Discovering Security Requirements from Natural Language Project Artifacts

explicitly stated may not be considered during implementation. The goal of this research is to aid requirements analysts in generating security requirements by identifying security-relevant statements in project documentation and providing context-specific templates from which security requirements can be generated. First, we identify the most prevalent security objectives from the software security literature. To identify security-relevant statements in project documentation, we propose a tool-based process that classifies each statement as related to zero or more security objectives. We then develop a set of context-specific templates to help translate the security objectives of each statement into explicit sets of security functional requirements. We evaluate our process on six documents from the electronic healthcare software industry, identifying 46% of statements as implicitly or explicitly related to security. Our classification approach identified security objectives with a precision of .82 and recall of .79. From our total set of classified statements, we extracted 16 context-specific templates that identify 41 reusable security requirements.
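The classify-then-template process the abstract describes, in miniature, as an added example that is not the paper's code or data: a hand-written indicator lexicon stands in for the paper's trained classifier, and the four objectives, the template wording and the EHR-style statements with their gold labels are all assumed or constructed here. Precision and recall are micro-averaged over (statement, objective) pairs, the usual way a multi-label classification is scored; the two deliberately mislabelled statements show why a keyword lexicon alone does not reach the paper's figures.

```python
import re

# Hypothetical indicator-term lexicon for four assumed security objectives; the paper trains a
# classifier on labelled statements, so this only stands in for it to keep the example offline.
LEXICON = {
    "confidentiality": r"\b(encrypt|confidential|private)\w*",
    "integrity": r"\b(tamper|modif|alter|validat)\w*",
    "availability": r"\b(uptime|availab|backup|recover)\w*",
    "accountability": r"\b(audit|log|logs|logged|trace)\b",
}

# Context-specific templates (assumed wording) that turn an objective into a reusable
# security functional requirement for the asset the statement is about.
TEMPLATES = {
    "confidentiality": "The system shall restrict read access to {asset} to authorized roles.",
    "integrity": "The system shall detect and reject unauthorized modification of {asset}.",
    "availability": "The system shall keep {asset} available within the agreed service window.",
    "accountability": "The system shall record who accessed or changed {asset}, and when.",
}

def classify(statement):
    """Return the set of objectives the statement implies (zero or more)."""
    text = statement.lower()
    return {obj for obj, pat in LEXICON.items() if re.search(pat, text)}

def precision_recall(predicted, gold):
    """Micro-averaged precision and recall over (statement, objective) pairs."""
    tp = sum(len(p & g) for p, g in zip(predicted, gold))
    fp = sum(len(p - g) for p, g in zip(predicted, gold))
    fn = sum(len(g - p) for p, g in zip(predicted, gold))
    return tp / (tp + fp) if tp + fp else 0.0, tp / (tp + fn) if tp + fn else 0.0

def derive_requirements(statement, asset):
    """Instantiate one template per identified objective, in alphabetical order."""
    return [TEMPLATES[o].format(asset=asset) for o in sorted(classify(statement))]

# Constructed EHR-style statements with analyst-assigned gold objectives (not the paper's data).
CORPUS = [
    ("Patient health records shall be encrypted when sent to the billing service.", {"confidentiality"}),
    ("Every access to a patient record is logged with the user's identity.", {"accountability"}),
    ("The scheduling module must be available during clinic hours, with nightly backups.", {"availability"}),
    ("Lab results cannot be altered after the physician signs them.", {"integrity"}),
    ("The front desk prints appointment reminders each morning.", set()),
    ("Prescriptions are validated against the formulary and each change is recorded with who made it.", {"integrity", "accountability"}),
    ("The nurse validates the patient's insurance card at check-in.", set()),  # keyword false positive
    ("Users must sign out of shared terminals before leaving.", {"confidentiality"}),  # missed by lexicon
]

def evaluate(corpus=CORPUS):
    """Score the lexicon classifier against the gold labels; returns (precision, recall)."""
    return precision_recall([classify(s) for s, _ in corpus], [g for _, g in corpus])
```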
