A deep learning model was developed by the team, which included Ram Krishnan, associate professor in the UTSA Department of Electrical and Computer Engineering; Yufei Huang, professor in Electrical and Computer Engineering; Jianwei Niu, associate professor in Computer Science; Ravi Sandhu, professor, and Lutcher Brown Distinguished Chair in Cyber Security; and John Heaps, postdoctoral researcher in the UTSA Institute for Cyber Security, to teach software how to extract security information.
Agile software development, in contrast to conventional software models, is intended to generate software at a quicker rate, reducing the need to spend time on thorough papers and changing software requirements, as is the case with traditional software models. There is just one kind of documentation required: user stories, which are specifications that outline the software’s needs. This method, however, is hampered by behaviors inherent to it, such as the need for continual code modifications, which make it difficult to undertake security assurance evaluations.
In a chance interaction with software professionals in the business, Krishnan came up with the fundamental concept of bridging the gap between security rules and agile software development, he said. In order to begin exploring this challenge and developing a practical solution, we were able to put together a team of teachers and students with experience in cybersecurity, software engineering, and machine learning.”
The researchers investigated a number of different machine learning algorithms before arriving on a deep learning strategy that can handle a variety of various user story styles and lengths. The model is composed of three components that work together to make the prediction: access control classifications, named entity recognition, and access type classification. The categorization of access control information assists the program in determining whether or not user stories include access control information. The actors and data items in the tale are all identified by a named entity. The link between the two is determined by the categorization of access type classifications.
To test their technique, the team used a data collection of 21 online apps, each of which had 50-130 user tales, for a total of 1,600 user stories.
According to Krishnan, “we constructed a learning model based on transformers,” which is an extremely effective machine learning approach, using a dataset of 1,600 user tales. It was possible to extract security rules with high accuracy and display the findings to assist stakeholders in refining user stories and maintaining an overview of the system’s access control, as shown in this case study.”
A crucial tool in the contemporary agile software development life cycle, says Krishnan, this revolutionary new technique will prove to be a game changer.
Since agile software development emphasizes incremental modifications to code, a manual procedure for extracting security rules would be error-prone and time-consuming, according to the author. The use of machine learning and artificial intelligence has shown to be a powerful method in yet another field, says the author.
Krishnan said that the team has numerous ideas for where they would want to take the project in the future.
“We know that, in a completely automated approach, there is little further information regarding access control that can be collected or identified directly from user stories,” Krishnan stated. “That implies that without the intervention of a person, it is difficult or impossible to identify the precise access control of a program from user stories. We want to improve our approach by making it more interactive with stakeholders, who will then be able to contribute to the refinement of the access control information.”
