
AI for Interactive Security-by-Design Assistance: Automatic Vulnerable Asset Extraction and Integration into a ReqSecDes Framework

ABG-133501 Thesis topic
2025-09-21 Public/private mixed funding
IRIT, Université de Toulouse
- Occitanie - France
  • Computer science
machine learning, software engineering, cybersecurity, formal methods

Topic description

Context

In contemporary software development, the constant pressure of time-to-market often means that security considerations are set aside in favour of speed and functionality. Yet, design-level weaknesses account for more than half of publicly disclosed vulnerabilities, showing that late or superficial treatment of security results in both costly remediation and severe breaches [1] [6]. The Security-by-Design paradigm aims to counter this by embedding security from the earliest stages of the software development lifecycle, particularly during requirements and design [2] [5] [8] [9]. However, this ambition is constrained by a shortage of specialized expertise, the lack of systematic methods to refine abstract security goals such as confidentiality, integrity, or availability into actionable design decisions, and the absence of accessible tools for engineers who are not trained in cybersecurity. Recent progress in artificial intelligence, especially in natural language processing and machine learning, creates new opportunities to address these challenges by automatically extracting knowledge about vulnerabilities, threats, and countermeasures, and by making such knowledge usable through intelligent, interactive assistance.

 

Research Questions

 

The central challenge lies in finding ways to integrate security proactively and systematically during the requirements and design phases, while ensuring that non-expert engineers can access the necessary knowledge without sacrificing rigour or traceability. This raises several intertwined research questions: 

  • How to exploit AI methods and techniques to extract and organize vulnerable assets from heterogeneous repositories such as CAPEC, CWE, or ATT&CK?
  • How to refine high-level security objectives into formal, verifiable design patterns that engineers can directly apply?
  • How to embed this knowledge into an interactive assistant that provides real-time feedback, contextual recommendations, and justifications, without disrupting the agility expected in modern development environments?

 

Objectives

This doctoral project aims to build the ReqSecDes (Requirement-Security-Design) framework by developing AI-powered mechanisms for vulnerable asset extraction [3], [4] and formalization, and by embedding these into a tool-supported assistant that bridges security requirements and secure design decisions. The expected results are:

Automated Vulnerable Asset Library
  • Use NLP/ML to identify, extract, and link vulnerabilities, threats, and mitigations.
  • Structure assets into a formal ontology usable in software/system engineering tools.

Formal Taxonomy of Security Properties
  • Refine high-level security goals into verifiable design patterns.
  • Ensure consistency and correctness through formal verification [7] (e.g., Event-B, Rodin).

Interactive Security Assistance
  • Develop algorithms to analyse system specifications and models, mapping them to the vulnerable asset library.
  • Provide context-aware, real-time feedback and recommendations via modeling tools (Eclipse, Modelio).

Empirical and Industrial Validation
  • Evaluate the framework with industrial case studies.
  • Assess impact on vulnerability reduction and adoption by non-experts.

 

Expected contributions

The PhD candidate will:

  • Conduct a state-of-the-art survey on security requirements engineering, asset-based approaches, and AI/NLP applications in cybersecurity.
  • Design and train NLP/ML models for extracting and linking vulnerable assets from security repositories.
  • Develop a formal taxonomy of security properties, formally verify the taxonomy, and integrate it into modeling environments.
  • Implement a prototype of interactive assistance, including real-time analysis, reasoning, and user interface.
  • Validate the contributions via case studies and usability evaluations with industry partners, measuring effectiveness and adoption.

 

References

[1] D. Gonzalez, F. Alhenaki, and M. Mirakhorli, ‘Architectural Security Weaknesses in Industrial Control Systems (ICS) an Empirical Study Based on Disclosed Software Vulnerabilities’, in 2019 IEEE International Conference on Software Architecture (ICSA), Hamburg, Germany: IEEE, Mar. 2019, pp. 31–40. doi: 10.1109/ICSA.2019.00012. 

[2] N. Messe, ‘Security by Design : An asset-based approach to bridge the gap between architects and security experts’, phdthesis, Université de Bretagne Sud, 2021. Accessed: Feb. 15, 2022. [Online]. Available: https://tel.archives-ouvertes.fr/tel-03407189 

[3] N. Messe, V. Chiprianov, N. Belloir, J. El-Hachem, R. Fleurquin, and S. Sadou, ‘Asset-Oriented Threat Modeling’, in 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Dec. 2020, pp. 491–501. doi: 10.1109/TrustCom50675.2020.00073. 

[4] N. Messe, N. Belloir, V. Chiprianov, J. El-Hachem, R. Fleurquin, and S. Sadou, ‘An Asset-Based Assistance for Secure by Design’, in 2020 27th Asia-Pacific Software Engineering Conference (APSEC), Dec. 2020, pp. 178–187. doi: 10.1109/APSEC51365.2020.00026. 

[5] Nigmatullin, I., Sadovykh, A., Messe, N., Ebersold, S., & Bruel, J. M. (2022, April). RQCODE–Towards Object-Oriented Requirements in the Software Security Domain. In IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW 2022) (pp. 2-6). IEEE.

[6] Hachem, J. E., Chiprianov, V., Babar, M. A., Khalil, T. A., & Aniorte, P. (2020). Modeling, analyzing and predicting security cascading attacks in smart buildings systems-of-systems. Journal of Systems and Software, 162, 110484.

[7] Zhioua, Z., Ameur-Boulifa, R., & Roudier, Y. (2018). Framework for the formal specification and verification of security guidelines. Advances in Science, Technology and Engineering Systems Journal, 3(1), 38-48.

[8] Teixeira De Castro, H., Hussain, A., Blanc, G., El Hachem, J., Blouin, D., Leneutre, J., & Papadimitratos, P. (2024, July). A model-based approach for assessing the security of cyber-physical systems. In Proceedings of the 19th International Conference on Availability, Reliability and Security (pp. 1-10).

[9] Sadovykh, A., & Ivanov, V. V. (2024). Enhancing DevSecOps with continuous security requirements analysis and testing. Компьютерные исследования и моделирование, 16(7), 1687-1702.

Starting date

2026-10-01

Funding category

Public/private mixed funding

Funding further details

ANR JCJC

Presentation of host institution and host laboratory

IRIT, Université de Toulouse

The Institut de Recherche en Informatique de Toulouse (IRIT), one of the largest Joint Research Units (UMR 5505) in France, is one of the pillars of research in Occitanie, with its 600 permanent and non-permanent members and around a hundred external collaborators. Owing to its multiple supervising bodies (CNRS, the Toulouse universities), its scientific impact and its interactions with other fields, the laboratory is one of the structuring forces in the landscape of computer science and its applications in the digital world, at both regional and national level. Through its cutting-edge work and its dynamism, our unit has defined its identity and gained undeniable visibility, while positioning itself at the heart of the evolution of local structures: the Communauté d’Universités et établissements de Toulouse (COMUE), as well as the various schemes arising from the Investissements d’Avenir programme (LabEx CIMI, IRT Saint-Exupéry, SAT TTT…).

Candidate's profile

Master’s students or professionals with a Master’s degree

Required skills: machine learning, software engineering, cybersecurity, formal methods

2026-09-30