
ECE Master of Science Thesis Defense By:

When: Thursday, April 21, 2022
10:15 AM - 11:15 AM
Where: See description for location
Cost: Free
Description: Topic: Covariate Software Vulnerability Discovery Model to Support Cybersecurity Test & Evaluation

Location: Lester W. Cory Conference Room, Science & Engineering Building (SENG), Room 213A

ZOOM Teleconference: https://umassd.zoom.us/j/99866093498
Meeting ID: 998 6609 3498
Passcode: 470229

Abstract:
Without quantitative methods to assess the vulnerability discovery process in software systems acquired by government organizations, national defense, security, and critical infrastructure will be subject to unnecessary risk of degradation or of being disabled. Rigorous test and evaluation procedures can enable quantitative assessment of cybersecurity measures and be incorporated into government contracts to ensure that taxpayer dollars produce quality software that exhibits a high degree of protection against various forms of cyberattack. This thesis presents a study showing that explicit quantification of the underlying software testing activities that lead to vulnerability discovery enables more detailed modeling and prediction, and thereby significantly improves the ability of such models to support cybersecurity test and evaluation in comparison to previous models. An open-source software system is identified and subjected to various forms of penetration testing through both automated and manual multi-function tools and techniques. The methodology for selecting an appropriate software vulnerability taxonomy, as well as the correct combination of tools and techniques for a particular system, is discussed. A dataset was created by collecting the amount of effort dedicated to each of these penetration testing activities, together with a categorization of the vulnerabilities discovered by security risk. This data served as input to existing models to demonstrate how detailed data collection during testing can support evaluation through quantitative models that assess the discovery of vulnerabilities which may lead to cyberattacks on software.

The Alhazmi-Malaiya Logistic (AML) model, which often provided the best fit in past research, is a nonhomogeneous Poisson process (NHPP) software reliability model without covariates. It is compared with the Discrete Cox Proportional Hazards covariate model using several alternative hazard functions and data on three covariates. Each model's goodness of fit with respect to the collected dataset and the prediction accuracy of each model are analyzed. Effort allocation based on these models can provide general guidance on the amount of effort to invest and information on the effectiveness of specific testing activities. Our results indicate that the vulnerability discovery model incorporating covariates drastically outperformed the AML model. Thus, vulnerability discovery models incorporating covariates can provide a more detailed and accurate assessment of software security based on multiple testing activities.

Note: All ECE Graduate Students are ENCOURAGED to attend.
All interested parties are invited to attend. Open to the public.

Advisor: Dr. Lance Fiondella
Committee Members: Dr. Hong Liu, Professor, Department of Electrical & Computer Engineering, UMASS Dartmouth; Dr. Gokhan Kul, Assistant Professor, Department of Computer & Information Science, UMASS Dartmouth

*For further information, please contact Dr. Lance Fiondella via email at lfiondella@umassd.edu.
Topical Areas: General Public, University Community, College of Engineering, Electrical and Computer Engineering