Sunday, March 3, 2019

Software Security Risk Analysis Using Fuzzy Expert System

Software Level of Security Risk Analysis Using Fuzzy Expert System

ARTIFICIAL INTELLIGENT
UNIVERSITI TEKNIKAL MALAYSIA MELAKA
FACULTY OF INFORMATION & COMMUNICATION TECHNOLOGY
SESSION 2 2010/2011

NURUL AZRIN BT AIRRUDIN B031010343
SITI NURSHAFIEQA BT SUHAIMI B031010313
NUR SHAHIDA BT MUHTAR B031010266

LECTURER NAME: DR ABD. SAMAD HASSAN BASARI
12th APRIL 2011

SOFTWARE LEVEL OF SECURITY RISK ANALYSIS USING FUZZY EXPERT SYSTEM

ABSTRACT

There is wide concern about the security of software systems because many organizations depend largely on them for their day-to-day operations. Since we have not seen a software system that is completely secure, there is a need to analyze and determine the security risk of emerging software systems. This work presents a technique for analyzing software security using a fuzzy expert system. The inputs to the system are suitable fuzzy sets representing linguistic values for the software security goals of confidentiality, integrity and availability. The expert rules were constructed using Mamdani fuzzy reasoning in order to adequately analyze the inputs. Defuzzification was done using the Centroid technique. The design was implemented using the MATLAB fuzzy logic tool because of its ability to implement fuzzy based systems. Using newly developed software products from three software development organizations as test cases, the results show a system that can be used to effectively analyze software security risk.

ANALYSIS AND DESIGN

The design is basically divided into four stages.

1) DESIGN OF THE LINGUISTIC VARIABLES

The inputs to the system are the values assumed for the software security goals of confidentiality, integrity and availability.
The goals are assumed to carry the same weight, and a particular value is determined for each of them based on questions that are answered about the specific software. Also, the values determined for each of the inputs are defined as fuzzy numbers instead of crisp numbers by using suitable fuzzy sets. Designing the fuzzy system requires that the different inputs (that is, confidentiality, integrity, and availability) are represented by fuzzy sets. The fuzzy sets are in turn represented by a membership function. The membership function used in this paper is the triangular membership function, which is a three point function defined by minimum, maximum and modal values, usually represented as in figure 1.

Figure 1 Triangular Membership Function

2) THE FUZZY SETS

The level of confidentiality is defined based on the scales of not confidential, slightly confidential, very confidential and highly confidential. The level of integrity is also defined based on the scales very low, low, high, very high, and extra high. Also, the level of availability is defined by the scales very low, low, high, very high and extra high. The levels defined above are based on a range definition with an assumed interval of 0-10. The ranges for the inputs are shown in tables 1 and 2.

DESCRIPTION               RANGE
Non-Confidential          0-1
Slightly Confidential     2-3
Confidential              4-6
Very Confidential         7-8
Extremely Confidential    9-10

Table 1 Range of inputs for Confidentiality

DESCRIPTION    RANGE
Very Low       0-1
Low            2-3
High           4-6
Very High      7-8
Extra High     9-10

Table 2 Range of inputs for Integrity

DESCRIPTION    RANGE
Very Low       0-1
Low            2-3
High           4-6
Very High      7-8
Extra High     9-10

Table 3 Range of inputs for Availability

DESCRIPTION         RANGE
Not Secure          0-3
Slightly Secure     4-9
Secure              10-18
Very Secure         19-25
Extremely Secure    26-30

Table 4 Level of Security Risk

The fuzzy sets above are represented by membership functions.
The corresponding membership functions for confidentiality, integrity and availability are presented in the figures below.

Figure 1 Membership functions for Confidentiality

Similarly, the output, that is, the level of security risk, is also represented by fuzzy sets and then a membership function. The level of security risk is defined based on the scales not secure, slightly secure, secure, very secure, and extremely secure within the range of 0-30. The range definition is shown in the table above. The membership function for the output fuzzy set is presented in the figure below.

Figure 2 Membership functions for Integrity

Figure 3 Membership functions for Availability

Figure 4 Level of Security Risk

3) THE RULES OF THE FUZZY SYSTEM

Once the input and output fuzzy sets and membership functions are constructed, the rules are then formulated. The rules are formulated based on the input parameters (confidentiality, integrity, and availability) and the output, i.e. the level of security risk. The levels of confidentiality, integrity, and availability are used in the antecedent of the rules and the level of security risk as the consequent of the rules. A fuzzy rule is a conditional statement in the form: IF x is A THEN y is B, where x and y are linguistic variables and A and B are linguistic values determined by fuzzy sets on the universes of discourse X and Y, respectively. Both the antecedent and the consequent of a fuzzy rule can have multiple parts. All parts of the antecedent are calculated simultaneously and resolved in a single number, and the antecedent affects all parts of the consequent equally. Some of the rules used in the design of this fuzzy system are as follows:

1. If (Confidentiality is Not Confidential) and (Integrity is Very Low) and (Availability is Very Low) then (Security Risk is Not Secure).
2. If (Confidentiality is Not Confidential) and (Integrity is Very Low) and (Availability is Low) then (Security Risk is Slightly Secure).
3. If (Confidentiality is Extremely Confidential) and (Integrity is Extra High) and (Availability is High) then (Security Risk is Slightly Secure).
...
125. If (Confidentiality is Not Confidential) and (Integrity is Very Low) and (Availability is High) then (Security Risk is Extremely Secure).

The rules above were formulated using the Mamdani max-min fuzzy reasoning.

DEVELOPMENT AND IMPLEMENTATION

The linguistic variables were determined from the extent of the positive and negative responses to well constructed security questions that are presented in the form of an on-line questionnaire. As mentioned earlier, MATLAB was used for the implementation. The linguistic inputs to the system are supplied through the graphical user interface called the rule viewer. Once the rule viewer has been opened, the input variables are supplied in the text box captioned input, with each of them separated by a space.

a) THE FIS EDITOR

The fuzzy inference system editor shows a summary of the fuzzy inference system. It shows the mapping of the inputs to the system type and to the output. The names of the input variables and the processing methods for the FIS can be changed through the FIS editor.

Figure 5 The FIS editor

b) THE MEMBERSHIP FUNCTION EDITOR

This can be opened from the command window by using the plotmf function but more easily through the GUI. The membership function editor shows a plot of the highlighted input or output variable along its possible ranges and against the probability of occurrence. The name and the range of a membership value can be changed, so also the range of the particular variable itself, through the membership function editor.

Figure 6 The Membership Function editor

c) THE RULE EDITOR

The rule editor can be used to add, delete or change a rule. It is also used to change the connection type and the weight of a rule. The rule editor for this application is shown in figure 7.
Figure 7 Rule Editor

d) THE RULE VIEWER

The text box captioned input is used to supply the three input variables needed in the system. The appropriate input corresponds to the number of YES answers in the questionnaire for each of the input variables. For example, in figure 8, all the input variables are 5 and the corresponding output is 13.9, which is specified at the top of the corresponding graphs. The input for each of the input variables is specified at the top of the section corresponding to them, so also the output variable. The rule viewer for this work is presented in figure 8.

Figure 8 The Rule editor

e) THE SURFACE VIEWER

The surface viewer shown in figure 9 is a 3-D graph that shows the relationship between the inputs and the output. The output (Security Risk) is represented on the Z-axis while 2 of the inputs (Confidentiality and Integrity) are on the x and y axes and the other input (Availability) is held constant. The surface viewer shows a plot of the possible ranges of the input variables against the possible ranges of the output.

4) EVALUATION

The security risk analysis system was evaluated using three newly completed software products from three different software development organizations. The output determines the security level of the software under consideration. The summary of the evaluation is given in figure 11. For product A, 5 is the score for confidentiality, 5 for integrity and 5 for availability.

Software product    Input       Output    Significance                              Security Level
Product A           5 5 5       13.9      45% slightly secure, 55% secure           46.33 %
Product B           8 7 8       24.2      20% secure, 80% very secure               80.60 %
Product C           10 10 10    28.4      35% very secure, 65% extremely secure     94.67 %

Table 5 Evaluation of Different Input Variables

Figure 9 The Surface Viewer

Figure 10 Histogram & 3D

CONCLUSION AND FINDING

Thus, this work proposes a fuzzy logic-based technique for determination of the level of security risk associated with software systems.
Fuzzy logic is one of the major tools used for security analysis. The major goals of secure software, which are used as the inputs to the system, are the preservation of confidentiality (preventing unauthorized disclosure of information), preservation of integrity (preventing unauthorized alteration of information) and preservation of availability (preventing unauthorized destruction or denial of access or service to an authorized user). It might be necessary to redesign this system in a way that it will be deployable without the use of MATLAB. It might also be necessary to use an adaptive fuzzy logic technique for security risk analysis.

We have been able to design a system that can be used to evaluate the security risk associated with the production of secure software systems. This will definitely help software organizations meet up with the standard requirements. A technique for assessing the security of a software system before final deployment has been presented. The result of this study shows that if software producing companies incorporate security risk analysis into the production of software systems, the problem of insecurity of software will be held to the minimum if not eliminated. This study has also revealed that if each of the software security goals can be increased to the maximum, then the level of security will also be increased and the associated risk will be eliminated. Finally, security risk analysis is a path towards producing secure software and should be considered a significant activity by software development organizations.
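The conclusion notes that the system may need to run without MATLAB. As an added example (not the authors' MATLAB model), the Python code below runs the same pipeline described above: triangular membership functions, Mamdani max-min inference over 125 rules, and centroid defuzzification. The modal values and the rule consequents (rounded mean of the three input levels) are assumptions, because the page gives neither the triangle parameters nor the full rule base, so the scores will not match Table 5.

```python
from itertools import product

def tri(x, a, b, c):
    """Triangular membership: 0 at a and c, 1 at the modal value b."""
    if x == b:
        return 1.0
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x < b else (c - x) / (c - b)

def partition(peaks):
    """One triangle per level, spanning the neighbouring modal values."""
    ext = [peaks[0]] + peaks + [peaks[-1]]
    return [tuple(ext[k:k + 3]) for k in range(len(peaks))]

# ASSUMED modal values (not given on the page): five levels per variable.
IN_SETS = partition([0.0, 2.5, 5.0, 7.5, 10.0])     # C, I, A on the 0-10 scale
OUT_SETS = partition([0.0, 6.5, 14.0, 22.0, 30.0])  # security level, 0-30

def fire_rules(c, i, a):
    """Max-min inference over a stand-in 125-rule base.
    Returns the firing strength of each of the five output levels."""
    if not all(0 <= v <= 10 for v in (c, i, a)):
        raise ValueError("scores must lie on the 0-10 input scale")
    mu = [[tri(v, *t) for t in IN_SETS] for v in (c, i, a)]
    strength = [0.0] * 5
    for lc, li, la in product(range(5), repeat=3):
        fire = min(mu[0][lc], mu[1][li], mu[2][la])  # AND -> min
        out = (lc + li + la + 1) // 3                # ASSUMED: rounded mean level
        strength[out] = max(strength[out], fire)     # aggregation -> max
    return strength

def risk_score(c, i, a, steps=3000):
    """Centroid of the clipped, aggregated output sets on 0-30."""
    strength = fire_rules(c, i, a)
    num = den = 0.0
    for k in range(steps + 1):
        y = 30.0 * k / steps
        m = max(min(s, tri(y, *t)) for s, t in zip(strength, OUT_SETS))
        num, den = num + y * m, den + m
    return num / den

if __name__ == "__main__":
    # Input triples taken from Table 5; outputs depend on the assumptions above.
    for name, scores in [("A", (5, 5, 5)), ("B", (8, 7, 8)), ("C", (10, 10, 10))]:
        s = risk_score(*scores)
        print(f"Product {name}: {s:.1f} / 30 ({100 * s / 30:.1f} %)")
```

Replacing the assumed consequent with the authors' actual 125 rules only requires swapping the `out = ...` line for a lookup table keyed by the three input levels.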
