Requirements and Specifications for Adaptive Security: Concepts and Analysis

In an adaptive security-critical system, security mechanisms change according to the type of threat posed by the environment. Specifying the behavior of these systems is difficult because the conditions of the environment are hard to describe until the system has been deployed and used for a length of time. This paper defines the problem of adaptation in security-critical systems and outlines the RELAIS approach for expressing requirements and specifying behavior in a way that helps identify, at runtime, both the need for adaptation and the appropriate adaptation behavior. The paper introduces the notion of adaptation via input approximation and proposes statistical machine learning techniques for realizing it. The approach is illustrated with a running example and is applied to a realistic security example from a cloud-based file-sharing application. Bayesian classification and logistic regression methods are used to implement adaptive specifications, and these methods offer different levels of adaptive security and usability in the file-sharing application.
