Decision Support for Security-Control Identification Using Machine Learning

Cited by: 8
Authors
Bettaieb, Seifeddine [1 ]
Shin, Seung Yeob [1 ]
Sabetzadeh, Mehrdad [1 ]
Briand, Lionel [1 ]
Nou, Gregory [2 ]
Garceau, Michael [2 ]
Affiliations
[1] Univ Luxembourg, SnT Ctr, Luxembourg, Luxembourg
[2] BGL BNP Paribas, Luxembourg, Luxembourg
Source
REQUIREMENTS ENGINEERING: FOUNDATION FOR SOFTWARE QUALITY (REFSQ 2019) | 2019 / Vol. 11412
Keywords
Security requirements engineering; Security assessment; Machine learning;
DOI
10.1007/978-3-030-15538-4_1
CLC number
TP [Automation technology, computer technology];
Subject classification code
0812 ;
Abstract
[Context & Motivation] In many domains such as healthcare and banking, IT systems need to fulfill various requirements related to security. The elaboration of security requirements for a given system is in part guided by the controls envisaged by the applicable security standards and best practices. [Problem] An important difficulty that analysts have to contend with during security requirements elaboration is sifting through a large number of security controls and determining which ones have a bearing on the security requirements for a given system. This challenge is often exacerbated by the scarce security expertise available in most organizations. [Principal ideas/results] In this paper, we develop automated decision support for the identification of security controls that are relevant to a specific system in a particular context. Our approach, which is based on machine learning, leverages historical data from security assessments performed over past systems in order to recommend security controls for a new system. We operationalize and empirically evaluate our approach using real historical data from the banking domain. Our results show that, when one excludes security controls that are rare in the historical data, our approach has an average recall of ~95% and an average precision of ~67%. [Contribution] The high recall (indicating that only a few relevant security controls are missed), combined with the reasonable level of precision (indicating that the effort required to confirm recommendations is not excessive), suggests that our approach is a useful aid to analysts for more efficiently identifying the relevant security controls, and also for decreasing the likelihood that important controls would be overlooked.
Pages: 3 / 20
Page count: 18