Security Requirements Analysis Using Knowledge in CAPEC

  • Haruhiko Kaiya
  • Sho Kono
  • Shinpei Ogata
  • Takao Okubo
  • Nobukazu Yoshioka
  • Hironori Washizaki
  • Kenji Kaijiri
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 178)


Because not all requirements analysts are security experts, automatically providing security knowledge is an effective means of supporting security requirements elicitation. We propose a method for eliciting security requirements on the basis of the Common Attack Pattern Enumeration and Classification (CAPEC). With our method, a requirements analyst can automatically obtain candidate attacks against a functional requirement. Because CAPEC descriptions mainly use technical terms while requirements descriptions use everyday phrases, there is a gap between the two vocabularies. To bridge this gap, our method includes a mapping between technical terms and noun phrases, called a term map.
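To make the term-map idea concrete, the following is an added example (not code from the paper or its authors) of how a small term map can bridge everyday requirement phrases and CAPEC-style technical terms, and then rank attack-pattern candidates for a functional requirement. The attack entries (with placeholder ids, not real CAPEC numbers), the term map, the noun-phrase matching rule and the sample requirements are all constructed for illustration; the paper's actual term map, matching and ranking are not reproduced here.

```python
"""Term-map based lookup of attack candidates for a functional requirement.

Constructed illustration of the CAPEC-based elicitation idea: requirement
text is written in everyday noun phrases, the attack knowledge base is
written in technical terms, and a term map links the two vocabularies.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackPattern:
    pattern_id: str          # constructed placeholder id, not a real CAPEC number
    name: str
    technical_terms: frozenset


# Constructed knowledge base written in CAPEC-style technical vocabulary.
ATTACK_PATTERNS = [
    AttackPattern("CAPEC-SAMPLE-A", "Injection through unvalidated query parameters",
                  frozenset({"sql query", "untrusted input", "database"})),
    AttackPattern("CAPEC-SAMPLE-B", "Theft of session credentials",
                  frozenset({"session token", "authentication", "credential"})),
    AttackPattern("CAPEC-SAMPLE-C", "Tampering with uploaded content",
                  frozenset({"file upload", "untrusted input", "filesystem"})),
]

# Constructed term map: everyday noun phrases -> technical terms used in the KB.
TERM_MAP = {
    "search box": {"untrusted input", "sql query"},
    "customer record": {"database"},
    "log in": {"authentication", "credential"},
    "password": {"credential"},
    "stay logged in": {"session token"},
    "profile picture": {"file upload", "untrusted input"},
}


def extract_noun_phrases(requirement, term_map):
    """Return the term-map noun phrases that occur in the requirement text.

    A real implementation would run a parser; here a whole-word match on the
    term map's keys (allowing a trailing plural 's') stands in for noun-phrase
    extraction. Longer phrases are checked first so that they win over
    shorter phrases they contain.
    """
    text = " ".join(requirement.lower().split())
    found = []
    for phrase in sorted(term_map, key=len, reverse=True):
        if re.search(r"\b" + re.escape(phrase) + r"s?\b", text):
            found.append(phrase)
    return found


def technical_terms_for(requirement, term_map):
    """Translate a requirement into the technical terms its phrases map to."""
    terms = set()
    for phrase in extract_noun_phrases(requirement, term_map):
        terms |= term_map[phrase]
    return terms


def attack_candidates(requirement, patterns, term_map, min_overlap=1):
    """Rank attack patterns by how many of their technical terms the
    requirement implies through the term map.

    Returns a list of (pattern_id, matched_terms), most overlap first.
    An empty list means the term map has no phrase for this requirement,
    which is a coverage gap in the map rather than evidence of safety.
    """
    terms = technical_terms_for(requirement, term_map)
    ranked = []
    for pattern in patterns:
        overlap = pattern.technical_terms & terms
        if len(overlap) >= min_overlap:
            ranked.append((pattern.pattern_id, sorted(overlap)))
    ranked.sort(key=lambda item: (-len(item[1]), item[0]))
    return ranked


if __name__ == "__main__":
    # Constructed functional requirements written in everyday language.
    for req in [
        "The customer can type a product name in the search box and see matching customer records.",
        "Users can log in with their password and choose to stay logged in.",
        "The system prints a monthly report.",
    ]:
        print(req)
        print("  candidates:", attack_candidates(req, ATTACK_PATTERNS, TERM_MAP))
```

The third sample requirement maps to nothing, which is the case an analyst should watch for: an empty candidate list signals that the term map lacks a phrase, not that the requirement has no attack surface, so the map needs extending before the result is trusted.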


Keywords: Requirements Engineering; Requirements Elicitation; Security Requirements; Structured Knowledge



Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Haruhiko Kaiya (1)
  • Sho Kono (2)
  • Shinpei Ogata (2)
  • Takao Okubo (3)
  • Nobukazu Yoshioka (4)
  • Hironori Washizaki (5)
  • Kenji Kaijiri (2)

  1. Dept. of Information Sciences, Kanagawa University, Hiratsuka, Japan
  2. Dept. of Computer Science, Shinshu University, Nagano, Japan
  3. Institute of Information Security, Kanagawa, Japan
  4. National Institute of Informatics (NII), Tokyo, Japan
  5. Waseda University, Tokyo, Japan