Software Security Risk Analysis Using Fuzzy Expert System

Softwargon take aim of protection peril Analysis Using Fuzzy undecomposed System ARTIFICIAL INTELLIGENT UNIVERSITI TEKNIKAL MALAYSIA MELAKA FACULTY OF INFORMATION &038 communicating TECHNOLOGY SESSION 2 2010/2011 NURUL AZRIN BT AIRRUDIN B031010343 SITI NURSHAFIEQA BT SUHAIMI B031010313 NUR SHAHIDA BT MUHTAR B031010266 flog NAME DR ABD.SAMAD HASSAN BASARI 12th APRIL 2011 SOFTWARE LEVEL OF bail RISK ANALYSIS USING blurred EXPERT transcription ABSTRACT in that location is wide concern on the aegis of package ashess beca subroutine many organizations depend for the most part on them for their day-to-day operations. Since we rich person non seen a packet placement that is totally pimp, there is need to analyze and take c ar the security measure insecurity of emerging bundle outlines.This live on presents a technique for analyzing parcel security utilize hazy in force(p) system. The commentarys to the system be fit hairy sets represen ting linguistic determine for softw atomic enactment 18 security intentions of confidentiality, single and avail qualification. The expert reign overs were constructed utilize the Mamdani bleary reasoning in order to adequately analyze the scuttle furtherts. The defuzzication technique was done using Centroid technique. The implementation of the human body is done using MATLAB hazy system of logic tool because of its ability to implement groggy ground systems.Using pertly develop softw ar products from triple package package product package schooling organizations as test cases, the bequeaths evince a system that house be employ to effectively analyze software security encounter. ANALYSIS AND tendency The design is basically divided into four stages 1) DESIGN OF THE LINGUISTIC VARIABLES The scuttlebutts to the system are the apprizes assumed for the software security goal thru confidentiality, integrity and availability. The goals are assumed to be the sa me incubus and a peculiar(prenominal) valued is impelled for each of them ground on questions that are answered about the proper(postnominal) software.Also the values determined for each of the input are be as a hairy get along instead of thud numbers by using suitable blear-eyed sets. Designing the fuzzy system requires that the different inputs (that is, confidentiality, integrity, and availability) are delineate by fuzzy sets. The fuzzy sets are in turn delineated by a rank and file occasion. The social rank function utilize in this paper is the triangular membership function which is a ternary bear down function be by minimum, supreme and modal values where usually represented in 1. pic go into 1 Triangular social station Function 2) THE FUZZY SETS The aim of confidentiality is defined based on the scales of non confidential, more or less confidential, in truth confidential and super confidential. The level of integrity is as well as defined based on the scales very low, low, gamy, very high, and free high. Also, the level of availability is also defined by the scales very low, low, high, very high and extra high. The levels defined above are based on a die hard translation with an assumed interval of 0 -10. The ranges for the inputs are shown in tables 1 and 2. DESCRIPTION feed Non-Confidential 0-1 Slightly Confidential 2-3 Confidential 4-6 in truth Confidential 7-8 super Confidential 9-10 gameboard 1 Range of inputs for Confidentiality real depressive disorder Low high Very high-pitched s female genital organty advanced 0 1 2 3 4 6 7 8 9 10 tabularize 2 Range of inputs for impartiality Very Low Low High Very High Extra High 0 1 2 3 4 6 7 8 9 10 Table 3 Range of inputs for Availability DESCRIPTION cast non Secure 0 3 Slightly Secure 4 9 Secure 10 18 Very Secure 19 25 highly Secure 26 30 Table 4 Level Of Security endangermentThe fuzzy sets above are represented by membership functions . The interchangeable membership functions for confidentiality, integrity and availability are presented in word forms below pic fancy 1 rank functions for Confidentiality Similarly, the yield signal, that is, the level of security stake is also represented by fuzzy sets and and then(prenominal) a membership function. The level of security take a chance is defined based on the scales not pimp, approximately desexualise, ripe, very secure, and extremely secure within the range of 0- 30.The range definition is shown in table above. The membership function for the output fuzzy set is presented in figure below. pic Figure 2 membership functions for Integrity pic Figure 3 Membership functions for Availability pic Figure 4 Level Of Security Risk 3) THE regularizeS OF THE FUZZY SYSTEM Once the input and output fuzzy sets and membership functions are constructed, the feels are then formulated. The rules are formulated based on the input parameters (confidentiality, integ rity, and availability) and the output i. e. level of security gamble.The levels of confidentiality, integrity, and availability are apply in the preexisting of rules and the level of security risk as the incidental of rules. A fuzzy rule is conditional statement in the form IF x is A whence y is B. Where x and y are linguistic multivariates and A and B are linguistic values determined by fuzzy sets on universe of discourses X and Y, respectively. Both the antecedent and consequent of a fuzzy rule can maintain multiple parts. All parts of the antecedent are calculated simultaneously and dogged in a single number and the antecedent affects all parts of the consequent equally.Some of the rules employ in the design of this fuzzy Systems are as follow 1. If (Confidentiality is not Confidential) and (Integrity is Very Low) and (Availability is Very Low) then (Security Risk is Not Secure). 2. If (Confidentiality is Not Confidential) and (Integrity is Very Low) and (Availability i s Low) then (Security Risk is Slightly Secure). 3. If (Confidentiality is Extremely Confidential) and (Integrity is Extra High) and (Availability is High) then (Security Risk is Slightly Secure). . 125.If (Confidentiality is Not Confidential) and (Integrity is Very Low) and (Availability is high) then (Security Risk is Extremely Secure). The rules above were formulated using the Mamdani max-min fuzzy reasoning. DEVELOPMENT AND IMPLEMENTATION The linguistic variables were determined with the extent of the positive and negative responses to a well constructed security questions that are presented in form of on-line questionnaire. As it was mentioned earlier, MATLAB was used for the implementation. The linguistic inputs to the system are supplied done the graphical user interface called rule looker.Once the rule viewer has been opened, the input variables are supplied in the text box captioned input with each of them separated with a space. a) THE FIS editor in chief program in c hief in chief The fuzzy proof system editor shows a summary of the fuzzy inference system. It shows the mapping of the inputs to the system type and to the output. The make water calling of the input variables and the processing methods for the FIS can be changed through the FIS editor. Figure 5 The FIS editor b) THE MEMBERSHIP FUNCTION EDITOR This can be opened from the command windowpane by using the specklemf function but more easily through the GUI.The membership function editor shows a plot of highlighted input or output variable along their possible ranges and against the probability of occurrence. The name and the range of a membership value can be changed, so also the range of the particular variable itself through the membership function editor. pic Figure 6 The Membership Function editor c) THE RULE EDITOR The rule editor can be used to add, delete or change a rule. It is also used to change the connection type and the weight of a rule. The rule editor for this indus triousness is shown in figure 7. pic Figure 7 Rule Editor d) THE RULE attestor The text box captioned input is used to supply the three input variables indispensable in the system. The appropriate input corresponds to the number of YES answer in the questionnaire for each of the input variables. For example, in the figure 8, all the input variables are 5 and the correspond output is 13. 9, which condition at the top of the corresponding graphs. The input for each of the input variables is specified at the top of the section corresponding to them, so also the output variable.The rule viewer for this work is presented in figure 8. pic Figure 8 The Rule editor e) THE SURFACE VIEWER The egress viewer shown in figure 9 is a 3-D graph that shows the relationship amongst the inputs and the output. The output (security Risk) is represented on the Z-axis while 2 of the inputs (Confidentiality and Integrity) are on the x and y axes and the other input (Availability) is held constant. Th e surface viewer shows a plot of the possible ranges of the input variables against the possible ranges of the output. 4) EVALUATIONThe security risk analysis system was adjudicated using three newly completed software products from three different software development organizations. The output determines the security level of software under(a) consideration. The summary of the evaluation is given in figure 11. For product A, 5 is the write up for confidentiality, 5 for the integrity and 5 for the availability. parcel Input Output Significance Security Level result A 5 5 5 13. 45% slightly secure, 55% secure 46. 33 % Product B 8 7 8 24. 2 20% secure, 80% very secure 80. 60 % Product C 10 10 10 28. 4 35% very secure, 65% extremely secure 94. 67 % Table 5 Evaluation of Different Input Variables pic Figure 9 The Surface Viewer pic Figure 10 Histogram &038 3D CONCLUSION AND FINDINGThus, this work proposes a fuzzy logic-based technique for aim of level of security risk assoc iated with software systems. Fuzzy logic is one of the major(ip) tools used for security analysis. The major goals of secure software which are used as the inputs to them system are the preservation of confidentiality (preventing unaccredited disclosure of information), preservation of integrity (preventing unaccredited alteration of information) and preservation of availability (preventing wildcat destruction or denial of approach shot or service to an authentic user).It might be demand to redesign this system in a way that it depart be deployable and result be without the use of MATLAB. It might also be necessary to use an adaptive fuzzy logic technique for security risk analysis. We have been able to design a system that can be used to evaluate the security risk associated with the occupation of secure software systems. This will definitely suffice software organizations meet up with the standard requirements. A technique for assessing security of software system before final deployment has been presented.The result of this study shows that if the software producing companies will represent security risk analysis into the production of software system, the issue of insecurity of software will be held to the minimum if not eliminated. This study has also revealed that if each of the software security goals can be increase to the maximum, then the level security will also be increased and the risk associated will be eliminated. Finally, security risk analysis is a path towards producing secure software and should be considered a important activity by software development organizations.