Security Requirements Analysis Using Knowledge in CAPEC

Because not all requirements analysts are security experts, supplying security knowledge automatically is an effective way to support security requirements elicitation. We propose a method for eliciting security requirements based on the Common Attack Pattern Enumeration and Classification (CAPEC). With our method, a requirements analyst can automatically obtain candidate attacks against a functional requirement. Because the descriptions in CAPEC are written mainly in technical terms, whereas requirements descriptions use everyday phrases, there is a vocabulary gap between them. To bridge this gap, our method includes a mapping between technical terms and noun phrases, which we call a term map.
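To make the gap and the bridging step concrete, here is an added example, not the authors' tool or data. It models a term map as a dictionary from everyday noun phrases to CAPEC technical terms, scores a handful of abbreviated CAPEC-style entries against a functional requirement, and contrasts that with literal matching of the requirement's phrases against the same entries. The entry ids and names follow CAPEC's public catalogue, but the per-entry term sets, the term map, the noun-phrase chunker (plain word 1- and 2-grams standing in for a real NLP chunker) and the overlap threshold are all constructed for this example.

```python
"""Elicit candidate CAPEC attacks for a functional requirement via a term map.

Added illustration of the term-map idea; the CAPEC term sets and the term map
below are constructed for this example and are not taken from the paper.
"""
import re

# Constructed, abbreviated CAPEC-style entries: id -> (name, technical terms).
# A real implementation would extract the term sets from each pattern's
# description text; here they are hand-picked.
CAPEC_TERMS = {
    "CAPEC-66": ("SQL Injection",
                 {"sql", "query", "database", "input validation", "parameter"}),
    "CAPEC-63": ("Cross-Site Scripting (XSS)",
                 {"script", "browser", "input validation", "web page"}),
    "CAPEC-112": ("Brute Force",
                  {"authentication", "credential", "password", "secret"}),
    "CAPEC-88": ("OS Command Injection",
                 {"command", "shell", "input validation", "parameter"}),
    "CAPEC-126": ("Path Traversal",
                  {"file", "path", "directory", "input validation"}),
}

# Constructed term map: noun phrases as they appear in requirements text
# -> the technical terms CAPEC uses for the same concept.
TERM_MAP = {
    "log in": {"authentication", "credential"},
    "login": {"authentication", "credential"},
    "user name": {"credential"},
    "password": {"password", "credential", "authentication"},
    "search": {"query", "database", "parameter"},
    "keyword": {"query", "parameter", "input validation"},
    "comment": {"web page", "input validation", "script"},
    "upload": {"file", "path", "input validation"},
    "file name": {"file", "path", "directory"},
    "report": {"database", "query"},
}


def noun_phrases(requirement, max_words=2):
    """Tiny stand-in for a noun-phrase chunker: lowercase word 1- and 2-grams."""
    words = re.findall(r"[a-z0-9]+", requirement.lower())
    phrases = set()
    for n in range(1, max_words + 1):
        for i in range(len(words) - n + 1):
            phrases.add(" ".join(words[i:i + n]))
    return phrases


def technical_terms(requirement, term_map=TERM_MAP):
    """Bridge the vocabulary gap: map the requirement's phrases onto CAPEC terms.

    With term_map=None the phrases are returned as-is, i.e. they have to match
    CAPEC's own wording literally. That is the baseline the term map improves on.
    """
    phrases = noun_phrases(requirement)
    if term_map is None:
        return phrases
    terms = set()
    for phrase in phrases:
        terms |= term_map.get(phrase, set())
    return terms


def candidate_attacks(requirement, term_map=TERM_MAP, catalogue=CAPEC_TERMS,
                      min_overlap=2):
    """Rank catalogue entries by how many of their terms the requirement reaches.

    Returns [(capec_id, name, sorted_overlapping_terms), ...], best first.
    min_overlap is a constructed cut-off to keep one-word coincidences out.
    """
    terms = technical_terms(requirement, term_map)
    scored = []
    for capec_id, (name, entry_terms) in catalogue.items():
        overlap = terms & entry_terms
        if len(overlap) >= min_overlap:
            scored.append((len(overlap), capec_id, name, sorted(overlap)))
    scored.sort(key=lambda s: (-s[0], s[1]))
    return [(cid, name, hits) for _, cid, name, hits in scored]


if __name__ == "__main__":
    for req in ("The user enters a user name and password to log in",
                "The customer can search products by keyword"):
        print(req)
        print("  literal matching :", candidate_attacks(req, term_map=None))
        print("  via term map     :", candidate_attacks(req))
```

Run stand-alone, the login requirement finds nothing by literal matching (only "password" coincides with CAPEC wording, below the threshold) but reaches CAPEC-112 through the term map; the search requirement likewise goes from no candidates to CAPEC-66 and, more weakly, CAPEC-88. The candidate list is deliberately generous: the analyst, not the tool, decides which attacks are relevant, and a real term map would be built from the CAPEC corpus and the project's own glossary rather than typed in by hand.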
