Tong Li

DOI: https://doi.org/10.1109/apsec.2017.45

2017-01-01

Abstract:Eliciting security requirements in early stage of system development has been widely recognized as an efficient way for minimizing security cost and avoiding recurring security problems. However, in many projects, security requirements are not explicitly specified but rather mixed with other requirements, requiring precise and fast identification of such security requirements. Although several probability-based approaches have been proposed to tackle this problem, they are either imprecise or domain-dependent. In this paper, we propose a tool-supported method to efficiently identify security requirements, which combines linguistic analysis with machine learning techniques. In particular, we apply a systematic approach to identify linguistic features of security requirements based on existing security requirements ontologies and linguistic knowledge. We automatically extract such features from textual requirements, which are then used to train security requirements classifiers using typical machine learning techniques. We have implemented a prototype tool to support our approach, and have systematically evaluated our approach based on three realistic requirements specifications. The evaluation results show that our approach has promising potential to train classifiers that can classify requirements specifications from different application domains.

Yinglin Wang

DOI: https://doi.org/10.1007/s12204-016-1783-3

2016-01-01

Journal of Shanghai Jiaotong University (Science)

Abstract:Nowadays, software requirements are still mainly analyzed manually, which has many drawbacks (such as a large amount of labor consumption, inefficiency, and even inaccuracy of the results). The problems are even worse in domain analysis scenarios because a large number of requirements from many users need to be analyzed. In this sense, automatic analysis of software requirements can bring benefits to software companies. For this purpose, we proposed an approach to automatically analyze software requirement specifications (SRSs) and extract the semantic information. In this approach, a machine learning and ontology based semantic role labeling (SRL) method was used. First of all, some common verbs were calculated from SRS documents in the E-commerce domain, and then semantic frames were designed for those verbs. Based on the frames, sentences from SRSs were selected and labeled manually, and the labeled sentences were used as training examples in the machine learning stage. Besides the training examples labeled with semantic roles, external ontology knowledge was used to relieve the data sparsity problem and obtain reliable results. Based on the SemCor and WordNet corpus, the senses of nouns and verbs were identified in a sequential manner through the K-nearest neighbor approach. Then the senses of the verbs were used to identify the frame types. After that, we trained the SRL labeling classifier with the maximum entropy method, in which we added some new features based on word sense, such as the hypernyms and hyponyms of the word senses in the ontology. Experimental results show that this new approach for automatic functional requirements analysis is effective.

Wentao Wang,Nesrin Hussein,Arushi Gupta,Yinglin Wang

DOI: https://doi.org/10.1016/j.jii.2018.11.001

IF: 11.718

2018-01-01

Journal of Industrial Information Integration

Abstract:There are several security requirements identification methods proposed by researchers in up-front requirements engineering (RE). However, in open source software (OSS) projects, developers use lightweight representation and refine requirements frequently by writing comments. They also tend to discuss security aspect in comments by providing code snippets, attachments, and external resource links. Since most security requirements identification methods in up-front RE are based on textual information retrieval techniques, these methods are not suitable for OSS projects or just-in-time RE. In this study, we proposed a linear based approach to identify security requirements. It first uses logistic regression models (RMs) to calculate feature values for requirements in OSS project. Then it uses the linear combination of all feature values to classify security and non-security requirements Our results show that compares to single RMs, our approach can achieve higher recall and precision.

Oluwasefunmi 'Tale Arogundade,Zhi Jin,Xiaoguang Yang

DOI: https://doi.org/10.1504/ijics.2014.065168

2014-01-01

International Journal of Information and Computer Security

Abstract:Security requirements managers aim at eliciting, reusing and keeping their sets of requirements. They desire well defined, consistent and up to date requirements throughout the system lifecycle. This paper presents security ontology (SO) which can be used as a basis for eliciting risk-based security requirements. The ontology is based on the security relationship model described in the national institute of standards and technology special publication 800-12 but use-misuse case concepts and some extensions were used. We extended use case with some elements (action and object) to facilitate information system (IS) security policy instantiation after the system has been deployed. We incorporated risk and privilege concepts in order to represent risk knowledge in an unambiguous way and to enable ontology control security issues respectively. This ontology enriches the modelling and management of risk-based safeguard requirements within the requirements engineering discipline by organising the security knowledge to form heavy weight ontology which include concepts, concept taxonomies, relationships, properties, axioms and constraints. This ontology provides capabilities such as IS security management, traceability and reuse. OWL protégé 3.3.1 editor was used for the ontology coding. The results of its adoption in capturing safeguard requirements of healthcare IS were also discussed.

Huangjie Zheng,Yuchen Wang,Chen Han,Fangjie Le,Ruan He,Jialiang Lu

DOI: https://doi.org/10.1109/TrustCom/BigDataSE.2018.00180

2018-01-01

Abstract:In cyber security, the ontology is invented to provide vocabulary in a generalized machine-processable language for downstream works such as attack detection. Meanwhile, machine learning (ML) as a promising intelligent field, is widely investigated to achieve the automation of these tasks. Existing ML-based methods suffer from confines of specific data and preprocessing, while applying ontology with machine learning methods is still rarely discussed. In this paper, 1) we propose a novel approach for automatic attack detection by generating ontology with deep learning through neural network embeddings; 2) we validate the learned ontology by comparing it with a manual ontology built by security expert, the results demonstrates that the latent representation learned with neural networks could serve as a novel ontology format so as to provide a generalized machine-processable language for downstream works, which is the intention of the ontology; 3) finally, we develop a platform to achieve the entire intelligent ontology learning and utilization for cyber attack detection. Our experimental results shows that our proposed ontology is promising to collaborate with machine learning based methods in order to improve the intelligent intrusion detection for cyber security.

Han Zhang,Jiaxian Zhu,Jicheng Chen,Junxiu Liu,Lixia Ji

DOI: https://doi.org/10.1016/j.knosys.2021.107472

2021-11-01

Abstract:The field of information security suffers from the lack of labelled entities. This study proposes a zero-shot hybrid approach, combining a clustering algorithm with a method for representing category labels, to classify fine-grained entity typing based on unified cybersecurity ontology (UCO) to address this issue. However, certain category labels in UCO do not have distinct domain features, while certain abbreviations cannot be obtained directly from word embedding using Word2vec. Thus, we propose a new method, referred to as mixed entities and hierarchy of UCO (MEHC), to represent the category labels. Moreover, to further improve the performance of fine-grained entity typing we propose the triClustering algorithm to re-cluster coarse-grained classification results or determine corresponding types for new entities, based on the theorem that the sum of two sides of a triangle is greater than the third. The experimental results prove that our triClustering algorithm can effectively shorten the computation time and that the proposed hybrid method is superior to other baselines for information security applications.

computer science, artificial intelligence

Yan Liang,Zepeng Wen,Yizheng Tao,GongLiang Li,Bing Guo

DOI: https://doi.org/10.1109/ITAIC.2019.8785798

2019-01-01

Abstract:Document security classification is the foundation of security management for the sensitive and confidential information. Different with the general document classification, the security one is more difficult and challenging, due to the diverse and changeable sensitive features and high requirement for accuracy. In this paper, we propose a new method named incremental learning and similarity comparison (ILSC), which combines two effective security labeling strategies for automatic security classification. In fact, the sensitive document dataset augments continuously. Accordingly, we exploit the use of incremental learning to capture continuously the useful information of the new classified documents and update the classifier. In addition, to utilize the identified sensitive sentences in the classified documents, we introduce a method based on similarity comparison of sentence features, as a supplement to the prediction obtained by the incremental learning. Experimental results show the proposed method can produce competitive results in terms of accuracy.

O. T. Arogundade,A. T. Akinwale,Z. Jin,X. G. Yang

DOI: https://doi.org/10.1080/19393555.2011.652290

2012-01-01

Abstract:ABSTRACT Misuse cases are currently used to identify safety and security threats and subsequently capture safety and security requirements. There is limited consensus to the precise meaning of the basic terminology used for use/misuse case concepts. This paper delves into the use of ontology for the formal representation of the use-misuse case domain knowledge for eliciting safety and security requirements. We classify misuse cases into different category to reflect different type of misusers. This will allow participants during the requirement engineering stage to have a common understanding of the problem domain. We enhanced the misuse case domain to include abusive misuse case and vulnerable use case in order to boost the elicitation of safety requirements. The proposed ontological approach will allow developer to share and reuse the knowledge represented in the ontology thereby avoiding ambiguity and inconsistency in capturing safety and security requirements. OWL protégé 3.3.1 editor was used for the ontology coding. An illustration of the use of the ontology is given with examples from the health care information system.

Tong Li,Yeming Ni

DOI: https://doi.org/10.1007/978-3-030-21290-2_16

2019-01-01

Abstract:System security analysis has been focusing on technology-based attacks, while paying less attention on social perspectives. As a result, social engineering are becoming more and more serious threats to socio-technical systems, in which human plays important roles. However, due to the interdisciplinary nature of social engineering, there is a lack of consensus on its definition, hindering the further development of this research field. In this paper, we propose a comprehensive and fundamental ontology of social engineering, with the purpose of prompting the fast development of this field. In particular, we first review and compare existing social engineering taxonomies in order to summarize the core concepts and boundaries of social engineering, as well as identify corresponding research challenges. We then define a comprehensive social engineering ontology, which is embedded with extensive knowledge from psychology and sociology, providing a full picture of social engineering. The ontology is built on top of existing security ontologies in order to align social engineering analysis with typical security analysis as much as possible. By formalizing such ontology using Description Logic, we provide unambiguous definitions for core concepts of social engineering, serving as a fundamental terminology to facilitate research within this field. Finally, our ontology is evaluated based on a collection of existing social engineering attacks, the results of which indicate good expressiveness of our ontology.

Ziyan Zhao,Li Zhang,Xiaoyun Gao,Xiaoli Lian,Heyang Lv,Lin Shi

DOI: https://doi.org/10.48550/arxiv.2211.16716

2022-01-01

Abstract: Software requirements specification is undoubtedly critical for the whole software life-cycle. Nowadays, writing software requirements specifications primarily depends on human work. Although massive studies have been proposed to fasten the process via proposing advanced elicitation and analysis techniques, it is still a time-consuming and error-prone task that needs to take domain knowledge and business information into consideration. In this paper, we propose an approach, named ReqGen, which can provide recommendations by automatically generating natural language requirements specifications based on certain given keywords. Specifically, ReqGen consists of three critical steps. First, keywords-oriented knowledge is selected from domain ontology and is injected to the basic Unified pre-trained Language Model (UniLM) for domain fine-tuning. Second, a copy mechanism is integrated to ensure the occurrence of keywords in the generated statements. Finally, a requirement syntax constrained decoding is designed to close the semantic and syntax distance between the candidate and reference specifications. Experiments on two public datasets from different groups and domains show that ReqGen outperforms six popular natural language generation approaches with respect to the hard constraint of keywords(phrases) inclusion, BLEU, ROUGE and syntax compliance. We believe that ReqGen can promote the efficiency and intelligence of specifying software requirements.

Tong Li,Jennifer Horkoff,John Mylopoulos

DOI: https://doi.org/10.1007/s10270-016-0560-y

2016-01-01

Software & Systems Modeling

Abstract:Security has been a growing concern for large organizations, especially financial and governmental institutions, as security breaches in the systems they depend on have repeatedly resulted in billions of dollars in losses per year, and this cost is on the rise. A primary reason for these breaches is that the systems in question are "socio-technical" a mix of people, processes, technology, and infrastructure. However, such systems are designed in a piecemeal rather than a holistic fashion, leaving parts of the system vulnerable. To tackle this problem, we propose a three-layer security analysis framework consisting of a social layer (business processes, social actors), a software layer (software applications that support the social layer), and an infrastructure layer (physical and technological infrastructure). In our proposal, global security requirements lead to local security requirements, cutting across conceptual layers, and upper-layer security analysis influences analysis at lower layers. Moreover, we propose a set of analytical methods and a systematic process that together drive security requirements analysis across the three layers. To support analysis, we have defined corresponding inference rules that (semi-)automate the analysis, helping to deal with system complexity. A prototype tool has been implemented to support analysts throughout the analysis process. Moreover, we have performed a case study on a real-world smart grid scenario to validate our approach.

Tong Li,Xiaowei Wang,Yeming Ni

DOI: https://doi.org/10.1016/j.is.2020.101699

IF: 3.18

2022-02-01

Information Systems

Abstract:<p>Along with the rapid development of socio-technical systems, people are playing an increasingly important role in information system and have actually become an essential system component. However, unlike technology-based attacks that have been investigated for decades, social engineering attacks have not been efficiently addressed. In particular, due to the interdisciplinary nature of social engineering, there is a lack of consensus on its definition, hindering the further development of this research field. In this paper, we propose a comprehensive and fundamental ontology of social engineering based on a systematic review of existing social engineering taxonomies and ontologies in order to provide a theoretical foundation for social engineering analysis. The essential contributions of this paper include: (1) propose a comprehensive ontology of social engineering and precisely specify ontological definitions of its essential concepts based on Situation Calculus; (2) enumerate and summarize a set of social engineering techniques and present their fine-grained classification based on the proposed ontology; (3) incorporate psychology and sociology knowledge into social engineering analysis, encapsulating such knowledge in terms of a formalized ontology. We have evaluated our ontology based on a set of real social engineering attacks, the results of which show the usefulness of our proposal.</p>

computer science, information systems

Hu Xuan,Wang Yichen,Liu Bin,Lu Minyan

2009-01-01

Abstract:Nowadays, there are many researches on the ontology-based software requirements elicitation approach. However, there are still some disadvantages. One of the disadvantages is lacking of researches on military aircraft systems (MAS) ontology. Another is lacking of ontology-based software safety requirements elicitation approaches. This paper adopts ontology to construct the safety requirements knowledge multi-ontology framework (SRKMOF) of MAS. Moreover it introduces the software safety requirements error pattern (SSREP) which can be merged into the foregoing framework to enrich ontology knowledge. Furthermore the multi-ontology based safety requirements elicitation approach can be obtained. The SSREP can be weaved into the task ontology (TO) by aspect-oriented method (AOM). Finally, a case study is presented to validate the effectiveness of the proposed safety requirements elicitation approach. The results show that the number of safety requirements errors in safety requirements document obtained by the proposed approach is less than the comparative approach. It shows that the proposed approach is effective.

Xuan Hu,Jie Liu,Yichen Wang

DOI: https://doi.org/10.23919/icact48636.2020.9061484

2020-01-01

Abstract:Because of the increasing complexity of software systems as well as the more various types of R&D personnel of the workers, software development is going to a significant trend of knowledge intensification. In the field of knowledge engineering, an ontology is an explicit specification of a conceptualization. In this paper, the ontology method is used to construct the requirement knowledge framework and the various of requirement knowledge is expressed as a clear, complete and consistent hierarchical ontology concept and association, which is more conducive to knowledge sharing and reuse as well as reflects multiple viewpoints of stakeholders. Furthermore, the relevant content of the decomposition of the generalization ontology is added in the framework, which is divided into the structure ontology and action ontology. It makes up for the deficiency of undifferentiated knowledge composition representation of the generalization ontology. Besides, the concept of software requirement error pattern is proposed and integrated into the multi-ontology framework of requirement knowledge in a consistent form. Based on the framework, the domain requirement model and the application requirement model can be built. It can be adopted as the basis of the requirement elicitation activities to avoid errors and improve the quality and reliability of software products.

HanXiang Xu,ShenAo Wang,Ningke Li,Yanjie Zhao,Kai Chen,Kailong Wang,Yang Liu,Ting Yu,HaoYu Wang

DOI: https://doi.org/10.48550/arxiv.2405.04760

2024-05-08

Cryptography and Security

Abstract:The rapid advancement of Large Language Models (LLMs) has opened up new opportunities for leveraging artificial intelligence in various domains, including cybersecurity. As the volume and sophistication of cyber threats continue to grow, there is an increasing need for intelligent systems that can automatically detect vulnerabilities, analyze malware, and respond to attacks. In this survey, we conduct a comprehensive review of the literature on the application of LLMs in cybersecurity (LLM4Security). By comprehensively collecting over 30K relevant papers and systematically analyzing 127 papers from top security and software engineering venues, we aim to provide a holistic view of how LLMs are being used to solve diverse problems across the cybersecurity domain. Through our analysis, we identify several key findings. First, we observe that LLMs are being applied to a wide range of cybersecurity tasks, including vulnerability detection, malware analysis, network intrusion detection, and phishing detection. Second, we find that the datasets used for training and evaluating LLMs in these tasks are often limited in size and diversity, highlighting the need for more comprehensive and representative datasets. Third, we identify several promising techniques for adapting LLMs to specific cybersecurity domains, such as fine-tuning, transfer learning, and domain-specific pre-training. Finally, we discuss the main challenges and opportunities for future research in LLM4Security, including the need for more interpretable and explainable models, the importance of addressing data privacy and security concerns, and the potential for leveraging LLMs for proactive defense and threat hunting. Overall, our survey provides a comprehensive overview of the current state-of-the-art in LLM4Security and identifies several promising directions for future research.

Wilson Wong,Wei Liu,Saujoe Liaw,Nicoletta Balliu,Hongwei Wu,Moses Tade

DOI: https://doi.org/10.48550/arXiv.0812.3478

2008-12-18

Abstract:The need for domain ontologies in mission critical applications such as risk management and hazard identification is becoming more and more pressing. Most research on ontology learning conducted in the academia remains unrealistic for real-world applications. One of the main problems is the dependence on non-incremental, rare knowledge and textual resources, and manually-crafted patterns and rules. This paper reports work in progress aiming to address such undesirable dependencies during ontology construction. Initial experiments using a working prototype of the system revealed promising potentials in automatically constructing high-quality domain ontologies using real-world texts.

Artificial Intelligence

Rui Li,Shilong Ma,Wentao Yao

DOI: https://doi.org/10.1109/cit/iucc/dasc/picom.2015.126

2015-01-01

Abstract:As a kind of critical system, safety-critical system is always used for the key areas such as aerospace, national defense, transportation, nuclear energy, health and so on, which require the high security. Due to the inherent defects which caused by the complexity of the organizational structure, and the external threats which caused by the open and dynamic environment, some unexpected results will be produced inevitably which reduce the credibility of the safety-critical system. Therefore, requirements analysis for credibility validation has gradually become an essential work. However, there still lacks a systematic method to guide the elicitation of trustworthiness requirements. In this paper, we present an ontology-based requirements analysis method to elicit and model the credibility-related requirements. Using the formal representation, we model the system from static and dynamic aspects, model the inherent defects and the external threats that may exist. Further, we enable a set of rules to reason the requirements from the knowledge base we build. At last, the approach is evaluated on a mission electronic system.

Jalil Abbas,Cheng Zhang,Bin Luo

DOI: https://doi.org/10.1109/access.2024.3452011

IF: 3.9

2024-01-01

IEEE Access

Abstract:Accurate classification of software requirements, distinguishing between functional and non-functional aspects, is crucial for developing reliable and efficient software systems. However, existing methods often struggle with insufficient semantic understanding and managing diverse software requirements. In this study, we introduce an innovative framework named EnsCL-CatBoost (Ensembled Contrastive Learning with CatBoost) to address these challenges by enhancing classification accuracy and robustness. Our method uses a weighted ensemble of Doc2Vec, Word2Vec, and FastText, leveraging their strengths for richer semantic representation. Unlike conventional strategies, we incorporate contrastive learning with the InfoNCE loss function, boosting discriminative power by clustering similar samples and distancing dissimilar ones, thus enhancing robustness and model generalization. To tackle class imbalance, we integrate SMOTE-Tomek links into the embedding process, achieving balanced class distribution before classification. Additionally, our evaluation extends beyond test datasets to new, unlabeled datasets, demonstrating practical applicability in real-world scenarios. We compare our framework’s performance with five machine learning classifiers which we trained using traditional embedding techniques. The results show that our method significantly outperforms others, achieving 94% accuracy. Our research transparently presents tool-based results, highlighting the transformative potential of automation in software requirement classification and setting a new benchmark for practical deployment in diverse environments, paving the way for future research in the field.

Chuanyi Li,Liguo Huang,Jidong Ge,Bin Luo,Vincent Ng

DOI: https://doi.org/10.1016/j.jss.2017.12.028

IF: 3.5

2017-01-01

Journal of Systems and Software

Abstract:In order to make a software project succeed, it is necessary to determine the requirements for systems and to document them in a suitable manner. Many ways for requirements elicitation have been discussed. One way is to gather requirements with crowdsourcing methods, which has been discussed for years and is called crowdsourcing requirements engineering. User requests forums in open source communities, where users can propose their expected features of a software product, are common examples of platforms for gathering requirements from the crowd. Requirements collected from these platforms are often informal text descriptions and we name them user requests. In order to transform user requests into structured software requirements, it is better to know the class of requirements that each request belongs to so that each request can be rewritten according to corresponding requirement templates. In this paper, we propose an effective classification methodology by employing both project-specific and non-project specific keywords and machine learning algorithms. The proposed strategy does well in achieving high classification accuracy by using keywords as features, reducing considerable manual efforts in building machine learning based classifiers, and having stable performance in finding minority classes no matter how few instances they have. (C) 2018 Elsevier Inc. All rights reserved.

Tong Li,Jennifer Horkoff,John Mylopoulos

DOI: https://doi.org/10.1007/978-3-319-16101-3_8

2015-01-01

Abstract:[Context and motivation] Security mechanisms, such as firewalls and encryption, operationalize security requirements, such as confidentiality and integrity. [Question/problem] Although previous work has pointed out that the application of a security mechanism affects system specifications, there is no systematic approach to describe and analyze this impact. [Principal ideas/results] In this paper, we investigate more than 40 security mechanisms that are well documented in security pattern repositories in order to better understand what they are and how they function. [Contribution] Based on this study, we propose a conceptual model for security mechanisms, and evaluate this model against 20 security mechanisms. Using the conceptual model, we provide a systematic process for analyzing and enforcing security mechanisms on system requirements. We also develop a prototype tool to facilitate the application and evaluation of our approach.