A New Logistic-Regression-Based Method for Identifying Security Requirements in Open Source Software
Updated 2024-08-27
This paper examines how security requirements can be identified effectively in open source software development, addressing the limitations of the security requirements identification methods used in existing up-front requirements engineering (RE). In the traditional RE process, many methods rely on textual information retrieval techniques, which are poorly suited to the dynamic changes and just-in-time requirements of open source software (OSS) projects: the OSS development process is more flexible, and developers frequently update and discuss security-related requirements by writing comments and providing code snippets, attachments, and links to external resources.

The researchers propose a novel solution, a logistic-regression-based model for identifying security requirements in OSS projects. The key to this approach is that it considers five key metrics, which may include, but are not limited to, the explicitness of the requirement, security practices in the code, how often it is mentioned in community discussion, its description in related documents, and developer behaviour patterns. By applying the model to three different OSS projects in experiments, the research team evaluated how these metrics perform in real scenarios.

The experimental results show that the model performs well at identifying security requirements: as many as three quarters of the metrics showed good performance in intra-project testing. This indicates that a logistic regression model can effectively capture the dynamically changing security requirements of open source projects, not only adapting to the just-in-time nature of RE but also helping to improve the accuracy and timeliness of security requirements.

This regression-model-based approach has significant practical value for open source software development, because it can help developers identify and manage security requirements more effectively, reducing potential security vulnerabilities and thereby improving the security of the whole open source ecosystem. In addition, the approach offers new ideas for just-in-time RE in other fields, particularly for projects with rapid iteration and high user involvement. Future research can further optimize the model and consider more factors to improve the precision and efficiency of security requirements identification.
A Regression Model Based Approach for Identifying Security Requirements in Open Source Software Development
Wentao Wang*, Nesrin Hussein*, Arushi Gupta*, and Yinglin Wang†
* Department of Electrical Engineering and Computer Science, University of Cincinnati, USA
† Department of Computer Science and Technology, Shanghai University of Finance and Economics, China
Email: {wang2wt, husseinm, gupta2ai}@mail.uc.edu, wang.yinglin@shufe.edu.cn
Abstract—There are several security requirements identification methods proposed by researchers in up-front requirements engineering (RE). However, in open source software (OSS) projects, developers use lightweight representations and refine requirements frequently by writing comments. They also tend to discuss security aspects in comments by providing code snippets, attachments, and external resource links. Since most security requirements identification methods in up-front RE are based on textual information retrieval techniques, these methods are not suitable for OSS projects or just-in-time RE. In our study, we propose a new model based on logistic regression to identify security requirements in OSS projects. We used five metrics to build security requirements identification models and tested the performance of these metrics by applying those models to three OSS projects. Our results show that four out of five metrics achieved high performance in intra-project testing.
Index Terms—Just-in-time requirements engineering, open source software, security requirements identification.
I. INTRODUCTION
Security plays a critical role in open source software (OSS). Security refers to a class of non-functional requirements (NFRs) related to system confidentiality, integrity, and availability [1]. Early detection of security requirements enables them to be incorporated into the initial architectural design instead of being refactored at a later date [2].
A considerable number of studies have been done on detecting security requirements [3], [4]. However, they are labor intensive. Cleland-Huang et al. [2] proposed NFR-classifier, an automated approach based on information retrieval methods for detecting and classifying NFRs. NFR-classifier consists of two stages. In the first stage, a set of indicator terms is identified from pre-identified security requirements. In the second stage, the indicator terms are used to query for additional security requirements. In traditional or up-front RE, NFR-classifier can achieve high recall (80%), which measures the percentage of NFRs that were correctly retrieved, but low precision (20%), which measures the fraction of retrieved NFRs that were correct. In order to increase precision, Gibiec et al. [5] proposed an automated approach for modifying the terms in the tracing query. The results show that a significant portion of previously hard-to-retrieve trace queries were improved by using this method.
As a precursor to our work, we applied NFR-classifier to three OSS projects. Unlike in [2], our results show that the method can achieve relatively higher precision (15%-32%) but relatively lower recall (50%-59%). We conclude that the reason for the lower recall is that, in OSS projects, security terms are more likely to appear in comments instead of in the requirements description. Therefore, searching only requirements descriptions or statements will lead to more false negatives. In addition, since comments contain much non-textual information such as hyperlinks, images, and zip files, it is very hard to apply textual mining methods directly to that information.
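The two-stage indicator-term retrieval described above, evaluated with precision and recall, as an added illustration that is not code from the paper: the issues, seed set and stop-word list are constructed here, and the run compares searching descriptions only against searching descriptions plus comments.

```python
import re

# Constructed stop-word list (assumption, not from the paper)
STOP = {"add", "with", "support", "allow", "for", "on", "to", "the", "and"}

# Constructed sample issues, not taken from Axis2, Drools or GeoServer:
# (id, description, comment text, is_security)
ISSUES = [
    ("R1", "Add HTTPS transport with TLS certificate validation", "", True),
    ("R2", "Support WS-Security UsernameToken authentication", "", True),
    ("R3", "Improve XML parser performance for large payloads", "", False),
    ("R4", "Allow users to edit layer styles", "", False),
    ("R5", "Fix failing build on JDK 8", "", False),
    ("R6", "Rule engine throws NPE on empty fact",
     "Attacker can trigger this via crafted input, see attached patch", True),
    ("R7", "Add REST endpoint for catalog",
     "Needs authentication and a role check before merge", True),
    ("R8", "Validate transport config file on startup", "", False),
]
SEED = {"R1", "R2"}  # the pre-identified security requirements

def tokens(text):
    return {t for t in re.findall(r"[a-z][a-z-]+", text.lower()) if t not in STOP}

def indicator_terms(issues, seed_ids):
    """Stage 1: collect indicator terms from the descriptions of the
    pre-identified security requirements (a simplified term selection)."""
    terms = set()
    for rid, desc, _, _ in issues:
        if rid in seed_ids:
            terms |= tokens(desc)
    return terms

def retrieve(issues, terms, search_comments):
    """Stage 2: an issue is retrieved when any indicator term occurs in its
    description, or also in its comments when search_comments is set."""
    hits = set()
    for rid, desc, comment, _ in issues:
        text = desc + (" " + comment if search_comments else "")
        if tokens(text) & terms:
            hits.add(rid)
    return hits

def precision_recall(issues, hits):
    relevant = {rid for rid, _, _, sec in issues if sec}
    tp = len(hits & relevant)
    return tp / len(hits), tp / len(relevant)

def evaluate(search_comments):
    terms = indicator_terms(ISSUES, SEED)
    return precision_recall(ISSUES, retrieve(ISSUES, terms, search_comments))

if __name__ == "__main__":
    for mode in (False, True):
        p, r = evaluate(mode)
        print(f"search_comments={mode}: precision={p:.2f} recall={r:.2f}")
```

R6 stays a false negative in both runs because its security content is only an attachment and prose without any indicator term, which is the non-textual case the paragraph above points to.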
In this study, we investigate five metrics which can help automated retrieval of security requirements from OSS projects. We performed empirical studies on three long-lived, widely-used OSS projects. The results indicate that four out of five metrics are discriminative of security requirements for all three projects.
II. DATA COLLECTION
A. Datasets
In our study, we analyzed the requirements of three OSS projects: Apache Axis2/Java (Axis2)¹, Drools², and GeoServer³. We select these projects as the subject systems due to three reasons. First, all of them are successful and long-lived projects. Second, all resources including requirements and source code are available. At last, all three projects are web-based systems and security is one of the core aspects of these projects, so identifying and realizing security requirements are important tasks for developers of these three projects.
These projects come from different application domains, and all of them are written in Java. Axis2 is a web services engine funded by Apache Software Foundation since August 2004. The newest version of Axis2 (1.7.4) was released in December 2016. Drools is a business rule management system developed by Red Hat. The latest stable release of Drools is 6.5.0, which was published in December 2016. GeoServer is a geographic system which allows users to edit
¹ http://axis.apache.org/axis2/java/core/
² https://www.drools.org
³ http://geoserver.org
2017 IEEE 25th International Requirements Engineering Conference Workshops. 978-1-5386-3488-2/17 $31.00 © 2017 IEEE. DOI 10.1109/REW.2017.56, p. 443