Publication Date


Date of Final Oral Examination (Defense)


Type of Culminating Activity


Degree Title

Master of Science in Computer Science


Computer Science

Major Advisor

Dianxiang Xu, Ph.D.


Jyh-haw Yeh, Ph.D.


Jidong Xiao, Ph.D.


Having a comprehensive model of security requirements is a crucial step towards developing a reliable software system. An effective model of security requirements which describes the possible scenarios that may affect the security aspects of the system under development can be an effective approach for subsequent use in generating security test cases.

Misuse case was first proposed by Sinder and Opdahl as an approach to extract the security requirements of the system under development [1]. A misuse case is a use case representing scenarios that might be followed by a system adversary in order to compromise the system; that is a behavior that should not happen in a system.

As an effective approach used to model potential threats to the system under development, misuse cases are an effective approach for suggesting mitigation mechanisms. A mitigation use case is a use case that represents the countermeasure requirements of a misuse case.

By describing the security threats that may be exploited from the adversary’s point of view, a misuse case provides an effective basis for security testing that addresses the interactions between the adversary and the system under development. Security testing also needs to verify the security mechanisms of the system against misuse cases. Thus, by representing the security requirements of the system, mitigation use cases can also be a good basis for security testing.

Misuse cases and mitigation use cases are ordinarily described in natural language. Unfortunately, this approach has difficulties and limits the ability to generate security test cases from the misuse cases and mitigation use cases. This thesis presents a new, structured approach to generating security test cases based on the extracted security test model from the textual description of the misuse cases accompanying mitigation use cases, represented as a Predicate/Transition (PrT) net.

This approach will enable the system developers to model the misuse cases accompanying mitigation use cases and then generating security test cases based on the resulting security test models, ensuring that the potential attacks are mitigated appropriately in the software development process.

This approach has been applied to two real-world applications, FileZilla Server, a popular FTP server [19] in C++ and a Grant Proposal Management System (GPMS) in Java. Experiment results show that the generated security test cases are efficient test cases that can reveal many security vulnerabilities during the development of GPMS and can kill the majority of the FileZilla Server mutants with seeded vulnerabilities.