Search papers, labs, and topics across Lattice.
This paper automates the mapping of cloud security controls to technical metrics using domain-adapted Sentence Transformer models, addressing the inefficiencies of the current manual process. By constructing a training corpus of 3,499 semantic pairs and expanding it to 13,996 samples through back-translation and LLM-based paraphrasing, the authors fine-tune five model architectures. The results indicate that all models significantly outperform zero-shot baselines, with the best model achieving a 23-point improvement in nDCG@10 on the control-to-metric task, underscoring the importance of in-domain training data for performance enhancement.
Automating cloud security compliance mapping can dramatically improve efficiency, with models achieving up to 23 points higher accuracy than traditional methods.
Mapping cloud security controls to technical metrics is currently a manual process. This paper proposes domain adaptation of Sentence Transformer models to automate it. We build a training corpus of 3,499 semantic pairs from five European security standards and a set of technical metrics, then expand it via back-translation and LLM-based paraphrasing to up to 13,996 samples across four scenarios. We fine-tune five architectures and evaluate their performance on two independent tasks: control-to-metric and cross-standard controls association. All fine-tuned models outperform their zero-shot baselines. On the control-to-metric task, the best model gains up to 23 nDCG@10 points, while on the cross-standard control task, \textit{multi-qa-mpnet-dot-v1} under back-translation reaches 0.870 nDCG@10. The results show that in-domain training data is a primary driver of performance for the considered case studies.