Journal: Empirical Software Engineering

Using machine learning to assist with the selection of security controls during security assessment


Abstract

Context: In many domains such as healthcare and banking, IT systems need to fulfill various requirements related to security. The elaboration of security requirements for a given system is in part guided by the controls envisaged by the applicable security standards and best practices. An important difficulty that analysts have to contend with during security requirements elaboration is sifting through a large number of security controls and determining which ones have a bearing on the security requirements for a given system. This challenge is often exacerbated by the scarce security expertise available in most organizations.

Objective: In this article, we develop automated decision support for the identification of security controls that are relevant to a specific system in a particular context.

Method and Results: Our approach, which is based on machine learning, leverages historical data from security assessments performed over past systems in order to recommend security controls for a new system. We operationalize and empirically evaluate our approach using real historical data from the banking domain. Our results show that, when one excludes security controls that are rare in the historical data, our approach has an average recall of ≈ 94% and an average precision of ≈ 63%. We further examine through a survey the perceptions of security analysts about the usefulness of the classification models derived from historical data.

Conclusions: The high recall - indicating that only a few relevant security controls are missed - combined with the reasonable level of precision - indicating that the effort required to confirm recommendations is not excessive - suggests that our approach is a useful aid to analysts for more efficiently identifying the relevant security controls, and also for decreasing the likelihood that important controls would be overlooked. Further, our survey results suggest that the generated classification models help provide a documented and explicit rationale for choosing the applicable security controls.