Review Comment:
The authors propose a hybrid approach for the composition of SOA security patterns, combining model-driven and ontology engineering techniques in a comprehensive framework.
The contribution of the paper lies less in insights about security engineering in service-oriented architectures, but rather in a methodology that may in the future leverage the advantages of two approaches that have largely been developed independently in different research communities. This may facilitate a model-driven approach that relies on both UML models and a semantic model representation in an OWL ontology, using the latter to query suitable patterns for given security requirements as well as formal verification of the constructed compositions. The paper provides a detailed overview of the proposed approach and an illustrative application in the health domain, but falls a bit short in highlighting the benefits of the comprehensive "ontology driven security framework" and methodology that introduces substantial additional modeling effort. This could be improved both in the introduction and in the context of the illustrative application.
The paper is ambitious in what it sets out to do and reports on original and innovative work at the interface of ontology engineering and metamodeling in a security context. It fits well within the scope of the journal and could introduce new ideas on how to combine ontology engineering with model-driven engineering techniques into the Semantic Web community.
Overall, the paper makes a relevant contribution in bridging the gap between model and ontology engineering approaches through a development methodology that combines the strengths of each approach.
However, the goals and contributions should be laid out more clearly (after reading the abstract, it wasn't entirely clear to me what this paper sets out to do).
Critically, the quality of writing and exposition must be improved substantially which requires major revisions throughout the paper before it can be considered for publication (see detailed comments below). Therefore, I recommend that the paper should not be accepted without major revision.
## Suggested structural improvements
Organization of related work could be improved. The paper touches upon and integrates multiple areas, such as SOA security (not really covered in the related work, only on the modelling level), metamodelling, ontologies, formal verification etc. The related work section provides comprehensive pointers for many of these areas, but a little more structure (subsections, named paragraphs or introductory sentences) would make it easier to navigate.
The references provided in the related work section are useful, but parts of it seem a bit like an arbitrary collection without a coherent overarching structure (particularly at the beginning: UMLSec, SecureUML,..). IMO, aiming to list everything that has been done in the "UML/Metamodeling world" related to security seems excessive without an integrative framework that links the cited contributions more directly to the topic of the paper (i.e., SOA security), but this is more a matter of taste. It would help, however, to put the cited references closer into context.
The paper is fairly difficult to read, which is partly due to the quality of writing, but may also be due to the mix of terminology from multiple domains and a lack of conceptual clarity and a somewhat haphazard way in which concepts from the different paradigms are combined.
Finally, the text is partly redundant and a bit verbose in some parts of the paper (e.g., the itemization in the introduction repeats mostly what has already been stated in the preceding paragraph).
## Required corrections
Incomplete/Unintelligible/Not meaningful sentences throughout the paper, e.g., (illustrative rather than exhaustive list):
- p. 1: "Service Oriented Architecture (SOA) is a special form of distributed systems, sharing business logics, data through a programmatic interface across the Internet makes them vulnerable to different security threats."
- p. 1: "To overcome these problems, a good number of software design solutions are available which may reuse available security solutions by using security patterns."
- p. 3: "Developing a metamodel using Meta Object Facility (MOF) for a particular domain, such as SOA security pattern is a difficult task, for defining syntax and semantics of the new entities."
- p. 3: "Formal modeling of the available SOA design patterns need to be required."
- p. 5: "Few of them are not based on ontology, which lack proper semantic notation, interoperability, and scalability."
- p. 6: "A number of solutions are available for the above defined problems occurred in a particular context."
- p.21: "The proposed DL notations represent the formal relation and sensitive axioms for the SOA-based security critical system."
- p.22: "all OWL features can be expressed in SPARQL" -> not clear what you mean by that (what does "expressing features" mean?)
- p.23: "reuse.. the reusability"
All acronyms used - including standard ones - should be properly defined (I may have overlooked the definitions, but it seems that CIM, PIM, and PSM, for instance, are not introduced anywhere)
Other corrections:
- Figure 5: "confirmsTo" -> "conformsTo"? (also in other parts of the paper)
- Introduction: W3C and IETF are not security standards, but organizations (that among many other things, publish security standards).
- p. 3: "ODM and OMG can be differentiated as descriptive and prescriptive models." -- This is highly confusing because it suggests that ODM is descriptive and OMG is prescriptive (whereas actually ODM is a specification published by the OMG).
- missing pronouns throughout the paper (e.g. "An attacker can design threat..." -> "a threat", "using security pattern",...); some unnecessary ones ("In the Table 5" -> "in Table 5")
- p.19 and others: wouldn't it be more accurate to state that an attacker can design an exploit, which results in a threat, rather than "design a threat"
- p.19: "the role of web services is more prominent in web services" -> more prominent than in what?
- the word "considered" is used incorrectly in various parts of the paper (e.g., p.20: "In this ontology ‘wssr' namespace is considered" does not make sense)
- p.23: "Patterns, those have good error detection and correction ability, lower data redundancy, and easy implementation, are useful for the system." -> "Patterns that have good.."; also: what does "for the system" mean?
- some figures (e.g., Figure 11) appear distorted (changed aspect ratio?) and should be fixed.
## Other suggested improvements (style)
A lot of unnecessary weasel words and phrases that add little or no meaning are used. Those should be checked and unless they are necessary be avoided to improve clarity and make the text more concise.
Examples: special, mostly, a good number, already, some, a number of,..
Incorrect gerund constructs in many places:
e.g., "Security standards can be represented as security patterns for making them easier to understand" -> "in order to make them easier to understand".
Parts of Section 3 appear a bit verbose because they merely state literally what is illustrated in the figures, with hardly any actual explanation. The text would be more useful if it discussed motivations for design choices and explained the details rather than just reiterating what is shown in the figures. Also, IMO a running example might help to illustrate the concepts and make the content more accessible.