Nonfunctional Requirements Validation-A Game Theoretic Approach Vicky Papadopoulou and Andreas Gregoriades Department of Computer Science and Engineering, European University Cyprus, Cyprus Email: {v.papadopoulou, a.gregoriades}@euc.ac.cy Abstract—Network Security requirements have recently gained widespread attention in the requirements engineering community. Despite this, it is not yet clear how to systematically vali- date these requirements given the complexity and uncertainty characterizing modern networks. Traditionally, network security requirements specification has been the results of a reactive process. This however, limited the immunity property of the software systems that depended on these networks. Security requirements specification prerequisite a proactive approach. Networks’ infrastructure is constantly under attack by hackers and malicious software that aim to break into computers. To combat these threats, network designers need sophisticated security validation techniques that will guarantee the minimum level of security for their future networks. To that end, this paper presents a game-theoretic approach to security requirements validation. An introduction to game theory is presented along with a case study that demonstrates the application of the approach in a hypothetical network topology. I. I NTRODUCTION A computer network is defined as the purposeful inter- connection of computer nodes for the efficient and effective interchange of information. Network security consists of the provisions made in an underlying computer network to pro- tect the network and the network-accessible resources from unauthorized access. Network security is of paramount importance to modern information systems and their applications in modern business environments. The recent growth of public networks such as the Internet made this requirement even more significant. However, the dynamic characteristics of contemporary net- works combined with their increased size makes the vision of absolute network security almost impossible. Specifically, networks are vulnerable to infection by different types of electronic attacks. Typically, an attack by a virus, Trojan horse or eavesdropper exploits the loopholes in the security mechanisms of the network. Guaranteeing an acceptable level of security for a prospective system represents a common problem in systems engineering. More specifically network security, is defined as a non-functional property that is influ- enced by functional aspects of the system as a whole. This area of research has gained considerable popularity due to the im- plications it has on users satisfaction and business reputation. Therefore, being able to quantify the safety performance of a future network early in the design phase is of vital importance. The need to validate security requirements early has been addressed also by Lamsweerde [1] and Crook [3]. In this work, we apply game theory to validate the security NFR of a prospective network prior to its implementation. The assessed security NFR represents the minimum level of security guarantee for a prospective network, given a number of immunity requirements to be implemented in the network. These correspond to antivirus software and their location on the network. Specifically, in the problem scenario we address in this paper we assume that a number of harmful entities or attackers (or an upper bound of this number) may appear anywhere in the network. Attacks target nodes of the network. When, there is no information on the distribution of the placement of the attacks on the network nodes, one may assume that they follow a uniform distribution. The immunity functional requirements of the network describe its defence mechanisms and are expressed by a set of defenders; software security systems that can guarantee an acceptable level of security to a limited part of the network (a link, a path, or a subnetwork). Attackers damage targeted nodes unless these are guarded by a defence software. Lamsweerde in [3] also refers to the need to analyze the rational of the attacker in an attempt to become proactive rather than reactive in network security management. Lamsweerde refers to anti goals and anti requirements that define the attacker’s strategies based on which the network designers specified functional requirements to tackle these. Unlike functional requirements, which can be determin- istically validated, NFRs are soft variables that cannot be implemented directly; instead, they are satisfied [40] by a combination of functional requirements. NFRs define the over- all qualities or attributes of the resulting system and as such place restrictions on the software product being developed. Examples of NFR include safety, security, usability, reliability and performance requirements. Typical approaches to validating NFRs include, formal methods, prototypes and system simulations [2]. The paper is organised as follows. Firstly, we describe the principles behind game theory. Next we describe our approach through a case study, before we conclude with a brief discussion. II. GAME THEORY Game theory attempts to mathematically model the rational behavior in strategic situations, in which an individual’s suc- cess in making choices depends on the choices of others. Game Theory has been used to understand selfish rational behaviour