Abstract
Agile software development methodology involves developing code incrementally and iteratively from a set of evolving user stories. Since software developers write code directly from user stories, these user stories represent the actual code more faithfully than high-level product documentation does. In this paper, we develop an automated approach using machine learning to generate access control information from a set of user stories that describe the behavior of the software product in question. This is an initial step toward automatically producing access control specifications and performing automated security review of a system with minimal human involvement. Our approach takes a set of user stories as input to a transformer-based deep learning model, which classifies whether each user story contains access control information. It then identifies the actors, data objects, and operations the user story contains in a named entity recognition task. Finally, it determines the type of access between the identified actors, data objects, and operations through a classification prediction. This information can then be used to construct access control documentation and information useful to stakeholders for assistance during access control engineering, development, and review.
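The three-stage pipeline described in the abstract (filter stories that carry access control information, extract actor / operation / data object entities, classify the access type) can be illustrated end to end with a small worked example. The code below is an added illustration, not the paper's model or data: it replaces the transformer classifier and NER model with a template-based heuristic over the standard "As a ..., I want to ..." user story form so that it runs offline, and the sample stories, the verb-to-access-type vocabulary, and the set of protected data objects are all constructed assumptions. What it shows is the shape of the data that flows between the stages and how the extracted tuples roll up into an access control matrix a reviewer could inspect.

```python
import re
from dataclasses import dataclass

# Constructed sample user stories (assumption: not taken from any real data set)
USER_STORIES = [
    "As an administrator, I want to delete user accounts so that I can remove former employees.",
    "As a customer, I want to view my order history so that I can track purchases.",
    "As a guest, I want to see the landing page in dark mode.",
    "As an editor, I want to update published articles so that typos can be fixed.",
    "As a customer, I want to download my invoices as PDF.",
]

# Stage 3 stand-in: operation verb -> coarse access type (assumption: CRUD-style vocabulary)
ACCESS_TYPE = {
    "view": "read", "see": "read", "read": "read", "download": "read", "list": "read",
    "create": "create", "add": "create", "upload": "create",
    "update": "update", "edit": "update", "modify": "update",
    "delete": "delete", "remove": "delete",
}

# Data objects the constructed system treats as access-controlled resources (assumption)
PROTECTED_OBJECTS = {"user accounts", "order history", "published articles", "invoices"}

# Template of the common user story form: "As a <actor>, I want to <verb> <object> so that ..."
STORY_RE = re.compile(
    r"^As an? (?P<actor>[\w\s-]+?), I want to (?P<operation>\w+) (?P<obj>.+?)(?: so that .*)?\.?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class AccessTuple:
    """One row of the generated access control information."""
    actor: str
    operation: str
    data_object: str
    access_type: str


def extract_entities(story):
    """Stage 2 stand-in for NER: pull actor, operation and data object out of the template.

    Returns (actor, operation, data_object) in lower case, or None if the story
    does not follow the template at all.
    """
    m = STORY_RE.match(story.strip())
    if not m:
        return None
    actor = m.group("actor").strip().lower()
    operation = m.group("operation").lower()
    obj = m.group("obj").strip().lower()
    # Normalise the object noun phrase: drop determiners/possessives and trailing format qualifiers
    obj = re.sub(r"^(my|the|a|an|all)\s+", "", obj)      # "my order history" -> "order history"
    obj = re.sub(r"\s+as .*$", "", obj)                  # "invoices as pdf"  -> "invoices"
    return actor, operation, obj


def contains_access_control(story):
    """Stage 1 stand-in for the binary classifier: does this story carry access control information?

    Heuristic: the operation is a known access verb and the object is a protected resource.
    """
    entities = extract_entities(story)
    if entities is None:
        return False
    _, operation, obj = entities
    return operation in ACCESS_TYPE and obj in PROTECTED_OBJECTS


def classify_access_type(operation):
    """Stage 3 stand-in for the access-type classifier: map the operation verb to an access type."""
    return ACCESS_TYPE.get(operation, "unknown")


def generate_policy(stories):
    """Run the three stages over every story and return the extracted access tuples."""
    tuples = []
    for story in stories:
        if not contains_access_control(story):       # Stage 1: filter
            continue
        actor, operation, obj = extract_entities(story)  # Stage 2: entities
        access_type = classify_access_type(operation)    # Stage 3: access type
        tuples.append(AccessTuple(actor, operation, obj, access_type))
    return tuples


def build_access_matrix(tuples):
    """Aggregate tuples into actor -> data object -> set of access types, for review."""
    matrix = {}
    for t in tuples:
        matrix.setdefault(t.actor, {}).setdefault(t.data_object, set()).add(t.access_type)
    return matrix


if __name__ == "__main__":
    for actor, objects in sorted(build_access_matrix(generate_policy(USER_STORIES)).items()):
        for obj, types in sorted(objects.items()):
            print(f"{actor:15} {obj:20} {sorted(types)}")
```

Running the block prints four rows; the "dark mode" story is dropped at stage 1 because it expresses a presentation preference rather than access to a protected resource, which is exactly the kind of story the paper's first classifier exists to filter out. In a real deployment the two regular expressions and the two dictionaries are the parts a learned model would replace, while the tuple and matrix representation is what downstream access control documentation would consume.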
Acknowledgments
We would like to thank the CREST Center For Security And Privacy Enhanced Cloud Computing (C-SPECC) through the National Science Foundation (NSF) (Grant Award #1736209), the NSF Division of Computer and Network Systems (CNS) (Grant Award #1553696), and the NSF Division of Computing and Communication Foundations (Grant Award #2007718) for their support and contributions to this research.
© 2021 IFIP International Federation for Information Processing
About this paper
Cite this paper
Heaps, J., Krishnan, R., Huang, Y., Niu, J., Sandhu, R. (2021). Access Control Policy Generation from User Stories Using Machine Learning. In: Barker, K., Ghazinour, K. (eds) Data and Applications Security and Privacy XXXV. DBSec 2021. Lecture Notes in Computer Science, vol 12840. Springer, Cham. https://doi.org/10.1007/978-3-030-81242-3_10
DOI: https://doi.org/10.1007/978-3-030-81242-3_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-81241-6
Online ISBN: 978-3-030-81242-3
eBook Packages: Computer Science (R0)