The Automatic Acquisition Method And Tool For Software Security Requirement Based On Level And Formal Modeling

Posted on: 2015-04-09
Degree: Master
Type: Thesis
Country: China
Candidate: X F Wu
GTID: 2348330485494392
Subject: Computer technology

Abstract/Summary:
With the rapid development of IT and its use in various fields, software security issues have become increasingly prominent and have drawn much attention in various research areas. According to studies, software security issues are mostly caused in the requirements phase. Rational security requirements play an important role in finding security problems early; they can ensure the security of software and reduce the costs of development and maintenance.

To address the lack of integration between security requirements and security assurance in software requirements engineering, this paper builds a software security requirements engineering approach based on levels and formal modeling, according to ISO/IEC 15408. It uses lightweight formalism, weakness detection and uncertainty measurement theory to solve the problems of level detailing, the acquisition of security requirements and the development of the supporting platform. For level detailing, by analyzing many software security requirement documents (PP and ST documents), we find that, based on GA/T390, the security requirements for different software attributes differ at the same security level. This paper uses uncertainty measurement theory to calculate the three-dimension level rules. Drawing on international common weakness and threat bases such as CWE and CAPEC, this paper builds an integrated security knowledge base using a formalized language. Finally, this paper builds an automatic software security requirement acquisition method, according to security requirement theory and related technologies, using the three-dimension level rules and the formalized knowledge base.

We develop an automatic software security requirement acquisition tool that implements the research method. This paper applies the formalized method, weakness matching technology and the three-dimension level rules to requirements engineering, which solves the problem of the fuzziness and ambiguity of natural language. This paper implements the automatic acquisition of security requirements, which can decrease the difficulty of using the CC criteria and improve the accuracy of security requirement screening.
Keywords/Search Tags:security requirement engineering, CC criteria, formal modeling, level detailing, uncertainty measurement theory