1,721,011 research outputs found
Empowering end-users in the specification of security rules
No full textWith the rapid growth of Internet-of-Things (IoT) devices, especially in the context of smart homes, enduser programming is becoming increasingly common to easily create new functionalities by connecting IoT devices and online services using simple rules, such as event-condition-action (ECA) rules. Unfortunately, IoT devices and platforms are vulnerable under security terms, and the possible countermeasures to security threats are completely hidden to end-users. This position paper presents the idea of involving end-users in the management of security risks. In particular, we describe how existing ECA rules could be expanded to deal with security aspects, and possible strategies to support end-users in the definition and customization of security rules
SIGFRID: Unsupervised, Platform-Agnostic Interference Detection in IoT Automation Rules
No full textSmart home technology has profoundly changed modern living by interconnecting devices, services, dataflows, and user interactions into integrated, automated environments. Homeowners can easily program smart devices using conditional IF-THEN rules, where triggers prompt corresponding actions. However, as smart homes incorporate more multifunctional devices, conflicting trigger-action rules can simultaneously control devices in inconsistent ways, causing unexpected and potentially unsafe interference situations. This article introduces Sigfrid, a novel interference detection approach using scene interaction graphs constructed through Large Language Models (LLMs). To enhance LLM reasoning, we propose a new prompt engineering methodology that integrates automated and manual editing techniques to formulate queries for deriving causal insights in the smart home domain. Interferences are identified through efficient exploration of the graph constructed from the extracted relations. We evaluate Sigfrid on real-world If-This-Then-That (IFTTT) and SmartThings rule sets, demonstrating its superiority over state-of-the-art methods by more than 21% in F1-score
Detecting privacy requirements from User Stories with NLP transfer learning models
No full textContext: To provide privacy-aware software systems, it is crucial to consider privacy from the very beginning of the development. However, developers do not have the expertise and the knowledge required to embed the legal and social requirements for data protection into software systems. Objective: We present an approach to decrease privacy risks during agile software development by automatically detecting privacy-related information in the context of user story requirements, a prominent notation in agile Requirement Engineering (RE). Methods: The proposed approach combines Natural Language Processing (NLP) and linguistic resources with deep learning algorithms to identify privacy aspects into User Stories. NLP technologies are used to extract information regarding the semantic and syntactic structure of the text. This information is then processed by a pre-trained convolutional neural network, which paved the way for the implementation of a Transfer Learning technique. We evaluate the proposed approach by performing an empirical study with a dataset of 1680 user stories. Results: The experimental results show that deep learning algorithms allow to obtain better predictions than those achieved with conventional (shallow) machine learning methods. Moreover, the application of Transfer Learning allows to considerably improve the accuracy of the predictions, ca. 10%. Conclusions: Our study contributes to encourage software engineering researchers in considering the opportunities to automate privacy detection in the early phase of design, by also exploiting transfer learning models
Beyond domain dependency in security requirements identification
No full textContext: Early security requirements identification is crucial in software development, facilitating the integration of security measures into IT networks and reducing time and costs throughout software life-cycle. Objectives: This paper addresses the limitations of existing methods that leverage Natural Language Processing (NLP) and machine learning techniques for detecting security requirements. These methods often fall short in capturing syntactic and semantic relationships, face challenges in adapting across domains, and rely heavily on extensive domain-specific data. In this paper we focus on identifying the most effective approaches for this task, highlighting both domain-specific and domain-independent strategies. Method: Our methodology encompasses two primary streams of investigation. First, we explore shallow machine learning techniques, leveraging word embeddings. We test ensemble methods and grid search within and across domains, evaluating on three industrial datasets. Next, we develop several domain-independent models based on BERT, tailored to better detect security requirements by incorporating data on software weaknesses and vulnerabilities. Results: Our findings reveal that ensemble and grid search methods prove effective in domain-specific and domain-independent experiments, respectively. However, our custom BERT models showcase domain independence and adaptability. Notably, the CweCveCodeBERT model excels in Precision and F1-score, outperforming existing approaches significantly. It improves F1-score by ∼3% and Precision by ∼14% over the best approach currently in the literature. Conclusion: BERT-based models, especially with specialized pre-training, show promise for automating security requirement detection. This establishes a foundation for software engineering researchers and practitioners to utilize advanced NLP to improve security in early development phases, fostering the adoption of these state-of-the-art methods in real-world scenarios
Towards Explainable Security for ECA Rules
No full textWith the rise in popularity of smart objects and online services, the use of Trigger-Action Platforms for the definition of custom behaviors is growing significantly. These platforms enable end-users to create Event-Condition-Action (ECA) rules for triggering actions upon event occurrences on physical devices or online services in different domains. ECA rules could easily expose end-users to security risks mainly due to their low level of knowledge and awareness. To alleviate this problem, classification models can be used for identifying possible security issues that ECA rules could inflict when triggered. However, the results produced by these classifiers may not be understood by end-users. This position paper provides first insights concerning the application of AI models for generating natural language explanations according to the identified risks of ECA rules
Towards a Classification Model for Identifying Risky IFTTT Applets
No full textWith the rapid growth of Internet-of-Things (IoT) devices, especially in the context of smart homes, we witnessed the rise of different services aimed at providing end-users with tools for the definition of custom behaviors. Among these, If-This-Than-That (IFTTT) became the most used end-user programming tool for creating event-condition-action (ECA) rules. However, while defining such rules, end-users might expose both their smart devices and personal information to security and privacy threats. This paper presents the progress achieved in the definition of a classification model based on neural networks for the identification of possible security and privacy issues within an IFTTT applet
PReDUS: A Privacy Requirements Detector From User Stories
No full textIn the context of requirements engineering, stakeholders are often unaware of identifying and managing privacy and security requirements. The purpose of this paper is to present a tool, namely PReDUS, for the detection of privacy content from user stories. The core of the tool is the use of deep learning algorithms that exploit Natural Language Processing techniques and linguistic resources
Towards Explainable Security for ECA Rules
No full textWith the rise in popularity of smart objects and online services, the use of Trigger-Action Platforms for the definition of custom behaviors is growing significantly. These platforms enable end-users to create Event-Condition-Action (ECA) rules for triggering actions upon event occurrences on physical devices or online services in different domains. ECA rules could easily expose end-users to security risks mainly due to their low level of knowledge and awareness. To alleviate this problem, classification models can be used for identifying possible security issues that ECA rules could inflict when triggered. However, the results produced by these classifiers may not be understood by end-users. This position paper provides first insights concerning the application of AI models for generating natural language explanations according to the identified risks of ECA rules
An Agent-Based and Context-Oriented approach to Symbol Recognition in Diagrammatic Drawings
No full text- …
