of this architecture are currently being implemented by the project partners and will be integrated into the testbed in the next phase of the project.

The architecture shown here depicts the components of the SERSCIS testbed for a particular service provider. Two channels of communication exist between downstream service consumers and upstream service providers. The management channel allows information to be exchanged regarding the negotiation of access to resources and their characteristics (encoded as SLAs), as well as runtime usage information relating to these terms and conditions. The application channel allows the functional services to be invoked and return results (both interim and final) based on this invocation. Within a service provider’s domain, the components communicate via an Enterprise Service Bus (ESB). The individual components are explained in more detail below.

Decision Support

Monitoring of events occurs at each service, using a service monitor. These events are sent to and aggregated by a monitoring hub, which monitors specified Key Performance Indicators (KPIs). These are displayed to the operator, who can filter and query the information using the decision support tool. This will help SERSCIS-assisted operators to manage the system by administering other SERSCIS components (through their admin interfaces) or by direct actions on the critical infrastructure resources or ICT applications.

System Models

These models integrate service models in terms of abstract workflows, service-level QoS parameters and service management actions (responses to failure) to ensure that the total system configuration can reasonably be expected to adequately satisfy system-level performance and availability requirements based on local service monitoring and management actions.

SLA Manager

The SLA manager hosts SLA templates and handles requests from clients for SLAs based on them. The SLA manager grants new SLAs, provides information to the clients on their status, and may terminate existing SLAs if required.

Resource Manager

The resource manager handles the acquisition/allocation and removal of resources, and maintains a registry of these resources in which the orchestrator can discover resources when it has to execute a service workflow. This allows service providers to pursue dynamic provisioning strategies.

Service Manager

The service manager is responsible for ensuring that the service can meet its current and future commitments. Service providers can operate a flexible management strategy in response to failure or under-performance in resources. When certain events occur (such as agreeing a new SLA, the failure of a resource or the provision of service outside the terms of an SLA), the service manager may use the resource manager and SLA manager to alter its resources and/or commitments to keep them in balance with each other. It may also change the access control policy on the service.

Service Access Control Point

Access to the service is restricted according to a security policy that is dynamically updatable and enforced at the time of invocation.

System Orchestrator

The system orchestrator coordinates the use of application services to execute a workflow. A workflow editor is used to define an abstract workflow, which represents the orchestration of resources (including external services) used by a system (which may itself be a service), together with non-functional requirements on its execution. The workflow composer concretises these workflows by selecting appropriate resources from the semantic service registry, in which the resource manager has stored all resources available to the service. The workflow service coordinates all the steps that are required for workflow execution.

Application Services

The application services represent the actual functionality offered by the service provider; they are wrapped and invoked as Web services.

Posted by: Andy Tickner | 13th October 2009

Service Composition Prototype

Selection of the Workflow Representation Language

Although the system architecture is designed to be open for executing workflows defined in arbitrary languages as long as a suitable execution component is available, the selection of a workflow representation language for the prototype is an important step as it influences decisions to be made for other aspects of its implementation.

We chose Business Process Execution Language (BPEL) plus semantic annotations for the following reasons:

  • All the requirements for implementing the first prototype as well as the full scenario prototype are met by this combination. There are no planned features that cannot be expressed that way.
  • BPEL contains a well defined mechanism for treatment of failure situations, which is of utmost importance in critical infrastructures.
  • BPEL has gained the status of a standard in service orchestration language and there are mature tools available for handling such workflows.

Although it is a de facto industry standard, BPEL remains popular as a basis for projects in the semantic web service research community.

Dynamic Service Binding

One of the challenges is to solve the problem of finding a set of suitable services. The degree of complexity of this problem depends on the degree of freedom in the matching process.

For the service composition prototype, SERSCIS simplifies the service-finding problem in two ways: interface types are arranged in a taxonomy, and semantic matching is done against interface types only.

For the first prototype the service selection process is done on a per invocation basis including the adherence to dependencies among service invocations.
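
The workflow composer described in the Testbed Architecture post (concretising an abstract workflow from a semantic service registry) together with the two simplifications above can be shown as one small composer. This is an added example, not the SERSCIS prototype's code: the interface-type taxonomy, the registry entries, the workflow steps and the "same_provider_as" dependency (one assumed kind of dependency between service invocations, since the text does not say which kinds the prototype enforces) are all constructed.

```python
# Constructed interface-type taxonomy (child -> parent); stands in for the
# taxonomy the text describes, not SERSCIS's actual ontology.
TAXONOMY = {
    "FlightDataService": "DataService",
    "WeatherService": "DataService",
    "TurnaroundPredictor": "PredictionService",
    "DataService": "Service",
    "PredictionService": "Service",
}


def is_subtype(taxonomy, candidate, required):
    """True if `candidate` is `required` itself or a descendant of it in the taxonomy."""
    node = candidate
    while node is not None:
        if node == required:
            return True
        node = taxonomy.get(node)
    return False


# Constructed semantic service registry, as a resource manager would populate it.
REGISTRY = [
    {"id": "fd-A", "type": "FlightDataService", "provider": "AirlineOps", "availability": 0.999},
    {"id": "fd-B", "type": "FlightDataService", "provider": "Handler1", "availability": 0.990},
    {"id": "wx-1", "type": "WeatherService", "provider": "MetOffice", "availability": 0.995},
    {"id": "tp-1", "type": "TurnaroundPredictor", "provider": "Handler1", "availability": 0.980},
    {"id": "tp-2", "type": "TurnaroundPredictor", "provider": "AirlineOps", "availability": 0.975},
]

# Constructed abstract workflow: each step names the interface type it needs
# and a non-functional requirement (minimum availability). "same_provider_as"
# is an assumed inter-invocation dependency: the step must be served by the
# provider already chosen for an earlier step.
WORKFLOW = [
    {"step": "fetch_base_data", "requires": "DataService", "min_availability": 0.999},
    {"step": "predict_tobt", "requires": "PredictionService", "min_availability": 0.97,
     "same_provider_as": "fetch_base_data"},
    {"step": "fetch_weather", "requires": "WeatherService", "min_availability": 0.99},
]


def compose(workflow, registry, taxonomy):
    """Concretise an abstract workflow: bind each step to one registry service, in order.

    Returns {step name: service id}. Raises LookupError when a step cannot be bound,
    which is the signal the orchestrator's failure handling would act on.
    """
    binding = {}
    for step in workflow:
        # Semantic matching against interface types only: the service's type
        # must equal the required type or sit below it in the taxonomy.
        candidates = [
            svc for svc in registry
            if is_subtype(taxonomy, svc["type"], step["requires"])
            and svc["availability"] >= step["min_availability"]
        ]
        anchor = step.get("same_provider_as")
        if anchor is not None:
            wanted = binding[anchor]["provider"]
            candidates = [svc for svc in candidates if svc["provider"] == wanted]
        if not candidates:
            raise LookupError(f"no registered service satisfies step {step['step']!r}")
        # Per-invocation choice: the best-available candidate for this step.
        binding[step["step"]] = max(candidates, key=lambda svc: svc["availability"])
    return {name: svc["id"] for name, svc in binding.items()}


if __name__ == "__main__":
    print(compose(WORKFLOW, REGISTRY, TAXONOMY))
```

Note how the dependency changes the outcome: on availability alone `predict_tobt` would bind to `tp-1`, but because `fetch_base_data` was bound to an AirlineOps service the composer picks `tp-2` instead.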

Failures and Exception Handling

One of the primary goals within SERSCIS is to make the system resilient. In this respect, it is important to think about exception handling strategies in the context of workflow execution. By using a BPEL engine as execution environment for business processes, workflows can make use of built-in features for exception handling.

Posted by: Andy Tickner | 16th September 2009

Decision Support Prototype

For the initial prototype in SERSCIS, the Decision Support Tools (DST) have been enhanced with the development of a monitoring and message passing framework that integrates with the InfoSec editor. The editor has also been enhanced with supplemental user interface components that build on the existing user interface to provide non-intrusive notification of monitoring messages to the user.

As shown in the diagram to the left, monitoring messages can be supplied from the SERSCIS system either as part of the event-decision-action loop of SERSCIS via the Enterprise Service Bus (ESB) when the system cannot make a decision based on policy, or as direct notifications of Key Performance Indicators (KPIs) from the components themselves.

The initial monitoring framework has been developed independently of the other SERSCIS components and will be integrated with them in the final prototype through a “monitoring translator” that will be specifically designed to convert the SERSCIS messages into the more general form used by the monitoring framework. This separation of monitoring consumer from monitoring provider allows both the creation of mock providers in the initial prototype, to indicate how the system will work, and a way in which additional monitoring values from other sources can be readily incorporated.

The screenshot to the left shows an example of the colour filters highlighting entities in red that have received monitoring messages in a simple Airport Collaborative Decision Making (CDM) system in the InfoSec tooling. The use of colouring to highlight these entities allows the user to be visually notified of monitoring events and incidents, thereby improving their situational awareness without the information overload caused by a storm of dialog notifications. Different severities of monitoring event can be represented by different colours, emphasising the most serious events. The most extreme and important monitoring events could raise dialog notifications that are purposefully intrusive in the user’s operations, although this would have to be tempered against the aforementioned “dialog storm”.
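
The notification policy sketched above (per-entity colour by highest severity, dialogs only for the most serious events, and no dialog storm) is small enough to write down. The following is an added example and not the Decision Support Tool's code: the severity scale, colour palette, message fields, rate-limit window and the sample message stream are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed severity scale and colour filter; the tool's real palette is not given in the text.
SEVERITY_RANK = {"info": 0, "warning": 1, "critical": 2}
SEVERITY_COLOUR = {"info": "blue", "warning": "amber", "critical": "red"}


@dataclass(frozen=True)
class MonitoringMessage:
    time: float      # seconds since start of the session (constructed)
    entity: str      # name of the InfoSec model entity the message concerns
    severity: str    # one of SEVERITY_RANK
    kpi: str         # KPI name reported by the provider
    text: str


class NotificationFilter:
    """Turns monitoring messages into entity highlights, raising dialogs only for the worst events.

    Every message raises the colour of its entity to the highest severity seen
    since the last acknowledgement. Dialogs are raised only at `dialog_severity`
    or above, and at most `max_dialogs` per entity within any `window` seconds,
    so a burst of messages cannot turn into a dialog storm.
    """

    def __init__(self, dialog_severity="critical", window=60.0, max_dialogs=1):
        self.dialog_severity = dialog_severity
        self.window = window
        self.max_dialogs = max_dialogs
        self.worst = {}                         # entity -> worst severity seen
        self.dialog_times = defaultdict(list)   # entity -> times of dialogs raised

    def handle(self, msg):
        """Process one message; returns (highlight colour for the entity, whether to raise a dialog)."""
        previous = self.worst.get(msg.entity)
        if previous is None or SEVERITY_RANK[msg.severity] > SEVERITY_RANK[previous]:
            self.worst[msg.entity] = msg.severity

        raise_dialog = False
        if SEVERITY_RANK[msg.severity] >= SEVERITY_RANK[self.dialog_severity]:
            recent = [t for t in self.dialog_times[msg.entity] if msg.time - t < self.window]
            if len(recent) < self.max_dialogs:
                recent.append(msg.time)
                raise_dialog = True
            self.dialog_times[msg.entity] = recent
        return SEVERITY_COLOUR[self.worst[msg.entity]], raise_dialog

    def acknowledge(self, entity):
        """Operator has dealt with the entity: clear its highlight."""
        self.worst.pop(entity, None)

    def highlights(self):
        """Current entity -> colour map for the editor's colour filter."""
        return {entity: SEVERITY_COLOUR[sev] for entity, sev in self.worst.items()}


# Constructed message stream: a burst of critical KPI breaches on one entity,
# lower-severity traffic on another, and a repeat breach after the window.
SAMPLE_MESSAGES = [
    MonitoringMessage(0.0, "CDM Hub", "critical", "availability", "service unreachable"),
    MonitoringMessage(1.0, "CDM Hub", "critical", "availability", "service unreachable"),
    MonitoringMessage(2.0, "CDM Hub", "critical", "availability", "service unreachable"),
    MonitoringMessage(3.0, "CDM Hub", "critical", "availability", "service unreachable"),
    MonitoringMessage(4.0, "Ground Handling", "warning", "latency", "TOBT update late"),
    MonitoringMessage(5.0, "Ground Handling", "info", "latency", "TOBT update received"),
    MonitoringMessage(100.0, "CDM Hub", "critical", "availability", "service unreachable"),
]


def process(messages, filt=None):
    """Run a message stream through the filter; returns (highlight map, number of dialogs raised)."""
    filt = filt or NotificationFilter()
    dialogs = 0
    for msg in messages:
        _colour, raise_dialog = filt.handle(msg)
        dialogs += int(raise_dialog)
    return filt.highlights(), dialogs


if __name__ == "__main__":
    print(process(SAMPLE_MESSAGES))
```

Seven messages produce two dialogs rather than five: the four-message burst on "CDM Hub" collapses into one dialog plus a red highlight, and the later message at t=100 is outside the window so it is allowed through. The info message on "Ground Handling" does not downgrade its amber highlight; only an operator acknowledgement clears it.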

Posted by: Andy Tickner | 16th September 2009

System Governance Innovations

SERSCIS will deliver novel technologies in system governance in the areas of dynamic resource management, automated and assisted governance and SLAs for dependability commitments. These areas of contribution correspond to the following three major components of the system governance prototype:

Resource Manager

  • New capacity models that allow service providers to pursue dynamic provisioning strategies
  • Semantic storage and discovery of resources that allow workflows matching dependability requirements to be composed from a pool of available resources

Service Manager

  • Balance the level of commitments with the available resources and operate a flexible management strategy in response to failure or under-performance in resources
  • Variable level of autonomy between automated and assisted management through policy-based management
  • Round trip from service monitoring to a risk management process and back to service management

SLA Manager

  • Service Level Agreement represents a resource and is the root of trust
  • Dynamically manage trust across domains
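
The interplay of the three managers listed here, and described component by component in the Testbed Architecture post (grant SLAs against healthy capacity, provision dynamically on failure, shed commitments when provisioning is exhausted, and adjust the service's access control policy), can be shown as one constructed walk-through. This is an added example and not the GRIA-based governance prototype's code: the capacity units, spare pool, SLA priorities, headroom threshold and policy names are all constructed.

```python
from dataclasses import dataclass

LOW_HEADROOM = 10   # constructed threshold (capacity units) below which access is tightened


@dataclass
class Resource:
    rid: str
    capacity: int        # abstract capacity units (constructed)
    healthy: bool = True


@dataclass
class SLA:
    sid: str
    client: str
    committed: int       # capacity units promised to the client
    priority: int        # 1 = most important commitment


class ResourceManager:
    """Registry of allocated resources plus a constructed pool of spares for dynamic provisioning."""

    def __init__(self, resources, spare_pool):
        self.registry = {r.rid: r for r in resources}
        self.spare_pool = list(spare_pool)

    def capacity(self):
        return sum(r.capacity for r in self.registry.values() if r.healthy)

    def mark_failed(self, rid):
        self.registry[rid].healthy = False

    def provision(self):
        """Acquire one spare resource into the registry; None when the pool is empty."""
        if not self.spare_pool:
            return None
        spare = self.spare_pool.pop(0)
        self.registry[spare.rid] = spare
        return spare


class SLAManager:
    """Grants SLAs, reports their status, and terminates them on request."""

    def __init__(self):
        self.active = {}

    def grant(self, sla):
        self.active[sla.sid] = sla

    def terminate(self, sid):
        return self.active.pop(sid)

    def commitments(self):
        return sum(s.committed for s in self.active.values())


class ServiceManager:
    """Keeps commitments and resources in balance and sets the access-control policy."""

    def __init__(self, resource_manager, sla_manager):
        self.rm = resource_manager
        self.sm = sla_manager
        self.access_policy = "open"   # policy names are constructed placeholders
        self.log = []

    def request_sla(self, sla):
        """Grant a new SLA only if it fits within healthy capacity."""
        fits = self.sm.commitments() + sla.committed <= self.rm.capacity()
        if fits:
            self.sm.grant(sla)
        self.log.append(("granted " if fits else "refused ") + sla.sid)
        self.rebalance()
        return fits

    def on_resource_failure(self, rid):
        self.rm.mark_failed(rid)
        self.rebalance()

    def rebalance(self):
        # 1. Over-committed: try dynamic provisioning first.
        while self.sm.commitments() > self.rm.capacity():
            spare = self.rm.provision()
            if spare is None:
                break
            self.log.append("provisioned " + spare.rid)
        # 2. Still over-committed: shed the least important SLAs.
        while self.sm.commitments() > self.rm.capacity():
            victim = max(self.sm.active.values(), key=lambda s: s.priority)
            self.sm.terminate(victim.sid)
            self.log.append("terminated " + victim.sid)
        # 3. Tighten access while headroom is low, relax it otherwise.
        headroom = self.rm.capacity() - self.sm.commitments()
        self.access_policy = "existing-clients-only" if headroom < LOW_HEADROOM else "open"


def run_scenario():
    """Constructed walk-through: three SLAs granted, a fourth refused, then a resource fails."""
    rm = ResourceManager([Resource("srv-1", 50), Resource("srv-2", 50)], [Resource("spare-1", 20)])
    svc = ServiceManager(rm, SLAManager())
    svc.request_sla(SLA("sla-ansp", "ANSP", 40, priority=1))
    svc.request_sla(SLA("sla-airline", "Airline", 30, priority=2))
    svc.request_sla(SLA("sla-handler", "Handler", 25, priority=3))
    svc.request_sla(SLA("sla-extra", "Extra", 10, priority=4))   # 105 > 100: refused
    svc.on_resource_failure("srv-2")   # capacity 50: provision spare (70), then shed sla-handler
    return svc
```

When `srv-2` fails the manager first provisions the spare, and only when the pool is exhausted does it terminate the lowest-priority SLA; the access policy is tightened because no headroom remains. The decision of which SLAs to shed is where a real deployment would consult the risk management process the third bullet above refers to.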

These innovations allow a level of inter-enterprise collaboration that is not currently possible with any guarantee of end-to-end dependability. This collaboration will be demonstrated in the proof of concept phase through application to an Airport Collaborative Decision Making (A-CDM) case study.

Posted by: Andy Tickner | 12th February 2009

SERSCIS Scenario Agreed

SERSCIS has evaluated two application scenarios in the airport domain from which validation case studies will be derived:

The SERSCIS consortium has decided to focus its validation efforts on the airport CDM scenario.

Airport CDM aims at integrating and globally optimising the processes of the stakeholders involved in the turn-around of an aircraft at an airport: the air navigation service provider (ANSP), the airport operator and the airlines and the ground handling companies participating in CDM.

Process integration and optimisation is based on a real-time exchange of relevant data between the stakeholders. Thus it is necessary to interconnect the ICT systems of the above-mentioned stakeholders. Several interconnection approaches are possible, ranging from a point-to-point mesh to a central database. All approaches rely on a service-oriented architecture and must meet high standards with respect to availability, safety and security.

The SERSCIS methodologies and tools will be used to model and compose the airport CDM ICT system, to ensure its governance and to provide decision support for operators in case of attacks or technical failures. As the infrastructure underlying the application scenario is in operational use, it cannot be used for the purposes of the project. Thus a simulation environment reflecting the relevant behaviour of the systems will be built.

Posted by: Andy Tickner | 31st January 2009

SERSCIS Official Launch

The SERSCIS project website is now officially launched. For an overview description, see the project brochure, now available for download from this website.

Posted by: Andy Tickner | 30th January 2009

First SERSCIS Milestone

The first SERSCIS milestone has been reached. The project has selected starting technologies, and plans to create an initial prototype framework by bringing together the GRIA service-oriented inter-enterprise middleware, WSMO semantic service orchestration technology, and QinetiQ’s Semantic Modelling Toolset, which forms part of its Domain Based Security (DBSy®) analysis package.

Posted by: Andy Tickner | 29th January 2009

Trust and Security Working Group Meeting

There will be a meeting of the Future Internet Software and Services Collaborative Working Group on Trust and Security, on 19-20 March 2009 at CETIC in Belgium. Details will be published to members next month via the group’s website.

Posted by: Andy Tickner | 1st December 2008

Future Internet Assembly

The EU-sponsored Future Internet Assembly is meeting in Madrid this month. See: http://www.future-internet.eu/home/future-internet-assembly/madrid-dec-2008.html

The Future Internet Assembly is a forum for interaction and cross-fertilisation between EU-supported projects in ICT, around a coherent vision for the development of the Internet as a secure and trustworthy infrastructure encompassing networks, services, content and interactions between the virtual (information) and real (physical) worlds. SERSCIS is contributing to the Assembly in several ways.

The SERSCIS coordinator chairs the Collaborative Working Group for Future Internet Software and Services projects on Trust and Security. We also contribute to the expert working group established by the THINKTRUST project to discuss security, trust and privacy challenges across projects in trustworthy ICT.
