{"id":"https://openalex.org/W7162334957","doi":"https://doi.org/10.48550/arxiv.2605.23695","title":"Validating Threat Modeling Results with the Help of Vulnerable Test Applications","display_name":"Validating Threat Modeling Results with the Help of Vulnerable Test Applications","publication_year":2026,"publication_date":"2026-05-22","ids":{"openalex":"https://openalex.org/W7162334957","doi":"https://doi.org/10.48550/arxiv.2605.23695"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2605.23695","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.23695","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2605.23695","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5136943755","display_name":"Oleksandr Adamov","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Adamov, Oleksandr","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5136936275","display_name":"Davide Fucci","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Fucci, Davide","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5136980522","display_name":"Felix Viktor Jedrzejewski","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Jedrzejewski, Felix Viktor","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135862965","display_name":"Ricardo Britto","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Britto, Ricardo","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5090947442","display_name":"Nishrith Saini","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Saini, Nishrith","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":0,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.8317999839782715,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.8317999839782715,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.04659999907016754,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.012000000104308128,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.6514999866485596},{"id":"https://openalex.org/keywords/complement","display_name":"Complement (music)","score":0.6046000123023987},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.5293999910354614},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.4814999997615814},{"id":"https://openalex.org/keywords/vulnerability-assessment","display_name":"Vulnerability assessment","score":0.4214000105857849},{"id":"https://openalex.org/keywords/measure","display_name":"Measure (data warehouse)","score":0.38280001282691956},{"id":"https://openalex.org/keywords/benchmark","display_name":"Benchmark (surveying)","score":0.3537999987602234}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6546000242233276},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.6514999866485596},{"id":"https://openalex.org/C112313634","wikidata":"https://www.wikidata.org/wiki/Q7886648","display_name":"Complement (music)","level":5,"score":0.6046000123023987},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5393999814987183},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.5293999910354614},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.4814999997615814},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.4708999991416931},{"id":"https://openalex.org/C167063184","wikidata":"https://www.wikidata.org/wiki/Q1400839","display_name":"Vulnerability assessment","level":3,"score":0.4214000105857849},{"id":"https://openalex.org/C2780009758","wikidata":"https://www.wikidata.org/wiki/Q6804172","display_name":"Measure (data warehouse)","level":2,"score":0.38280001282691956},{"id":"https://openalex.org/C185798385","wikidata":"https://www.wikidata.org/wiki/Q1161707","display_name":"Benchmark (surveying)","level":2,"score":0.3537999987602234},{"id":"https://openalex.org/C2778868856","wikidata":"https://www.wikidata.org/wiki/Q18394273","display_name":"Threat assessment","level":2,"score":0.33250001072883606},{"id":"https://openalex.org/C2777267654","wikidata":"https://www.wikidata.org/wiki/Q3519023","display_name":"Test (biology)","level":2,"score":0.3183000087738037},{"id":"https://openalex.org/C17231256","wikidata":"https://www.wikidata.org/wiki/Q5156540","display_name":"Completeness (order theory)","level":2,"score":0.31139999628067017},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.303600013256073},{"id":"https://openalex.org/C12174686","wikidata":"https://www.wikidata.org/wiki/Q1058438","display_name":"Risk assessment","level":2,"score":0.2815000116825104},{"id":"https://openalex.org/C172776598","wikidata":"https://www.wikidata.org/wiki/Q7943570","display_name":"Vulnerability management","level":4,"score":0.28130000829696655},{"id":"https://openalex.org/C67186912","wikidata":"https://www.wikidata.org/wiki/Q367664","display_name":"Data modeling","level":2,"score":0.27379998564720154},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.26460000872612},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.26190000772476196},{"id":"https://openalex.org/C3019813237","wikidata":"https://www.wikidata.org/wiki/Q65089264","display_name":"Model validation","level":2,"score":0.25029999017715454}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2605.23695","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.23695","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"Preprint"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2605.23695","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.23695","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Preprint"},"sustainable_development_goals":[{"score":0.4632111191749573,"id":"https://metadata.un.org/sdg/10","display_name":"Reduced inequalities"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Validating":[0],"threat":[1,45,72,136],"modeling":[2,46,73],"results":[3,113],"remains":[4],"difficult":[5],"because":[6],"completeness":[7],"is":[8],"hard":[9],"to":[10,47,56,99,104],"judge":[11],"without":[12],"an":[13,70],"external":[14],"oracle.":[15],"Existing":[16],"studies":[17],"often":[18],"rely":[19],"on":[20,121],"expert-produced":[21],"reference":[22],"models":[23],"and":[24,91,109,138],"other":[25],"human":[26],"baselines,":[27],"but":[28],"these":[29],"can":[30,64],"contain":[31],"omissions":[32],"or":[33],"disagreements.":[34],"This":[35],"paper":[36],"evaluates":[37],"a":[38,52,131],"complementary,":[39],"vulnerability-grounded":[40],"validation":[41],"approach.":[42],"We":[43,67,124],"apply":[44],"intentionally":[48],"vulnerable":[49,88,127],"applications":[50,129],"with":[51,79],"known":[53],"vulnerability":[54,119],"set":[55],"measure":[57],"the":[58,80,92],"number":[59],"of":[60],"related":[61],"vulnerabilities":[62],"that":[63,115,126],"be":[65],"discovered.":[66],"compare":[68],"ThreMoLIA,":[69],"LLM-assisted":[71],"solution":[74],"developed":[75],"by":[76],"our":[77],"team,":[78],"Microsoft":[81],"Threat":[82],"Modeling":[83],"Tool":[84],"(MTMT)":[85],"across":[86],"two":[87],"applications:":[89],"AzureGoat":[90],"Vulnerable":[93],"Bank":[94],"Application":[95],"(VulnBank).":[96],"The":[97,112],"inputs":[98],"both":[100,122],"tools":[101],"are":[102],"limited":[103],"architecture,":[105],"data":[106],"flow":[107],"diagrams,":[108],"their":[110],"descriptions.":[111],"show":[114,125],"ThreMoLIA":[116],"achieved":[117],"higher":[118],"coverage":[120,137],"systems.":[123],"test":[128],"provide":[130],"practical":[132],"benchmark":[133],"for":[134],"assessing":[135],"complement":[139],"expert-based":[140],"validation.":[141]},"counts_by_year":[],"updated_date":"2026-07-01T06:00:48.157686","created_date":"2026-05-26T00:00:00"}
