A Co-Occurrence Recommendation Model of Software Security Requirement

To guarantee the quality of software, specifying security requirements (SRs) is essential for developing systems, especially for security-critical software systems. However, using security threat to determine detailed SR is quite difficult according to Common Criteria (CC), which is too confusing and technical for non-security specialists. In this paper, we propose a Co-occurrence Recommend Model (CoRM) to automatically recommend software SRs. In this model, the security threats of product are extracted from security target documents of software, in which the related security requirements are tagged. In order to establish relationships between software security threat and security requirement, semantic similarities between different security threat is calculated by Skip-thoughts Model. To evaluate our CoRM model, over 1000 security target documents of 9 types software products are exploited. The results suggest that building a CoRM model via semantic similarity is feasible and reliable.

[1]  Xiaohong Li,et al.  Automated Software Security Requirements Recommendation Based on FT-SR Model , 2017, SEKE.

[2]  John P. McDermott,et al.  Using abuse case models for security requirements analysis , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[3]  Ian Sommerville,et al.  An empirical study of industrial requirements engineering process assessment and improvement , 2005, TSEM.

[4]  Michael I. Jordan,et al.  Latent Dirichlet Allocation , 2001, J. Mach. Learn. Res..

[5]  Donald Firesmith,et al.  Engineering Security Requirements , 2003, J. Object Technol..

[6]  Sanja Fidler,et al.  Skip-Thought Vectors , 2015, NIPS.

[7]  Jörg Dörr,et al.  Requirements Elicitation and Derivation of Security Policy Templates—An Industrial Case Study , 2016, 2016 IEEE 24th International Requirements Engineering Conference (RE).

[8]  Laurie A. Williams,et al.  Hidden in plain sight: Automatically identifying security requirements from natural language artifacts , 2014, 2014 IEEE 22nd International Requirements Engineering Conference (RE).

[9]  Haruhiko Kaiya,et al.  Using Common Criteria as Reusable Knowledge in Security Requirements Elicitation , 2008, MODSEC@MoDELS.

[10]  Franz Lehner,et al.  Requirements Engineering as a Success Factor in Software Projects , 2001, IEEE Softw..

[11]  M. R Raja Ramesh,et al.  A SURVEY ON SECURITY REQUIREMENT ELICITATION METHODS: CLASSIFICATION, MERITS AND DEMERITS , 2016 .

[12]  Shinpei Hayashi,et al.  Enhancing Goal-Oriented Security Requirements Analysis using Common Criteria-Based Knowledge , 2013, Int. J. Softw. Eng. Knowl. Eng..

[13]  Sajjad Mahmood,et al.  Exploring software security approaches in software development lifecycle: A systematic mapping study , 2017, Comput. Stand. Interfaces.

[14]  John P. McDermott,et al.  Abuse-case-based assurance arguments , 2001, Seventeenth Annual Computer Security Applications Conference.

[15]  Li Li,et al.  Automatic Verification for Later-Correspondence of Security Protocols , 2014, SOFL+MSVL.

[16]  Donald Firesmith,et al.  Security Use Cases , 2003, J. Object Technol..

[17]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2004, Requirements Engineering.