{"id":"https://openalex.org/W7140607854","doi":"https://doi.org/10.48550/arxiv.2603.23698","title":"Towards Leveraging LLMs to Generate Abstract Penetration Test Cases from Software Architecture","display_name":"Towards Leveraging LLMs to Generate Abstract Penetration Test Cases from Software Architecture","publication_year":2026,"publication_date":"2026-03-24","ids":{"openalex":"https://openalex.org/W7140607854","doi":"https://doi.org/10.48550/arxiv.2603.23698"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2603.23698","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.23698","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2603.23698","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":null,"display_name":"Jafari, Mahdi","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Jafari, Mahdi","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":null,"display_name":"Sharma, Rahul","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Sharma, Rahul","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":null,"display_name":"Naim, Sami","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Naim, Sami","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":null,"display_name":"Gerking, Christopher","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Gerking, Christopher","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":null,"display_name":"Reussner, Ralf","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Reussner, Ralf","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":5,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.38029998540878296,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.38029998540878296,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.26100000739097595,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.12049999833106995,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.5663999915122986},{"id":"https://openalex.org/keywords/software-architecture","display_name":"Software architecture","score":0.501800000667572},{"id":"https://openalex.org/keywords/software-architecture-description","display_name":"Software architecture description","score":0.45570001006126404},{"id":"https://openalex.org/keywords/architecture","display_name":"Architecture","score":0.4438000023365021},{"id":"https://openalex.org/keywords/usability","display_name":"Usability","score":0.44279998540878296},{"id":"https://openalex.org/keywords/reference-architecture","display_name":"Reference architecture","score":0.4383000135421753},{"id":"https://openalex.org/keywords/resource-oriented-architecture","display_name":"Resource-oriented architecture","score":0.4230000078678131},{"id":"https://openalex.org/keywords/metamodeling","display_name":"Metamodeling","score":0.40950000286102295},{"id":"https://openalex.org/keywords/security-testing","display_name":"Security testing","score":0.3792000114917755}],"concepts":[{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.5989000201225281},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5701000094413757},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.5663999915122986},{"id":"https://openalex.org/C35869016","wikidata":"https://www.wikidata.org/wiki/Q846636","display_name":"Software architecture","level":3,"score":0.501800000667572},{"id":"https://openalex.org/C73219336","wikidata":"https://www.wikidata.org/wiki/Q7554254","display_name":"Software architecture description","level":5,"score":0.45570001006126404},{"id":"https://openalex.org/C123657996","wikidata":"https://www.wikidata.org/wiki/Q12271","display_name":"Architecture","level":2,"score":0.4438000023365021},{"id":"https://openalex.org/C170130773","wikidata":"https://www.wikidata.org/wiki/Q216378","display_name":"Usability","level":2,"score":0.44279998540878296},{"id":"https://openalex.org/C55356503","wikidata":"https://www.wikidata.org/wiki/Q2136675","display_name":"Reference architecture","level":4,"score":0.4383000135421753},{"id":"https://openalex.org/C97382630","wikidata":"https://www.wikidata.org/wiki/Q13501132","display_name":"Resource-oriented architecture","level":5,"score":0.4230000078678131},{"id":"https://openalex.org/C86610423","wikidata":"https://www.wikidata.org/wiki/Q1925081","display_name":"Metamodeling","level":2,"score":0.40950000286102295},{"id":"https://openalex.org/C195518309","wikidata":"https://www.wikidata.org/wiki/Q13424265","display_name":"Security testing","level":5,"score":0.3792000114917755},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.37070000171661377},{"id":"https://openalex.org/C126383566","wikidata":"https://www.wikidata.org/wiki/Q4787220","display_name":"Architecture tradeoff analysis method","level":5,"score":0.3529999852180481},{"id":"https://openalex.org/C201995342","wikidata":"https://www.wikidata.org/wiki/Q682496","display_name":"Systems engineering","level":1,"score":0.3472000062465668},{"id":"https://openalex.org/C121822524","wikidata":"https://www.wikidata.org/wiki/Q5157582","display_name":"Computer security model","level":2,"score":0.3465000092983246},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.33379998803138733},{"id":"https://openalex.org/C131275738","wikidata":"https://www.wikidata.org/wiki/Q7445023","display_name":"Security bug","level":5,"score":0.3303999900817871},{"id":"https://openalex.org/C128942645","wikidata":"https://www.wikidata.org/wiki/Q1568346","display_name":"Test case","level":3,"score":0.31029999256134033},{"id":"https://openalex.org/C117447612","wikidata":"https://www.wikidata.org/wiki/Q1412670","display_name":"Software quality","level":4,"score":0.30660000443458557},{"id":"https://openalex.org/C149091818","wikidata":"https://www.wikidata.org/wiki/Q2429814","display_name":"Software system","level":3,"score":0.29589998722076416},{"id":"https://openalex.org/C41065761","wikidata":"https://www.wikidata.org/wiki/Q2193309","display_name":"Applications architecture","level":4,"score":0.27309998869895935},{"id":"https://openalex.org/C529173508","wikidata":"https://www.wikidata.org/wiki/Q638608","display_name":"Software development","level":3,"score":0.27219998836517334},{"id":"https://openalex.org/C98025372","wikidata":"https://www.wikidata.org/wiki/Q477538","display_name":"Systems architecture","level":3,"score":0.2653999924659729},{"id":"https://openalex.org/C77109596","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Application security","level":5,"score":0.2628999948501587},{"id":"https://openalex.org/C186846655","wikidata":"https://www.wikidata.org/wiki/Q3398377","display_name":"Software construction","level":4,"score":0.2624000012874603},{"id":"https://openalex.org/C60172848","wikidata":"https://www.wikidata.org/wiki/Q7495506","display_name":"Sherwood Applied Business Security Architecture","level":5,"score":0.2574999928474426},{"id":"https://openalex.org/C52913732","wikidata":"https://www.wikidata.org/wiki/Q857102","display_name":"Software design","level":4,"score":0.2549000084400177},{"id":"https://openalex.org/C152752567","wikidata":"https://www.wikidata.org/wiki/Q116877","display_name":"Code refactoring","level":3,"score":0.2524000108242035}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2603.23698","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.23698","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2603.23698","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.23698","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Software":[0],"architecture":[1,70,108,137,156],"models":[2,71,98],"capture":[3],"early":[4],"design":[5,111,184],"decisions":[6],"that":[7,85,172],"strongly":[8],"influence":[9],"system":[10],"quality":[11],"attributes,":[12],"including":[13],"security.":[14],"However,":[15],"architecture-level":[16,77],"security":[17,27,78,138],"assessment":[18,139],"and":[19,90,119,132,140,168,186],"feedback":[20],"are":[21],"often":[22],"absent":[23],"in":[24,40],"practice,":[25],"allowing":[26],"weaknesses":[28],"to":[29,43,48,75,103,151,165],"propagate":[30],"into":[31],"later":[32],"phases":[33],"of":[34,62,95,121],"the":[35,60,87,93,112,122,173],"software":[36,69,130,155],"development":[37],"lifecycle":[38],"and,":[39],"some":[41],"cases,":[42],"remain":[44],"undiscovered,":[45],"ultimately":[46],"leading":[47],"vulnerable":[49],"systems.":[50],"In":[51],"this":[52,56,146],"paper,":[53],"we":[54,115,148],"bridge":[55],"gap":[57],"by":[58],"proposing":[59],"generation":[61],"Abstract":[63],"Penetration":[64],"Test":[65],"Cases":[66],"(APTCs)":[67],"from":[68,107,129,154],"as":[72],"an":[73],"input":[74],"support":[76,178],"assessment.":[79],"We":[80],"first":[81],"introduce":[82],"a":[83],"metamodel":[84],"defines":[86],"APTC":[88,113],"concept,":[89],"then":[91,149],"investigate":[92],"use":[94],"large":[96],"language":[97],"with":[99],"different":[100],"prompting":[101],"strategies":[102],"generate":[104,152],"meaningful":[105],"APTCs":[106,153,175],"models.":[109,157],"To":[110],"metamodel,":[114,147],"analyze":[116],"relevant":[117],"standards":[118],"state":[120],"art":[123],"using":[124],"two":[125],"criteria:":[126],"(i)":[127],"derivability":[128],"architecture,":[131],"(ii)":[133],"usability":[134],"for":[135],"both":[136,179],"subsequent":[141],"penetration":[142,187],"testing.":[143],"Building":[144],"on":[145],"proceed":[150],"Our":[158],"evaluation":[159],"shows":[160],"promising":[161],"results,":[162],"achieving":[163],"up":[164],"93\\%":[166],"usefulness":[167],"86\\%":[169],"correctness,":[170],"indicating":[171],"generated":[174],"can":[176],"substantially":[177],"architects":[180],"(by":[181,189],"highlighting":[182],"security-critical":[183],"decisions)":[185],"testers":[188],"providing":[190],"actionable":[191],"testing":[192],"guidance).":[193]},"counts_by_year":[],"updated_date":"2026-03-27T14:29:43.386196","created_date":"2026-02-16T00:00:00"}