For effective vulnerability management, vulnerability and attack information must be collected quickly and efficiently. A security knowledge repository can collect such information. The Common Vulnerabilities and Exposures (CVE) provides known vulnerabilities of products, while the Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of common attributes and approaches employed by adversaries to exploit known weaknesses. Due to the fact that the information in these two repositories are not linked, identifying related CAPEC attack information from CVE vulnerability information is challenging. Currently, the related CAPEC-ID can be traced from the CVE-ID using Common Weakness Enumeration (CWE) in some but not all cases. Here, we propose a method to automatically trace the related CAPEC-IDs from CVE-ID using three similarity measures: TF–IDF, Universal Sentence Encoder (USE), and Sentence-BERT (SBERT). We prepared and used 58 CVE-IDs as test input data. Then, we tested whether we could trace CAPEC-IDs related to each of the 58 CVE-IDs. Additionally, we experimentally confirm that TF–IDF is the best similarity measure, as it traced 48 of the 58 CVE-IDs to the related CAPEC-ID.

To guide practitioners and researchers to design and research Machine Learning (ML) system development processes, we conduct a preliminary literature review on ML system development practices. We identified seven papers and two other papers determined in an ad-hoc review. Our findings include emphasized phases in ML system developments, frequently described ML-specific practices, and tailored traditional practices.

Security and privacy in cloud systems are critical. To address security and privacy concerns, many security patterns, privacy patterns, and non-pattern-based knowledge have been reported. However, knowing which pattern or combination of patterns to use in a specific scenario is challenging due to the sheer volume of options and the layered cloud stack. To deal with security and privacy in cloud services, this study proposes the cloud security and privacy metamodel (CSPM). CSPM uses a consistent approach to classify and handle existing security and privacy patterns. In addition, CSPM is used to develop a security and privacy awareness process to develop cloud systems. The effectiveness and practicality of CSPM is demonstrated via several case studies.

Security and privacy in cloud systems are critical. To address security and privacy concerns, many security patterns, privacy patterns, and non-pattern-based knowledge have been reported. However, knowing which pattern or combination of patterns to use in a specific scenario is challenging due to the sheer volume of options and the layered cloud stack. To deal with security and privacy in cloud services, this study proposes the cloud security and privacy metamodel (CSPM). CSPM uses a consistent approach to classify and handle existing security and privacy patterns. In addition, CSPM is used to develop a security and privacy awareness process to develop cloud systems. The effectiveness and practicality of CSPM is demonstrated via several case studies.

Security patterns encapsulate security-related problems and solutions that recur in certain contexts for secure software system development and operations. Almost 500 security patterns have been proposed since the late 1990s. Technical investigations on their applications have advanced implementation, but the direction, overall picture, and significant technical challenges remain unclear. In this study, we propose a taxonomy for security pattern research by conducting a systematic literature review. Over 200 papers are categorized based on the taxonomy. The taxonomy is expected to guide practitioners to choose existing security pattern methods and tools. In addition, the taxonomy and the survey results should support communications among practitioners and researchers, and improve the quality of security pattern research and the effectiveness of security patterns.

Security patterns encapsulate security-related problems and solutions that recur in certain contexts for secure software system development and operations. Almost 500 security patterns have been proposed since the late 1990s. Technical investigations on their applications have advanced implementation, but the direction, overall picture, and significant technical challenges remain unclear. In this study, we propose a taxonomy for security pattern research by conducting a systematic literature review. Over 200 papers are categorized based on the taxonomy. The taxonomy is expected to guide practitioners to choose existing security pattern methods and tools. In addition, the taxonomy and the survey results should support communications among practitioners and researchers, and improve the quality of security pattern research and the effectiveness of security patterns.

A software system is developed for satisfying requirements of stakeholders. Each requirement will be never satisfied without the collaboration of several components such as the system, devices and people interacting with them, i.e. users. However, a user does not or cannot always behave toward the other components according to their expectations. For example, a user sometimes makes mistake or even misuse of the system. The system thus has to encourage users to behave according to such expectations as well as possible. In this paper, we propose a method for eliciting software requirements that will improve users’ behavior with respect to the expectations. We rely on transparency, i.e. the open flow of information amongst stakeholders because no one can directly manipulate users but transparency has an influence on users’ behavior. We expect users will voluntarily behave better than ever when the system provides suitable information flows. We represent our method by using KAOS goal modeling notation, and show examples how it works.

Traceability is important knowledge for improving the artifacts of software and systems and processes related to them. Even in a single system, various kinds of artifacts exist. Various kinds of processes also exist, and each of them relates to different kinds of artifacts. Traceability over them has thus large diversity. In addition, developers in each process have different types of purposes to improve their artifacts and process. Research results in traceability have to be categorized and analyzed so that such a developer can choose one of them to achieve his/her purposes. In this paper, we report on the results of Systematic Literature Review (SLR) related to software and systems traceability. Our SLR is preliminary one because we only analyzed articles in ACM digital library and IEEE computer society digital library. We found several interesting trends in traceability research. For example, researches related to creating or maintaining traceability are larger than those related to using it or thinking its strategy. Various kinds of traceability purposes are addressed or assumed in many researches, but some researches do not specify purposes. Purposes related to changes and updates are dominant.

Business processes can be assessed by checking transaction documents for inconsistency risks and can be classified into two categories. Inconsistency refers to a mismatch between items (product name, quantity, unit price, amount price, etc.) among transaction documents. For any process in the first category, the consistency of any pair of transaction documents in the process is checked, and there is no risk of inconsistency. For any process in the second category, the consistency of some pairs of transaction documents in the process cannot be checked, and there is a risk of inconsistency. This paper proposes a method and a tool for the assessment of risk inconsistencies. The assessment can be used to design and evaluate business processes for a company’s internal control over financial reporting. A business process diagram and inconsistency risk detection algorithm for classifying business processes is provided. A BPA-tool (Business Process Assessment tool) is also presented.

Security patterns are intended to support software developers as the patterns encapsulate security expert knowledge. However, these patterns may be inappropriately applied because most developers are not security experts, leading to threats and vulnerabilities. Here we propose a support method for security design patterns in the implementation phase of software development. Our method creates a test template from a security design pattern, consisting of an "aspect test template" to observe the internal processing and a "test case template". Providing design information creates a test from the test template with a tool. Because our test template is reusable, it can easily perform a test to validate a security design pattern. In an experiment involving four students majoring in information sciences, we confirm that our method can realize an effective test, verify pattern applications, and support pattern implementation.

Clouds do not work in isolation but interact with other clouds and with a variety of systems either developed by the same provider or by external entities with the purpose to interact with them
forming then an ecosystem. A software ecosystem is a collection of software systems that have been developed to coexist and evolve together. The stakeholders of such a system need a variety of models to give them a perspective of the possibilities of the system, to evaluate specific quality attributes, and to extend the system. A powerful representation when building or using software ecosystems is the use of architectural models, which describe the structural aspects of such a system. These models have value for security and compliance, are useful to build new systems, can be used to define service contracts, find where quality factors can be monitored, and to plan further expansion. We have described a cloud ecosystem in the form of a pattern diagram where its components are patterns and reference architectures. A pattern is an encapsulated solution to a recurrent problem. We have recently expanded these models to cover fog systems and containers. Fog Computing is a highly-virtualized platform that provides compute, storage, and networking services between end devices and Cloud Computing Data Centers
a Software Container provides an execution environment for applications sharing a host operating system, binaries, and libraries with other containers. We intend to use this architecture to answer a variety of questions about the security of this system as well as a reference to design interacting combinations of heterogeneous components. We defined a metamodel to relate security concepts which is being expanded.

We propose a metamodel for handling security and privacy in cloud service development and operation. The metamodel is expected to be utilized for building a knowledge base to accumulate, classify and reuse existing cloud security and privacy patterns and practices in a consistent and uniform way. Moreover the metamodel and knowledge base are expected to be utilized for designing and maintaining architectures for cloud service systems incorporating security and privacy.

Software development requires the protection of privacy. However, a body of knowledge does not exist for the development of privacy-aware software. Based on a literature survey, this paper introduces various studies that address knowledge regarding the development of privacy-aware software, and describes the current status and future direction toward building a knowledge base for privacy-aware software development.

An information system can store personal information of its primary users such as shopping histories, and some third party wants or happens to know such information. Because the system usually provides its privacy policy and its users have to give their consent to it, they sometimes have to partially give up the protection of their privacy. On the other hand, a chance of a third party to know such information is too limited if the policy is too defensive. We proposed a method to explore trade-offs between protection of such information and access permissions for a third party, and exemplified it. In this method, operation logs of a system are focused. The structure of each log is then modelled for analysing what kinds of information can be accessed by a third party. Access limitations of each third party are explored so as to balance the protection of privacy information against access right of third parties.

This study describes a new approach to cloud federation architecture for academic community cloud. Two basic approaches have been proposed to deal with cloud burst, disaster recovery, business continuity, etc., in community clouds: standardization of cloud services and multi-cloud federation. The standardization approach would take time; i.e., it would not be effective until there are enough implementations and deployments following the standard specifications. The federation approach places limitations on the functionalities provided to users; they have to be the greatest common divisor of the clouds' functions. Our approach is "cloud on demand", which means on-demand cloud extension deployments at remote sites for inter-cloud collaborations. Because we can separate the governance of physical resources for cloud deployment and the governance of each cloud by this approach, each organization can have full control on its cloud. We describe how the problems of the previous approaches are solved by the new approach and evaluate a prototype implementation of our approach.

An ecosystem is the expansion of a software product line architecture to include systems outside the product which interact with the product. We model here the architecture of a cloud-based ecosystem, showing security patterns for its main components. We discuss the value of this type of models.

In recent years, importance on software security technologies has been recognized and various types of technologies have been developed. On the other hand, in spite of recognition of necessity of providing cases that deal with full life cycle for secure software development, only few are reported. This paper describes a case-based management system (CBMS) that consists of an artifact management system and a knowledge-based management system (KBMS) to manage cases for secure software development. The former manages the artifacts created in secure software life cycle. The latter manages software security knowledge. The case-based management system also manages association between artifacts and software security knowledge and supports both visualization among software security knowledge and between artifacts and software security knowledge. We conducted an experiment to evaluate the system. We describe the effectiveness and future work of the system. (C) 2015 The Authors. Published by Elsevier B.V

The importance of software security technologies has been gaining attention due to the increase in services on the Internet. Various technologies regarding software security have been developed. However, we believe knowledge regarding software security is not integrated; therefore, we have been developing a knowledge base for secure software development. We previously proposed a learning model that associates artifacts created in secure software development with knowledge in the knowledge base as design rationale. However, only a few case studies that addressed a full life cycle for secure software development have been reported. To mitigate this lack in reported case studies, Okubo et al. created a common task regarding software security. In this study, we developed a case base of secure software development whose artifacts are associated with the knowledge base using this common task as a case.

Because software developers are not necessarily security experts, identifying potential threats and vulnerabilities in the early stage of the development process (e.g., the requirement-or design-phase) is insufficient. Even if these issues are addressed at an early stage, it does not guarantee that the final software product actually satisfies security requirements. To realize secure designs, we propose extended security patterns, which include requirement-and design-level patterns as well as a new model testing process. Our approach is implemented in a tool called TESEM (Test Driven Secure Modeling Tool), which supports pattern applications by creating a script to execute model testing automatically. During an early development stage, the developer specifies threats and vulnerabilities in the target system, and then TESEM verifies whether the security patterns are properly applied and assesses whether these vulnerabilities are resolved.

Although security patterns contain security expert knowledge to support software developers, these patterns may be inappropriately applied because most developers are not security specialists, leading to threats and vulnerabilities. Here we propose a validation method for security design patterns in the implementation phase of software development. Our method creates a test template from a security design pattern, which consists of the "aspect test template" to observe the internal processing and the "test case template". Providing design information creates a test from the test template. Because a test template is recyclable, it can create easily a test, which can validate the security design patterns. As a case study, we applied our method to a web system. The result shows that our method can test repetition in the early stage of implementation, verify pattern applications, and assess whether vulnerabilities are resolved.

National Institute of Informatics has developed a private IaaS cloud "edubase Cloud" and a private bare-metal IaaS cloud "Gunnii". Additionally, we have just developed an prototype cloud platform, "Academic InterCloud(AIC)", and run it in trial. Operating such large cloud infrastructure relies on operators experience. A new more efficient approach, therefore, is needed. In this paper, we propose an editable huge "Map" approach and apply it to some practical cases. This paper also describes the future work to make a more efficient map.

Earlier software architecture design is essential particularly when it comes to security concerns, since security risks, requirements and architectures are all closely interrelated and interacting. We have proposed the security driven twin peaks method with a mutual refinement of the requirements, and architectures. However, there are multiple alternatives to an architecture design for initial requirements, and their choices depend on non-functional requirements (NFRs), such as security, performance, and cost which often largely change. We propose a new method we call TPM-SA2 to avoid any back-track in refinement. Each architectural alternative in TPM-SA2 is refined so that it aligns with the requirements. For each refinement, the requirements can be updated vice versa. TPM-SA2 enables us to predict the impacts on the NFRs by each candidate for the architecture, and choose the most appropriate one with respect to the impact. As a result, we can define the requirements and architectures, and estimated the development costs earlier than ever.

There is an issue when security measures are implemented and tested while using agile software development techniques such as Behavior Driven Development (BDD). We need to define the necessary levels of security and the privacy behaviors and acceptance criteria for the BDD. A method for defining the acceptance criteria (BehaveSafe) by creating a threat and countermeasure graph called the T&C graph is proposed in this paper. We have estimated the efficiency of our method with a web based system.

Light weight development processes like Agile have emerged in response to rapidly changing market requirements. However such processes are inadequate for software in embedded systems. As embedded software undergoes frequent refactoring, targeting only immediate requirements. As a result maintainability decreases because the system is not designed to respond to changes in the associated hardware. In this paper, we propose a method for detection of variation points and variability mechanisms. We also propose a technique for evaluation of flexibility to changes. Our approach is based on analyses of the call graph and the inheritance structure of source code to identify a layer structure that is specific to embedded software. These techniques provide us with objective and quantitative information about costs of adding functionality. We applied the proposal method to an actual product's code before and after the refactoring and could verify an improvement in system's variability.

Misuse case model and its development process are useful and practical for security requirements analysis, but they require expertise especially about security assets and goals. To enable inexperienced requirements analysts to elicit and to analyse security requirements, we present an extension of misuse case model and its development process by incorporating new model elements, assets and security goals. We show its effectiveness from the quantitative and qualitative results of a case study. According to the results, we conclude the extension and its process enable inexperienced analysts to elicit security requirements as well as experienced analysts do. © 2014 Information Processing Society of Japan.

Because all the requirements analysts are not the experts of security, providing security knowledge automatically is one of the effective means for supporting security requirements elicitation. We propose a method for eliciting security requirements on the basis of Common Attack Patterns Enumeration and Classification (CAPEC). A requirements analyst can automatically acquire the candidates of attacks against a functional requirement with the help of our method. Because technical terms are mainly used in the descriptions in CAPEC and usual phrases are used in the requirements descriptions, there are gaps between them. To bridge the gaps, our method contains a mapping between technical terms and noun phrases called term maps.

Earlier software architecture design is essential particularly when it comes to security concerns, since security risks, requirements and architectures are all closely interrelated and interacting. We have proposed the security driven twin peaks method with a mutual refinement of the requirements, and architectures. However, there are multiple alternatives to an architecture design for initial requirements, and their choices depend on non-functional requirements (NFRs), such as security, performance, and costs which have a big impact on the quality of the software. We propose a new method called TPM-SA2 to avoid any back-track in refinement. Each architectural alternative in TPM-SA2 is refined so that it aligns with the requirements. For each refinement, the requirements can be updated vice versa. TPM-SA2 enables us to predict the impacts on the NFRs by each candidate for the architecture, and choose the most appropriate one with respect to the impact. As a result, we can define the requirements and architectures, and estimated the development costs earlier than ever.

In a Web application framework suitable for a code-centric development approach, maintaining the faultlessness of the security features is an issue because the security features are dispersed throughout the code during the implementation. In this paper, we propose a method and develop a static verification tool for Web applications that checks the completeness of the security features implementation. The tool generates a navigation model from an application code while retaining the security properties and then checks the consistency of the security properties on the model since access control is relevant to the application behavior. We applied the proposed tool to various Ruby on Rails Web application source codes and then tested their authentication and authorization features. Results showed that the tool is an effective aid in the implementation of security features in code-centric and iterative Web application development. © 2013 IEEE.

Software developers are not necessarily security specialists, security patterns provide developers with the knowledge of security specialists. Although security patterns are reusable and include security knowledge, it is possible to inappropriately apply a security pattern or that a properly applied pattern does not mitigate threats and vulnerabilities. Herein we propose a method to validate security pattern applications. Our method provides extended security patterns, which include requirement- and design-level patterns as well as a new model testing process using these patterns. Developers specify the threats and vulnerabilities in the target system during an early stage of development, and then our method validates whether the security patterns are properly applied and assesses whether these vulnerabilities are resolved. © 2013 IEEE.

We propose a model-assisted security testing framework for developing Web applications. We devised a tool called "RailroadMap" that automatically extracts a behavior model from the code base of Ruby-on-Rails. This model provides a unified point of view for analyzing security problems by representing an application's behavior, which includes all security functions and possible attack scenarios.

Because an information system is used in different activities simultaneously today, we have to analyze usages of the system in the existing activities and to-be usages in an intended activity together. Especially, security aspects should be carefully analyzed because existing activities are not always secure. We propose a security requirements analysis method for resolving this problem. To take both existing and intended activities into account together, we integrate them on the basis of the unification of common actors. To explore possible attacks under integrated activities, we enumerate achievable attacks on the basis of the possible means in each actor with the help of security knowledge. To avoid or mitigate the attacks and to achieve fundamental goals, we disable some means or narrow down the means to be monitored with the help of propositional logic formulae. Through case studies on insurance business, we illustrated our idea.

Intercloud object storage services are crucial for inter-organization research collaborations that need huge amounts of remotely stored data and machine image. This study introduces a prototype implementation of wide-area distributed object storage services, called colony, and describes a trial of its cloud storage architecture and intercloud storage services for academic clouds.

It is difficult to sufficiently specify software security requirements because they depend on a software architecture that has not yet been designed. Although the Twin Peaks model is a reference model to elicit a sufficient amount of software requirements in conjunction with the architectural requirements, it is still unclear how the security requirements can be elicited while taking the architecture into consideration. We propose a novel method to elicit the security requirements with architecture elaboration based on the Twin Peaks model, which is called the Twin Peaks Model application for Security Analysis (TMP-SA). In our method, security countermeasures for attacks are elicited as the security requirements incrementally according to the refinement of the architecture. We can comprehensively explore the alternatives for the countermeasures (security requirements) and choose the most suitable one for each project because we can focus on the architecture-specific security issues as well as architecture-independent security issues. We have applied our method to several applications and discuss its advantages and limitations. We found that our method is suitable for iterative development, and it enables us to find threats caused by architectural issues that are severely difficult to find when analyzing only the requirements issues. © 2012 IEEE.

The need for early consideration of security during system design and development cannot be over-emphasized, since this allows security features to be properly integrated into the system rather than added as patches later on. A necessary pre-requisite is the elicitation and analysis of the security requirements prior to system design. Existing methods for the security requirements phase, such as attack trees and misuse case analysis, use manual means for analysis, with which it is difficult to validate and analyse system properties exhaustively. We present a computational solution to this problem using an institutional (also called normative) specification to capture the requirements in the InstAL action language, which in turn is implemented in answer set programming (a kind of logic programming language). The result of solving the answer set program with respect to a set of events is a set of traces that capture the evolution of the model over time (as defined by the occurrence of events). Verification is achieved by querying the traces for specific system properties. Using a simple scenario, we show how any state of the system can be verified with respect to the events that brought about that state. We also demonstrate how the same traces enable: (i) identification of possible times and causes of security breaches and (ii) establishment of possible consequences of security violations. © 2012 IEEE.

Cloud computing is a new computing model that allows providers to deliver services on demand by means of virtualization. One of the main concerns in cloud computing is security. In particular, the authors describe some attacks in the form of misuse patterns, where a misuse pattern describes how an attack is performed from the point of view of the attacker. Specially, they describe three misuse patterns: Resource Usage Monitoring Inference, Malicious Virtual Machine Creation, and Malicious Virtual Machine Migration Process. © 2013, IGI Global.

Multi-agent systems (MASs) are one of the effective approaches for dealing with the recent increase in software complexity and their autonomy. In the MAS research community, there has recently been increasing interest in the adoption of requirements engineering techniques to bridge the gap between the system requirements and the system design. One of the most important tasks based on the requirements description in the MAS design activity is the extraction of roles, which are the fundamental components of multi-agent systems, from it. It is also important to comprehend the relative degree of responsibility of the individual roles. The comprehension helps the developer decide the system architecture and discuss the performance and stability of the system. We introduce the concept of importance as a quantitative metric and an evaluation framework for the extraction of a suitable role set for the system and the task assignment to these roles. The importance is propagated from the requirements to the roles through their assigned tasks. We demonstrate the effectiveness of our framework through a case study and show that our metric and evaluation framework help not only to identify the importance of each role, but also to determine the system architecture.

this study describes a trial for establishing a network-aware object storage service. For scientific applications that need huge amounts of remotely stored data, the cloud infrastructure has functionalities to provide a service called 'cluster as a service' and an inter-cloud object storage service. The scientific applications move from locations with constrained resources to locations where they can be executed practically. The inter-cloud object storage service has to be network-aware in order to perform well.

This paper presents a modelling framework to support Internal Control. The proposed framework is intended to be used for the design and evaluation of internal controls by organisations and their auditors. One component of the framework is a modelling language and the other is a process to establish internal controls. The proposed modelling language is based on Secure Tropos modelling language. It extends Secure Tropos in several ways in order to conceptualize some aspects of internal controls in which organisational structure and relationships between major stakeholders are taken into account. In this paper we describe the proposed framework by presenting an internal control model and show how risks can be analysed in the models according to the proposed process. © 2011 IEEE.

We present two common patterns for distributed systems: Enterprise Service Bus (ESB) and Distributed Publish/Subscribe (P/S). ESB defines a common bus structure that provides basic brokerage functions as well as a set of other appropriate services. The ESB has been used mostly for web services but it can be used for any distributed system. The P/S realizes a system structure where subscribers register to receive events produced by a publisher. The P/S has been described usually in a centralized environment and we emphasize here its distributed nature. These patterns are mainly intended for web services application and distributed systems architects and designers. In those applications, the ESB and the Distributed P/S are architectural units that need to be combined with other architectural units. © Copyright 2011 Carnegie Mellon University.

A good way to obtain secure systems is to build applications in a systematic way where security is an integral part of the lifecycle. The same applies to reliability. If we want a system which is secure and reliable, both security and reliability must be built together. If we build not only applications but also middleware and operating systems in the same way, we can build systems that not only are inherently secure but also can withstand attacks from malicious applications and resist errors. In addition, all security and reliability constraints should be defined in the application level, where their semantics is understood and propagated to the lower levels. The lower levels provide the assurance that the constraints are being followed. In this approach all security constraints are defined at the conceptual or application level. The lower levels just enforce that there are no ways to bypass these constraints. By mapping to a highly secure platform, e.g., one using capabilities, we can produce a very secure system. Our approach is based on security patterns that are mapped through the architectural levels of the system. We make a case for this approach and we present here three aspects to further develop it. These aspects include a metamodel for security requirements, a mapping of models across architectural levels, and considerations about the degree of security of the system. © 2011 IEEE.

Unlike functional implementations, it is difficult to analyze the impact software enhancements on security. One of the difficulties is identifying the range of effects by new security threats, and the other is developing proper countermeasures. This paper proposes an analysis process that uses two kinds of security pattern: security requirements patterns for identifying threats and security design patterns for identifying countermeasures at an action class level. With these two patterns and the conventional traceability methodology, developers can estimate and compare the amounts of modifications needed by multiple security countermeasures. © 2011 IEEE.

The purpose of this study is to reduce the difficulties encountered when designing multi-agent systems (MAS). Although MAS are one of the more effective approaches for dealing with the recent increase in software complexity, they are themselves difficult to develop. We believe the difficulties in determining agent responsibilities and the organizational structure as the most significant obstacles to MAS development. In this paper, we propose a design framework for MAS, which includes restriction rules in the goal-oriented requirements description and a generator that transforms the restricted requirements description into a general MAS design model. We demonstrate the effectiveness of our framework through a case study and show how the framework can be used to construct MAS design models more precisely than conventional methods permit. © 2011 ACM.

Education for cloud engineers is crucial in terms of innovation in the development of cloud technologies. We propose a new cloud platform based on open-source software that uses multi-clouds for the education. © 2011 Authors.

This paper presents a new approach, which attempts to provide a basic framework in which security requirements and security assurance can be aligned in a uniform and concise way in a single requirements modelling methodology. This framework aims at providing security requirements modelling method for the system development as well as security assurance under the Common Criteria (IEC/ISO 15408), an international standard for security assurance and evaluation for IT products. We will adopt use case diagrams as a basis for this modelling method and extend them based on a meta model derived from the Common Criteria, which includes all relevant security concepts and their relationships for an analysis of security threats. We take Multi Function Peripherals (MFPs) as a working example and demonstrate how our proposed modelling method can effectively elicit/analyze security requirements in this paper. © 2010 IEEE.

The spread of open-software services through the Internet increases the importance of security. A security pattern is one of the techniques in which developers utilize security experts' knowledge. Security patterns contain typical solutions about security problems. However there is a possibility that developers may apply security patterns in inappropriate ways due to a lack of consideration on dependencies among patterns. Application techniques of security patterns that consider such dependencies have not been proposed yet. In this paper, we propose an automated application technique of security patterns in model driven software development by defining applications procedures of security patterns to models as model transformation rules with consideration for pattern dependencies. Our technique prevents inappropriate applications such as the application of security patterns to wrong model elements and that in wrong orders. Therefore our technique supports developers apply security patterns to their own models automatically in appropriate ways.

It is possible to reasonably measure the security quality of individual security patterns. However, more interesting is to ask: Can we show that a system built using security patterns is secure in some sense? We discuss here some issues about evaluating the security of a system built using security patterns. We consider the use of threats and misuse patterns to perform this evaluation.

Addressing the challenges of developing secure software systems remains an active research area in software engineering. Current research efforts have resulted in the documentation of recurring security problems as security patterns. Security patterns provide encapsulated solutions to specific security problems and can be used to build secure systems by designers with little knowledge of security. Despite this benefit, there is lack of work that focus on evaluating the capabilities of security analysis approaches for their support in incorporating security analysis patterns. This chapter presents evaluation results of a study we conducted to examine the extent to which constructs provided by security requirements engineering approaches can support the use of security patterns as part of the analysis of security problems. To achieve this general objective, the authors used a specific security pattern and examined the challenges of representing this pattern in some security modeling approaches. The authors classify the security modeling approaches into two categories: Problem and solution and illustrate their capabilities with a well-known security patterns and some practical security examples. Based on the specific security pattern they have used our evaluation results suggest that current approaches to security engineering are, to a large extent, capable of incorporating security analysis patterns. © 2011, IGI Global.

The spread of open-software services through the Internet increases the importance of security. A security pattern is one of the techniques in which developers utilize security experts' knowledge. Security patterns contain typical solutions about security problems. However there is a possibility that developers may apply security patterns in inappropriate ways due to a lack of consideration on dependencies among patterns. Application techniques of security patterns that consider such dependencies have not been proposed yet. In this paper, we propose an automated application technique of security patterns in model driven software development by defining applications procedures of security patterns to models as model transformation rules with consideration for pattern dependencies. Our technique prevents inappropriate applications such as the application of security patterns to wrong model elements and that in wrong orders. Therefore our technique supports developers apply security patterns to their own models automatically in appropriate ways.

We have proposed a new type of pattern, the misuse pattern. This pattern describes, from the point of view of the attacker, how a type of attack or misuse is performed (what system units it uses and how)
it also provides ways of stopping the attack by enumerating possible security patterns that can be applied for this purpose, and helps analyzing the attack once it has happened by indicating where can we find forensics data as well as what type of data. A catalog of misuse patterns is needed to let designers evaluate their designs with respect to possible threats. We present here a misuse pattern for a generic worm, which describes the essential and typical characteristics of this type of malware. We consider how to stop this malware and we also discuss some examples and variations.

Peer-To-Peer-systems (P2P) introduced new methods to distribute large amounts of data to end users. To increase the distribution speed resources from all participating network nodes, the peers, are used, and therefore the workload on own resources decreases. To utilize all peers large data is split into small pieces, so called chunks, and these chunks are distributed among peers therefore making each chunk available on different peers. To identify and find chunks in P2P-systems hash algorithms are used, and each peer is responsible for a specific range of the hash's keyspace and all chunks that fall within this keyspace. With data stored on multiple peers new security risks in terms of confidentiality, integrity, and availability arise. Our security pattern targeted specifically for P2P-systems helps system designers to identify possible threats and show appropriate countermeasures. We show how secure hash algorithms can guarantee the integrity of the distributed data even though chunks are sent to, received from, and stored by multiple, possible untrustworthy, peers.

Although model checking is expected as a practical formal verification approach for its automatic nature, it still suffers from difficulties in writing the formal descriptions to be verified and applying model checking tools to them effectively. The difficulties are found mainly in grasping the exact system behaviors, representing them in formal languages, and using model checking tools that fit the best to the verification problems. Even capable software developers need extensive education to overcome the difficulties. In this paper, we report our education course of practical applications of model checking in our education project called Top SE. Our approach consists of the following two features. First, we adopt UML as the design specification language and create the descriptions for each specific model checking tool from the UML diagrams, to enable easy practical application of model checking. Second, we build taxonomies of system behaviors, in particular behaviors of concurrent systems that are main targets of model checking. We can organize the knowledge and the techniques of practical model checking according to the taxonomies. The taxonomies are based on several aspects of system behaviors such as synchronization of transitions, synchronization of communications, and modeling of system environments. In addition, we make clear which model checking tools fit which types of systems. We treat the three different model checking tools: SPIN, SMV, and LTSA. Each tool has its specific features that make the tool easier or more difficult to be applied to specific problems than others. In our education course, we explain the taxonomies, the knowledge, and the techniques using very simple examples. We also assign the students exercises to apply the knowledge and the techniques to more complicated problems such as the dining philosopher problem, data copying between a DVD recorder and a hard disk recorder, and the alternating bit protocol.

Although model checking is expected as a practical formal verification approach for its automatic nature, it still suffers from difficulties in writing the formal descriptions to be verified and applying model checking tools to them effectively. The difficulties are found mainly in grasping the exact system behaviors, representing them in formal languages, and using model checking tools that fit the best to the verification problems. Even capable software developers need extensive education to overcome the difficulties. In this paper, we report our education course of practical applications of model checking in our education project called Top SE. Our approach consists of the following two features. First, we adopt UML as the design specification language and create the descriptions for each specific model checking tool from the UML diagrams, to enable easy practical application of model checking. Second, we build taxonomies of system behaviors, in particular behaviors of concurrent systems that are main targets of model checking. We can organize the knowledge and the techniques of practical model checking according to the taxonomies. The taxonomies are based on several aspects of system behaviors such as synchronization of transitions, synchronization of communications, and modeling of system environments. In addition, we make clear which model checking tools fit which types of systems. We treat the three different model checking tools: SPIN, SMV, and LTSA. Each tool has its specific features that make the tool easier or more difficult to be applied to specific problems than others. In our education course, we explain the taxonomies, the knowledge, and the techniques using very simple examples. We also assign the students exercises to apply the knowledge and the techniques to more complicated problems such as the dining philosopher problem, data copying between a DVD recorder and a hard disk recorder, and the alternating bit protocol.

Security is now the most critical feature of any, computing systems. Eliciting and analyzing security requirements, in the early stages of the system development process is highly, recommended to reduce security vulnerabilities which might be, found in the later stages of the system development process. In, order to address this issue, we will propose a new extension, of the misuse case diagram for analyzing and eliciting security, requirements with special focus on assets and security goals. We, will also present the process model in which business requirements, and system requirements related to security features are, separately analyzed and elicited in different phases. This process, model helps us to analyze the requirements related to business, goals in an earlier phase and to the system goals in a later phase, so that any concerns related to them are dealt with separately.We will illustrate our approach with a case study taken from an, accounting software package. © 2009 IEEE.

We will discuss here the theoretical, social, technological and practical issues related to quality aspects of software patterns including security and safety aspects. The workshop will provide the opportunity for bringing together researchers and practitioners, and for discussing the future prospects of this area. As for the workshop format, first, we will have short talks on what software patterns are, and how they are related to quality. Second, we will have accepted position paper presentations to expose the latest researches and practices on software patterns and quality. Finally, we will discuss several topics related to these presentations in small groups. Newcomers, interested researchers and practitioners are free to attend the workshop to facilitate their understandings, researches and practices on software patterns and quality.

In order to make practical use of formal methods, it is not sufficient for engineers to obtain general, fundamental knowledge of the methods and tools. Actually, it is also necessary for them to carefully consider their own contexts and determine adequate approaches to their own problems. Specifically, engineers need to choose adequate methods and tools, determine their usage strategies, and even customize or extend them for their effective and efficient use. Regarding the point, this paper reports and discusses experiences on education of formal methods in the Top SE program targeting software engineers in the industry. The program involves education of a variety of scientific methods and tools with group exercises on practical problems, allowing students to compare different approaches while understanding common principles. In addition, the program involves graduation studies where each student identifies and tackles their own problems. Statistics on problem settings in the graduation studies provide interesting insights into what top-level engineers tackles after learning formal methods. © 2009 Springer-Verlag Berlin Heidelberg.

There are a large number of security patterns encapsulating reusable solutions to recurrent security problems. However, catalogs of security patterns are not enough because the designer does not know when and where to apply them, especially in a large complex system. There is a need to conduct more precise classifications of security patterns. We analyze here ways to represent security patterns using specialized models for their precise classification. We define two new types of models, one that describes how a security pattern relates to several classification dimensions (Dimension Graph), and another that describes how security patterns relate to each other (Pattern Graphs). We show these ideas with examples from security patterns.

Java Script is a popular scripting language that is particularly useful for client-side programming together with HTML/XML on the Web. As Java Script programs become more complex and large, separation of concerns at the implementation level is a significant challenge. Aspect orientation has been a well known concept to realize improved separation; however, existing mechanisms require modifications in the target modules for aspect weaving in Java Script (i.e., not "complete" separation). In this paper, we propose an Aspect-Oriented Java Script framework, named "AOJS", which realizes the complete separation of aspects and other core modules in Java Script. AOJS can specify function executions, variable assignments and file initializations in Java Script programs as the joinpoints of aspects. Moreover, AOJS guarantees the complete separation of aspects and core program modules by adopting a proxy-based architecture for aspect weaving. By utilizing these features, we confirmed that AOJS offers improved modifiability and extendability for Java Script programming.

Wireless sensor networks (WSN) consist of spatially distributed nodes that monitor physical conditions. In the past, most WSNs have been designed with a single specific application in mind. Recent developments however are expanding the applicability of WSNs and are increasing the demand for deploying multiple applications simultaneously. To host multiple applications in a single WSN, current solutions provide mechanisms for components to be dynamically deployed to nodes. However, two issues make the present form of dynamic deployment impractical for applications involving distributed collaboration and the redeployment of multiple distributed components. For one, existing works lack a suitable architecture for cooperation and interaction between components in WSNs. Another problematic aspect is the insufficiency of current methods in efficiently deploying multiple components throughout the network. To address these issues, we propose an architecture based on multiple components that have specific responsibilities in regard to deployment and a generative approach for dynamic deployment of such components.

Security patterns are now starting to be accepted by industry. Security patterns are useful to guide the security design of systems by providing generic solutions that can stop a variety of attacks but it is not clear to an inexperienced designer what pattern should be applied to stop a specific attack. They are not useful either for forensics because they do not emphasize the modus operandi of the attack. To complement security patterns, we have proposed a new type of pattern, the misuse pattern. This pattern describes, from the point of view of the attacker how a type of attack is performed (what units it uses and how), defines precisely the context of the attack, analyzes the ways of stopping the attack by enumerating possible security patterns that can be applied for this purpose, and describes how to trace the attack once it has happened by appropriate collection and observation of forensics data. We present here a model that characterizes the precise structure of this type of pattern.

We held the 2nd Workshop on Software Patterns and Quality (SPAQu'08) as a focus group of the 15th Conference on Pattern Languages of Programs (PLoP '08), to discuss the theoretical, social, technological and practical issues related to quality aspects of software patterns, including security aspects. In this report we summarize the objectives and results of the workshop. © 2008 is held by the author(s).

We introduce the concept of "abstract" security patterns that deal with abstract security mechanisms, rather than concrete implementations. We also show an organization of abstract security patterns and concrete ones into hierarchies. © 2008 is held by the author(s).

Patterns are useful knowledge about recurring problems and solutions. Detecting a security problem using patterns in requirements models may lead to its early solution. In order to facilitate early detection and resolution of security problems, in this paper, we formally describe a role-based access control (RBAC) as a pattern that may occur in stakeholder requirements models. We also implemented in our goal-oriented modeling tool the formally described pattern using model-driven queries and transformations. Applied to a number of requirements models published in literature, the tool automates the detection and resolution of the security pattern in several goal-oriented stakeholder requirements. Copyright 2008 ACM.

We have proposed in the past three separate methodologies for secure software development. We have found that they have many common and complementary aspects and we proposed a combination of them that appears as a good approach to secure software development. The combined methodology applies security at all stages, considers the architectural levels of the system, applies security policies through the use of patterns, and formalizes some portions of the design. We have studied in some detail how to elicit and describe security requirements, how to reflect these requirements in the conceptual model, how to estimate some performance aspects, how to formalize some aspects such as communication protocols, and how to map the conceptual requirements into design artifacts. A design aspect which we have not studied is the incorporation of databases as part of the secure architecture. The database system is a fundamental aspect for security because it stores the persistent information, which constitutes most of the information assets of the institution. We present here some ideas on how to make sure that the database system has the same level of security than the rest of the secure application.

Patterns combine experience and good practices to develop basic models that can be used for new designs. Security patterns join the extensive knowledge accumulated about security with the structure provided by patterns to provide guidelines for secure system design and evaluation. In addition to their value for new system design, security patterns are useful to evaluate existing systems. They are also useful to compare security standards and to verify that products comply with some standard. A variety of security patterns has been developed for the construction of secure systems and catalogs of them are appearing. However, catalogs of patterns are not enough because the designer does not know when and where to apply them, especially in a large complex system. We discuss here several ways to classify patterns. We show a way to use these classifications through pattern diagrams where a designer can navigate to perform her pattern selection.

Although numbers of software pattern catalogues and languages have been published, little is known about quality of patterns, quality by patterns and quality aspects of pattern activities. This workshop seeks to gain an improved understanding on the theoretical, social, technological and practical issues related to quality aspects of patterns including security and safety. © 2007 IEEE.

This paper discusses the Top SE program established to bridge the industry-academia gap. The program features extensive use of software engineering tools, not only to introduce students to the tools, but also as a conduit for learning the techniques and guidelines needed to apply the tools to practical software development situations. The curriculum is organized around practical problems mainly from the area of digital home appliances and focuses on upper stream software development processes.
The Top SE program is developed and operated by a close collaboration between industry and academia. We illustrate our discussion with examples from one of the courses, Verification of Design Models, which takes up model checking technologies, including three specific tools: SPIN, SMV, and LTSA.

Efforts to realize Web service technology for dynamic integration of distributed components have been started. There is also a proposal for a language that describes the integration flow in a platform-independent form. It is expected that Web service integration will be applied not only to the Internet, but also to various environments such as pervasive networks composed of mobile devices with wireless connections. In the latter case, it is necessary to deal with resource saving problems such as those that arise in a relatively low speed and unstable wireless channel. This study applies the mobile agent technique to the above problem and proposes a mobile agent system for Web service integration. In the proposed system, the physical actions of the mobile agents, that is, migration and cloning, are separated from the integration logic, and are represented as rules to be added to the integration flow description. By this separation, the physical behavior can be added or modified according to environmental conditions without modifying the integration flow. © 2005 Wiley Periodicals, Inc.

This work proposes a novel model where multimedia contents with their related services (business processes and functions) are packaged together as mobile agents. This is intended to enable content providers both to encapsulate their contents and to provide value-added services, for flexible content editing, delivery, and presentation. In addition, agents encapsulating contents/services can contain other agents in themselves (synthesis of agents). A mobile agent compound integrating multiple contents/services can be thus dynamically formed, in which multiple agents work cooperatively and migrate together as a unit. This paper also describes our proposed MAFEH/WS framework for the model. Agents in the model can be developed by incorporating simple parameter settings for synthesis control into business process descriptions in BPEL4WS.

In future ubiquitous environments, contents (data, movie, text, graphics, etc.) will be more sophisticated and context-aware so that they can enrich user experience. We have proposed the Active Contents (AC) framework, which is based on contents encapsulation with program and aspect definition to allow contents to behave actively. AC can be seen as a software component with several viewpoints of contributors (planner, designer, programmer, etc.). The problem is about maintainability of AC which is modified by the contributors based on their own viewpoints.
In this position paper, we propose a mechanism to allow such contributors to modify AC with context-aware aspect. In our mechanism, based on location binding analysis for AC, parallel executions to be performed at a sepaxate location axe detected and automatically executed using workflow-aware communication.

Location-specific data retrieval is an attractive application in a Mobile Ad-hoc Network (MANET). Simple solution for it is that an observer retrieves the data by geocasting from an observer node, but its overhead highly depends on location of the observer and the designated region. We propose a mobile agent approach. A mobile agent migrates from the observer node to a node in the designated region, retrieves data from there, and summarizes, filters, and compresses the retrieved data, This data is sent back to the observer, when the observer request. Since the data is retrieved by the mobile agent located near the data Sources, the data retrieval in the mobile agent approach would involve low overhead, even if the observer is far from the target region or moves around. In the MANET, however, even after the first migration; to stay near data Sources, a mobile agent should migrate to another node in response to node movements.. In this paper, we propose the Geographically Bound Mobile Agent (GBMA) which is a mobile agent that migrates to always be located in a designated region. Moreover, to clarify where the GBMA should be located and when the GBMA starts to migrate, we introduce two geographic zones: required zone and expected zone, Compared with the conventional methods with geocast or with a conventional mobile agent, the GBMA with these zones for retrieving location-specific data can reduce the total number of messages.

In recent years, the rapid development of network infrastructure and the spread of terminals capable of network access have made it possible to access networks at any place and at any time. Ubiquitous information systems, in which necessary information can be accessed easily and safely at any place, are becoming an important issue. It is, however, hard to design such distributed systems when the user uses many kinds of terminals and migrates with these. That is, traditional approaches to development of distributed systems have problems when the systems are used in a ubiquitous environment. This paper proposes a new framework for ubiquitous information systems. The framework includes three kinds of agents: User Interface Agents, Programmable Agents and Service Mediation Agents. We can easily design ubiquitous information systems by ensuring that these agents collaborate. In addition, in cases where distributed systems must be implemented on various networks and terminals, it gives a high degree of flexibility to the systems. We also evaluate the framework's flexibility.

A location-specific data retrieval, which is data retrieval from nodes in a designated region at the time, is an attractive application in a Mobile Ad-hon Network (MANET). However, almost all nodes in a MANET are powered by batteries, the location-specific data retrieval should involve a small number of messages. In this paper, we use a mobile agent to retrieve the location-specific data. A mobile agent migrates to a node in a designated region, and retrieves data from nodes in this region. Since, after migration, the agent can communicate with nodes in the designated region through low overhead short length hops, the mobile agent can retrieve data at low message cost for long periods, even if the owner of this agent moves around. However, even after migrating to node in the designated region, in order to stay near this region, a mobile agent should migrate to other nodes in response to the movement of the node hosting this agent. In this paper, we propose the Geographically Bound Mobile Agent (GBMA) which is a mobile agent that periodically migrates in order to always be located in a designated region. In order to clarify where the GBMA should be located and when the GBMA starts to migrate, two geographic zones are set to the GBMA: required zone and expected zone. The required zone ease tracking of the GBMA, and the expected zone ease adjustment of the GBMA migration timing.

This work proposes a novel model where multimedia contents with their related services (business processes and functions) are packaged together as mobile agents. This is intended to enable content providers both to encapsulate their contents and to provide value-added services, for flexible content editing, delivery, and presentation. In addition, agents encapsulating contents/services can contain other agents in themselves (synthesis of agents). A mobile agent compound integrating multiple contents/services can be thus dynamically formed, in which multiple agents work cooperatively and migrate together as a unit. This paper also describes our proposed MAFEH/WS framework for the model. Agents in the model can be developed by incorporating simple parameter settings for synthesis control into business process descriptions in BPEL4WS. © 2005 IEEE.

Product recommendation system is realized by applying business rules acquired by data maining techniques. Business rules such as demographical patterns of purchase, are able to cover the groups of users that have a tendency to purchase products, but it is difficult to recommend products adaptive to various personal preferences only by utilizing them. In addition to that, it is very costly to gather the large volume of high quality survey data, which is necessary for good recommendation based on personal preference model. A method collecting kansei information automatically without questionnaire survey is required. The constructing personal preference model from less favor data is also necessary, since it is costly for the user to input favor data. In this paper, we propose product recommendation system based on kansei information extracted by text mining and user's preference model constructed by Category-guided Adaptive Modeling, CAM for short. CAM is a feature construction method that can generate new features constructing the space where same labeled examples are close and different labeled examples are far away from some labeled examples. It is possible to construct personal preference model by CAM despite less information of likes and dislikes categories. In the system, retrieval agent gathers the products' specification and user agent manages preference model, user's likes and dislikes. Kansei information of the products is gained by applying text mining technique to the reputation documents about the products on the web site. We carry out some experimental studies to make sure that prefrence model obtained by our method performs effectively.

Pervasive computing is becoming a more important issue for open distributed systems. It is, however, hard to design such distributed systems when the user uses many kinds of terminals and migrates with these. This paper has proposed a new framework for pervasive computing. The framework includes three kinds of agents: User Interface Agents, Programmable Agents, and Service Mediation Agents. We can easily design a flexible distributed system by collaborating these agents. We also evaluate the framework from the flexibility point of view. (C) 2004 Wiley Periodicals, Inc.

As a consequence of the increasing role of computers throughout society, computers, especially mobile devices, are used in diverse situations. Additionally, the computing environment is becoming more changeable. A network application coordinating mobile devices needs to be able to adapt to changes in the environments. In this paper, we propose a new architecture for mobile computing, which uses a mobile agent technology and adapts to changes flexibly. The framework splits the specification of an application into network environments, coordination logic and patterns. Patterns are applied to the coordination logic in order to derive appropriate behaviors automatically.

A methodology which enables a flexible and reusable development of mobile agent application to a mobility aware indoor environment is provided in this study. The methodology is named Workflow-awareness model based on a concept of a pair of mobile agents cooperating to perform a given task. A monolithic mobile agent application with numerous concerns in a mobility aware setting is divided into a master agent (MA) and a shadow agent (SA) according to a type of tasks. The MA executes a main application logic which includes monitoring a user's physical movement and coordinating various services. The SA performs additional tasks depending on environments to aid the MA in achieving efficient execution without losing application logic. "Workflow-awareness (WFA) " means that the SA knows the MA's execution state transition so that the SA can provide a proper task at a proper timing. A prototype implementation of the methodology is done with a practical use of AspectJ. AspectJ is used to automate WFA by weaving communication modules to both MA and SA. Usefulness of this methodology concerning its efficiency and software engineering aspects are analyzed. As for the effectiveness, the overhead of WFA is relatively small to the whole expenditure time. And from the view of the software engineering, WFA is possible to provide a mechanism to deploy one application in various situations.

We propose a system architecture for mobile agents to improve their security in the environments of insecure networks and non-sophisticated terminals such as PDAs. As mobile agents freely migrate onto their favorite terminals through insecure networks or terminals, it is not appropriate for them to store some secret information for authentication and encryption/decryption. We introduce one and more secure nodes(OASIS NODE) for securely generating and verifying authentication codes. The each agent's data are encrypted by a pseudo-chaos cipher mechanism which doesn't need any floating processing co-processor. We've constructed a prototype system on a Java mobile agent framework, “Bee-gent” which implements the proposed authentication and cipher mechanisms, and evaluated their performances and their applicability to business fields such as an auction system by mobile agents. © 2004, The Institute of Electrical Engineers of Japan. All rights reserved.

This paper proposes an authentication architecture for collaboration among agents in a network environment without security assurance. The architecture requires that there should exist at least one secure node (oasis node). The oasis node generates the same number of authentication codes as the number of objects of authentication, using random numbers and agent information, and distributes the codes among the agents. The agents gather at the specified oasis node and obtain verification by the oasis node, based on the distributed random value and the authentication code. In the authentication architecture proposed in this paper, the random number and the authentication code are publicized information which can be compromised by eavesdropping. But the algorithm for generation and verification of the authentication code is not publicized. The architecture is suited for handling authentication processing in ad hoc collaboration among an unspecified number of agents. (C) 2004 Wiley Periodicals, Inc. Electron Comm Jpn Pt 1, 87(5): 11-19, 2004; Published online in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/ ecja.10165.

As mobile computing becomes common, the battery issue of mobile computing devices has become increasingly notable. To this end, research and development of various power-conservation devices and methods are actively taking place. However, the conventional method of extending the battery life through power-conservation can never prevent the unintentional shutdowns of applications due to the dead battery. This research aims to realize the evacuation of applications on a mobile computing device to another device before the battery runs out by creating the application as a mobile agent Particularly, by introducing the concept of the Crisis Management Center dynamic and smooth evacuation of multiple application agents will become possible. This paper explains and verifies the effectiveness of the EASTER (Escape Agent System from dying batTERy), a system developed for the purpose of recovering the applications when a battery is running out through the use of mobile agent system.

The recent innovation of telecommunication and networking technology is enabling easy and flexible distribution of digital multimedia contents. However, such rapid progress has brought about various problems on intellectual properties and security. We are investigating a technique to solve the problem called active contents based on hierarchical structures of mobile agents. The agents work as wrappers of contents and can easily manage the policies for contents distribution. In this paper, we give a formal model of active contents in order to establish rigorous foundations for the active contents technique, especially the system of the policy control mechanisms. Using the model, we can verify if the behaviors of the active contents satisfy the given policies or not. An example of the redistribution prohibition policy illustrates how the verification works.

We propose a fault-tolerant mechanism based on message integrity code (MIC) method for mobile agent authentication under non-secured network environment. We introduce one or more secured nodes (OASIS NODE) and a mobile agent (FT_Agent) having a replica management mechanism. We assume that the candidate agents for authentication are safely stored in an OASIS NODE and a shared secret key is safely distributed to user terminals from the OASIS NODE at the beginning. When the replica agents on user terminals need their authentication, they calculate MIC by using the shared secret key and move themselves having the MIC to the OASIS NODE, which verifies the MIC. The FT_Agents which are also verified by an OASIS NODE are distributed to the each agent and dynamically manage active replicas and passive replicas. By introducing the MIC method and the replica management mechanism, a secured fault-tolerant system suitable for mobile agents under non-secured network environment can be constructed. © 2003, The Institute of Electrical Engineers of Japan. All rights reserved.

Pervasive computing is becoming a more important issue for open distributed systems. It is, however, hard to design such distributed systems when the user uses many kinds of terminals and migrates with these. This paper has proposed a new framework for pervasive computing. The framework includes three kinds of agents: User Interface Agents, Programmable Agents and Service Mediation Agents. We can easily design a flexible distributed system by collaborating these agents. We also evaluate the framework from flexibility point of view. © 2003, The Institute of Electrical Engineers of Japan. All rights reserved.

Interoperability between different systems is becoming a more important issue for open distributed systems. In this paper, we investigate what kind of framework we need for constructing open distributed systems. Firstly, we enumerate the features and functions which the framework should have. We then evaluate a proposed multi-agent framework, Bee-gent, by using a typical example of open distributed systems. Lastly, we show clearly what is required for such a framework.

In view of the proliferation and expansion of wide-area open networks such as the intranets and extra-nets, agent technology is attracting greater attention. However, as yet there is well-established and widely used method of developing safe and secure agent systems. In this paper, we propose a methodology that supports the step-by-step development of mobile agent systems while ensuring consideration of security issues. This approach results in a robust infrastructure for practical system development, and by supporting calculation of various costs allows efficiency and security tradeoffs to be objectively evaluated. © 2001 Springer Berlin Heidelberg.