AI for Interactive Security-by-Design Assistance: Automatic Vulnerable Asset Extraction and Integration into a ReqSecDes Framework

Topic description Context In contemporary software development, the constant pressure of time-to-market often means that security considerations are set aside in favour of speed and functionality. Yet, design-level weaknesses account for more than half of publicly disclosed vulnerabilities, showing that late or superficial treatment of security results in both costly remediation and severe breaches [1] [6]. The Security-by-Design paradigm aims to counter this by embedding security from the earliest stages of the software development lifecycle, particularly during requirements and design [2] [5] [8] [9]. However, this ambition is constrained by a shortage of specialized expertise, the lack of systematic methods to refine abstract security goals such as confidentiality, integrity, or availability into actionable design decisions, and the absence of accessible tools for engineers who are not trained in cybersecurity. Recent progress in artificial intelligence, especially in natural language processing and machine learning, creates new opportunities to address these challenges by automatically extracting knowledge about vulnerabilities, threats, and countermeasures, and by making such knowledge usable through intelligent, interactive assistance. Research Questions The central challenge lies in finding ways to integrate security proactively and systematically during the requirements and design phases, while ensuring that non-expert engineers can access the necessary knowledge without sacrificing rigour or traceability. This raises several intertwined research questions:  How to exploit AI methods and techniques to extract and organize vulnerable assets from heterogeneous repositories such as CAPEC, CWE, or ATT&CK? How to refine high-level security objectives into formal, verifiable design patterns that engineers can directly apply? How to embed this knowledge into an interactive assistant that provides real-time feedback, contextual recommendations, and justifications, without disrupting the agility expected in modern development environments? Objectives This doctoral project aims to build the ReqSecDes (Requirement-Security-Design) framework by developing AI-powered mechanisms for vulnerable asset extraction [3], [4] and formalization, and by embedding these into a tool-supported assistant that bridges security requirements and secure design decisions. The expected results are: Automated Vulnerable Asset Library Use NLP/ML to identify, extract, and link vulnerabilities, threats, and mitigations. Structure assets into a formal ontology usable in software/system engineering tools. Formal Taxonomy of Security Properties Refine high-level security goals into verifiable design patterns. Ensure consistency and correctness through formal verification [7] (e.g., Event-B, Rodin). Interactive Security Assistance Develop algorithms to analyse system specifications and models, mapping them to the vulnerable asset library. Provide context-aware, real-time feedback and recommendations via modeling tools (Eclipse, Modelio). Empirical and Industrial Validation Evaluate the framework with industrial case studies. Assess impact on vulnerability reduction and adoption by non-experts. Expected contributions The PhD candidate will: Conduct a state-of-the-art survey on security requirements engineering, asset-based approaches, and AI/NLP applications in cybersecurity. Design and train NLP/ML models for extracting and linking vulnerable assets from security repositories. Develop a formal taxonomy of security properties, formally verify the taxonomy and integrate it into modeling environments. Implement a prototype of interactive assistance, including real-time analysis, reasoning, and user interface. Validate the contributions via case studies and usability evaluations with industry partners, measuring effectiveness and adoption. References [1] D. Gonzalez, F. Alhenaki, and M. Mirakhorli, ‘Architectural Security Weaknesses in Industrial Control Systems (ICS) an Empirical Study Based on Disclosed Software Vulnerabilities’, in IEEE International Conference on Software Architecture (ICSA), Hamburg, Germany: IEEE, Mar. , pp. 31–40. doi: 10./ICSA...  [2] N. Messe, ‘Security by Design : An asset-based approach to bridge the gap between architects and security experts’, phdthesis, Université de Bretagne Sud, . Accessed: Feb. 15, . [Online]. Available: [3] N. Messe, V. Chiprianov, N. Belloir, J. El-Hachem, R. Fleurquin, and S. Sadou, ‘Asset-Oriented Threat Modeling’, in IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Dec. , pp. –. doi: 10./TrustCom...  [4] N. Messe, N. Belloir, V. Chiprianov, J. El-Hachem, R. Fleurquin, and S. Sadou, ‘An Asset-Based Assistance for Secure by Design’, in 27th Asia-Pacific Software Engineering Conference (APSEC), Dec. , pp. –. doi: 10./APSEC...  [5] Nigmatullin, I., Sadovykh, A., Messe, N., Ebersold, S., & Bruel, J. M. (, April). RQCODE–Towards Object-Oriented Requirements in the Software Security Domain. In IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW ) (pp. 2-6). IEEE. [6] Hachem, J. E., Chiprianov, V., Babar, M. A., Khalil, T. A., & Aniorte, P. . Modeling, analyzing and predicting security cascading attacks in smart buildings systems-of-systems. Journal of Systems and Software, , . [7] Zhioua, Z., Ameur-Boulifa, R., & Roudier, Y. . Framework for the formal specification and verification of security guidelines. Advances in Science, Technology and Engineering Systems Journal, 3, 38-48. [8] Teixeira De Castro, H., Hussain, A., Blanc, G., El Hachem, J., Blouin, D., Leneutre, J., & Papadimitratos, P. (, July). A model-based approach for assessing the security of cyber-physical systems. In Proceedings of the 19th International Conference on Availability, Reliability and Security (pp. 1-10). [9] Sadovykh, A., & Ivanov, V. V. . Enhancing DevSecOps with continuous security requirements analysis and testing. Компьютерные исследования и моделирование, 16, -. Funding category Public/private mixed funding Funding further details ANR JCJC