Latest papers from the 2022 IEEE 29th Annual Software Technology Conference (STC)

Experience-Based Guidelines for Effective Planning & Management of Software Integration & Test Activities in the Agile/DevSecOps Environment
Pub Date : 2022-10-01 DOI: 10.1109/stc55697.2022.00028
Emily Arseneault, D. Boudreau, Jarred Lien, Gregory Young
Agile teams need to be ready to fail and try again. The Integration and Test (I&T) team is integral to this process because they provide the benchmarks against which DevSecOps development teams measure their work products. The integration process for Agile features must be flexible enough to handle changing schedules and requirements, while continuing to drive the program teams toward the ultimate goal of a successful program sell-off activity. Throughout the life of the contract the I&T team must continually integrate new features; work with the hardware & software teams to ensure product quality is preserved; and regression test the system at each software build release to ensure product stability. As the defense industry continues maturing its applications of the Agile and DevSecOps philosophies, this family of I&T activities must be defined, managed, and executed within these frameworks. This presentation discusses in detail the integration of new features activity in I&T. Provided are practical, proven, experience-based guidelines for planning and managing this effort in the Agile framework. These guidelines derive from the successful integration of new capabilities into an unclassified foreign system, on a program employing DevSecOps. Information presented in this lecture is recommended to individuals interested in, or tasked with, this responsibility.
Citations: 0
Implementing a Communication Network between Bases Station applied for Group of Drones
Pub Date : 2022-10-01 DOI: 10.1109/STC55697.2022.00025
Julio Opolski Netto, Robison Cris Brito, F. Favarim, Luis Felipe Priester, E. Todt
The use of Unmanned Aerial Vehicles (UAVs) has been shown to be increasingly frequent for a diversity of applications, mainly in agriculture. The mapping of large areas for analysis purposes is common and it is considered a challenge due to the short range of the UAVs. The utilization of base stations for drone recharge and for obtaining important information is a relevant proposal. This paper features a low energy cost long range communication system between base stations. Using Internet of Things (IoT) concepts and the possibility of utilizing a diversity of communication protocols in just a single device, this paper shows the integration between microcontroller, server and operator interface. The developed system is capable of identifying a drone that just landed in a base station through RFID technology, and sending this and other information in real time through the command line “gateway” to the server using LoRa technology and Message Queuing Telemetry (MQTT) protocol.
Citations: 0
Automated Extraction of Software Names from Vulnerability Reports using LSTM and Expert System
Pub Date : 2022-10-01 DOI: 10.1109/STC55697.2022.00024
Igor Khokhlov, A. Okutan, Ryan Bryla, Steven Simmons, Mehdi Mirakhorli
Software vulnerabilities are closely monitored by the security community to timely address the security and privacy issues in software systems. Before a vulnerability is published by vulnerability management systems, it needs to be characterized to highlight its unique attributes, including affected software products and versions, to help security professionals prioritize their patches. Associating product names and versions with disclosed vulnerabilities may require a labor-intensive process that may delay their publication and fix, and thereby give attackers more time to exploit them. This work proposes a machine learning method to extract software product names and versions from unstructured CVE descriptions automatically. It uses Word2Vec and Char2Vec models to create context-aware features from CVE descriptions and uses these features to train a Named Entity Recognition (NER) model using bidirectional Long short-term memory (LSTM) networks. Based on the attributes of the product names and versions in previously published CVE descriptions, we created a set of Expert System (ES) rules to refine the predictions of the NER model and improve the performance of the developed method. Experiment results on real-life CVE examples indicate that using the trained NER model and the set of ES rules, software names and versions in unstructured CVE descriptions could be identified with F-Measure values above 0.95.
Citations: 0
Continuous Documentation: Automating Document Preparation with your DevSecOps Pipeline
Pub Date : 2022-10-01 DOI: 10.1109/STC55697.2022.00029
Bill Andel
End item deliveries to government customers are usually accompanied by a multitude of required documents, typically in print-ready formats such as Microsoft Word or Adobe Portable Document Format (PDF). Preparing these documents requires tedious manual collation and re-formatting of data from a multitude of data sources, which takes a significant amount of labor, is error-prone, and incurs lengthy review and approval cycles. How can we modernize our document preparation to support continuous release and delivery? Continuous Documentation (CDoc)! By leveraging the Authoritative Sources of Truth (ASOTs) for data already within our DevSecOps pipelines, we can extend the concept of “Documents as Code” (DaC) to reliably and repeatably automate document preparation using a suite of Free and Open-Source Software (FOSS) tools. Continuous Documentation ensures documents are ready for delivery and release in the print-ready formats customers expect at the same time as the software they accompany.
Citations: 1
Zero Trust Validation: from Practice to Theory: An empirical research project to improve Zero Trust implementations
Pub Date : 2022-10-01 DOI: 10.1109/STC55697.2022.00021
Y. Bobbert, J. Scheerder
How can high-level directives concerning risk, cybersecurity and compliance be operationalized in the central nervous system of any organization above a certain complexity? How can the effectiveness of technological solutions for security be proven and measured, and how can this technology be aligned with the governance and financial goals at the board level? These are the essential questions for any CEO, CIO or CISO that is concerned with the wellbeing of the firm. The concept of Zero Trust (ZT) approaches information and cybersecurity from the perspective of the asset to be protected, and from the value that asset represents. Zero Trust has been around for quite some time. Most professionals associate Zero Trust with a particular architectural approach to cybersecurity, involving concepts such as segments, resources that are accessed in a secure manner and the maxim “always verify never trust”. This paper describes the current state of the art in Zero Trust usage. We investigate the limitations of current approaches and how these are addressed in the form of Critical Success Factors in the Zero Trust Framework developed by ON2IT ‘Zero Trust Innovators’ (1). Furthermore, this paper describes the design and engineering of a Zero Trust artefact that addresses the problems at hand (2), according to Design Science Research (DSR). The last part of this paper outlines the setup of an empirical validation through practitioner-oriented research, in order to gain a broader acceptance and implementation of Zero Trust strategies (3). The final result is a proposed framework and associated technology which, via Zero Trust principles, addresses multiple layers of the organization to grasp and align cybersecurity risks and understand the readiness and fitness of the organization and its measures to counter cybersecurity risks.
Citations: 2
Neural Model for Generating Method Names from Combined Contexts
Pub Date : 2022-10-01 DOI: 10.1109/STC55697.2022.00009
Zane Varner, Çerağ Oğuztüzün, Feng Long
The names given to methods within a software system are critical to the success of both software development and maintenance. Meaningful and concise method names save developers both time and effort when attempting to understand and use the code. Our study focuses on learning concise and meaningful method names from word tokens found within the contexts of a method, including the method documentation, input parameters, return type, method body, and enclosing class. Combining the approaches of previous studies, we constructed both an RNN encoder-decoder model with attention as well as a Transformer model, each tested using different combinations of contextual information as input. Our experiments demonstrate that a model that uses all of the mentioned contexts will have a higher performance than a model that uses any subset of the contexts. Furthermore, we demonstrate that the Transformer model outperforms the RNN model in this scenario.
Citations: 0
Model-Agnostic Scoring Methods for Artificial Intelligence Assurance
Pub Date : 2022-10-01 DOI: 10.1109/STC55697.2022.00011
Md. Nazmul Kabir Sikder, Feras A. Batarseh, Pei Wang, Nitish Gorentala
State of the art Artificial Intelligence Assurance (AIA) methods validate AI systems based on predefined goals and standards, are applied within a given domain, and are designed for a specific AI algorithm. Existing works do not provide information on assuring subjective AI goals such as fairness and trustworthiness. Other assurance goals are frequently required in an intelligent deployment, including explainability, safety, and security. Accordingly, issues such as value loading, generalization, context, and scalability arise; however, achieving multiple assurance goals without major trade-offs is generally deemed an unattainable task. In this manuscript, we present two AIA pipelines that are model-agnostic, independent of the domain (such as: healthcare, energy, banking), and provide scores for AIA goals including explainability, safety, and security. The two pipelines: Adversarial Logging Scoring Pipeline (ALSP) and Requirements Feedback Scoring Pipeline (RFSP) are scalable and tested with multiple use cases, such as a water distribution network and a telecommunications network, to illustrate their benefits. ALSP optimizes models using a game theory approach and it also logs and scores the actions of an AI model to detect adversarial inputs, and assures the datasets used for training. RFSP identifies the best hyper-parameters using a Bayesian approach and provides assurance scores for subjective goals such as ethical AI using user inputs and statistical assurance measures. Each pipeline has three algorithms that enforce the final assurance scores and other outcomes. Unlike ALSP (which is a parallel process), RFSP is user-driven and its actions are sequential. Data are collected for experimentation; the results of both pipelines are presented and contrasted.
Citations: 1
Introduction to AI Assurance for Policy Makers
Pub Date : 2022-10-01 DOI: 10.1109/stc55697.2022.00016
Luke Biersmith, P. Laplante
The deployment of artificial intelligence (AI) applications has accelerated faster than most scientists, policymakers and business leaders could have predicted. AI-enabled technologies are facing the public in many ways including infrastructure, consumer products and home applications. Because many of these technologies present risk either in the form of physical injury or unfair outcomes, policy makers must consider the need for oversight. Most policymakers, however, lack the technical knowledge to judge whether an emerging AI technology is safe, effective and requires oversight, therefore depending on expert opinion. But policymakers are better served when, in addition to expert opinion, they have some general understanding of existing guidelines and regulations. While not comprehensive, this work provides an overview of AI legislation and directives at the international, U.S. state and federal levels. It also covers business standards, and technical society initiatives. This work can serve as a resource for policymakers and other key stakeholders and an entry point to their understanding of AI policy.
Citations: 0
The Generation of Software Security Scoring Systems Leveraging Human Expert Opinion
Pub Date : 2022-10-01 DOI: 10.1109/STC55697.2022.00023
P. Mell
While the existence of many security elements in software can be measured (e.g., vulnerabilities, security controls, or privacy controls), it is challenging to measure their relative security impact. In the physical world we can often measure the impact of individual elements to a system. However, in cyber security we often lack ground truth (i.e., the ability to directly measure significance). In this work we propose to solve this by leveraging human expert opinion to provide ground truth. Experts are iteratively asked to compare pairs of security elements to determine their relative significance. On the back end our knowledge encoding tool performs a form of binary insertion sort on a set of security elements using each expert as an oracle for the element comparisons. The tool not only sorts the elements (note that equality may be permitted), but it also records the strength or degree of each relationship. The output is a directed acyclic ‘constraint’ graph that provides a total ordering among the sets of equivalent elements. Multiple constraint graphs are then unified together to form a single graph that is used to generate a scoring or prioritization system. For our empirical study, we apply this domain-agnostic measurement approach to generate scoring/prioritization systems in the areas of vulnerability scoring, privacy control prioritization, and cyber security control evaluation.
Citations: 0
Analyzing Failures in Artificial Intelligent Learning Systems (FAILS)
Pub Date : 2022-10-01 DOI: 10.1109/STC55697.2022.00010
Francis Durso, M. Raunak, Rick Kuhn, R. Kacker
We learn more from analyzing failures in engineering than by studying successes. There is significant value in documenting and tracking AI failures in sufficient detail to understand their root causes, and to put processes and practices in place toward preventing similar problems in the future. Similar efforts to track and record vulnerabilities in traditional software led to the establishment of the National Vulnerability Database, which has contributed towards understanding vulnerability trends, their root causes, and how to prevent them [1], [3].
Citations: 1