{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,31]],"date-time":"2026-01-31T10:47:42Z","timestamp":1769856462154,"version":"3.49.0"},"reference-count":31,"publisher":"MDPI AG","issue":"1",
"license":[{"start":{"date-parts":[[2025,1,3]],"date-time":"2025-01-03T00:00:00Z","timestamp":1735862400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],
"funder":[{"name":"EU DUCA","award":["PE00000014"],"award-info":[{"award-number":["PE00000014"]}]},{"name":"EU CyberSecPro","award":["PE00000014"],"award-info":[{"award-number":["PE00000014"]}]},{"name":"SYNAPSE, PTR 22-24 P2.01","award":["PE00000014"],"award-info":[{"award-number":["PE00000014"]}]},{"name":"SERICS","award":["PE00000014"],"award-info":[{"award-number":["PE00000014"]}]}],
"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],
"abstract":"<jats:p>Security and non-security requirements are two critical issues in software development. Classifying requirements is crucial because it helps recall security needs during the early stages of development, ultimately leading to enhanced security in the final software solution. However, automatically classifying requirements into security and non-security categories remains a challenging task. In this work, we propose a novel method for automatically classifying software requirements using transformer models to address these challenges. We fine-tuned four pre-trained transformers on four datasets (the original one and three augmented versions). In addition, we employed few-shot learning techniques by leveraging transfer learning models, explicitly utilizing pre-trained architectures. The study shows that these models can effectively classify security requirements with reasonable accuracy, precision, recall, and F1-score, demonstrating that fine-tuning and SetFit can help smaller models generalize, making them suitable for enhancing security processes in the Software Development Cycle. Finally, we introduce explainability for the fine-tuned models to elucidate how each model extracts and interprets critical information from input sequences, through attention visualization heatmaps.<\/jats:p>",
"DOI":"10.3390\/fi17010015","type":"journal-article","created":{"date-parts":[[2025,1,3]],"date-time":"2025-01-03T10:17:23Z","timestamp":1735899443000},"page":"15","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":11,"title":["Explainable Security Requirements Classification Through Transformer Models"],"prefix":"10.3390","volume":"17",
"author":[{"ORCID":"https:\/\/orcid.org\/0009-0000-3616-9244","authenticated-orcid":false,"given":"Luca","family":"Petrillo","sequence":"first","affiliation":[{"name":"Institute for Informatics and Telematics, National Research Council of Italy (CNR), 56124 Pisa, Italy"},{"name":"IMT School for Advanced Studies Lucca, 55100 Lucca, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6721-9395","authenticated-orcid":false,"given":"Fabio","family":"Martinelli","sequence":"additional","affiliation":[{"name":"Institute for High Performance Computing and Networking, National Research Council of Italy (CNR), 87036 Rende, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2634-4456","authenticated-orcid":false,"given":"Antonella","family":"Santone","sequence":"additional","affiliation":[{"name":"Department of Medicine and Health Sciences \u201cVincenzo Tiberio\u201d, University of Molise, 86100 Campobasso, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9425-1657","authenticated-orcid":false,"given":"Francesco","family":"Mercaldo","sequence":"additional","affiliation":[{"name":"Institute for Informatics and Telematics, National Research Council of Italy (CNR), 56124 Pisa, Italy"},{"name":"Department of Medicine and Health Sciences \u201cVincenzo Tiberio\u201d, University of Molise, 86100 Campobasso, Italy"}]}],
"member":"1968","published-online":{"date-parts":[[2025,1,3]]},
"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"481","DOI":"10.1007\/s00766-015-0229-z","article-title":"Automating trade-off analysis of security requirements","volume":"21","author":"Pasquale","year":"2016","journal-title":"Requir. Eng."},
{"key":"ref_2","doi-asserted-by":"crossref","first-page":"19139","DOI":"10.1109\/ACCESS.2021.3052311","article-title":"Systematic mapping study on security approaches in secure software engineering","volume":"9","author":"Khan","year":"2021","journal-title":"IEEE Access"},
{"key":"ref_3","doi-asserted-by":"crossref","first-page":"190","DOI":"10.1016\/j.jss.2016.02.047","article-title":"Rapid quality assurance with requirements smells","volume":"123","author":"Femmer","year":"2017","journal-title":"J. Syst. Softw."},
{"key":"ref_4","doi-asserted-by":"crossref","first-page":"102333","DOI":"10.1016\/j.inffus.2024.102333","article-title":"MamlFormer: Priori-experience guiding transformer network via manifold adversarial multi-modal learning for laryngeal histopathological grading","volume":"108","author":"Huang","year":"2024","journal-title":"Inf. Fusion"},
{"key":"ref_5","first-page":"1","article-title":"FDTs: A Feature Disentangled Transformer for Interpretable Squamous Cell Carcinoma Grading","volume":"12","author":"Huang","year":"2024","journal-title":"IEEE\/CAA J. Autom. Sin."},
{"key":"ref_6","doi-asserted-by":"crossref","first-page":"3557","DOI":"10.1109\/JBHI.2024.3373438","article-title":"LA-ViT: A Network with Transformers Constrained by Learned-Parameter-Free Attention for Interpretable Grading in a New Laryngeal Histopathology Image Dataset","volume":"28","author":"Huang","year":"2024","journal-title":"IEEE J. Biomed. Health Inform."},
{"key":"ref_7","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3641289","article-title":"A survey on evaluation of large language models","volume":"15","author":"Chang","year":"2024","journal-title":"ACM Trans. Intell. Syst. Technol."},
{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Martinelli, F., Mercaldo, F., Petrillo, L., and Santone, A. (2024, January 19\u201321). Security Policy Generation and Verification through Large Language Models: A Proposal. Proceedings of the Fourteenth ACM Conference on Data and Application Security and Privacy, Porto, Portugal.","DOI":"10.1145\/3626232.3658635"},
{"key":"ref_9","doi-asserted-by":"crossref","first-page":"4853","DOI":"10.1016\/j.procs.2024.09.351","article-title":"A Method for AI-generated sentence detection through Large Language Models","volume":"246","author":"Martinelli","year":"2024","journal-title":"Procedia Comput. Sci."},
{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Sun, X., Li, X., Li, J., Wu, F., Guo, S., Zhang, T., and Wang, G. (2023). Text classification via large language models. arXiv.","DOI":"10.18653\/v1\/2023.findings-emnlp.603"},
{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Petrillo, L., Martinelli, F., Santone, A., and Mercaldo, F. (2024). Toward the Adoption of Explainable Pre-Trained Large Language Models for Classifying Human-Written and AI-Generated Sentences. Electronics, 13.","DOI":"10.3390\/electronics13204057"},
{"key":"ref_12","unstructured":"Kant, N., Puri, R., Yakovenko, N., and Catanzaro, B. (2018). Practical text classification with large pre-trained language models. arXiv."},
{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Dekhtyar, A., and Fong, V. (2017, January 4\u20138). Re data challenge: Requirements identification with word2vec and tensorflow. Proceedings of the 2017 IEEE 25th International Requirements Engineering Conference (RE), Lisbon, Portugal.","DOI":"10.1109\/RE.2017.26"},
{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Kobilica, A., Ayub, M., and Hassine, J. (2020, January 15\u201317). Automated identification of security requirements: A machine learning approach. Proceedings of the 24th International Conference on Evaluation and Assessment in Software Engineering, Trondheim, Norway.","DOI":"10.1145\/3383219.3383288"},
{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Varenov, V., and Gabdrahmanov, A. (2021, January 20\u201324). Security requirements classification into groups using nlp transformers. Proceedings of the 2021 IEEE 29th International Requirements Engineering Conference Workshops (REW), Notre Dame, IN, USA.","DOI":"10.1109\/REW53955.2021.9714713"},
{"key":"ref_16","doi-asserted-by":"crossref","first-page":"107202","DOI":"10.1016\/j.infsof.2023.107202","article-title":"Zero-shot learning for requirements classification: An exploratory study","volume":"159","author":"Alhoshan","year":"2023","journal-title":"Inf. Softw. Technol."},
{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Knauss, E., Houmb, S., Schneider, K., Islam, S., and J\u00fcrjens, J. (2011, January 28\u201330). Supporting requirements engineers in recognising security issues. Proceedings of the Requirements Engineering: Foundation for Software Quality: 17th International Working Conference, REFSQ 2011, Essen, Germany. Proceedings 17.","DOI":"10.1007\/978-3-642-19858-8_2"},
{"key":"ref_18","unstructured":"Devlin, J. (2018). Bert: Pre-training of deep bidirectional transformers for language understanding. arXiv."},
{"key":"ref_19","first-page":"1","article-title":"Exploring the Limits of Transfer Learning with a Unified Text-to-Text Transformer","volume":"21","author":"Raffel","year":"2020","journal-title":"J. Mach. Learn. Res."},
{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Black, S., Gao, L., Wang, P., Leahy, C., and Biderman, S. (2021). Gpt-neo: Large Scale Autoregressive Language Modeling with Mesh-Tensorflow, Zenodo.","DOI":"10.18653\/v1\/2022.bigscience-1.9"},
{"key":"ref_21","unstructured":"Zhang, J., Zhao, Y., Saleh, M., and Liu, P.J. (2019). PEGASUS: Pre-training with Extracted Gap-sentences for Abstractive Summarization. arXiv."},
{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Mercaldo, F., Zhou, X., Huang, P., Martinelli, F., and Santone, A. (2022, January 7\u20139). Machine learning for uterine cervix screening. Proceedings of the 2022 IEEE 22nd International Conference on Bioinformatics and Bioengineering (BIBE), Taichung, Taiwan.","DOI":"10.1109\/BIBE55377.2022.00023"},
{"key":"ref_23","first-page":"15","article-title":"ASI-DBNet: An adaptive sparse interactive resnet-vision transformer dual-branch network for the grading of brain cancer histopathological images","volume":"15","author":"Zhou","year":"2023","journal-title":"Interdiscip. Sci. Comput. Life Sci."},
{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"He, H., Yang, H., Mercaldo, F., Santone, A., and Huang, P. (2024). Isolation Forest-Voting Fusion-Multioutput: A stroke risk classification method based on the multidimensional output of abnormal sample detection. Comput. Methods Programs Biomed., 253.","DOI":"10.1016\/j.cmpb.2024.108255"},
{"key":"ref_25","unstructured":"Sanh, V., Debut, L., Chaumond, J., and Wolf, T. (2019). DistilBERT, a distilled version of BERT: Smaller, faster, cheaper and lighter. arXiv."},
{"key":"ref_26","unstructured":"Liu, Y. (2019). Roberta: A robustly optimized BERT pretraining approach. arXiv."},
{"key":"ref_27","unstructured":"Yang, Z. (2019). XLNet: Generalized Autoregressive Pretraining for Language Understanding. arXiv."},
{"key":"ref_28","first-page":"1","article-title":"Generalizing from a few examples: A survey on few-shot learning","volume":"53","author":"Wang","year":"2020","journal-title":"ACM Comput. Surv. (CSUR)"},
{"key":"ref_29","unstructured":"Tunstall, L., Reimers, N., Jo, U.E.S., Bates, L., Korat, D., Wasserblat, M., and Pereg, O. (2022). Efficient few-shot learning without prompts. arXiv."},
{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Adelani, D.I., Masiak, M., Azime, I.A., Alabi, J., Tonja, A.L., Mwase, C., Ogundepo, O., Dossou, B.F., Oladipo, A., and Nixdorf, D. (2023). Masakhanews: News topic classification for african languages. arXiv.","DOI":"10.18653\/v1\/2023.ijcnlp-main.10"},
{"key":"ref_31","unstructured":"Pannerselvam, K., Rajiakodi, S., Thavareesan, S., Thangasamy, S., and Ponnusamy, K. (2022, January 26). SetFit: A Robust Approach for Offensive Content Detection in Tamil-English Code-Mixed Conversations Using Sentence Transfer Fine-tuning. Proceedings of the Fourth Workshop on Speech, Vision, and Language Technologies for Dravidian Languages, Dublin, Ireland."}],
"container-title":["Future Internet"],"original-title":[],"language":"en",
"link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/17\/1\/15\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],
"deposited":{"date-parts":[[2025,10,8]],"date-time":"2025-10-08T10:22:32Z","timestamp":1759918952000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/17\/1\/15"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,1,3]]},"references-count":31,
"journal-issue":{"issue":"1","published-online":{"date-parts":[[2025,1]]}},"alternative-id":["fi17010015"],"URL":"https:\/\/doi.org\/10.3390\/fi17010015","relation":{},"ISSN":["1999-5903"],"issn-type":[{"value":"1999-5903","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,1,3]]}}}