Quantitative Security Analysis for Service-Oriented

Supervisory Committee Dr. Issa Traore Supervisor Dr. Kin Fun Li Departmental Member Dr. Stephen W. Neville Departmental Member Weber-Jahnke, J.H. Outside Member Dr. John Mullins Additional Member Due to the dramatic increase in intrusion activities, the definition and evaluation of software security requirements have become important aspects of the development of software services. It is now a well-accepted fact in software engineering that security concerns, like any other quality concerns, should be dealt with in the early stages of software development process. Current practices for software security architecture risk analysis, however, still heavily rely on human expertise. This involves a significant amount of subjective efforts creating a greater potential for inaccuracies. In this dissertation, we propose a framework for quantitative security architecture analysis for service-oriented software systems. In this regard two important contributions are made in the dissertation. First, we identify and define some internal security attributes and related properties based on a generic service-oriented software model, setting up a framework for the definition and formal evaluation of corresponding security metrics. Second, we propose a measurement abstraction paradigm named User System Interaction Effect (USIE) model that can be used to systematically derive and analyze security concerns from service-oriented software architectures. Many aspects of the model derivation and analysis can be automated, which limit the amount of user involvement and, thereby, reduce the subjectivity underlying typical security analysis process. The model can be used as a foundation for quantitative analysis of software services from different security perspectives with respect to the internal security properties introduced. Based on sample metrics derived from the framework, we illustrate empirically the viability of our paradigm by conducting case studies based on existing open source software.