Specific Security Requirements Research Articles

Comprehensive Analysis of Security Requirements Engineering Approaches with Assurance Perspective

Given the wide distribution of software and its current growth, security is inevitable, and software systems have become more complex. To avoid the complexity and protect valuable assets of software systems, researchers, and practitioners in the fields of security requirement engineering (SRE) and security assurance advise incorporating security requirements early in software development life cycle (SDLC). Nowadays, security requirements specification and identification are an active research area for ensuring the effectiveness of software systems. However, security requirement identification is a challenging task due to sheer numbers of threats and attacks to a software system. Previous researchers have identified different SRE techniques, each looking at the same problem from a different perspective. Therefore, a literature review conducted on SRE techniques. We compared and analyzed different SRE techniques to find the most suitable SRE techniques for researchers and practitioners. Selected SRE techniques compared based on various parameters, such as different attributes, requirement elicitation, requirement analysis, project size, and integration of standards. The literature also indicates that among SRE approaches, security quality requirements engineering (SQAURE), secure tropos, security requirements engineering process (SREP), and comprehensive lightweight application security process (CLASP) are the most used SRE approaches that focus on activities such as threats, security requirements identification, and security objectives identification. Unfortunately, several SRE approaches fail to explicitly integrate the security standard and security assurance perspective. Three questions developed for this study: Question 1 is based on comparison of existing SRE approaches, Question 2 is based on SRE with security requirements elicitation and analysis, and Question 3 highlights the incorporation of security requirements assurance by SRE approaches implicitly or explicitly. The researcher must work with the developer to easily adopt SRE approaches to elicit and ensure security requirements for the software system.

Snort Versus Suricata in Intrusion Detection

In the contemporary digital age, the increasing complexity and frequency of cyber threats underscore the need for efficient network intrusion detection systems (NIDS). This paper provides a comprehensive comparative analysis of two prominent NIDS, Snort and Suricata, focusing on their architecture, detection capabilities, and performance metrics. It explores the historical development, operational frameworks, and technological foundations of these systems, highlighting their respective benefits and limitations in different network environments. Snort, known for its extensive rule-based detection, and Suricata, which leverages multi-threading for high-speed traffic handling, are evaluated based on specific security requirements, including traffic volumes, processing speeds, and threat types. The paper also discusses future advancements in NIDS, particularly through the integration of machine learning and AI, to enhance predictive and adaptive capabilities. This analysis aims to inform cybersecurity professionals about the qualifications and capabilities of Snort and Suricata, providing insights for their effective deployment in modern network security infrastructures. The discussion on future trends emphasizes the importance of continuous improvement in NIDS to address evolving cyber threats)

Enhancing Visual Data Security: A Novel FSM-Based Image Encryption and Decryption Methodology

The paper presents a comprehensive exploration of a novel image encryption and decryption methodology, leveraging finite state machines (FSM) for the secure transformation of visual data. The study meticulously evaluates the effectiveness of the proposed encryption algorithm using a diverse image dataset. The encryption algorithm demonstrates high proficiency in obfuscating the original content of images, producing cipher images that resemble noise, thereby substantiating the encryption’s effectiveness. The robustness of the proposed methodology is further evidenced by its performance in the National Institute of Standards and Technology Statistical Test Suite (NIST STS). Such achievements highlight the algorithm’s capability to maintain the stochastic integrity of encrypted data, a critical aspect of data security and confidentiality. Histogram analysis revealed that the encryption process achieves a uniform distribution of pixel values across the encrypted images, masking any identifiable patterns and enhancing the security level. Correlation analysis corroborated the success of the encryption technique, showing a substantial reduction in the correlation among adjacent pixel values, thereby disrupting spatial relationships essential for deterring unauthorized data analysis. This improvement indicates the algorithm’s efficiency in altering pixel patterns to secure image data. Additionally, a comparative analysis of correlation coefficients using various encryption methods on the Lenna image offered insights into the relative effectiveness of different techniques, emphasizing the importance of method selection based on specific security requirements and data characteristics.

The Next Frontier of Security: Homomorphic Encryption in Action

Abstract: Encryption is essential in preventing unauthorized access to sensitive data in light of the growing concerns about data security in cloud computing. Homomorphic encryption promises to enable secure calculations on encrypted data without the need for decryption, particularly for cloud-based operations. To evaluate the effectiveness and applicability of several homomorphic encryption algorithms for safe cloud computing, we compare and contrast them in this research paper. Partially homomorphic encryption (PHE), somewhat homomorphic encryption (SHE), and fully homomorphic encryption (FHE) are the three basic homomorphic encryption subtypes that we examine. The implications of this study can aid cloud service providers and organizations in selecting the most appropriate homomorphic encryption scheme based on their specific security requirements and performance considerations. The research contributes to the ongoing efforts to enhance data privacy in cloud computing environments, opening new possibilities for secure data processing in an increasingly connected digital world. The exploration of homomorphic encryption schemes in this study opens new avenues for research and development in the field of cryptographic techniques. As technology continues to evolve, so too must our approaches to safeguarding data. This research serves as a catalyst for further innovations in homomorphic encryption algorithms, enabling even more efficient and robust methods for secure data processing in cloud environments and beyond. The insights derived from this research paper not only empower cloud service providers and organizations to make informed decisions about selecting the most appropriate homomorphic encryption scheme but also contribute to the broader mission of fortifying data privacy and security in cloud computing.

Strengthening Digital Security: Dynamic Attack Detection with LSTM, KNN, and Random Forest

Digital security is an ever-escalating concern in today's interconnected world, necessitating advanced intrusion detection systems. This research focuses on fortifying digital security through the integration of Long Short-Term Memory (LSTM), K-Nearest Neighbors (KNN), and Random Forest for dynamic attack detection. Leveraging a robust dataset, the models were subjected to rigorous evaluation, considering metrics such as accuracy, precision, recall, F1-score, and AUC-ROC. The LSTM model exhibited exceptional proficiency in capturing intricate sequential dependencies within network traffic, attaining a commendable accuracy of 99.11%. KNN, with its non-parametric adaptability, demonstrated resilience with a high accuracy of 99.23%. However, the Random Forest model emerged as the standout performer, boasting an accuracy of 99.63% and showcasing exceptional precision, recall, and F1-score metrics. Comparative analyses unveiled nuanced differences, guiding the selection of models based on specific security requirements. The AUC-ROC comparison reinforced the discriminative power of the models, with Random Forest consistently excelling. While all models excelled in true positive predictions, detailed scrutiny of confusion matrices offered insights into areas for refinement. In conclusion, the integration of LSTM, KNN, and Random Forest presents a robust and adaptive approach to dynamic attack detection. This research contributes valuable insights to the evolving landscape of digital security, emphasizing the significance of leveraging advanced machine learning techniques in constructing resilient defenses against cyber adversaries. The findings underscore the need for adaptive security solutions as the cyber threat landscape continues to evolve, with implications for practitioners, researchers, and policymakers in the field of cybersecurity.

A Hybrid Protection Scheme for the Gait Analysis in Early Dementia Recognition.

Human activity recognition (HAR) through gait analysis is a very promising research area for early detection of neurodegenerative diseases because gait abnormalities are typical symptoms of some neurodegenerative diseases, such as early dementia. While working with such biometric data, the performance parameters must be considered along with privacy and security issues. In other words, such biometric data should be processed under specific security and privacy requirements. This work proposes an innovative hybrid protection scheme combining a partially homomorphic encryption scheme and a cancelable biometric technique based on random projection to protect gait features, ensuring patient privacy according to ISO/IEC 24745. The proposed hybrid protection scheme has been implemented along a long short-term memory (LSTM) neural network to realize a secure early dementia diagnosis system. The proposed protection scheme is scalable and implementable with any type of neural network because it is independent of the network's architecture. The conducted experiments demonstrate that the proposed protection scheme enables a high trade-off between safety and performance. The accuracy degradation is at most 1.20% compared with the early dementia recognition system without the protection scheme. Moreover, security and computational analyses of the proposed scheme have been conducted and reported.

Onto-CARMEN: Ontology-driven approach for Cyber–Physical System Security Requirements meta-modelling and reasoning

In the last years, Cyber–physical systems (CPS) have attracted substantial mainstream, especially in the industrial sector, since they have become the focus of cyber-attacks. CPS are complex systems that encompass a great variety of hardware and software components with a countless number of configurations and features. For this reason, the construction, validation, and diagnosis of security in CPS become a major challenge. An invalid security requirement for the CPS can produce partial or incomplete configuration, even misconfigurations, and hence catastrophic consequences. Therefore, it is crucial to ensure the validation of the security requirements specification from the earlier design stages. To this end, Onto-CARMEN is proposed, a semantic approach that enables the automatic verification and diagnosis of security requirements according to the ENISA and OWASP recommendations. Our approach provides a mechanism for the specification of security requirements on top of ontologies, and automatic diagnosis through semantic axioms and SPARQL rules. The approach has been validated using security requirements from a real case study.

Security requirements specification by formal methods: a research metadata analysis

Security requirements specification by formal methods: a research metadata analysis

A Solution Supporting Secure Transmission of Big Data

Traditional Internet protocol networks cannot provide the service of selecting a secure path to transmit various types of data with specific security constraints. First, to solve the “secure path transmission” problem, this paper first proposes a search-transmit model for secure network path transmission, i.e., to find a multi-attribute optimized path that meets the specific security requirements in the search phase, and then transmit the packets along the optimized path in the transmission phase. Second, we propose a solution to the search-transmit model. The idea of the solution is to use the particle swarm optimization algorithm to search for a secure path that meets the multi-attribute requirements and then set the source route on the router to control the packet transmission. Finally, a prototype system based on network function virtualization is developed to evaluate the feasibility and performance of the proposed solution. Experimental results show that the proposed solution outperforms existing algorithms in terms of performance.

Information security objectives and the output legitimacy of ISO/IEC 27001: stakeholders’ perspective on expectations in private organizations in Sweden

Organizations use the ISO/IEC 27001 standard to establish an information security management system (ISMS). This standard outlines specific security measures and requirements that organizations can implement to effectively manage their information assets. However, the effectiveness of the standard’s problem-solving capabilities has raised some questions. Consequently, there is a continuous development of new governance methods that demand fresh approaches to validate security operations and measures. In light of this, research is being conducted to examine the application and impact of ISO/IEC 27001, as well as to analyze the challenges and knowledge gaps through theoretical perspectives. By employing stakeholder theory, the focus shifts towards integrating business and social issues and exploring how non-business pressures can influence stakeholder motivations in implementing standards. Additionally, it investigates the impact of these standards on an organization’s reputation, performance, and operations. Therefore, the objective of this study is to investigate the output legitimacy of ISO/IEC 27001 from the perspective of stakeholder expectations. To accomplish this, an interview-based study was conducted, involving relevant stakeholders engaged in information security management within private organizations in Sweden. The findings reveal eight key information security objectives. The results indicate that the level of output legitimacy of the standard varies across these objectives, ranging from high to medium to low. To achieve a high level of output legitimacy for ISO/IEC 27001, stakeholders must understand that the standard is not solely a technical document. Furthermore, stakeholders need to possess the appropriate knowledge and skills in information security to effectively navigate their work while leveraging the support provided by the standard.

AHP-Based Network Security Situation Assessment for Industrial Internet of Things

The Industrial Internet of Things (IIoT) is used in various industries to achieve industrial automation and intelligence. Therefore, it is important to assess the network security situation of the IIoT. The existing network situation assessment methods do not take into account the particularity of the IIoT’s network security requirements and cannot achieve accurate assessment. In addition, IIoT transmits a lot of heterogeneous data, which is subject to cyber attacks, and existing classification methods cannot effectively deal with unbalanced data. To solve the above problems, this paper first considers the special network security requirements of the IIoT, and proposes a quantitative evaluation method of network security based on the Analytic Hierarchy Process (AHP). Then, the average under-/oversampling (AUOS) method is proposed to solve the problem of unbalance of network attack data. Finally, an IIoT network security situation assessment classifier based on the eXtreme Gradient Boosting (XGBoost) is constructed. Experiments show that the situation assessment method proposed in this paper can more accurately characterize the network security state of the IIoT. The AUOS method can achieve data balance without generating too much data, and does not burden the training of the model. The classifier constructed in this paper is superior to the traditional classification algorithm.

Requirement specification extraction and analysis based on propositional projection temporal logic

AbstractAt present, formal methods significantly facilitate the specification and verification of security requirements in requirement engineering, which can reduce requirement errors in the early stage of system development. Extracting formal specifications from security requirements and then evaluating the quality of the requirements are regarded as a promising solution to ensure software quality. Propositional projection temporal logic (PPTL) with a strong mathematical basis and full regular expressiveness is a suitable language for formal specifications. Inspired by natural language processing and text mining techniques, this paper designs and implements a tool, namely, NL2PPTL, to generate formal coarse‐grained and fine‐grained specifications in terms of PPTL formulas automatically. In specific, the grammatical production rules are defined to construct the syntax tree, and then, the formula is obtained by post‐order traversal of the tree. The satisfiability of the PPTL specifications can be checked utilizing PPTLSAT. In addition, the state transformation model is constructed from fine‐grained specifications, so as to discover scope conflicts and verify the security properties of the requirement case.

Security Requirements Specification and Tracing within Topological Functioning Model

Specification and traceability of security requirements is still a challenge since modeling and analysis of security aspects of systems require additional efforts at the very beginning of software development. The topological functioning model is a formal mathematical model that can be used as a reference model for functional and non-functional requirements of the system. It can also serve as a reference model for security requirements. The purpose of this study is to determine the approach to how security requirements can be specified and traced using the topological functioning model. This article demonstrates the suggested approach and explains its potential benefits and limitations.

Handling Complexity in Modern Software Engineering: Editorial Introduction to Issue 32 of CSIMQ

The potential of the Internet and related digital technologies, such as the Internet of Things (IoT), cognition and artificial intelligence, data analytics, services computing, cloud computing, mobile systems, collaboration networks, and cyber-physical systems, are both strategic drivers and enablers of modern digital platforms with fast-evolving ecosystems of intelligent services for digital products. This issue of CSIMQ presents three recent articles on modern software engineering. First, we focus on continuous software development and place it in the context of software architectures and digital transformation. The first contribution is followed by the description of the basis of specific security requirements and adequate digital monitoring mechanisms. Finally, we present a practical example of the digital management of livestock farming.

Coordinated Vulnerability Disclosure programme effectiveness: Issues and recommendations

Coordinated Vulnerability Disclosure (CVD) programmes leverage a global network of independent security researchers (hackers) to support pre- and post-deployment security. Organisations are increasingly adopting Bug Bounty Programmes (BBPs) and Vulnerability Disclosure Programmes (VDPs) to outsource work from internal security teams, and are able to utilise the results from a programme to help shape their Software Development Life Cycle (SDLC) processes. Motivated by the question How effectively are organisations utilising CVD programmes?, we aim to address two issues concerning the operation of CVD programmes. First, it is necessary to identify the pre- and post-launch issues faced by programme operators that inhibit effective operation. Second, organisations stand to benefit if they are able to use the results of a CVD programme outside of the typical reporting-triaging information flow between a hacker and the operator. As such, it is useful to explore how the results of a CVD programme influence change across the SDLCs of real-world organisations and measure the extent to which this occurs. We report upon the results of a qualitative study based on the outcomes of 39 survey responses and eight semi-structured interviews with individuals involved in the operation of CVD programmes. It is found that the fears and issues faced by organisations are similar to those identified in earlier studies, suggesting that there has been little development in preventing prevalent problems faced by CVD programme operators. High volumes of low-quality, low-value reports still burden operators and consume resources. It is also found that organisations use the information contained within vulnerability reports to influence change in a number of security activities, namely testing, communication processes, and the specification of security requirements. Finally, based on the responses from the surveys and interviews, we provide recommendations to those looking to establish a CVD programme.

Tracing security requirements in industrial control systems using graph databases

We must explicitly capture relationships and hierarchies between the multitude of system and security standards requirements. Current security requirements specification methods do not capture such structure effectively, making requirements management and traceability harder, consequently increasing costs and time to market for developing certified ICS. We propose a novel requirements repository model for ICS that uses labelled property graphs to structure and store system-specific and standards-based requirements using well-defined relationship types. Furthermore, we integrate the proposed requirements repository with design-time ICS tools to establish requirements traceability. A wind turbine case study illustrates the overall workflow in our framework. We demonstrate that a robust requirements traceability matrix is a natural consequence of using labelled property graphs. We also introduce a compatible requirements change management procedure that aids in adapting to changes in development and certification schemes.

E-voting, a proposed framework for Albania scenario

Albania has held elections with a paper-based system for many years now. However, with the innovative technological developments that have taken place in the country, there is the possibility to apply these technologies to better impact the voting process. This study aims to propose an electronic voting architecture, using a hybrid solution that integrates voting kiosks within the country and online voting for Albanian citizens living abroad. The study uses a review of the literature method. This study analyses the voting process in Albania, focusing on two key issues: the accuracy of the process and the impossibility of voting for the citizens living outside the country. The electronic voting process through electronic voting machines and online systems are analyzed as new technological approaches to address and solve the issues mentioned above. From the study, electronic voting process implementation has a higher cost. Moreover, to evaluate the feasibility of the system implementation, a detailed analysis of costs is needed, security requirements specifications, and a legal framework. Keywords: Devices; DRE; elections; e-voting; E2E.

Certificateless Reliable and Privacy-Preserving Auditing of Group Shared Data for FOG-CPSs

FOG-enabled cyber-physical systems (FOG-CPSs) open new security challenges as the local edge devices are easier to compromise than a traditional cloud server. Remote data integrity checking (RDIC) plays an important role in safeguarding against data corruption from a storage server. Certificateless cryptography (CLPKC)-based RDIC schemes do not suffer from the drawbacks of the public key infrastructure (PKI)-based RDIC protocols. Most of the CLPKC-based RDIC schemes proposed in the literature deal with personal data. However, in a FOG-CPS, it is also important to audit a data file shared by a group of edge devices. Most of the existing group shared data auditing schemes lack mechanisms to defend against a semi-trusted data auditor applicable for a FOG-CPS scenario. In order to address these issues, in this paper, we propose a novel CLPKC-based group shared data auditing protocol tailored to the specific security requirements of a FOG-CPS. Besides, we perform a detailed cryptanalysis of two existing CLPKC-based privacy-preserving group shared data auditing schemes. The formal security analysis of our proposed protocol establishes metadata and data integrity proof unforgeability and claimed zero-knowledge privacy and reliability properties through rigorous proofs in the random oracle model setting. Performance evaluations establish the efficiency of our proposed protocol.

A review on security requirements specification by formal methods

AbstractSecurity is an afterthought process for the development of software in earlier days but now the time has been changed. Now, security is on top priority and involved from the beginning of software development. Security requirements are the prime concern for the development and quality of any software product. The specification and verification of security requirements need a lot of attention from the computer science community in the process of the software development life cycle. Formal Methods are a widely used and well‐recognized approach for the specification and verification of any safety‐critical system. Formal methods play an important role in the requirement phase to the design phase of software development. In this study, we summarized the outcomes of related papers to find out the current state of the art in the proposed area. In this manuscript, three research questions are frame and we try to find the answer to these research questions to the best of our effort and knowledge. The objective of this research paper is to find out the gap analysis, state of art, and trends in the proposed area. The academician needs to pursue more effort toward the formal specification of security requirements, providing a deeper understanding to help security experts in the development of systems.

Specifics of modern security requirements for software of electronic machine control systems

The required level of safety of machines and mechanisms is achieved through the use of appropriate safety management systems for industrial equipment, including programmable electronic ones. Such systems usually include a variety of security devices for managing industrial equipment settings. Since electronic control systems are currently considered the most promising control systems in this area, the study of the security parameters of their application support determines the relevance of this study. This study analyses the main requirements of IEC 61508 and IEC 62061 standards for compliance with modern safety requirements of embedded and applied software for electronic control systems of machines and mechanisms. This study proposes an algorithm for step-by-step implementation of software for electronic machine control systems in accordance with basic security standards for both built-in and application software. Testing has been determined as the main method of verification of application software. Based on the results of the analysis, it was found that the specification of security requirements, both built-in and application software, should highlight the necessary characteristics of each subsystem, providing information that allows choosing the equipment that meets existing security requirements. Relevant recommendations are given on the specifics of practical application of these standards.