Petri net-based methods for analyzing structural security in e-commerce business processes

https://doi.org/10.1016/j.future.2018.04.090

Highlights

  • A framework for analyzing structural security in e-commerce business processes.

  • A method of modeling control and data structures for constructing an e-commerce business process.

  • Petri net-based modeling and analysis methods.

Abstract

The rapid development of e-commerce worldwide means that more e-commerce business processes adopt a structure of multiple participants; these include shopper clients, merchants, third-party payment platforms (TPPs), banks, and so on. The result is a distributed and complex system in which communication among these participants relies on web services and Application Programming Interfaces (APIs) such as Cashier-as-a-Service (CaaS). This introduces new security challenges due to complex interactions among multiple participants, and any design flaws in procedure structures may result in serious security issues. We study the structural security issues based on Petri nets, and a framework for analyzing structural security in e-commerce business processes is proposed. Petri net-based modeling and analysis methods are also provided. Given the specifications of e-commerce business processes, the proposed methods can help designers analyze structural security issues of an e-commerce business process.

Introduction

E-commerce has developed significantly in recent years, and more and more business is conducted over the Internet. The daily volume of e-commerce is sizable and continues to grow at a rapid pace. Many e-commerce platforms have sprung up to accelerate this new industry [[1], [2]]. E-commerce systems with multiple participants, including third-party payment platforms (TPPs), e-commerce systems, banks, clients, and other applications, have become the new frontier for conducting business. As distributed applications on the web, e-commerce business processes are more complex and loosely coupled. The participants communicate with each other through web services and APIs such as Cashier-as-a-Service or CaaS [[3], [4]]. The business processes of the different participants together construct the entire process structure. This integration introduces new security challenges due to complex interactions among the APIs of multiple interactive participants. These differ from traditional security issues: the new security challenges do not refer to viruses, Trojans or security protocols [[5], [6]]. The complex structural linkage of control and data flows in e-commerce systems may produce very serious problems, including violation of the transaction properties and losses of user funds. These issues can be defined as structural security. Many structural security cases have appeared over recent years. These include the vulnerability caused by a combination of an open source online shopping system and a TPP [3], the “one yuan gate” event of Taobao in 2011 [7], and MongoDB-based web applications [8].

Business processes of e-commerce systems are the key, and it is difficult to correctly design the business structure. Modern businesses are inherently process-driven, and the security of business processes is increasingly important [[9], [10], [11], [12]]. Most of the existing research around security business processes focuses on the security properties like Access Control and Confidential Information [[9], [10]] in enterprise business processes. Other related studies refer to the process consistency in complex business processes [[11], [12]]. These works are proposed to deal with the inconsistencies among business processes of different departments in a cross-organizational process. However, this research belongs to traditional security issues, and is insufficient to cope with structural security.

Petri nets are a suitable tool to illustrate true concurrency and model distributed systems, and Petri net-based approaches [[13], [14], [15], [16]] have been presented to model and verify correctness and soundness of workflows. A series of works have been done on cooperative systems and inter-organizational workflow based on Petri nets [[17], [18], [19]], and other work has also been conducted on Petri net-based analysis and composition of web services [[20], [21], [22], [23], [24]]. These mainly focus on the soundness and correctness of workflow, cooperative systems, and composition of web services, but fail to consider structural security related to the financial security issues that are related to the funds of legal users.

In order to depict e-commerce business processes of multiple participants at both application-level and design-level and consider financial security issues, a formal model called an e-commerce Business Process Net (EBPN) is proposed [[25], [26]]. Its use enables a designer to identify errors in the design process and correct them before the deployment phase. EBPNs are suitable for modeling and verifying e-commerce business processes, but their usage in structural security remains minimal. As part of our research, we use EBPN to model structural security issues in e-commerce business processes. First, we discuss structural security and propose a framework for the analysis methods. Then, Petri net-based modeling and analysis methods are provided, including behavioral sequence and incidence matrix methods. Given the specifications of e-commerce business processes, the proposed methods can help designers analyze structural security issues of an e-commerce business process.

The remainder of this paper is organized as follows. Section 2 introduces the motivation example. Section 3 discusses the structural security issues. Section 4 presents the basic concepts. Section 5 describes how to model an e-commerce business process and structural properties using EBPN. Section 6 presents the analysis methods. Section 7 concludes this paper.

Section snippets

Motivation example

There is an actual e-commerce business process integrating Interspire and Google Checkout from [1]. For illustrating our method clearly, it is abridged, and we only focus on the most important functions; this is because it is a distributed and complex business process structure. The basic and important business process is shown in Fig. 1. Interspire utilizes several APIs to add/remove items in the shopping cart, which are aggregately denoted by API: Update Cart in the figure. The checkout

Related concepts

Petri nets are a graphical language for modeling and validating concurrent and distributed systems, and allow true concurrency instead of an interleaving-based semantics. Petri nets provide an explicit representation of both states and events and can be understood easily by a graphical representation of modeled systems. They have well-defined formal semantics and a wide range of formal analytical methods. The basic concepts of Petri nets are summarized in [[27], [28], [29]]. In order to

Structural security

Structural security issues are derived from the design of business structures. Hybrid web applications that combine multiple participants into integrated services like e-commerce websites have rapidly developed, and bring in new security concerns. The structural integration of multiple participants introduces new security challenges due to the complexity of an application to coordinate its internal states with those of the component services and web client across the Internet [[3], [4]]. As the

Modeling methods

Here we define control and data structures for constructing an e-commerce business process; these depict the situation in which several APIs or operation events fire one after another. A completed model integrating control and data structures from a global viewpoint is then obtained. The benefit is that it provides different views of a composite business process, which helps designers or users understand and analyze the e-commerce business process.

Definition 11

Suppose that EN1 = (P1, T1; F1, D1, W1, S1,

Analyzing structural security

We analyze structural security in two ways, according to Proposition 1 and Proposition 2. One is the behavioral sequence method, in which illegal behavior sequences are constructed and executed to verify the structural security of an e-commerce business process; the other is the state analysis method, in which an illegal state is constructed and analyzed using a three-dimensional incidence matrix.
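The two checks described above, as an added illustration that is not code from the paper: a constructed ordinary place/transition net with hypothetical place and transition names stands in for an EBPN. It uses a plain two-dimensional incidence matrix and explicit state-space search rather than the paper's three-dimensional incidence matrix.

```python
from collections import deque

# Constructed toy net, not the paper's EBPN; all names are hypothetical.
PLACES = ["cart", "order_pending", "pay_requested", "funds_received", "order_paid"]
TRANS = ["place_order", "tpp_confirm", "finish_order"]
M0 = (1, 0, 0, 0, 0)  # initial marking: one open cart

def build(flawed):
    """Return (pre, C): input arc weights and incidence matrix C[p][t] = post - pre."""
    pre = {"place_order": {"cart": 1},
           "tpp_confirm": {"pay_requested": 1},
           # Sound design: the merchant needs the TPP's confirmation token.
           "finish_order": {"order_pending": 1, "funds_received": 1}}
    if flawed:  # structural flaw: confirmation is not required to finish the order
        pre["finish_order"] = {"order_pending": 1}
    post = {"place_order": {"order_pending": 1, "pay_requested": 1},
            "tpp_confirm": {"funds_received": 1},
            "finish_order": {"order_paid": 1}}
    C = [[post[t].get(p, 0) - pre[t].get(p, 0) for t in TRANS] for p in PLACES]
    return pre, C

def fire(m, t, pre, C):
    """Return the successor marking m + C[:, t], or None if t is not enabled in m."""
    if any(m[i] < pre[t].get(p, 0) for i, p in enumerate(PLACES)):
        return None
    j = TRANS.index(t)
    return tuple(m[i] + C[i][j] for i in range(len(PLACES)))

def run_sequence(seq, flawed):
    """Behavioral sequence check: final marking, or None if the sequence blocks."""
    pre, C = build(flawed)
    m = M0
    for t in seq:
        m = fire(m, t, pre, C)
        if m is None:
            return None
    return m

def illegal_reachable(flawed):
    """State check: can order_paid be marked while the payment request is still open?"""
    pre, C = build(flawed)
    paid, req = PLACES.index("order_paid"), PLACES.index("pay_requested")
    seen, queue = {M0}, deque([M0])
    while queue:
        m = queue.popleft()
        if m[paid] and m[req]:
            return True
        for t in TRANS:
            n = fire(m, t, pre, C)
            if n is not None and n not in seen:
                seen.add(n)
                queue.append(n)
    return False
```

In the sound design the illegal sequence `place_order, finish_order` blocks and the illegal marking is unreachable; in the flawed design both checks flag the process before deployment.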

Conclusions

The rapid development of e-commerce has given rise to structural security issues in business processes. Based on EBPN, this paper discusses the concept of structural security and proposes a modeling method that fuses control and data structures. We propose two analysis methods to determine the structural security of e-commerce business processes. However, the question of analysis methods in this area is still largely open. Even with the deployment of the proposed methods, there is still ample

Acknowledgments

This paper is in part supported by the National Natural Science Foundation of China under grant 61602289, by the Fundamental Research Funds for the Central Universities of China under grants GK201803081 and GK201801004, by the Natural Science Basic Research Plan in Shaanxi Province of China under grant 2016JQ6056, by Oversea Scholarship Program of Shaanxi Normal University and National scholarship Funds of China, by the National Natural Science Foundation of China under grants 11372167, 61340003

Wangyang Yu received the M.S. degree from Shandong University of Science and Technology, Qingdao, China, in 2009, and Ph.D. degree from Tongji University, Shanghai, China, in 2014. He is currently an Associated Professor with the College of Computer Science, Shaanxi Normal University, Xi’an, China. His research interests include the theory of Petri nets, formal methods in software engineering and trustworthy software.

References (29)

  • W.M.P. van der Aalst, Ensuring correctness during process configuration via partner synthesis, Inf. Syst. (2012)
  • Y.Y. Du, Modeling and monitoring of e-commerce workflows, Inform. Sci. (2009)
  • CNNIC, China Internet development statistics report, China Internet Network Inform. Center, Beijing, China, Jan....
  • iResearch: 2016 Q3 e-commerce market core data. 2016. Available:...
  • R. Wang, S. Chen, X.F. Wang, S. Qadeer, How to shop for free online-Security analysis of cashier-as-a-service based web...
  • D. Hirschberger, et al., Bachelor thesis cashier-as-a-service based webshops overview and steps towards security...
  • K. Bhargavan, et al., Modular verification of security protocol code by typing, in: Proceedings of the 37th annual ACM...
  • A. Sudhodanan, et al., Attack patterns for black-box security testing of multi-party web applications, in: NDSS,...
  • One yuan gate event of Taobao [Online]. 2012, Feb. 21. Available:...
  • S. Wen, Lom: Discovering logic flaws within mongodb-based web applications, Int. J. Autom. Comput. (2017)
  • A.D. Brucker, I. Hang, Secure and compliant implementation of business process-driven systems, in: Business Process...
  • A. Lehmann, N. Lohmann, Modeling wizard for confidential business processes, in: Business Process Management Workshops,...
  • D. Knuplesch, et al., Towards compliance of cross-organizational processes and their changes, in: Business Process...
  • B. Depaire, et al., A process deviation analysis framework, in: Business Process Management Workshops, Tallinn,...

    Zhijun Ding received the M.S. degree from Shandong University of Science and Technology, Taian, China, in 2001, and Ph.D. degree from Tongji University, Shanghai, China, in 2007. Now he is an Associate Professor of the Department of Computer Science and Technology, Tongji University. His research interests are in formal engineering, Petri nets, services computing, and workflows. He has published more than 60 papers in domestic and international academic journals and conference proceedings.

    Lu Liu is the Head of the Department of Electronics, Computing and Mathematics in the University of Derby and adjunct professor in the School of Computer Science and Communication Engineering at Jiangsu University. Prof. Liu received his Ph.D. degree from University of Surrey. He is the Fellow of British Computer Society and Member of IEEE. Prof. Liu’s research interests are in areas of Cloud Computing, Social Computing, Service-oriented Computing and Peer-to-Peer Computing.

    Xiaoming Wang received his Ph.D. degree in computer theory and software from Northwest University, Xian, P.R. China, in 2005. He is currently a professor in Shaanxi Normal University, Xian, China. His current research interests include network security, pervasive computing, wireless sensor network, and opportunistic networks. Prof. Wang has authored and coauthored more than 40 publications in journal, books and international conference proceedings.

    Richard David Crossley received a B.A. in English Literature from the University of Lancaster (2002) and an M.Sc. in Information Technology from the University of Derby (2014). He is currently pursuing a Ph.D. in Optimization in High Performance Computing to achieve maximum resource efficiency at the University of Derby, sponsored by Rolls-Royce PLC and the university.
