Automated extraction of security policies from natural-language software documents

Xusheng Xiao, Amit Paradkar, Suresh Thummalapenta, Tao Xie

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Access Control Policies (ACPs) specify which principals, such as users, have access to which resources. Ensuring the correctness and consistency of ACPs is crucial to preventing security vulnerabilities. In practice, however, ACPs are commonly written in Natural Language (NL) and buried in large documents such as requirements documents, which makes them not amenable to automated techniques for checking correctness and consistency. It is tedious to manually extract ACPs from these NL documents and to validate NL functional requirements, such as use cases, against the ACPs in order to detect inconsistencies. To address these issues, we propose an approach, called Text2Policy, that automatically extracts ACPs from NL software documents and resource-access information from NL scenario-based functional requirements. We conducted three evaluations on ACP sentences collected from publicly available sources, along with use cases from both open source and proprietary projects. The results show that Text2Policy effectively identifies ACP sentences with a precision of 88.7% and a recall of 89.4%, extracts ACP rules with an accuracy of 86.3%, and extracts action steps with an accuracy of 81.9%.

Original language: English (US)
Title of host publication: Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering, FSE 2012
DOIs
State: Published - Dec 24 2012
Externally published: Yes
Event: 20th ACM SIGSOFT International Symposium on the Foundations of Software Engineering, FSE 2012 - Cary, NC, United States
Duration: Nov 11 2012 - Nov 16 2012

Publication series

Name: Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering, FSE 2012

Other

Other: 20th ACM SIGSOFT International Symposium on the Foundations of Software Engineering, FSE 2012
Country: United States
City: Cary, NC
Period: 11/11/12 - 11/16/12

Keywords

  • access control
  • natural language processing
  • requirements analysis

ASJC Scopus subject areas

  • Software
