Abstract
Analyzing security requirements is a tedious task. Quite often they are spread across requirements specifications or stated in a very generic form. The experts have to make sure to extract all the security requirements and to detail them properly by applying the best practices from appropriate standards such as OWASP ASVS, STIG, or IEC 62443. The requirements are specified in various forms, most commonly as statements in natural language. Natural language processing (NLP) has been applied for many years in requirements engineering (RE) for many analysis tasks. However, until recently, the performance of NLP methods on RE tasks has been questionable. In this chapter, we outline the state of the art in NLP methods for RE, and in particular for the analysis of security requirements, and provide practical recipes for applying modern transfer learning architectures to several important RE tasks, illustrated with an example.
References
A. Sadovykh, G. Widforss, D. Truscan, E.P. Enoiu, W. Mallouli, R. Iglesias, A. Bagnato, O. Hendel, in 2021 Design, Automation & Test in Europe Conference & Exhibition (DATE) (2021), pp. 1330–1333. https://doi.org/10.23919/DATE51398.2021.9474185. ISSN: 1558-1101
P. Loucopoulos, V. Karakostas, System Requirements Engineering (McGraw-Hill, 1995)
C. Haley, R. Laney, J. Moffett, B. Nuseibeh, IEEE Trans. Softw. Eng. 34(1), 133 (2008)
K.S. Hoo, Tangible ROI through secure software engineering. Secur. Bus. Q. (2001). https://cir.nii.ac.jp/crid/1571698600432996480
T. Li, Z. Chen, J. Syst. Softw. 165, 110566 (2020)
E. Knauss, S. Houmb, K. Schneider, S. Islam, J. Jürjens, in International Working Conference on Requirements Engineering: Foundation for Software Quality (Springer, 2011), pp. 4–18
M. Kassab, C. Neill, P. Laplante, Innov. Syst. Softw. Eng.: A NASA J. (2014). https://doi.org/10.1007/s11334-014-0232-4
L. Mich, M. Franch, P.L. Novi Inverardi, Requir. Eng. 9, 40 (2004). https://doi.org/10.1007/s00766-003-0179-8
P. Sawyer, P. Rayson, K. Cosh, IEEE Trans. Softw. Eng. 31, 969 (2005). https://doi.org/10.1109/TSE.2005.129
D. Jurafsky, C. Manning, Instructor 212(998), 3482 (2012)
E.D. Liddy, Natural language processing, in Encyclopedia of Library and Information Science, 2nd edn. (Marcel Decker, Inc., NY, 2001)
L. Zhao, W. Alhoshan, A. Ferrari, K. Letsholo, M. Ajagbe, E.V. Chioasca, R. Batista-Navarro, Natural language processing for requirements engineering: a systematic mapping study. ACM Comput. Surv. 54(3), (2022)
T. Hastie, R. Tibshirani, J. Friedman, The Elements of Statistical Learning: Data Mining, Inference, and Prediction (Springer Science & Business Media, 2009)
S. Kommrusch, arXiv preprint arXiv:1912.06796 (2019)
Z.S.H. Abad, O. Karras, P. Ghazi, M. Glinz, G. Ruhe, K. Schneider, in 2017 IEEE 25th International Requirements Engineering Conference (RE) (IEEE, 2017), pp. 496–501
C.D. Manning, M. Surdeanu, J. Bauer, J.R. Finkel, S. Bethard, D. McClosky, in Proceedings of 52nd Annual Meeting of the Association for Computational Linguistics: System Demonstrations (2014), pp. 55–60
E. Boutkova, F. Houdek, in 2011 IEEE 19th International Requirements Engineering Conference (IEEE, 2011), pp. 313–318
R. Malhotra, A. Chug, A. Hayrapetian, R. Raje, in 2016 International Conference on Innovation and Challenges in Cyber Security (ICICCS-INBUSH) (IEEE, 2016), pp. 26–30
N.F. Noy, M. Crubézy, R.W. Fergerson, H. Knublauch, S.W. Tu, J. Vendetti, M.A. Musen, in AMIA Annual Symposium Proceedings (2003), p. 953
A. Hayrapetian, R. Raje, in Proceedings of the 11th Innovations in Software Engineering Conference (2018), pp. 1–11
B. Magnini, R. Zanoli, I. Dagan, K. Eichler, G. Neumann, T.G. Noh, S. Pado, A. Stern, O. Levy, in Proceedings of 52nd Annual Meeting of the Association for Computational Linguistics: System Demonstrations (2014), pp. 43–48
W. Wang, K.R. Mahakala, A. Gupta, N. Hussein, Y. Wang, J. Ind. Inf. Integr. 14, 34 (2019)
Z. Kurtanović, W. Maalej, in 2017 IEEE 25th International Requirements Engineering Conference (RE) (IEEE, 2017), pp. 490–495
J. Cleland-Huang, S. Mazrouee, H. Liguo, D. Port, NFR (2007). https://doi.org/10.5281/zenodo.268542
J.M. Pérez-Verdejo, Á.J. Sánchez-García, J.O. Ocharán-Hernández, E. Mezura-Montes, K. Cortés-Verdín, Program. Comput. Softw. 47(8), 704 (2021)
V. Mir Khatian, Q. Ali Arain, M. Alenezi, M. Owais Raza, F. Shaikh, I. Farah, in 2021 1st International Conference on Artificial Intelligence and Data Analytics (CAIDA) (IEEE, Riyadh, Saudi Arabia, 2021), pp. 7–12
Y. LeCun, Y. Bengio, G. Hinton, Nature 521(7553), 436 (2015)
Y. Zhang, B. Wallace, arXiv preprint arXiv:1510.03820 (2015)
Y. LeCun, B. Boser, J.S. Denker, D. Henderson, R.E. Howard, W. Hubbard, L.D. Jackel, Neural Comput. 1(4), 541 (1989)
T. Mikolov, K. Chen, G. Corrado, J. Dean, arXiv preprint arXiv:1301.3781 (2013)
J. Winkler, A. Vogelsang, in 2016 IEEE 24th International Requirements Engineering Conference Workshops (REW) (IEEE, 2016), pp. 39–45
A. Dekhtyar, V. Fong, in 2017 IEEE 25th International Requirements Engineering Conference (RE) (2017), pp. 484–489. https://doi.org/10.1109/RE.2017.26
T. Hey, J. Keim, A. Koziolek, W.F. Tichy, in 2020 IEEE 28th International Requirements Engineering Conference (RE) (IEEE, 2020), pp. 169–179
J. Devlin, M.W. Chang, K. Lee, K. Toutanova, arXiv preprint arXiv:1810.04805 (2018)
M. Ajagbe, L. Zhao, in 2022 IEEE 30th International Requirements Engineering Conference (RE) (2022), pp. 309–315
K. Ameri, M. Hempel, H. Sharif, J. Lopez Jr., K. Perumalla, J. Cybersecur. Privacy 1(4), 615 (2021). https://doi.org/10.3390/jcp1040031. https://www.mdpi.com/2624-800X/1/4/31
P. Ranade, A. Piplai, A. Joshi, T. Finin, in 2021 IEEE International Conference on Big Data (Big Data) (2021), pp. 3334–3342
G. Li, C. Zheng, M. Li, H. Wang, IEEE Access 10, 30080 (2022)
A. Ferrari, G.O. Spagnolo, S. Gnesi, in 2017 IEEE 25th International Requirements Engineering Conference (RE) (2017), pp. 502–505. https://doi.org/10.1109/RE.2017.29
A. Hassan, A. Mahmood, IEEE Access 6, 13949 (2018). https://doi.org/10.1109/ACCESS.2018.2814818. https://ieeexplore.ieee.org/document/8314136
V. Ivanov, A. Sadovykh, A. Naumchev, A. Bagnato, K. Yakovlev, in Recent Trends in Analysis of Images, Social Networks and Texts, ed. by E. Burnaev, D.I. Ignatov, S. Ivanov, M. Khachay, O. Koltsova, A. Kutuzov, S.O. Kuznetsov, N. Loukachevitch, A. Napoli, A. Panchenko, P.M. Pardalos, J. Saramäki, A.V. Savchenko, E. Tsymbalov, E. Tutubalina. Communications in Computer and Information Science (Springer International Publishing, Cham, 2022), pp. 17–29. https://doi.org/10.1007/978-3-031-15168-2_2
S. Abualhaija, C. Arora, M. Sabetzadeh, L.C. Briand, E. Vaz (2019), pp. 51–62. https://doi.org/10.1109/RE.2019.00017
M.A. Gordon, K. Duh, N. Andrews, Compressing BERT: Studying the Effects of Weight Pruning on Transfer Learning (2020). http://arxiv.org/abs/2002.08307. arXiv:2002.08307 [cs]
V. Sanh, L. Debut, J. Chaumond, T. Wolf, arXiv:1910.01108 [cs] (2020). http://arxiv.org/abs/1910.01108. arXiv:1910.01108
J. Cleland-Huang, R. Settimi, X. Zou, P. Solc, Requir. Eng. 12(2), 103 (2007)
Certification Commission for Health Information Technology (2007). https://www.cchit.org/work/criteria/, https://www.cchit.org/work/inpatient-criteria/
A. Rashwan, O. Ormandjieva, R. Witte, in The 37th Annual International Computer Software & Applications Conference (COMPSAC 2013) (IEEE, 2013), pp. 381–386. https://doi.org/10.1109/COMPSAC.2013.64
OWASP Application Security Verification Standard. https://github.com/OWASP/ASVS/
K. Song, X. Tan, T. Qin, J. Lu, T.Y. Liu, MPNet: Masked and Permuted Pre-training for Language Understanding (2020). http://arxiv.org/abs/2004.09297. arXiv:2004.09297 [cs]
T. Wolf, L. Debut, V. Sanh, J. Chaumond, C. Delangue, A. Moi, P. Cistac, T. Rault, R. Louf, M. Funtowicz, J. Davison, S. Shleifer, P. von Platen, C. Ma, Y. Jernite, J. Plu, C. Xu, T. Le Scao, S. Gugger, M. Drame, Q. Lhoest, A. Rush, in Proceedings of the 2020 Conference on Empirical Methods in Natural Language Processing: System Demonstrations (Association for Computational Linguistics, Online, 2020), pp. 38–45. https://doi.org/10.18653/v1/2020.emnlp-demos.6. https://www.aclweb.org/anthology/2020.emnlp-demos.6
N. Reimers, I. Gurevych, Sentence-BERT: Sentence Embeddings using Siamese BERT-Networks (2019). http://arxiv.org/abs/1908.10084. arXiv:1908.10084 [cs]
R. Socher, A. Perelygin, J. Wu, J. Chuang, C.D. Manning, A.Y. Ng, C. Potts, in Proceedings of the 2013 Conference on Empirical Methods in Natural Language Processing (2013), pp. 1631–1642
T. Hedberg Jr., M. Helu, M. Newrock, Software requirements specification to distribute manufacturing data. Tech. Rep. NIST AMS 300-2, National Institute of Standards and Technology, Gaithersburg, MD (2017). https://doi.org/10.6028/NIST.AMS.300-2. https://nvlpubs.nist.gov/nistpubs/ams/NIST.AMS.300-2.pdf
A. Sadovykh, K. Iakovlev, A. Abherve, ARQAN Online Demonstrator by SOFTEAM (2022). http://arqan.softeam-rd.eu:8501/
Security Technical Implementation Guide (STIG) Complete List. https://www.stigviewer.com/stigs
International Electrotechnical Commission, IEC 62443: Security for Industrial Automation and Control Systems – Part 4-1: Secure Product Development Lifecycle Requirements. Tech. rep. (2018)
W. Wei, P.M. Barnaghi, A. Bargiela, Int. J. Commun. SIWN 3, 76 (2008)
N. Reimers, Pretrained Models – Sentence-Transformers documentation. https://sbert.net/docs/pretrained_models.html
J. Han, J. Pei, H. Tong, Data Mining: Concepts and Techniques (Morgan Kaufmann, 2022)
R. Zhang, Operations on word vectors – Debiasing (2019). https://zhangruochi.com/Operations-on-word-vectors-Debiasing/2019/03/28/index.html
N. Reimers, Semantic Search – Sentence-Transformers documentation. https://sbert.net/examples/applications/semantic-search/README.html
I. Nigmatullin, A. Sadovykh, N. Messe, S. Ebersold, J.M. Bruel, in 2022 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW) (2022), pp. 2–6. https://doi.org/10.1109/ICSTW55395.2022.00015. ISSN: 2159-4848
Modelio – UML/BPMN modeling tool by SOFTEAM. https://www.modeliosoft.com/en/
Z. Ahmed, S.C. Francis, in 2019 International Conference on Digitization (ICD) (IEEE, 2019), pp. 178–182. https://doi.org/10.1109/ICD47981.2019.9105789. https://ieeexplore.ieee.org/abstract/document/9105789
Acknowledgements
This work is partially supported by the VeriDevOps project [1], funded by the Horizon 2020 program under grant agreement No. 957212.
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this chapter
Sadovykh, A., Yakovlev, K., Naumchev, A., Ivanov, V. (2024). Natural Language Processing with Machine Learning for Security Requirements Analysis: Practical Approaches. In: Sadovykh, A., Truscan, D., Mallouli, W., Cavalli, A.R., Seceleanu, C., Bagnato, A. (eds) CyberSecurity in a DevOps Environment. Springer, Cham. https://doi.org/10.1007/978-3-031-42212-6_2
DOI: https://doi.org/10.1007/978-3-031-42212-6_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-42211-9
Online ISBN: 978-3-031-42212-6
eBook Packages: Computer Science, Computer Science (R0)