Novel Security Conscious Evaluation Criteria for Web Service Composition

: This study aims to present a new mathematical based evaluation method for service composition with respects to security aspects. Web service composition as complex problem solver in service computing has become one of the recent challenging issues in today’s web environment. It makes a new added value service through combination of available basic services to address the problem requirements. Despite the importance of service composition in service computing, security issues have not been addressed in this area. Considering the dazzling growth of number of service based transactions, making a secure composite service from candidate services with different security concerns is a demanding task. To deal with this challenge, different techniques have been employed which have direct impacts on secure service composition efficiency. Nonetheless, little work has been dedicated to deeply investigate those impacts on service composition outperformance. Therefore, the focus of this study is to evaluate the existing approaches based on their applied techniques and QoS aspects. A mathematical-based security-aware evaluation framework is proposed wherein Analytic Hierarchy Process (AHP), a multiple criteria decision making technique, is adopted. The proposed framework is tested on state-of-the-art approaches and the statistical analysis of the results presents the efficiency and correctness of the proposed work.


INTRODUCTION
In today's society, people face with such familiar concepts including e-government, e-business, e-science and e-health.This happened due to being key enablers who shift human life concepts from the physical to the virtual world.However, the question rises in this regard is: what are the key enablers?Web Services and Service Oriented Computing (SOC) are the most acceptable answers to this question.They make the new world where interconnected services have interaction and communication with sensors, embedded services and human users.Furthermore, the leading technology to realization this migration is undoubtedly a Web.Considering this, the introduction of Web Services has been a conspicuous progression and emerges the new concept called Service-oriented Web (Service Web) (Malik and Bouguettaya, 2009).In fact, enabling use of Web Services as independent components to organizing automated consumer-demand formed services without human intervention is the ultimate aim of Web Service technology (Brahim et al., 2003).They strongly support the development of low-cost, rapid, massively, evolvable and interoperable distributed applications as major goal of SOC through defined XML-based standards such as Web Service Description Language (WSDL) and Simple Object Access Protocol (SOAP).Nonetheless, being unknown parties or the ones with unpredictable level of trustworthiness raise an argument in the global e-society members recently whether they can trust such type of services.It leads to claim that there is still a missing point to be optimistic to SOC.In this regard, one of the keywords that should be highlighted is "security" which can be viewed as an imperative component of internet-based interaction and service oriented environments.Compared to existing computer systems, providing security for service oriented environments is much more challenging.It happened, owing to the dynamic and adaptable nature of these environments where are often large scale and across domains (Bajaj et al., 2006).Therefore, it can be claimed that Web services technology has not achieved its authentic performance and full potential yet.Furthermore, as IBM and Microsoft (2002) stated in their technical report security has been a key factor that holds companies back from adopting Web services.Particularly, this rationale grows in the computer society that Service revolution cannot eventuate unless security issues are resolved.As an instance, the success of Web service based marketplaces still faces critical impediment and lack consumers' trust whether or not they are secured.On the other hand, the real power of web services cannot be realized unless service composition is efficiently employed.Ramakrishnan and Tomkins (2007) mentioned service composition has brought about a change in the Web from being a "readonly" repository of Web pages to a Web of services that can be enriched and composed.In order to address security issue, the related parameters as subset of nonfunctional properties i.e., Quality of Service (QoS) are considered along with functional properties.The aim of involving QoS in service deployment process is enhancing and optimizing service oriented processes.Considering security issues in QoS can also help to more realizing this aim.Although providing security for single Web services is a demanding task, securing service composition process seems to be more challengeable.Regarding the former case, security requirements of users and Web services should be matched together while in the latter one security coordination and compatibility between services components have to be taken into account.That is, security requirements between service components, the composer and the user need to be considered.Concerning security in service composition is important from two viewpoints: service consumer and service provider.Regarding the former view, satisfying desired goals by reliable and reputable candidate service is so important since personal information may be transferred between involved parties.In contrast, it is very high importance to latter view i.e., service provider as composer to choose the closest and most reliable services for composition which have no negative impact on his reputation in the future.Recently, the bulk of research has been conducted on Web service security in both industry and academia whereas, few number of researches have been presented with regards to security in service composition.Nonetheless, there is a lack of appropriate review on investigating the role of security in Web services composition.This study aims to present a new mathematical based evaluation method for service composition with respects to security aspects (based on our prior work (Movahednejad et al., 2011)).In this regard, firstly a taxonomy of Web service composition solution which is an extension of our prior work (Movahednejad et al., 2011) is presented and existing approaches are classified in respective categories.In order to do that, rigorous review of existing literature has been conducted and most relevant and updated literature has been selected and analyzed.After that, evaluation criteria with respect to service composition, QoS and security are gathered and applied.Next, these criteria are mathematically demonstrated applying decision making techniques and new security conscious evaluation formulation is introduced for service composition approaches.The gathered approaches are evaluated based on the proposed formula to prove its correctness.Finally, the achieved results demonstrate how a service composition approach addresses security aspects.

CLASSIFICATION OF STATE-OF-THE-ART WEB SERVICE COMPOSITION APPROACHES
In this section, a new classification regarding service composition approaches is introduced and all the existing approaches are classified from two major points of view: syntactic-based and semantic-based.The first category is divided to two sub categories namely information flow control based and access control based approaches.The hierarchical classification of the security-aware Web Service Composition (WSC) approaches is illustrated in Fig. 1.For each category, a brief explanation along with respective approaches is provided.It should be noted that there are no predefined strictly boundaries between these classification aspects.

Syntactic-based approaches:
The approaches which are based on XML like BPEL-based composition are classified in syntactic based service composition approach.There are two major approaches in syntacticbased WSC realm namely WS orchestration and WS choreography.In the former approach, a central coordinator i.e., the orchestrator is devised to invoke and combine the atomic activities and compose available WSs.While in the latter, a central coordinator is substituted and complex tasks are defined through the definition of the conversation which each participant should take on (Ter Beek et al., 2007).Web Service Business Process Execution Language (WS-BPEL) and Web Service Choreography Description Language (WS-CDL) are two representative languages that mostly use for orchestration and chorography, respectively.
Besides, for the purpose of assuring secure composition and having convenience design and analysis, secure orchestration and choreography as a demanding and critical means are needed (Xu et al., 2008).Therefore, the latter points out a simple form of equations for secure WSC: Secure Web services composition is equal to secure orchestration accompanied with secure choreography (Secure WSC = Secure Orchestration + Secure Choreography).In this research, syntactic-based approaches-that are XMLbased approaches as well-are reviewed from security point of view.An approach is classified as securityaware solution as long as it can address at least one of Information flow control-based: Non-functional aspects modelling of service oriented systems and utilizing them for the purpose of analysis and deployment are presented by Gilmore et al. (2010).In the proposed work, SOA profile so-called UML4SOA is employed to modelling service composition in UML.Moreover, the Non-Functional extension of UML4SOA (UML4SOA-NFP) and the MARTE profile can represent non-functional properties of service-oriented systems as well.The annotation of models is facilitated through Modelling and Analysis of Real-Time and Embedded systems (MARTE) profile and can be used to execute specific analysis (more concentrated on performance and schedulability analysis).Considering this, modelling of performance, security and reliable messaging are enabled as well.In addition, authors discussed formal analysis of model and considered reliability analysis and performance estimation applying "Stochastically Timed Process Algebra" (PEPA) as the underlying analytical engine.From the security perspective, the approach addresses confidentiality and integrity and provides authentication using security token.The user privacy is also protected since all requests have been encrypted.Charfi and Mezini (2007) utilized WS-Policy and WS-Security to propose a secure framework for the sake of securing BPEL compositions.In order to achieve it, XML-Encryption is employed to cover confidentiality, XML-Signature is used to providing integrity and security token is given to support authentication.The process container which is implemented by a set of aspects in AO4BPEL is the main component of proposed framework.AO4BPEL is an aspect-oriented extension for BPEL which supports more adaptable and modular WSs.In the proposed approach, AO4BPEL is implemented as an aspectaware orchestration engine for BPEL.As another work in the context of secure WSC, Boger et al. (2009) proposed a model wherein existing standards are combined and it is tried to provide a practical and consistent solution for secure service composition.According to the approach, WS-Policy is utilized to specify policies and supports not only the orchestration language (WS-BPEL), but also the business processes description language (WS-CDL).
Moreover, an approach to build processes in accordance with consumer security requirements and provider capabilities is proposed in Garcia and Felgar de Toledo (2008).In order to express these characteristics, the suggested approach utilizes Web Ontology Language (OWL) ontology and Web Services Policy Framework (WS-Policy) policies.Moreover, a framework presented by Biskup et al. (2007) is proposed to execute composite Web service in a decentralized manner and enable secure execution as well.The main component of framework is a data structure called container which is passed among the participating web services in the composition process.The container is encrypted and authenticated so that the execution flow is secured and a set of relevant security requirements are addressed.Besides, an automated service composition considering security policies of component services is presented in a novel approach (Chevalier et al., 2008).As discussed in latter, the approach amounts to constraints collection from parameters, messages and control flow of the components services as well as the goal service requirements.As a novelty of the approach, a constraint solver is introduced to check the probability of the composition-i.e., feasibly adaption of the message structure and the semantics preserving simultaneouslyand presents the service composition as a message sequence chart.Besides this, authors modelled composed web services in the HLPSL language that has originally designed for security protocols specification in cryptography.In addition, a composite web service solution is proposed by Chafle et al. (2005) which is grounded on decentralized orchestration.The proposed approach considers the "business defined data flow constraints" as well.Lastly, an open, fine grained and end-to-end framework is pointed out by Singaravelu and Pu (2007).The proposed framework leverages WS-Security to preserve confidentiality and integrity in WSC.
Access control based approaches: One of the key components in secure systems is access control.The main responsibility of access control is answering these types of questions: which subject can do which action under which circumstances on the protected resources (Bertino et al., 2009).According to this approach, a method to encode an access control policy is given in an access control model and all the conditions which should be satisfied to grant an access request are stated in the model as well.In the service composition scope, access control had not been seriously considered in the past.As an instance, BPEL doesn't provide access control mechanism itself and there is no condition to invoke service in BPEL-based process.Consequently, a security model to support access control function for BPEL should be necessitated.As discussed by Rossebø and Braek (2006), authentication and authorization patterns can be integrated to grant access rights as well.
In this study, access control based approaches are classified with respects to different perspectives including Model Driven vs. Policy Driven, Single Organization vs. Cross Organization and User based vs. Service based.The first perspective i.e., model vs. policy driven is discussed in the following.Regarding the second one, the former refers to providing interorganizational access control comprising a small or enterprise organization, whereas the latter applies to presenting access control between some different organizational domains which intend to have connections together.Considering the last perspective, the latter refers to set limitations on service-to-service interactions while the former relates to restricting services access by users.

Policy-driven approaches:
As Sodiya et al. (2009) state policy refers to "the statement of what is and what is not allowed".The policy-driven approach is about how the needed rules in access control can be expressed.In this regard, Rouached and Godart (2007) proposed a framework to mange authorization policies for WSC.A logic based approach is utilized to specify authorization policies and detect the resulting conflicts.In WS environments, conflicts come from the combination of various kinds of authorization and constraint policies.Rather than static detection of policy, the method can be used to correct the policies.Moreover, a formal based approach for specifying authorization policies is proposed by Bertino et al. (2006).The formalism technique utilized in the approach is based on Event Calculus (EC) and SPIKE is also used as automated theorem prover to verify whether a provided policy is conflict-free and prove that there are no imposed conflicts during adding and removing operations.In another presented framework (Rossebø and Braek, 2006), a policy-driven approach is integrated with Authentication and Authorization patterns (AA-patterns) to compose services and restrict service access to only authorized users.The authors point out that the approach is applicable considering both static and dynamic composition of services.According to the approach, UML 2.0 is employed to specify AA-patterns as well as Object Constraint Language (OCL) that is used for specifications of semantic interfaces annotated with policies.Further, the authors concentrate on definition of organizational policies like RBAC.

Model driven approaches:
Regarding the model definition, Sodiya et al. (2009) state that "the model is the formal representation of the security policies enforced by the system".According to the same reference, the model can be useful to prove the theoretical limitations of a system.In the field of access control, the model-driven approaches are concerned with execution of rules and policies.The famous types of access control like Role Based Access Control (RBAC) are classified as model-driven.In the following, some representatives of this category are discussed briefly: • Role Based Access Control (RBAC): RBAC also known as non discretionary access Control inspires a real world approach more to structure access control.Considering the RBAC mechanism, permissions are firstly assigned to particular roles in an organization.Following this, users are assigned to that particular role.Then, access is granted based on users' job function within the organization and same permissions are defined for the specified role.That is, no individual user can be assigned more permissions than the defined ones for his role.In the service computing realm, RBAC widely utilized to enforce access control.There is a wealth of research in service composition about employing RBAC access control and WSC approaches which some of them are briefly explained in the following.RBAC-WS-BPEL is proposed to tackle the problem of WSC (Paci et al., 2009).In fact, BPEL itself has no support for access control mechanism and RBAC-WS-BPEL is an extension of WS-BPEL language to support access control in service composition.According to the proposed approach, role hierarchy which reflects the organizational structure, permission role assignment relation and a set of permissions representing the ability to perform activities are included in the authorization information.The main components of the proposed architecture are the XACML policy store, history store, BPCL constraints store repositories, the RBAC-WS-BPEL enforcement service and WS-BPEL engine.
According to the presented architecture, scheduling and synchronizing the various activities of business process with regards to the specified activity dependencies are responsibilities of WS-BPEL engine.Further, it should invoke the associated WS operations for activities.Compared to the previous architecture which presented by Bertino et al. (2006), the history store is added as a new component to record the users who have performed an activity and verify whether the execution of the activity has been successful.In addition, RBAC-WS-BPEL enforcement service is responsible to support the WS-BPEL process administrators at both deployment time and at runtime.The XACML and BPCL are also utilized in the proposed approach to encode the authorization information and describe authorization constraints such as separation of duty respectively.Moreover, this work is extended by Paci et al. (2008b) wherein the new types of authorization constraints such as binding of duty and resiliency are introduced and used to restrict the roles and users who can execute the activities in the business process.
Besides, another RBAC access control model for WSC is proposed by Srivatsa et al. (2007).In this study constraints are expressed via access control rules.These constraints may include separation of duty constraints and past histories of service invocations constraints which can also be dependent on one or more parameters associated with a WS invocation.In order to represent access control rules, a Pure-Past Linear Temporal Logic language (PPLTL) is used.In addition, role translations enforce access control and they are defined in a form of a table to map roles among different involved organizations in the composition process.After that, if the user having a certain role invokes an operation of the composite Web service, the role translation is carried out through the enforcement system and a composite role is created.A composite role includes a temporally ordered sequence of roles and services involved in the invocation.
Moreover, an integrated access control model for Web service oriented architecture is presented by Emig et al. (2007) wherein Attribute-Based Access Control (ABAC) model is combined with hierarchical RBAC.From the ABAC perspective, the proposed approach inherits the way service requestors are authenticated i.e., identification of a set of attributes whereas, from the RBAC point of view, it inherits a set of permissions i.e., the role hierarchy and policies definition.As a result, access control policy include not only the integration of combined permissions of an object (either an operation or the whole Web service) but also a set of attributes which should be provided by requestor and environmental state constraints (any other attribute not related to the object or service requestor e.g.date and time).Compared to the RBAC, the permissions are associated with a set of attributes of the service requestor rather than a role and it identifies a set of the service requestor's attributes rather than a business role.Furthermore, Klarl et al. (2009) proposed an extension of the previous model to support composite service wherein policy is enforced by composite service.This policy is a combination of the policies which protect the operations invoked in the composition process.
• Task Based Access Control (TBAC): TBAC framework is an extension of RBAC introduced by Thomas and Sandhu (1998) which is known as an active security model (Xu et al., 2008).As stated by Kerschbaum and Robinson (2009), "TBAC authorizations are granted and revoked based on when tasks are scheduled and performed.Therefore, capabilities are valid only for the duration of a task".In addition, Ji-Bo and Fan (2003) discuss that TBAC as new security model can: adopt the service-oriented perspective; build security model; realize security mechanism from the task viewpoint; and provide dynamic real-time security administration during the task processing.
Considering TBAC in service computing, workflow can be modelled from the task view and permissions can be dynamically administrated with regards to the task and its status.Likewise, Ji et al. (2007) discuss TBAC is suitable to be utilized in distributed workflow processing and decision making for transaction management system.TBAC can be also considered as kind of context-based access control model that gives flexible security mechanism to be used in business process.
Since activating and deactivating of permissions are based on current state of the tasks in TBAC, it provides the tracking of overall task progress and as a result secure workflow management can be supported by TBAC.In addition, TBAC can be employed for the purpose of security modelling and enforcement and has its advantages over the system-centric approach in subject-object systems.Nonetheless, for the majority of collaborative environments, TBAC should be used along with other access control (Bhatti et al., 2005).One of the research directions in access control technology is concentrated on integration of RBAC and TBAC (Thomas and Sandhu, 1998).Moreover, a TBAC model suitable for service composition is proposed by Ji et al. (2007) wherein BPEL and TBAC model are integrated together.The basic structure and functions of each main component of the TBAC engine is presented as well.

• Credential Based Access Control (CBAC):
According to Agarwal et al. (2004), "Credentials are digitally signed documents, which can be transmitted by un-trusted channels like the Web".
In CBAC, defined rules by access control policies state that only subjects having credentials fulfilling specific conditions are eligible to invoke a provided operation of the WS.A logical framework for CBAC was proposed by Koshutanski and Massacci (2005).In the proposed approach, an interactive algorithm based on negotiation of credentials is presented and used in stateful business process.The proposed algorithm is an extension of the previous one which supports stateless processes.An automatic composition synthesis technique grounded on satisfiability reduction using Propositional Dynamic Logic (PDL) was proposed by Cheikh et al. (2006).In the suggested approach, the component services have their own authorization constraints and credential based access control.In addition, the issued credentials by other component services may or may not be trusted and the possible conversations between services and clients are used to model the service behavior.

• Attribute Based Access Control (ABAC):
According to Yuan and Tong (2005), there are different kinds of attributes.Considering the concept of subject (such as application, user and process), the associated attributes can be the characteristics and identity of the subjects such as name, role and job title.Regarding resource, environment and context, attributes can be considered as Dublin Core metadata elements, operational, technical, or situational environment information and the access information such as current date, time and threat level respectively.In regards to service computing, an access control model is proposed by She et al. (2009) through which services of service chain are enabled to control their sensitive information flow.In the proposed model, information flow control is supported via a back-check procedure and pass-on certificates as well as the basic mechanism is based on the attribute certificate.During the access decision, the attribute certificates of the requesting services along with the properties of the requested resources are evaluated against the security policies.An attribute certificate of a service indicates service properties like service provider or service name, clearance level and role.

Semantic-based approaches:
The representation and exchange of information in a meaningful way is one of the advantages which are allowed in Semantic Web as well as automated processing of descriptions is facilitated through it on the web (Lee et al., 2001).Indeed, the ultimate aim of the Semantic Web is transforming the data stored in the web to interpretable knowledge which can be understood by both machines and humans (Zhu et al., 2006).The key enablers to achieve this goal are ontologies which provide knowledge structure of the semantic web.Ontologies as backbone of Semantic Web helps to support interoperability as an impressive requirement of Web service environments.Due to taking care security requirements, ontologies can be extended with additional message security techniques and technologies.In order to achieve it, new classes and properties should added (Garcia and Felgar de Toledo, 2008).While an approach can address at least one of the security requirements, it goes under security-aware approaches.In the following, brief explanations of the state-of-the-art approaches relevant to this category are provided.
A semantic web service composition approach namely SCAIMO with respect to security issues is presented by Tabatabaei et al. (2010).In the SCAIMO framework, a secure task matchmaker is introduced to its previous work i.e., AIMO-it is based on AI-planning and Web Service Modelling Ontology (WSMO)-to match tasks with operators and methods as well as take care security requirements of both service provider and requester.To achieve this aim, three different constrains including security related goal, choreography and orchestration are defined and checked during matchmaking process.Furthermore, a recent study by Kuter and Golbeck (2009) involved an effort to generate trustworthy Web service composition.To achieve this goal, they present a new formalism for Web service composition considering available user ratings as well as a novel service composition algorithm called Trusty.Moreover, three trust computation strategies for Trusty are defined; namely overlycautious, overly-optimistic and average.In their approach, the Hierarchical Task Network (HTN) planner SHOP2 is advanced in order to generate trustworthy service composition by incorporating reasoning mechanisms for social trust.The trust information is used as input for this new procedure and as a result, the most trustworthy composition is produced to solve a service composition problem.A WSC approach Based on Service-Ontology is reported by Liquan et al. (2009) and authors integrated the proposed approach with intelligent smart transcript repository.Besides, considering service composition process, Maamar et al. (2006) concentrate on problem of context heterogeneity of WSs and as a result, they propose an ontology based approach using OWL-C language to tackle the problem.They aim to develop a new language to manage contexts of Web services and their language is inspired by OWL-S.This new language i.e., OWL-C stands for "Ontology Web Language-based Context Ontology".According to the suggested approach, each Web service is subject to have multiple constraints such as strategy for selecting the ontology or maximum number of Web service instances for concurrent use.In addition, security constraints as one of the multiple constraints for WSs are focused and among them, the integrity of the context of Web services and achieving it is more concentrated.

THE PROPOSED EVALUATION FRAMEWORK
For the purpose of security-aware evaluation, following framework has been presented.As it can be seen in Fig. 2, there are five defined steps which should be followed respectively.For the purpose of service composition, there are several languages developed by several organizations such as BPEL4WS, OWL-S, WSMO.Static/Dynamic composition (S/D) Static composition refers to constructing an abstract process model prior to the composition planning whereas, dynamic composition creates process model and selects atomic WSs in an automatic manner.Automatic composition (A) Automatic composition promises many improvements for service composition approaches including safer reusability, faster application development and facilitating user interactions through complex service sets.QoS criteria Security Constraints (SC) Specified to restrict the activity execution for roles or users.Security policy/Constraint Language (SCL) Constraints like separation and binding of duty can be specified through these languages to limit the execution of activities for users.

Reliability (R)
The ability of a WS to perform its functions is represented by reliability.Applying formal method increases the reliability of WS applications (Ter Beek et al., 2007).Performance (P) Performance represents how fast a web service request can be completed.In addition, employing AI-planning or agents in WS application, improves the performance of process (Jian Feng and Kowalczyk, 2006;Sirin, 2006).

Correctness (C)
The correctness verifiability can be identified directly with regards to the specifications of WSC (Ter Beek et al., 2007).Considering this, complicated web service systems might be formed through WSC wherein the behavior accuracy will be the feature of such systems.Applying AI-planning, UML and formal methods can improve correctness of WSC (Gilmore et al., 2010;Sirin, 2006).Privacy (PR) Privacy means the identity and personal data of a client is not revealed to non-authorized bodies.Availability (AV) The probability that a WS is available at any given time, measured as the percentage of time a WS is available over an extended period of time.Moreover, based on (Chafle et al., 2005) those approaches which are agentbased can increase WS availability.Validation (V) Verification of WSC at runtime refers to validation.Stateless/Stateful (SL/SF) Stateful systems are systems where the status of the current state depends on the status of the system in past conditions.

Security criteria Confidentiality (CO)
It means that information during transit cannot be read by unauthorized entities.Integrity (I) Information cannot be changed or tampered with during transit by unauthorized entities.Authentication (AU) The process of verifying or testing that the claimed identity is valid.Authorization (AUT) The process of establishing what someone who has been authenticated is allowed to do.Evaluation criteria: In this section, the criteria which are used to compare WSC approaches are presented and briefly discussed in Table 1 (first step of evaluation framework).In the comparative table, some of the criteria are assigned symbols as " " or "×".The former symbol indicates that the respective criterion either is supported or improved by the desired approach.On the contrary, the latter one applies in case of the required criterion neither is nor supported neither enhanced via the demanded approach.In addition, informative explanations are provided along with symbols whenever it is needed.Besides, some terms are presented in Table 2 including "Model Driven", "Formal Method" and "Agent Based" which are explained here, respectively.Model Driven Architecture (MDA) as an approach to software development is centered on the creation of models rather than program code (such as UML).Making separation between design and architecture is one of its major goals.Regarding the second term, Dillon et al.Extreme importance or preference (1997) states "A formal method manipulates a precise mathematical description of a software system for the purpose of establishing that the system does or does not exhibit some property, which is itself precisely defined".The last term refers to a piece of code that acts on behalf of a user with authority to decide for the best action for the user.

Mathematical formulation:
The second step of the proposed evaluation framework is mathematically evaluation formulation.Multi Criteria Decision Making (MCDM) has remarkable impact in the situations facing different alternative options and decision criteria.In this study, since different criteria with various values affect (2) The proposed composition language is syntactic based and the security constraint language isn't even applied along with UML, mathematic or ontology.0.410

BA if
The proposed composition language is syntactic based and is applied along with an engine to support QoS criteria as well as security constraint language is applied without ontology.0.500 A if The proposed composition language is OWL-S or WSMO but applies no security constraint language.0.590

AA if
The proposed composition language is syntactic based (BPEL) and security constraint language is applied along with UML, mathematic or ontology.
The approach applies no standard or method to provide authentication.
Ji-Bo and Fan ( 2003 The proposed composition language is syntactic based and the security constraint language isn't even applied along with UML, mathematic or ontology.0.410

BA if
The proposed composition language is syntactic based and is applied along with an engine to support QoS criteria as well as security constraint language is applied without ontology.Credential applies to provide authentication.0.500 A if The proposed composition language is OWL-S or WSMO but applies no security constraint language.Credential applies to provide authentication.0.590

AA if
The proposed composition language is syntactic based (BPEL) and security constraint language is applied along with UML, mathematic or ontology.Credential applies to provide authentication.
The proposed composition language is syntactic and offers no engine and security constraint language.
Ji-Bo and Fan ( 2003 process algebra process algebra process algebra where, the ‫ܯܥ‬ and ‫ܵܳ‬ are composition and QoS criteria for approach ݇ respectively and comprise two important parts of the proposed evaluation formula Eq. ( 1) and ( 4).They compute based on their comprised criteria as presented in Eq. ( 2) and (3).K is the number of compared approaches which equals to 22 in this study.݅ and ݆ indicate the respective criterion as described as follows: The next step in evaluation framework is defining criteria sets.In order to do this, Table 2 proposed by Chen et al. (1992) is utilized to assign values to respective criteria considering their all possible situations.
Considering this table, a designated set to each criterion is demonstrated in Table 4 and 5.It can be noted here that these data sets are derived through the exhaustive literature review.
Lastly, final step in the proposed evaluation framework is computing the weights for evaluation criteria.This step is based on pair-wise comparisons of criteria suggested by AHP methodology to determine criteria weights.Therefore as major contribution of AHP, subjective assessments of relative importance is converted to numerical values i.e., weights and a matrix for evaluation of criteria importance is proposed (as depicted in Fig. 3).In the matrix, f is the number of criteria and cells above the diagonal of the matrix are specified through an answer to the question of "how important is criterion C i compared with criterion C j ?" (which could be one from the Table 3).On a diagonal, the cells are equal to 1 and the rest of them are reciprocal.The weights for criteria come from this matrix.
In order to do that, an AHP based tool called "Expert Choice" is utilized to calculate the appropriate each criterion with respect to received feedbacks from experts.Number of experts and academics has been    6.This table concerns on descriptive data derived from each approach.In the next step, this information with regards to defined formula in above section is utilized to mathematically evaluate those approaches.

Mathematical based evaluation:
In this section, the comparative table presented in previous section i.e., Table 6 is transformed from descriptive mode to mathematical-based style with the help of Table 2, 4 and 5 discussed in section (Mathematical formulation).As a result, a new diagram i.e., Fig. 5 is produced wherein the value of each criterion with respect to each approach is illustrated.
Considering the presented results in Fig. 5 and aforementioned formulation, comparative evaluation for all proposed categories is in more precisely manner performed and each approach is ranked through the obtained results.Moreover, the definition of "Low", "Average" and "High" approach is inferred from the achieved approaches ranking.According to the definition depicted in Fig. 6, an approach is considered as a "Low", if its achieved value (x) is less than 0.335 (x≤0.335).In case of an approach obtains a value between 0.335 and 0.450 (0.335<x≤0.450), it is considered as an "Average".Finally, an approach is considered as a "High" if its gained value is more than 0.450 (x>0.450).

RESULT ANALYSIS
In this section, discussion and analysis with respects to each category is provided.The comparative evaluation of state-of-the-art approaches are presented in Table 7.This table is the mathematical version of Table 6 demonstrated as primary assessment.In the following, the respective explanation with regards to each classification is provided.(2010) are evaluated as "Average" approaches while the rest of them are marked as "Low" ones.It also can be noted all the existed approaches in this comparison mainly concern confidentiality and integrity of exchanged message in WSC.From the perspective of composition language, all the approaches except the work presented by Boger et al. (2009) have considered BPEL to provide only secure orchestration and have not dealt with secure choreography.Nevertheless, being secure orchestration and choreography together is needed to ensure secure service composition.Therefore, integration of conversation specification languages such as WS-CDL along with BPEL can be considered as advantage of proposed work by Boger et al. (2009).Furthermore, all compared approaches except proposed work by Chevalier et al. (2008)  (2010) through model transformation.Besides, it has estimated and analyzed reliability, correctness and performance using timed Process Algebra namely PEPA.The work presented by Chevalier et al. is also evaluated as "Above Average" quality with respect to correctness since the approach used mathematicalbased (cryptographic tools) technique.Regarding performance, Singaravelu and Pu (2007) claimed that acceptable performance is provided while proposed works by Chafle et al. (2005) and Biskup et al. (2007) have improved their performance due to using agent based technique.Moreover, they enhanced availability of services during service composition via utilizing agent based technique.It is also claimed that privacy has been addressed using data encryption in works presented by Biskup et al. (2007), Singaravelu and Pu (2007) and Gilmore et al. (2010).From security point of view, WS-Security has been utilized by Charfi et al. (2005), Singaravelu and Pu (2007), Biskup et al. (2007), Garcia and Felgar de Toledo (2008) and Boger et al. (2009) to address security issues including confidentiality and integrity.Nevertheless, basic security functionalities can only be provided through WS-Security and there is no enough support provided in those approaches to ensure security for WSC (Biskup et al., 2007).In addition, Chafle et al. (2005) claimed that confidentiality of message can be provided utilizing decentralized (agent based) approach.According to latter, WSs may impose some restrictions on data flow and these data constraints present obstacles for centralized coordinator in orchestrationbased service composition.Moreover, authentication has been provided by Charfi et al. (2005), Chevalier et al. (2008) and Gilmore et al. (2010) through security token (username) and digital signature respectively.With respect to security policy languages, XACML and WS-Policy languages are employed to specify WS security policies by Chafle et al. (2005), Charfi et al. (2005) and Boger et al. (2009) respectively.However, WS-Policy and XACML lack semantics.It in turn impedes the effectiveness of computing the compatibility between the policies.

Comparative
Moreover, since applying WS-Policy and XACML as syntactic approaches may restrict the selection of suitable WSs, the use of ontology to overcome this limitation is essentially needed.Therefore, ontology based policy annotations are added to WS-Policy by Garcia and Felgar de Toledo (2008) to offer a flexible approach to support interoperability as a key requirement in service computing environments.In addition, according to the latter, additional message security techniques and technologies can be extended to WS-policy utilizing new classes and properties.Considering this, the proposed approach enables building processes in accordance with provider capabilities and consumer security requirements which is expressed through WS-Policy along with OWL.Despite that, flexibility and extensibility of this approach has been limited due to inherent deficiencies of WS-Policy.Besides, security policies should be enforced through the orchestration engine (Charfi et al., 2005).Since current BPEL engines have not provided this, an aspect-aware orchestration engine (as extension to BPEL engine) so-called AO4BPEL is proposed by Charfi et al. (2005) to support more adaptable and modular WSC.Nonetheless, there are still some remaining problems in that proposed approach as follows.Firstly, although the dynamic adaptability and modularity have been provided in AO4BPEL towards service composition, it still suffers lack of semantic description for business processes and rules and security aspects.Thus, conflicts detection and policy negotiation are infeasible for secure WSC.Secondly, the approach lacks flexibility since service composition aspect is considered at the deployment time rather than runtime.Moreover, Chevalier et al. (2008) utilized HLPSL language to specify security constraints.With regards to validation, proposed approach by Gilmore et al. (2010) has been marked as "High" due to using formal methods while approaches proposed by Garcia and Felgar de Toledo (2008) and Biskup et al. (2007) have been evaluated as "Very Low" since they provide no validation proofs.The rest of compared approaches are marked as "Average" owing to presenting prototypes.Finally, since there are no formal semantics in BPEL and WS-CDL, they can provide no formal reasoning regarding process behavior.On the other hand, better service discovery as well as easier service interoperation and composition will be enabled through semantically described services.In that case, in order to enable semantically meaningful execution, there must be certain rules and mapping formalisms between ontologically described knowledge about business process on one side and BPEL and WS-CDL definitions of business process on another side.
Access control-based: Considering access controlbased classification, proposed approaches by Rossebø and Braek (2006), Cheikh et al. (2006), Rouached and Godart (2007) and She et al. (2009) are evaluated as "Average" while the rest of compared approaches are evaluated as "Low".With respects to composition language, all the compared approaches selected BPEL as their composition language however, approaches presented by Rossebø and Braek (2006) and Rouached and Godart (2007) just claim they are syntactic-based and clarify no languages used in their works.Likewise, all of these works except Cheikh et al. (2006) are contemplated as static approaches to support service composition owing to use of BPEL language.On the other hand, Cheikh et al. (2006) proposed dynamic technique towards service composition due to utilizing PDL as logic based approach along with BPEL.Moreover, among compared approaches only the presented works by Cheikh et al. (2006) and She et al. (2009) are classified as an automatic service composition since they employed agent-based technique and mathematic approach (PDL) respectively.Besides, latter approach claimed that it has acceptable performance by applying agents in its work.
Regarding correctness, approaches proposed by Cheikh et al. (2006), Rossebø and Braek (2006) and Rouached and Godart (2007) are evaluated as "High" since they PDL, EC and UML, respectively.From the security perspective, presented works by Koshutanski and Massacci (2005), Srivatsa et al. (2007) and Paci et al. (2009) are considered as stateful approaches due to keeping user or service histories for future decisions.Moreover, approaches proposed by Emig et al. (2007) and She et al. (2009) provide authentication through user and service attributes respectively.In addition, authentication is addressed via user credentials in works proposed by Koshutanski and Massacci (2005), Rossebø and Braek (2006) and Paci et al. (2009) whereas service credentials are utilized by Cheikh et al. (2006) and Rouached and Godart (2007) for the purpose of authentication.
With regards to authorization, role-based technique is used by Rossebø and Braek (2006), Emig et al. (2007), Srivatsa et al. (2007) and Paci et al. (2009).However, RBAC is insufficient method to be used in service composition due to the following reasons: firstly, RBAC as an inactive security model cannot dynamically administrate permissions in the executing states of working progress and thus the requirements of BPEL-based access control cannot properly addressed.Following this, RBAC suffers the inability for specifying a fine-grained control in collaborative environments.Next, RBAC provides no abstraction to capture a set of collaborating users which operate in different roles.Lastly, RBAC sometimes faces difficulties for encapsulation of all permissions to perform a job function.
To address RBAC problems in BPEL, Ji et al. (2007) suggests replacing TBAC with RBAC.It caused to provision of more flexibility for secure business processes.However, better support to understand context semantics is provided in semantic based approaches compared to the BPEL.Likewise, semantic based approaches provide better reasoning for complicated relations among contextual concepts.Moreover, approaches proposed by Koshutanski and Massacci (2005), Cheikh et al. (2006), Rouached and Godart (2007) and She et al. (2009) proposed authorization technique based on user/service attribute or credential.According to section Model Driven Approaches, it is concluded that attribute-based access control is more perfect than credential-based one.With regards to security constraints or policy language, presented approaches by Paci et al. (2009) and She et al. (2009) utilized XACML to define their security policies as well as BPCL (Business Process Constraint Language) is used in the former approach as a constraint language.In fact, the BPCL is proposed in this approach since RBAC is insufficient to address all the authorization requirements of workflow systems like separation and binding of duty constraints.Despite that XACML is a good approach to specify policy in a designated domain, it suffers some limitations as follow: Firstly, the issue of enforcing access control has not been addressed properly and it has not been considered to include in composition phase.After that, XACML faces with lack of semantics for high-level security requirements and this affects on effectiveness of the compatibility computing among the policies and thus it results in false negative (Rouached and Godart, 2007).Lastly, no explicit constructs is provided in XACML to reason about transactional histories (Srivatsa et al., 2007).Manual definition and verification of authorization policies is error-prone and cumbersome.Thus, it is needed to have an automated analysis to make sure policies are conflict-free at first time and during adding or removing new authorization policies.In order to address it, Cheikh et al. (2006) utilize PDL to automate defining and verifying authorization policies as a part of composition process.Likewise, security policies are carried out dynamically by Rossebø and Braek (2006) and Rouached and Godart (2007) applying UML as model driven technique and EC as formal method respectively.Moreover, proposed approaches by Cheikh et al. (2006) and Rouached and Godart (2007) increase the reliability due to using formal methods.With regards to verification, these two approaches are evaluated as "High" due to presenting mathematical-based proof while the rest of compared approaches are marked as "Average" owing to proposing prototypes for their works.However, those works which use syntactic-based approaches cannot be fully applicable since their completeness depends on syntactical restrictions.

Comparative evaluation of semantic-based approaches:
Regarding semantic-based classification, proposed work by Kuter and Golbeck (2009) and Tabatabaei et al. (2010) are evaluated as "High", whereas the rest of the approaches are marked as "Average".All the approaches classified in this category support automatic and dynamic service composition owing to using ontologies (Liquan et al., 2009).Considering these approaches, the composition language used by Tabatabaei et al. (2010) is WSMO while the rest of composition languages are based on OWL-S.With regards to supporting non-functional properties, WSMO is superior than OWL-S.The reason is that non-functional properties in OWL-S are more restricted than WSMO.While the latter supports them in any WSMO elements, the former provides nonfunctional properties in service profile (Kuter and Golbeck, 2009).Furthermore, proposed works by Kuter and Golbeck (2009) and Tabatabaei et al. (2010) present more automation composition due to applying AI planning.The former approach utilizes HTN planning as an AI technique to automate WSC while the latter one employs HTN-DL for automation of service composition.Although HTN is suitable approach for service composition and HTN planner is more efficient compared to other planning languages, there are some limitations when a HTN planner is used for service composition by itself.It faces limitations such as: no formalization, lack of an interactive WS environment, no function to cover additional scheduling information or satisfaction of general problems, lack of autonomy and no proper non-functional properties support.Consequently, integration of Description (DL) with HTN is proposed to solve most of aforementioned limitations, specially supporting nonfunctional properties such as performance and correctness in proper way (Sirin, 2006).Considering this, Tabatabaei et al. (2010) applied HTN-DL to automate WSC.In the light of correctness and performance, those two works have improved the correctness and performance of composition process using AI planning.Moreover, the proposed approach by Tabatabaei et al. (2010) provides more correctness and performance than the Kuter and Golbeck's work (2009) due to using HTN along with DL.As a result, HTN-DL can be considered as optimized AI planning technique for WSC.
From the security perspective, approaches presented by Kuter and Golbeck (2009) and Liquan et al. (2009) are state full approaches.Generally speaking, keeping a past history of service invocations i.e., being state full can be a key feature to support access control for service composition to make suitable access decisions (Liquan et al., 2009).Furthermore, authentication is provided through X.509 and service credential in these two works respectively.It should also be noted that the privacy of service credential in the former work needs to be provided.In addition, Maamar et al. (2006) claim that their proposed approach supports the integrity to secure WS interactions.Security constraints must be carefully considered during WSC.In this regard, only the presented approaches by Maamar et al. (2006) and Tabatabaei et al. (2010) take security constraints into account with service composition process.Finally, all the approaches discussed in this comparison proposed prototype to validate their approaches and with regards to definition of validation criterion they marked as "Average".
An statistical approach to study security conscious web service composition: In this part, statistical analysis results based on existing data are presented.First statistic technique used is the mean of all 16 characteristics with respect to three categories as presented in Table 8.Comparing among all approaches was done using one way Analysis of Variance (ANOVA) for all criteria.Results of this test (Table 9) indicated a significant difference among Mean score of some criteria including CL, D/S, A, CO, I, AUT and SF/SL at 0.05 level but the other criteria did not show significant differences among approaches (p>0.05).Semantic based approaches are significantly higher than others with respects to CL characteristic.As discussed before, first diagram in Fig. 7 proves that semantic based approaches support much more automation and dynamism in service composition compared to other approaches.According to the presented diagrams in Fig. 7, the most level of confidentiality is provided by information flowcontrol based while access control-based approaches provide much more authentication and authorization compared to other categories.The second statistical analysis utilized in this work is factor analysis.The role of factor analysis is describing variability between observed, correlated variables considering unobserved latent variables called factors.The number of criteria used to evaluate service composition approaches reduced from 16 parameters to 5 linear functions where previous parameters are classified in those five dimensions based on their similarity and co-linearity.
Varimax rotation was applied for clearing all dimensions and an examination of the Kaiser-Meyer in measure of sampling adequacy suggested that the sample was factorable (KMO = 0.347).The initial Eigen values presented that the first factor explained 22.468% of the variance and the second, third, fourth and fifth factor 17.716, 15.472, 12.419 and 11.571% of the variance, respectively.As indicated in Table 10, the most important function is the first one called "Accountability and Accuracy" explained 22.46% of the variance.A brief explanation for each factor is provided below.First of all, three criteria loaded onto Factor 1 which is labeled "Accountability and Accuracy".As it can be clearly seen from Table 11, these four criteria relate to level of correctness and validation provided by approach as well as countermeasure proposed for authentication and authorization.Three criteria load onto a second factor labeled as "Automation and Dynamism" relate to automatic and dynamic composition and the composition language used in approach.After that, the four criteria that load onto Factor 3 relate to confidentiality level, being stateless or ----------------------------------------------------------------------------------------------------------------------------------------------------Accountability and accuracy stateful, proposed security constraints and the language used to define those security constraints.This factor is labelled as "Secrecy and Security Controls".Next factor i.e., forth factor is labeled as "Credibility and Privateness" which two criteria including privacy and reliability load onto it.Lastly, criteria loaded for Factor 5 relates to level of performance and availability in an approach and this factor is labeled as "Productivity and Accessibility".According to the rotated component matrix depicted in Table 11, the most important factor in security evaluation does "Accountability and Accuracy" comprise Correctness (C), Authentication (AU), Validation (V) and Authorization (AUT) parameters.It can be concluded that all 16 criteria categorized in these five factors (dimensions) have overall 79.645% effect on security evaluation.That is, there are some other effective factors on security evaluation which are unknown for us in this study.

DISCUSSION
A comparative evaluation of state-of-the-art security conscious WSC approaches with respects to all categories of WSC taxonomy is proposed.In this section, it is tried to highlight the most salient advantages and strengths of evaluated approaches to achieve (guideline) principle for researchers to evaluate service composition approaches and take advantages of this evaluation to enhance strengths and lessen deficiencies of desired approach.
The approaches with the highest achieved rank are selected as the best representative of each classification.The approaches proposed by Gilmore et al. (2010), Cheikh et al. (2006) and Tabatabaei et al. (2010) are picked out as the representative of information flow control-based, access control based and semantic-based category, respectively.Considering the obtained results with respect to being dynamic and automatic service composition, it can be claimed that applying formal methods has a significant impact to support these characteristics.Applying formal methods along with UML by Gilmore et al. (2010) not only supports automatic and dynamic composition but enhance the level of correctness and reliability.Cheikh et al. (2006) propose PDL (mathematic based language) to provide automation, dynamism and high level of correctness in composition process.Moreover, being semantic helps to support dynamic composition (such as proposed work by Tabatabaei et al. (2010)).Generally speaking, employing formal methods in service composition offers several advantages as follows: It enhances the correctness and reliability of service composition regardless of being syntactic or semantic; it improves the level of automation and dynamism; and it provides strong validation for service composition because of its being intrinsic mathematic-based.Regarding the composition language, it is recommended orchestration and choreography are considered together in service composition such as work proposed by Tabatabaei et al. (2010).This work uses WSMO as semantic solution to support this issue, whereas those two works employ BPEL to address it.In fact, lack of semantic leads to impede the effectiveness of the compatibility computing among the policies and causes some restrictions for service selection (Charfi and Mezini, 2007).As a result, it can be taken as deficiency into account for those approaches which apply no semantics.
With respects to security issues, only Cheikh et al. (2006) specify security constraint language while Tabatabaei et al. (2008) propose security constraints including goal, choreography and orchestration constraints.To gain the real power of security in service composition, it is advised to address its aspects as much as possible.As an instance, the security aspects are addressed in the aforementioned approaches comprises confidentiality, integrity, authentication and

Fig. 1 :
Fig. 1: Hierarchical classification of WSC approaches the security criteria.In this regards, the state-of-the-art approaches are summarized and discussed below.

Fig. 2 :
Fig. 2: The proposed framework for security-conscious evaluation of web service composition

Fig. 3 :
Fig. 3: Matrix for evaluation of criteria importance and the results based on extracted information from review of respective approaches are illustrated in Table6.This table concerns on descriptive data derived from each approach.In the next step, this information with regards to defined formula in above section is utilized to mathematically evaluate those approaches.
In this section, security-aware syntacticbased approaches are compared with respects to two sub categories namely information flow control-based and access control-based.The result of these comparisons is presented as follows.Information flow control-based: Regarding information flow control-based category, works proposed by Chevalier et al. (2008) and Gilmore et al.
Fig. 4: Weight of evaluation attributes

Fig. 7 :
Fig. 7: Difference level of means between three groups

Table 1 :
Evaluation criteria proposed for web service composition approaches

Table 2 :
Values of security-aware evaluation of service composition criterion Qualitative measure of evaluation criterion

Table 4 :
Regulated data set for evaluation criteria Derived regulations to assign data set to evalaution criteria References

Table 5 :
Regulated data set for evaluation criteria Derived regulations to assign data set to evalaution criteria References

Table 6 :
Primary assessment of web service composition approaches QoS

Table 7 :
Mathematical evaluation of security aware web service composition approaches QoS

Table 8 :
Mean of criteria for approaches Criteria

Table 11 :
Rotated component matrix Principal component analysis; Rotation method: Varimax with Kaiser normalization: Rotation converged in 7 iterations