Title | A Threat Analysis Methodology for Security Requirements Elicitation in Machine Learning Based Systems |
Publication Type | Conference Paper |
Year of Publication | 2020 |
Authors | Wilhjelm, Carl; Younis, Awad A. |
Conference Name | 2020 IEEE 20th International Conference on Software Quality, Reliability and Security Companion (QRS-C) |
Date Published | December |
Keywords | Adversarial Machine Learning, Attack Libraries, Human Behavior, Libraries, Metrics, Model Inference and Perturbation and Evasion Attacks, Perturbation methods, pubcrawl, Reliability engineering, Requirements Elicitation Using Threat Modeling, Resiliency, security, Security Requirements Engineering, software quality, software reliability, STRIDE, Systematics, threat mitigation |
Abstract | Machine learning (ML) models are now a key component for many applications. However, machine learning based systems (MLBSs), those systems that incorporate them, have proven vulnerable to various new attacks as a result. Currently, there exists no systematic process for eliciting security requirements for MLBSs that incorporates the identification of adversarial machine learning (AML) threats with those of a traditional non-MLBS. In this research study, we explore the applicability of traditional threat modeling and existing attack libraries in addressing MLBS security in the requirements phase. Using an example MLBS, we examined the applicability of 1) DFD and STRIDE in enumerating AML threats; 2) Microsoft SDL AI/ML Bug Bar in ranking the impact of the identified threats; and 3) the Microsoft AML attack library in eliciting threat mitigations to MLBSs. Such a method has the potential to assist team members, even with only domain specific knowledge, to collaboratively mitigate MLBS threats. |
DOI | 10.1109/QRS-C51114.2020.00078 |
Citation Key | wilhjelm_threat_2020 |