Finding Defects in Natural Language Confidentiality Requirements

Large-scale software systems must adhere to complex, multi-lateral security and privacy requirements that stem from regulations. It is industrial practice to define such requirements in the form of natural language (NL) documents. Existing approaches to analyzing NL confidentiality requirements rely on a manual linguistic transformation and normalization of the original text prior to the analysis. This paper presents an alternative approach that analyzes requirements by using semantic annotations placed directly into the original NL documents. The benefits of this alternative approach are twofold: (1) it can effectively be supported by an interactive annotation tool and (2) there is direct traceability between annotation structures and the original NL documents. We have evaluated our method and tool support using the same real-world case study that was used to evaluate the earlier linguistic approach. Our results show that our method produces the same findings, i.e., it uncovers the same problems.
