6 research outputs found

    Risk-driven revision of requirements models

    © 2016 ACM. Requirements incompleteness is often the result of unanticipated adverse conditions which prevent the software and its environment from behaving as expected. These conditions represent risks that can cause severe software failures. The identification and resolution of such risks is therefore a crucial step towards requirements completeness. Obstacle analysis is a goal-driven form of risk analysis that aims at detecting missing conditions that can obstruct goals from being satisfied in a given domain, and resolving them. This paper proposes an approach for automatically revising goals that may be under-specified or (partially) wrong to resolve obstructions in a given domain. The approach deploys a learning-based revision methodology in which obstructed goals in a goal model are iteratively revised from traces exemplifying obstruction and non-obstruction occurrences. Our revision methodology computes domain-consistent, obstruction-free revisions that are automatically propagated to other goals in the model in order to preserve the correctness of goal models whilst guaranteeing minimal change to the original model. We present the formal foundations of our learning-based approach, and show that it preserves the properties of our formal framework. We validate it against the benchmarking case study of the London Ambulance Service.

    How Good is a Security Policy against Real Breaches? A HIPAA Case Study

    Policy design is an important part of software development. As security breaches increase in variety, designing a security policy that addresses all potential breaches becomes a nontrivial task. A complete security policy would specify rules to prevent breaches. Systematically determining which, if any, policy clause has been violated by a reported breach is a means for identifying gaps in a policy. Our research goal is to help analysts measure the gaps between security policies and reported breaches by developing a systematic process based on semantic reasoning. We propose SEMAVER, a framework for determining coverage of breaches by policies via comparison of individual policy clauses and breach descriptions. We represent a security policy as a set of norms. Norms (commitments, authorizations, and prohibitions) describe expected behaviors of users, and formalize who is accountable to whom and for what. A breach corresponds to a norm violation. We develop a semantic similarity metric for pairwise comparison between the norm that represents a policy clause and the norm that has been violated by a reported breach. We use the US Health Insurance Portability and Accountability Act (HIPAA) as a case study. Our investigation of a subset of the breaches reported by the US Department of Health and Human Services (HHS) reveals the gaps between HIPAA and reported breaches, leading to a coverage of 65%. Additionally, our classification of the 1,577 HHS breaches shows that 44% of the breaches are accidental misuses and 56% are malicious misuses. We find that HIPAA's gaps regarding accidental misuses are significantly larger than its gaps regarding malicious misuses.

    A Study on the Construction and Verification of Business Processes Based on Goal-Oriented Requirements Analysis

    Information systems are used by a wide range of companies and government agencies to support their operations. In this situation, developing information systems that are truly useful in actual operations requires that the development of the information system and the design of the business process not be carried out independently; instead, business processes that achieve the organization's goals must be designed first, and information systems that efficiently support the execution of those business processes must then be built to match them. Such design and construction can be carried out effectively by using goal models, which describe requirements systematically and logically, and business process models, which describe the flow of business processes. However, because the organizational environment assumed at design time changes for reasons such as legal amendments and market shifts, it is not sufficient to build information systems and business processes only once; it is necessary to continuously verify whether they remain appropriate in the current environment and to improve them if they do not. Furthermore, in such a complex and changing environment, defining the requirements demanded of information systems and business processes is difficult. Addressing these problems requires techniques for verifying whether the execution logs of an information system satisfy desirable properties, so that environmental change can be detected, and techniques for efficiently constructing models of organizational goals and business processes; research on these is ongoing, but they remain difficult. In existing work, execution-log analysis methods generally perform verification by writing the properties that should hold, and those that should not, in temporal logic, but temporal-logic specifications are hard to write accurately for people who lack knowledge of mathematical logic or of the domain. As for model construction, methods for building multiple models that describe the various aspects surrounding an organization in a mutually consistent state are insufficient. The approach proposed in this research aims to resolve these issues and addresses the following two topics: (1) a method for deriving business process models from goal models built with the goal-oriented requirements analysis method KAOS, and (2) a decision-tree-based method for supporting the verification of business process execution logs. Using these, requirements can be reflected accurately in business processes, and problems in executed business processes can be identified. The proposed methods were evaluated through case studies on subjects such as the London ambulance dispatch system and a telephone repair process, and the effectiveness of each of the two methods was confirmed. The University of Electro-Communications, 201

    Heuristics for the refinement of assumptions in generalized reactivity formulae

    Reactive synthesis is concerned with automatically generating implementations from formal specifications. These specifications are typically written in the language of generalized reactivity (GR(1)), a subset of linear temporal logic capable of expressing the most common industrial specification patterns, and describe the requirements about the behavior of a system under assumptions about the environment where the system is to be deployed. Oftentimes no implementation exists which guarantees the required behavior under all possible environments, typically due to missing assumptions (this is usually referred to as unrealizability). To address this issue, new assumptions need to be added to complete the specification, a problem known as assumptions refinement. Since the space of candidate assumptions is intractably large, searching for the best solutions is inherently hard. In particular, new methods are needed to (i) increase the effectiveness of the search procedures, measured as the ratio between the number of solutions found and of refinements explored; and (ii) improve the results' quality, defined as the weakness of the solutions. In this thesis we propose a set of heuristics to meet these goals, and a methodology to assess and compare assumptions refinement methods based on quantitative metrics. The heuristics are in the form of algorithms to generate candidate refinements during the search, and quantitative measures to assess the quality of the candidates. We first discuss a heuristic method to generate assumptions that target the cause of unrealizability. This is done by selecting candidate refinement formulas based on Craig's interpolation. We provide a formal underpinning of the technique and evaluate it in terms of our new metric of effectiveness, as defined above, whose value is improved with respect to the state of the art. We demonstrate this on a set of popular benchmarks of embedded software. 
We then provide a formal, quantitative characterization of the permissiveness of environment assumptions in the form of a weakness measure. We prove that the partial order induced by this measure is consistent with the one induced by implication. The key advantage of this measure is that it allows for prioritizing candidate solutions, as we show experimentally. Lastly, we propose a notion of minimal refinements with respect to the observed counterstrategies. We demonstrate that exploring minimal refinements produces weaker solutions, and reduces the amount of computations needed to explore each refinement. However, this may come at the cost of reducing the effectiveness of the search. To counteract this effect, we propose a hybrid search approach in which both minimal and non-minimal refinements are explored.
