"Why can't I do that?": Tracing Adaptive Security Decisions

One of the challenges of any adaptive system is to ensure that users can understand how and why the behaviour of the system changes at runtime. This is particularly important for adaptive security behaviours which are essential for applications that are used in many different contexts, such as those hosted in the cloud. In this paper, we propose an approach for using traceability information, enriched with causality relations and contextual attributes of the deployment environment, when providing feedback to the users. We demonstrate, using a cloud storage-as-a-service environment, how our approach provides users of cloud applications better information, explanations and assurances about the security decisions made by the system. This enables the user to understand why a certain security adaptation has occurred, how the adaptation is related to current context of use of the application, and a guarantee that the application still satisfies its security requirements after an adaptation.

[1]  Chin-Teng Lin,et al.  Supervised and unsupervised learning with fuzzy similarity for neural-network-based fuzzy logic control systems , 1992, [Proceedings] 1992 IEEE International Conference on Systems, Man, and Cybernetics.

[2]  Olly Gotel,et al.  An analysis of the requirements traceability problem , 1994, Proceedings of IEEE International Conference on Requirements Engineering.

[3]  Pamela Zave,et al.  Deriving Specifications from Requirements: an Example , 1995, 1995 17th International Conference on Software Engineering.

[4]  Michael Jackson,et al.  Four dark corners of requirements engineering , 1997, TSEM.

[5]  Richard B. Scherl,et al.  A logic of action, causality, and the temporal relations of events , 1998, Proceedings. Fifth International Workshop on Temporal Representation and Reasoning (Cat. No.98EX157).

[6]  M.S. Feather,et al.  Reconciling system requirements and runtime behavior , 1998, Proceedings Ninth International Workshop on Software Specification and Design.

[7]  Dewayne E. Perry,et al.  A case study in root cause defect analysis , 2000, Proceedings of the 2000 International Conference on Software Engineering. ICSE 2000 the New Millennium.

[8]  Helen M. Edwards,et al.  Problem frames: analyzing and structuring software development problems , 2002, Softw. Test. Verification Reliab..

[9]  Bashar Nuseibeh,et al.  Combining abductive reasoning and inductive learning to evolve requirements specifications , 2003, IEE Proc. Softw..

[10]  Andrian Marcus,et al.  Recovering documentation-to-source-code traceability links using latent semantic indexing , 2003, 25th International Conference on Software Engineering, 2003. Proceedings..

[11]  Andrea Zisman,et al.  Rule-based generation of requirements traceability relations , 2004, J. Syst. Softw..

[12]  Samuel Ajila,et al.  Using traceability mechanisms to support software product line evolution , 2004, Proceedings of the 2004 IEEE International Conference on Information Reuse and Integration, 2004. IRI 2004..

[13]  Erik T. Mueller,et al.  Event calculus and temporal action logics compared , 2006, Artif. Intell..

[14]  Antony Galton Causal Reasoning for Alert Generation in Smart Homes , 2006, Designing Smart Homes.

[15]  Jon G. Hall,et al.  Deriving specifications from requirements through problem reduction , 2006, IEE Proc. Softw..

[16]  Andrea Zisman,et al.  XTraQue: traceability for product line systems , 2009, Software & Systems Modeling.

[17]  Domenico Cotroneo,et al.  Software Faults Diagnosis in Complex OTS Based Safety Critical Systems , 2008, 2008 Seventh European Dependable Computing Conference.

[18]  Bashar Nuseibeh,et al.  Security Requirements Engineering: A Framework for Representation and Analysis , 2008, IEEE Transactions on Software Engineering.

[19]  Peter Sawyer,et al.  Requirements Tracing to Support Change in Dynamically Adaptive Systems , 2009, REFSQ.

[20]  Richard N. Taylor,et al.  Software traceability with topic modeling , 2010, 2010 ACM/IEEE 32nd International Conference on Software Engineering.

[21]  Y. Limpiyakorn,et al.  Enhancement of requirements traceability with state diagrams , 2010, 2010 2nd International Conference on Computer Engineering and Technology.

[22]  Kazutaka Matsuda,et al.  Bidirectionalizing graph transformations , 2010, ICFP '10.

[23]  Hannes Schwarz,et al.  Using Expressive Traceability Relationships for Ensuring Consistent Process Model Refinement , 2010, 2010 15th IEEE International Conference on Engineering of Complex Computer Systems.

[24]  Daniel Jackson,et al.  Dependability Arguments with Trusted Bases , 2010, 2010 18th IEEE International Requirements Engineering Conference.

[25]  Paul Hudak,et al.  Proceedings of the 15th ACM SIGPLAN international conference on Functional programming , 2010, ICFP 2010.

[26]  Luís C. Lamb,et al.  Formalizing traceability relations for product lines , 2011, TEFSE '11.

[27]  Jane Cleland-Huang,et al.  Using Traceability to Support SOA Impact Analysis , 2011, 2011 IEEE World Congress on Services.

[28]  Jane Cleland-Huang,et al.  Using tactic traceability information models to reduce the risk of architectural degradation during system maintenance , 2011, 2011 27th IEEE International Conference on Software Maintenance (ICSM).

[29]  Esperanza Marcos,et al.  Model-Driven Engineering as a new landscape for traceability management: A systematic literature review , 2012, Inf. Softw. Technol..

[30]  Nelly Bencomo,et al.  Self-Explanation in Adaptive Systems , 2012, 2012 IEEE 17th International Conference on Engineering of Complex Computer Systems.

[31]  Giuliano Antoniol,et al.  The quest for Ubiquity: A roadmap for software and systems traceability research , 2012, 2012 20th IEEE International Requirements Engineering Conference (RE).

[32]  Michael G. Hinchey,et al.  Knowledge representation for self-adaptive behavior , 2012, C3S2E '12.

[33]  Yijun Yu,et al.  Maintaining invariant traceability through bidirectional transformations , 2012, 2012 34th International Conference on Software Engineering (ICSE).

[34]  Wolter Pieters,et al.  Security Policy Alignment: A Formal Approach , 2013, IEEE Systems Journal.

[35]  Gabriele Bavota,et al.  Enhancing software artefact traceability recovery processes with link count information , 2014, Inf. Softw. Technol..

[36]  Roberto Bruni,et al.  Revisiting causality, coalgebraically , 2014, Acta Informatica.