Hibshi, Hanan; Breaux, Travis D.; Wagner, Christian
Languages: English
Types: Unknown
Organizations rely on security experts to improve the security of their systems. These professionals use background knowledge and experience to align known threats and vulnerabilities before selecting mitigation options. The substantial depth of expertise in any one area (e.g., databases, networks, operating systems) precludes the possibility that an expert would have complete knowledge about all threats and vulnerabilities. To begin addressing this problem of fragmented knowledge, we investigate the challenge of developing a security requirements rule base that mimics multi-human expert reasoning to enable new decision-support systems. In this paper, we show how to collect relevant information from cyber security experts to enable the generation of: (1) interval type-2 fuzzy sets that capture intra- and inter-expert uncertainty around vulnerability levels; and (2) fuzzy logic rules driving the decision-making process within the requirements analysis. The proposed method relies on comparative ratings of security requirements in the context of concrete vignettes, providing a novel, interdisciplinary approach to knowledge generation for fuzzy logic systems. The paper presents an initial evaluation of the proposed approach through 52 scenarios with 13 experts to compare their assessments to those of the fuzzy logic decision support system. The results show that the system provides reliable assessments to the security analysts, in particular, generating more conservative assessments in 19% of the test scenarios compared to the experts’ ratings.