AI4SRE: From ML to LLMs in Security Requirements Engineering: A Mapping Study

Artificial Intelligence (AI) has begun to reshape how we approach Security Requirements Engineering (SRE), with techniques ranging from traditional Machine Learning (ML) models to emerging Large Language Models (LLMs). These methods are increasingly used to classify, identify, and even generate security requirements from natural-language artifacts. Yet despite this momentum, research in the area remains scattered, and there is limited clarity on how AI is being applied in SRE. To address this, we conducted a mapping study characterizing 29 primary papers that apply ML or LLM-based approaches to security requirements tasks. These studies were selected from an initial set of 403 retrieved through searches in Scopus, IEEE Xplore, and Web of Science using predefined inclusion and exclusion criteria. Our analysis shows that most of the included papers rely on classical ML techniques—such as Bayesian methods, decision trees, SVMs, and regression models—while LLM-based solutions, primarily BERT and its variants, are emerging but still represent a minority. The 29 studies mainly target classification and identification tasks using textual artifacts like Software Requirements Specifications and security standards. Academic datasets (PROMISE NFR, DOSSPRE, PROMISE-exp) dominate the evidence base, and evaluation practices rely heavily on accuracy, precision, recall, and F1-score, with limited expert validation or cross-domain assessment. Across the included papers, recurring limitations appear: scarce and imbalanced datasets, difficulty achieving generalization, semantic ambiguity in natural-language requirements, and weak integration with real-world RE processes. Overall, the body of evidence depicts a field transitioning from ML to LLMs, but still facing significant methodological and practical constraints. 
We highlight several opportunities for future work, including the development of richer datasets, domain-adaptive pretraining strategies, explainability mechanisms, and deeper engagement with industry practitioners to move toward more robust and applicable AI-supported SRE.

Daniel Pérez-Morera
Universidad de Costa Rica
Costa Rica

Christian Quesada-López
University of Costa Rica
Costa Rica

José Ramírez
University of Costa Rica
Costa Rica

Alejandra Selva
University of Costa Rica
Costa Rica