CICI: UCSS: Enhancing the Usability of Vulnerability Assessment Results for Open-Source Software Technologies in Scientific Cyberinfrastructure: A Deep Learning Perspective

CICI：UCSS：增强科学网络基础设施中开源软件技术漏洞评估结果的可用性：深度学习视角

• 批准号: 2319325
• 负责人: Hsinchun Chen
• 金额: $ 60万
• 依托单位: University of Arizona
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-08-01 至 2026-07-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2319325&HistoricalAwards=false
• 关键词: CICI; UCSS; Enhancing; Usability; Vulnerability

Federally funded scientific cyberinfrastructure (CI) has accelerated ground-breaking scientific discoveries, including black hole imaging, genome sequencing, vaccine discovery, and more. However, the open-source software (OSS) technologies that help facilitate these discoveries often contain thousands of vulnerabilities that, if exploited, could threaten irreplaceable scientific analysis. Since scientific CIs often lack the personnel to manage these vulnerabilities, they increasingly outsource their vulnerability management tasks to third-party Research & Education security providers such as OmniSOC. However, security analysts at these providers often face challenges managing the tens of thousands of vulnerabilities present in OSS assets at CIs. This project scans thousands of scientific CI OSS assets for vulnerabilities and employs novel Artificial Intelligence-enabled analytics to (1) manage OSS asset vulnerabilities in scientific CI and (2) link them to their remediation strategies. Vulnerability scan and analytics results are integrated into a novel Vulnerability Management System that allows security analysts search, sort, browse, and collaborate on vulnerability data and remediation strategies across scientific CIs.This project designs a novel Artificial Intelligence-enabled AZSecure Usable and Collaborative Security for Science Framework that scans for vulnerabilities in four major categories of open-source software (OSS) assets (virtual machines, containers, infrastructure-as-code, and GitHub) across two major NSF-funded scientific cyberinfrastructures (CIs): (1) CyVerse for life sciences and (2) Jetstream, NSF’s first Science and Engineering Cloud for NSF and NIH. The vulnerability scans support three sets of AI-enabled analytics research thrusts to enhance the usability of vulnerability scan results for OmniSOC’s security analysts. The first thrust aggregates OSS asset and vulnerability data into an embedding for vulnerability management tasks through multi-view learning incorporating a vulnerability severity weighting scheme and a novel combinatorial attention mechanism. The second thrust uses self-supervised learning and transformers to link vulnerability scans with remediation strategies by stacking multiple word embeddings and aligning vulnerability severity scores with a novel contrastive loss function. The final thrust develops a Vulnerability Management System that integrates scan results and enables analysts to operate the methods. Project execution includes roles for NSF CyberCorps Scholarship-for-Service graduate students from UArizona (NSA/DHS CD-, R, and CO-designated) and IU (NSA/DHS CD- and- R-designated). Findings are disseminated through academic and industry publications and integrated into the top-ranked MS in Cybersecurity programs at UArizona and IU.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

联邦政府资助的科学网络基础设施 (CI) 加速了突破性的科学发现，包括黑洞成像、基因组测序、疫苗发现等。然而，帮助促进这些发现的开源软件 (OSS) 技术通常包含数千个漏洞。如果被利用，可能会威胁到不可替代的科学分析，因为科学 CI 往往缺乏管理这些漏洞的人员，因此它们越来越多地将漏洞管理任务外包给第三方研究和教育安全提供商，例如 OmniSOC。这些提供商的分析师经常面临管理 CI OSS 资产中存在的数万个漏洞的挑战。该项目扫描了数千个科学 CI OSS 资产中的漏洞，并采用新颖的人工智能分析来 (1) 管理科学中的 OSS 资产漏洞。 CI 和 (2) 将它们链接到其修复策略 漏洞扫描和分析结果被集成到一个新颖的漏洞管理系统中，该系统允许安全分析师搜索、排序、浏览和协作处理漏洞数据和。该项目设计了一种新型的人工智能支持的 AZSecure 可用和协作科学安全框架，可扫描四大类开源软件 (OSS) 资产（虚拟机、容器、基础设施即服务）中的漏洞代码和 GitHub）跨越 NSF 资助的两个主要科学网络基础设施 (CI)：(1) 用于生命科学的 CyVerse 和 (2) NSF 的第一个 Jetstream NSF 和 NIH 的科学与工程云。漏洞扫描支持三组人工智能分析研究重点，以增强 OmniSOC 安全分析师的漏洞扫描结果的可用性。第一个重点将 OSS 资产和漏洞数据聚合到漏洞管理的嵌入中。第二个重点是通过多视图学习结合漏洞严重性加权方案和新颖的组合注意机制来执行任务，使用自我监督学习和变压器通过堆叠多个单词将漏洞扫描与修复策略联系起来。最后的重点是开发一个漏洞管理系统，该系统集成了扫描结果，并使分析人员能够操作这些方法，其中包括来自亚利桑那州的 NSF Cyber​​Corps 奖学金研究生的角色。 NSA/DHS CD-、R 和 CO-指定）和 IU（NSA/DHS CD-和-R-指定）调查结果通过学术和行业出版物传播并纳入亚利桑那大学和印第安纳大学的网络安全项目排名第一的硕士学位。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力价值和更广泛的影响审查标准进行评估，被认为值得支持。