Improving security requirements adequacy: an interval type 2 fuzzy logic security assessment system

Conference object, English, open access
Hibshi, Hanan ; Breaux, Travis D. ; Wagner, Christian (2016)

Organizations rely on security experts to improve the security of their systems. These professionals use background knowledge and experience to align known threats and vulnerabilities before selecting mitigation options. The substantial depth of expertise in any one area (e.g., databases, networks, operating systems) precludes the possibility that an expert would have complete knowledge about all threats and vulnerabilities. To begin addressing this problem of fragmented knowledge, we investigate the challenge of developing a security requirements rule base that mimics multi-human expert reasoning to enable new decision-support systems. In this paper, we show how to collect relevant information from cyber security experts to enable the generation of: (1) interval type-2 fuzzy sets that capture intra- and inter-expert uncertainty around vulnerability levels; and (2) fuzzy logic rules driving the decision-making process within the requirements analysis. The proposed method relies on comparative ratings of security requirements in the context of concrete vignettes, providing a novel, interdisciplinary approach to knowledge generation for fuzzy logic systems. The paper presents an initial evaluation of the proposed approach through 52 scenarios with 13 experts to compare their assessments to those of the fuzzy logic decision support system. The results show that the system provides reliable assessments to the security analysts, in particular, generating more conservative assessments in 19% of the test scenarios compared to the experts’ ratings.
