🤖 AI Summary
This study addresses the inefficiency and error-proneness of manual mapping between cloud security controls and technical specifications. To overcome this limitation, the authors propose the first application of a domain-adapted Sentence Transformer model to cloud compliance semantic matching. High-quality, multi-standard training corpora are generated using back-translation and large language models, followed by task-specific fine-tuning on both control-to-metric matching and cross-standard linkage tasks. Experimental results demonstrate that the best-performing model achieves a 23-point improvement in nDCG@10 for control-to-metric matching and attains a cross-standard association performance of 0.870, confirming the critical role of domain adaptation and data augmentation in enhancing semantic matching effectiveness for cloud compliance.
📝 Abstract
Mapping cloud security controls to technical metrics is currently a manual process. This paper proposes domain adaptation of Sentence Transformer models to automate it. We build a training corpus of 3,499 semantic pairs from five European security standards and a set of technical metrics, then expand it via back-translation and LLM-based paraphrasing to up to 13,996 samples across four scenarios. We fine-tune five architectures and evaluate their performance on two independent tasks: control-to-metric and cross-standard controls association. All fine-tuned models outperform their zero-shot baselines. On the control-to-metric task, the best model gains up to 23 nDCG@10 points, while on the cross-standard control task, \textit{multi-qa-mpnet-dot-v1} under back-translation reaches 0.870 nDCG@10. The results show that in-domain training data is a primary driver of performance for the considered case studies.