A supporting system for predicting vulnerabilities and their countermeasures of an information system during requirements analysis

• Project/Area Number: 23500042
• Research Category: Grant-in-Aid for Scientific Research (C)
• Allocation Type: Multi-year Fund
• Section: 一般
• Research Field: Software
• Research Institution: Shinshu University
• Principal Investigator: KAIYA Haruhiko 信州大学, 工学部, 准教授 (30262596)
• Project Period (FY): 2011 – 2013
• Project Status: Completed (Fiscal Year 2013)
• Budget Amount: ¥5,200,000 (Direct Cost: ¥4,000,000、Indirect Cost: ¥1,200,000); Fiscal Year 2013: ¥1,690,000 (Direct Cost: ¥1,300,000、Indirect Cost: ¥390,000); Fiscal Year 2012: ¥1,950,000 (Direct Cost: ¥1,500,000、Indirect Cost: ¥450,000); Fiscal Year 2011: ¥1,560,000 (Direct Cost: ¥1,200,000、Indirect Cost: ¥360,000)
• Keywords: 要求工学 / モデリング / セキュリティ分析 / アッセトフロー / モデル検査 / システムアーキテクチャ / オントロジ / アセットフロー / アーキテクチャ / データフロー図 / モデルチェック / インパクト分析 / ソフトウェアパターン

Research Abstract

We have developed a method for security requirements analysis. In the method, vulnerabilities and their countermeasures are systematically predicted on the basis of the dependencies among assets and a system architecture in a system to be developed. We can re-examine vulnerabilities and their countermeasures when the architecture is changed but system functionalities are not changed. We have also developed a supporting tool for enacting the method. The tool consists of three components: a modeling editor, a model checker and a visualizer. With the help of the tool, stakeholders including security experts can validate the predicted results of the method because the tool can automatically derive the candidates of vulnerabilities on the basis of our original model checking engine and visualize the derived results.

Research Products

• [Journal Article] 情報検索手法に基づくトレーサビリティリンク回復のための手法オプションについてのマイニングの提案と評価 (2014)
  • Author(s): 上田 健之, 小形 真平, 海谷 治彦, 海尻 賢二
  • Journal Title: 電子情報通信学会論文誌 Volume: Vol.J97-D, No.3 Pages: 414-426
  • Peer Reviewed
• [Journal Article] 情報検索手法に基づくトレーサビリティリンク回復のための手法オプションについてのマイニングの提案と評価 (2014)
  • Author(s): 上田 健之, 小形 真平, 海谷 治彦, 海尻 賢二.
  • Journal Title: 電子情報通信学会論文誌 Volume: J97-D, 3 Pages: 414-426
  • Peer Reviewed
• [Journal Article] 機能要求に必要な品質要求の機械学習による予測法 (2014)
  • Author(s): 田中 賢, 海谷 治彦, 大西 淳.
  • Journal Title: 電子情報通信学会論文誌 Volume: J96-D, 11 Pages: 2646-2656
  • Peer Reviewed
• [Journal Article] 機能要求に必要な品質要求の機械学習による予測法 (2013)
  • Author(s): 田中 賢, 海谷 治彦, 大西 淳
  • Journal Title: 電子情報通信学会論文誌 Volume: Vol.J96-D, No.11 Pages: 2646-2656
  • Peer Reviewed
• [Journal Article] Eliciting Security Requirements for an Information System using Asset Flows and Processor Deployment (2013)
  • Author(s): Haruhiko Kaiya, Junya Sakai, Shinpei Ogata and Kenji Kaijiri
  • Journal Title: International Journal of Secure Software Engineering (IJSSE), IGI Global Volume: Vol.4, Issue3 Issue: 3 Pages: 42-63
  • DOI: 10.4018/jsse.2013070103
  • Peer Reviewed
• [Journal Article] Spectrum analysis on quality requirements consideration in software design documents (2013)
  • Author(s): Haruhiko Kaiya, Masahiro Umemura, Shinpei Ogata, and Kenji Kaijiri
  • Journal Title: SpringerPlus Volume: Vol.2, Issue1, No.310 Issue: 1 Pages: 1-14
  • DOI: 10.1186/2193-1801-2-310
  • Peer Reviewed
• [Journal Article] Enhancing Goal-Oriented Security Requirements Analysis Using Common Criteria-Based Knowledge (2013)
  • Author(s): Motoshi Saeki, Shinpei Hayashi, Haruhiko Kaiya
  • Journal Title: International Journal of Software Engineering and Knowledge Engineering Volume: vol.23, no.5 Issue: 05 Pages: 495-509
  • DOI: 10.1142/s0218194013500174
  • Peer Reviewed
• [Journal Article] Impact Analysis on an Attributed Goal Graph (2012)
  • Author(s): Haruhiko Kaiya and Atsushi Ohnishi
  • Journal Title: IEICE Transactions on Information and Systems Volume: E95.D Issue: 4 Pages: 1012-1020
  • DOI: 10.1587/transinf.E95.D.1012
  • NAID: 10030941982
  • ISSN: 0916-8532, 1745-1361
  • Peer Reviewed
• [Journal Article] Toward the Decision Tree for Inferring Requirements Maturation Types (2012)
  • Author(s): Takako Nakatani, Narihito Kondo, Junko Shirogane, Haruhiko Kaiya, Shozo Hori, and Keiichi Katamine
  • Journal Title: IEICE Transactions on Information and Systems Volume: E95.D Issue: 4 Pages: 1021-1030
  • DOI: 10.1587/transinf.E95.D.1021
  • NAID: 130002131629
  • ISSN: 0916-8532, 1745-1361
  • Peer Reviewed
• [Journal Article] Finding Incorrect and Missing Quality Requirements Definitions Using Requirements Frame (2012)
  • Author(s): Shinpei Hayashi, Daisuke Tanabe, Haruhiko Kaiya, and Motoshi Saeki
  • Journal Title: IEICE Transactions on Information and Systems Volume: E95.D Issue: 4 Pages: 1031-1043
  • DOI: 10.1587/transinf.E95.D.1031
  • NAID: 10030942041
  • ISSN: 0916-8532, 1745-1361
  • Peer Reviewed
• [Journal Article] Analyzing Impacts on Software Enhancement Caused by Security Design Alternatives with Patterns (2012)
  • Author(s): Takao Okubo, Haruhiko Kaiya, and Nobukazu Yoshioka
  • Journal Title: International Journal of Secure Software Engineering (IJSSE), IGI Global Volume: Vol.3, No.1 Issue: 1 Pages: 37-61
  • DOI: 10.4018/jsse.2012010103
  • Peer Reviewed
• [Journal Article] ソフトウェアが中心でない製品における既存技術を利用したソフトウェア改訂支援 (2012)
  • Author(s): 海谷 治彦, 原 賢一郎, 小林 亮太郎, 長田 晃, 海尻 賢二
  • Journal Title: 情報処理学会論文誌 Volume: Vol.53, No.2 Pages: 653-661
  • NAID: 110008767170
  • Peer Reviewed
• [Journal Article] 分析履歴を用いたソフトウェア品質要求のスペクトル分析法 (2012)
  • Author(s): 海谷 治彦, 鈴木 駿一, 小川 享, 谷川正明, 梅村 真弘, 海尻 賢二
  • Journal Title: 情報処理学会論文誌 Volume: Vol.53, No.2 Pages: 510-522
  • NAID: 110008767156
  • Peer Reviewed
• [Journal Article] 要求獲得のためのオントロジをWeb マイニングにより拡充する手法の提案と評価 (2012)
  • Author(s): 海谷 治彦, 清水 悠太郎, 安井 浩貴, 海尻 賢二, 林 晋平, 佐伯 元司
  • Journal Title: 情報処理学会論文誌 Volume: Vol.53, No.2 Pages: 495-509
  • NAID: 110008767155
  • Peer Reviewed
• [Journal Article] 析履歴を用いたソフトウェア品質要求のスペクトル分析法 (2012)
  • Author(s): 海谷 治彦, 鈴木 駿一, 小川 享, 谷川 正明, 梅村 真弘, 海尻 賢二
  • Journal Title: 情報処理学会論文誌 Volume: 53 Pages: 510-522
  • Peer Reviewed
• [Journal Article] 要求獲得のためのオントロジをWebマイニングにより拡充する手法の提案と評価 (2012)
  • Author(s): 海谷 治彦, 清水 悠太郎, 安井 浩貴, 海尻 賢二, 林 晋平, 佐伯 元司.
  • Journal Title: 情報処理学会論文誌 Volume: 53 Pages: 495-509
  • NAID: 110008767155
  • Peer Reviewed
• [Presentation] Security Driven Requirements Refinement and Exploration of Architecture with multiple NFR points of view (2014)
  • Author(s): Takao Okubo, Nobukazu Yoshioka, and Haruhiko Kaiya
  • Organizer: In 2014 IEEE 15th International Symposium on High-Assurance Systems Engineering (HASE 2014), IEEE Computer Society, CPS
  • Place of Presentation: Miami, Florida
• [Presentation] Security Driven Requirements Refinement and Exploration of Architecture with multiple NFR points of view (2014)
  • Author(s): Takao Okubo, Nobukazu Yoshioka, and Haruhiko Kaiya.
  • Organizer: IEEE 15th International Symposium on High-Assurance Systems Engineering (HASE 2014)
  • Place of Presentation: Miami, Florida, USA
• [Presentation] Goal-oriented security requirements analysis for a system used in several different activities (2013)
  • Author(s): Haruhiko Kaiya, Takao Okubo, Nobuyuki Kanaya, Yuji Suzuki, Shinpei Ogata, Kenji Kaijiri, and Nobukazu Yoshioka
  • Organizer: In Xavier Franch and Pnina Soffer, editors, Advanced Information Systems Engineering Workshops, of Lecture Notes in Business Information Processing (LNBIP), The Third International Workshop on Information Systems Security Engineering - WISSE'13
  • Place of Presentation: Valencia, Spain
  • Year and Date: 2013-06-18
• [Presentation] IR based Traceability Link Recovery Method Mining (2013)
  • Author(s): Takeyuki Ueda, Shinpei Ogata, Haruhiko Kaiya, and Kenji Kaijiri
  • Organizer: In The Eightth International Conference on Software Engineering Advances (ICSEA13)
  • Place of Presentation: Venice, Italy
• [Presentation] Validating Security Design Pattern Applications Using Model Testing (2013)
  • Author(s): Takanori Kobashi, Nobukazu Yoshioka, Takao Okubo, Haruhiko Kaiya, Hironori Washizaki and Yoshiaki Fukazawa
  • Organizer: Proceedings of International Conference on Availability, Reliability and Security (ARES 2013), IEEE CPS
  • Place of Presentation: Regensburg, Germany
• [Presentation] IR based Traceability Link Recovery Method Mining (2013)
  • Author(s): Takeyuki Ueda, Shinpei Ogata, Haruhiko Kaiya, and Kenji Kaijiri.
  • Organizer: The Eightth International Conference on Software Engineering Advances (ICSEA13)
  • Place of Presentation: Venice, Italy
• [Presentation] Validating Security Design Pattern Applications Using Model Testing (2013)
  • Author(s): Takanori Kobashi, Nobukazu Yoshioka, Takao Okubo, Haruhiko Kaiya, Hironori Washizaki and Yoshiaki Fukazawa.
  • Organizer: International Conference on Availability, Reliability and Security (ARES 2013)
  • Place of Presentation: Regensburg, Germany
• [Presentation] Goal-oriented security requirements analysis for a system used in several different activities (2013)
  • Author(s): Haruhiko Kaiya, Takao Okubo, Nobuyuki Kanaya, Yuji Suzuki, Shinpei Ogata, Kenji Kaijiri, and Nobukazu Yoshioka.
  • Organizer: Third International Workshop on Information Systems Security Engineering - WISSE'13
  • Place of Presentation: Valencia, Spain
• [Presentation] アセットフロー図と配置図を用いた情報システムのセキュリティ要求分析支援ツール (2013)
  • Author(s): 瀧澤 悠介, 阪井 隼也, 海谷 治彦, 小形 真平, 海尻賢二
  • Organizer: 電子情報通信学会技術研究報告, Vol. 112, No. 496, pp. 31-36
  • Place of Presentation: 東京
• [Presentation] Facilitating Business Improvement by Information Systems using Model Transformation and Metrics (2012)
  • Author(s): Haruhiko Kaiya, Shunsuke Morita, Kenji Kaijiri, Shinpei Hayashi, and Motoshi Saeki
  • Organizer: Proceedings of the Forum at the CAiSE 2012 Conference (CAiSE 2012 Forum), CEUR Workshop Proceedings
  • Place of Presentation: Gdansk, Poland
  • Year and Date: 2012-06-28
• [Presentation] Model Transformation Patterns for Introducing Suitable Information Systems (2012)
  • Author(s): Haruhiko Kaiya, Shunsuke Morita, Shinpei Ogata, Kenji Kaijiri, Shinpei Hayashi, and Motoshi Saeki
  • Organizer: Proceedings of 19th Asia-Pacific Software Engineering Conference (APSEC 2012)
  • Place of Presentation: Hong Kong
• [Presentation] Predicting Quality Requirements Necessary for a Functional Requirement based on Machine Learning (2012)
  • Author(s): Ken Tanaka, Haruhiko Kaiya, and Atsushi Ohnishi
  • Organizer: In The Seventh International Conference on Software Engineering Advances (ICSEA 2012)
  • Place of Presentation: Lisbon
• [Presentation] Validating Quality Requirements Considerations in a Design Document using Spectrum Analysis (2012)
  • Author(s): Masahiro Umemura, Haruhiko Kaiya, Shinpei Ogata and Kenji Kaijiri
  • Organizer: Knowledge-Based Software Engineering, Proc of the Tenth Joint Conference on Knowledge-Based Software Engineering (JCKBSE2012)
  • Place of Presentation: Rhodes, Greece
• [Presentation] Mutual Refinement of Security Requirements and Architecture Using Twin Peaks Model (2012)
  • Author(s): Takao Okubo, Haruhiko Kaiya, and Nobukazu Yoshioka
  • Organizer: In 36th Annual IEEE International Computer Software and Applications Conference Workshops (COMPSACW 2012), 2012), REFS 2012
  • Place of Presentation: Izmir, Turkey
• [Presentation] Improving Software Quality Requirements Specifications Using Spectrum Analysis (2012)
  • Author(s): Haruhiko Kaiya and Atsushi Ohnishi
  • Organizer: In 36th Annual IEEE International Computer Software and Applications Conference Workshops (COMPSACW 2012), REFS 2012
  • Place of Presentation: Izmir, Turkey
• [Presentation] Model Transformation Patterns for Introducing Suitable Information Systems (2012)
  • Author(s): Haruhiko Kaiya, Shunsuke Morita, Shinpei Ogata, Kenji Kaijiri, Shinpei Hayashi, and Motoshi Saeki
  • Organizer: 19th Asia-Pacific Software Engineering Conference (APSEC 2012)
  • Place of Presentation: Hong Kong
• [Presentation] Predicting Quality Requirements Necessary for a Functional Requirement based on Machine Learning (2012)
  • Author(s): Ken Tanaka, Haruhiko Kaiya, and Atsushi Ohnishi
  • Organizer: The Seventh International Conference on Software Engineering Advances (ICSEA 2012)
  • Place of Presentation: Lisbon
• [Presentation] Validating Quality Requirements Considerations in a Design Document using Spectrum Analysis (2012)
  • Author(s): Masahiro Umemura, Haruhiko Kaiya, Shinpei Ogata and Kenji Kaijiri
  • Organizer: Tenth Joint Conference on Knowledge-Based Software Engineering (JCKBSE2012)
  • Place of Presentation: Rhodes
• [Presentation] Mutual Refinement of Security Requirements and Architecture Using Twin Peaks Model (2012)
  • Author(s): Takao Okubo, Haruhiko Kaiya, and Nobukazu Yoshioka
  • Organizer: 36th Annual IEEE International Computer Software and Applications Conference Workshops (COMPSACW 2012)
  • Place of Presentation: Izmir
• [Presentation] Improving Software Quality Requirements Specifications Using Spectrum Analysis (2012)
  • Author(s): Haruhiko Kaiya and Atsushi Ohnishi
  • Organizer: 36th Annual IEEE International Computer Software and Applications Conference Workshops (COMPSACW 2012)
  • Place of Presentation: Izmir
• [Presentation] Facilitating Business Improvement by Information Systems using Model Transformation and Metrics (2012)
  • Author(s): Haruhiko Kaiya, Shunsuke Morita, Kenji Kaijiri, Shinpei Hayashi, and Motoshi Saeki
  • Organizer: the Forum at the CAiSE 2012 Conference (CAiSE 2012 Forum)
  • Place of Presentation: Gdansk
• [Presentation] モデルテストによるセキュリティ分析・設計パターンの適用支援 (2012)
  • Author(s): 小橋 孝紀, 大久保 隆夫, 海谷 治彦, 吉岡 信和, 伊永 祥太, 鷲崎 弘宜, 深澤 良彰.
  • Organizer: コンピュータセキュリティシンポジウム 2012 (CSS2012) 論文集, pp.655-662
  • Place of Presentation: 松江市
• [Presentation] 因指向脆弱性モデルに基づくWebアプリケーションのセキュリティ要求分析支援 (2012)
  • Author(s): 西野 裕範, 阪井 隼也, 海谷 治彦, 海尻 賢二
  • Organizer: 電子情報通信学会技術研究報告
  • Place of Presentation: 東京
• [Presentation] Effective Security Impact Analysis with Patterns for Software Enhancement (2011)
  • Author(s): Takao Okubo, Haruhiko Kaiya, and Nobukazu Yoshioka
  • Organizer: Proceedings of the 2011 Sixth International Conference on Availability, Reliability and Security (ARES), IEEE Computer Society, CPS
  • Place of Presentation: Vienna, Austria
• [Presentation] Spectrum Analysis for Software Quality Requirements using Analyses Records (2011)
  • Author(s): Haruhiko Kaiya, Shunichi Suzuki, Toru Ogawa, Masaaki Tanigawa, Masahiro Umemura, and Kenji Kaijiri
  • Organizer: In 35th Annual IEEE International Computer Software and Applications Conference Workshops (COMPSACW 2011), IEEE CS
  • Place of Presentation: Munich, Germany
• [Presentation] Exploring how to support software revision in software non-intensive projects using existing techniques (2011)
  • Author(s): Haruhiko Kaiya, Kenichiro Hara, Kyotaro Kobayashi, Akira Osada, and Kenji Kaijiri
  • Organizer: In 35th Annual IEEE International Computer Software and Applications Conference Workshops (COMPSACW 2011), IEEE CS
  • Place of Presentation: Munich, Germany
• [Presentation] Quality Requirements Analysis using Requirements Frames (2011)
  • Author(s): Haruhiko Kaiya and Atsushi Ohnishi
  • Organizer: QSIC 2011, Proc. of The 11th International Conference on Quality Software
  • Place of Presentation: Madrid, Spain
• [Presentation] Effective Security Impact Analysis with Patterns for Software Enhancement (2011)
  • Author(s): Takao Okubo, Haruhiko Kaiya, and Nobukazu Yoshioka
  • Organizer: Sixth International Conference on Availability, Reliability and Security
  • Place of Presentation: ウイーン
• [Presentation] Quality Requirements Analysis using Requirements Frames (2011)
  • Author(s): Haruhiko Kaiya and Atsushi Ohnishi
  • Organizer: 11th International Conference on Quality Software
  • Place of Presentation: マドリッド
• [Presentation] Spectrum Analysis for Software Quality Requirements using Analyses Records (2011)
  • Author(s): Haruhiko Kaiya, Shunichi Suzuki, Toru Ogawa, Masaaki Tanigawa, Masahiro Umemura, and Kenji Kaijiri
  • Organizer: COMPSAC2011
  • Place of Presentation: ミュヘン
• [Presentation] how to support software revision in software non-intensive projects using existing techniques (2011)
  • Author(s): Haruhiko Kaiya, Kenichiro Hara, Kyotaro Kobayashi, Akira Osada, and Kenji Kaijiri.
  • Organizer: COMPSAC2011
  • Place of Presentation: ミュヘン
• [Remarks]
  • URL: http://kaiya.cs.shinshu-u.ac.jp/~kaiya/COVA/