Information security vulnerability prediction based on business process model using machine learning approach

Abstract

Identifying the information security vulnerabilities of a new business process that results from a business process redesign (BPR) must occur as early as possible. Organisations frequently initiate a BPR, and vulnerability identification involving information security experts should follow. In developing countries, many organisations have too few such experts, which creates problems related to the experts' workload. In this study, we propose a new method called Task-based Vulnerability Prediction (TbVP), which uses a machine-learning approach to predict the information security vulnerabilities of a business process model. The method uses the type and label of the tasks in the model to predict vulnerabilities in the applications that implement the process. Vulnerability data are taken from the Common Weakness Enumeration (CWE) dictionary. Our method consists of two main stages. First, we developed clusters using classification and clustering methods. Second, we built an automatic system that predicts vulnerabilities using the clusters obtained in the first stage. Business processes of public universities were used as case studies to evaluate the method. We evaluated the automatic prediction system with a reliability test and by comparing the vulnerabilities our system predicted with the actual vulnerabilities that materialised in the applications. The evaluation result shows that the system is a reliable predictor of application vulnerabilities, which our method can predict automatically from a business process model before the supporting applications are implemented.
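To make the two-stage idea concrete, the following is an added toy implementation of a TbVP-style pipeline; it is not the paper's code, and the paper does not specify which clustering or classification algorithms it used. It assumes (all constructed): a task is a (task type, label) pair taken from a BPMN model; training tasks carry the CWE identifiers an expert linked to the application that implemented them (the CWE numbers are real CWE entries, but the task-to-CWE links are illustrative); stage 1 groups training tasks by cosine similarity of tf-idf vectors with a simple agglomerative scheme; stage 2 assigns a new task to its nearest cluster and inherits that cluster's pooled CWE set. It also handles the failure mode a practitioner hits first: a task whose label shares no vocabulary with the training data still scores on its type token alone, so a minimum-similarity floor sends it to expert review instead of emitting a prediction.

```python
"""Toy Task-based Vulnerability Prediction (TbVP-style) pipeline (added example, not the paper's code)."""
import math
import re
from collections import Counter

# Constructed training data: (task_type, task_label, CWE ids an expert linked to the implementing app).
# CWE numbers are real CWE entries; the links to these tasks are illustrative only.
TRAINING_TASKS = [
    ("user", "Login to academic portal", {"CWE-287", "CWE-307"}),
    ("user", "Reset account password", {"CWE-287", "CWE-640"}),
    ("user", "Upload thesis document", {"CWE-434", "CWE-22"}),
    ("user", "Upload scanned ID card", {"CWE-434"}),
    ("service", "Query student grades from database", {"CWE-89", "CWE-285"}),
    ("service", "Generate transcript report from database", {"CWE-89"}),
    ("manual", "Verify printed documents at registrar desk", set()),
]

TOKEN_RE = re.compile(r"[a-z]+")


def tokenize(task_type, label):
    """The task type becomes a token of its own so that type and label both drive similarity."""
    return ["type:" + task_type] + TOKEN_RE.findall(label.lower())


def build_idf(token_lists):
    """Smoothed inverse document frequency over the training tasks."""
    n = len(token_lists)
    df = Counter()
    for toks in token_lists:
        df.update(set(toks))
    return {t: math.log((1 + n) / (1 + c)) + 1.0 for t, c in df.items()}


def vectorize(tokens, idf):
    """L2-normalised tf-idf vector; tokens never seen in training are dropped."""
    tf = Counter(tokens)
    vec = {t: tf[t] * idf[t] for t in tf if t in idf}
    norm = math.sqrt(sum(v * v for v in vec.values()))
    return {t: v / norm for t, v in vec.items()} if norm else {}


def cosine(a, b):
    return sum(w * b.get(t, 0.0) for t, w in a.items())


def centroid(vectors):
    acc = Counter()
    for v in vectors:
        acc.update(v)  # Counter.update with a mapping adds the values
    norm = math.sqrt(sum(x * x for x in acc.values()))
    return {t: x / norm for t, x in acc.items()} if norm else {}


def build_model(tasks=TRAINING_TASKS, threshold=0.25):
    """Stage 1: agglomerative clustering on centroid similarity; a cluster pools its members' CWEs."""
    idf = build_idf([tokenize(t, l) for t, l, _ in tasks])
    vecs = [vectorize(tokenize(t, l), idf) for t, l, _ in tasks]
    clusters = [{"members": [i], "vec": vecs[i], "cwes": set(tasks[i][2])} for i in range(len(tasks))]
    while len(clusters) > 1:
        best, pair = -1.0, None
        for i in range(len(clusters)):
            for j in range(i + 1, len(clusters)):
                s = cosine(clusters[i]["vec"], clusters[j]["vec"])
                if s > best:
                    best, pair = s, (i, j)
        if best < threshold:  # remaining clusters are too dissimilar to merge
            break
        i, j = pair
        members = clusters[i]["members"] + clusters[j]["members"]
        merged = {"members": members,
                  "vec": centroid([vecs[k] for k in members]),
                  "cwes": clusters[i]["cwes"] | clusters[j]["cwes"]}
        clusters = [c for k, c in enumerate(clusters) if k not in (i, j)] + [merged]
    return clusters, idf


def predict(task_type, label, clusters, idf, min_similarity=0.5):
    """Stage 2: nearest-cluster lookup. Returns (predicted CWE set, similarity score).

    A label sharing no vocabulary with the training set still matches on its type
    token alone; the similarity floor turns that into an empty prediction (expert review)."""
    vec = vectorize(tokenize(task_type, label), idf)
    score, best = max(((cosine(vec, c["vec"]), c) for c in clusters), key=lambda x: x[0])
    if score < min_similarity:
        return set(), round(score, 3)
    return set(best["cwes"]), round(score, 3)


if __name__ == "__main__":
    clusters, idf = build_model()
    for t, l in [("user", "Upload final exam answer sheet"),
                 ("service", "Query enrolment records from database"),
                 ("user", "Attend graduation ceremony")]:
        print(t, "|", l, "->", predict(t, l, clusters, idf))
```

With the constructed data the two "upload" tasks and the two database-backed service tasks form clusters, while the login, password-reset and manual tasks stay singletons; an upload task never seen before inherits CWE-434 and CWE-22 from the upload cluster, and a user task with an unknown label is returned with an empty set because only its type token matched. The similarity threshold and floor are tuning knobs that a real deployment would set from the reliability evaluation the abstract describes, not fixed constants.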
