A supporting system for predicting vulnerabilities and their countermeasures of an information system during requirements analysis

2013 Fiscal Year Final Research Report

• Project/Area Number: 23500042
• Research Category: Grant-in-Aid for Scientific Research (C)
• Allocation Type: Multi-year Fund
• Section: 一般
• Research Field: Software
• Research Institution: Shinshu University
• Principal Investigator: KAIYA Haruhiko 信州大学, 工学部, 准教授 (30262596)
• Project Period (FY): 2011 – 2013
• Keywords: 要求工学 / モデリング / セキュリティ分析 / アッセトフロー / モデル検査 / システムアーキテクチャ / オントロジ

Research Abstract

We have developed a method for security requirements analysis. In the method, vulnerabilities and their countermeasures are systematically predicted on the basis of the dependencies among assets and a system architecture in a system to be developed. We can re-examine vulnerabilities and their countermeasures when the architecture is changed but system functionalities are not changed. We have also developed a supporting tool for enacting the method. The tool consists of three components: a modeling editor, a model checker and a visualizer. With the help of the tool, stakeholders including security experts can validate the predicted results of the method because the tool can automatically derive the candidates of vulnerabilities on the basis of our original model checking engine and visualize the derived results.

Research Products

• [Journal Article] 情報検索手法に基づくトレーサビリティリンク回復のための手法オプションについてのマイニングの提案と評価 (2014)
  • Author(s): 上田 健之, 小形 真平, 海谷 治彦, 海尻 賢二
  • Journal Title: 電子情報通信学会論文誌 Volume: Vol.J97-D, No.3 Pages: 414-426
  • Peer Reviewed
• [Journal Article] 機能要求に必要な品質要求の機械学習による予測法 (2013)
  • Author(s): 田中 賢, 海谷 治彦, 大西 淳
  • Journal Title: 電子情報通信学会論文誌 Volume: Vol.J96-D, No.11 Pages: 2646-2656
  • Peer Reviewed
• [Journal Article] Eliciting Security Requirements for an Information System using Asset Flows and Processor Deployment (2013)
  • Author(s): Haruhiko Kaiya, Junya Sakai, Shinpei Ogata and Kenji Kaijiri
  • Journal Title: International Journal of Secure Software Engineering (IJSSE), IGI Global Volume: Vol.4, Issue3 Pages: 42-63
  • DOI: 10.4018/jsse.2013070103
  • Peer Reviewed
• [Journal Article] Spectrum analysis on quality requirements consideration in software design documents (2013)
  • Author(s): Haruhiko Kaiya, Masahiro Umemura, Shinpei Ogata, and Kenji Kaijiri
  • Journal Title: SpringerPlus Volume: Vol.2, Issue1, No.310 Pages: 1-14
  • DOI: 10.1186/2193-1801-2-310
  • Peer Reviewed
• [Journal Article] Enhancing Goal-Oriented Security Requirements Analysis Using Common Criteria-Based Knowledge (2013)
  • Author(s): Motoshi Saeki, Shinpei Hayashi, Haruhiko Kaiya
  • Journal Title: International Journal of Software Engineering and Knowledge Engineering (IJSEKE). World Scientific Publishing Volume: Vol.23, No.05 Pages: 695-720
  • DOI: 10.1142/S0218194013500174
  • Peer Reviewed
• [Journal Article] Finding incorrect and missing quality requirements definitions using requirements frame (2012)
  • Author(s): Haruhiko Kaiya and Atsushi Ohnishi
  • Journal Title: IEICE Transactions on Information and Systems Volume: Vol.E95-D, No.4 Pages: 1031-1043
  • DOI: 10.1587/transinf.E95.D.1012
  • Peer Reviewed
• [Journal Article] Toward the decision tree for inferring requirements maturation types (2012)
  • Author(s): Takako Nakatani, Narihito Kondo, Junko Shirogane, Haruhiko Kaiya, Shozo Hori, and Keiichi Katamine
  • Journal Title: IEICE Transactions on Information and Systems Volume: Vol.E95-D, No.4 Pages: 1021-1030
  • DOI: 10.1587/transinf.E95.D.1021
  • Peer Reviewed
• [Journal Article] Impact analysis on an attributed goal graph (2012)
  • Author(s): Shinpei Hayashi, Daisuke Tanabe, Haruhiko Kaiya, and Motoshi Saeki
  • Journal Title: IEICE Transactions on Information and Systems Volume: Vol.E95-D, No.4 Pages: 1012-1020
  • DOI: 10.1587/transinf.E95.D.1031
  • Peer Reviewed
• [Journal Article] Analyzing Impacts on Software Enhancement Caused by Security Design Alternatives with Patterns (2012)
  • Author(s): Takao Okubo, Haruhiko Kaiya, and Nobukazu Yoshioka
  • Journal Title: International Journal of Secure Software Engineering (IJSSE), IGI Global Volume: Vol.3, No.1 Pages: 37-61
  • DOI: 10.4018/jsse.2012010103
  • Peer Reviewed
• [Journal Article] ソフトウェアが中心でない製品における既存技術を利用したソフトウェア改訂支援 (2012)
  • Author(s): 海谷 治彦, 原 賢一郎, 小林 亮太郎, 長田 晃, 海尻 賢二
  • Journal Title: 情報処理学会論文誌 Volume: Vol.53, No.2 Pages: 653-661
  • Peer Reviewed
• [Journal Article] 分析履歴を用いたソフトウェア品質要求のスペクトル分析法 (2012)
  • Author(s): 海谷 治彦, 鈴木 駿一, 小川 享, 谷川正明, 梅村 真弘, 海尻 賢二
  • Journal Title: 情報処理学会論文誌 Volume: Vol.53, No.2 Pages: 510-522
  • Peer Reviewed
• [Journal Article] 要求獲得のためのオントロジをWeb マイニングにより拡充する手法の提案と評価 (2012)
  • Author(s): 海谷 治彦, 清水 悠太郎, 安井 浩貴, 海尻 賢二, 林 晋平, 佐伯 元司
  • Journal Title: 情報処理学会論文誌 Volume: Vol.53, No.2 Pages: 495-509
  • Peer Reviewed
• [Presentation] Security Driven Requirements Refinement and Exploration of Architecture with multiple NFR points of view (2014)
  • Author(s): Takao Okubo, Nobukazu Yoshioka, and Haruhiko Kaiya
  • Organizer: In 2014 IEEE 15th International Symposium on High-Assurance Systems Engineering (HASE 2014), IEEE Computer Society, CPS
  • Place of Presentation: Miami, Florida
  • Year and Date: 20140109-11
• [Presentation] IR based Traceability Link Recovery Method Mining (2013)
  • Author(s): Takeyuki Ueda, Shinpei Ogata, Haruhiko Kaiya, and Kenji Kaijiri
  • Organizer: In The Eightth International Conference on Software Engineering Advances (ICSEA13)
  • Place of Presentation: Venice, Italy
  • Year and Date: 20131027-1101
• [Presentation] Validating Security Design Pattern Applications Using Model Testing (2013)
  • Author(s): Takanori Kobashi, Nobukazu Yoshioka, Takao Okubo, Haruhiko Kaiya, Hironori Washizaki and Yoshiaki Fukazawa
  • Organizer: Proceedings of International Conference on Availability, Reliability and Security (ARES 2013), IEEE CPS
  • Place of Presentation: Regensburg, Germany
  • Year and Date: 20130902-06
• [Presentation] Goal-oriented security requirements analysis for a system used in several different activities (2013)
  • Author(s): Haruhiko Kaiya, Takao Okubo, Nobuyuki Kanaya, Yuji Suzuki, Shinpei Ogata, Kenji Kaijiri, and Nobukazu Yoshioka
  • Organizer: In Xavier Franch and Pnina Soffer, editors, Advanced Information Systems Engineering Workshops, of Lecture Notes in Business Information Processing (LNBIP), The Third International Workshop on Information Systems Security Engineering - WISSE'13
  • Place of Presentation: Valencia, Spain
  • Year and Date: 2013-06-18
• [Presentation] Model Transformation Patterns for Introducing Suitable Information Systems (2012)
  • Author(s): Haruhiko Kaiya, Shunsuke Morita, Shinpei Ogata, Kenji Kaijiri, Shinpei Hayashi, and Motoshi Saeki
  • Organizer: Proceedings of 19th Asia-Pacific Software Engineering Conference (APSEC 2012)
  • Place of Presentation: Hong Kong
  • Year and Date: 20121204-07
• [Presentation] Predicting Quality Requirements Necessary for a Functional Requirement based on Machine Learning (2012)
  • Author(s): Ken Tanaka, Haruhiko Kaiya, and Atsushi Ohnishi
  • Organizer: In The Seventh International Conference on Software Engineering Advances (ICSEA 2012)
  • Place of Presentation: Lisbon
  • Year and Date: 20121118-23
• [Presentation] Validating Quality Requirements Considerations in a Design Document using Spectrum Analysis (2012)
  • Author(s): Masahiro Umemura, Haruhiko Kaiya, Shinpei Ogata and Kenji Kaijiri
  • Organizer: Knowledge-Based Software Engineering, Proc of the Tenth Joint Conference on Knowledge-Based Software Engineering (JCKBSE2012)
  • Place of Presentation: Rhodes, Greece
  • Year and Date: 20120823-26
• [Presentation] Mutual Refinement of Security Requirements and Architecture Using Twin Peaks Model (2012)
  • Author(s): Takao Okubo, Haruhiko Kaiya, and Nobukazu Yoshioka
  • Organizer: In 36th Annual IEEE International Computer Software and Applications Conference Workshops (COMPSACW 2012), 2012), REFS 2012
  • Place of Presentation: Izmir, Turkey
  • Year and Date: 20120716-20
• [Presentation] Improving Software Quality Requirements Specifications Using Spectrum Analysis (2012)
  • Author(s): Haruhiko Kaiya and Atsushi Ohnishi
  • Organizer: In 36th Annual IEEE International Computer Software and Applications Conference Workshops (COMPSACW 2012), REFS 2012
  • Place of Presentation: Izmir, Turkey
  • Year and Date: 20120716-20
• [Presentation] Facilitating Business Improvement by Information Systems using Model Transformation and Metrics (2012)
  • Author(s): Haruhiko Kaiya, Shunsuke Morita, Kenji Kaijiri, Shinpei Hayashi, and Motoshi Saeki
  • Organizer: Proceedings of the Forum at the CAiSE 2012 Conference (CAiSE 2012 Forum), CEUR Workshop Proceedings
  • Place of Presentation: Gdansk, Poland
  • Year and Date: 2012-06-28
• [Presentation] Effective Security Impact Analysis with Patterns for Software Enhancement (2011)
  • Author(s): Takao Okubo, Haruhiko Kaiya, and Nobukazu Yoshioka
  • Organizer: Proceedings of the 2011 Sixth International Conference on Availability, Reliability and Security (ARES), IEEE Computer Society, CPS
  • Place of Presentation: Vienna, Austria
  • Year and Date: 20110822-26
• [Presentation] Spectrum Analysis for Software Quality Requirements using Analyses Records (2011)
  • Author(s): Haruhiko Kaiya, Shunichi Suzuki, Toru Ogawa, Masaaki Tanigawa, Masahiro Umemura, and Kenji Kaijiri
  • Organizer: In 35th Annual IEEE International Computer Software and Applications Conference Workshops (COMPSACW 2011), IEEE CS
  • Place of Presentation: Munich, Germany
  • Year and Date: 20110718-22
• [Presentation] Exploring how to support software revision in software non-intensive projects using existing techniques (2011)
  • Author(s): Haruhiko Kaiya, Kenichiro Hara, Kyotaro Kobayashi, Akira Osada, and Kenji Kaijiri
  • Organizer: In 35th Annual IEEE International Computer Software and Applications Conference Workshops (COMPSACW 2011), IEEE CS
  • Place of Presentation: Munich, Germany
  • Year and Date: 20110718-22
• [Presentation] Quality Requirements Analysis using Requirements Frames (2011)
  • Author(s): Haruhiko Kaiya and Atsushi Ohnishi
  • Organizer: QSIC 2011, Proc. of The 11th International Conference on Quality Software
  • Place of Presentation: Madrid, Spain
  • Year and Date: 20110713-14
• [Remarks]
  • URL: http://kaiya.cs.shinshu-u.ac.jp/~kaiya/COVA/