skip to main content
10.1145/2393596.2393608acmconferencesArticle/Chapter ViewAbstractPublication PagesfseConference Proceedingsconference-collections
research-article

Automated extraction of security policies from natural-language software documents

Published:11 November 2012Publication History

ABSTRACT

Access Control Policies (ACP) specify which principals such as users have access to which resources. Ensuring the correctness and consistency of ACPs is crucial to prevent security vulnerabilities. However, in practice, ACPs are commonly written in Natural Language (NL) and buried in large documents such as requirements documents, not amenable for automated techniques to check for correctness and consistency. It is tedious to manually extract ACPs from these NL documents and validate NL functional requirements such as use cases against ACPs for detecting inconsistencies. To address these issues, we propose an approach, called Text2Policy, to automatically extract ACPs from NL software documents and resource-access information from NL scenario-based functional requirements. We conducted three evaluations on the collected ACP sentences from publicly available sources along with use cases from both open source and proprietary projects. The results show that Text2Policy effectively identifies ACP sentences with the precision of 88.7% and the recall of 89.4%, extracts ACP rules with the accuracy of 86.3%, and extracts action steps with the accuracy of 81.9%.

References

  1. Office of the National Coordinator for Health Information Technology (ONC). http://www.hhs.gov/healthit/.Google ScholarGoogle Scholar
  2. U. S. department of Health & Human Service (HHS). http://www.hhs.gov/.Google ScholarGoogle Scholar
  3. eXtensible Access Control Markup Language (XACML), 2005. http://www.oasis-open.org/committees/xacml.Google ScholarGoogle Scholar
  4. eXtensible Access Control Markup Language (XACML) specification, 2005. http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf.Google ScholarGoogle Scholar
  5. iTrust: Role-based healthcare, 2008. http://agile.csc.ncsu.edu/iTrust/wiki/.Google ScholarGoogle Scholar
  6. Text2Policy, 2012. http://research.csc.ncsu.edu/ase/projects/text2policy/.Google ScholarGoogle Scholar
  7. P. Ashley, S. Hada, G. Karjoth, C. Powers, and M. Schunter. Enterprise privacy architecture language (EPAL 1.2), 2003. http://www.w3.org/Submission/EPAL/.Google ScholarGoogle Scholar
  8. B. K. Boguraev. Towards finite-state analysis of lexical cohesion. In Proc. INTEX-3, 2000.Google ScholarGoogle Scholar
  9. C. Brodie, C.-M. Karat, J. Karat, and J. Feng. Usable security and privacy: A case study of developing privacy management tools. In Proc. SOUPS, pages 35--43, 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. C. A. Brodie, C.-M. Karat, and J. Karat. An empirical study of natural language parsing of privacy policy rules using the sparcle policy workbench. In Proc. SOUPS, pages 8--19, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. F. Chantree, B. Nuseibeh, A. de Roeck, and A. Willis. Identifying nocuous ambiguities in natural language requirements. In Proc. RE, pages 56--65, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. A. Cockburn. Writing Effective Use Cases. Addison-Wesley Longman Publishing Co., Inc., 1st edition, 2000. Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. D. J. Dougherty, K. Fisler, and S. Krishnamurthi. Specifying and reasoning about dynamic access-control policies. In Proc. IJCAR, pages 632--646, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. O. Etzioni, M. Cafarella, D. Downey, A.-M. Popescu, T. Shaked, S. Soderland, D. S. Weld, and A. Yates. Unsupervised named-entity extraction from the web: An experimental study. Artif. Intell., pages 91--134, 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. C. Fellbaum, editor. WordNet An Electronic Lexical Database. The MIT Press, 1998.Google ScholarGoogle Scholar
  16. D. F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli. Proposed NIST standard for role-based access control. TISSEC, 4(3):224--274, 2001. Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. M. I. Gofman, R. Luo, J. He, Y. Zhang, and P. Yang. Incremental information flow analysis of role based access control. In Security and Management, pages 397--403, 2009.Google ScholarGoogle Scholar
  18. G. Grefenstette. Light parsing as finite state filtering. In A. Kornai, editor, Extended finite state models of language, pages 86--94. Cambridge University Press, 1999. Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. Q. He and A. I. Antón. Requirements-based access Control Analysis and Policy Specification (ReCAPS). Inf. Softw. Technol., 51(6):993--1009, 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. V. C. Hu, D. R. Kuhn, T. Xie, and J. Hwang. Model checking for verification of mandatory access control models and properties. IJSEKE, 21(1):103--127, 2011.Google ScholarGoogle Scholar
  21. J. Hwang, T. Xie, V. C. Hu, and M. Altunay. ACPT: A tool for modeling and verifying access control policies. In Proc. POLICY, pages 40--43, 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. I. Jacobson. Object-Oriented Software Engineering: A Use Case Driven Approach. Addison Wesley Longman Publishing Co., Inc., 2004. Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. I. Jacobson, M. Christerson, P. Jonsson, and G. Overgaard. Object-Oriented Software Engineering: A Use Case Driven Approach. Addison Wesley Longman Publishing Co., Inc., 1992. Google ScholarGoogle Scholar
  24. D. Jagielska, P. Wernick, M. Wood, and S. Bennett. How natural is natural language?: How well do computer science students write use cases? In Proc. OOPSLA, pages 914--924, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. C.-M. Karat, J. Karat, C. Brodie, and J. Feng. Evaluating interfaces for privacy policy rule authoring. In Proc. CHI, pages 83--92, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. J. Karat, C.-M. Karat, C. Brodie, and J. Feng. Designing natural language and structured entry methods for privacy policy authoring. In Proc. INTERACT, pages 671--684, 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. C. Kennedy. Anaphora for everyone: Pronominal anaphora resolution without a parser. In Proc. COLING, pages 113--118, 1996. Google ScholarGoogle ScholarDigital LibraryDigital Library
  28. A. X. Liu, F. Chen, J. Hwang, and T. Xie. XEngine: a fast and scalable XACML policy evaluation engine. In Proc. SIGMETRICS, pages 265--276, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. E. Martin, J. Hwang, T. Xie, and V. Hu. Assessing quality of policy properties in verification of access control policies. In Proc. ACSAC, pages 163--172, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. E. Martin and T. Xie. A fault model and mutation testing of access control policies. In Proc. WWW, pages 667--676, 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  31. J. B. Michael, V. L. Ong, and N. C. Rowe. Natural-language processing support for developing policy-governed software systems. In Proc. TOOLS, pages 263--274, 2001. Google ScholarGoogle ScholarDigital LibraryDigital Library
  32. M. S. Neff, R. J. Byrd, and B. K. Boguraev. The talent system: Textract architecture and data model. Nat. Lang. Eng., 10(3--4):307--326, 2004. Google ScholarGoogle ScholarDigital LibraryDigital Library
  33. OASIS. Privacy policy profile of XACML v2.0., 2005. http://docs.oasis-open.org/xacml/2.0/privateprofile/access_control-xacml-2.0-privacy_profile-specos.pdf.Google ScholarGoogle Scholar
  34. R. Pandita, X. Xiao, H. Zhong, T. Xie, S. Oney, and A. Paradkar. Inferring method specifications from natural language API descriptions. In Proc. ICSE, pages 815--825, 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  35. C. Rolland and C. B. Achour. Guiding the construction of textual use case specifications. Data Knowl. Eng., 25(1--2):125--160, 1998. Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. P. Samarati and S. D. C. d. Vimercati. Access control: Policies, models, and mechanisms. In Proc. FOSAD, pages 137--196, 2001. Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. A. Schaad, V. Lotz, and K. Sohr. A model-checking approach to analysing organisational controls in a loan origination process. In Proc. SACMAT, pages 139--149, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  38. A. Sinha, S. M. S. Jr., and A. Paradkar. Text2Test: Automated inspection of natural language use cases. In Proc. ICST, pages 155--164, 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  39. A. Sinha, A. M. Paradkar, P. Kumanan, and B. Boguraev. A linguistic analysis engine for natural language use case description and its application to dependability analysis in industrial use cases. In Proc. DSN, pages 327--336, 2009.Google ScholarGoogle ScholarCross RefCross Ref
  40. M. Stickel and M. Tyson. FASTUS: A cascaded finite-state transducer for extracting information from natural-language text. In Proc. Finite-State Language Processing, pages 383--406, 1997.Google ScholarGoogle Scholar
  41. L. Williams and Y. Shin. Work in progress: Exploring security and privacy concepts through the development and testing of the iTrust medical records system. In Proc. FIE, pages 30--31, 2006.Google ScholarGoogle ScholarCross RefCross Ref
  42. X. Xiao, T. Xie, N. Tillmann, and J. de Halleux. Precise identification of problems for structural test generation. In Proc. ICSE, pages 611--620, 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  43. T. Xie. Cooperative testing and analysis: Human-tool, tool-tool, and human-human cooperations to get work done. In Proc. SCAM, Keynote, 2012.Google ScholarGoogle ScholarDigital LibraryDigital Library
  44. H. Yang, A. de Roeck, V. Gervasi, A. Willis, and B. Nuseibeh. Extending nocuous ambiguity analysis for anaphora in natural language requirements. In Proc. RE, pages 25--34, 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  45. H. Zhong, L. Zhang, T. Xie, and H. Mei. Inferring resource specifications from natural language API documentation. In Proc. ASE, pages 307--318, 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Automated extraction of security policies from natural-language software documents

        Recommendations

        Comments

        Login options

        Check if you have access through your login credentials or your institution to get full access on this article.

        Sign in
        • Published in

          cover image ACM Conferences
          FSE '12: Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering
          November 2012
          494 pages
          ISBN:9781450316149
          DOI:10.1145/2393596

          Copyright © 2012 ACM

          Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

          Publisher

          Association for Computing Machinery

          New York, NY, United States

          Publication History

          • Published: 11 November 2012

          Permissions

          Request permissions about this article.

          Request Permissions

          Check for updates

          Qualifiers

          • research-article

          Acceptance Rates

          Overall Acceptance Rate17of128submissions,13%

        PDF Format

        View or Download as a PDF file.

        PDF

        eReader

        View online with eReader.

        eReader