Natural Language Processing with Machine Learning for Security Requirements Analysis: Practical Approaches

Chapter in: CyberSecurity in a DevOps Environment

Abstract

Analyzing security requirements is a tedious task. Quite often they are spread across requirements specifications or specified in a very generic form. Experts have to make sure to extract all the security requirements and detail them properly by applying best practices from appropriate standards such as OWASP ASVS, STIG, or IEC 62443. The requirements are specified in various forms, most commonly as statements in natural language. Natural language processing (NLP) has been applied for many years in requirements engineering (RE) for many analysis tasks. However, until recently, the performance of NLP methods on RE tasks has been questionable. In this chapter, we outline the state of the art in NLP methods for RE, and in particular for the analysis of security requirements, and provide practical recipes for applying modern transfer learning architectures to several important RE tasks, illustrated with an example.

References

  1. A. Sadovykh, G. Widforss, D. Truscan, E.P. Enoiu, W. Mallouli, R. Iglesias, A. Bagnto, O. Hendel, in 2021 Design, Automation Test in Europe Conference Exhibition (DATE) (2021), pp. 1330–1333. https://doi.org/10.23919/DATE51398.2021.9474185. ISSN: 1558-1101

  2. P. Loucopoulos, V. Karakostas, System Requirements Engineering (McGraw-Hill, 1995)

  3. C. Haley, R. Laney, J. Moffett, B. Nuseibeh, IEEE Trans. Softw. Eng. 34(1), 133 (2008)

  4. K.S. Hoo, Tangible ROI through secure software engineering. Secur. Bus. Q. (2001). https://cir.nii.ac.jp/crid/1571698600432996480

  5. T. Li, Z. Chen, J. Syst. Softw. 165, 110566 (2020)

  6. E. Knauss, S. Houmb, K. Schneider, S. Islam, J. Jürjens, in International Working Conference on Requirements Engineering: Foundation for Software Quality (Springer, 2011), pp. 4–18

  7. M. Kassab, C. Neill, P. Laplante, Innov. Syst. Softw. Eng.: A NASA J. (2014). https://doi.org/10.1007/s11334-014-0232-4

  8. L. Mich, M. Franch, P.L. Novi Inverardi, Requir. Eng. 9, 40 (2004). https://doi.org/10.1007/s00766-003-0179-8

  9. P. Sawyer, P. Rayson, K. Cosh, IEEE Trans. Softw. Eng. 31, 969 (2005). https://doi.org/10.1109/TSE.2005.129

  10. D. Jurafsky, C. Manning, Instructor 212(998), 3482 (2012)

  11. E.D. Liddy, Natural language processing, in Encyclopedia of Library and Information Science, 2nd edn. (Marcel Decker, Inc., NY, 2001)

  12. L. Zhao, W. Alhoshan, A. Ferrari, K. Letsholo, M. Ajagbe, E.V. Chioasca, R. Batista-Navarro, Natural language processing for requirements engineering: a systematic mapping study. ACM Comput. Surv. 54(3), (2022)

  13. T. Hastie, R. Tibshirani, J. Friedman, The Elements of Statistical Learning: Data Mining, Inference, and Prediction (Springer Science & Business Media, 2009)

  14. S. Kommrusch, arXiv preprint arXiv:1912.06796 (2019)

  15. Z.S.H. Abad, O. Karras, P. Ghazi, M. Glinz, G. Ruhe, K. Schneider, in 2017 IEEE 25th International Requirements Engineering Conference (RE) (IEEE, 2017), pp. 496–501

  16. C.D. Manning, M. Surdeanu, J. Bauer, J.R. Finkel, S. Bethard, D. McClosky, in Proceedings of 52nd Annual Meeting of the Association for Computational Linguistics: System Demonstrations (2014), pp. 55–60

  17. E. Boutkova, F. Houdek, in 2011 IEEE 19th International Requirements Engineering Conference (IEEE, 2011), pp. 313–318

  18. R. Malhotra, A. Chug, A. Hayrapetian, R. Raje, in 2016 International Conference on Innovation and Challenges in Cyber Security (ICICCS-INBUSH) (IEEE, 2016), pp. 26–30

  19. N.F. Noy, M. Crubézy, R.W. Fergerson, H. Knublauch, S.W. Tu, J. Vendetti, M.A. Musen, in AMIA... Annual Symposium Proceedings. AMIA Symposium (2003), pp. 953–953

  20. A. Hayrapetian, R. Raje, in Proceedings of the 11th Innovations in Software Engineering Conference (2018), pp. 1–11

  21. B. Magnini, R. Zanoli, I. Dagan, K. Eichler, G. Neumann, T.G. Noh, S. Pado, A. Stern, O. Levy, in Proceedings of 52nd Annual Meeting of the Association for Computational Linguistics: System Demonstrations (2014), pp. 43–48

  22. W. Wang, K.R. Mahakala, A. Gupta, N. Hussein, Y. Wang, J. Ind. Inf. Integr. 14, 34 (2019)

  23. Z. Kurtanović, W. Maalej, in 2017 IEEE 25th International Requirements Engineering Conference (RE) (IEEE, 2017), pp. 490–495

  24. J. Cleland-Huang, S. Mazrouee, H. Liguo, D. Port. NFR (2007). https://doi.org/10.5281/zenodo.268542

  25. J.M. Pérez-Verdejo, Á.J. Sánchez-García, J.O. Ocharán-Hernández, E. Mezura-Montes, K. Cortés-Verdín, Program. Comput. Softw. 47(8), 704 (2021)

  26. V. Mir Khatian, Q. Ali Arain, M. Alenezi, M. Owais Raza, F. Shaikh, I. Farah, in 2021 1st International Conference on Artificial Intelligence and Data Analytics (CAIDA) (IEEE, Riyadh, Saudi Arabia, 2021), pp. 7–12

  27. Y. LeCun, Y. Bengio, G. Hinton, Nature 521(7553), 436 (2015)

  28. Y. Zhang, B. Wallace, arXiv preprint arXiv:1510.03820 (2015)

  29. Y. LeCun, B. Boser, J.S. Denker, D. Henderson, R.E. Howard, W. Hubbard, L.D. Jackel, Neural Comput. 1(4), 541 (1989)

  30. T. Mikolov, K. Chen, G. Corrado, J. Dean, arXiv preprint arXiv:1301.3781 (2013)

  31. J. Winkler, A. Vogelsang, in 2016 IEEE 24th International Requirements Engineering Conference Workshops (REW) (IEEE, 2016), pp. 39–45

  32. A. Dekhtyar, V. Fong, in 2017 IEEE 25th International Requirements Engineering Conference (RE) (2017), pp. 484–489. https://doi.org/10.1109/RE.2017.26

  33. T. Hey, J. Keim, A. Koziolek, W.F. Tichy, in 2020 IEEE 28th International Requirements Engineering Conference (RE) (IEEE, 2020), pp. 169–179

  34. J. Devlin, M.W. Chang, K. Lee, K. Toutanova, arXiv preprint arXiv:1810.04805 (2018)

  35. M. Ajagbe, L. Zhao, in 2022 IEEE 30th International Requirements Engineering Conference (RE) (2022), pp. 309–315

  36. K. Ameri, M. Hempel, H. Sharif, J. Lopez Jr., K. Perumalla, J. Cybersecur. Privacy 1(4), 615 (2021). https://doi.org/10.3390/jcp1040031. https://www.mdpi.com/2624-800X/1/4/31

  37. P. Ranade, A. Piplai, A. Joshi, T. Finin, in 2021 IEEE International Conference on Big Data (Big Data) (2021), pp. 3334–3342

  38. G. Li, C. Zheng, M. Li, H. Wang, IEEE Access 10, 30080 (2022)

  39. A. Ferrari, G.O. Spagnolo, S. Gnesi, in 2017 IEEE 25th International Requirements Engineering Conference (RE) (2017), pp. 502–505. https://doi.org/10.1109/RE.2017.29

  40. A. Hassan, A. Mahmood, IEEE Access 6, 13949 (2018). https://doi.org/10.1109/ACCESS.2018.2814818. https://ieeexplore.ieee.org/document/8314136

  41. V. Ivanov, A. Sadovykh, A. Naumchev, A. Bagnato, K. Yakovlev, in Recent Trends in Analysis of Images, Social Networks and Texts, ed. by E. Burnaev, D.I. Ignatov, S. Ivanov, M. Khachay, O. Koltsova, A. Kutuzov, S.O. Kuznetsov, N. Loukachevitch, A. Napoli, A. Panchenko, P.M. Pardalos, J. Saramäki, A.V. Savchenko, E. Tsymbalov, E. Tutubalina. Communications in Computer and Information Science (Springer International Publishing, Cham, 2022), pp. 17–29. https://doi.org/10.1007/978-3-031-15168-2_2

  42. S. Abualhaija, C. Arora, M. Sabetzadeh, L.C. Briand, E. Vaz (2019), pp. 51–62. https://doi.org/10.1109/RE.2019.00017

  43. M.A. Gordon, K. Duh, N. Andrews, Compressing BERT: Studying the Effects of Weight Pruning on Transfer Learning (2020). http://arxiv.org/abs/2002.08307. arXiv:2002.08307 [cs]

  44. V. Sanh, L. Debut, J. Chaumond, T. Wolf, arXiv:1910.01108 [cs] (2020). http://arxiv.org/abs/1910.01108. arXiv:1910.01108

  45. J. Cleland-Huang, R. Settimi, X. Zou, P. Solc, Requir. Eng. 12(2), 103 (2007)

  46. Certification Commission for Health Information Technology (2007). https://www.cchit.org/work/criteria/, https://www.cchit.org/work/inpatient-criteria/

  47. A. Rashwan, O. Ormandjieva, R. Witte, in The 37th Annual International Computer Software & Applications Conference (COMPSAC 2013). IEEE (IEEE, 2013), pp. 381–386. https://doi.org/10.1109/COMPSAC.2013.64

  48. OWASP Application Security Verification Standard. https://github.com/OWASP/ASVS/

  49. K. Song, X. Tan, T. Qin, J. Lu, T.Y. Liu, MPNet: Masked and Permuted Pre-training for Language Understanding (2020). http://arxiv.org/abs/2004.09297. arXiv:2004.09297 [cs]

  50. T. Wolf, L. Debut, V. Sanh, J. Chaumond, C. Delangue, A. Moi, P. Cistac, T. Rault, R. Louf, M. Funtowicz, J. Davison, S. Shleifer, P. von Platen, C. Ma, Y. Jernite, J. Plu, C. Xu, T. Le Scao, S. Gugger, M. Drame, Q. Lhoest, A. Rush, in Proceedings of the 2020 Conference on Empirical Methods in Natural Language Processing: System Demonstrations (Association for Computational Linguistics, Online, 2020), pp. 38–45. https://doi.org/10.18653/v1/2020.emnlp-demos.6. https://www.aclweb.org/anthology/2020.emnlp-demos.6

  51. N. Reimers, I. Gurevych, Sentence-BERT: Sentence Embeddings using Siamese BERT-Networks (2019). http://arxiv.org/abs/1908.10084. arXiv:1908.10084 [cs]

  52. R. Socher, A. Perelygin, J. Wu, J. Chuang, C.D. Manning, A.Y. Ng, C. Potts, in Proceedings of the 2013 Conference on Empirical Methods in Natural Language Processing (2013), pp. 1631–1642

  53. T. Hedberg Jr., M. Helu, M. Newrock, Software requirements specification to distribute manufacturing data. Tech. Rep. NIST AMS 300-2, National Institute of Standards and Technology, Gaithersburg, MD (2017). https://doi.org/10.6028/NIST.AMS.300-2. https://nvlpubs.nist.gov/nistpubs/ams/NIST.AMS.300-2.pdf

  54. A. Sadovykh, K. Iakovlev, A. Abherve, ARQAN Online Demonstrator by SOFTEAM (2022). http://arqan.softeam-rd.eu:8501/

  55. Security Technical Implementation Guide (STIG) Complete List. https://www.stigviewer.com/stigs

  56. International Electrotechnical Commission et al., IEC 62443: Security for Industrial Automation and Control Systems – Part 4-1: Secure Product Development Lifecycle Requirements. Tech. rep. (2018)

  57. W. Wei, P.M. Barnaghi, A. Bargiela, Int. J. Commun. SIWN 3, 76 (2008)

  58. N. Reimers, Pretrained Models – Sentence-Transformers documentation. https://sbert.net/docs/pretrained_models.html

  59. J. Han, J. Pei, H. Tong, Data Mining: Concepts and Techniques (Morgan Kaufmann, 2022)

  60. R. Zhang, Operations on word vectors – Debiasing (2019). https://zhangruochi.com/Operations-on-word-vectors-Debiasing/2019/03/28/index.html

  61. N. Reimers, Semantic Search – Sentence-Transformers documentation. https://sbert.net/examples/applications/semantic-search/README.html

  62. I. Nigmatullin, A. Sadovykh, N. Messe, S. Ebersold, J.M. Bruel, in 2022 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW) (2022), pp. 2–6. https://doi.org/10.1109/ICSTW55395.2022.00015. ISSN: 2159-4848

  63. Modelio – UML/BPMN modeling tool by SOFTEAM. https://www.modeliosoft.com/en/

  64. Z. Ahmed, S.C. Francis, in 2019 International Conference on Digitization (ICD) (IEEE, 2019), pp. 178–182. https://doi.org/10.1109/ICD47981.2019.9105789. https://ieeexplore.ieee.org/abstract/document/9105789

Acknowledgements

This work is partially supported by the VeriDevOps [1] project funded by the Horizon 2020 program under the grant agreement No. 957212 (VeriDevOps project).

Corresponding author

Correspondence to Andrey Sadovykh.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter

Cite this chapter

Sadovykh, A., Yakovlev, K., Naumchev, A., Ivanov, V. (2024). Natural Language Processing with Machine Learning for Security Requirements Analysis: Practical Approaches. In: Sadovykh, A., Truscan, D., Mallouli, W., Cavalli, A.R., Seceleanu, C., Bagnato, A. (eds) CyberSecurity in a DevOps Environment. Springer, Cham. https://doi.org/10.1007/978-3-031-42212-6_2

  • DOI: https://doi.org/10.1007/978-3-031-42212-6_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-42211-9

  • Online ISBN: 978-3-031-42212-6

  • eBook Packages: Computer Science (R0)
