Cross-project Classification of Security-related Requirements
Mazen Mohamad, Jan-Philipp Steghöfer, Riccardo Scandariato

TL;DR
This paper explores the potential of using machine learning classifiers trained on online requirement specifications to identify security-related requirements across different domains and styles, aiding compliance and security assurance processes.
Contribution
It demonstrates the feasibility of cross-project classification of security requirements using heterogeneous data and highlights the importance of data consistency for improved accuracy.
Findings
Feasibility of training classifiers on diverse requirement data
Performance improves with data consistency revisions
Type-specific training yields better results
Abstract
We investigate the feasibility of using a classifier for security-related requirements trained on requirement specifications available online. This is helpful in case different requirement types are not differentiated in a large existing requirement specification. Our work is motivated by the need to identify security requirements for the creation of security assurance cases, which become a necessity for many organizations with new and upcoming standards like GDPR and HIPAA. We base our investigation on ten requirement specifications, randomly selected from a Google Search and partially pre-labeled. To validate the model, we run 10-fold cross-validation on the data where each specification constitutes a group. Our results indicate the feasibility of training a model from a heterogeneous data set including specifications from multiple domains and in different styles. However, performance…
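The grouped validation the abstract describes, with each specification held out in turn while the others train, as an added illustration that is not the paper's code or data: a small multinomial naive Bayes text classifier (a stand-in, since the abstract does not name the classifier used) trained on constructed requirement sentences from three hypothetical specifications.

```python
import math, re
from collections import Counter

REQUIREMENTS = [  # constructed sample, not the paper's data: (spec id, requirement, is_security)
    ("spec_a", "The system shall encrypt all stored passwords using a salted hash.", True),
    ("spec_a", "The system shall lock an account after five failed login attempts.", True),
    ("spec_a", "The system shall display the current weather for the selected city.", False),
    ("spec_a", "The user shall be able to export reports as PDF.", False),
    ("spec_b", "All data in transit must be protected with TLS encryption.", True),
    ("spec_b", "Access to audit logs shall require administrator authentication.", True),
    ("spec_b", "The application shall support English and German user interfaces.", False),
    ("spec_b", "The dashboard shall refresh every thirty seconds.", False),
    ("spec_c", "Sessions shall expire after fifteen minutes of inactivity.", True),
    ("spec_c", "The system shall log every failed authentication attempt.", True),
    ("spec_c", "The catalogue shall list products sorted by price.", False),
    ("spec_c", "Users shall be able to change the font size.", False),
]

def tokenize(text):
    return re.findall(r"[a-z]+", text.lower())

def train(rows):
    """Multinomial naive Bayes: per-class word counts, document counts, vocabulary."""
    words = {True: Counter(), False: Counter()}
    docs = Counter()
    for _, text, label in rows:
        words[label].update(tokenize(text))
        docs[label] += 1
    vocab = set(words[True]) | set(words[False])
    return words, docs, vocab

def predict(model, text):
    """Return True if the requirement scores higher as security-related than as other."""
    words, docs, vocab = model
    score = {}
    for label in (True, False):
        denom = sum(words[label].values()) + len(vocab)  # Laplace smoothing
        score[label] = math.log(docs[label] / sum(docs.values())) + sum(
            math.log((words[label][tok] + 1) / denom) for tok in tokenize(text))
    return score[True] > score[False]

def leave_one_specification_out(rows):
    """Grouped cross-validation: each specification is the test group once, the rest train."""
    accuracy = {}
    for held_out in sorted({spec for spec, _, _ in rows}):
        model = train([r for r in rows if r[0] != held_out])
        test = [r for r in rows if r[0] == held_out]
        hits = sum(predict(model, text) == label for _, text, label in test)
        accuracy[held_out] = hits / len(test)
    return accuracy
```

Holding out whole specifications rather than random requirements is what makes the estimate cross-project: the model never sees the held-out document's wording or domain during training.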
Taxonomy
Topics: Information and Cyber Security · Safety Systems Engineering in Autonomy · Software Reliability and Analysis Research
