Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.



Published on

  • Be the first to comment

  • Be the first to like this


  1. 1. Prof. D.M.Thakore, Torana N.Kamble / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 5, September- October 2012, pp.1574-1577 Validating UML Diagram for Security Prof. D.M.Thakore *, Torana N.Kamble.***(Department of Computer Engineering, Bharti Vidyapeeth Deemed University, College of Engineering, Pune) **(M.Tech. Student, Department of Computer Engineering, Bharti Vidyapeeth Deemed University College of Engineering, Pune )ABSTRACT Now days there are different quality of object oriented and keep track of designattributes of software artifacts but security has performance. Mainly two kinds of metrics are usedgot less responsiveness because of different for object oriented design namely-Static metrics andreasons. Like lack of knowledge about which Dynamic metrics. Static metrics are obtained fromproperties must be considered when it comes to static analysis and dynamic metrics are computed onevaluate security because definition of security is the basis of data collected during the execution ofdifferent for different organization and code. Traditional metrics for measuring softwareaccordingly they implement the security metrics. such as Lines of Code (LoC) have been found to beSecure software development is still research insufficient for analysis of object-Oriented software.topic in many organizations, because of the The suite of metrics proposed by Chidamber andfailure in designing security at early stage. Kemerer are useful to measure static feature ofTraditional approaches focus primarily on code. These code metrics computes different aspectsantivirus, firewall, intrusion detection, but all are of complexity of the source code, but not able toat the level of individual program statements and accurately predict the dynamic behaviour of anso on. This approach makes it difficult and costly application is as yet unproven. [8]to determine and repair weakness caused by Evaluating the dynamic behaviour of andesign errors. It has been seen that flaws are left application at run time with static metrics is difficultin the software design during development because its behaviour will be influenced by theprocess are responsible for successful attack. The operational environment as well as complexity ofproper care should be taken at the design level object-oriented software.Different metrics have beenonly. developed for software quality attributes of object- Proposed approach describes oriented designs such as performance, reusability,identification of secure design at early stage with and reliability. However, metrics which measure thethe help of design level security metrics and quality attribute of information security haveGenetic algorithm (GA). received little attention as security is non-functional The reason of using this algorithm is to quality attribute.exploit previous and alternate solution and Moreover, existing security metricsprovides multiple solutions to speedup. Then it measures the system at high level i.e. the wholedetermines the security aspects of program system’s level or at a low level i.e. the programduring execution using set of metrics. It can be code’s level. These approaches are tough and costlyachieve by finding some method to log all to determine and fix weaknesses caused by softwareoccurrences of object instantiations, deletions, design errors. [3]method invocations, and direct reference to To overcome these difficulties designattributes while the system is executing. metrics have been developed which measures security at design level. Proposed system appliesKeywords- Design, Measurement, Software these design level metrics and gives secure designSecurity, Security, Quality Metrics, Software .The advantage of this technique is the cost andMetrics. efforts needed to solve the problems after implementation get reduced as it discovers errors atI. INTRODUCTION early stage. And after implementing that secure Due to the modularity and reusability many design it can be tested by different dynamic projects are shifted from traditionalstructured development to object oriented design. In II. LITERATURE SURVEYthis Object Oriented approach metrics are useful tool There are different ways of reducingto measure different quality attributes. Metrics are a security risks and vulnerabilities. But a commonmeans for attaining more accurate estimations of approach is to enforce security at theproject milestones, and developing a software implementation stage only [5].system that contains minimal faults. There is project A survey has shown that most of thebase metrics which keep track of project security metrics calculate the security at systemmaintenance, budgeting etc. whereas Design based level it considers system as whole. These aremetrics describe the complexity, size and robustness referred as a high level metrics. These metrics check 1574 | P a g e
  2. 2. Prof. D.M.Thakore, Torana N.Kamble / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 5, September- October 2012, pp.1574-1577out not only software but also many other aspects of ES2: It is atool for collecting object oriented designthe system.[2] metrics from C++ and Java Code.It is helpful for Several projects have inspected information making quality management decisions in practices.flow through computer program code, by type Chidamber & Kemmerer Java Metrics: It is ananalysis, data/control flow analysis, and different open source tool to access CK Object Orientedother ways of identifying and eliminating program Design quality metric by processing the byte-code ofcode vulnerabilities.[10] There are number of compiled Java files. It is command line version andsecurity metrics that assess the security of a given generates output in text format.program based on code inspections. However, their QJ-Pro: It is java review tool used to find the errorsmetrics require full system implementations to related with the language standards. It normally usedassess security which makes it impossible to fix during testing phase.problems at design time. [4] Instead, the mostefficient approach is to enforce security at early VizzAnalyzer: It is a quality analysis tool, readsphases of the software development lifecycle such as software code and other design specifications asduring the design phase. The National Institute of well as documentation and performs a number ofStandards and Technology stated that eliminating quality analyses.vulnerabilities in the design stage can cost 30 timesless than fixing them at a later stage. One of the Semmle: Semmle is basically java testing tool usedearliest studies in this area was the development of to enforce coding conventions by findingsoftware security design principles, these principles programming bug patterns, to compute softwareare intended as guidance to help develop secure metrics. All these tasks can be formulated as queriessystems, mainly operating systems, and are not in an object-oriented query language named QL.capable of quantifying the security levels of designs.Thus, there is a need for security metrics which OOMeter: This tool is useful for measuring eachobjectively measure the security of a given program artifacts produced during software development lifedirectly from its design artifacts. [6] Study cycle, like requirements, specification, designconducted by B. Alshammari et al. [3] defined model, source code, test specification.different security metrics to identify secure design Table I shows different existing tools with theamong different design which are obtained after different coupling metrics .There are design levelrefactoring. tools as well as code level tools. Table I – Supported metrics in Existing AvailableIII. EXISTING TOOLS AND COMPARATIVE ToolsSTUDY Tools Metrics Following are the existing tools which C W N R C D Dmeasures quality of software based on defined B M O F O I Ametrics. Some of them can be applied at design level O C C C F T Cand some are at code level.[13] Classycle --- --- --- --- --- Y ---Classycle:It analyses static class and packagedependencies in java. It overcome limitation of JDepend --- --- Y --- --- Y ---JDepend i.e. it finds cyclic dependencies between ES2 Y Y Y --- --- --- ---classes and packages Semmle --- --- Y Y --- Y ---JDepend: JDepend automatically measures quality OOMeter Y --- Y --- --- Y ---of design by managing package dependency. It VizzAnaly Y Y Y Y --- Y ---examines design and checks weather design shows zerspecified quality or not during refactoring. But it has CKJ Y Y Y Y --- Y ---some limitations like Cyclic dependency detection,does not collect source code complexity metrics and IV. COUPLING AND SOFTWARE SECURITYit can’t differs Java interfaces and Java abstract Coupling is the interaction betweenclasses. different software components. It is an internal software property whereas security is external. But JHAWK: It is a stand-alone, Eclipse many studies have been shown that coupling isPlugin, command line version It useful to measure closely associated with the Security of software. Theparameters like Cyclometric Complexity,NOP by reason behind this is when information passedcomputing loops and iterations existing in a among different components there is moreprogram. Its disadvantage is Halstead metrics are not probabilities that it is exposed. It makes sense toused for measuring the program. Limitation of this assume that coupling is important factor that affectstool is it accepts only java code. security of software. Thus, proposed system aims to 1575 | P a g e
  3. 3. Prof. D.M.Thakore, Torana N.Kamble / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 5, September- October 2012, pp.1574-1577develop tool which device security metrics by taking V. SYSTEM DESCRIPTIONinto consideration this association. From above study it is clear that there are different tools to measure the quality of software atSupported Coupling Metrics:- design level as well as code level. Each tool includesHere are some of the coupling metrics that can be different set of metrics to measure different qualitydevised in proposed system[6]- attributes. When user uses any tool at design level to 1. RFC (Response for a Class) is the number validate the design with the help of included set of of the methods that can potentially be metrics then there is need to assess the implemented invoked in response to a public message code with same set of metrics. received by an object of a particular class. Proposed tool facilitate user to measure If the number of methods that can be security by applying tool at design level as well as invoked from a class is high, it is more code with same set of metrics. In this it concerns difficult and highly coupled to some only one feature of object oriented design which is methods. highly associated with the security i.e. coupling. 2. WMC (Weighted Methods per Class) is Proposed system is involves three modules, which defined as the weighted sum of all class’s works in sequential manner. methods. It is a measure for the complexity First module accepts UML diagram as a of classes. More complex classes are more input and applies Genetic algorithm on it. Here GA error-prone, harder to analyze and test. It is is used to obtain more than one design which fulfills expected that complex classes have higher different levels of fitness function. These alternate change rates because of bug fixing and designs are of three levels of security i.e. High refactoring activities. secure, medium secure, low secure. 3 CBO (Coupling Between Object Classes) is the number of classes that a class is coupled to. It is calculated by counting other classes Secure Secure Design UML design whose attributes or methods are used by the Genetic level design given classes plus those that use the diagram Algo metric attributes or methods of the given class.If a s Metrics class is highly coupled with other classes, result changes in other classes can also cause changes in that class. Module-1 4 (DIT) Depth of Inheritance Tree: the maximum depth of the class in the GA is a search in which successor states inheritance tree. It measures the number of are generated from two parent states. It starts with potential ancestor classes that can affect a randomly generated population. It evolves through class, i.e., it measures inter-class coupling three phases selection, crossover and mutation. due to inheritance. Finally best solution is chosen based on the 5 (NOC) Number Of Children: the number of optimization criteria. Each state is assessed by immediate sub-classes of a class or the fitness function. Then different Security related count of derived classes. If class class A coupling metrics are applied on all levels of secure inherits class classB, then class B is the design and stores result. base class and class A is the derived class. In second module code is implemented for In other words, class A is the children of highly secure or medium or low secure design .Then class class B, and class B is the parent of this implemented code get evaluated based on the class class B. NOC measures inheritance security related same coupling metrics. Means it complexity. checks coupling aspect at code level to provide 6 COF(Coupling factor):Coupling factor security. measures the actual coupling among classes .Maximum coupling accursed when all classes are coupled with each other. But Code level maximum coupling leads to complexity Secure Metrics Coupling design from result which is in tern leads to need of security. Module-1 Metrics 7 DAC(Data Abstraction Coupling): This metric measures the number of instantiations of other classes within the given class. It is not caused due to inheritance or the object oriented paradigm. Module - 2 The higher the DAC, the more complex the data structure (classes) of the system 1576 | P a g e
  4. 4. Prof. D.M.Thakore, Torana N.Kamble / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 5, September- October 2012, pp.1574-1577Third module is nothing but the validation of all [4] I. Chowdhury, B. Chan, and M.designs. It compares metrics results computed at Zulkernine, “Security metrics fordesign level and code level to generate the graph. sourcecode structures,” in Proceedings of the Fourth International Workshop onSoftware Engineering for Secure Systems, (Leipzig, Germany), ACM, 2008.. [5] Smriti Jain, “A Review of Security Metrics in Software Development Process” et al / (IJCSIT) International Journal of Computer Science and Information Technologies, 2011. [6] IstehadChowdhury, Mohammad ZulkernineVI. CONCLUSION “Can Complexity, Coupling, and Cohesion Existing software metric tools interpret and Metrics be Used as Early Indicators ofimplement the definitions of object-oriented Vulnerabilities?” ACM metrics differently. This provides results [7] S. Chidamber and C. Kemerer, “A metricsbased on tool-dependent metrics and has even suite for object oriented design,” IEEEallegations on the results of analyses based on these Transactions on Software Engineering, vol.metrics results. In short, the metrics based 20, pp. 476–493, 1994.,assessment of a software system and measures taken [8] M. Fowler, Refactoring: Improving Theto improve its design differ considerably from tool Design of Existing Code. Reading, MA:to tool. So the limitation is all tools are platform Addison-Wesley, 1999dependent. There are separate tools for dynamic [9] Payal Khurana&Puneet Jai Kaurmetrics, static metrics and for reverse engineering. DYNAMIC METRICS AT DESIGN LEVELBut the proposed system develops a tool which ,International Journal of Informationapplies dynamic as well as static metrics on design Technology and Knowledge Managementby considering coupling of classes and objects. And July-December 2009, Volume 2, No. 2, pp.also applies reverse engineering to validate the 449-454design. Again in proposed tool uses genetic [10] AmjanShaik,C. R. K. Reddy, BalaManda,algorithm for alternate designs. Benefit to use this Prakashini. C, Deepthi. K, “An Empiricalalgorithm is it is easy to understand and multi object Validation of Object Oriented Designoptimizer. Metrics in Object Oriented Systems” There is lot of scope in future work as the Journal of Emerging Trends in Engineeringdynamic metrics are related with the behaviour of and Applied Sciences (JETEAS) ,(ISSN:the program, they have advantage of more precise, 2141-7016).but difficult to implement compare to static one .So [11] John Lloyd1 and Jan Jürjens2,„Securitythere is clear opportunity for researcher to work in Analysis of a Biometric Authenticationhybrid approach where dynamic results can be System „Using UMLsec and JML*, A.augmented by static information for collection of Schürr and B. Selic (Eds.): MODELS 2009,metrics data. LNCS 5795, pp. 77–91, 2009.,© Springer- Verlag Berlin Heidelberg 2009REFERENCES [12] M. Y. Liu and I. Traore, “Empirical [1] J. Bansiya and C. G. Davis, “A relation between coupling and attackability hierarchical model for object-oriented in software systems: a case study on DOS,” design quality assessment,” IEEE in Proceedings of the 2006 Workshop on Transactions on Software Engineering, vol. Programming Languages and Analysis for 28, pp. 4–17, 2002 .. Security Ottawa. Ontario, Canada: ACM, [2] P K. Manadhata, K. M. C. Tan, R. A. 2006, pp. 57–64 Maxion, and J. M. Wing, “An approach to [13] Rüdiger Lincke, Jonas Lundberg and Welf measuring a system‟s attack surface,” Löwe,“Comparing Software Metric Tools”, Tech. Rep. CMU-CS- 07-146, Carnegie 2008 ACM 978-1-59593-904-3/08/07. Mellon University, Pittsburgh, PA, August 2007. [3] B. Alshammari, C. J. Fidge, and D. Corney, “Security metrics for object-oriented class designs,” in Proceedings of the Ninth International Conference on Quality Software (QSIC 2009), (Jeju, Korea), pp. 11–20, IEEE, 2009 1577 | P a g e