CICI: SSC: SciTrust: Enhancing Security for Modern Software Programming Cyberinfrastructure

CICI：SSC：SciTrust：增强现代软件编程网络基础设施的安全性

• 批准号: 1839909
• 负责人: Yanfang Ye
• 金额: $ 64.92万
• 依托单位: West Virginia University Research Corporation
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-10-01 至 2019-10-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1839909&HistoricalAwards=false
• 关键词: CICI; SSC; SciTrust; Enhancing; Security

Software plays a vital role supporting scientific communities. Modern software programming cyberinfrastructure (CI), consisting of online discussion platforms (such as Stack Overflow) and social coding repositories (such as Github), offers an open-source and collaborative environment for distributed scientific communities to expedite the process of software development. Within the ecosystem, researchers and developers can reuse code snippets and libraries, or adapt existing ready-to-use software to solve their own problems. Despite the apparent benefits of this new social coding paradigm, its potential security-related risks have been largely overlooked; insecure or malicious codes could be easily embedded and distributed, which could severely damage the scientific credibility of CI. Therefore, there is an urgent need for developing scalable techniques and tools to automatically detect these open-source insecure or malicious codes. To address this issue, this proposed project seeks to explore innovative links between Artificial Intelligence (AI) and cybersecurity to enhance the security of modern software programming CI. The key components of the proposed research are three-fold: (1) a novel AI-based solution (iTrustSO) utilizing social coding properties is developed to automatically identify suspicious insecure code snippets on Stack Overflow; (2) a cross-platform model is constructed to represent the complex interplay between GitHub and Stack Overflow; deep learning techniques are then utilized to build a predictive model (iTrustGH) for automatic detection of malicious codes on GitHub; and (3) a user-friendly tool (SciTrust) is developed to enhance code security for software development. The broader impacts of this work include benefits to scientific communities and the whole society by promoting the efficiency of cyber-enabled software development without sacrificing the security. The establishment of a Cybersecurity Lab through this project enhances the education and workforce training in cybersecurity. The project integrates research with education through curriculum development and student mentoring activities for the newly-established cybersecurity degree program. It is also expected to increase the participation of underrepresented groups including minority and women.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

软件在支持科学界方面发挥着至关重要的作用。现代软件编程网络基础设施（CI）由在线讨论平台（如Stack Overflow）和社交编码库（如Github）组成，为分布式科学社区提供了一个开源和协作环境，以加快软件开发过程。在这个生态系统中，研究人员和开发人员可以重用代码片段和库，或者调整现有的即用型软件来解决他们自己的问题。尽管这种新的社会编码范式有明显的好处，但其潜在的安全相关风险在很大程度上被忽视了;不安全或恶意代码可以很容易地嵌入和分发，这可能严重损害CI的科学可信度。因此，迫切需要开发可扩展的技术和工具来自动检测这些开源的不安全或恶意代码。为了解决这个问题，这个拟议的项目旨在探索人工智能（AI）和网络安全之间的创新联系，以提高现代软件编程CI的安全性。所提出的研究的关键组成部分有三个方面：（1）一种新的基于AI的解决方案（2）构建了一个跨平台模型来描述GitHub和Stack Overflow之间复杂的交互关系;然后利用深度学习技术构建预测模型（iTrustGH），用于自动检测GitHub上的恶意代码;（3）开发用户友好的工具（SciTrust），以增强软件开发的代码安全性。这项工作的更广泛的影响包括通过提高网络软件开发的效率而不牺牲安全性，为科学界和整个社会带来好处。通过该项目建立的网络安全实验室加强了网络安全方面的教育和劳动力培训。该项目通过新设立的网络安全学位课程的课程开发和学生辅导活动将研究与教育相结合。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

ICSD: An Automatic System for Insecure Code Snippet Detection in Stack Overflow over Heterogeneous Information Network

• DOI: 10.1145/3274694.3274742
• 发表时间: 2018-12
• 期刊: Proceedings of the 34th Annual Computer Security Applications Conference
• 作者: Yanfang Ye;Shifu Hou;Lingwei Chen;X. Li;Liang Zhao;Shouhuai Xu;Jiabin Wang;Qi Xiong

Enhancing Robustness of Deep Neural Networks against Adversarial Malware Samples: Principles, Framework, and Application to AICS’2019 Challenge

增强深度神经网络针对对抗性恶意软件样本的鲁棒性：原则、框架和 AICS 2019 挑战赛的应用

• 发表时间: 2019
• 作者: Li, Deqiang;Li, Qianmu;Ye, Yanfang;Xu, Shouhuai
• 通讯作者: Xu, Shouhuai

KADetector: Automatic Identification of Key Actors in Online Hack Forums Based on Structured Heterogeneous Information Network

• DOI: 10.1109/icbk.2018.00028
• 发表时间: 2018-11
• 期刊: 2018 IEEE International Conference on Big Knowledge (ICBK)
• 作者: Yiming Zhang;Yujie Fan;Yanfang Ye;Liang Zhao;Jiabin Wang;Qi Xiong;Fudong Shao

iDev: Enhancing Social Coding Security by Cross-platform User Identification Between GitHub and Stack Overflow

• DOI: 10.24963/ijcai.2019/315
• 发表时间: 2019-08
• 期刊: Int. J. Pattern Recognit. Artif. Intell.
• 作者: Yujie Fan;Yiming Zhang;Shifu Hou;Lingwei Chen;Yanfang Ye;C. Shi;Liang Zhao;Shouhuai Xu

Your Style Your Identity: Leveraging Writing and Photography Styles for Drug Trafficker Identification in Darknet Markets over Attributed Heterogeneous Information Network

• DOI: 10.1145/3308558.3313537
• 发表时间: 2019-05
• 期刊: The World Wide Web Conference
• 作者: Yiming Zhang;Yujie Fan;Wei Song;Shifu Hou;Yanfang Ye;X. Li;Liang Zhao;C. Shi;Jiabin Wang;Qi Xiong