27-08-2014, 02:48 PM
Machine Assisted Report Generation at ABB Global Industries and Services Limited, Bangalore
Machine Assisted Report Generation is a tool that automatically generates reports in Word and Excel format, so that users get a semi-filled report when writing the summary of the results of the test tools. These test tools are used to scan ports and check network vulnerabilities in the DSAC team of ABB Global Industries and Services Ltd. Automatic report generation is possible because the testing tools can provide their output in XML format. The tool fetches the appropriate data from the XML files generated by the testing tools, finds the suitable locations, and fills this data into the predefined MS Word and MS Excel report templates. This would reduce the effort and errors involved in writing reports. It is developed using Python, MiniDom and Win32Com.
A problem is rarely well defined. The first task is to gather the crucial information by interviewing and meeting the people concerned. This clarifies how the problem is felt, how often it occurs, how it affects the business and which departments are affected by it. This phase consists of the following tasks.
This was a preliminary investigation done to get a "feel" for the working of the proposed system. This phase identified the end users directly involved in the system, who were the managers, assistant officer and database administrator, and the development department. By understanding the working of the database and its flow, and after conducting meetings and interviews with the concerned persons of the department, a clear idea about the working was obtained.
A flexible approach is adopted towards the people who are interviewed. Shorthand written notes are prepared based on the responses of the employees. The interviews are preferably conducted at the workplace of the person being interviewed. Detailed investigation is done in order to define the scope of the problem. The interview is concluded with a quick résumé of the ground covered during the interview. The questionnaire technique is combined with interviews to get the best result. Proper care has been taken in the design of such questionnaires so that the persons answering these questions do not feel hesitant. An explanatory note that serves to gain cooperation and avoid misunderstanding by setting out the purpose of the exercise clearly accompanies each questionnaire.
The observation technique is also used for fact finding. The work described at the time of the interview is observed personally, as this reduces the chances of misunderstanding and omissions. Some important things observed are the flow of information through the system, the important data transactions, the data being maintained and the frequency of their updating.
By the end of this phase, an idea was obtained of how the information enters the system, how it is stored, how it is processed, how changes in information affect the working of the system and, finally, the output format required by the end user. All the information generated from this phase acted as an input to the next phase.
Device Security Assurance Centre (DSAC) performs robustness testing of communication protocol stack implementation on ABB devices. At the end of Testing and Analysis DSAC delivers a Test report summarizing identified vulnerabilities and possible solutions. Test report includes summary of tool test results and detailed analysis. Tool Test Results section in the report is filled by extracting data from output files generated by DSAC test tools.
Machine Assisted Report Generation is an interface for automating report generation from DSAC (Device Security Assurance Centre) test data. This tool will write data from XML files to MS-Word and MS-Excel files, so that users can get prefilled data while creating reports.
1.1 Scope and Objective of Project
The possibility of a Machine Assisted Report Generation scheme arises from the fact that the test tools used in the DSAC Lab (Device Profiling Tool, Vulnerability Scanner and Fuzzing and Flooding Tool) are able to generate XML format reports as well. XML-based reports are easy to parse, and computations can be made on the data stored in the XML database. Many programming languages provide libraries to do the same. This allows easy processing of test data and makes automatic generation of test reports possible.
The main aim of creating this tool is to reduce the effort and errors involved in writing reports for the test tools. This can be done by automating the system so that it programmatically fills the report templates from the XML output provided by the test tools.
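How the extraction step described above can look with Python's minidom, as an added example that is not the DSAC tool's own code. The XML layout and element names are assumptions, the sample is constructed, and CSV output stands in for the Win32Com template fill so that it runs without MS Office.

```python
import csv
import io
from xml.dom import minidom
from xml.parsers.expat import ExpatError

# Constructed sample; element and attribute names are assumptions, not a real tool's schema.
SAMPLE_XML = """<?xml version="1.0"?>
<scanrun tool="device-profiling-tool">
  <host>
    <address addr="192.0.2.10"/>
    <port protocol="tcp" portid="80">
      <state state="open"/>
      <service name="http" version="1.2"/>
    </port>
    <port protocol="tcp" portid="502">
      <state state="open"/>
      <service name="modbus"/>
    </port>
    <port protocol="udp" portid="161"><state state="closed"/></port>
  </host>
</scanrun>"""

COLUMNS = ["host", "protocol", "port", "state", "service", "version"]

def _attr(parent, tag, name):
    """Attribute `name` of the first <tag> below parent, or '' when absent."""
    nodes = parent.getElementsByTagName(tag)
    return nodes[0].getAttribute(name) if nodes else ""

def extract_rows(xml_text):
    """Return one report row per <port>; raise ValueError on unusable input.

    Scanner output needs no DTD, so a DOCTYPE is refused rather than parsed.
    """
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD declarations are not accepted")
    try:
        dom = minidom.parseString(xml_text)
    except ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    rows = []
    for host in dom.getElementsByTagName("host"):
        addr = _attr(host, "address", "addr")
        for port in host.getElementsByTagName("port"):
            rows.append({
                "host": addr,
                "protocol": port.getAttribute("protocol"),
                "port": int(port.getAttribute("portid")),
                "state": _attr(port, "state", "state"),
                "service": _attr(port, "service", "name"),
                "version": _attr(port, "service", "version"),
            })
    return rows

def rows_to_csv(rows):
    """Render rows as CSV text that Excel opens directly."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Truncated or malformed tool output surfaces as a single `ValueError`, which the caller can report to the tester instead of writing a half-filled report.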
2 System Study and Problem Formulation
2.1 Existing System
A manual report generation system puts pressure on people to be correct in all details of their work at all times. It is all too easy to accidentally switch details and end up with inconsistency in data entry or in handwritten reports. So, with a manual system, the level of service is dependent on individuals. This has the effect of not only causing problems with customer service but also making information unreliable.
Here are some tools used by ABB:
Vulnerability Scanner is a modular computer software program for performing probabilistic analysis of structural/mechanical components and systems. Vulnerability Scanner combines state-of-the-art probabilistic algorithms with general-purpose numerical analysis methods to compute the probabilistic response and reliability of engineered systems. Variations in loading, material properties, geometry, boundary conditions, and initial conditions can be simulated. Many deterministic modelling tools can be used such as finite element, boundary element, hydro codes, and others. Vulnerability Scanner offers a wide range of capabilities, a graphical user interface, and is verified using hundreds of test problems. Vulnerability Scanner was initially developed to perform probabilistic analysis of space shuttle main engine components. SwRI continues to develop and apply Vulnerability Scanner to a diverse range of problems including aerospace structures, automotive structures, biomechanics, gas turbine engines, geomechanics, nuclear waste packaging, offshore structures, pipelines, and rotor dynamics. To accomplish this, the codes have been interfaced with many well-known third-party and commercial deterministic analysis programs.
Device Profiling Tool features include:
· Host discovery – Identifying hosts on a network. For example, listing the hosts that respond to TCP and/or ICMP requests or have a particular port open.
· Port scanning – Enumerating the open ports on target hosts.
· Version detection – Interrogating network services on remote devices to determine application name and version number.
· OS detection – Determining the operating system and hardware characteristics of network devices.
· Scriptable interaction with the target – using the Device Profiling Tool Scripting Engine and the Lua programming language.
· Device Profiling Tool can provide further information on targets, including reverse DNS names, device types, and MAC addresses.
Fuzzing and Flooding Tool is a suite of utilities to exercise the stability of an IP stack and its component stacks (TCP, UDP, ICMP et al.). It generates piles of pseudo-random packets of the target protocol. The packets are given tendencies to conform to, i.e. 50% of the packets generated can have IP options and 25% of the packets can be IP fragments. The percentages are arbitrary, however, and most of the packet fields have a configurable tendency. The packets are then sent against the target machine to either penetrate its firewall rules or find bugs in the IP stack. ABB IP Stack Integrity Checker also contains a utility to generate raw ether frames to examine hardware implementations.
For all these tools, the DSAC team has to write reports manually to summarize the results of these test tools. The report generation task is done for the output files generated by the test results of Device Profiling Tool, Vulnerability Scanner and Fuzzing and Flooding Tool. Robustness testing of these tools is also done, for which a separate report has to be formulated.
2.1.1 Detailed Study of the Existing System
This phase provides the overall requirements for the system, that is, what is to be done. The input for this phase is the information collected through several data collection schemes such as surveys, question-and-answer sessions, etc., and the raw data obtained, which is neither properly ordered nor precise. Here this raw data is converted into useful information written in a precise manner, and thus the output is a formal document.
After collecting all the information and requirements, they were verified from the concerned persons by presenting a diagrammatic version of the proposed system. The points missing were added to the system specifications for the desired system. So this final document provides the system requirement specifications for the desired system. It helps in reducing the total development cost and also establishes the various points for validation and verification.
A study was conducted to calculate the number of days it takes to prepare the report once the tests are finished. The results state that on average it takes 6 work days from "Test End Date" to "Last modification of report date". The "Regression Tests" were not included in consideration. However, the actual number of days may be more than 6, as testers tend to update the report as the tests proceed and sometimes carry out additional tests during internal report review.
If we assume that an automated scheme can get the reports generated and reviewed in 2 work days instead of six, this can save 4 days per device tested. The number may be small for individual devices, but since DSAC proposed to test more than 100 devices in the current fiscal year, the combined time saved per report can be well ahead of 400 work days (or 3,600 Man Hours) and allow testers to focus solely on the technical aspects of testing and analysis.
The possibility of an automated report generation scheme arises from the fact that Device Profiling Tool, Vulnerability Scanner and Fuzzing and Flooding Tool are able to generate XML format reports as well. XML-based reports are easy to parse programmatically, and many programming languages provide libraries to parse such files with ease. This allows easy processing of test data and makes automatic generation of test reports possible. This can further be extended to export data into a meaningful knowledge base, which can be used to perform studies pertaining to security testing.
Automated report generation also diminishes human error, as the test data is analysed and processed by the automated system. This can remove all structural errors from the reports, leaving the testers to focus only on the faults generated by the device during testing. This also facilitates exporting the test report into various formats with ease. Such a scheme may allow generation of a separate Managerial Report, Technical Report, High detailed technical report, XML report, Business Unit summary Report, etc. Since the reports will be generated by an automated system, redundancy errors will be diminished in such reports.
2.2 Limitations of Existing System
Manual report generation has the following concerns:
· Labor-intensive
· Tedious
· Time consuming
· Fetching and working out data from test tool generated reports is very difficult.
· Entails training to write data
· High potential for typing errors
2.3 Proposed System
Device Security Assurance Centre performs robustness testing of communication protocol stack implementation on ABB devices. At the end of Testing and Analysis DSAC delivers a Test report summarizing identified vulnerabilities and possible solutions. Test report includes summary of tool test results and detailed analysis. Tool Test Results section in the report is filled by extracting data from output files generated by DSAC test tools.
A tool which can extract data from test tool generated reports and present the same in MS-Word and MS-Excel templates would reduce the effort and errors involved in writing reports.
The possibility of a Machine Assisted Report Generation scheme arises from the fact that Device Profiling Tool, Vulnerability Scanner, Mu-8000 and Fuzzing and Flooding Tool are able to generate XML format reports as well. XML-based reports are easy to parse, and computations can be made on the data stored in the XML database. Many programming languages provide libraries to do the same. This allows easy processing of test data and makes automatic generation of test reports possible.
2.4 Advantages of Proposed System
Machine Assisted Report Generation has the following advantages:
· Requires less effort
· Error free
· Time saving
· Fetching and working out data from test tool generated reports becomes easy.
· Dynamic
· Quick and easy to use
2.5 Feasibility Study
A feasibility study is a test of a system proposal according to its workability, impact on the organization, ability to meet user needs and effective use of resources. The objective of a feasibility study is not to solve a problem but to acquire a sense of its scope. During the study, the problem definition is crystallized and the aspects of the problem to be included in the system are determined. After the initial investigation of the system is done, an in-depth study of the existing system is needed to understand its strengths and weaknesses and the requirements for the new proposed system. The feasibility study was done in three phases, documented below.
2.5.1.1 Behavioural feasibility
People are inherently resistant to change, and computers have been known to facilitate change. There is always some reluctance among users against the introduction of a new system, but they were told that this system would eliminate the unnecessary overhead of database migration and conversion, which presently had to be carried out on a daily basis to facilitate transactions between the different departments. The objective of this feasibility phase is to take the operational staff into confidence.
As the success of a good system depends upon the willingness of the operating staff, they were taken into full confidence that the new proposed system would make their jobs easier, relieve them from the unnecessary overheads and reduce the possibility of errors creeping into the system.
2.5.1.2 Economic feasibility:
Economic feasibility is the most frequently used method for evaluating the effectiveness of the candidate system. More commonly known as cost-benefit analysis, the procedure is to determine the benefits and savings that are expected from a candidate system and compare them with the costs. If the benefits outweigh the costs, then the decision is made to design and implement the system. A cost-benefit analysis was done for the proposed system to evaluate whether it would be economically viable or not.
The organization has in store many machines with the high processing power necessary to implement the system. The organization also has the necessary software and hardware to support the system. Considering the programmer time and the negligible hardware/software cost required for developing the system, it was found that the benefits in terms of reduced overhead were greater than the cost.
2.5.1.3 Technical feasibility
Technical feasibility centres on the existing computer system (hardware/software) and the extent to which it can support the proposed addition. The organization already has sufficient high-end machines to serve the processing requirements of the proposed system. There is no need to purchase new software, as the organization has the necessary software and hardware to support the proposed system. Having gone through the steps of the overall analysis and feasibility study, the next step was to carry out a detailed system analysis. The project analysis phase was conducted to learn about the proposed system, to study the problems and finally to select a system that would take care of the problems identified in the working of the present system.
3 Project Plan
3.1 Analysis Phase
Systems analysis is the study of sets of interacting entities, including computer systems analysis. This field is closely related to operations research. It is also "an explicit formal inquiry carried out to help someone (referred to as the decision maker) identify a better course of action and make a better decision than he might otherwise have made."
Analysis is defined as the procedure by which we break down an intellectual or substantial whole into parts so that we can achieve our end goals.
The development of a computer-based information system includes a systems analysis phase which produces or enhances the data model which itself is a precursor to creating or enhancing a database. There are a number of different approaches to system analysis. When a computer-based information system is developed, systems analysis would constitute the following steps:
· Conducting fact-finding measures, designed to ascertain the requirements of the system's end users. These typically span interviews, questionnaires, or visual observations of work on the existing system.
· Gauging how the end users would operate the system (in terms of general experience in using computer hardware or software), what the system would be used for, etc.
Another view outlines a phased approach to the process. This approach breaks systems analysis into 5 phases:
· Scope definition
· Problem analysis
· Requirements analysis
· Logical design
· Decision analysis
Use cases are a widely-used systems analysis modelling tool for identifying and expressing the functional requirements of a system. Each use case is a business scenario or event for which the system must provide a defined response. Use cases evolved out of object-oriented analysis.
3.1.1 User Requirement
Since end users are the ones who are finally going to use the system, their requirements need to be identified. This involves asking the end users what their expectations are. The main requirement of the end user is that the system should be easy to use and take less time. In addition, another important factor was to eliminate the need for the database conversion and migration that presently had to be carried out. After conducting interviews with the users, a document called the software requirement specification was created. This is the most important document and forms the basis for system development. It should be consistent, complete, unambiguous, traceable and inter-related.
3.1.2 Functional Requirements:
The functional requirements specify the relationship between the inputs and outputs. All the operations to be performed on the input data to obtain the output are to be specified. This includes specifying the validity checks on the input and output data, the parameters affected by the operations, and the other operations which must be used to transform the inputs into outputs. Functional requirements specify the behaviour of the system for valid inputs and outputs.
3.1.3 Performance Requirements:
This section covers the performance requirements of the product, which were set through user interaction and by studying the existing system of the organization. These are stated in complete, measurable terms, so that they can be verified during the system evaluation phase. Some of the performance requirements are stated below.
· User Friendly: The system produced is user friendly, understandable and easy to use so that the users of the system can easily learn to use the system. For this the system is made menu-driven with well-documented programs.
· Time Element (response and processing time): The response time of the system is very low, and it takes little time to execute queries and triggers.
· Maximum Throughput: The system gives maximum throughput with relevant output.
· Robustness: The system will be able to handle undesirable situations and errors encountered at various levels, e.g. if the user supplies invalid input for processing, the system gracefully halts, displaying a message to the user indicating the cause of the error and prompting them to enter the correct input.