Improving Security Requirements Adequacy An Interval Type 2 Fuzzy Logic Security Assessment System

Title: Improving Security Requirements Adequacy An Interval Type 2 Fuzzy Logic Security Assessment System
Publication Type: Conference Proceedings
Year of Publication: 2016
Authors: Hanan Hibshi, Travis Breaux, Christian Wagner
Conference Name: 2016 IEEE Symposium Series on Computational Intelligence
Date Published: 12/2016
Conference Location: Athens, Greece
Keywords: CMU, Fuzzy logic, Jan'17, recommender system, scenarios, security requirements, type-2, Uncertainty, user study, vignettes
Abstract

Organizations rely on security experts to improve the security of their systems. These professionals use background knowledge and experience to align known threats and vulnerabilities before selecting mitigation options. The substantial depth of expertise in any one area (e.g., databases, networks, operating systems) precludes the possibility that an expert would have complete knowledge about all threats and vulnerabilities. To begin addressing this problem of distributed knowledge, we investigate the challenge of developing a security requirements rule base that mimics human expert reasoning to enable new decision-support systems. In this paper, we show how to collect relevant information from cyber security experts to enable the generation of: (1) interval type-2 fuzzy sets that capture intra- and inter-expert uncertainty around vulnerability levels; and (2) fuzzy logic rules underpinning the decision-making process within the requirements analysis. The proposed method relies on comparative ratings of security requirements in the context of concrete vignettes, providing a novel, interdisciplinary approach to knowledge generation for fuzzy logic systems. The proposed approach is tested by evaluating 52 scenarios with 13 experts to compare their assessments to those of the fuzzy logic decision support system. The initial results show that the system provides reliable assessments to the security analysts, in particular, generating more conservative assessments in 19% of the test scenarios compared to the experts' ratings.

Citation Key: node-30336

Other available formats:

Hibshi_Improving_Security_TB.pdf