Abstract:Validating threat modeling results remains difficult because completeness is hard to judge without an external oracle. Existing studies often rely on expert-produced reference models and other human baselines, but these can contain omissions or disagreements. This paper evaluates a complementary, vulnerability-grounded validation approach. We apply threat modeling to intentionally vulnerable applications with a known vulnerability set to measure the number of related vulnerabilities that can be discovered. We compare ThreMoLIA, an LLM-assisted threat modeling solution developed by our team, with the Microsoft Threat Modeling Tool (MTMT) across two vulnerable applications: AzureGoat and the Vulnerable Bank Application (VulnBank). The inputs to both tools are limited to architecture, data flow diagrams, and their descriptions. The results show that ThreMoLIA achieved higher vulnerability coverage on both systems. We show that vulnerable test applications provide a practical benchmark for assessing threat coverage and complement expert-based validation.
| Subjects: | Cryptography and Security (cs.CR) |
| Cite as: | arXiv:2605.23695 [cs.CR] |
| (or arXiv:2605.23695v1 [cs.CR] for this version) | |
| https://doi.org/10.48550/arXiv.2605.23695 arXiv-issued DOI via DataCite (pending registration) |
From: Oleksandr Adamov [view email]
[v1]
Fri, 22 May 2026 14:50:33 UTC (34 KB)
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。