SocialCyber: Hybrid AI to Protect Integrity of Open Source Code

Summary

The Department of Defense (DoD) has critical dependencies on open source software (OSS) throughout its supply chain, including operating systems, virtualization systems, and hypervisors, as well as tool chains for software development.

The DoD’s use of OSS saves cost, increases maintainability, and attracts developer talent, but also creates an unprecedented attack surface, in which many trusted software parts and paths are exposed to hostile manipulation. Manipulators can leverage the full scope of social mechanisms and incentives that make the OSS sociotechnical ecosystem so valuable.

Today, the integrity of these ecosystems relies on manual effort by their respective stewards, who typically act on implicit trust and perceived reputation. Situational awareness is a matter of heuristics, such as the so-called “bus factor” of a project, and hunches based on long-term community participation. As a result, OSS stewards struggle to protect the integrity of their projects. Moreover, tracking the dependencies of modern software ecosystems requires sustained, dedicated effort that cannot be expected of any individual or group of stewards.

For OSS projects that take the stance of not publicly distinguishing between exploitable bugs and functional bugs, adversaries may glean critical information before mitigations are complete and interfere with those mitigations. Social media campaigns to disrupt or distract OSS developer communities can be highly effective, even when mounted by a few individuals against a large and well-established community. Since development of OSS is essentially a social process, such disruptions present a growing concern.

The AIE SocialCyber Opportunity aims to explore capabilities to detect and counteract cyber-social operations that may target OSS developer communities. SocialCyber seeks to explore hybrid methods that combine analyses of source code, development-related communication artifacts, and multi-modal social media activities related to open source development to protect the integrity of open source infrastructure critical to the DoD.

This program is now complete

This content is available for reference purposes. This page is no longer maintained.
