Trustworthiness Monitoring and Prediction ofComposite Services

Hisain Elshaafi, Jimmy McGibney and Dmitri BotvichTelecommunications Software & Systems Group

Waterford Institute of Technology, Waterford, IrelandEmail: helshaafi, jmcgibney, dbotvich@tssg.org

Abstract—This paper presents an approach to monitoring andpredicting the trustworthiness of services that are assembledfrom component services. In service compositions the numberof component services that need to be aggregated may be largeand dynamically changing. Additionally, the component servicesmay vary in their importance to the value of the composite serviceand in their trustworthiness and resource capacity. Servicecompositions require the capability to dynamically adapt tochanges that may occur at runtime. Those changes can occurin supply and demand, in the environment or in the componentservices’ properties and behaviour. Service composers need to beable to respond swiftly to changed trustworthiness requirementsand capabilities of service compositions, where those changes maynot be easily predictable. With the availability of alternativesproviding the same functionality as those already integrated ina composition, service composers can take advantage of this byreplacing degrading or unsatisfactory components.

I. INTRODUCTION

Service Oriented Architecture (SOA) and Services Comput-ing are increasingly popular, with increased attention fromindustry. A key concept is that services can be dynamicallyor statically composed to create new services. Services aredescribed, published, discovered, and assembled, providingdistributed business processes. The paradigm enables flexibleuse of resources for optimising operations within and acrossorganisations. Service composition assembles multiple basicservices into a single value-added combined service. Theresulting service may be used directly by a service consumeror recursively incorporated in further compositions. Dynamicservice composition is performed automatically at runtime ascompared to static development-time composition.

For a composite service (CS) to be trustworthy for utilisationby its target consumers, and for services to be able to trust andrely on other possibly unknown services, service compositiontechniques must be able to identify which component servicesare trustworthy. The composition techniques also must beable to maintain the most trustworthy and cost efficient com-posite service. Maintaining trustworthiness helps consumerconfidence and provides a safe environment for businessesto dynamically interact and carry out transactions. Therefore,addressing trust is essential for the success and adoption ofthe services paradigm.

We define trust as a relationship between two or moreentities that indicates the contextual expectations from anentity towards another in relation to reliance in accomplishinga certain action at a certain quality. Trustworthiness of an

entity is the level of trust that the trusting entity or its agenthas in that entity.

Trustworthy and secure dynamic service compositions re-quire run-time monitoring and adaptation of services. Theadaptations are needed due to changing operational, businessor threat environments or due to changes in service qualitiesand behaviour. Among the challenges to addressing thoseproblems is that the changes may not be easily predictable.Since down-time is costly, a composite service must be ableto operate even during an attack or increased demand, takingrisks and adaptation costs into account. This paper focuses onthose problems with the aim of establishing and maintainingthe trustworthiness of dynamic composite services.

Component services in a composition may vary in theirimportance to the composite service as a whole. For example,in a travel service a user may not appreciate all componentservices to the same extent such as car rental, health insurance,flight booking, etc. Therefore, it is more useful to see thecomposite service as a unit that is composed of unequalsubunits in terms of their contribution to the quality andtrustworthiness of the service. The components may differalso in the probability of their execution in the CS basedon their resource capacity or on other criteria. This paperproposes the mechanisms for monitoring and predicting thetrustworthiness of composite services taking into accounts thevariables discussed above.

The paper is structured as follows: Section II discussesthe function and architecture of the trustworthiness module.Section III explains the mechanisms for the aggregation andcalculation of the trustworthiness of a composite service basedon the service’s composition plan. It also includes calculationof the service costs. The prediction of service trustworthinessbased on its monitoring is examined in section IV. Section Vdescribes experiments using simulations of the trustworthinessmonitoring and dynamic composition and adaptation. Relatedwork is described in section VI and conclusions and futurework are discussed in section VII.

II. TRUSTWORTHINESS MODULE

The Aniketos project [1] includes a trustworthiness module(TWM) which is responsible for runtime monitoring of com-posite service trustworthiness based on a set of mechanismsand metrics to ensure contract compliance. Aniketos is anEU research project that addresses trustworthy and secure

978-1-4673-2713-8/12/$31.00 ©2012 IEEE 000580

service compositions with run-time monitoring and adaptationof services. Monitoring is the process of checking that servicecontracts are fulfilled over time, particularly if changes canoccur to operational or business environments or to internalservice quality and behaviour. Monitoring is also used todetect vulnerabilities and discover attacks on a service, e.g. bymaking use of intrusion detection systems or dynamic testingtools available in the environment.

A service composer is a service provider that is responsi-ble for constructing service compositions and offering themto consumers. A service composer is notified of importantchanges in the trustworthiness of the composite service asa result of one of its components. A component servicethat is below the satisfactory trustworthiness level can bereplaced with another component service offering the samefunctionality but with better trustworthiness. The monetarycost of a composite service as a result of its adaptation isalso determined. The consideration of costs ensures that abalance is maintained between both trustworthiness and costefficiency of the service. The main focus of this work is onthe trustworthiness monitoring and prediction for maintainingtrustworthy composite services.

Figure 1 shows the architecture of the TWM. The trustevents refer to the notifications received by the module fromevent Processing, QoS monitoring, user ratings and othercomponents. Those events include QoS metrics and alertsthat indicate violations or adherence to the service contracts,threats or changes in the environment. In addition to thedirect experience through those events, TWM can exchangerecommendations with other online modules in relation toservice trustworthiness. Incoming events are evaluated by arules engine to generate service ratings. The rules calculatethe rating for the event and add other attributes including theevent timestamp and type. Trust ratings are then stored bythe module and can be used for calculating the overall trust-worthiness level of each service. Context configurations allowcustomisation of the trust context by adjusting the weight-ing of types of trust events e.g. security and performanceevents. Policy configurations allow setting the trustworthinessthresholds and algorithmic constants such as the rating decayrate. The trust engine is responsible for the aggregation oftrustworthiness of a composite service from that of its com-ponents and providing a prediction of the trustworthiness levelof a service. The TWM is implemented in Java as dynamicOSGi service platform [2] sub-modules and uses Drools [3]for implementing the rating rules. This architecture allows thesubstitution of the sub-modules dynamically as in the casewhere alternative algorithms are required or configurations forthe policy and context need to be changed.

III. TRUSTWORTHINESS OF A SERVICE COMPOSITION

We model the trustworthiness level Tcs of a composite ser-vice in general as a function g of the trustworthiness of itscomponents:

Tcs = g (T1, T2, ..., Tm) (1)

Fig. 1. Trustworthiness Module (TWM)

However, the calculation of the trustworthiness level dependson the trustworthiness properties and the structure of the busi-ness process. The selection of component services statically(during design time) or dynamically is based on the predictedtrustworthiness level of the composite service. The trustwor-thiness properties include a set of properties that are usedto determine the overall trustworthiness level. In this paperwe consider reputation, reliability, and security properties.Reputation is the information available about a service fromuser ratings that can be used to determine its trustworthiness.Reliability refers to the percentage of successful execution ofa service within a time limit. Security properties may include anumber of properties such as confidentiality, non-repudiation,authentication, and encryption. A security property sv for aservice v is a boolean sv ∈ 0, 1 with 1 representing thefulfilment of the property and 0 for its non-fulfilment. Forother trustworthiness properties the value may be scalar as inreputation p and reliability r where 0 ≤ p, r ≤ 1.

Selected services are executed in a business process. Theprocess is viewed externally as the composite service. Thecalculation of the trustworthiness of the CS depends on theway the abstract service is constructed. It also depends on theprobability of execution and the importance of the componentservices in the composition as in the travel service exampledescribed in section I. The probability of execution of acomponent service may be based on the characteristics orinterdependence of component services in the process orlimited supply of the component service. For example in anemergency composite service a fire or ambulance service maybe required in a certain percentage of executions. An exampleof limited capacity is where a certain car rental service is mosttrustworthy but has limited supply. In that case more demandrequires additional supply from other possibly less trustworthycar rental service providers.

A. Service Composition Constructs

Component services may be invoked in a business process inone or more path constructs such as the following basic andcommonly supported constructs (illustrated in Table I):

• Sequence: Services are invoked one after another.• Parallel with Synchronisation (AND split/AND join): Two

or more services are invoked in parallel and their outcome

978-1-4673-2713-8/12/$31.00 ©2012 IEEE 000581

is synchronised. All services must be executed success-fully for the next task (service) to be executed.

• Loop or Iteration: A service is invoked in a loop until acondition is met. We assume that the number of iterationsor its average is known at the time of composition.

• Exclusive Choice (XOR Split/XOR join): A service isinvoked instead of others if a condition is met. Weassume that the likelihood of each alternative service tobe invoked is known at the time of composition.

• Discriminator (AND split/OR join): Two or more servicesare executed in parallel but no synchronisation of theoutcome of their execution.

• Multi-choice with Multi-merge(OR split/OR join): Mul-tiple services may be executed in parallel. Subsequentservices can be executed when at least one of the multipleservices is completed.

• Unordered Sequence: Multiple services are executed se-quentially but arbitrarily.

We use θ to denote a service construct in a composition.The above constructs and several other possible patterns aresupported by modelling languages and products to varyingdegrees. The constructs are investigated in other works suchas Workflow Patterns Initiative [4].

B. Unequal Weighting of Components

Each component v in a composition has a weight wv basedon its importance in the composition wv ∈ w1, ..., wlwhere wv ≥ 0 and l is the number of component servicesexcluding alternatives in exclusive choice constructs (as will bejustified shortly). If the weights are normalised for a particularcomposition as:

wv∑li=1 wi

then we can represent the weight proportion of v (βv) asfollows:

βv =wv∑li=1 wi

· l (2)

We consider components in an exclusive choice constructas a single unit in terms of their weight proportion βθ andits calculation, where θ is the service construct. For example,consider the case where a requirement may be satisfied byonly one of two services v1, v2 and the trustworthinessof v1 is more than that of v2 but its capacity is limitedto a certain quantity. When v1 becomes fully in use, v2 isinvoked. Therefore, a common weighting value is used. Fora composition with m components and x exclusive choiceconstructs:

l = m− (nx − x)

where nx is total number of components in the x exclusivechoice constructs.

The weighting of the components is used in the calculationof the CS reputation, such as in the case of a sequenceconstruct:

pθ =n∏i=1

piβi (3)

where βi is the weight proportion of the ith component servicein a sequence construct with n components, 0 ≤ βi ≤ l and∑li=1 βi = l.

C. Aggregation of Trustworthiness and Cost

1) Aggregation of Reputation, Reliability and Cost: TableI shows our functions for calculating the reputation pθ, reli-ability rθ and cost cθ per service construct. These propertiesrequire the following approaches for their aggregation:

(i) Sequence, Parallel and Unordered Sequence: The repu-tation and reliability are calculated as a product of thatof constituent services with the weighting consideredin the case of reputation as in equation (3). In caseof reliability a failure of a component means failureof subsequent dependent components. This is unlikesome other types of constructs (e.g. discriminator) wheresubsequent components may be partially independentof the failure of the construct components and can beexecuted as long as a minimum set of componentssucceeds. The cost of those constructs is the sum ofthe cost of their components.

(ii) Loop: The reputation, reliability and cost of a loopconstruct containing n iterations of a service v is thesame as a sequence construct of n copies of v i.e.rθ = (ri)

n, etc.(iii) Exclusive Choice: Each service v among the alternative

services in the exclusive choice construct has a proba-bility ρ that it will be executed and

∑ni=1 ρi = 1. The

aggregation of trustworthiness and cost in the exclusivechoice is the sum of that of each component servicemultiplied by its probability.

(iv) Discriminator: Since a discriminator construct only failsif all constituent services fail, its reliability is as follows:

rθ = 1−n∏i=1

(1− ri) (4)

However since all component services are executed, thereputation takes all services into consideration as inequation (3) and similarly the cost in this case is thesum of the cost of all components.

(v) Multichoice with Multimerge: In this construct each non-exclusive service v is associated with a probability ρ thatit will be executed. Note that in this case

∑ni=1 ρi ≥ 1

due to the non-exclusiveness. The calculation of reliabil-ity and cost in multichoice multimerge case is similar tothat in the discriminator construct. The reputation con-siders both the probability of execution and weightingof the component services:

pθ =n∏i=1

piρi·βi (5)

2) Aggregation of Security Properties: For security prop-erties, the level of security for a property in a compositionfollows the weakest link approach. Therefore, we calculatethe score for a property σ for a CS with m components as:

978-1-4673-2713-8/12/$31.00 ©2012 IEEE 000582

TABLE IAGGREGATION OF TRUSTWORTHINESS & COST PER PROCESS CONSTRUCT

Construct Reputation (pθ) Reliability (rθ) Cost (cθ)n∏i=1

pβii

n∏i=1

ri

n∑i=1

ci

pin·βi ri

n n · ci

(n∑i=1

(ρi · pi))βθn∑i=1

(ρi · ri)n∑i=1

(ρi · ci)

n∏i=1

pβii 1−

n∏i=1

(1− ri)n∑i=1

ci

n∏i=1

pρi·βii 1−

n∏i=1

(1− ri)n∑i=1

(ρi · ci)

σ =m

mini=1

σi (6)

The level of security for the composition based on b securityproperties where each property σ has a weighting γ (γ ≥ 0)is calculated as follows:

scs = 1− e−∑b

k=1(γk·σk) (7)

This means the bigger γ value the more the property’s changeaffects the security level and consequently the trustworthiness.The sum

∑bk=1 γk should be set at a value that compositions

satisfying all security properties result in a security level scs ≈1. A threshold for the minimum allowed security level e.g.scs ≥ 0.95 is also set. The description of how scs is aggregatedwith other trustworthiness properties is in section IV.

IV. TRUSTWORTHINESS PREDICTION OF A SERVICE

Here we propose an algorithm that is more efficient than thoseproposed for multiagent systems in REGRET [6] and FIRE [7]since there is no need to recursively run through all the ratingswith each new rating received. In this algorithm, the reputationis determined using moving averages that are updated withevery new rating. Older ratings reduce in value over time.The comparison with those algorithms is further discussed inthe evaluation.

The reputation pv is determined by two values; the reputa-tion score uv for service v, 0 ≤ uv ≤ 1 and the confidencefv in the score and 0 ≤ fv ≤ 1. Both of the two values (i.e.reputation and confidence scores) are important in indicatingthe status of a composite and component services. Reductionof the reputation score signifies receiving consistent bad rat-ings of the service while reduction in confidence indicateseither low number of ratings received recently or significantfluctuations in the rating scores. Those fluctuations may forexample indicate that a service is not scalable enough to meetdemands during peak times. We calculate the reputation scoreuv as a dynamically weighted moving average of the service’s

rating scores. When a new rating is received the reputationscore is updated.

First we update the total weight of all received ratings.The weighting is based on the recency wt and the categoryof the ratings wg . Recency weight indicates how recent arethe ratings received for the service. The more recent theratings the higher the weight since future ratings are morelikely to be close to the latest ratings. Reputation ratings ofa service can be classified into a set of categories or typeswith different weights depending on the way they are gathered.Examples of types of user ratings may include feedback onsatisfaction, value, speed, etc. A service composer might notvalue those categories equally and hence the customisablecategory weighting.

Recency weight wt decays exponentially and 0 ≤ wt ≤ 1,as follows:

wt = e−λ·∆t (8)

where λ is the decay constant, a customisable positive numberthat controls the rate of decay; and ∆t is the age of the ratingi.e. the difference between the current time and the time whenthe rating took place.

The accumulated weight of the reputation score wv (wv >0) is updated as follows:

wv = wv · wt + wa (9)

where wa is weight of the new rating a calculated as follows:

wa = wta · wga · Ωwhere wta and wga are the recency weight and category weightfor the rating a; and Ω is the credibility value of the raterwhich is used to protect from malicious raters. For a ratingthat is generated at the time of calculation i.e. ∆t = 0 andwa = wga · Ω, the new accumulated weight:

wv = wv · wt + wga · Ω

978-1-4673-2713-8/12/$31.00 ©2012 IEEE 000583

To facilitate the recalculation of the trustworthiness levelwhen new ratings are received, the values of wv and uv arestored after each update. The following is the formula forupdating uv after receiving a new rating.

uv =(wv − wa) · uv + wa · a

wv(10)

Since confidence reflects both the frequency of receivingnew ratings and the stability of their values as described earlier,we calculate the confidence value of service v, fv as:

fv = fη · fδ (11)

We call fη the rating quantity confidence indicating howfrequent new ratings are received; and fδ the rating qualityconfidence which indicates the stability of the ratings values.The more frequent and stable the ratings the more the con-fidence i.e. certainty in relation to the calculated reputationscore. fη is calculated as follows:

fη = 1− e−α·wv (12)

where α is a constant parameter that can be used to adjustthe slope of the relationship between the sum of the ratings’weights and the quantity confidence. The higher the value of αthe faster the full confidence (i.e. 1) is reached. It can be setto any positive value but for gradual increase in confidenceit should typically be set to a value between 0 and 1. Theconfidence increases in proportion to the number of ratingsand to the degree of their recency.

The quality confidence fδ is calculated as follows:

fδ = 1− dv (13)

where dv is the deviation history of the ratings around thereputation score, calculated as in equation (14):

dv =(wv − wa) · dv + wa · |uv − a|

wv(14)

To help update the reputation when new ratings are received,the value of dv is stored after each update. |uv − aa| is theabsolute difference between the overall reputation score andindividual rating score. fδ indicates the deviation of the ratingsaround the overall reputation score and ranges between 0(highest deviations) and 1 (lowest deviations).

A. Optimal Service Composition

For optimal selection of a component service for servicecompositions, we use the following formula:

max

(τ · Tcs +

ς

Ccs

)(15)

where Ccs is the cost of the CS and Tcs is a representationof the trustworthiness calculated from security, reliability andreputation’s score and confidence as in equation (16) omittingthe cs subscript for all variables. τ and ς are constants used tonormalise the values of trustworthiness and cost respectivelyand to customise their priority.

T = (u · f) · r · s (16)

To optimise service selection allowing to choose among the

best component services as per the computation techniquesdescribed in this paper, an optimisation solutions is needed.Since the trustworthiness levels and costs of component ser-vices have discrete values and because of the non-linearity ofthose attributes, linear programming and other solutions thatrequire continuous variables and/or linearity are not suitable.Additionally, the number of services to select from may belarge making heuristic methods a better option to provide fastand good results. Genetic algorithms (GA) are well-suited tothese kinds of problems. A custom GA is required to suit thecharacteristics of the problem of service composition.

Fig. 2. GA Genome

V. SIMULATION AND EVALUATION

A. Description of the GA

We developed a custom GA in MATLAB in which thefitness function uses equations (15) and (16) together withthe aggregation techniques that depend on the structure of theservice composition. As illustrated in Figure 2 the genome isrepresented by a binary matrix where each row represents anordered set of (concrete) services belonging to a single servicetype (abstract service). A selected service is represented by1 and an unselected by 0. Therefore, each row must haveonly single 1 as only one service can be selected from eachtype to become a component of the composite service. Eachtype (row in the representation) is associated with a constructin the composite service and with a weighting value. Sincethe number of available services may be different for eachtype, the number of columns in a matrix equals the number ofservices in the largest set of a service type S where we havem service types i.e.

mmaxi=1

(size(Si)). Empty elements are filledwith Not-a-Number (NaN).

A set of matrices (using MATLAB cell array) are createdas an initial population. The custom crossover function takes

Fig. 3. Scores by Fitness Function

978-1-4673-2713-8/12/$31.00 ©2012 IEEE 000584

Fig. 4. Example Composite Service Demonstrating Discussed Constructs

Fig. 5. Comparison of Approaches in Trustworthiness Aggregation

the parents as cell arrays, and returns the children that resultfrom a two-point crossover by exchanging randomly selectedsections in the parents’ matrices. The custom mutation func-tion randomly selects two elements in a row of a parent andswaps their values. Since all elements but one are set to 0, themutation may have an effect only if the value of one of theaffected elements equals 1. The number of generations canbe fixed to a constant number or set to be proportionate tothe number of service types and number of services. Figure3 shows the improvement of the score of best compositionover 50 generations for a simulation of services. Note that theproblem is converted to a minimisation one. In the simulationthere are 10 types of services organised in constructs asillustrated in Figure 4 with each type having between 5 and 10concrete services. The cost and trustworthiness of the servicesare randomly assigned.

B. Comparison to Other Approaches

Figure 4 illustrates an example composite service used in thesimulation that includes the composition constructs discussedearlier. Simulation services continue to receive new ratingsover the duration of their runtime. The arrival time for servicerequests is based on Poisson distribution and the mean for therequests changes over time peaking towards the end. Ratingsare created based on service executions results and their valuesvary between services, the time of the rating and whetherthere is an increased demand. The high demand is set to causeconsistent low performance (resulting in mainly low reputationscore) or fluctuations in performance (resulting mainly in lowreputation confidence) in some of the services. A Gaussianrandom number generator is used to generate new ratingswhere the mean and the variance depend on the componentservice, its type (functionality), and the time of rating (e.g.high demand).

During the simulations each of the services receives a ratingfor each request. The ratings trigger the update and checkingof the trustworthiness of the composite service. Figure 5 shows

the evaluation of the trustworthiness of the services using ourapproach compared to that using other approaches including:

• averaging of the reputation of components as proposedin [15].

• taking the minimum reputation of the components as thereputation of the composite service based on the weakestlink concept where the reputation of the composition is asgood as that of its component with the lowest reputation.

Fig. 6. Processing Time in msec for FIRE and Our Algorithm

In Figure 5 (A) only three out of ten component servicessignificantly decrease in their trustworthiness during the peaktime. Despite the low reputation of three component servicesthe reputation using the averaging technique still high. The

Fig. 7. Effect of Processing Time on Trustworthiness Calculations

978-1-4673-2713-8/12/$31.00 ©2012 IEEE 000585

Fig. 8. Effect of Reliability Drop on Constructs

weakest link technique only shows the lowest trustworthinesscomponent but does not reflect information on other com-ponents with weak reputation while our approach maintainsbetter view of the state of the CS. In Figure 5 (B) all compo-nent services’ trustworthiness levels decline significantly. Theweakest link technique estimates the trustworthiness of the CSaround the same value as in previous case despite the declineof trustworthiness of all component services. The averagingtechnique also does not reflect the low reputation of everycomponent service. The trustworthiness based on our approachfall to a very low level indicating the low trustworthiness ofthe composition.

FIRE [7] is a widely cited trust management model andalgorithm for the assessment of the trustworthiness of agentsin open multiagent systems. FIRE extends REGRET systemdeveloped by Sabater [6]. Unlike our approach of using amoving average, FIRE algorithm recursively runs through allthe ratings with each new rating received. This results in anincreasing delay in responding to requests for trustworthinessevaluation as ratings increase in quantity. Figure 6 comparesthe processing times of new ratings required by the algorithmdescribed in this paper and that of FIRE. The figure clearlyshows our algorithm is considerably more efficient as thenumber of ratings available for assessment increases. Notethat re-assessment of all ratings may be required after someconfiguration changes such as those that modify the weightingof reputation subcategories. The delay in processing timehas an effect on the trustworthiness evaluation because ofthe role of time in the computations. Figure 7 compares thetrustworthiness evaluations when (A) our prediction algorithmis used and (B) with FIRE algorithm during the time intervalbetween 100 and 200 msec. Although the trustworthinesslevels are close they are not exactly the same because of theprocessing delay in case (B).

C. Effect of Changes in Trustworthiness in Constructs

The trustworthiness of a CS may be affected differently bychanges in trustworthiness of its components if they are part ofconstructs requiring different approaches for the calculation.For example, as illustrated in Figure 8 (A) a moderate declinein the reliability of a component service executed in a loop re-sults in a significant decline. In this experiment v1 is executedthree times in the CS. Also note that in this case reliabilityvalues are more significant than cost of a component service

because of the exponential effect of changes in reliability. Inthe case of exclusive choice construct the trustworthiness of aCS is only partially affected by decline of the trustworthinessof one of the construct services depending on its probabilityof execution (see Figure 8 (B)). All three component serviceshave equal probability (331

3%). In a discriminator constructv1, v2, v3 as in Figure 8 (C). This decline does not affect theCS as the calculation method suggests as long as other servicesin the construct maintain their reliability. The reliability of theCS here is less than that of component services because ofother sequence component services in the CS. Worthy of noticein this construct is that reputation and cost of a component playmore significant role than its reliability since the reputation isthe product and the cost is the sum of the respective values ofthe component services.

VI. RELATED WORK

In the past decade there has been large amount of activityin the area of computational trust and reputation, with applica-tions in security, multi-agent systems, game theory, and spamfiltering [5]–[9]. The terms trust and trust models are also usedin Web service standards (e.g. WS-Trust [10]) but they arelimited to the context of being able to trust the identity of theservice [11]. However, establishing a service’s identity doesnot mean that the service itself is trustworthy. For instance,such an authenticated service could be temporarily unreliableor unavailable.

There is also work on trust and reputation specific to theservices domain. In [12] the authors present an agent basedtrust model for service reputation that enables rating of indi-vidual services as well as providers. The model has shortfalls,such as the need for human intervention. A framework forreputation based service selection is proposed in [13]. Serviceconsumers submit their ratings to a Reputation ManagerService which computes the service’s reputation based onthose ratings. Singh [8] discusses the challenges of trustworthyservice composition. He states that current approaches fail toadequately address the challenges for trust in service orientedcomputing. Techniques of aggregation of QoS were describedby Hwang et al [15] together with reputation where averagingof reputation of the components was proposed as discussedin section V-B. No techniques were discussed on aggregatingsecurity properties. In [14] the authors introduce a frameworkfor establishing trust in service oriented environments named

978-1-4673-2713-8/12/$31.00 ©2012 IEEE 000586

RATEWeb. The framework operates by aggregating reputationratings from consumers in a P2P fashion. It aims to supportthe use of trust in service selection and composition. However,unlike the work described in this paper, it does not considerthe computation of trustworthiness in a composite service. Italso does not provide mechanisms for responding to dynamicchanges in the environment that for instance may affect aservice’s trustworthiness.

VII. CONCLUSION

This paper has presented an approach to monitoring and pre-dicting the trustworthiness of composite services. The dynamicplugin-based trustworthiness module continuously monitorsthe adherence of the services to their contracts and receivesratings, metrics and alerts relating to the reputation, QoS,security and other events. Service ratings are generated usinga rules engine and stored in the module’s trust ratings’ store.The calculation of trustworthiness and cost depends on theconstruction of the composite service.

Ongoing and future work includes the development of noveloptimisation mechanisms for dynamic service composition andadaptation to provide robust algorithms that take into accountmultiple objectives including trustworthiness, cost and pricing.Another area under development is the use of access controland resource management techniques to manage and maintainthe trustworthiness of composite services.Acknowledgement: The research leading to these results hasreceived funding from the European Union Seventh Frame-work Programme (FP7/2007-2013) under grant no 257930(Aniketos) [1].

REFERENCES

[1] Aniketos (Secure and Trustworthy Composite Services), http://www.aniketos.eu

[2] OSGi Alliance Specifications, http://www.osgi.org/Specifications[3] Drools - The Business Logic integration Platform, http://www.jboss.org/

drools[4] Workflow Patterns Initiative, http://www.workflowpatterns.com[5] L. Xiong, L. Liu, PeerTrust: Supporting Reputation-Based Trust for Peer-

to-Peer Electronic Communities, IEEE Transactions on Knowledge andData Engineering v.16 n.7 p.843-857, 2004

[6] J Sabater, Trust and reputation for agent societies, Departamentd’Informatica, Universitat Autonoma de Barcelona (UAB), 2002

[7] T. Huynh, N. Jennings, N. Shadbolt, An integrated trust and reputationmodel for open multi-agent systems, J. of Autonomous Agents and Multi-Agent Systems, v.13 n.2 p.119-154, 2006

[8] M. Singh, Trustworthy Service Composition: Challenges and ResearchQuestions, Proc. Conf. on AAMAS, Workshop on Deception, Fraud andTrust in Agent Societies, 2002

[9] J. McGibney, D. Botvich, A Trust Overlay Architecture and Protocol forEnhanced Protection against Spam, Proc. 2nd Int. Conf. on Availability,Reliability, and Security, 2007

[10] WS-Trust specification document, http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/ws-trust.html, Feb. 2009

[11] A. Singhal, T. Wingrad, K. Scarfone, NIST Guide to Secure WebServices, National Institute of Standards and Technology, 2007

[12] E. Maximilien, M. Singh, Agent-based trust model involving multiplequalities, Proc. 4th Int. Conf. on AAMAS, 2005

[13] S. Majithia, A. Ali, O. Rana, D. Walker, Reputation-Based SemanticService Discovery, Proc. 13th IEEE Int. Workshops on Enabling Tech-nologies: Infrastructures for Collaborative Enterprises, 2004

[14] Z. Malik, A. Bouguettaya, RATEWeb: Reputation Assessment for TrustEstablishment among Web Services, VLDB J., v.18 n.4 p.885-911, 2009

[15] S. Hwang, H. Wang, J. Tang, J. Srivastava, A probabilistic approachto modeling and estimating the QoS of web-services-based workflows,Information Science J., v.177 n.23 p.54845503, 2007

978-1-4673-2713-8/12/$31.00 ©2012 IEEE 000587