
An Automated Security Concerns Recommender Based on Use Case Specification Ontology

Published in: Automated Software Engineering

Abstract

Identifying security concerns is a security activity that can be integrated into the requirements development phase. However, manually identifying concerns has been shown to be a time-consuming and challenging task. The software engineering community has used natural language processing and query systems to automatically find the parts of a requirements specification that carry a specific concern. This research presents an ontology-based recommender system that suggests security concerns from semantic rules over use cases, building on recent studies that locate concerns in use cases. Our approach models use cases for interface design and maps specific parts of a use case to the Application Security Verification Standard (ASVS) according to the security concerns raised at the use case's interaction steps. We conducted two evaluations in which we generated use case models from Restricted Use Case Modeling (RUCM) descriptions and then applied semantic rules to infer where a specific security concern appears in those models. The evaluations show that the recommender achieves up to 100% precision and recall, both for modeling the use cases and for recommending security concerns, when the use case steps strictly follow the RUCM rules. When they do not, modeling precision and recall can take arbitrary values, which in turn degrades the precision and recall of the recommended security concerns. As the main contribution, our approach addresses ASVS security concerns at the level of individual use case interaction steps.
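The abstract describes a pipeline with three stages: build a model instance from each use case step that follows the RUCM restrictions, fire semantic rules over that model to infer a security concern, and map the hit to ASVS. The following is an added, simplified Python illustration of that pipeline; it is not the authors' ontology, rule set, Owlready2 code or dataset. The RUCM sentence pattern, the five rules, the ASVS chapter mapping and both sample use cases are assumptions constructed for the example. It also shows the "otherwise" case from the abstract: a step that does not match the restricted grammar yields no model instance, so no rule can fire and recall collapses.

```python
"""Rule-based tagging of RUCM-style use case steps with ASVS concerns.

Constructed illustration of the pipeline the abstract describes. The step
grammar, rules, chapter mapping and sample use cases are assumptions made
for this example; they are not the paper's ontology, rule set or dataset.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Assumed RUCM step shape: "<subject> VALIDATES THAT <condition>." or
# "<subject> <verb> <object>.", where the subject is "The system" or an actor.
RUCM_STEP = re.compile(
    r"^(?P<subject>The system|The [a-z]+) "
    r"(?:VALIDATES THAT (?P<condition>.+?)|(?P<verb>[a-z]+) (?P<object>.+?))\.?$"
)

# ASVS 4.0 chapter names referenced by the illustrative rules below.
ASVS = {
    "V2": "Authentication",
    "V3": "Session Management",
    "V5": "Validation, Sanitization and Encoding",
    "V7": "Error Handling and Logging",
}


@dataclass
class Step:
    """One use case step plus the model instance (if any) built from it."""
    number: int
    text: str
    subject: Optional[str] = None
    verb: Optional[str] = None
    obj: Optional[str] = None
    condition: Optional[str] = None
    concerns: List[Tuple[str, str]] = field(default_factory=list)  # (concern, ASVS chapter)

    @property
    def modeled(self) -> bool:
        return self.subject is not None

    @property
    def by_system(self) -> bool:
        return self.subject == "The system"


def model_step(number: int, text: str) -> Step:
    """Build a model instance only for steps that match the RUCM pattern."""
    step = Step(number, text.strip())
    m = RUCM_STEP.match(step.text)
    if m:
        step.subject, step.verb = m["subject"], m["verb"]
        step.obj, step.condition = m["object"], m["condition"]
    return step


def _mentions(text: Optional[str], words: Tuple[str, ...]) -> bool:
    return any(w in (text or "").lower() for w in words)


CREDENTIAL_WORDS = ("password", "credential", "passphrase")
SESSION_WORDS = ("session", "token", "cookie")

# Assumed semantic rules: predicate over a Step -> (concern, ASVS chapter).
RULES: List[Tuple[Callable[[Step], bool], str, str]] = [
    (lambda s: not s.by_system and s.verb in ("enters", "submits", "provides")
     and _mentions(s.obj, CREDENTIAL_WORDS), "Authentication", "V2"),      # actor supplies a secret
    (lambda s: s.by_system and _mentions(s.condition, CREDENTIAL_WORDS),
     "Authentication", "V2"),                                                # system checks a secret
    (lambda s: s.by_system and s.condition is not None
     and not _mentions(s.condition, CREDENTIAL_WORDS), "Input validation", "V5"),  # other checks
    (lambda s: s.by_system and s.verb in ("creates", "issues", "generates")
     and _mentions(s.obj, SESSION_WORDS), "Session management", "V3"),     # session state issued
    (lambda s: s.by_system and s.verb in ("logs", "records"),
     "Security logging", "V7"),                                              # event recorded
]


def recommend(use_case: List[str]) -> List[Step]:
    """Model each step and attach every concern whose rule fires on it."""
    steps = [model_step(i, t) for i, t in enumerate(use_case, 1)]
    for s in steps:
        if not s.modeled:
            continue  # no model instance, so no rule can fire
        for fires, concern, chapter in RULES:
            if fires(s):
                s.concerns.append((concern, chapter))
    return steps


def precision_recall(steps: List[Step], expected: Dict[int, Set[str]]) -> Tuple[float, float]:
    """Step-level precision and recall over (step number, ASVS chapter) pairs."""
    predicted = {(s.number, ch) for s in steps for _c, ch in s.concerns}
    truth = {(n, ch) for n, chs in expected.items() for ch in chs}
    tp = len(predicted & truth)
    return (tp / len(predicted) if predicted else 0.0, tp / len(truth) if truth else 0.0)


# Constructed sample use case written in strict RUCM style.
LOGIN_USE_CASE = [
    "The user enters the username and password.",
    "The system VALIDATES THAT the username and password are correct.",
    "The system creates a session token for the user.",
    "The system logs the successful login.",
    "The user enters the new email address.",
    "The system VALIDATES THAT the email address is well-formed.",
    "The system displays the account page.",
]
LOGIN_EXPECTED = {1: {"V2"}, 2: {"V2"}, 3: {"V3"}, 4: {"V7"}, 6: {"V5"}}

# The same scenario written loosely: no step matches the pattern.
LOOSE_USE_CASE = ["Login and show the dashboard.", "Check the password then go to the account page."]
LOOSE_EXPECTED = {1: {"V2"}, 2: {"V2"}}

if __name__ == "__main__":
    for uc, exp in ((LOGIN_USE_CASE, LOGIN_EXPECTED), (LOOSE_USE_CASE, LOOSE_EXPECTED)):
        steps = recommend(uc)
        for s in steps:
            tags = ", ".join(f"{c} ({ch} {ASVS[ch]})" for c, ch in s.concerns)
            print(f"{s.number}. {s.text}  ->  {tags if s.modeled else 'not modeled'}")
        print("precision/recall:", precision_recall(steps, exp))
```

Running the block tags the strict use case with authentication, session-management, input-validation and logging concerns at the exact steps where they arise and scores 1.0/1.0 against the constructed ground truth, while the loosely written version produces no model instances and therefore no recommendations at all; that gap, rather than any weakness in the rules, is what drives the precision and recall behaviour the abstract reports.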


Figs. 1–20 (figure images are not included in this preview)

Notes

  1. An assertion stating that an individual is an instance of a certain class; alternatively, a fact associated with a concept in the ontology.

  2. Protégé is a free, open-source ontology editor and framework for building intelligent systems.

  3. https://protegewiki.stanford.edu/wiki/ProtegeReasonerPlugin

  4. https://pythonhosted.org/Owlready2/

  5. Source of original dataset: https://personal.utdallas.edu/~chung/RE/Presentations07S/Team_3/


Acknowledgements

This work is in part funded by the National Security Agency Grant H98230-20-1-0404. Any opinions, findings, or conclusions found in this paper are those of the authors and do not necessarily reflect the sponsors' views. The authors would like to acknowledge Dr. Albert Esterline for his suggestion on the use of ontology programming as well.

Author information

Contributions

IW: Conceptualization, Methodology, Formal analysis, Investigation, Resources, Data curation, Writing—Original draft, Writing—review & editing, Visualization. XY: Validation, Writing—review & editing, Supervision, Project administration, Funding acquisition. MA: Validation, Writing—review & editing. JTM: Writing—review & editing.

Corresponding author

Correspondence to Imano Williams.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Cite this article

Williams, I., Yuan, X., Anwar, M. et al. An Automated Security Concerns Recommender Based on Use Case Specification Ontology. Autom Softw Eng 29, 42 (2022). https://doi.org/10.1007/s10515-022-00334-0
