DOI: 10.1145/3661167.3661261
research-article

An LLM-based Approach to Recover Traceability Links between Security Requirements and Goal Models

Published: 18 June 2024

Abstract

The recovery of requirements traceability links between goal models and requirements is crucial for ensuring alignment between stakeholder objectives and system specifications. Large Language Models (LLMs) show potential to significantly transform automated traceability, addressing challenges such as accurately capturing diverse relationships between requirements artifacts and ensuring scalability and efficiency in large-scale software projects. In this paper, we propose an LLM-based approach to generate security-related traceability links between requirements (expressed in natural language) and goals (described as part of GRL models). We employ a Zero-Shot (0S) approach using GPT-3.5-turbo, enhanced by a meticulously crafted prompt. The approach is implemented in a prototype tool, tailored for the textual GRL (TGRL) language. We evaluate the approach and tool using a GRL model describing the objectives of a Virtual Interior Designer application along with a set of 42 requirements addressing both security and non-security aspects. The approach and tool yielded positive results, demonstrating a precision of 100%, a recall of 78.5%, and an F1-score of 87.9%.

    Published In

    EASE '24: Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering
    June 2024
    728 pages
    ISBN:9798400717017
    DOI:10.1145/3661167
    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. GPT-3.5-turbo
    2. Goal-oriented Language (GRL)
    3. Large Language Model (LLM)
    4. security requirements
    5. traceability link

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    EASE 2024

    Acceptance Rates

    Overall Acceptance Rate 71 of 232 submissions, 31%
