DOI: 10.1109/ICSE48619.2023.00139
ACM Conferences, ICSE Conference Proceedings, research article

On-Demand Security Requirements Synthesis with Relational Generative Adversarial Networks

Published: 26 July 2023

Abstract

Security requirements engineering is a manual and error-prone activity that is often neglected because of the knowledge gap between cybersecurity professionals and software requirements engineers. In this paper, we aim to automate the process of recommending and synthesizing security requirements specifications, thereby supporting requirements engineers in eliciting and specifying security requirements. We investigate the use of Relational Generative Adversarial Networks (RelGAN) for automatically synthesizing security requirements specifications. We evaluate our approach on a real case study, the Court Case Management System (CCMS) developed for the Indiana Supreme Court's Division of State Court Administration, and present a RelGAN-based approach that generates security requirements specifications for the CCMS. Subject matter experts judged the synthesized specifications to be practical, indicating that RelGAN is a viable means of synthesizing security requirements specifications. Based on this study, we demonstrate promising results for the use of GANs in the software requirements synthesis domain. We also provide a baseline for synthesizing requirements, highlight the limitations and weaknesses of RelGAN, and define opportunities for further investigation.


Cited By

  • (2024) Translation Titans, Reasoning Challenges: Satisfiability-Aided Language Models for Detecting Conflicting Requirements. Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering, pp. 2294-2298. DOI: 10.1145/3691620.3695302. Online publication date: 27 Oct 2024.


Published In

ICSE '23: Proceedings of the 45th International Conference on Software Engineering
May 2023, 2713 pages
ISBN: 9781665457019
General Chair: John Grundy
Program Co-chairs: Lori Pollock, Massimiliano Di Penta
In-Cooperation: IEEE CS
Publisher: IEEE Press


Author Tags

  1. software security requirements
  2. requirements engineering
  3. generative adversarial networks

Conference

ICSE '23: 45th International Conference on Software Engineering
May 14 - 20, 2023
Victoria, Melbourne, Australia

Acceptance Rates

Overall acceptance rate: 276 of 1,856 submissions (15%)
