首页 > 最新文献

Journal of Systems and Software最新文献

英文 中文
Assessing gender bias in the software used in computer science and software engineering education 评估计算机科学和软件工程教育所用软件中的性别偏见
IF 3.7 2区 计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING
Journal of Systems and Software
Pub Date : 2024-09-27 DOI: 10.1016/j.jss.2024.112225
Women are underrepresented in Computer Science (CS)/ Software Engineering (SE) and other technology related degrees. As undergraduates, they are also less likely to persist with CS/SE studies than men enrolled in those same courses. Gender correlated differences in personal characteristics, behaviour, and preferences mean that course design decisions may introduce unintended bias. To address this issue, we drew inspiration from the GenderMag method. GenderMag uses personas with evidence-based gender differences in problem-solving traits to detect usability issues in software. In this paper we investigate the personal qualities of CS and SE students, and how these influence their CS/SE learning journey. A series of persona development workshops were held to gather an extensive and unique qualitative dataset capturing the prior experiences, preferences, learning styles, motivations, goals, frustrations, and constraints of CS/SE students. Gender differences were used to construct preliminary male and female student personas. These personas were used in cognitive walkthroughs of software applications commonly used in education, and their performance compared to GenderMag’s Tim and Abi. While the student personas were less effective and lacked specificity compared to Abi, they were able to identify issues not detectable with GenderMag. Furthermore, the findings show the utility of persona development workshops as a data collection method and introduce a comprehensive list of CS/SE student qualities that may inspire future investigations.
女性在计算机科学(CS)/软件工程(SE)和其他技术相关专业中的比例偏低。作为本科生,她们坚持学习计算机科学(CS)/软件工程(SE)课程的可能性也低于学习这些课程的男生。与性别相关的个人特征、行为和偏好差异意味着课程设计决策可能会带来意想不到的偏差。为了解决这个问题,我们从 GenderMag 方法中汲取了灵感。GenderMag 使用在解决问题的特质上存在基于证据的性别差异的角色来检测软件的可用性问题。在本文中,我们调查了 CS 和 SE 学生的个人素质,以及这些素质如何影响他们的 CS/SE 学习历程。我们举办了一系列角色开发研讨会,以收集广泛而独特的定性数据集,捕捉 CS/SE 学生的先前经历、偏好、学习风格、动机、目标、挫折和限制因素。性别差异被用来构建初步的男女学生角色。这些角色被用于教育中常用软件的认知演练,并将他们的表现与 GenderMag 的 Tim 和 Abi 进行比较。虽然与 Abi 相比,学生角色的效果较差,而且缺乏特异性,但它们能够发现 GenderMag 无法发现的问题。此外,研究结果还显示了 "角色开发研讨会 "作为一种数据收集方法的实用性,并介绍了一份全面的 CS/SE 学生素质清单,这可能会对未来的调查有所启发。
{"title":"Assessing gender bias in the software used in computer science and software engineering education","authors":"","doi":"10.1016/j.jss.2024.112225","DOIUrl":"10.1016/j.jss.2024.112225","url":null,"abstract":"<div><div>Women are underrepresented in Computer Science (CS)/ Software Engineering (SE) and other technology related degrees. As undergraduates, they are also less likely to persist with CS/SE studies than men enrolled in those same courses. Gender correlated differences in personal characteristics, behaviour, and preferences mean that course design decisions may introduce unintended bias. To address this issue, we drew inspiration from the GenderMag method. GenderMag uses personas with evidence-based gender differences in problem-solving traits to detect usability issues in software. In this paper we investigate the personal qualities of CS and SE students, and how these influence their CS/SE learning journey. A series of persona development workshops were held to gather an extensive and unique qualitative dataset capturing the prior experiences, preferences, learning styles, motivations, goals, frustrations, and constraints of CS/SE students. Gender differences were used to construct preliminary male and female student personas. These personas were used in cognitive walkthroughs of software applications commonly used in education, and their performance compared to GenderMag’s Tim and Abi. While the student personas were less effective and lacked specificity compared to Abi, they were able to identify issues not detectable with GenderMag. Furthermore, the findings show the utility of persona development workshops as a data collection method and introduce a comprehensive list of CS/SE student qualities that may inspire future investigations.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":null,"pages":null},"PeriodicalIF":3.7,"publicationDate":"2024-09-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142427417","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
Evaluation of time-based virtual machine migration as moving target defense against host-based attacks 将基于时间的虚拟机迁移作为移动目标防御主机攻击的评估
IF 3.7 2区 计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING
Journal of Systems and Software
Pub Date : 2024-09-20 DOI: 10.1016/j.jss.2024.112222
Moving Target Defense (MTD) consists of applying dynamic reconfiguration in the defensive side of the attack-defense cybersecurity game. Virtual Machine (VM) migration could be used as MTD against specific host-based attacks in the cloud computing environment by remapping the distribution of VMs in the existing physical hosts. This way, when the attacker’s VM is moved to a different machine, the attack has to be restarted. However, one significant gap here is how to select a proper VM migration-based MTD schedule to reach the desired levels of system protection. This paper develops a Stochastic Petri Net (SPN) model to address this issue. The model leverages empirical knowledge about the dynamics of the attack defense in a VM migration-enabled setup. First, we present the results of an experimental campaign to acquire knowledge about the system’s behavior. The experiments provide insights for the model design. Then, based on the model, we propose a tool named PyMTDEvaluator, which provides a graphical interface that serves as a wrapper for the simulation environment of the model. Finally, we exercise the tool using Multi-Criteria Decision-Making methods to aid the MTD policy selection. Hopefully, our results and methods will be helpful for system managers and cybersecurity professionals.
移动目标防御(MTD)包括在攻击防御网络安全游戏的防御端应用动态重新配置。虚拟机(VM)迁移可用作 MTD,通过重新映射现有物理主机中的虚拟机分布来抵御云计算环境中基于特定主机的攻击。这样,当攻击者的虚拟机转移到不同的机器上时,攻击就必须重新启动。然而,如何选择适当的基于虚拟机迁移的 MTD 计划,以达到所需的系统保护水平,是这方面的一个重大缺陷。本文开发了一个随机 Petri 网(SPN)模型来解决这一问题。该模型利用了有关虚拟机迁移设置中攻击防御动态的经验知识。首先,我们介绍了一项实验活动的结果,以获取有关系统行为的知识。实验为模型设计提供了启示。然后,基于模型,我们提出了一个名为 PyMTDEvaluator 的工具,它提供了一个图形界面,可作为模型模拟环境的包装器。最后,我们使用多标准决策方法对该工具进行练习,以帮助 MTD 政策选择。希望我们的结果和方法对系统管理员和网络安全专业人员有所帮助。
{"title":"Evaluation of time-based virtual machine migration as moving target defense against host-based attacks","authors":"","doi":"10.1016/j.jss.2024.112222","DOIUrl":"10.1016/j.jss.2024.112222","url":null,"abstract":"<div><div>Moving Target Defense (MTD) consists of applying dynamic reconfiguration in the defensive side of the attack-defense cybersecurity game. Virtual Machine (VM) migration could be used as MTD against specific host-based attacks in the cloud computing environment by remapping the distribution of VMs in the existing physical hosts. This way, when the attacker’s VM is moved to a different machine, the attack has to be restarted. However, one significant gap here is how to select a proper VM migration-based MTD schedule to reach the desired levels of system protection. This paper develops a Stochastic Petri Net (SPN) model to address this issue. The model leverages empirical knowledge about the dynamics of the attack defense in a VM migration-enabled setup. First, we present the results of an experimental campaign to acquire knowledge about the system’s behavior. The experiments provide insights for the model design. Then, based on the model, we propose a tool named <em>PyMTDEvaluator</em>, which provides a graphical interface that serves as a wrapper for the simulation environment of the model. Finally, we exercise the tool using Multi-Criteria Decision-Making methods to aid the MTD policy selection. Hopefully, our results and methods will be helpful for system managers and cybersecurity professionals.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":null,"pages":null},"PeriodicalIF":3.7,"publicationDate":"2024-09-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142358797","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
Improve cross-project just-in-time defect prediction with dynamic transfer learning 利用动态迁移学习改进跨项目及时缺陷预测
IF 3.7 2区 计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING
Journal of Systems and Software
Pub Date : 2024-09-20 DOI: 10.1016/j.jss.2024.112214
Cross-project just-in-time software defect prediction (CP-JIT-SDP) is a prominent research topic in the field of software engineering. This approach is characterized by its immediacy, accuracy, real-time feedback, and traceability, enabling it to effectively address the challenges of defect prediction in new projects or projects with limited training data. However, CP-JIT-SDP faces significant challenges due to the differences in the feature distribution between the source and target projects. To address this issue, researchers have proposed methods for adjusting marginal or conditional probability distributions. This study introduces a transfer-learning approach that integrates dynamic distribution adaptation. The kernel variance matching (KVM) method is proposed to adjust the disparity in the marginal probability distribution by recalculating the variance of the source and target projects within the reproducing kernel Hilbert space (RKHS) to minimize the variance disparity. The categorical boosting (CatBoost) algorithm is used to construct models, while the improved CORrelation ALignment (CORAL) method is applied to develop the loss function to address the difference in the conditional probability distribution. This method is abbreviated as KCC, where the symbol K represents KVM, the symbol C represents CatBoost, and the next symbol C represents improved CORAL. The KCC method aims to optimize the joint probability distribution of the source project so that it closely agrees with that of the target project through iterative and dynamic integration. Six well-known open-source projects were used to evaluate the effectiveness of the proposed method. The empirical findings indicate that the KCC method exhibited significant improvements over the baseline methods. In particular, the KCC method demonstrated an average increase of 18% in the geometric mean (G-mean), 105.4% in the Matthews correlation coefficient (MCC), 25.6% in the F1-score, and 16.9% in the area under the receiver operating characteristic curve (AUC) when compared to the baseline methods. Furthermore, the KCC method demonstrated greater stability.
跨项目及时软件缺陷预测(CP-JIT-SDP)是软件工程领域的一个突出研究课题。这种方法具有即时性、准确性、实时反馈和可追溯性等特点,能有效解决新项目或训练数据有限的项目中的缺陷预测难题。然而,由于源项目和目标项目的特征分布存在差异,CP-JIT-SDP 面临着巨大的挑战。为解决这一问题,研究人员提出了调整边际或条件概率分布的方法。本研究引入了一种整合了动态分布适应的迁移学习方法。研究提出了核方差匹配(KVM)方法,通过在再现核希尔伯特空间(RKHS)内重新计算源项目和目标项目的方差来调整边际概率分布的差异,从而使方差差异最小化。分类提升(CatBoost)算法用于构建模型,而改进的 CORrelation ALignment(CORAL)方法则用于开发损失函数,以解决条件概率分布的差异问题。这种方法简称为 KCC,其中符号 K 代表 KVM,符号 C 代表 CatBoost,下一个符号 C 代表改进 CORAL。KCC 方法旨在通过迭代和动态整合,优化源项目的联合概率分布,使其与目标项目的联合概率分布密切吻合。我们使用了六个知名的开源项目来评估所提出方法的有效性。实证研究结果表明,与基线方法相比,KCC 方法有显著改进。特别是,与基线方法相比,KCC 方法的几何平均数(G-mean)平均提高了 18%,马修斯相关系数(MCC)平均提高了 105.4%,F1 分数平均提高了 25.6%,接收器工作特征曲线下面积(AUC)平均提高了 16.9%。此外,KCC 方法的稳定性更高。
{"title":"Improve cross-project just-in-time defect prediction with dynamic transfer learning","authors":"","doi":"10.1016/j.jss.2024.112214","DOIUrl":"10.1016/j.jss.2024.112214","url":null,"abstract":"<div><div>Cross-project just-in-time software defect prediction (CP-JIT-SDP) is a prominent research topic in the field of software engineering. This approach is characterized by its immediacy, accuracy, real-time feedback, and traceability, enabling it to effectively address the challenges of defect prediction in new projects or projects with limited training data. However, CP-JIT-SDP faces significant challenges due to the differences in the feature distribution between the source and target projects. To address this issue, researchers have proposed methods for adjusting marginal or conditional probability distributions. This study introduces a transfer-learning approach that integrates dynamic distribution adaptation. The kernel variance matching (KVM) method is proposed to adjust the disparity in the marginal probability distribution by recalculating the variance of the source and target projects within the reproducing kernel Hilbert space (RKHS) to minimize the variance disparity. The categorical boosting (CatBoost) algorithm is used to construct models, while the improved CORrelation ALignment (CORAL) method is applied to develop the loss function to address the difference in the conditional probability distribution. This method is abbreviated as KCC, where the symbol K represents KVM, the symbol C represents CatBoost, and the next symbol C represents improved CORAL. The KCC method aims to optimize the joint probability distribution of the source project so that it closely agrees with that of the target project through iterative and dynamic integration. Six well-known open-source projects were used to evaluate the effectiveness of the proposed method. The empirical findings indicate that the KCC method exhibited significant improvements over the baseline methods. In particular, the KCC method demonstrated an average increase of 18% in the geometric mean (G-mean), 105.4% in the Matthews correlation coefficient (MCC), 25.6% in the F1-score, and 16.9% in the area under the receiver operating characteristic curve (AUC) when compared to the baseline methods. Furthermore, the KCC method demonstrated greater stability.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":null,"pages":null},"PeriodicalIF":3.7,"publicationDate":"2024-09-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142358796","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
Program Dependence Net and on-demand slicing for property verification of concurrent system and software 用于并发系统和软件属性验证的程序依赖网和按需切分法
IF 3.7 2区 计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING
Journal of Systems and Software
Pub Date : 2024-09-19 DOI: 10.1016/j.jss.2024.112221
When checking concurrent software using a finite-state model, we face a formidable state explosion problem. One solution to this problem is dependence-based program slicing, whose use can effectively reduce verification time. It is orthogonal to other model-checking reduction techniques. However, when slicing concurrent programs for model checking, there are conversions between multiple irreplaceable models, and dependencies need to be found for variables irrelevant to the verified property, which results in redundant computation. To resolve this issue, we propose a Program Dependence Net (PDNet) based on Petri net theory. It is a unified model that combines a control-flow structure with dependencies to avoid conversions. For reduction, we present a PDNet slicing method to capture the relevant variables’ dependencies when needed. PDNet and its on-demand slicing in verifying linear temporal logic are used to significantly reduce computation cost. We implement a model-checking tool based on PDNet and its on-demand slicing and validate the advantages of our proposed methods.
在使用有限状态模型检查并发软件时,我们面临着一个棘手的状态爆炸问题。解决这一问题的方法之一是基于依赖性的程序切分,使用这种方法可以有效缩短验证时间。它与其他模型检查缩减技术是正交的。然而,在切分并发程序进行模型检查时,需要在多个不可替代的模型之间进行转换,并且需要为与验证属性无关的变量找到依赖关系,这就造成了冗余计算。为了解决这个问题,我们提出了基于 Petri 网理论的程序依赖网(PDNet)。它是一种统一的模型,将控制流结构与依赖关系相结合,以避免转换。为了简化,我们提出了一种 PDNet 切片方法,以便在需要时捕捉相关变量的依赖关系。在验证线性时态逻辑时,我们使用 PDNet 及其按需切分方法来显著降低计算成本。我们实现了基于 PDNet 及其按需切分的模型检查工具,并验证了我们提出的方法的优势。
{"title":"Program Dependence Net and on-demand slicing for property verification of concurrent system and software","authors":"","doi":"10.1016/j.jss.2024.112221","DOIUrl":"10.1016/j.jss.2024.112221","url":null,"abstract":"<div><div>When checking concurrent software using a finite-state model, we face a formidable state explosion problem. One solution to this problem is dependence-based program slicing, whose use can effectively reduce verification time. It is orthogonal to other model-checking reduction techniques. However, when slicing concurrent programs for model checking, there are conversions between multiple irreplaceable models, and dependencies need to be found for variables irrelevant to the verified property, which results in redundant computation. To resolve this issue, we propose a Program Dependence Net (PDNet) based on Petri net theory. It is a unified model that combines a control-flow structure with dependencies to avoid conversions. For reduction, we present a PDNet slicing method to capture the relevant variables’ dependencies when needed. PDNet and its on-demand slicing in verifying linear temporal logic are used to significantly reduce computation cost. We implement a model-checking tool based on PDNet and its on-demand slicing and validate the advantages of our proposed methods.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":null,"pages":null},"PeriodicalIF":3.7,"publicationDate":"2024-09-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142427421","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
Centralization potential of automotive E/E architectures 汽车 E/E 架构的集中化潜力
IF 3.7 2区 计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING
Journal of Systems and Software
Pub Date : 2024-09-17 DOI: 10.1016/j.jss.2024.112220

Current automotive E/E architectures are subject to significant transformations: Computing-power-intensive advanced driver-assistance systems, bandwidth-hungry infotainment systems, the connection of the vehicle with the internet and the consequential need for cyber-security drives the centralization of E/E architectures. A centralized architecture is often seen as a key enabler to master those challenges. Available research focuses mostly on the different types of E/E architectures and contrasts their advantages and disadvantages. There is a research gap on guidelines for system designers and function developers to analyze the potential of their systems for centralization. The present paper aims to quantify centralization potential reviewing relevant literature and conducting qualitative interviews with industry practitioners. In literature, we identified seven key automotive system properties reaching limitations in current automotive architectures: busload, functional safety, computing power, feature dependencies, development and maintenance costs, error rate, modularity and flexibility. These properties serve as quantitative evaluation criteria to estimate whether centralization would enhance overall system performance. In the interviews, we have validated centralization and its fundament – the conceptual systems engineering – as capabilities to mitigate these limitations. By focusing on practical insights and lessons learned, this research provides system designers with actionable guidance to optimize their systems, addressing the outlined challenges while avoiding monolithic architecture. This paper bridges the gap between theoretical research and practical application, offering valuable takeaways for practitioners.

当前的汽车电子/电气架构正在经历重大变革:计算能力密集型高级驾驶辅助系统、带宽要求极高的信息娱乐系统、汽车与互联网的连接以及随之而来的网络安全需求,都推动着 E/E 架构的集中化。集中式架构通常被视为应对这些挑战的关键因素。现有的研究主要集中在不同类型的电子/电子架构上,并对其优缺点进行了对比。在为系统设计人员和功能开发人员提供分析其系统集中化潜力的指南方面,还存在研究空白。本文旨在通过审查相关文献和对行业从业人员进行定性访谈,量化集中化的潜力。在文献中,我们确定了当前汽车架构中存在局限性的七个关键汽车系统属性:总线负载、功能安全性、计算能力、功能依赖性、开发和维护成本、错误率、模块化和灵活性。这些特性可作为量化评估标准,用于估算集中化是否能提高系统的整体性能。在访谈中,我们验证了集中化及其基础--概念系统工程--是缓解这些限制的能力。通过关注实际见解和经验教训,本研究为系统设计人员提供了优化系统的可行指导,在避免单一架构的同时解决了概述的挑战。本文在理论研究与实际应用之间架起了一座桥梁,为从业人员提供了宝贵的经验。
{"title":"Centralization potential of automotive E/E architectures","authors":"","doi":"10.1016/j.jss.2024.112220","DOIUrl":"10.1016/j.jss.2024.112220","url":null,"abstract":"<div><p>Current automotive E/E architectures are subject to significant transformations: Computing-power-intensive advanced driver-assistance systems, bandwidth-hungry infotainment systems, the connection of the vehicle with the internet and the consequential need for cyber-security drives the centralization of E/E architectures. A centralized architecture is often seen as a key enabler to master those challenges. Available research focuses mostly on the different types of E/E architectures and contrasts their advantages and disadvantages. There is a research gap on guidelines for system designers and function developers to analyze the potential of their systems for centralization. The present paper aims to quantify centralization potential reviewing relevant literature and conducting qualitative interviews with industry practitioners. In literature, we identified seven key automotive system properties reaching limitations in current automotive architectures: busload, functional safety, computing power, feature dependencies, development and maintenance costs, error rate, modularity and flexibility. These properties serve as quantitative evaluation criteria to estimate whether centralization would enhance overall system performance. In the interviews, we have validated centralization and its fundament – the conceptual systems engineering – as capabilities to mitigate these limitations. By focusing on practical insights and lessons learned, this research provides system designers with actionable guidance to optimize their systems, addressing the outlined challenges while avoiding monolithic architecture. This paper bridges the gap between theoretical research and practical application, offering valuable takeaways for practitioners.</p></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":null,"pages":null},"PeriodicalIF":3.7,"publicationDate":"2024-09-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142270242","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
A model-driven formal methods approach to software architectural security vulnerabilities specification and verification 软件架构安全漏洞规范与验证的模型驱动形式方法
IF 3.7 2区 计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING
Journal of Systems and Software
Pub Date : 2024-09-16 DOI: 10.1016/j.jss.2024.112219
Detecting and addressing security vulnerabilities in software designs is crucial for ensuring the reliable and safe operation of systems. Existing approaches for vulnerability specification lack the necessary flexibility for practical use. To tackle this issue, we propose an integrated model-driven approach for vulnerability detection and treatment during software architecture design. The approach involves specifying vulnerabilities as properties of a modeled system in a technology-independent language, expressing conditions for vulnerability detection using a language supported by automated tools, and recommending security requirements to mitigate detected vulnerabilities. Formalized vulnerabilities and security requirements are presented as model libraries to facilitate reuse. Our methodology employs first-order and modal logic as a technology-independent formalism, with Alloy as the tool-supported language for modeling and software development. We have developed a Model-Driven Engineering (MDE) tool to implement this approach. To validate our work, we apply it to representative vulnerabilities based on the Common Weakness Enumeration (CWE) classifications within the context of secure component-based software architecture development.
检测和解决软件设计中的安全漏洞对于确保系统的可靠和安全运行至关重要。现有的漏洞规范方法缺乏实际应用所需的灵活性。为了解决这个问题,我们提出了一种综合的模型驱动方法,用于在软件架构设计过程中检测和处理漏洞。该方法包括用一种技术独立的语言将漏洞指定为建模系统的属性,用一种自动工具支持的语言表达漏洞检测的条件,并推荐安全要求以减少检测到的漏洞。形式化的漏洞和安全要求以模型库的形式呈现,便于重复使用。我们的方法采用一阶逻辑和模态逻辑作为与技术无关的形式主义,并使用 Alloy 作为建模和软件开发的工具支持语言。我们开发了一种模型驱动工程(MDE)工具来实现这种方法。为了验证我们的工作,我们在基于组件的安全软件架构开发中,将其应用于基于常见弱点枚举(CWE)分类的代表性漏洞。
{"title":"A model-driven formal methods approach to software architectural security vulnerabilities specification and verification","authors":"","doi":"10.1016/j.jss.2024.112219","DOIUrl":"10.1016/j.jss.2024.112219","url":null,"abstract":"<div><div>Detecting and addressing security vulnerabilities in software designs is crucial for ensuring the reliable and safe operation of systems. Existing approaches for vulnerability specification lack the necessary flexibility for practical use. To tackle this issue, we propose an integrated model-driven approach for vulnerability detection and treatment during software architecture design. The approach involves specifying vulnerabilities as properties of a modeled system in a technology-independent language, expressing conditions for vulnerability detection using a language supported by automated tools, and recommending security requirements to mitigate detected vulnerabilities. Formalized vulnerabilities and security requirements are presented as model libraries to facilitate reuse. Our methodology employs first-order and modal logic as a technology-independent formalism, with Alloy as the tool-supported language for modeling and software development. We have developed a Model-Driven Engineering (MDE) tool to implement this approach. To validate our work, we apply it to representative vulnerabilities based on the Common Weakness Enumeration (CWE) classifications within the context of secure component-based software architecture development.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":null,"pages":null},"PeriodicalIF":3.7,"publicationDate":"2024-09-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142315504","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
Balancing quality and efficiency: An improved non-autoregressive model for pseudocode-to-code conversion 平衡质量与效率:伪代码到代码转换的改进型非自回归模型
IF 3.7 2区 计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING
Journal of Systems and Software
Pub Date : 2024-09-12 DOI: 10.1016/j.jss.2024.112206

Pseudocode can efficiently represent algorithm logic, but manual conversion to executable code requires more time. Recent works have applied autoregressive (AR) models to automate pseudocode-to-code conversion, achieving good results but slow generation speed. Non-autoregressive (NAR) models offer the advantage of parallel generation. However, they face challenges in effectively capturing contextual information, leading to a potential degradation in the quality of the generated output. This paper presents an improved NAR model for balancing quality and efficiency in pseudocode conversion. Firstly, two strategies are proposed to address out-of-vocabulary and repetition problems. Secondly, an improved NAR model is built using linear smoothing and adaptive techniques in the transition matrix, which can mitigate the “winner takes all” effect. Finally, a new synthesis potential metric is proposed for evaluating pseudocode conversion. Experimental results show that the proposed method matches AR model performance while accelerating generation over 10-fold. Further, the proposed NAR model reduces the gap with the AR model in terms of the BLEU score on the EN-DE and DE-EN tasks of the WMT14 machine translation.

伪代码可以有效地表示算法逻辑,但手动转换为可执行代码需要更多时间。最近的研究应用自回归(AR)模型来自动实现伪代码到代码的转换,取得了良好的效果,但生成速度较慢。非自回归(NAR)模型具有并行生成的优势。然而,它们在有效捕捉上下文信息方面面临挑战,导致生成输出的质量可能下降。本文提出了一种改进的 NAR 模型,用于平衡伪代码转换的质量和效率。首先,本文提出了两种策略来解决词汇不足和重复问题。其次,在转换矩阵中使用线性平滑和自适应技术建立了改进的 NAR 模型,从而减轻了 "赢家通吃 "效应。最后,提出了一种新的综合潜力指标,用于评估伪代码转换。实验结果表明,所提出的方法与 AR 模型的性能相匹配,同时将生成速度提高了 10 倍以上。此外,在 WMT14 机器翻译的 EN-DE 和 DE-EN 任务中,所提出的 NAR 模型缩小了与 AR 模型在 BLEU 分数上的差距。
{"title":"Balancing quality and efficiency: An improved non-autoregressive model for pseudocode-to-code conversion","authors":"","doi":"10.1016/j.jss.2024.112206","DOIUrl":"10.1016/j.jss.2024.112206","url":null,"abstract":"<div><p>Pseudocode can efficiently represent algorithm logic, but manual conversion to executable code requires more time. Recent works have applied autoregressive (AR) models to automate pseudocode-to-code conversion, achieving good results but slow generation speed. Non-autoregressive (NAR) models offer the advantage of parallel generation. However, they face challenges in effectively capturing contextual information, leading to a potential degradation in the quality of the generated output. This paper presents an improved NAR model for balancing quality and efficiency in pseudocode conversion. Firstly, two strategies are proposed to address out-of-vocabulary and repetition problems. Secondly, an improved NAR model is built using linear smoothing and adaptive techniques in the transition matrix, which can mitigate the “<em>winner takes all</em>” effect. Finally, a new synthesis potential metric is proposed for evaluating pseudocode conversion. Experimental results show that the proposed method matches AR model performance while accelerating generation over 10-fold. Further, the proposed NAR model reduces the gap with the AR model in terms of the BLEU score on the EN-DE and DE-EN tasks of the WMT14 machine translation.</p></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":null,"pages":null},"PeriodicalIF":3.7,"publicationDate":"2024-09-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142172727","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
An intelligent test management system for optimizing decision making during software testing 优化软件测试决策的智能测试管理系统
IF 3.7 2区 计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING
Journal of Systems and Software
Pub Date : 2024-09-06 DOI: 10.1016/j.jss.2024.112202

To ensure the proper testing of any software product, it is imperative to cover various functional and non-functional requirements at different testing levels (e.g., unit or integration testing). Ensuring appropriate testing requires making a series of decisions—e.g., assigning features to distinct Continuous Integration (CI) configurations or determining which test specifications to automate. Such decisions are generally made manually and require in-depth domain knowledge. This study introduces, implements, and evaluates ITMOS (Intelligent Test Management Optimization System), an intelligent test management system designed to optimize decision-making during the software testing process. ITMOS efficiently processes new requirements presented in natural language, segregating each requirement into appropriate CI configurations based on predefined quality criteria. Additionally, ITMOS has the capability to suggest a set of test specifications for test automation. The feasibility and potential applicability of the proposed solution were empirically evaluated in an industrial telecommunications project at Ericsson. In this context, ITMOS achieved accurate results for decision-making tasks, exceeding the requirements set by domain experts.

为确保对任何软件产品进行适当的测试,必须在不同的测试级别(如单元测试或集成测试)涵盖各种功能和非功能要求。确保适当的测试需要做出一系列决策,例如,将功能分配给不同的持续集成(CI)配置,或确定哪些测试规范需要自动化。这些决策一般都是手动做出的,需要深入的领域知识。本研究介绍、实施并评估了 ITMOS(智能测试管理优化系统),这是一种智能测试管理系统,旨在优化软件测试过程中的决策。ITMOS 可高效处理以自然语言呈现的新需求,并根据预定义的质量标准将每个需求分离成适当的 CI 配置。此外,ITMOS 还能为测试自动化提出一套测试规范。爱立信公司在一个工业电信项目中对所提解决方案的可行性和潜在适用性进行了实证评估。在这种情况下,ITMOS 在决策任务方面取得了准确的结果,超过了领域专家设定的要求。
{"title":"An intelligent test management system for optimizing decision making during software testing","authors":"","doi":"10.1016/j.jss.2024.112202","DOIUrl":"10.1016/j.jss.2024.112202","url":null,"abstract":"<div><p>To ensure the proper testing of any software product, it is imperative to cover various functional and non-functional requirements at different testing levels (e.g., unit or integration testing). Ensuring appropriate testing requires making a series of decisions—e.g., assigning features to distinct Continuous Integration (CI) configurations or determining which test specifications to automate. Such decisions are generally made manually and require in-depth domain knowledge. This study introduces, implements, and evaluates ITMOS (Intelligent Test Management Optimization System), an intelligent test management system designed to optimize decision-making during the software testing process. ITMOS efficiently processes new requirements presented in natural language, segregating each requirement into appropriate CI configurations based on predefined quality criteria. Additionally, ITMOS has the capability to suggest a set of test specifications for test automation. The feasibility and potential applicability of the proposed solution were empirically evaluated in an industrial telecommunications project at Ericsson. In this context, ITMOS achieved accurate results for decision-making tasks, exceeding the requirements set by domain experts.</p></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":null,"pages":null},"PeriodicalIF":3.7,"publicationDate":"2024-09-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142161757","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
Feature transformation for improved software bug detection and commit classification 改进软件错误检测和提交分类的特征转换
IF 3.7 2区 计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING
Journal of Systems and Software
Pub Date : 2024-09-06 DOI: 10.1016/j.jss.2024.112205

Testing and debugging software to fix bugs is considered one of the most important stages of the software life cycle. Many studies have investigated ways to predict bugs in software artifacts using machine learning techniques. It is important to consider the explanatory aspects of such models for reliable prediction. In this paper, we show how feature transformation can significantly improve prediction accuracy and provide insight into the inner workings of bug prediction models. We propose a new approach for bug prediction that first extracts the features, then finds a weighted transformation of these features using a genetic algorithm that best separates bugs from non-bugs when plotted in a low-dimensional space, and finally, trains predictive models using the transformed dataset. In our experiment using the proposed feature transformation, the traditional machine learning and deep learning classifiers achieved an average improvement of 4.25% and 9.6% in recall values for bug classification over 8 software systems compared to the models built on original data. We also examined the generalizability of our concept for multiclass classification tasks such as commit classification in software systems and found modest improvements in F1-scores (sometimes up to 3%) for traditional machine learning models and 4% with deep learning models.

测试和调试软件以修复错误被认为是软件生命周期中最重要的阶段之一。许多研究都在探讨如何利用机器学习技术预测软件工件中的错误。要进行可靠的预测,必须考虑这些模型的解释性方面。在本文中,我们展示了特征转换如何显著提高预测准确性,并深入探讨了错误预测模型的内部工作原理。我们提出了一种新的错误预测方法,该方法首先提取特征,然后使用遗传算法对这些特征进行加权变换,在低维空间中绘制出最能区分错误与非错误的图像,最后使用变换后的数据集训练预测模型。在我们使用所提出的特征转换进行的实验中,与基于原始数据构建的模型相比,传统机器学习和深度学习分类器在 8 个软件系统的错误分类召回值上平均提高了 4.25% 和 9.6%。我们还检验了我们的概念在多类分类任务(如软件系统中的提交分类)中的通用性,发现传统机器学习模型的 F1 分数略有提高(有时可达 3%),而深度学习模型的 F1 分数提高了 4%。
{"title":"Feature transformation for improved software bug detection and commit classification","authors":"","doi":"10.1016/j.jss.2024.112205","DOIUrl":"10.1016/j.jss.2024.112205","url":null,"abstract":"<div><p>Testing and debugging software to fix bugs is considered one of the most important stages of the software life cycle. Many studies have investigated ways to predict bugs in software artifacts using machine learning techniques. It is important to consider the explanatory aspects of such models for reliable prediction. In this paper, we show how feature transformation can significantly improve prediction accuracy and provide insight into the inner workings of bug prediction models. We propose a new approach for bug prediction that first extracts the features, then finds a weighted transformation of these features using a genetic algorithm that best separates bugs from non-bugs when plotted in a low-dimensional space, and finally, trains predictive models using the transformed dataset. In our experiment using the proposed feature transformation, the traditional machine learning and deep learning classifiers achieved an average improvement of 4.25% and 9.6% in recall values for bug classification over 8 software systems compared to the models built on original data. We also examined the generalizability of our concept for multiclass classification tasks such as commit classification in software systems and found modest improvements in F1-scores (sometimes up to 3%) for traditional machine learning models and 4% with deep learning models.</p></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":null,"pages":null},"PeriodicalIF":3.7,"publicationDate":"2024-09-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0164121224002498/pdfft?md5=24be736d13c3422f3ae6248d88baf8da&pid=1-s2.0-S0164121224002498-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142161759","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
Attributes of a great requirements engineer 优秀需求工程师的特质
IF 3.7 2区 计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING
Journal of Systems and Software
Pub Date : 2024-09-05 DOI: 10.1016/j.jss.2024.112200

Context and motivation:

Several studies have investigated attributes of great software practitioners. However, the investigation of such attributes is still missing in Requirements Engineering (RE). The current knowledge on attributes of great software practitioners might not be easily translated to the context of RE because its activities are, usually, less technical and more human-centered than other software engineering activities.

Question/problem:

This work aims to investigate which are the attributes of great requirements engineers, the relationship between them, and strategies that can be employed to obtain these attributes. We follow a method composed of a survey with 18 practitioners and follow up interviews with 11 of them.

Principal ideas/results:

Investigative ability in talking to stakeholders, judicious, and understand the business are the most commonly mentioned attributes amongst the set of 22 attributes identified, which were grouped into four categories. We also found 38 strategies to improve RE skills. Examples are training, talking to all stakeholders, and acquiring domain knowledge.

Contribution:

The attributes, their categories, and relationships are organized into a map. The relations between attributes and strategies are represented in a Sankey diagram. Software practitioners can use our findings to improve their understanding about the role and responsibilities of requirements engineers.

背景与动机:已有多项研究调查了优秀软件从业人员的特质。然而,在需求工程(RE)中,对这些属性的调查仍然缺失。问题:这项工作旨在研究优秀需求工程师的特质、这些特质之间的关系以及获得这些特质的策略。我们采用的方法包括对 18 名从业人员进行调查,并对其中 11 人进行后续访谈。主要观点/结果:在已确定的 22 项属性中,最常被提及的属性是与利益相关者交谈时的调查能力、判断力和对业务的理解,这些属性被分为四类。我们还发现了 38 种提高 RE 技能的策略。贡献:属性、其类别和关系被整理成一张地图。贡献:属性、类别和关系被整理成一张地图,属性和策略之间的关系用桑基图表示。软件从业人员可以利用我们的研究结果来提高他们对需求工程师的角色和职责的理解。
{"title":"Attributes of a great requirements engineer","authors":"","doi":"10.1016/j.jss.2024.112200","DOIUrl":"10.1016/j.jss.2024.112200","url":null,"abstract":"<div><h3>Context and motivation:</h3><p>Several studies have investigated attributes of great software practitioners. However, the investigation of such attributes is still missing in Requirements Engineering (RE). The current knowledge on attributes of great software practitioners might not be easily translated to the context of RE because its activities are, usually, less technical and more human-centered than other software engineering activities.</p></div><div><h3>Question/problem:</h3><p>This work aims to investigate which are the attributes of great requirements engineers, the relationship between them, and strategies that can be employed to obtain these attributes. We follow a method composed of a survey with 18 practitioners and follow up interviews with 11 of them.</p></div><div><h3>Principal ideas/results:</h3><p><em>Investigative ability in talking to stakeholders</em>, <em>judicious</em>, and <em>understand the business</em> are the most commonly mentioned attributes amongst the set of 22 attributes identified, which were grouped into four categories. We also found 38 strategies to improve RE skills. Examples are <em>training</em>, <em>talking to all stakeholders</em>, and <em>acquiring domain knowledge</em>.</p></div><div><h3>Contribution:</h3><p>The attributes, their categories, and relationships are organized into a map. The relations between attributes and strategies are represented in a Sankey diagram. Software practitioners can use our findings to improve their understanding about the role and responsibilities of requirements engineers.</p></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":null,"pages":null},"PeriodicalIF":3.7,"publicationDate":"2024-09-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142167497","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 0
首页 上一页 下一页 尾页
类型
全部 化学•材料 生命科学 医学 物理 工程技术 环境•农林 材料科学 地球科学 法学 管理学 化学 环境科学与生态学 计算机科学 教育学 经济学 农林科学 人文科学 生物学 数学 物理与天体物理 心理学 综合性期刊 其他 工业工程 理学 历史学 农学 文学 信息工程
数据库
全部 ACS Publications Elsevier ieeexplore Springer The Royal Society of Chemistry Wiley
期刊
Journal of Systems and Software
全部 Acc. Chem. Res. ACS Applied Bio Materials ACS Appl. Electron. Mater. ACS Appl. Energy Mater. ACS Appl. Mater. Interfaces ACS Appl. Nano Mater. ACS Appl. Polym. Mater. ACS BIOMATER-SCI ENG ACS Catal. ACS Cent. Sci. ACS Chem. Biol. ACS Chemical Health & Safety ACS Chem. Neurosci. ACS Comb. Sci. ACS Earth Space Chem. ACS Energy Lett. ACS Infect. Dis. ACS Macro Lett. ACS Mater. Lett. ACS Med. Chem. Lett. ACS Nano ACS Omega ACS Photonics ACS Sens. ACS Sustainable Chem. Eng. ACS Synth. Biol. Anal. Chem. BIOCHEMISTRY-US Bioconjugate Chem. BIOMACROMOLECULES Chem. Res. Toxicol. Chem. Rev. Chem. Mater. CRYST GROWTH DES ENERG FUEL Environ. Sci. Technol. Environ. Sci. Technol. Lett. Eur. J. Inorg. Chem. IND ENG CHEM RES Inorg. Chem. J. Agric. Food. Chem. J. Chem. Eng. Data J. Chem. Educ. J. Chem. Inf. Model. J. Chem. Theory Comput. J. Med. Chem. J. Nat. Prod. J PROTEOME RES J. Am. Chem. Soc. LANGMUIR MACROMOLECULES Mol. Pharmaceutics Nano Lett. Org. Lett. ORG PROCESS RES DEV ORGANOMETALLICS J. Org. Chem. J. Phys. Chem. J. Phys. Chem. A J. Phys. Chem. B J. Phys. Chem. C J. Phys. Chem. Lett. Analyst Anal. Methods Biomater. Sci. Catal. Sci. Technol. Chem. Commun. Chem. Soc. Rev. CHEM EDUC RES PRACT CRYSTENGCOMM Dalton Trans. Energy Environ. Sci. ENVIRON SCI-NANO ENVIRON SCI-PROC IMP ENVIRON SCI-WAT RES Faraday Discuss. Food Funct. Green Chem. Inorg. Chem. Front. Integr. Biol. J. Anal. At. Spectrom. J. Mater. Chem. A J. Mater. Chem. B J. Mater. Chem. C Lab Chip Mater. Chem. Front. Mater. Horiz. MEDCHEMCOMM Metallomics Mol. Biosyst. Mol. Syst. Des. Eng. Nanoscale Nanoscale Horiz. Nat. Prod. Rep. New J. Chem. Org. Biomol. Chem. Org. Chem. Front. PHOTOCH PHOTOBIO SCI PCCP Polym. Chem.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1