
Information and Software Technology: latest articles

Uncovering challenges of cybersecurity cross-regulation in EU legislation
IF 4.3, Zone 2 (Computer Science), Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2026-01-23. DOI: 10.1016/j.infsof.2026.108033
Daniele Canavese, Afonso Ferreira, Liina Kamm, Adrian Quesada Rodriguez

Context:

The European Union has recently introduced a suite of foundational digital regulations—the Cyber Resilience Act, the Artificial Intelligence Act, the Radio Equipment Directive, the NIS 2 Directive, and the Cybersecurity Act—that directly affect the engineering of software-intensive systems. While these instruments aim to enhance trust and security, their overlapping scopes generate a complex compliance landscape that software development must address at the design, implementation, and deployment stages.

Objectives:

This paper examines the cross-regulatory impact of such EU cybersecurity legislation from a software engineering perspective, aiming to provide a set of guidelines and recommendations for implementing a compliance-by-design approach.

Method:

We analyze and compare the five legal instruments, focusing on how their obligations intersect with each other. We then translate their regulatory requirements into actionable artifacts, ranging from architectural constraints and security controls to organisational processes, using a legal engineering approach. Finally, we propose a compliance-by-design lifecycle pattern that integrates regulatory alignment into requirements engineering, system design, and testing.

Results:

To demonstrate applicability, we evaluate three representative use cases: an AI-enabled power plant, an autonomous drone delivery platform, and an AI-powered clinical decision support system. These examples demonstrate that multiple regulatory regimes often govern software-based systems. We conclude with practical recommendations for suppliers, deployers, and policymakers towards an integrated compliance framework to promote compliance-aware software engineering.

Conclusion:

Our findings indicate that the European digital landscape is shifting compliance from a post-hoc audit exercise to a design-time engineering principle. Embedding compliance early into the software development lifecycle not only supports regulatory alignment but also improves system resilience and trustworthiness.
Citations: 0
Fairness-aware graph representation learning through bias disentanglement
IF 4.3, Zone 2 (Computer Science), Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2026-01-22. DOI: 10.1016/j.infsof.2026.108034
Shuhan Liu, Zheyun Qin, Xuan Hou, Yining Wang, Ziwen Wang, Zhaohui Peng

Context:

Graph neural networks (GNNs) can amplify social biases in graph data, exacerbating inequality and compromising privacy, especially in high-risk applications. Existing graph fairness methods are limited by GNNs’ low-pass filtering, which smooths out local fairness-related information and thus cannot adequately represent fairness in graph attributes.

Objective:

To address these limitations, we propose the FairDT method, in which the harmful bias generated by the sensitive attribute is decoupled from the learned fair representation based on a disentanglement strategy.

Method:

We first construct global and local graph views using polynomial filter encoders with controllable spectral properties. Then, a Mixture of Experts Model for Debiasing disentangles bias from the sensitive attribute in both views. We also introduce a fairness-aware contrastive learning framework to mitigate bias in graph representations, enhancing fairness without sacrificing prediction accuracy.

Results:

We compare the fairness and predictive performances with nine baseline methods on six real-world datasets and design specialized ablation studies to demonstrate the effectiveness of our proposed method on each component.

Conclusion:

The experimental results show that FairDT outperforms the baseline methods in most metrics in terms of both fairness and prediction performances. Code is available at https://github.com/ShuhanLiu2019/FairDT.
Citations: 0
A decision model for selecting FaaS platforms
IF 4.3, Zone 2 (Computer Science), Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2026-01-22. DOI: 10.1016/j.infsof.2026.108042
Muhammad Hamza, Siamak Farshidi, Muhammad Azeem Akbar, Rafael Capilla, Slinger Jansen, Kari Smolander

Context:

Serverless computing is an umbrella paradigm that encompasses multiple service categories, including Function-as-a-Service (FaaS) and Backend-as-a-Service (BaaS). It has reshaped cloud application development by abstracting infrastructure management tasks such as provisioning, scaling, and operational maintenance from developers, thereby enabling greater focus on application logic. To realize these benefits, organizations need to select among various FaaS platforms such as AWS Lambda, Google Cloud Functions, Azure Functions, and Apache OpenWhisk to develop their serverless applications. Nevertheless, the increasing number of available FaaS platforms and their heterogeneous characteristics (e.g., timeout constraints, cold-start behavior, memory and package size limits, and event-source integration) make platform selection complex and knowledge-intensive for the decision makers.

Objective:

The main objective of this study is to support decision-makers in selecting appropriate FaaS platforms by designing an effective and systematic decision model. The model aims to simplify the selection process, reduce time and effort, and provide deeper insights into platform suitability based on specific organizational requirements.

Method:

We employed a mixed-method research design to develop a decision model for the FaaS platform selection problem. The model contains a mapping of 219 features across 16 FaaS platforms.

Results:

The model was evaluated through five real-world case studies conducted at different software development companies. It suggests and prioritizes more than one FaaS platform based on the participants’ requirements. The case study participants reported that the model offered valuable insights and significantly simplified the selection process by reducing the time and costs associated with the decision-making process.

Conclusion:

We observe in the empirical evidence that decision-makers can make more rational, efficient, and effective decisions with the decision model. Additionally, the model provides reusable insights that can support future research, such as developing new frameworks and solutions for emerging challenges in serverless computing.
Citations: 0
Structured policy modeling and context-aware generation for multi-jurisdictional compliance in global software systems
IF 4.3, Zone 2 (Computer Science), Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2026-01-20. DOI: 10.1016/j.infsof.2026.108041
Zhixian Zhuang, Xiaodong Lee, Aiyao Zhang, Jiuqi Wei, Yufan Fu, Botao Peng

Context:

Legal compliance is increasingly vital in software systems that process personal data across jurisdictions, yet ensuring adherence to diverse regulatory requirements remains challenging throughout the development lifecycle.

Objective:

We aim to develop a modular framework that enables automated, context-aware compliance policy generation and seamless integration into software engineering workflows.

Methods:

We propose CBCMS+, a cross-border compliance management system that introduces a structured Policy Definition Language (PDL) for representing both legal constraints and user-defined preferences. CBCMS+ employs a two-step solution: EpMap, which transforms multilingual legal texts into structured PDL representations, and ComGen, which generates contextualized policies based on runtime scenarios. The framework also supports policy conflict resolution, DevOps integration, and flexible deployment.

Results:

We implement CBCMS+ and evaluate it on multilingual legal corpora from multiple jurisdictions. EpMap achieves an F1 score of 89.11% in legal-to-PDL mapping, while ComGen reaches 94.21% in generating valid policies. Under high-concurrency workloads, ComGen sustains over 1200 requests per second with an average latency of 12.8 ms.

Conclusion:

CBCMS+ provides a scalable and practical foundation for compliance-by-design in global software systems, combining structured modeling, multilingual adaptability, and efficient policy automation.
Citations: 0
Towards bias-free recruitment: Adversarial contrastive tuning for LLM-based resume screening
IF 4.3, Zone 2 (Computer Science), Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2026-01-19. DOI: 10.1016/j.infsof.2026.108040
Fengyu Wu, Ayong Ye, Zihan Cai, Jing Chen

Context:

Large language model (LLM)-based resume screening systems have gained traction for automating candidate evaluation, significantly enhancing recruitment efficiency. However, these systems risk perpetuating societal biases embedded in their pre-training data, which may lead to discriminatory employment outcomes. Existing debiasing approaches often suffer from performance degradation and limited operational flexibility.

Objectives:

Our study aims to resolve the critical limitations of inflexibility and performance degradation in existing debiasing methods. We seek to develop an adaptable framework capable of mitigating biases across diverse sensitive attributes while preserving the core performance of LLM-based resume screening systems.

Methods:

We propose a parameter-efficient debiasing framework utilizing adapter-based tuning. The method integrates adversarial training to disentangle sensitive attribute biases from candidate qualification signals, combined with contrastive learning objectives to preserve the LLM’s core functionality. This approach avoids modifying the base LLM architecture, ensuring computational efficiency and flexibility.

Results:

Evaluations on real-world resume data demonstrate superior fairness performance compared to three baseline methods across two fairness metrics, with consistent bias mitigation effects across different sensitive attributes. The method achieves this while maintaining competitive screening performance, incurring only marginal accuracy loss.

Conclusion:

This framework addresses algorithmic bias through a modular adapter architecture that enables targeted debiasing for specific sensitive attributes without full-model retraining. By allowing dynamic selection of attribute-specific adapters, the method maintains original screening performance while significantly reducing deployment costs, offering organizations a scalable solution to implement ethical AI in recruitment systems.
Citations: 0
EdgeSim: Firmware vulnerability detection with control transfer-enhanced binary code similarity detection
IF 4.3, Zone 2 (Computer Science), Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS. Pub Date: 2026-01-17. DOI: 10.1016/j.infsof.2026.108020
Li Liu, Shen Wang, Xunzhi Jiang

Context:

The widespread adoption of Internet of Things (IoT) devices has amplified the impact of vulnerabilities in embedded firmware. Binary code similarity detection (BCSD), a static analysis technique that compares functions without source code, plays an important role in firmware vulnerability detection. However, existing control flow graph (CFG)-based methods directly aggregate basic block features to learn structural information, neglecting the rich semantics in control transfers between basic blocks (i.e., CFG edges). This limitation leads to degraded performance under diverse compilation settings.

Objective:

To address the limitations of existing CFG-based similarity detection methods, this paper proposes a novel binary similarity detection method, EdgeSim, which extracts and utilizes control transfer information between basic blocks for the first time in CFG-based BCSD.

Method:

EdgeSim employs a language model to extract semantic features of both basic blocks and the control transfer relationships between them. Basic block semantics are used as node features, while control transfer semantics are incorporated as edge features in CFGs. Furthermore, we design a novel edge feature-enhanced graph neural network (EGNN) to aggregate features of nodes and edges in CFG, leveraging control transfer information between basic blocks to learn more comprehensive graph embeddings of functions.

Results:

Experimental evaluations on datasets covering diverse architectures, optimization levels, and compilers demonstrate that EdgeSim improves the Recall@1 by over 25% compared to baseline approaches in one-to-many function search tasks under cross-compilation conditions. Additionally, in real-world firmware vulnerability search experiments, EdgeSim outperforms baselines in identifying all vulnerability functions while maintaining the highest mean reciprocal rank (MRR) metric and the lowest false positive rate (FPR).

Conclusion:

The experimental results indicate that integrating control transfer semantics substantially enhances CFG-based function representations. EdgeSim consistently delivers superior performance in binary similarity detection and firmware vulnerability discovery across diverse compilation environments.
引用次数: 0
AI systems’ negative social impact and factors
IF 4.3 Zone 2 (Computer Science) Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date : 2026-01-17 DOI: 10.1016/j.infsof.2026.108038
Nafen Haj Ahmad , Linnea Stigholt , Leticia Duboc , Birgit Penzenstadler

Context:

AI technologies are rapidly being integrated into society, offering numerous benefits but also raising significant ethical and social concerns. While some AI systems aim to improve efficiency and decision-making, they can also cause harmful impacts on individuals and society.

Objective:

This study examines both the immediate and systemic negative effects of AI systems, as well as the underlying factors that might contribute to these issues.

Method:

Using a multi-vocal literature review, we analyze 28 AI systems and their associated impacts, including discrimination, psychological and physical harm, and unfair treatment.

Results:

We identify key factors that might have led AI systems to operate in that manner and explain why these impacts may occur. Additionally, we propose initial concrete actions to mitigate these negative effects and promote the development of AI systems that align with ethical and social sustainability principles.

Impact:

By shedding light on these issues, we aim to raise awareness among researchers and developers, encouraging the adoption of more responsible and inclusive as well as concrete AI guidelines.
Information and Software Technology, vol. 192, Article 108038. Published 2026-01-17. Citations: 0
Designing an ISO 23247-compliant Hybrid Digital Twin Architecture for industry
IF 4.3 Zone 2 (Computer Science) Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date : 2026-01-15 DOI: 10.1016/j.infsof.2026.108039
Alfredo Garro, Alessandro Sorrenti

Context:

Traditional Digital Twins (DTs), often based solely on deterministic physical models, are weak in managing nonlinear behaviors and adapting to evolving operational dynamics.

Objective:

To address these limitations, this paper proposes a novel Hybrid Digital Twin (HDT) architecture that integrates physics-based models with data-driven approaches.

Results:

The main contributions of this paper are twofold: (1) a structured requirements analysis that covers functional, non-functional, software, and user aspects of an HDT, and (2) a reference architecture aligned with the industrial ISO 23247 standard.

Method:

The proposed HDT Architecture has been defined on the basis of a structured requirement analysis and validated in the context of the BIOPURE project (Biopharmaceuticals purification by continuous membrane-assisted crystallization achieving lower cost and intensified processes), funded under the Horizon Europe programme.

Conclusion:

The study concludes with a discussion of the benefits in terms of operational efficiency, interoperability, and standardization, derived from the adoption of the proposed reference architecture for HDTs, aligned with the ISO 23247 standard.
Information and Software Technology, vol. 193, Article 108039. Published 2026-01-15. Citations: 0
Unsupervised, robust, and lightweight detection of data pattern anomalies and outliers
IF 4.3 Zone 2 (Computer Science) Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date : 2026-01-13 DOI: 10.1016/j.infsof.2026.108035
Qiaolin Qin, Heng Li, Ettore Merlo

Context:

As a current consensus, data quality strongly impacts the process of building software and AI systems. Hence, practitioners must detect the anomalies in data and repair these underlying problems. When dealing with big data in the industry, statistic-based unsupervised anomaly detectors come in handy since they do not require labels and are highly scalable. However, we noticed that these tools, although unsupervised, always require data-dependent parameters, which can largely affect the detection performance and are effort-consuming to configure.

Objectives:

In this work, we propose a fully unsupervised, statistic-based cell-level data anomaly detector, LUCARIO (Learning Unsupervised, Cell-level Anomaly-detector for Regex Incompatibilities and Outliers). Our approach aims to detect common cell-level data anomalies (pattern violations and outliers) without manual effort in data annotation or parameter configuration, while still providing robust performance for different data across diverse domains.

Methods:

According to previous studies, we categorized cell anomalies into two categories: pattern violations and outliers (categorical and numerical). We proposed three detection approaches based on heuristics and statistical theories to identify these anomalies. To evaluate LUCARIO’s effectiveness and usability, we conducted experiments on six open-source datasets and a real-life industrial dataset from our industrial partner CompanyX.

Results:

According to our experiment on six open-source datasets in various domains, LUCARIO can stably detect cell-level data issues (pattern violations and outliers) regardless of the dataset’s size and anomaly rate. LUCARIO reached an average F1 score of 0.54, higher than all baseline unsupervised anomaly detectors, including GPT-5 with few-shot prompting. Practitioners from CompanyX generally agree that LUCARIO can benefit their data quality by detecting critical data issues and providing reliable suggestions.

Conclusion:

The experimental results show that LUCARIO has the potential to improve the data used for both software and AI system construction in real-life applications, suggesting its practicality in data management.
Information and Software Technology, vol. 192, Article 108035. Published 2026-01-13. Citations: 0
VulATMHD: Joint adaptive triplet mining and hybrid distillation for type-aware vulnerability classification
IF 4.3 Zone 2 (Computer Science) Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS Pub Date : 2026-01-13 DOI: 10.1016/j.infsof.2026.108037
Xuanye Wang , Lu Lu

Context:

Vulnerability detection leveraging pre-trained models has achieved notable success, but its coarse-grained outputs fail to provide security engineers with vulnerability type information. Recent type-aware Software Vulnerability Classification (SVC) methods mitigate this gap, but often neglect inter-type semantic relationships and exhibit limited knowledge transfer, resulting in suboptimal learned representations.

Objective:

To address these limitations, this study proposes VulATMHD, a novel type-aware SVC framework that integrates adaptive triplet mining with hybrid distillation.

Methods:

VulATMHD first groups vulnerability types based on common weakness enumeration abstract types. It then constructs a multi-teacher architecture, with each teacher assigned to a specific group. Adaptive triplet mining is introduced to guide feature learning, yielding feature representations that are intra-class compact and inter-class separable. Since each teacher is optimized for intra-group performance, VulATMHD further introduces a hybrid distillation strategy to transfer both feature representations and label distributions from the teacher ensemble to a pre-trained student.

Results:

Empirical evaluations on the BigVul dataset show that, compared to baseline methods, VulATMHD improves Accuracy and weighted F1-score by 4.7%–29.9% and 5.7%–34.1%, respectively. Moreover, VulATMHD is compatible with various pre-trained models, such as CodeBERT, CodeT5+, and GraphCodeBERT.

Conclusion:

The proposed VulATMHD outperforms state-of-the-art SVC methods and exhibits superior robustness and scalability in downstream tasks, highlighting its potential for practical applications.
Information and Software Technology, vol. 192, Article 108037. Published 2026-01-13. Citations: 0