Decision Support for Security-Control Identification Using Machine Learning

BETTAIEB, Seifeddine; SHIN, Seung Yeob; SABETZADEH, Mehrdad; BRIAND, Lionel; Nou, Grégory; Garceau, Michael

Paper published in a book (Scientific congresses, symposiums and conference proceedings)

BETTAIEB, Seifeddine; SHIN, Seung Yeob; SABETZADEH, Mehrdad et al.

2019 • In International Working Conference on Requirements Engineering: Foundation for Software Quality, Essen 18-21 March 2019

Peer reviewed

Permalink
https://hdl.handle.net/10993/38497

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

REFSQ_2019_paper_11.pdf

Author postprint (410.81 kB)

Download

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

Security Requirements Engineering; Security Assessment; Machine Learning

Abstract :

[en] [Context & Motivation] In many domains such as healthcare and banking, IT systems need to fulfill various requirements related to security. The elaboration of security requirements for a given system is in part guided by the controls envisaged by the applicable security standards and best practices. [Problem] An important difficulty that analysts have to contend with during security requirements elaboration is sifting through a large number of security controls and determining which ones have a bearing on the security requirements for a given system. This challenge is often exacerbated by the scarce security expertise available in most organizations. [Principal ideas/results] In this paper, we develop automated decision support for the identification of security controls that are relevant to a specific system in a particular context. Our approach, which is based on machine learning, leverages historical data from security assessments performed over past systems in order to recommend security controls for a new system. We operationalize and empirically evaluate our approach using real historical data from the banking domain. Our results show that, when one excludes security controls that are rare in the historical data, our approach has an average recall of ≈ 95% and average precision of ≈ 67%. [Contribution] The high recall – indicating only a few relevant security controls are missed – combined with the reasonable level of precision – indicating that the effort required to confirm recommendations is not excessive – suggests that our approach is a useful aid to analysts for more efficiently identifying the relevant security controls, and also for decreasing the likelihood that important controls would be overlooked.

Research center :

Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Software Verification and Validation Lab (SVV Lab)

Disciplines :

Computer science

Author, co-author :

BETTAIEB, Seifeddine ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

SHIN, Seung Yeob ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

SABETZADEH, Mehrdad ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

BRIAND, Lionel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Nou, Grégory

Garceau, Michael

External co-authors :

Language :

English

Title :

Decision Support for Security-Control Identification Using Machine Learning

Publication date :

2019

Event name :

25th International Working Conference on Requirements Engineering: Foundation for Software Quality

Event place :

Essen, Germany

Event date :

from 18-03-2019 to 21-03-2019

Audience :

International

Main work title :

International Working Conference on Requirements Engineering: Foundation for Software Quality, Essen 18-21 March 2019

Peer reviewed :

Peer reviewed

Focus Area :

Security, Reliability and Trust

Funders :

Alphonse Weicker Foundation

Available on ORBilu :

since 22 January 2019

Statistics

Number of views

344 (85 by Unilu)

Number of downloads

657 (51 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

Bibliography

Batista, G.E., et al.: A study of the behavior of several methods for balancingma-chine learning training data. ACM SIGKDD Explor. Newslett. 6, 20–29 (2004)
Breiman, L., et al.: Classification and Regression Trees. Wadsworth International Group, Belmont (1984)
Casamayor, A., et al.: Identification of non-functional requirements in textual specifications: a semi-supervised learning approach. IST 52(4), 436–445 (2010)
Chawla, N.V., et al.: SMOTE: synthetic minority over-sampling technique. JAIR 16, 321–357 (2002)
Cohen, W.W.: Fast effective rule induction. In: ICML 1995 (1995)
Dalpiaz, F., Paja, E., Giorgini, P.: Security Requirements Engineering: Designing Secure Socio-Technical Systems. MIT Press, Cambridge (2016)
Dowd, M., et al.: The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Pearson Education, London (2006)
Elkan, C.: The foundations of cost-sensitive learning. In: IJCAI 2001 (2001)
Frank, E., Witten, I.H.: Generating accurate rule sets without global optimization. In: ICML 1998 (1998)
Furnell, S.: End-user security culture: a lesson that will never be learnt? Comput. Fraud Secur. 2008, 6–9 (2008)
Hall, M., et al.: The WEKA data mining software: an update. ACM SIGKDD Explor. Newslett. 11, 10–18 (2009)
Ionita, D., Wieringa, R.: Web-based collaborative security requirements elicitation. In: REFSQ Workshops (2016)
ISO/IEC 27002:2005 Code of Practice for Information Security Controls. ISO Standard (2005)
ISO/IEC 27000:2018 Information Security Management Systems. ISO Standard (2018)
John, G.H., Langley, P.: Estimating continuous distributions in Bayesian classifiers. In: UAI 1995 (1995)
Jufri, M.T., et al.: Risk-assessment based academic information system security policy using octave allegro and ISO 27002. In: ICIC 2017 (2017)
Kurtanović, Z., Maalej, W.: Mining user rationale from software reviews. In: RE 2017 (2017)
le Cessie, S., van Houwelingen, J.C.: Ridge estimators in logistic regression. Appl. Stat. 41(1), 191–201 (1992)
Li, T.: Identifying security requirements based on linguistic analysis and machine learning. In: APSEC 2017 (2017)
Meier, J.D., et al.: Improving web application security: threats and countermea-sures. Technical report, Microsoft (2012)
Mitchell, T.M.: Machine learning and data mining. Commun. ACM 42(11), 30 (1999)
Myagmar, S., et al.: Threat modeling as a basis for security requirements. In: SREIS 2005 (2005)
Nasrabadi, N.M.: Pattern recognition and machine learning. J. Electron. Imaging 16(4), 049901 (2007)
NIST Special Publication 800–30: Guide for Conducting Risk Assessments. NIST Standard (2012)
OSA: Open Security Architecture. http://www.opensecurityarchitecture.org. Accessed Sep 2018
Quinlan, J.R.: Induction of decision trees. Mach. Learn. 1(1), 81–106 (1986)
Quinlan, R.: C4.5: Programs for Machine Learning. Morgan Kaufmann, Burlington (1993)
Rodeghero, P., et al.: Detecting user story information in developer-client conversations to generate extractive summaries. In: ICSE 2017 (2017)
Schmitt, C., Liggesmeyer, P.: A model for structuring and reusing security requirements sources and security requirements. In: REFSQ Workshops (2015)
Sihwi, S.W., et al.: An expert system for risk assessment of information system security based on ISO 27002. In: ICKEA 2016 (2016)
Sindre, G., Opdahl, A.L.: Eliciting security requirements with misuse cases. REJ 10, 34–44 (2005)
Türpe, S.: The trouble with security requirements. In: RE 2017 (2017)