Pradeep K. Murukannaiah

A Domain-Independent Model for Identifying Security Requirements

Existing work on identifying security requirements relies on training binary classification models using domain-specific data sets to achieve a high accuracy. Considering that domain-specific data sets are often not readily available, we propose a domain-independent model for classifying security requirements based on two key ideas. First, we train our model on the description of weaknesses from the Common Weakness Enumeration (CWE) data set. Although CWE does not describe requirements, it describes security weaknesses that are manifestations of unrealized security requirements. Second, we exploit a one-class classification model that relies only on positive samples (description of weaknesses in CWE), eliminating the need for negative samples, collecting which can be nontrivial.We evaluated our model on three industrial requirements documents from different domains. We found that a One-Class Support Vector Machine trained with domain-independent CWE data set outperforms a model from prior literature by identifying security requirements with an average precision, recall and F-score of 67.35%, 70.48% and 67.68%, respectively. Further, considering data sets from prior literature (consisting of both positive and negative examples), we found that one-class classifiers trained with only positive examples outperformed binary classifiers trained with both positive and negative examples in two out of three evaluation data sets, demonstrating the potential value of one-class classification for security requirements identification.

Canary: Extracting Requirements-Related Information from Online Discussions

Online discussions about software applications generate a large amount of requirements-related information. This information can potentially be usefully applied in requirements engineering; however currently, there are few systematic approaches for extracting such information. To address this gap, we propose Canary, an approach for extracting and querying requirements-related information in online discussions. The highlight of our approach is a high-level query language that combines aspects of both requirements and discussion in online forums. We give the semantics of the query language in terms of relational databases and SQL. We demonstrate the usefulness of the language using examples on real data extracted from online discussions. Our approach relies on human annotations of online discussions. We highlight the subtleties involved in interpreting the content in online discussions and the assumptions and choices we made to effectively address them. We demonstrate the feasibility of generating high-quality annotations by obtaining them from lay Amazon Mechanical Turk users.

Natural Language Insights from Code Reviews that Missed a Vulnerability

Engineering secure software is challenging. Software development organizations leverage a host of processes and tools to enable developers to prevent vulnerabilities in software. Code reviewing is one such approach which has been instrumental in improving the overall quality of a software system. In a typical code review, developers critique a proposed change to uncover potential vulnerabilities. Despite best efforts by developers, some vulnerabilities inevitably slip through the reviews. In this study, we characterized linguistic features—inquisitiveness, sentiment and syntactic complexity—of conversations between developers in a code review, to identify factors that could explain developers missing a vulnerability. We used natural language processing to collect these linguistic features from 3,994,976 messages in 788,437 code reviews from the Chromium project. We collected 1,462 Chromium vulnerabilities to empirically analyze the linguistic features. We found that code reviews with lower inquisitiveness, higher sentiment, and lower complexity were more likely to miss a vulnerability. We used a Naive Bayes classifier to assess if the words (or lemmas) in the code reviews could differentiate reviews that are likely to miss vulnerabilities. The classifier used a subset of all lemmas (over 2 million) as features and their corresponding TF-IDF scores as values. The average precision, recall, and F-measure of the classifier were 14%, 73%, and 23%, respectively. We believe that our linguistic characterization will help developers identify problematic code reviews before they result in a vulnerability being missed.

Robust Norm Emergence by Revealing and Reasoning about Context: Socially Intelligent Agents for Enhancing Privacy

Norms describe the social architecture of a society and govern the interactions of its member agents. It may be appropriate for an agent to deviate from a norm; the deviation being indicative of a specialized norm applying under a specific context. Existing approaches for norm emergence assume simplified interactions wherein deviations are negatively sanctioned. We investigate via simulation the benefits of enriched interactions where deviating agents share selected elements of their contexts. We find that as a result (1) the norms are learned better with fewer sanctions, indicating improved social cohesion; and (2) the agents are better able to satisfy their individual goals. These results are robust under societies of varying sizes and characteristics reflecting pragmatic, considerate, and selfish agents.

Ethics, values, and personal agents: poster

We address the problem of designing privacy-preserving ethical personal agents that understand and act according to their users preferred values and ethical principles, and provide a satisfying social experience to all their stakeholders.

Canary: An Interactive and Query-Based Approach to Extract Requirements from Online Forums

Interactions among stakeholders and engineers is key to Requirements engineering (RE). Increasingly, such interactions take place online, producing large quantities of qualitative (natural language) and quantitative (e.g., votes) data. Although a rich source of requirements-related information, extracting such information from online forums can be nontrivial.We propose Canary, a tool-assisted approach, to facilitate systematic extraction of requirements-related information from online forums via high-level queries. Canary (1) adds structure to natural language content on online forums using an annotation schema combining requirements and argumentation ontologies, (2) stores the structured data in a relational database, and (3) compiles high-level queries in Canary syntax to SQL queries that can be run on the relational database.We demonstrate key steps in Canary workflow, including (1) extracting raw data from online forums, (2) applying annotations to the raw data, and (3) compiling and running interesting Canary queries that leverage the social aspect of the data.

Toward Automating Crowd RE

Crowd RE is an emerging avenue for engaging the general public or the so called crowd in variety of requirements engineering tasks. Crowd RE scales RE by involving, potentially, millions of users. Although humans are at the center of Crowd RE, automated techniques are necessary (1) to derive useful insights from large amounts of raw data the crowd can produce; and (2) to drive the Crowd RE process, itself, by facilitating novel workflows combining crowd and machine intelligence.To facilitate automated techniques for Crowd RE, first, we showcase a crowd-acquired dataset, consisting of requirements and their ratings on multiple dimensions for the smart homes application domain. Our dataset is unique in that it contains not only requirements, but also the characteristics of the crowd workers who produced those requirements including their demographics, personality traits, and creative potential. Understanding the crowd characteristics is essential to developing effective Crowd RE processes. Second, we outline key challenges involved in automating Crowd RE and describe, how our dataset can serve as a foundation for developing such automated techniques.

SMASC 2017: First International Workshop on Social Media Analytics for Smart Cities

In an increasingly digital urban setting, connected & concerned Citizens typically voice their opinions on various civic topics via social media. Efficient and scalable analysis of these citizen voices on social media to derive actionable insights is essential to the development of smart cities. The very nature of the data: heterogeneity and dynamism, the scarcity of gold standard annotated corpora, and the need for multi-dimensional analysis across space, time and semantics, makes urban social media analytics challenging. This workshop is dedicated to the theme of social media analytics for smart cities, with the aim of focusing the interest of CIKM research community on the challenges in mining social media data for urban informatics. The workshop hopes to foster collaboration between researchers working in information retrieval, social media analytics, linguistics; social scientists, and civic authorities, to develop scalable and practical systems for capturing and acting upon real world issues of cities as voiced by their citizens in social media. The aim of this workshop is to encourage researchers to develop techniques for urban analytics of social media data, with specific focus on applying these techniques to practical urban informatics applications for smart cities.