Exposure to cyber threats has put worldwide pressure on organizations to comply with cyber security standards and policies in order to protect their digital assets. Vulnerability assessment (VA) and penetration testing (PT) are widely adopted security compliance (SC) methods for identifying security gaps and anticipating security breaches. In the context of computer networks, and despite the use of autonomous tools and systems, security compliance remains highly repetitive and resource-consuming. In this paper, we propose a novel method to tackle the ever-growing problem of efficiency and effectiveness in network infrastructure security auditing by formally introducing, designing, and developing an Expert-System Automated Security Compliance Framework (ESASCF). ESASCF enables industrial and open-source VA and PT tools and systems to extract, process, store, and re-use expertise in the way a human expert would, so that it can be applied directly in similar scenarios or during periodic re-testing. The implemented model was integrated within the ESASCF and tested on networks of different sizes, where it proved efficient in terms of both time and testing effectiveness. This allows ESASCF to take over SC autonomously during re-testing and to offload the expert by automating repeated SC segments, enabling experts to prioritize important tasks in ad-hoc compliance tests. The obtained results validate the performance enhancement, notably by cutting the time required from an expert to 50% in the first SC of typical corporate networks and to 20% in re-testing, which represents a significant cost saving. In addition, the framework has a long-term impact through knowledge extraction, generalization, and re-utilization, which gives better SC confidence independent of the human expert's skills, coverage, and wrong decisions that would otherwise result in impactful false negatives.