SecREP : A Framework for Automating the Extraction and Prioritization of Security Requirements Using Machine Learning and NLP Techniques

Gathering and extracting security requirements adequately requires extensive effort, experience, and time, as large amounts of data need to be analyzed. While many manual and academic approaches have been developed to tackle the discipline of Security Requirements Engineering (SRE), a need still exists for automating the SRE process. This need stems mainly from the difficult, error-prone, and time-consuming nature of traditional and manual frameworks. Machine learning techniques have been widely used to facilitate and automate the extraction of useful information from software requirements documents and artifacts. Such approaches can be utilized to yield beneficial results in automating the process of extracting and eliciting security requirements. However, the extraction of security requirements alone leaves software engineers with yet another tedious task of prioritizing the most critical security requirements. The competitive and fast-paced nature of software development, in addition to resource constraints make the process of security requirements prioritization crucial for software engineers to make educated decisions in risk-analysis and trade-off analysis. To that end, this thesis presents an automated framework/pipeline for extracting and prioritizing security requirements. The proposed framework, called the Security Requirements Extraction and Prioritization Framework (SecREP) consists of two parts: SecREP Part 1: Proposes a machine learning approach for identifying/extracting security requirements from natural language software requirements artifacts (e.g., the Software Requirement Specification document, known as the SRS documents) SecREP Part 2: Proposes a scheme for prioritizing the security requirements identified in the previous step. For the first part of the SecREP framework, three machine learning models (SVM, Naive Bayes, and Random Forest) were trained using an enhanced dataset the “SecREP Dataset” that was created as a result of this work. Each model was validated using resampling (80% of for training and 20% for validation) and 5-folds cross validation techniques. For the second part of the SecREP framework, a prioritization scheme was established with the aid of NLP techniques. The proposed prioritization scheme analyzes each security requirement using Part-of-speech (POS) and Named Entity Recognition methods to extract assets, security attributes, and threats from the security requirement. Additionally, using a text similarity method, each security requirement is compared to a super-sentence that was defined based on the STRIDE threat model. This prioritization scheme was applied to the extracted list of security requirements obtained from the case study in part one, and the priority score for each requirement was calculated and showcase

Requirements Engineering that Balances Agility of Teams and System-level Information Needs at Scale

Context: Motivated by their success in software development, large-scale systems development companies are increasingly adopting agile methods and their practices. Such companies need to accommodate different development cycles of hardware and software and are usually subject to regulation and safety concerns. Also, for such companies, requirements engineering is an essential activity that involves upfront and detailed analysis which can be at odds with agile development methods. Objective: The overall aim of this thesis is to investigate the challenges and solution candidates of performing effective requirements engineering in an agile environment, based on empirical evidence. Illustrated with studies on safety and system-level information needs, we explore RE challenges and solutions in large-scale agile development, both in general and from the teams’ perspectives. Method: To meet our aim, we performed a secondary study and a series of empirical studies based on case studies. We collected qualitative data using interviews, focus groups and workshops to derive challenges and potential solutions from industry. Findings: Our findings show that there are numerous challenges of conducting requirements engineering in agile development especially where systems development is concerned. The challenges discovered sprout from an integration problem of working with agile methods while relying on established plan-driven processes for the overall system. We highlight the communication challenge of crossing the boundary of agile methods and system-level (or plan-driven) development, which also proves the coexistence of both methods. Conclusions: Our results highlight the painful areas of requirements engineering in agile development and propose solutions that can be explored further. This thesis contributes to future research, by establishing a holistic map of challenges and candidate solutions that can be further developed to make RE more efficient within agile environments

Requirements engineering challenges and practices in large-scale agile system development

Context: Agile methods have become mainstream even in large-scale systems engineering companies that need to accommodate different development cycles of hardware and software. For such companies, requirements engineering is an essential activity that involves upfront and detailed analysis which can be at odds with agile development methods. Objective: This paper presents a multiple case study with seven large-scale systems companies, reporting their challenges, together with best practices from industry. We also analyze literature about two popular large-scale agile frameworks, SAFe (R) and LeSS, to derive potential solutions for the challenges. Methods: Our results are based on 20 qualitative interviews, five focus groups, and eight cross company workshops which we used to both collect and validate our results. Results: We found 24 challenges which we grouped in six themes, then mapped to solutions from SAFe (R), LeSS, and our companies, when available. Conclusion: In this way, we contribute a comprehensive overview of RE challenges in relation to largescale agile system development, evaluate the degree to which they have been addressed, and outline research gaps. We expect these results to be useful for practitioners who are responsible for designing processes, methods, or tools for large scale agile development as well as guidance for researchers

Cybersecurity Using Risk Management Strategies of U.S. Government Health Organizations

Seismic data loss attributed to cybersecurity attacks has been an epidemic-level threat currently plaguing the U.S. healthcare system. Addressing cyber attacks is important to information technology (IT) security managers to minimize organizational risks and effectively safeguard data from associated security breaches. Grounded in the protection motivation theory, the purpose of this qualitative multiple case study was to explore risk-based strategies used by IT security managers to safeguard data effectively. Data were derived from interviews of eight IT security managers of four U.S. government health institutions and a review of relevant organizational documentation. The research data were coded and organized to support thematic development and analysis. The findings yielded four primary themes: effective cyber-risk management strategies: structured, systematic, and timely cyber risk management; continuous and consistent assessment of the risk environment; system and controls development, implementation, and monitoring; and strategy coordination through centralized interagency and interdepartmental risk management. The key recommendation based on the study findings is for IT security managers to employ cybersecurity strategies that integrate robust cybersecurity controls and systematic processes based on comprehensive risk management. The implications for positive social change include the potential to positively stimulate patient trust and confidence in healthcare systems and strengthen healthcare professionals\u27 commitments to ensure patient privacy

Conceptual Characterization of Cybersecurity Ontologies

[EN] Cybersecurity is known as the practice of protecting systems from digital attacks. Organizations are seeking efficient solutions for the management and protection of their assets. It is a complex issue, especially for great enterprises, because it requires an interdisciplinary approach. The kinds of problems enterprises must deal with and this domain complexity induces misinterpretations and misunderstandings about the concepts and relations in question. This article focus on dealing with Cybersecurity from an ontological perspective. The first contribution is a search of previously existing works that have defined Cybersecurity Ontologies. The paper describes the process to search these works. The second contribution of the paper is the definition of characteristics to classify the papers of Cybersecurity Ontologies previously found. This classification aims to compare the previous works with the same criteria. The third contribution of the paper is the analysis of the results of the comparison of previous works in the field of Cybersecurity Ontologies. Moreover, the paper discusses the gaps found and proposes good practice actions in Ontology Engineering for this domain. The article ends with some next steps proposed in the evolution towards a pragmatic and iterative solution that meets the needs of organizations.Martins, BF.; Serrano-Gil, LJ.; Reyes Román, JF.; Panach, JI.; Pastor López, O.; Rochwerger, B. (2020). Conceptual Characterization of Cybersecurity Ontologies. Springer. 323-338. https://doi.org/10.1007/978-3-030-63479-7_22S323338Baader, F., et al.: The Description Logic Handbook: Theory, Implementation and Applications. Cambridge University Press, Cambridge (2003)Ben-Asher, N., Oltramari, A., Erbacher, R.F., Gonzalez, C.: Ontology-based adaptive systems of cyber defense. In: STIDS. pp. 34–41 (2015)Bergner, S., Lechner, U.: Cybersecurity ontology for critical infrastructures. In: KEOD. pp. 80–85 (2017)Bizer, C., Heath, T., Berners-Lee, T.: Linked data:the story so far. In: Semantic Services, Interoperability and Web Applications: Emerging Concepts. pp. 205–227. IGI Global (2011)Blanco, C., Lasheras, J., Valencia-García, R., Fernández-Medina, E., Toval, A., Piattini, M.: A systematic review and comparison of security ontologies. In: 3th International Conference on Availability, Reliability and Security. pp. 813–820. IEEE (2008)Booth, H., Turner, C.: Vulnerability description ontology (vdo). A Framework for Characterizing Vulnerabilities, NIST (2016)Borgo, S., Masolo, C.: Ontological foundations of dolce. In: Poli, R., Healy, M., Kameas, A., (eds.) Theory and Applications of Ontology: Computer Applications. Springer, Dordrecht (2010) https://doi.org/10.1007/978-90-481-8847-5_13Degen, W., Heller, B., Herre, H., Smith, B.: Gol: toward an axiomatized upper-level ontology. In: Proceedings of the International Conference on Formal Ontology in Information Systems-Volume. pp. 34–46 (2001)Dietz, M., Putz, B., Pernul, G.: A distributed ledger approach to digital twin secure data sharing. In: IFIP Annual Conference on Data and Applications Security and Privacy. pp. 281–300. Springer (2019)https://doi.org/10.1007/978-3-030-22479-0_15Elnagdy, S.A., Qiu, M., Gai, K.: Cyber incident classifications using ontology-based knowledge representation for cybersecurity insurance in financial industry. In: 2016 IEEE 3rd International Conference on Cyber Security and Cloud Computing (CSCloud). pp. 301–306. IEEE (2016)Falbo, R.D.A.: SABiO: Systematic Approach for Building Ontologies. In: Proceedings of the 1st Joint Workshop ONTO.COM/ODISE on Ontologies in Conceptual Modeling and Information Systems Engineering (2014)Fernández-López, M., Gómez-Pérez, A., Juristo, N.: Methontology: from ontological art towards ontological engineering. In: Proceedings of the Ontological Engineering AAAI-97 Spring Symposium Series. American Association for Artificial Intelligence (1997)Finkel, J.R., Grenager, T., Manning, C.: Incorporating non-local information into information extraction systems by gibbs sampling. In: Proceedings of the 43rd Annual Meeting on Association for Computational Linguistics. ACL 2005, p. 363–370. USA (2005)Giaretta, P., Guarino, N.: Ontologies and knowledge bases towards a terminological clarification. Towards very large knowledge bases: knowledge building & knowledge sharing 25, 32 (1995)Grégio, A., Bonacin, R., Nabuco, O., Afonso, V.M., De Geus, P.L., Jino, M.: Ontology for malware behavior: a core model proposal. In: 2014 IEEE 23rd International WETICE Conference. pp. 453–458. IEEE (2014)Guarino, N.: Formal ontology in information systems. In: Proceedings of the 1st International Conference. pp. 6–8. IOS Press, Trento, Italy (1998)Guarino, N.: The ontological level. Philosophy and the Cognitive Sciences (1994)Guizzardi, G.: The role of foundational ontology for conceptual modeling and domain ontology representation, keynote paper. In: 7th International Baltic Conference on Databases and Information Systems (DB&IS), Vilnius, IEEE Press (2006)Guizzardi, G.: Ontological Foundations for Structural Conceptual Models. CTIT, Centre for Telematics and Information Technology (2005)Guizzardi, G.: On ontology, ontologies, conceptualizations, modeling languages, and (meta) models. Front. Artif. Intell. Appl. 155, 18 (2007)Guizzardi, G., Ferreira Pires, L., van Sinderen, M.: An ontology-based approach for evaluating the domain appropriateness and comprehensibility appropriateness of modeling languages. In: Briand, L., Williams, C. (eds.) MODELS 2005. LNCS, vol. 3713, pp. 691–705. Springer, Heidelberg (2005). https://doi.org/10.1007/11557432_51Hadar, E., Hassanzadeh, A.: Big data analytics on cyber attack graphs for prioritizing agile security requirements. In: 2019 IEEE 27th International Requirements Engineering Conference (RE). pp. 330–339. IEEE (2019)Herre, H.: General formal ontology (gfo): a foundational ontology for conceptual modelling. In: Poli, R., Healy, M., Kameas, A. (eds) Theory and Applications of Ontology: Computer Applications. Springer, Dordrecht (2010) https://doi.org/10.1007/978-90-481-8847-5_14Horrocks, I., et al.: Daml+oil: a description logic for the semantic web. IEEE Data Eng. Bull. 25(1), 4–9 (2002)Iannacone, M., et al.: Developing an ontology for cyber security knowledge graphs. In: 10th Annual Cyber and Information Security Research Conference (2015)Jia, Y., Qi, Y., Shang, H., Jiang, R., Li, A.: A practical approach to constructing a knowledge graph for cybersecurity. Engineering 4(1), 53–60 (2018)Kang, D., Lee, J., Choi, S., Kim, K.: An ontology-based enterprise architecture. Expert Syst. Appl. 37(2), 1456–1464 (2010)Keil, J.M., Schindler, S.: Comparison and evaluation of ontologies for units of measurement. Semantic Web 10(1), 33–51 (2019)Mascardi, V., Cordì, V., Rosso, P.: A comparison of upper ontologies. In: Woa. vol. 2007, pp. 55–64 (2007)Mozzaquatro, B.A., Agostinho, C., Goncalves, D., Martins, J., Jardim-Goncalves, R.: An ontology-based cybersecurity framework for the internet of things. Sensors 18(9), 3053 (2018)Mundie, D.A., Ruefle, R., Dorofee, A.J., Perl, S.J., McCloud, J., Collins, M.: An incident management ontology. In: STIDS. pp. 62–71 (2014)Narayanan, S., Ganesan, A., Joshi, K., Oates, T., Joshi, A., Finin, T.: Cognitive techniques for early detection of cybersecurity events. arXiv preprint arXiv:1808.00116 (2018)Obrst, L., Chase, P., Markeloff, R.: Developing an ontology of the cyber security domain. In: STIDS. pp. 49–56 (2012)Oltramari, A., Cranor, L.F., Walls, R.J., McDaniel, P.: Computational ontology of network operations. In: MILCOM 2015–2015 IEEE Military Communications Conference. pp. 318–323. IEEE (2015)Oltramari, A., Cranor, L.F., Walls, R.J., McDaniel, P.D.: Building an ontology of cyber security. In: STIDS. pp. 54–61. Citeseer (2014)Oltramari, A., Henshel, D.S., Cains, M., Hoffman, B.: Towards a human factors ontology for cyber security. In: STIDS. pp. 26–33 (2015)Oltramari, A., Vetere, G., Lenzerini, M., Gangemi, A., Guarino, N.: Senso comune. In: LREC (2010)Onwubiko, C.: Cocoa: An ontology for cybersecurity operations centre analysis process. In: 2018 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA). pp. 1–8 (2018)Ou, X., Govindavajhala, S., Appel, A.W.: Mulval: A logic-based network security analyzer. In: USENIX security symposium. vol. 8, pp. 113–128. Baltimore (2005)Parmelee, M.C.: Toward an ontology architecture for cyber-security standards. STIDS 713, 116–123 (2010)Pipa, A.M.C.: OWL ontology quality assessment and optimization in the cybersecurity domain. Ph.D. thesis, Instituto Universitário de Lisboa (2018)Rose, S., Engel, D., Cramer, N., Cowley, W.: Automatic keyword extraction from individual documents. In: Berry, M.W., Kogan, J. (eds.) Text Mining. Applications and Theory, pp. 1–20. John Wiley and Sons, Ltd (2010)Rutkowski, A., et al.: Cybex: The cybersecurity information exchange framework (x.1500). SIGCOMM Comput. Commun. Rev. 40(5), 59–64 (2010)Sikos, L.F.: OWL ontologies in cybersecurity: conceptual modeling of cyber-knowledge. In: Sikos, L.F. (ed.) AI in Cybersecurity. ISRL, vol. 151, pp. 1–17. Springer, Cham (2019). https://doi.org/10.1007/978-3-319-98842-9_1Singhal, A., Ou, X.: Security risk analysis of enterprise networks using probabilistic attack graphs. Network Security Metrics, pp. 53–73. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66505-4_3Syed, R., Zhong, H.: Cybersecurity vulnerability management: An ontology-based conceptual model (2018)Syed, Z., Padia, A., Finin, T., Mathews, L., Joshi, A.: UCO: A unified cybersecurity ontology. In: Workshops at the Thirtieth AAAI Conference on Artificial Intelligence (2016)Takahashi, T., Kadobayashi, Y.: Reference ontology for cybersecurity operational information. Comput. J. 58(10), 2297–2312 (2015)Takahashi, T., Fujiwara, H., Kadobayashi, Y.: Building ontology of cybersecurity operational information. In: Proceedings of the Sixth Annual Workshop on Cyber Security and Information intelligence Research. pp. 1–4 (2010)Takahashi, T., Kadobayashi, Y.: Cybersecurity information exchange techniques: Cybersecurity information ontology and cybex. J. National Instit. Inf. Commun. Technol. 58(3/4), 127–135 (2011)Takahashi, T., Kadobayashi, Y., Fujiwara, H.: Ontological approach toward cybersecurity in cloud computing. In: Proceedings of the 3rd International Conference on Security of Information and Networks. pp. 100–109 (2010)Undercofer, J., Joshi, A., Finin, T., Pinkston, J., et al.: A target-centric ontology for intrusion detection. In: Workshop on Ontologies in Distributed Systems, held at The 18th International Joint Conference on Artificial Intelligence (2003)Wand, Y., Weber, R.: On the deep structure of information systems. Inf. Syst. J. 5(3), 203–223 (1995)Wang, J.Z., Ali, F.: An efficient ontology comparison tool for semantic web applications. In: The 2005 IEEE/WIC/ACM International Conference on Web Intelligence (WI 2005). pp. 372–378. IEEE (2005)Wang, J.A., Guo, M.: Ovm: an ontology for vulnerability management. In: 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies. pp. 1–4 (2009)Wieringa, R.: Design Science Methodology for Information Systems and Software Engineering. Springer, Berlin (2014)Zuanelli, E.: The cybersecurity ontology platform: the poc solution. e-AGE2017 p. 1 (2017