Automated classification of security requirements

Abstract

Requirement engineers are not able to elicit and analyze the security requirements clearly, that are essential for the development of secure and reliable software. Proper identification of security requirements present in the Software Requirement Specification (SRS) document has been a problem being faced by the developers. As a result, they are not able to deliver the software free from threats and vulnerabilities. Thus, in this paper, we intend to mine the descriptions of security requirements present in the SRS document and thereafter develop the classification models. The security-based descriptions are analyzed using text mining techniques and are then classified into four types of security requirements viz. authentication-authorization, access control, cryptography-encryption and data integrity using J48 decision tree method. Corresponding to each type of security requirement, a prediction model has been developed. The effectiveness of the prediction models is evaluated against requirement specifications collected from 15 projects which have been developed by MS students at DePaul University. The result analysis indicated that all the four models have performed very well in predicting their respective type of security requirements.