Intrusion-Tolerant Architectures: Concepts and Design
Cited by 51 (32 self)
methodologies and algorithms, both in the fields of fault tolerance and security. Whilst they have taken separate paths until recently, the problems to be solved are of similar nature. In classical dependability, fault tolerance has been the workhorse of many solutions. Classical security-related work has on the other hand privileged, with few exceptions, intrusion prevention.
Automating data dependability
- In Proceedings of the 10th ACM-SIGOPS European Workshop, 2002
Cited by 21 (4 self)
If you can’t make your data dependable, then you can’t make your computing dependable, either. The good news is that the list of data protection techniques is long, and growing. The bad news is that the choices they offer are getting more complicated: how many copies of data to keep? whether to use full or partial redundancy? how often to make snapshots? how to schedule full and incremental backups? what combination of techniques to use? The stakes are getting higher: web access means that services must have 24x7 availability, and users are willing to switch if services are unavailable. Finally, human administrators can (and often do) make mistakes. These factors compel us to simplify and automate data dependability decisions as much as possible. We are developing a system that will automatically select which data protection techniques to use, and how to apply them, to meet user-specified dependability (i.e., reliability and availability) goals. This paper describes our approach and outlines our initial descriptions for user requirements, failure characteristics and data protection techniques.
Virtual Networks in an Integrated Time-Triggered Architecture
- In Proceedings of the Tenth IEEE International Workshop on Object-oriented Real-time Dependable Systems (WORDS2005), 2005
Cited by 18 (10 self)
Depending on the physical structuring of large distributed safety-critical real-time systems, one can distinguish federated and integrated system architectures. This paper investigates the communication services of an integrated system architecture, which combines the complexity management advantages of federated systems with the functional integration and hardware benefits of an integrated approach. A major challenge is the need to accommodate the communication services to the different types of integrated application subsystems that range from ultradependable control applications (e.g., an x-by-wire system) to non safety-critical applications such as multimedia or comfort systems. In particular, the encapsulation of the communication activities of different application subsystems is required not only to prevent error propagation from non safety-critical application subsystems to higher levels of criticality, but also to facilitate complexity management and permit independent development activities.
Feedback control applied to survivability: a host-based autonomic defense system
- IEEE Transactions on Reliability, 2002
Cited by 15 (0 self)
We address the problem of information system survivability, or dynamically preserving intended functionality & computational performance, in the face of malicious intrusive activity. A feedback control approach is proposed which enables tradeoffs between the failure cost of a compromised information system and the maintenance cost of ongoing defensive countermeasures. Online implementation features an inexpensive computation architecture consisting of a sensor-driven recursive estimator followed by an estimate-driven response selector. Offline design features a systematic empirical procedure utilizing a suite of mathematical modeling and numerical optimization tools. The engineering challenge is to generate domain models and decision strategies offline via tractable methods, while achieving online effectiveness. We illustrate the approach with experimentation results for a prototype autonomic defense system which protects its host, a Linux-based web-server, against an automated Internet worm attack. The overall approach applies to other types of computer attacks, network-level security and other domains which could benefit from automatic decision-making based on a sequence of sensor measurements. Index Terms: Computer security, empirical methods, intrusion tolerance, Markovian processes, numerical optimization, sensor uncertainty, stochastic control, survivable systems.
Toward Trust and Reputation Based Web Service Selection: A Survey
- 2007
Cited by 8 (0 self)
Using trust and reputation mechanisms offers a promising way to solve the web service selection problem. The investigation of trust and reputation systems in other areas can provide valuable observations and approaches that can be used in web service systems. Therefore, this paper presents a systematic review of various trust and reputation systems and proposes a typology to classify them from three aspects, centralized vs. decentralized, persons/agents vs. resources, global vs. personalized. These aspects are important not only in that they clarify the difference between various existing trust and reputation systems, but also in that they point out the potential research directions for using trust and reputation in web services and provide some reference systems for them.
A Maintenance-Oriented Fault Model for the DECOS Integrated Diagnostic Architecture
- 2005
Cited by 5 (2 self)
The increasing use of electronics in the automotive and avionic domain has led to dramatic improvements with respect to functionality, safety, and cost. However, with this growth of electronics the likelihood of failures due to faults originating from electronic equipment also increases. In order to tackle prevalent diagnostic problems such as the reduction of the fault-not-found ratio, a maintenance-oriented fault model is needed that serves as the basis for the classification of experienced failures.
Comparing two UML Profiles for Non-functional Requirement Annotations: the . . .
- THE SPT AND QOS PROFILES, UML'2004, 2004
Cited by 5 (1 self)
The paper compares two UML Profiles adopted by OMG for annotating non-functional requirements of software systems: the UML Profile for Schedulability, Performance and Time (SPT) formally adopted in 2003 and the recently emerging UML Profile for Modeling Quality of Service and Fault Tolerance Characteristics and Mechanisms (QoS). The SPT Profile was the first attempt to extend UML with basic timing and concurrency concepts, and to express requirements and properties needed for conducting schedulability and performance analysis. While the SPT Profile is focused on these two types of analysis, the more recent QoS Profile has a broader scope, aiming to allow the user to define a wider variety of QoS requirements and properties. In order to compare the two profiles, we will focus on performability and timing aspects of software systems, by exemplifying the concepts through an example of embedded automation system. The comparative analysis shows that new concepts are needed in both profiles to express time intervals between two arbitrary events. Also, the two profiles will need to reach a common agreement on the specification of complex timing values, especially of those with stochastic characteristics. Another open problem is the parameterization of models, as in many cases fixed values for model parameters are not enough. The SPT Profile goes a step further by supporting symbolic variables and expressions, but the QoS Profile does not have such a capability yet. In general, both Profiles struggle with the balance between flexibility (i.e., allow the user to introduce its own definitions) and simplicity/convenience of expression. The challenge when defining a UML profile is to find convenient yet powerful mechanisms of expression for complex concepts, yet to remain within the limits of the UML standard extension mechanisms, which is necessary to insure that the annotated models could be understood by standard UML tools.
Towards a Framework for Monitoring and Analyzing QoS Metrics of Grid Services
- Proceedings of the Second IEEE International Conference on e-Science and Grid Computing, 2006
Cited by 4 (1 self)
QoS (Quality of Service) parameters play a key role in selecting Grid resources and optimizing resources usage efficiently. Although many works have focused on using QoS metrics, surprisingly few tools support the monitoring and analysis of QoS metrics of Grid services. This paper presents a novel framework which supports the monitoring and analysis of QoS metrics in the Grid. Our approach is that, firstly, we develop a classification of important QoS metrics for Grid services that should be monitored and analyzed. Secondly, sensors are developed to monitor QoS of disparate Grid services by using a peer-to-peer Grid monitoring middleware. The dependencies among Grid services are modeled. Based on that, several techniques are used to analyze QoS metrics of dependent Grid services.
An Active Replication Scheme that Tolerates Failures in Distributed Embedded Real-Time Systems
- In Proceedings of IFIP Working Conference on Distributed and Parallel Embedded Systems, DIPES’04, 2004
Cited by 4 (0 self)
Embedded real-time systems are being increasingly used in a major part of critical applications. In these systems, critical real-time constraints must be satisfied even in the presence of failures. In this paper, we present a new method based on graph transformation that introduces fault-tolerance in building embedded real-time systems. The proposed method targets distributed architecture and can tolerate a fixed number of arbitrary processor and communication link failures. Because of the resource limitation in embedded systems, our method uses a software-based replication technique to provide fault-tolerance. Finally, since we use graph transformation to perform replication, our method may be used by any off-line distribution-scheduling algorithm to generate a fault-tolerant distributed schedule.
Time as a Metric for Defence in Survivable Networks
- Proceedings of the Work in Progress session of 24th IEEE Real-Time Systems Symposium (RTSS 2003), 2003
Cited by 3 (3 self)
Critical infrastructures of today’s society are built over networks that require a degree of survivability not foreseen when they were built. This paper reports on work in progress in a European project that aims to safeguard critical infrastructures such as electricity and telecom networks. It assumes that there will be accidents, attacks, and failures in parts of a network. The goal of safeguard is to enable delivery of the essential services despite these. Hence, we define a metric for network level survivability in terms of a continuous function of critical components’ availability and integrity. We further go on to measure the survivability of the system in terms of the time taken to breach of survivability. In a system where the implemented defence/recovery mechanisms are not adequate, this time is finite. In a system that implements self-healing, the presence of attacks and failures is continuously compensated by defence and recovery mechanisms. Again, a measure of time to recover from component failures is a key to increased network survivability. The paper presents a preliminary study of defence mechanisms in a telecom management network, and illustrates how simulations of the network and harmful data can be used to identify trade-offs that are central to increased survivability.

