Automated Compliance Mapping in Cloud Security with Domain-Adapted Sentence Transformers

· Source: cs.CL updates on arXiv.org · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Expert, extended

Summary

Automating cloud security compliance mapping, a process traditionally manual and costly, is addressed by a proposed method utilizing domain-adapted Sentence Transformer models. Researchers built a training corpus of 3,499 semantic pairs from five European security standards (BSI C5, ENS, SecNumCloud, EUCS) and technical metrics, expanding it to 13,996 samples across four scenarios using back-translation and LLM-based paraphrasing. Five Sentence Transformer architectures were fine-tuned and evaluated on control-to-metric and cross-standard control association tasks. All fine-tuned models consistently outperformed their zero-shot baselines. The best model achieved up to 23 nDCG@10 points gain on the control-to-metric task, while multi-qa-mpnet-dot-v1 with back-translation reached 0.870 nDCG@10 on cross-standard control, demonstrating that in-domain training data is a primary driver of performance.

Key takeaway

For Cloud Security Architects or Compliance Engineers facing manual mapping burdens, this research demonstrates that fine-tuning Sentence Transformers with domain-specific data can automate compliance mapping effectively. You should prioritize creating a high-quality, unaugmented semantic pair corpus for control-to-metric tasks, and consider back-translation for cross-standard control alignment to achieve significant performance gains and reduce operational costs.

Key insights

Domain adaptation of Sentence Transformers significantly automates cloud security compliance mapping by leveraging specialized training data.

Principles

Method

Construct a semantic pair corpus from standards, augment via back-translation and LLM paraphrasing, then fine-tune Sentence Transformers using Multiple Negatives Ranking Loss for control-to-metric and cross-standard control association.

In practice

Topics

Code references

Best for: NLP Engineer, Research Scientist, AI Scientist, Machine Learning Engineer, AI Security Engineer

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by cs.CL updates on arXiv.org.