=Paper=
{{Paper
|id=Vol-3067/paper14
|storemode=property
|title=From CA-BRS to BPMN: Formal Approach for Modeling Adaptive Security in Cyber-Physical Systems
|pdfUrl=https://ceur-ws.org/Vol-3067/paper14.pdf
|volume=Vol-3067
|authors=Ayoub Bouheroum,Djamel Benmerzoug,Sofiane Mounine Hemam,Faiza Belala
|dblpUrl=https://dblp.org/rec/conf/tacc/BouheroumBHB21
}}
==From CA-BRS to BPMN: Formal Approach for Modeling Adaptive Security in Cyber-Physical Systems ==
https://ceur-ws.org/Vol-3067/paper14.pdf
From CA-BRS to BPMN: Formal Approach for
Modeling Adaptive Security in Cyber-Physical
Systems
Ayoub Bouheroum1 , Djamel Benmerzoug2 , Sofiane Mounine Hemam3 and
Faiza Belala4
1
Khenchela University ICOSI Laboratory, Khenchela Algeria
2
Constantine2 - Abdelhamid Mehri University LIRE Laboratory, Constantine, Algeria
3
Khenchela University ICOSI Laboratory, Khenchela Algeria
4
Constantine2 - Abdelhamid Mehri University LIRE Laboratory, Constantine, Algeria
Abstract
Cyber Physical Systems (CPSs) are emerging systems that offer integrations of computation, networking
and physical processes. Recently, the CPS field has been identified as a key area of research, and CPSs
are expected to play a major role in the design and development of future systems. However, the mutual
coordination and inter-dependence among cyber and physical components come at the price of increased
vulnerability to failures and attacks. Hence, securing a CPS is extremely challenging. In this paper, we
propose a theoretical framework to address the adaptive security in CPSs. First, we specify CPS on the
basis of the CA-BRS (Control Agent and Bigraphical Reactive Systems) formalism, which combine agent
and bigraphical reactive systems to deal with the virtual level (software), the physical level (execution
machines and their environment) and the behavioural level (dynamics) of the CPS. The given formal
model helps in answering several crucial modeling issues in CPS, such as the natural heterogeneity,
the connected dynamics, the interaction between cyber and physical components and meanwhile, the
non-functional properties as security and reliability. Then, this well defined specification of CPS is
translated to BPMN (ISO/CEI 19510 standard of the OMG) in order to bring the formal model closer to
the implementation. An illustrative example of a secure IT department in a smart factory is considered
to consolidate our theoretical approach results.
Keywords
BRS, CPS, Adaptive security, Formal modeling, BPMN4CPS, Smart Factory
1. Introduction
Embedding computing power in a physical environment has provided the functional flexibility
and performance necessary in modern products such as automobiles, aircraft, smart phones, and
more. Thus, product features came to increasingly rely on software and network infrastructure.
Tunisian Algerian Conference on Applied Computing (TACC 2021), December 18–20, 2021, Tabarka, Tunisia
$ ayoub.bouheroum@gmail.com (A. Bouheroum); djamel.benmerzoug@univ-constantine2.dz (D. Benmerzoug);
sofiane.hemam@gmail.com (S. M. Hemam); faiza.belala@univ-constantine2.dz (F. Belala)
https://dbenmerzoug.e-monsite.com/ (D. Benmerzoug)
� 0000-0002-1284-6543 (A. Bouheroum); 0000-0002-6682-2862 (D. Benmerzoug); 0000-0002-9638-8390
(S. M. Hemam); 0000-0002-4563-4061 (F. Belala)
© 2021 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR
Workshop
Proceedings
http://ceur-ws.org
ISSN 1613-0073
CEUR Workshop Proceedings (CEUR-WS.org)
�The latter, helped factor out common hardware, it offered sharing functionality for further inno-
vation. A logical consequence was the need for system integration. More recently, there have
been systems coming online that must perform system integration even after deployment—that
is, during operation. This has given rise to the cyber-physical systems (CPS) paradigm. The CPSs
are defined as the systems which offer integrations of computation, networking, and physical
processes [1, 2, 3]. Some of the defining characteristics of CPS include [4]: 1) Cyber capability in
every physical component, 2) High-degree of automation, 3) Networking at multiple scales, 4)
Integration at multiple temporal and spatial scales and 5) Reorganizing/reconfiguring dynamics.
Software engineering poses specific challenges based on the above characteristics of CPSs,
in today’s networked, interconnected world. It can have a profound impact in this domain, by
defining suitable modeling and specification notations as well as supporting design-time formal
verification. In this paper, we aim to present a methodology supporting the modeling of CPSs
and reasoning about their behavior properties. Indeed, the heterogeneous nature of most CPS
applications necessitates the use of heterogeneous mixtures of computation models. Among
these models, we cite those based on formal semantics like denotational, axiomatic, operational
or a hybrid of these, and those based on Meta-modeling techniques and Meta programmable
tools. In the same thought, our work supports this idea and proposes a correct design approach
of CPS using two known specification models BRS [5] and BPMN [6].
In our previous work, we combined agent technology and BRS to define a new formalism,
called CA-BRS (Control Agent and BRS) [7, 8], dealing with the cyber level (software), the
physical level (execution machines and their environment) and the control/behavioral level
(dynamics) of the Fog systems. The aim of this paper is to show, how this formal model
helps in answering several crucial modeling issues in CPS, such as the natural heterogeneity,
the connected dynamics and the interaction between cyber and physical components. On
the other hand, and in order to remove the gap between the high-level specification and the
actual implementation, the given well defined CPS specification is translated to BPMN4CPS [9],
whereas checking some behavior property, particularly that relating to adaptive security in the
Oil and Gas Refinery smart plant for instance.
The remainder of this paper is organized as follows. Section 2 reviews some related work
on the existing approaches. Section 3 gives a brief overview about BRS. Section 4 explains the
principle of our three-phase approach for modeling CPS and reasoning about their behavior
properties. Section 5 focuses on the description of the central phase of our proposal, it shows
how to define a CA-BRS model dedicated to represent all the possible interactions between
the physical and cyber entities of CPS. A transcription from the proposed formal model to
a BPMN4CPS-based one is explained in Section 6. Finally, conclusion and future work are
presented in Section 7.
2. Related Work
Obviously, a CPS is a “System Of Systems”, where complex and heterogeneous systems interact
in a continuous manner [10]. Hence, computing and communication capabilities are increasingly
embedded into physical spaces, thus blurring the boundary between computational and physical
worlds. To enable seamless integration, the events in physical world need to be reflected in the
�cyber world and the decision taken by the cyber world need to be communicated to the physical
world. To address this need, researchers have proposed several modeling techniques, semantics,
programming tools, for the design and the analysis of CPSs. However, the results remain limited
and there are still many challenges. In this section, we cite without being exhaustive some CPS
modeling approaches in order to position our contribution.
Particularly, in [11] authors survey several recent works in the field of CPSs. They classify
the developmental efforts into different categories, based on whether they deal with the design
and development of CPSs, or address specific issues of CPSs or discuss application of CPSs in
specific domains. They also identified future challenges that need to be addressed before CPSs
can be widely used.
Authors in [12] have defined in general, a CPS Framework representing its environment and
stakeholder concerns, while providing an overview of the CPS Framework analysis methodology
with its core concepts of facets (components of the systems engineering process with associated
activities and artifacts) and aspects (groupings of cross-cutting concerns). Each facet is presented
and understood from its set of activities and artifacts. The activities in turn address aspects and
concerns throughout the CPS development cycle. Despite the inclusiveness of this proposal,
the absence of formal models to represent CPS features poses a problem in the analysis and
specification of their behavior.
An early-stage results of the ongoing SICHTEN 4.0 project was presented in [13], which
reflects the goal of amalgamating existing standards from Industry 4.0, system architecture
and the Semantic Web for developing a novel, multi-level approach for the viewpoint-oriented
engineering of CPS. This work has facilitated the development of support for model-based
engineering and seamless lifecycle management. The great benefit was the possibility of creating
an open marketplace for CPS viewpoints. But, this project does not provide the development of
prototype tools for editing and aligning views and achieving the given idea.
Also, a model for designing and implementing a CPS based on cooperative multi-agent system
(MAS) paradigm was proposed in [14]. The identification of this model requires the use of
design tools and a system architecture that are able to represent and manage the characteristic
aspects of the system under analysis. Their results have been confirmed by the BigMC tool. The
use of BRS through their basic version remains limited in the context of such heterogeneous
and complex systems (CPS).
In [9] authors have introduced a CPS-aware BPMN 2.0 extension to handle CPS process
features, called BPMN4CPS. Their work aim is to enable designers to accurately and efficiently
cater for CPS elements, concepts, and properties when modeling CPS processes. Similarly,
authors of [15] have addressed another BPMN extension that specifically deals with CPS
management. Such an extension is realized as an enrichment of the PyBPMN meta model.
Moreover, in order to obtain significant levels of flexibility and customizability, the proposed
extension is implemented following a profiling-based approach, thus ensuring effectiveness
in case of BP analysis carried out by the use of both simulation and analytical approaches.
Although, BPMN, the de facto standard for business process specification, have proven to be
suitable for formalizing high-level sequences of activities, it does not provide all the required
concepts for specifying and analyzing CPS and their dynamic behavior.
These related works allow gaining insights into the frontiers of CPS, thus their study permits
to propose further design innovations to continuously push these frontiers forward.
� The heterogeneous nature of CPS, their geographic dispersion and the interaction between
their cyber and physical components necessitate use of an extended version of the BRS model
as a formal semantics framework. We consider a specific type of nodes, called Agents, equipped
with their intelligence (mind) nature and relevant reaction rules. Particularly, this computational
model (CA-BRS) will be able to represent virtual level of these systems. On the other hand
and in order to remove the gap between the high-level specification of CPS and their actual
implementation, we propose to translate the CA-BRS based models to BPMN4CPS processes in
order to check and execute them thanks to some existing tools around BPMN as for instance
VBPMN [16], Activiti [17] or BizAgi [18].
3. BRS Overview
According to Robert Milner and co-workers [19], a Bigraphical Reactive System is a graphical
model which emphasizes both locality and connectivity. A BRS comprises a category of bigraphs
and a set of reaction rules that may be applied to rewrite these bigraphs. Structurally, a bigraph
consists of two independent sub-graphs; a place graph expressing usually the physical location
of nodes whereas the link graph represents the mobile connectivity among them. The dynamic
evolution of a system formalized by means of bigraphs is represented by reaction rules. A
reaction rule is a pair of bigraphs, Redex and Reactum, where the Redex bigraph models the
current state of the system and the Reactum represents its next state, after executing the rule.
Formally, a bigraph 𝐵 = (𝑉, 𝐸, 𝑐𝑡𝑟𝑙, 𝐺𝑃 , 𝐺𝐿 ) :< 𝑚, 𝑋 >→< 𝑛, 𝑌 > , has both places
graph 𝐺𝑃 , as a set of rooted tree, and links graph 𝐺𝐿 , as a graph with nodes 𝑉 and edges
𝐸. Consider for instance, the bigraph 𝐵 of Figure 1a, nodes are defined by their names or in
general 𝑣𝑖 , edges are denoted by 𝑒𝑖 . In this case, 𝑉 = {𝑣0 , 𝑣1 , 𝑣2 , 𝑣3 } 𝑎𝑛𝑑 𝐸 = {𝑒0 , 𝑒1 , 𝑒2 }. The
little dot that connects an edge and a node is called a port. In Figure 1a, 𝑣0 node has a port that
connects it to 𝑣1 node by the edge 𝑒2 . A basic signature is assigned to each node 𝑣𝑖 thanks to the
control map ctrl. In our example, the basic signature of the bigraph 𝐵 shown in Figure 1a may
be: 𝐾 = {𝑣0 : 2, 𝑣1 : 3, 𝑣2 : 1, 𝑣3 : 3}. In general, each control of 𝐾 dictates how many ports
the node has, how it behaves dynamically, and which controls are atomic, and which of the
non-atomic controls are active or passive Then, the outgoing and incoming interfaces (𝑛, 𝑚)
of the places graph, respectively represented by its roots and sites, are noted by {0, 1...𝑛 − 1},
they are disjoint from its nodes. 𝑅𝑜𝑜𝑡𝑠(= 𝑛) can be parents of nodes and sites (= 𝑚), but there
is no parent for them; the sites may be the threads of the roots and knots but there is no son
for them. The outgoing and incoming interfaces (𝑋, 𝑌 ) of the link graph are normally sets of
names. Thus, the bigraph noted 𝐵 : (2, {𝑥}) → (3, {𝑦}) represents the bigraph of our example
with 2 roots (regions), three sites and having two possible open links. The bigraph interfaces
purpose is to allow the construction of (more complex) bigraphs from (simpler) bigraphs, and
to consider a bigraph as a substructure of another. Moreover, bigraphs can be also expressed
by term language, for example, the following is the corresponding algebraic expression of the
bigraph given in Figure 1a, 𝑉 0 | 𝑉 1𝑦 .(𝑉 2 | 𝑑1 ) | 𝑑0 ‖ 𝑉 3𝑥 | 𝑑2 . Reader may see [19] for more
details.
�4. Motivation and Principle
CPSs need to coordinate between heterogeneous systems which consist of computing devices
and distributed sensors and actuators. Thus, the central question that this work asks is: How
to define a suitable formal method to support the correct design and implementation of such
new class of engineered systems (CPSs) that are expected to play a major role in the design and
development of future systems?
In recent literature, the term CPS has been defined in several ways and in different contexts,
we identify in this paper two of the most known definitions given by the National Science
Foundation (NSF) and the National Institute of Standards and Technology (NIST). 1) For NSF,
Cyber-physical systems integrate sensing, computation, control and networking into physical
objects and infrastructure, connecting them to the Internet and to each other [20]. 2) For NIST,
Cyber-Physical Systems comprise interacting digital, analog, physical, and human components
engineered for function through integrated physics and logic [21].
Thus, CPS will provide the foundation of our critical infrastructure, form the basis of emerging
and future smart services, and improve our quality of life in many areas [21]. This advance
holds the potential to reshape our world with more responsive, precise, reliable and efficient
systems, enabling a revolution of "smart" devices and systems [20].
Obviously, in order for CPS to function properly, their behavior requires formal model for
specification, verification and implementation. Figure 1b outlines our solution principle, it
identifies three phases: the initialization phase, the formalization phase and the implementation
one.
We begin, in the initialization phase, by giving the essential elements of CPS architecture, we
identify both physical (sensors, actuators, network, etc.) and virtual (application, process, etc.)
elements, according to the standard “ISO/IEC/IEEE 42010: Systems and software engineering-
Architecture Description”. Then, we show how a given CPS will evolve and adapt to preserve
its security property, while giving some execution scenarios of the considered CPS.
In the second phase of our approach, we translate the architectural design of a CPS in a
formal model based on BRS and Agents (CA-BRS [7, 8]), with the objective to gain a better
understanding on how to model and manage the physical and the virtual entities of CPS in one
hand, and their control and interacting during the adaptation of the CPS behavior in response to
unanticipated changes on the other hand. This paper details this work step and shows that the
CPS physical layer is specified using bigraphs and their cyber and control layers are described
with control agents. Thus, agents operate on a physical structure and can observe, control and
migrate in order to fulfill a given execution property. A new form of reaction rules are defined
to support the corresponding two types of evolution over time; physical, which corresponds
to a sequence of bigraphs, and virtual conducted by the agents that move and migrate (cyber
mobility), while considering some material constraints through the "Observations".
Through the third phase, we strongly support the idea that such systems engineering, should
be unified with the engineering of security. Thus, this phase enables verifying some important
properties and requirements in the early stages of design, before implementing the actual system.
We choose to apply successive BRS-BPMN based transformations in order to capture and analyze
run-time behavior of CPS based on its execution traces. Indeed, BPMN is a modeling standard
for business processes with accepted semantics facilitating the interaction between a system
� (a) Bigraph Example
(b) Three-phase approach for CPS correct design
Figure 1: Principle Of Our Approach
engineer and a system modeler. It serves here as a standardized bridge for the gap between the
CPS business process design (BPMN4CPS) and their implementation. This transformational
approach is illustrated with a secure IT department design example in smart factory (the oil
refinery).
5. CA-BRS: Towards a formal model for CPS
Since the BRS introduction, several extensions and refinements have been added to the ordinary
BRS [19], motivating their interests and their application in several practical fields. In this
work, we are based on a generic extension of BRS, calcled CA-BRS (Control Agents & BRS)
[7, 8], which takes advantages of [22, 23, 24] and defines specific nodes called "Control Agents"
endowed with a certain intelligence, allowing them to observe, analyze and execute actions (in
the form of specific reaction rules) on the bigraphs that host them. Indeed, the CPS physical
layer is specified using bigraphs. Their virtual layer is described with a set of control agents.
Thus, agents operate on a physical structure; their state and localization may be changed in
order to fulfill a given execution property. In this section, we refine the definition of CA-BRS in
order to support two types of evolution over time; physical, which corresponds to a sequence of
bigraphs, and virtual conducted by the agents that evolve, move and migrate (cyber mobility),
while considering some material constraints through the "Observations". The formal definition
of our proposed model is illustrated through a CPS example.
5.1. Running Example
The refinery plant example that we consider, processes crude Oil from a well, being located
far from its location, to meet demand, without steadily growing in fuels (Petrol, Kerosene and
Diesel) and exporting other products such as Naphtha and Fuel Oil. The followed cycle to carry
out this type of refining of crude Oil is reported in [25] for interested readers. In this paper, we
�Figure 2: IT Department Architecture
try to continue some of the previous work of the refinery plant modeling, we address specifically
the formalization of its IT department, whilst considering some of the security monitoring
activities. For more simplification, the CPS system example (see Figure 2) is consisting in this
case of the following sets of physical and cyber entities:
1. Physical entities: Security camera, Motion detection sensor, Light, Gate, Alarm, Staff,
RFID reader, RFID card, Personnel (workers/staff who own RFID cards or outsiders who
access the department for some reasons, but they don’t have cards). We note also the
existence of Cloud server and Fog nodes that may process.
2. Virtual entities: Backing camera records, security monitoring Cloud service, Cloud refin-
ery plant, etc. and also other services to analyze and connect entities.
For experimental reasons, we consider an adaptive security system that aims to protect
valuable assets in the face of changes in the IT department. This will be done by monitoring and
analyzing its physical entities, and deploying security functions (may be in the Fog or Cloud
regions) that satisfy some protection requirements (security, privacy, or forensic). The detection
of a possible undesired topological change (such as a staff possessing a safe’s RFID card entering
the room, where the RFID reader is located) may lead to the decision to deploy a particular
security control to protect the relevant asset. By monitoring changes in this system at runtime,
one can identify new or changing threats and attacks, and deploy adequate security controls
accordingly. In the Table 1, we summarize the possible states of some physical objects involved
by the following scenario examples, depicting how this adaptive security system will evolve in
these cases. We note that the Security Camera, for instance, may be in four distinctive pairs
of contradictory states: on/off, recording/monitoring state, taking clear/unclear picture and
online/offline. The combination of all these states and those of other virtual entities increases the
complexity of this system and therefore requires its abstract modeling to describe its behavior.
Scenario1: The camera monitors the security state at the department.
If the camera is faulty and there is a motion, all moving persons must have RFID cards.
Scenario2: Unauthorized access.
The gate remains closed until the RFID card is presented.
�Table 1
Possible states of the physical entities
Security Motion
Light Gate Alarm RFID Reader RFID Card
Camera Detection Sensor
on, off on, off on, off on, off on, off on, off
online, online, online, online, online, online,
offline offline offline offline offline offline
record, detecting, open, active, valid,
monitor not detecting closed inactive unvalid
clear Pic,
Unclear Pic
5.2. Modeling the CPS Physical and Cyber levels
In a preliminary step of this work, we have proceed to integrate a simplified model of our
example, based on elementary bigraphs (without extension) in BigraphER [26] tool which is
an environment for modeling and analyzing bigraphs. The simulation with partial amount of
steps, gives a great number of states, we note then a combinatorial explosion of states. Thereby,
it is necessary to provide a more expressive and efficient formalism that can overcome these
drawbacks. Among them, the rewriting of the reaction rules to simulate such scenarios involving
several actors, must not be conducted in all possible paths, guards must be considered to guide
this execution of the rules. We will explain our solution approach step by step, in the next
sections.
We highlight the adoption of a multi-level view to delineate physical entities, virtual entities,
and dynamic aspects of a given CPS in general. Thus, the CA-BRS model includes a set of control
agents (𝐶𝐴𝑉 𝑖 ), representing Virtual entities dedicated to execute or control CPS processes,
hosted in a given bigraph (𝐵𝑃 ℎ ) expressing the real-world Physical entities.
Definition 5.1. Formally, the model CA-BRS defining a CPS is given by the tuple:
𝐶𝐴-𝐵𝑅𝑆𝐶𝑃 𝑆 = (𝐶𝐴𝑉 𝑖 , 𝐵𝑃 ℎ , 𝐻𝑜𝑠𝑡, 𝐶𝑅𝑅), where:
1. 𝐶𝐴𝑉 𝑖 = 𝐴𝑃 ℎ ∪ 𝐴𝐶𝑦 is a set of contol agents having two distinctive types.
2. 𝐵𝑃 ℎ = (𝑉, 𝐸, 𝑐𝑡𝑟𝑙, 𝐺𝑃 , 𝐺𝐿 ) :< 𝑚, 𝜑 >→< 𝑛, 𝜑 > is the hosted bigraph of agents.
a) 𝑉 = 𝑉𝑃 ℎ ∪ 𝑉𝐶𝑦 a set of nodes that represents a set of physical (𝑉𝑃 ℎ ) and logical
(𝑉𝐶𝑦 ) entities of the CPS,
b) 𝐸 set of edges representing possible relationships and links between the CPS entities,
c) 𝐶𝑡𝑟𝑙 is a mapping function, it associates each node type to its signature 𝐾,
d) 𝐺𝑃 is the derived places graph defining explicitly the parent function of all nodes
types. These nodes may be grouped into roots (regions) according to their member-
ship,
e) 𝐺𝐿 is the associated links graph of nodes; each node may have a fixed number of
ports. Some of these ports attached to physical entities represent their possible
states (as mentioned in Table 1)
f) 𝑛 and 𝑚 are ordinal numbers indicating the number of roots and sites respectively.
� Figure 3: 𝐶𝐴-𝐵𝑅𝑆𝐶𝑃 𝑆 model Example: Graphical view
3. Host is a hosting function that associates to each Control Agents type (𝐶𝐴𝑉 𝑖 ), nodes
where they may host. In our case, 𝐻𝑜𝑠𝑡 : 𝐴𝑃 ℎ → 𝑉𝑃 ℎ and 𝐻𝑜𝑠𝑡 : 𝐴𝐶𝑦 → 𝑉𝐶𝑦
4. CRR is a set of decorated reaction rules modeling physical and virtual mobility of its
elements, each rule is defined by 6 elements: (𝐵𝑃 ℎ , 𝐻𝑜𝑠𝑡, 𝐵𝑃′ ℎ , 𝐻𝑜𝑠𝑡′ , 𝐴𝑆, 𝐴𝑅)
a) 𝐵𝑃 ℎ , 𝐵𝑃′ ℎ are physical structures of the CPS defining respectively, the initial and
the final bigraph during the execution of the CRR rule,
b) 𝐻𝑜𝑠𝑡 and 𝐻𝑜𝑠𝑡′ express respectively, the location of the control agents in the nodes
of the bigraphs 𝐵𝑃 ℎ and 𝐵𝑃′ ℎ they manage.
c) AS is a set of Agent State rules, expressing the Agent state evolution given its
location,
d) AR is a set of Action Rules representing local reaction rules applied to change the
bigraph topology.
Example: Let us take our running example and define the physical and cyber levels of the
IT department, while considering the 𝐶𝐴-𝐵𝑅𝑆𝐶𝑃 𝑆 model. As shown in Figure 3, for
the physical level (𝐵𝑃 ℎ ) we identify 4 Roots indicating possible locations of the CPS
entities. Each Root contains some of nodes, for instance, nodes of the set 𝑉𝑃 ℎ as: Alarm,
Light, Security Camera and Motion Detection Sensor are nested in the IT Department
Root, on the other hand, nodes of the type Cyber (∈ 𝑉𝐶𝑦 ) as: Backing Camera Records,
Security Monitoring are nested in the Cloud Root. The presence of sites in a node or a root
abstracts other entities existence, for example Site 0 indicates that other nodes may be
installed in this Root as the Staff one. Concerning the virtual level (𝐶𝐴𝑉 𝑖 ), we distinguish
two types of Control Agents: 𝐴𝑃 ℎ = {𝐴𝑔𝐶𝑟𝑓 𝑖𝑑𝐶𝑎𝑟𝑑, 𝐴𝑔𝐶𝑟𝑓 𝑖𝑑𝑅𝑒𝑎𝑑𝑒𝑟, 𝐴𝑔𝐶𝑔𝑎𝑡𝑒,
𝐴𝑔𝐶𝑎𝑙𝑎𝑟𝑚, 𝐴𝑔𝐶𝑚𝑜𝑡𝑖𝑜𝑛_𝑑𝑒𝑡𝑒𝑐𝑡𝑖𝑜𝑛_𝑠𝑒𝑛𝑠𝑜𝑟, 𝐴𝑔𝐶𝑠𝑒𝑐𝑢𝑟𝑖𝑡𝑦_𝐶𝑎𝑚𝑒𝑟𝑎, 𝐴𝑔𝐶𝑙𝑖𝑔ℎ𝑡} and
the set of possible other Agents that may be hosted in nodes of 𝑉𝐶𝑦 to manage their
execution, if it is of course an application or a given service (𝐴𝐶𝑦 = ∅ in our example).
Initially, as shown in Figure 3, these Control Agents are hosted in a Fog node. But, during
the system evolution, they may change their hosts (Migrate) and being in various states
which are represented by their ports.
�5.3. Modeling Adaptive Security in CPS
In this section, we define the behavior of any CPS specified with 𝐶𝐴-𝐵𝑅𝑆𝐶𝑃 𝑆 . Its execution
model enriches the existing BRS one by appending the Trigger (AS) and Action rules (AR)
information’s to a new type of reaction rule (Controlled Reaction Rules –CRR). The format of
𝐴𝑆
CRR rule is given by: 𝐵𝑃 ℎ , 𝐻𝑜𝑠𝑡 −−−−−−−−−−−−−−→ 𝐵𝑃′ ℎ , 𝐻𝑜𝑠𝑡′
𝐴𝑅
The defined control agents (𝐶𝐴𝑉 𝑖 ) in the CA-BRS framework observe the physical location
of the distributed structure (𝐵𝑃 ℎ , Host) entities, capture the relationship between these entities
(AS), and affect their state and position by executing a set of control actions (AR). The control
reaction rules (CRR) then offer the ability to agents to control and adapt their corresponding
services, affecting possible states of the specified system at a given time; this novel state after
executing the controlled reaction rule (CRR) of the system is represented by (𝐵𝑃 ℎ ’, Host’).
AS is a type of reaction rules that allows changing the state of agents, graphically, it suffices
to establish a link between the port of a node, indicating its state, and that of the agent which
manages it.
AR is a set of reaction rules affecting a bigraph while applying the following actions: a)
Destroy a node, b) Create a node, c) Destroy a link, d) Create a link, e) Create an Agent instance,
f) Communicate or not two Agents, g) Migrate an Agent from one node to another.
Example: Referring to our running example, we will model, thanks to a sequence of these
guided rewrite rules (CRR), the previous given scenarios specifying how monitoring
changes in the 𝐶𝐴-𝐵𝑅𝑆𝐶𝑃 𝑆 topology at runtime in order to identify new or changing
threats and attacks, and deploy adequate security controls accordingly (Agents migrating
or their state changing). We present in Figure 4a the initial state of the adaptive security
system, where we note that:
1. Each physical entity: Alarm, Security Camera, Gate, etc, is monitored by its cor-
responding agent, hosted in it. Its state is identified by the possible links between
ports.
2. The "link2" from FogNode to the Security Camera, for instance, illustrates the
streaming of the records to the IT Department; however the "link1" from FogNode
to Baking Camera Records illustrates the sending and backup to the cloud. The
existence of the two links specifies that the camera records the activities, monitored
by the specialist person at the IT Department, and then records are stored in the
cloud.
3. The "link1" from FogNode to Security Monitoring in the Cloud root, explains that
the records are augmented by motion detection sensor and RFID reader.
After executing some CRR sequence rules, we will obtain new states of this model, for
instance to define the scenario1, the corresponding CRR rule is CRR1 = (B0, Host0, B1,
Host1, AS1, AR1), B1 and Host1 are illustrated graphically in Figure 4b, while AS1 and
AR1 sets of rules are presented and commented in Table 2.
Obviously, the rewriting of the reaction rules AS1 and AR1 are guided according to the
involved Agents observations (state changes and locations) and may be also executed
�(a) IT Department 𝐶𝐴-𝐵𝑅𝑆𝐶𝑃 𝑆 Model: Initial state
(b) CRR1 execution result: State (B1, Host1)
(B0, Host0)
Figure 4: Initial State & Result State
Figure 5: CRR2 execution
Table 2
AS and AR Reaction Rules for Scenario1 and Scenario2 (section 5.1).
The variables BH and BH’ bellow stand for any 𝐶𝐴-𝐵𝑅𝑆𝐶𝑃 𝑆 state, i.e the tuple (B,Host).
CRR
Rules Comment
constituents
If a system state (BH) evolves toward the state BH’ that contains the
BH −→ BH’{Security Camera.Agc Security Camera & (!online) | Motion
trigger between braces, i.e: "the camera is not online and there is a
Detection Sensor.Agc Motion Detection Sensor & (detecting) ‖ Rfid Reader.Agc
AS1 motion detected by the Motion Detection Sensor, all moving persons
Rfid Reader & (Online, On) | Rfid Card.Agc Rfid Card & (Valid) [Agc Rfid
must have RFID cards". Then the corresponding rule (AR1) must be
Reader, Agc Rfid Card]𝑛𝑒𝑤 }
applied to open the gate.
One local rule is applied, to Create a link between AgC gate and the
AR1 Gate.Agc gate −→ Gate.Agc gate & (open)
node Gate on the port "open", in the global state.
The security rules to open the gate are materialized in the trigger of
BH −→ BH’{Rfid Reader.Agc Rfid Reader & (online, on) | Rfid card.Agc Rfid
AS2 this action rule, in braces: The RFID reader is online and on, the RFID
Card & (valid) [Agc Rfid Reader, Agc Rfid Card]𝑛𝑒𝑤 }
card is valid and the person is identified as new one.
Gate.Agc gate −→ Gate.Agc gate & (open) Two locale rules are applied sequentially in this case, the first one is
when opening the door (Create a link) and the second allows closing
AR2
Gate.Agc gate & (open) | [Agc Rfid Reader, Agc Rfid Card]𝑛𝑒𝑤 the door and stopping communication via the link "new" between the
−→ Gate.Agc gate & (!open) two agents Agc Rfid Reader and Agc Rfid.
concurrently to provide new states. The Scenario2 is defined by CRR2 = (B’0, Host’0,
B2, Host2, AS2, AR2), illustrated graphically in Figure 5; sets AS2 and AR2 are given in
Table 2.
We may note that due to the limited expressiveness of the term language in the case of
�Table 3
Rules Correspondence between 𝐶𝐴-𝐵𝑅𝑆𝐶𝑃 𝑆 and BPMN4CPS
𝐶𝐴-𝐵𝑅𝑆𝐶𝑃 𝑆 BPMN4CPS
Cyber part
𝐴𝑔𝐶𝑦 /𝐻𝑜𝑠𝑡(𝐴𝑔𝐶𝑦 ) = 𝑉𝐶𝑦 or 𝐻𝑜𝑠𝑡(𝐴𝑔𝐶𝑦 ) = 𝑅𝑜𝑜𝑡
Controller part
𝐴𝑔𝑃 ℎ /𝐻𝑜𝑠𝑡(𝐴𝑔𝑃 ℎ ) = 𝑉𝑃 ℎ Physical part
𝑉𝑃 ℎ , 𝑉𝐶𝑦 Nodes or Root Real-world physical entity
𝐶𝐴-𝐵𝑅𝑆 model, some symbols as &, [_]𝑙𝑖𝑛𝑘 , !, {_}, etc. have been introduced, we will see their
formal semantics in a future work.
6. Translating CA-BRS to BPMN4CPS
BPMN is a modeling standard for business processes [6] that provides a set of concepts with a
clear syntax and accepted semantics to facilitate the interaction between a system engineer and
a system modeler. We choose it as an intermediate notation from the bigraph-based specification
of CPS to their implementation. But, in order to capture important particular CPS concepts,
we propose BPMN4CPS, a CPS-aware BPMN 2.0 extension, which introduces the process logic
using three parts: the cyber part, the controller part and the physical part. Each part has its
own type of activities that can be performed. In addition, the extension included the CPS device
roles, the properties of the real world environment and the physical entities.
Our proposal aims to transform the 𝐶𝐴-𝐵𝑅𝑆𝐶𝑃 𝑆 elements into executable process models of
the BPMN4CPS, pointing out the need for the modelers to improve their models before they can
be used as exact specifications for CPS implementation. Most importantly, this transformation
is bidirectional (see Figure 1b), each of its two orientations can be used in an appropriate context
and for different motivations. One can use it, for instance, to associate a formal semantics to
BPMN4CPS processes and their tasks. On the other hand, it can be used to abstract some details
provided by the formal CA-BRS model and give a better interpretation to the involved agents,
in terms of activities and message flows between the different BPMN processes.
In this section, we give only the transformational approach motivation, illustrating it through
the following correspondence table (Table 3). Obviously, each part of the BPMN processes
is managed by an Agent type of the 𝐶𝐴-𝐵𝑅𝑆𝐶𝑃 𝑆 model, activities or tasks represent their
behavior, according to a given scenario. Real-world entities are represented by the nodes of
the 𝐶𝐴-𝐵𝑅𝑆𝐶𝑃 𝑆 model, which consider even their imbrications and nesting. The interactions
between the different processes parts are materialized by some functions (Parent, Host, etc.)
present in CA-BRS definition. More explanation and details will be presented in an upcoming
paper.
7. Conclusion
This paper presented an idea of a new formal modeling three-phase approach based on bigraphs
and agents (CA-BRS) for Cyber Physical Systems. In the present paper, we have detailed the core
step, showing the convenience of this formalism to provide a high level modeling of CPS. Our
�contribution consisted in providing an extended BRS-based approach to formalize the physical,
the cyber entities and their dynamic behavior.
In other words, since CPS represents the coupling of its environment (physical processes) and
embedded computations, the proposed model includes a set of control agents (𝐶𝐴𝑉 𝑖 ), repre-
senting Virtual entities dedicated to execute or control CPS processes, hosted in a given bigraph
(𝐵𝑃 ℎ ) expressing the real-world Physical entities.
Besides, a new set of bigraphical reaction rules, called controlled reaction rules (CRR), to deal
with agent analysis and changes was proposed. These rules adopted the trigger information (AS)
resulting from any agent analysis to formalize the behavior evolution of CPS, while executing
some action rules (AR) in the form of a reaction rule. An illustrative example showing how to
execute these complex rules to ensure adaptive security of the IT department in smart factory
was considered.
On the other hand, we have paid more attention to the execution and formal analysis of the
proposed BRS-based specifications of CPS systems. For this, we suggested to transcript our
bigraphical model to BPMN4CPS; the agent virtual entity added to BRS is better specified in
terms of processes. Our next goal is to be able to finalize this transcription and by the same time,
define a formal semantics to the proposed correspondence rules. We plan also to extend the
term language of bigraphs in order to express virtual entities and their corresponding evolving
rules.
Acknowledgments
This work was partially supported by the LABEX-TA project MeFoGL:"Méhodes Formelles pour
le Génie Logiciel".
References
[1] M. Conti, S. K. Das, C. Bisdikian, M. Kumar, L. M. Ni, A. Passarella, G. Roussos, G. Tröster,
G. Tsudik, F. Zambonelli, Looking ahead in pervasive computing: Challenges and opportuni-
ties in the era of cyber–physical convergence, Pervasive and Mobile Computing 8 (2012) 2–21. URL:
https://www.sciencedirect.com/science/article/pii/S1574119211001271. doi:https://doi.org/
10.1016/j.pmcj.2011.10.001.
[2] L. Sha, S. Gopalakrishnan, X. Liu, Q. Wang, Cyber-Physical Systems: A New Frontier, Springer
US, Boston, MA, 2009, pp. 3–13. URL: https://doi.org/10.1007/978-0-387-88735-7_1. doi:10.1007/
978-0-387-88735-7_1.
[3] I. Horvath, B. Gerritsen, Cyber-physical systems: Concepts, technologies and implementation
principles, in: I. Horvath, Z. Rusak, A. Albers, M. Behrendt (Eds.), Proceedings of the ninth interna-
tional symposium on tools and methods of competitive engineering - TCME-2012, Delft University
of Technology, Netherlands, 2012, pp. 19–36. TMCE 2012, Karlsruhe, Germany ; Conference date:
07-05-2012 Through 11-05-2012.
[4] L. Miclea, T. Sanislav, About dependability in cyber-physical systems, in: 2011 9th East-West
Design & Test Symposium (EWDTS), IEEE, 2011, pp. 17–21.
[5] K. Zarour, D. Benmerzoug, N. Guermouche, K. Drira, A bpmn extension for business process
outsourcing to the cloud, in: World Conference on Information Systems and Technologies, Springer,
2019, pp. 833–843.
� [6] K. Zarour, D. Benmerzoug, N. Guermouche, K. Drira, A systematic literature review on bpmn
extensions, Business Process Management Journal (2019).
[7] A. Bouheroum, Z. Benzadri, F. Belala, Towards a formal approach based on bigraphs for fog security:
Case of oil and gas refinery plant, in: 2019 7th International Conference on Future Internet of
Things and Cloud (FiCloud), IEEE, 2019, pp. 64–71.
[8] Z. Benzadri, A. Bouheroum, F. Belala, A formal framework for secure fog architectures: Application
to guarantee reliability and availability, International Journal of Organizational and Collective
Intelligence (IJOCI) 11 (2021) 51–74.
[9] I. Graja, S. Kallel, N. Guermouche, A. H. Kacem, Bpmn4cps: A bpmn extension for modeling
cyber-physical systems, in: 2016 IEEE 25th International Conference on Enabling Technologies:
Infrastructure for Collaborative Enterprises (WETICE), IEEE, 2016, pp. 152–157.
[10] R. von Hanxleden, E. Lee, C. Motika, H. Fuhrmann, Multi-view modeling and pragmatics in 2020:
position paper on designing complex cyber-physical systems, in: G. D. e. Calinescu R. (Ed.), Large-
Scale Complex IT Systems. Development, Operation and Management, volume 7539 of Lecture Notes
in Computer Science, Monterey Workshop 2012, Springer, Berlin, Heidelberg, 2012, pp. 209–223.
doi:10.1007/978-3-642-34059-8_11.
[11] S. K. Khaitan, J. D. McCalley, Design techniques and applications of cyberphysical systems: A
survey, IEEE Systems Journal 9 (2014) 350–365.
[12] C. P. S. P. W. Group, et al., Framework for cyber-physical systems, release 1.0, Report, National
Institute of Standards and Technology, May. URL: https://pages. nist. gov/cpspwg/library (2016).
[13] U. Kannengiesser, H. Müller, Multi-level, viewpoint-oriented engineering of cyber-physical produc-
tion systems: An approach based on industry 4.0, system architecture and semantic web standards,
in: 2018 44th Euromicro Conference on Software Engineering and Advanced Applications (SEAA),
IEEE, 2018, pp. 331–334.
[14] V. Di Lecce, A. Amato, A. Quarto, M. Minoia, Bigraph theory for distributed and autonomous
cyber-physical system design., IAENG International Journal of Computer Science 47 (2020).
[15] P. Bocciarelli, A. D’Ambrogio, A. Giglio, E. Paglia, A bpmn extension for modeling cyber-physical-
production-systems in the context of industry 4.0, in: 2017 ieee 14th international conference on
networking, sensing and control (icnsc), IEEE, 2017, pp. 599–604.
[16] G. Salaün, P. Poizat, A. Krishna, Vbpmn framework, 2017. URL: https://pascalpoizat.github.io/
vbpmn/.
[17] I. Alfresco Software, A. community, Activiti bpm platform, 2010. URL: https://www.activiti.org/.
[18] BizAgi, Bizagi, 2010. URL: https://portal.bizagi.com/index.php?option=com_content&view=article&
id=233catid=10&Itemid=95.
[19] O. H. Jensen, R. Milner, Bigraphs and mobile processes (revised), Technical Report, University of
Cambridge, Computer Laboratory, 2004.
[20] National Science Foundation, Cyber-physical systems, 2014. URL: https://www.nsf.gov/news/
special_reports/cyber-physical/.
[21] The National Institute of Standards and Technology, Cyber-physical systems, 2018. URL: https:
//www.nist.gov/el/cyber-physical-systems.
[22] E. Pereira, C. Kirsch, R. Sengupta, Biagentsa bigraphical agent model for structure-aware computa-
tion, Cyber-Physical Cloud Computing Working Papers, CPCC Berkeley (2012) 1–13.
[23] E. Pereira, C. M. Kirsch, R. Sengupta, J. B. de Sousa, Bigactors—a model for structure-aware
computation, in: 2013 ACM/IEEE International Conference on Cyber-Physical Systems (ICCPS),
IEEE, 2013, pp. 199–208.
[24] S. Marir, F. Belala, N. Hameurlain, A formal model for interaction specification and analysis in
iot applications, in: International Conference on Model and Data Engineering, Springer, 2018, pp.
371–384.
[25] A. Bouheroum, Vers la modélisation d’un Cloud securisé: Approche basée Fog Computing (Memoire
� de master 2), Master’s thesis, Abdelhamid Mehri, Constantine2-University, Constantine, Algeria,
2019.
[26] M. Sevegnani, Bigrapher, 2015. URL: https://dcs.gla.ac.uk/michele/bigrapher.html.
�