中文

Reverse Engineering Compliance: A Dual-Graph Verification Framework for Auditing Legacy IT Security Concepts

密码学与安全 2026-07-09 v1

摘要

The NIS-2 Directive increases the need for continuous, auditable compliance evidence and motivates a shift from document-based compliance toward machine-readable compliance artifacts. The Open Security Controls Assessment Language (OSCAL) is a standard for this purpose, which the German Federal Office for Information Security (BSI) is adapting with Grundschutz++. However, companies are still managing extensive legacy IT security concepts (IT-SCs), and migrating them without verification could transfer outdated assets into the new format. While existing research primarily addresses the generation of new concepts, there is a lack of a verification framework that extracts legacy IT-SCs into an auditable intermediate representation, deterministically compares the extracted graph with an independently constructed reference state, and exports schema-valid OSCAL artifacts. This paper introduces the Automated Security Concept Structure Extraction and Reverse Topology-checking (ASSERT) Framework, which addresses this gap by using ontology-based extraction of legacy documents into formal document graphs, a five-class graph difference against a verified reference graph, and the export into schema-valid OSCAL outputs for system description and assessment evidence. Using the BSI's RecPlast dataset, we compare a local open-weight model and a commercial model across three configurations with different levels of reference-ontology exposure. The evaluation shows that ASSERT makes document-infrastructure inconsistencies measurable, but reveals a trade-off between discovering undocumented entities and enforcing a schema.

引用

@article{arxiv.2607.08292,
  title  = {Reverse Engineering Compliance: A Dual-Graph Verification Framework for Auditing Legacy IT Security Concepts},
  author = {Lea Roxanne Muth and Marian Margraf},
  journal= {arXiv preprint arXiv:2607.08292},
  year   = {2026}
}

备注

Accepted for publication at the 2026 IEEE International Conference on Computer, Information and Telecommunication Systems (IEEE CITS), Piraeus-Athens, Greece, July 22-24, 2026. 8 pages, 1 figure