CICI: UCSS: Enhancing the Usability of Vulnerability Assessment Results for Open-Source Software Technologies in Scientific Cyberinfrastructure: A Deep Learning Perspective

CICI：UCSS：增强科学网络基础设施中开源软件技术漏洞评估结果的可用性：深度学习视角

• 批准号: 2319325
• 负责人: Hsinchun Chen
• 金额: $ 60万
• 依托单位: University of Arizona
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-08-01 至 2026-07-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2319325&HistoricalAwards=false
• 关键词: CICI; UCSS; Enhancing; Usability; Vulnerability

Federally funded scientific cyberinfrastructure (CI) has accelerated ground-breaking scientific discoveries, including black hole imaging, genome sequencing, vaccine discovery, and more. However, the open-source software (OSS) technologies that help facilitate these discoveries often contain thousands of vulnerabilities that, if exploited, could threaten irreplaceable scientific analysis. Since scientific CIs often lack the personnel to manage these vulnerabilities, they increasingly outsource their vulnerability management tasks to third-party Research & Education security providers such as OmniSOC. However, security analysts at these providers often face challenges managing the tens of thousands of vulnerabilities present in OSS assets at CIs. This project scans thousands of scientific CI OSS assets for vulnerabilities and employs novel Artificial Intelligence-enabled analytics to (1) manage OSS asset vulnerabilities in scientific CI and (2) link them to their remediation strategies. Vulnerability scan and analytics results are integrated into a novel Vulnerability Management System that allows security analysts search, sort, browse, and collaborate on vulnerability data and remediation strategies across scientific CIs.This project designs a novel Artificial Intelligence-enabled AZSecure Usable and Collaborative Security for Science Framework that scans for vulnerabilities in four major categories of open-source software (OSS) assets (virtual machines, containers, infrastructure-as-code, and GitHub) across two major NSF-funded scientific cyberinfrastructures (CIs): (1) CyVerse for life sciences and (2) Jetstream, NSF’s first Science and Engineering Cloud for NSF and NIH. The vulnerability scans support three sets of AI-enabled analytics research thrusts to enhance the usability of vulnerability scan results for OmniSOC’s security analysts. The first thrust aggregates OSS asset and vulnerability data into an embedding for vulnerability management tasks through multi-view learning incorporating a vulnerability severity weighting scheme and a novel combinatorial attention mechanism. The second thrust uses self-supervised learning and transformers to link vulnerability scans with remediation strategies by stacking multiple word embeddings and aligning vulnerability severity scores with a novel contrastive loss function. The final thrust develops a Vulnerability Management System that integrates scan results and enables analysts to operate the methods. Project execution includes roles for NSF CyberCorps Scholarship-for-Service graduate students from UArizona (NSA/DHS CD-, R, and CO-designated) and IU (NSA/DHS CD- and- R-designated). Findings are disseminated through academic and industry publications and integrated into the top-ranked MS in Cybersecurity programs at UArizona and IU.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

联邦政府资助的科学网络基础设施（CI）加速了突破性的科学发现，包括黑洞成像，基因组测序，疫苗发现等。然而，有助于促进这些发现的开源软件（OSS）技术往往包含数千个漏洞，如果被利用，可能会威胁到不可替代的科学分析。由于科学CI通常缺乏管理这些漏洞的人员，他们越来越多地将漏洞管理任务外包给第三方研究教育安全提供商，如OmniSOC。然而，这些提供商的安全分析师经常面临管理CI的OSS资产中存在的数万个漏洞的挑战。该项目扫描数千个科学CI OSS资产的漏洞，并采用新颖的人工智能分析来（1）管理科学CI中的OSS资产漏洞，以及（2）将其与补救策略联系起来。漏洞扫描和分析结果被集成到一个新的漏洞管理系统中，该系统允许安全分析人员在科学CI中搜索、排序、浏览和协作漏洞数据和补救策略。该项目设计了一个新的支持人工智能的AZSecure Usable和Collaborative Security for Science Framework，该框架扫描四大类开源软件（OSS）资产中的漏洞（虚拟机，容器，基础设施即代码和GitHub）在两个主要的NSF资助的科学网络基础设施（CI）：（1）CyVerse生命科学和（2）Jetstream，NSF的第一个科学和工程云NSF和NIH。漏洞扫描支持三组支持AI的分析研究，以增强OmniSOC安全分析师漏洞扫描结果的可用性。第一个推力聚合OSS资产和脆弱性数据到一个嵌入的脆弱性管理任务，通过多视图学习纳入脆弱性严重性加权方案和一种新的组合注意力机制。第二个推力使用自监督学习和transformers，通过堆叠多个单词嵌入并将漏洞严重性分数与新的对比损失函数相匹配，将漏洞扫描与补救策略联系起来。最后的推力开发了一个漏洞管理系统，整合扫描结果，使分析师能够操作的方法。项目执行包括从UArizona（NSA/DHS CD-，R和CO指定）和IU（NSA/DHS CD-和-R指定）的NSF CyberCorps奖学金服务研究生的角色。研究结果通过学术和行业出版物传播，并被整合到UArizona和IU的网络安全计划中排名第一的MS中。该奖项反映了NSF的法定使命，并被认为值得通过使用基金会的知识价值和更广泛的影响审查标准进行评估来支持。