Wednesday, May 22, 2019
Software Security Risk Analysis Using Fuzzy Expert System
Software Level of Security Risk Analysis Using Fuzzy Expert System

ARTIFICIAL INTELLIGENCE
UNIVERSITI TEKNIKAL MALAYSIA MELAKA
FACULTY OF INFORMATION & COMMUNICATION TECHNOLOGY
SESSION 2 2010/2011

NURUL AZRIN BT AIRRUDIN B031010343
SITI NURSHAFIEQA BT SUHAIMI B031010313
NUR SHAHIDA BT MUHTAR B031010266

LECTURER: DR ABD. SAMAD HASSAN BASARI
12th APRIL 2011

ABSTRACT

There is wide concern about the security of software systems because many organizations depend largely on them for their everyday operations. Since we have not seen a software system that is completely secure, there is a need to analyze and determine the security risk of emerging software systems. This project presents a technique for analyzing software security using a fuzzy expert system. The inputs to the system are suitable fuzzy sets representing linguistic values for the software security goals of confidentiality, integrity and availability. The expert rules were constructed using Mamdani fuzzy reasoning in order to adequately analyze the inputs. Defuzzification was performed using the centroid technique. The design was implemented with the MATLAB fuzzy logic toolbox because of its support for fuzzy-based systems. Using newly developed software products from three software development organizations as test cases, the results show a system that can be used to effectively analyze software security risk.

ANALYSIS AND DESIGN

The design is fundamentally divided into four stages.

1) DESIGN OF THE LINGUISTIC VARIABLES

The inputs to the system are the values assumed for the software security goals of confidentiality, integrity and availability.
The goals are assumed to have the same weight, and a particular value is determined for each of them based on questions answered about the specific software. The value determined for each input is defined as a fuzzy number rather than a crisp number by using suitable fuzzy sets. Designing the fuzzy system requires that the different inputs (confidentiality, integrity and availability) are represented by fuzzy sets. The fuzzy sets are in turn represented by membership functions. The membership function used in this paper is the triangular membership function, a three-point function defined by its minimum, maximum and modal values, as shown in Figure 1.

[Figure 1: Triangular Membership Function]

2) THE FUZZY SETS

The level of confidentiality is defined on the scale not confidential, slightly confidential, confidential, very confidential and extremely confidential. The level of integrity is defined on the scale very low, low, high, very high and extra high, and the level of availability is defined on the same five-point scale. All three levels are defined over an assumed interval of 0-10; the input values are the counts of YES answers in the security questionnaire, so they are whole numbers and the ranges below have no values between them. The ranges for the inputs are shown in Tables 1 to 3 and the range for the output in Table 4.

Table 1: Range of inputs for Confidentiality

DESCRIPTION              RANGE
Non-Confidential         0-1
Slightly Confidential    2-3
Confidential             4-6
Very Confidential        7-8
Extremely Confidential   9-10

Table 2: Range of inputs for Integrity

DESCRIPTION   RANGE
Very Low      0-1
Low           2-3
High          4-6
Very High     7-8
Extra High    9-10

Table 3: Range of inputs for Availability

DESCRIPTION   RANGE
Very Low      0-1
Low           2-3
High          4-6
Very High     7-8
Extra High    9-10

Table 4: Level of Security Risk

DESCRIPTION        RANGE
Not Secure         0-3
Slightly Secure    4-9
Secure             10-18
Very Secure        19-25
Extremely Secure   26-30

The fuzzy sets above are represented by membership functions.
The corresponding membership functions for confidentiality, integrity and availability are presented in the figures below.

[Figure 1: Membership functions for Confidentiality]

Similarly, the output, that is, the level of security risk, is also represented by fuzzy sets and then by a membership function. The level of security risk is defined on the scale not secure, slightly secure, secure, very secure and extremely secure within the range 0-30. The range definition is shown in Table 4 above. The membership function for the output fuzzy set is presented in Figure 4 below.

[Figure 2: Membership functions for Integrity]
[Figure 3: Membership functions for Availability]
[Figure 4: Level of Security Risk]

3) THE RULES OF THE FUZZY SYSTEM

Once the input and output fuzzy sets and membership functions are constructed, the rules are formulated. The rules are formulated from the input parameters (confidentiality, integrity and availability) and the output, i.e. the level of security risk. The levels of confidentiality, integrity and availability are used in the antecedent of each rule and the level of security risk as its consequent. A fuzzy rule is a conditional statement of the form IF x is A THEN y is B, where x and y are linguistic variables and A and B are linguistic values determined by fuzzy sets on the universes of discourse X and Y, respectively. Both the antecedent and the consequent of a fuzzy rule can have multiple parts. All parts of the antecedent are evaluated simultaneously and resolved into a single number, and the antecedent affects all parts of the consequent equally. Some of the rules used in the design of this fuzzy system are as follows:

1. If (Confidentiality is Not Confidential) and (Integrity is Very Low) and (Availability is Very Low) then (Security Risk is Not Secure).
2. If (Confidentiality is Not Confidential) and (Integrity is Very Low) and (Availability is Low) then (Security Risk is Slightly Secure).
3. If (Confidentiality is Extremely Confidential) and (Integrity is Extra High) and (Availability is High) then (Security Risk is Slightly Secure).
...
125. If (Confidentiality is Not Confidential) and (Integrity is Very Low) and (Availability is High) then (Security Risk is Extremely Secure).

The rules above were formulated using Mamdani max-min fuzzy reasoning. Note that, as printed here, rules 3 and 125 run against the ordering the evaluation relies on: rule 125 assigns Extremely Secure to the lowest confidentiality and integrity levels, and rule 3 assigns Slightly Secure to the highest. A rule base covering every combination of the five levels (5 x 5 x 5 = 125 rules) should be checked for such inconsistencies, and for missing combinations, before its output is trusted.

DEVELOPMENT AND IMPLEMENTATION

The linguistic variables were determined from the number of positive and negative responses to well-constructed security questions presented in the form of an online questionnaire. As mentioned earlier, MATLAB was used for the implementation. The linguistic inputs to the system are supplied through the graphical user interface called the rule viewer. Once the rule viewer has been opened, the input variables are supplied in the text box captioned Input, separated by spaces.

a) THE FIS EDITOR

The fuzzy inference system editor shows a summary of the fuzzy inference system. It shows the mapping of the inputs to the system type and to the output. The names of the input variables and the processing methods for the FIS can be changed through the FIS editor.

[Figure 5: The FIS editor]

b) THE MEMBERSHIP FUNCTION EDITOR

This can be opened from the command window with the mfedit function (plotmf only plots the membership functions of a variable), but more easily through the GUI. The membership function editor shows a plot of the highlighted input or output variable over its possible range against the degree of membership, which is a grade of belonging to a fuzzy set, not a probability of occurrence. The name and range of a membership function can be changed, as can the range of the variable itself, through the membership function editor.

[Figure 6: The Membership Function editor]

c) THE RULE EDITOR

The rule editor can be used to add, delete or change a rule. It is also used to change the connection type (and/or) and the weight of a rule. The rule editor for this application is shown in Figure 7.
[Figure 7: Rule Editor]

d) THE RULE VIEWER

The text box captioned Input is used to supply the three input variables needed by the system. The appropriate input corresponds to the number of YES answers in the questionnaire for each of the input variables. For example, in Figure 8 all the input variables are 5 and the corresponding output is 13.9, which is shown at the top of the output graph. The value of each input variable is shown at the top of the column corresponding to it, as is the output variable. The rule viewer for this work is presented in Figure 8.

[Figure 8: The Rule Viewer]

e) THE SURFACE VIEWER

The surface viewer shown in Figure 9 is a 3-D graph that shows the relationship between the inputs and the output. The output (security risk) is represented on the Z-axis while two of the inputs (confidentiality and integrity) are on the X and Y axes and the third input (availability) is held constant. The surface viewer plots the possible ranges of the input variables against the possible range of the output.

4) EVALUATION

The security risk analysis system was evaluated using three newly completed software products from three different software development organizations. The output determines the security level of the software under consideration. The summary of the evaluation is given in Table 5 and Figure 11. For product A, 5 is the value for confidentiality, 5 for integrity and 5 for availability.

Table 5: Evaluation of Different Input Variables

Software    Input (C, I, A)   Output   Significance                              Security Level
Product A   5, 5, 5           13.9     45% slightly secure, 55% secure           46.33%
Product B   8, 7, 8           24.2     20% secure, 80% very secure               80.60%
Product C   10, 10, 10        28.4     35% very secure, 65% extremely secure     94.67%

The Significance column gives the degree to which the crisp output belongs to each output fuzzy set, and the Security Level column is the crisp output as a percentage of the 0-30 output range (for example 13.9/30 = 46.33%).

[Figure 9: The Surface Viewer]
[Figure 10: Histogram & 3D]

CONCLUSION AND FINDINGS

This work proposes a fuzzy logic-based technique for determining the level of security risk associated with software systems.
Fuzzy logic is one of the tools used for security analysis where the inputs are linguistic rather than precise. The major goals of secure software, which are used as the inputs to the system, are the preservation of confidentiality (preventing unauthorized disclosure of information), the preservation of integrity (preventing unauthorized alteration of information) and the preservation of availability (preventing unauthorized destruction, or denial of access or service, to an authentic user). It might be necessary to redesign this system so that it can be deployed without MATLAB. It might also be necessary to use an adaptive fuzzy logic technique for security risk analysis. We have designed a system that can be used to evaluate the security risk associated with the production of secure software systems, which will help software organizations meet standard requirements. A technique for assessing the security of a software system before final deployment has been presented. The results of this test suggest that if software-producing companies incorporate security risk analysis into the production of software systems, the insecurity of software can be held to a minimum if not eliminated. This study has also shown that, within this model, raising each of the software security goals towards its maximum raises the security level (to 94.67% for Product C) and correspondingly lowers the associated risk. Finally, security risk analysis is a path towards producing secure software and should be considered a significant activity by software development organizations.
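Worked example, added here and not part of the report or its MATLAB implementation: a minimal Mamdani inference engine in Python for the model described in the rules section and evaluated in the rule viewer and evaluation sections above. It uses the three 0-10 inputs, the 0-30 output, max-min inference and centroid defuzzification as the report does, and reproduces the four rules the report prints (numbers 1, 2, 3 and 125). The triangular membership functions are an assumption: the report gives only the range tables, so the triangles here are evenly spaced with peaks at 0, 2.5, 5, 7.5 and 10 for the inputs and 0, 7.5, 15, 22.5 and 30 for the output; the report's actual parameters and its remaining 121 rules are not on the page. The `describe` helper mirrors Table 5 (share of each output label at the crisp output, and the output as a percentage of 30), and `uncovered` is the completeness check a practitioner would run on a rule base before trusting it.

```python
"""Mamdani fuzzy inference for the confidentiality/integrity/availability model.

Added example, not the report's MATLAB implementation.  Triangle parameters
are assumed (the report prints only its range tables): five evenly spaced
triangles per variable, so input 5 is fully "Confidential"/"High" and
10 is fully "Extremely Confidential"/"Extra High".
"""
from typing import Callable, Dict, List, Optional, Sequence, Tuple

MF = Callable[[float], float]


def tri(a: float, b: float, c: float) -> MF:
    """Triangular membership function with feet a and c and peak b (a <= b <= c).
    a == b or b == c gives a half-triangle, used at the ends of a universe."""
    def mu(x: float) -> float:
        if x == b:
            return 1.0
        if x <= a or x >= c:
            return 0.0
        if x < b:
            return (x - a) / (b - a)
        return (c - x) / (c - b)
    return mu


def five_sets(labels: Sequence[str], lo: float, hi: float) -> Dict[str, MF]:
    """Five evenly spaced triangles over [lo, hi]; the outer two are half-triangles."""
    step = (hi - lo) / 4
    peaks = [lo + k * step for k in range(5)]
    return {name: tri(peaks[max(k - 1, 0)], peaks[k], peaks[min(k + 1, 4)])
            for k, name in enumerate(labels)}


CONF = ["Not Confidential", "Slightly Confidential", "Confidential",
        "Very Confidential", "Extremely Confidential"]
LEVELS = ["Very Low", "Low", "High", "Very High", "Extra High"]
RISK = ["Not Secure", "Slightly Secure", "Secure", "Very Secure", "Extremely Secure"]

CONF_MF = five_sets(CONF, 0, 10)     # Table 1 (assumed triangle parameters)
INTEG_MF = five_sets(LEVELS, 0, 10)  # Table 2
AVAIL_MF = five_sets(LEVELS, 0, 10)  # Table 3
RISK_MF = five_sets(RISK, 0, 30)     # Table 4

Rule = Tuple[str, str, str, str]  # (confidentiality, integrity, availability, security risk)

# The four rules the report prints (numbers 1, 2, 3 and 125 of its 125-rule base).
REPORT_RULES: List[Rule] = [
    ("Not Confidential", "Very Low", "Very Low", "Not Secure"),
    ("Not Confidential", "Very Low", "Low", "Slightly Secure"),
    ("Extremely Confidential", "Extra High", "High", "Slightly Secure"),
    ("Not Confidential", "Very Low", "High", "Extremely Secure"),
]


def fire(rules: Sequence[Rule], c: float, i: float, a: float) -> List[float]:
    """Firing strength of each rule: AND is min over the three antecedents."""
    return [min(CONF_MF[rc](c), INTEG_MF[ri](i), AVAIL_MF[ra](a))
            for rc, ri, ra, _ in rules]


def aggregate(rules: Sequence[Rule], strengths: Sequence[float]) -> MF:
    """Clip each consequent set at its rule's strength and combine with max."""
    def mu(y: float) -> float:
        return max((min(s, RISK_MF[out](y)) for (_, _, _, out), s in zip(rules, strengths)),
                   default=0.0)
    return mu


def centroid(mu: MF, lo: float = 0.0, hi: float = 30.0, n: int = 3000) -> Optional[float]:
    """Centre-of-area defuzzification on a grid.  Returns None when the
    aggregated set is empty, i.e. no rule fired for this input."""
    step = (hi - lo) / n
    num = den = 0.0
    for k in range(n + 1):
        y = lo + k * step
        m = mu(y)
        num += y * m
        den += m
    return num / den if den > 0 else None


def infer(c: float, i: float, a: float, rules: Sequence[Rule] = REPORT_RULES) -> Optional[float]:
    """Crisp security-risk output (0-30) for one set of questionnaire scores."""
    return centroid(aggregate(rules, fire(rules, c, i, a)))


def describe(y: float) -> Tuple[Dict[str, float], float]:
    """Share of each output label at crisp y (Table 5's 'significance'
    column) and y as a percentage of the 0-30 range ('security level')."""
    degrees = {name: RISK_MF[name](y) for name in RISK}
    total = sum(degrees.values())
    share = {k: round(100 * v / total, 1) for k, v in degrees.items() if v > 0}
    return share, round(100 * y / 30, 2)


def uncovered(rules: Sequence[Rule]) -> List[Tuple[str, str, str]]:
    """Antecedent combinations with no rule; inputs that fall only in these
    regions make infer() return None instead of a score."""
    have = {(rc, ri, ra) for rc, ri, ra, _ in rules}
    return [(x, y, z) for x in CONF for y in LEVELS for z in LEVELS if (x, y, z) not in have]


if __name__ == "__main__":
    for scores in [(1, 1, 1.5), (5, 5, 5)]:
        y = infer(*scores)
        print(scores, "->", y if y is None else (round(y, 2), describe(y)))
    print(len(uncovered(REPORT_RULES)), "of 125 antecedent combinations have no rule")
```

With only the four printed rules, the scores (1, 1, 1.5) fire rules 1 and 2 at strengths 0.4 and 0.6 and defuzzify to about 6.9 (Slightly Secure), while Product A's (5, 5, 5) falls entirely in an uncovered region and `infer` returns None rather than dividing by zero in the centroid. That is the symptom of an incomplete rule base; `uncovered` reports the 121 missing combinations here and an empty list for a complete 5 x 5 x 5 base like the report's.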