Chat with us, powered by LiveChat Read the articles attached and write a paper according to the description provided. | acewriters

1. Read main article and find a research question to work on research article Research Question taken from main article is : How misuse case requirements are collected and handled using the frameworks in a Hospital System?2.Task is to find more papers that answers the question : I have found 2 articles (article 1,2) that i think are answering the research question find 1 more 3. write a 10 page research paper addressing the research question mentioned above using the papers I have attached :Paper Format : Times new roman-12 single spacingAbstract1. Introduction – research question motivation2. Background 3. Summaries – concatenate all the paper summaries here4. Discussion – synthesis matrix (…) Follow the link to complete this section5. Conclusion- circle back to the research question6. References



Unformatted Attachment Preview

2016 IEEE 24th International Requirements Engineering Conference
NANE: Identifying Misuse Cases Using Temporal
Norm Enactments
Özgür Kafalı, Munindar P. Singh, and Laurie Williams
Department of Computer Science
North Carolina State University
Raleigh, NC 27695-8206, USA
{rkafali,singh,laurie williams}
However, Don circumvents these technical controls by using
Alice’s computer. That is, a breach occurs here because Alice
fails to end her EHR session, thereby inadvertently giving
(otherwise prohibited) access to Don.
This example illustrates the key limitation of RBAC: it is
impossible to prevent misuse because it occurs outside of the
technical realm. The only way to tackle misuse is through
social mechanisms, specifically, by making users accountable
for correct use. For example, Alice should be accountable for
ending her EHR session when her computer is unattended.
Logging is the established computational means to support
accountability of users. We define an event as a discrete
occurrence such as a user action (e.g., a physician accessing
a patient’s EHR) or an environment condition (e.g., a medical
emergency) becoming true or false. Logging seeks to record
each relevant event and its time of occurrence. However, current logging approaches suffer from two shortcomings. First,
they do not guarantee that all events necessary to assess misuse
are logged, thereby inadequately supporting accountability.
Second, they do not guarantee that only events necessary to
assess misuse are logged, thereby creating avoidable vulnerabilities through the log data itself [1]. These shortcomings
arise because of a lack of a suitable formal model based on
which to log events.
Accordingly, we propose NANE (from the Turkish slang
for shenanigans), a framework for identifying misuse cases.
NANE is based on a sociotechnical conception [29] that brings
together technical considerations such as how users access
assets via RBAC and social considerations such as the norms
that characterize users’ expectations of each other. We define
an enactment as a possible history of the system, including all
events along that history. We adopt a formal model for norms
(including conditional commitments, authorizations, and prohibitions, as explained below) that precisely describes (i) the
enactments in which each norm may be satisfied or violated,
and (ii) who is accountable for the norm. For example, Alice
accessing her patient’s EHR complies with the authorization
and prohibition of Example 1 for which she is accountable.
Our research goal is to help analysts identify misuse cases
by formal reasoning about norm enactments.
Abstract—Recent data breaches in domains such as healthcare
where confidentiality of data is crucial indicate that breaches
often originate from misuses, not only from vulnerabilities in
the technical (software or hardware) architecture. Current requirements engineering (RE) approaches determine what access
control mechanisms are needed to protect sensitive resources
(assets). However, current RE approaches inadequately characterize how a user is expected to interact with others in relation
to the relevant assets. Consequently, a requirements analyst
cannot readily identify misuses by legitimate users. We adopt
social norms as a natural, formal means of characterizing user
interactions whereby potential misuses map to norm violations.
Our research goal is to help analysts identify misuse cases by
formal reasoning about norm enactments. We propose N ANE,
a formal framework for identifying such misuse cases using
a semiautomated process. We demonstrate how N ANE enables
monitoring of potential misuses on a healthcare scenario.
Index Terms—Security requirements, sociotechnical systems
Data breaches pose a major threat to stakeholders of modern
software systems. Healthcare IT systems are no exception, and
millions of patients have suffered from compromised health
records in the recent years [22], [26]. Although some breaches
arise due to vulnerabilities in the software, an increasing
number of them are caused by misuse. For example, a failure
to erase patient data contained on photocopiers’ hard drives
led to the disclosure of 350,000 patient files, and resulted in
a fine of $1.2 million from the US Department of Health and
Human Services (HHS). Example 1 describes a typical misuse.
Example 1. A physician, Alice, and a nurse, Don, are
reviewing the electronic health records (EHR) of a patient
together on Alice’s computer. Each of them is authorized to
review EHRs of patients they are treating, and prohibited from
reviewing the EHRs of other patients. Alice receives a call and
leaves the room without ending her EHR session. Don knows
that Alice is treating one of his neighbors. He accesses his
neighbor’s EHR using Alice’s session.
The leading current approach for implementing security
requirements is role-based access control (RBAC) [23], which
provides an effective way of protecting access to sensitive
resources (assets). In Example 1, in regular (nonemergency)
practice, the hospital software does not allow any staff member
to access the EHR of a patient he or she is not treating.
2332-6441/16 $31.00 © 2016 IEEE
DOI 10.1109/RE.2016.34
Usage: A typical NANE episode proceeds as follows. First, a
requirements analyst specifies norms based upon stakeholder
RE 2016, Beijing, China
Research Paper
requirements. Second, NANE applies the formal semantics of
norms to generate all possible enactments of each stated norm,
differentiating between compliant and violating enactments.
For example, Don accessing his neighbor’s EHR is a violating
enactment of the norm that prohibits Don from accessing
EHRs of patients he is not treating. Third, an analyst modifies
the stated norms based on a review of these enactments.
Fourth, Nane produces formal representations of violating
enactments to enable the monitoring of potential misuses.
hold at the beginning of time. A fluent is a predicate whose
value can be changed in time due to the occurrence of events.
The holds at predicate queries the happened events to check
whether a fluent holds at a given time. The broken predicate
checks whether a fluent is made false (i.e., terminated) during
a time period (Ts and Te are both exclusive). The initiates
predicate states that an event makes a fluent true at a given
time. The terminates predicate states that an event makes a
fluent false at a given time. Briefly, a normative temporal
theory in EC consists of the following components:
• the domain-independent axioms of EC (Table I);
• the domain-independent normative theory that describes
the norm lifecycle (Section III-A);
• a domain model that describes which events initiate or
terminate which fluents in the domain; and
• an enactment given in the form of a list of happens
assertions (Listing 1) that describes what has occurred.
Note that the normative theory is relevant only to normbased EC formalizations like ours. The domain model contains
a list of initiates and terminates rules, e.g., the event of
a patient leaving a physician’s office terminates the fluent
regarding patient’s visit. An enactment in our formalization
corresponds to a narrative in the EC literature. Listing 1
demonstrates a sample enactment in EC.
Contributions: We address two main questions.
RQ1 Identification: How can we systematically enumerate the
potential misuse cases of a software system?
RQ2 Monitoring: How can we formally represent violations
of norms so as to enable monitoring of potential misuses?
We give a formal representation of norms and misuse
cases in the Event Calculus [20], a first-order logic with
primitives for events and temporal reasoning. We provide a
semiautomated process for identifying misuse cases. A formal
representation of norms enables us to automatically determine
which of the possible enactments violate norms (potential
misuse). We demonstrate how NANE enables monitoring of
potential misuses based on the proposed representation. These
contributions differentiate our work from the literature on
misuse, as discussed throughout the paper.
Section II reviews the relevant background.
Section III describes temporal norms and their enactments.
Section IV describes the details of the NANE framework and
how misuse cases are generated. Section V demonstrates how
NANE is used for monitoring of misuses. Section VI describes
the limitations of our work. Section VII reviews the relevant
literature. Section VIII presents future directions.
Listing 1
happens(give_consent(drBob, john), 1).
happens(access_EHR(drBob, john), 4).
happens(visit(drBob, john), 5).
happens(emergency(hospitalNC), 12).
happens(access_EHR(drBob, kate), 13).
happens(access_EHR(drAlice, adam), 13).
Each event is represented with a happens predicate describing the event and when the event happened. For example,
patient John gives physician Bob consent to view his EHR
at Time 1 (Line 1), or there is an emergency at hospitalNC at
Time 12 (Line 4). EC supports concurrent events in discrete
time. That is, multiple events can happen at the same time
point. For example, physicians Bob and Alice access patients’
EHR during the emergency (Lines 5–6). Such an enactment
can be extracted using the logs of EHR software (see the open
source OpenEMR project [2] for an example).
We review the necessary background for developing our
formalization on misuse cases, and demonstrating how this
formalization enables monitoring of potential misuse.
A. Temporal Reasoning
We use first-order logic to represent and reason about
misuse cases. Event Calculus (EC) [20] is an extension of
first-order logic to interpret and reason about events in time.
Table I summarizes the domain-independent axioms of EC.
happens(E, T)
Event E happens at Time T
Fluent F is true at Time 0
holds at(F, T)
Fluent F is true at Time T
B. Norms
We capture the interactions among users via social norms.
Definition 1 describes a norm. We adopt Singh’s [29] model of
social norms, and extend it with temporal constraints. Below,
N is a placeholder for C, A, P, signifying a commitment,
authorization, and prohibition, respectively.
broken(F, Ts, Te)
Fluent F is made false between times Ts and Te
Event E initiates fluent F at Time T
terminates at(E, F, T) Event E terminates fluent F at Time T
Definition 1. A norm N(SUBJECT, OBJECT, antecedent, consequent) is a directed relationship between its subject and object
about its consequent to be satisfied when its antecedent holds.
initiates at(E, F, T)
The happens predicate records events and the time points at
which they occur. The initially predicate specifies fluents that
Table II describes the formal syntax of norms. For simplicity, we describe norm syntax and semantics via exam-
never ant
never ant
never con
(a) Commitment (accountable: subject)
never ant
never con
(b) Authorization (accountable: object)
never con
(c) Prohibition (accountable: subject)
Fig. 1. Lifecycle of norms. Double rectangles represent terminal states (i.e., the norm’s lifecycle ends in those states). To highlight the differences, we use
the same layout of states in each diagram.

Listing 2
Commitment | Authorization | Prohibition
C(ROLE, ROLE, Expr, Expr)
A(ROLE, ROLE, Expr, Expr)
P(ROLE, ROLE, Expr, Expr)
true | φ | never Expr | ¬Expr | Expr ∧ Expr
ples. Below, PHYSICIAN, HOSPITAL, and PATIENT represent
roles to be instantiated with actual agent names at run time.
PATIENT ), access EHR( PHYSICIAN , PATIENT )) means that
physicians are authorized by a hospital to access their patients’ EHR. Commitment C(PHYSICIAN, HOSPITAL, true,
operate(PATIENT)) means that a physician is (unconditionally) committed to the hospital to operating upon patients.
PATIENT ), access EHR( PHYSICIAN , PATIENT )) means that a
physician is prohibited from accessing a patient’s EHR without
consent in regular practice (nonemergency) mode.
C. Requirements
We consider three types of requirements [7]: Must, Must
Not, and May. A Must requirement indicates a commitment for
its user. Consider the following requirement from HIPAA [32]:
a physician must obtain consent before accessing the patient’s
EHR. A Must Not requirement indicates a prohibition for its
subject (e.g., regarding security and privacy). Consider the
following: a physician must not disclose a patient’s protected
health information (PHI), which means that physicians are prohibited from performing any action that discloses the patient’s
PHI. A May requirement indicates an authorization. Consider
the following: a physician may access a patient’s EHR without
consent in emergencies. We assume that the requirements are
explicit, and do not tackle requirements elicitation.
%%% states %%%
conditional(N, T):holds_at(status(N, conditional), T).
expired(N, T):holds_at(status(N, expired), T).
detached(N, T):holds_at(status(N, detached), T).
satisfied(N, T):holds_at(status(N, satisfied), T).
violated(N, T):holds_at(status(N, violated), T).
%%% transitions %%%
terminates(E, status(N, conditional), T):expire(E, N, T).
initiates(E, status(N, expired), T):expire(E, N, T).
terminates(E, status(N, conditional), T):detach(E, N, T).
initiates(E, status(N, detached), T):detach(E, N, T).
terminates(E, status(N, detached), T):discharge(E, N, T).
initiates(E, status(N, satisfied), T):discharge(E, N, T).
terminates(E, status(N, detached), T):violate(E, N, T).
initiates(E, status(N, violated), T):violate(E, N, T).
Listing 2 considers four norm states: conditional, detached,
satisfied, and violated. Each state is described via a status
predicate (Lines 2–15). Transitions among states are described
via initiates and terminates predicates. An expire event terminates the conditional state (Lines 18–19), and initiates the
expired state (Lines 21–22). A detach event terminates the
We describe how to formalize norms and their enactments.
A. Temporal Norms
We incorporate deadlines in all norm types, extending
previous work on commitments [9], [16]. Listing 2 provides
the rules defining a norm’s lifecycle (as Figure 1 shows).
thorizations as privileges of the authorized party agrees with
established approaches [29], [33].
Definition 2 describes the EC proof procedure. Queries
can be given in the form of (i) ground predicates such as
“holds at(consent(drBob, john), 3).” for which the solution
is either true or false, or (ii) nonground predicates such as
“holds at(consent(drBob, Patient), 5).” for which the solution
consists of all patients who have given Bob consent.
conditional state (Lines 24–25), and initiates the detached
state (Lines 27–28). A discharge event terminates the detached
state (Lines 30–31), and initiates the satisfied state (Lines 33–
34). A violate event terminates the detached state (Lines 36–
37), and initiates the violated state (Lines 39–40). Note that
the lifecycle rules of Listing 2 apply to all norm types. The
lifecycle operations expire, detach, discharge, and violate are
specified for each norm type according to the lifecycle of that
norm type (Figure 1).
Definition 2. Given EC axioms Ax, a normative theory Th,
a domain model D, an enactment N , and a query Q, an EC
reasoner returns a solution set S, denoted S ⇐ EC(Ax, Th,
D, N , Q), based on the Prolog proof procedure [20].
Listing 3
T > Te.
B. Enactments
initiates(E, Ant, T),
T >= Ts, T =< Te. Definition 3. An enactment N is a finite set of event, time pairs {e1 , t1 , . . . , em , tm }. 10 11 12 discharge(E,p(S,O,Ant,Ta,Con,[Ts,Te]),T):detached(p(S,O,Ant,Ta,Con,[Ts,Te]),T), T > Te.
initiates(E, Con, T),
T >= Ts, T =< Te. Definition 3 formally defines an enactment. Recall that an EC formalization supports concurrent events. Definition 4 describes a compliant enactment with regards to an enactment (Definition 3) and the EC reasoner (Definition 2). An enactment N of a norm n is compliant if the events contained in N discharge n, i.e., n is satisfied at tm+1 , which is the next point in time after N ends. Definition 4. Let N = {e1 , t1 , . . . , em , tm } be an enactment. Let tm+1 = max({t1 , . . . , tm }) + 1 be the time point immediately after N . Then N is a compliant enactment of a norm n if and only if EC(Ax, Th, D, N , “satisfied(n, tm+1 ).”) Listing 3 describes the lifecycle operations that are specific to a prohibition. A prohibition is expired (Line 1) if no event that satisfies its antecedent happens within the antecedent deadline, i.e., Te passes (Line 3) when the prohibition is conditional (Line 2). This corresponds to the “never ant” transition shown in Figure 1(c), i.e., the antecedent is never initiated before the deadline. An event detaches a prohibition (Line 5) if the prohibition is conditional (Line 6), the event initiates the antecedent of the prohibition (Line 7), and the event happens within the antecedent deadline [Ts, Te] (Line 8). A prohibition is satisfied (Line 10) if no event that satisfies its consequent happens within the consequent deadline, i.e., Te passes (Line 12) when the prohibition is detached (Line 11). This corresponds to the “never con” transition shown in Figure 1(c), i.e., the consequent is never initiated before the deadline. An event violates a prohibition (Line 14) when the prohibition is detached (Line 15), the event initiates the consequent of the prohibition (Line 16), and the event happens within the consequent deadline [Ts, Te] (Line 17). Lifecycle operations for commitments and authorizations are analogous. With respect to a prohibition, a commitment reverses the transitions from detached to satisfied and violated. An authorization is violated when the antecedent holds but the consequent fails to hold. A subject who is authorized for performing a consequent is not committed to doing so. Importantly, whereas the subject of a commitment or prohibition is accountable to its object, it is the object of an authorization that is accountable to its subject. This understanding of au- Consider P(PHYSICIAN, HOSPITAL, ¬consent(PHYSICIAN, ∧ ¬emergency, access EHR(PHYSICIAN, PA TIENT)). Figure 2(a) shows the enactments of the above prohibition. If the physician views a patient’s EHR without consent, the norm is violated (S1 ). If the physician first obtains consent, then views the EHR, this is a compliant enactment of the norm (S2 ). If the physician views a patient’s EHR without consent, the norm is violated (S3 ). If there is an emergency and the physician views a patient’s EHR, this is a compliant enactment (S4 ). We extend such enactments with refinements of a norm. Consider the following usual practice of viewing EHR: “EHR is usually accessed during a nonemergency patient visit.” We implement this practice as a refinement of the original norm. A refinement of a norm is th ... Purchase answer to see full attachment

error: Content is protected !!