ABSTRACT. In the realm of software security, vulnerabilities in software programs can remain undetected for long even after attackers exploit them. Thus, associating attacks to vulnerabilities would help security experts to promptly identify them and respond to the incident. This paper introduces VULDAT, a classification tool that utilizes MPNET, a sentence transformer, to automatically identify system vulnerabilities from the description of attack techniques. We applied VULDAT to 100 attack techniques collected from the MITRE ATT&CK repository and 685 issues of the MITRE CVE repository. Then, we compare the performance and accuracy of VULDAT against the other eight SOTA classifiers based on sentence transformers. Our findings indicate that VULDAT achieves the best F1 score of 0.85, Precision of 0.86, and Recall of 0.83. Furthermore, we found that the vulnerabilities in the CVE repository and associated to an attack include on average 56% of the vulnerabilities identified by VULDAT and vice-versa, the vulnerabilities detected by VULDAT for an attack include on average 61% of the vulnerabilities of the CVE repository. Thus, VULDAT is able to associate attack techniques with vulnerabilities, enhance the detection and response to software security incidents, and thereby contribute to more secure software systems.

ABSTRACT. Nowadays, threat reports reported by cybersecurity vendors incorporate detailed descriptions of attacks within unstructured text. Knowing vulnerabilities that are related to these reports helps cybersecurity researchers and practitioners understand and adjust to evolving attacks and develop mitigation plans for them. This paper aims to aid cybersecurity researchers and practitioners in choosing attack extraction methods to enhance the monitoring and sharing of threat intelligence. In this work, we examine five existing extraction methods and find that Term Frequency-Inverse Document Frequency (TFIDF) outperforms the other four methods with a precision of 75% and an F1 score of 64%. We obtain that when we increase the class labels, all methods perform worse regarding F1 score drops. The findings offer valuable insights to the cybersecurity community, and our research can aid cybersecurity researchers in evaluating and comparing the effectiveness of upcoming extraction methods.

ABSTRACT. Polymorphism is a foundational concept within the object-oriented paradigm and is a feature of any mainstream object-oriented language that supports reusability and abstraction in software designs. With fUML being a standard specification of execution semantics of UML activity diagrams, it defines functionalities to simulate polymorphic behavior within such model executions. fUML only provides a simple standard implementation for simulating dynamic polymorphism at runtime. This default implementation does not meet the criteria of polymorphism as it is well-known and established by most mainstream object-oriented programming languages over the last decades, nor does it comply with the constraints for method overriding imposed by the original UML specification. However, fUML offers extension capabilities to add user-defined behavior for semantic variation points like polymorphism handling. This paper presents an extension of fUML execution semantics, enabling refined and more sophisticated simulation of polymorphism for executable UML models to comply with UML and the general understanding and functioning principles of polymorphic behavior within the object-oriented paradigm.

ABSTRACT. Digital twins (DTs) encapsulate the concept of a real-world entity (RE) and corresponding bidirectionally connected virtual one (VE) mimicking certain aspects of the former facilitating various use-cases such as predictive maintenance. DTs typically encompass various models that are often developed by experts from different domains using diverse tools. To maintain consistency among these models and ensure the continued functioning of the system, effective identification of any consistency issues and addressing them whenever necessary is imperative. In this paper, we investigate the concept of consistency management and propose a consistency management framework that addresses various characteristics of DT models. Subsequently, we present two case-studies that implement the proposed framework with graph-based techniques. Taking into account both case-studies, we argue that the graph-based approaches have significant potential and invite further exploration.

ABSTRACT. Requirement conflicts commonly occur in software development, especially for complex systems that involve many requirements. Resolving these conflicts can be very time-consuming and costly. Moreover, due to the contextual nature of requirements conflicts, resolution strategies are needed that can be tailored to a specific conflict and its context. Currently, there is a lack of research on what categories of conflicts exist and how practitioners manage these conflicts. To enable more adaptive resolution strategies, the aim of this research is to map what types of requirement conflicts are encountered and how they are managed in practice. Through an interview study with eleven participants from seven companies in six domains, we identified three levels of conflict types that connect to four types of causes. These types and causes revealed two main dimensions that impact conflict management. One dimension is related to the nature of the conflict, either technical or social, and the other dimension is related to the nature of the requirement scope, which is either too constraining or too undefined resulting in stakeholders making assumptions that create conflicts. We found that these two dimensions impact what conflict resolution strategies are most commonly used for different types of conflicts.

ABSTRACT. Scaling agile approaches in large company context is prone to technical debt due to large number of teams of different size, level of expertise and their need for management and communication. The goal of this study is to investigate the phenomenon of non-technical debt related issues in the context of large-scale agile software development. To achieve this goal, eleven experts from two multinational companies were interviewed as part of the the case study. The analysis results revealed four non-technical aspects of technical debt that are present in large-scale agile context. These are people, social, documentation and process debt aspects. Furthermore, the findings suggest that lack of communication, collaboration and cooperation are the key contributors to identified debt aspects, and that many of the causes for debts are stemming from a culture of not developing rules, protocols, or guidelines. Implementing ground rules to improve quality seems to mitigate several of the identified debt types.

ABSTRACT. Software sustainability is becoming critical due to the increased use of software systems. Despite gaining attention from researchers over the last decade, there remains no consensus within the software engineering community on how to approach sustainability. We believe that this confusion arises from an ambiguity regarding the integration of sustainability into the software development process, with many suggesting its consideration as a component of software quality. In this paper, we advocate for a shift in perspective, emphasizing the importance of considering the development process of software systems. We propose that sustainability should be the starting point and cornerstone of software development.

ABSTRACT. Sustainability has become a significant concern in software systems like websites, driven by their increasing adoption and environmental impact. As website usage grows, so does their energy consumption and carbon footprint, affecting their environmental sustainability. Usability is crucial for websites where user engagement is high. Understanding the relationship between usability and environmental sustainability is essential for designing websites that meet user needs while minimizing environmental impact. This paper examines this relationship, focusing on popular sports websites due to their substantial internet traffic. We evaluated ten English-language sports websites for their environmental sustainability and usability using Nielsen's 10 usability heuristics. Our assessment considered factors such as Ecological Accommodation, Content, Operation, Multimedia, and HTTP Requests. The findings reveal a strong negative correlation between usability and sustainability, suggesting that improvements in usability may increase environmental impact and vice versa. This study's insights can inform website developers and policymakers in creating digital platforms that are both usable and environmentally sustainable.

ABSTRACT. In the future, technical systems, e.g., cyber-physical systems, will increasingly become adaptive to changing contexts. However, programming context-adaptive systems is challenging. The context-specific behavior must be specified and when which context is active. Common general-purpose object-oriented languages require encoding the context-specific behavior in if-cascades. Standard polymorphism is insufficient to express object's changing behavior in different contexts because the complexity rises with the combinatorial explosion of the multi-dimensional context space. Moreover, specifying when contexts are active has to be implemented as part of the application logic. In conclusion, there are two problems: the definition of context-specific behavior and the management of context changes. In this paper, we present a framework for the Julia programming language to develop context-adaptive systems. The framework also enables context-adaptive equation-based modeling. For context management, Petri nets are utilized. Julia was chosen for the implementation due to its simulation ecosystem, rich metaprogramming, and multiple dispatch, which enables precise specification of behavioral variants. We evaluate our approach by using two case studies. The first scenario is a smart home control application. The second example shows how our framework can be used together with equation-based modeling for simulation.

ABSTRACT. Testing and validating cyber-physical systems (CPSs) in the Aerospace domain, such as field testing of drone rescue missions, poses several challenges due to volatile mission environments, such as weather conditions. While testing processes and methodologies are well established, structured guidance and execution support for field tests are still weak. This paper identifies requirements for field testing of drone missions, and introduces the Field Testing Scenario Management (FiTS) approach for adaptive field testing guidance. FiTS aims to provide sufficient guidance for field testers as a foundation for efficient data collection to facilitate quality assurance and iterative improvement of field tests and CPSs. FiTS shall leverage concepts from scenario-based requirements engineering and Behavior-Driven Development to define structured and reusable test scenarios, with dedicated tasks and responsibilities for role-specific guidance. We evaluate FiTS by (i) applying it to three use cases for a search-and-rescue drone application to demonstrate feasibility and (ii) interviews with experienced drone developers to assess its usefulness and collect further requirements. The study results indicate FiTS to be feasible and useful to facilitate drone field testing and data analysis

ABSTRACT. Nowadays, Cyber-Physical Systems (CPS), particularly drones, play a pivotal role in environmental research. Scientists depend on these platforms to monitor various sensor data and ensure comprehensive data archiving. However, despite their advantages, researchers encounter several challenges, including communication limitations and the complexity of setting up systems tailored to their needs. To address these issues, we propose MoDD, a model-driven data collection framework based on a customized publish/subscribe model. MoDD simplifies the development and configuration of data collection systems. It offers scientists a solution that meets their specific needs, allowing them to focus on high-level requirements while the framework manages the underlying complexities. We demonstrate the effectiveness of MoDD through practical evaluations on an actual Unmanned Surface Vehicle. Additionally, results show a 75% reduction in throughput (drone to base station link) compared to existing publish/subscribe systems.

ABSTRACT. In the realm of Autonomous Systems, the absence of direct human oversight introduces novel challenges as these systems start forming complex relationships. The emergent dynamics raise concerns regarding the fair distribution of resources and the promotion of altruistic behavior, which are traditionally moderated by human intervention. This paper envisions an innovative approach that integrates the monetization of acts of generosity in autonomous ecosystems to foster benevolent actions among autonomous agents and, therefore, promote the fairness of the ecosystem as a whole.

ABSTRACT. Software containers have emerged as solutions for developing and deploying software applications. Despite the popularity and portability of containers, there is significant concern about container security, which hinders their adoption. Recent research has made efforts to investigate container security theoretically and experimentally. Meanwhile, software practitioners have also developed practices to improve and maintain container security based on their work experience. However, a notable gap exists in expressing practitioners’ viewpoints on container security. Consequently, this study aims to understand practitioners’ perceptions of container security and their management strategies in real-world projects. We conducted semi- structured interviews with practitioners across various domains to explore their opinions on container security issues, causes,implications, tools, and practices. Our data analysis reveals emergent patterns in handling container security in real projects. These patterns are presented as a model that highlights the relationships between the major themes and how they affect each other. Our findings reveal that containers offer many advantages to software systems but face challenges in maintaining security. Finally, this research attempts to bridge the knowledge gap between academia and industry by providing a comprehensive understanding of container security issues as perceived by the practitioners and their interrelationships.

ABSTRACT. Currently, the IT market is promoting the use of cloud resources to build solutions using machine learning. Some projects require full independence from external resources, mainly due to the volatility of prices for renting computing power and services provided by the cloud. The paper presents the creation process of scalable "on-premise" environment enabling the construction and development of artificial intelligence systems in the field of natural language processing. The proposed approach was based on aspects related to containerization, scalability, and automation of the machine learning process. Therefore, the created "on-premise" environment can be used in the implementation and delivery of systems based on artificial intelligence.

ABSTRACT. With the dynamic nature of modern software development and operations environments and the increasing complexity of cloud-based software systems, traditional monitoring practices are often insufficient to timely identify and handle unexpected operational failures. To address these challenges, this paper presents the findings from a quantitative industry survey focused on the application of Machine Learning (ML) to enhance software monitoring and alert management strategies. The survey targets industry professionals, aiming to understand the current challenges and future trends in ML-driven software monitoring. We analyze 25 responses from 11 different software companies to conclude if and how ML is being integrated into their monitoring systems. Key findings revealed a growing but still limited reliance on ML to intelligently filter raw monitoring data, prioritize issues, and respond to system alerts, thereby improving operational efficiency and system reliability. The paper also discusses the barriers to adopting ML-based solutions and provides insights into the future direction of software monitoring.

ABSTRACT. When seeking to enhance reuse, industrial enterprises delivering complex electro-mechanical products to large global customers face various technical challenges in their engineering practice. Many challenges are due to the many-faceted and rich variability that naturally arises in such a context. We focus our attention on the requirements engineering process. This paper presents the results from a case study investigating reuse potential by analyzing legacy use cases and scenarios data for six selected railway vehicle products for customers in three product segments and on two main markets. Through our analysis, fifteen scenario clusters were identified, covering 74\% of all scenarios in the products. We also found a significant overlap between products in 13 of the clusters and a considerable variation in the degrees of overlap in the clusters. We initially anticipated that this overlap would align with the product segments, but our results suggest otherwise.

ABSTRACT. Robotic Process Automation (RPA) uses automation technologies to imitate business tasks performed by humans. Digital Automation Platforms are extremely useful services that enable developers to connect applications and automate workflows and Workflow Automation Tools (WATs) offer tremendous advantages in orchestrating tasks and services. Even if the workflow composition in WATs is offered in a low-code fashion, the unsupervised and autonomous execution of the tasks and transactions between various software systems are performed even if they are completely unrelated. For this reason, building workflows and optimizing them can be a difficult and time-consuming task. Since the workflow orchestrates external systems, we cannot assure that the execution will not fail, or that unexpected problems will arise during the evolution of the orchestrated systems. In this paper, we investigate these challenges and open issues related to unsupervised workflow declarations, and we envisage a general approach to assist the workflow definition.

ABSTRACT. Domain-specific languages (DSLs) play a crucial role in facilitating a wide range of software development activities in the context of model-driven engineering (MDE). However, there exists a significant gap in the systematic understanding of how DSLs evolve over time, which could hamper the development of effective methodologies and tools. To address this gap, we performed a comprehensive investigation into the development and evolution of textual DSLs created with Xtext, a particularly widely used language workbench in the MDE community. Through a systematic analysis of 1002 GitHub repositories, we explore DSL development practices with an emphasis on the involved artifact types, development scenarios, evolution activities, and the co-evolution of related artifacts. We find that the majority of analyzed languages were developed following a grammar-driven approach, although a notable number adopt a metamodel-driven approach. Additionally, we identify a trend of retrofitting existing languages in Xtext, illustrating the framework's flexibility beyond the creation of new DSLs. Addressing a need for large and systematically documented datasets in the model-driven engineering community, we contribute a dataset of our considered repositories together with our collected meta-information, which can be used to inform the development of improved tools for supporting the development and evolution of DSLs.

ABSTRACT. Behavioral programming is a paradigm that allows to develop software based on scenarios and use cases. Behavior is implemented in asynchronous threads (\textit{b-threads}) that run concurrently with each other and use event-based mechanisms to communicate and effect the overall system state. While the approach enables a natural and incremental development process, with a growing number of threads it gets increasingly harder to comprehend the system's state changes. In this paper, we address this problem with a debugger for behavioral programs. The Debugger increases program comprehension by providing a clear overview of the system state as well as debugging-specific control capabilities such as breakpoints and advanced techniques like time-traveling and trace-comparison. For this, we utilize a runtime model of the system's state that is causally connected to the running system. We evaluate our approach using two case studies from literature.

ABSTRACT. Modern Cyber-Physical Systems (CPS) often involve dependent real-time processes bound to different timing constraints. These CPSs can be modeled using PolyGraph, a formalism that extends the Cyclo-Static Dataflow model with explicit real-time constraints. Unlike traditional real-time approaches where timing constraints are specified for every process, PolyGraph can offer greater flexibility by binding real-time constraints for only a subset of processes (e.g., processes associated with hardware components such as sensors and actuators), along with end-to-end latency specifications. In that case, processes without specified timing constraints only inherit ones from processes with explicit and specified timing constraints due to data dependencies. This paper aims to formalize a method to derive timing constraints for an entire PolyGraph model where only a subset of processes has explicit timing constraints in the model. We demonstrate how this approach eases scheduling constraints and enables early detection of missed deadlines through two examples from a vehicle ADAS and the Ingenuity Mars helicopter.

ABSTRACT. Modern industrial systems, characterized by distributed and fragmented equipment, present challenges due to their inherent heterogeneity and complexity. This should not impact the stakeholders business logic, who are more concerned with the information itself rather than how it is collected or processed. Recently, Digital Twins --- software copies of physical assets and systems --- emerged as a pivotal strategy to bridge the cyber-physical worlds into an effective digital layer decoupling applications from the management and interaction with physical assets. Fostering this vision, we propose a structured industrial DT ecosystem exploiting twins relationships and hierarchies to build a digitalized replica of the whole manufacturing system structure enabling a simplified navigation and interaction with the physical world and the data it generates. To support the depicted visions, a fully functioning prototype has been implemented and evaluated in a experimental scenario.

ABSTRACT. Symbolic regression has shown potential in the identification of physical systems. Hybrid systems, which combine both continuous and discrete behavior, are a relevant extension of purely physical systems, used in many fields, including robotics, biological systems, and control systems. However, due to their complexity, finding an accurate model is a challenge. This paper presents a novel approach to learning models of hybrid systems using symbolic regression. Our method leverages the power of genetic programming to automatically discover accurate and interpretable mathematical models in the form of hybrid systems from observed data. Symbolic regression detects transitions between different continuous behavior of a system directly based on the dynamics, instead of simply visual similarities of observed trajectories. Furthermore, models generated by symbolic regression can be used to predict future system behavior, detect anomalies, and identify the underlying dynamics of the system while providing a human-readable representation. Our results demonstrate that symbolic regression can effectively identify the underlying dynamics of a real system represented in a hybrid model, providing a valuable tool for system identification and diagnosis.