DoD launches project to use artificial intelligence to protect open source software from attacks

The Defense Department is seeking input for an Artificial Intelligence Exploration project exploring capabilities to detect and counteract cyber-social operations that may target open source software developer communities through combinations of attacks.

The attacks can include submissions of flawed code or designs, and social media campaigns against open source software developers and maintainers who are critical of the flaws.

The project, called SocialCyber, will explore hybrid methods that combine analyses of source code, development-related communication artifacts, and multi-modal social media activities related to open source development to protect the integrity of open source infrastructure critical to the DoD.

The DoD depends on open source software throughout its supply chain, including operating systems, virtualization systems, hypervisors, and tool chains for software development, according to the announcement.

DoD’s use of open source software saves cost, increases maintainability, and attracts developer talent, but also creates an attack surface, in which many trusted software parts and paths are exposed to hostile manipulation. 

Manipulators can leverage the full scope of social mechanisms and incentives that make the open source software sociotechnical ecosystem so valuable.

Today, the integrity of these ecosystems entirely relies on manual effort by their respective stewards, who typically act on implicit trust and perceived reputation. 

Numerous instances of confirmed malicious package attacks on popular open source software package repositories have been documented in recent years. Moreover, tracking the dependencies of modern software ecosystems requires sustained dedicated effort that cannot be expected of any individual or group of stewards.

For open source software projects that take the stance of not publicly distinguishing between exploitable bugs and functional bugs, adversaries may glean critical information before mitigations are completed, and interfere with the mitigations. 

Social media campaigns to disrupt or distract open source software developer communities can be highly effective, even if mounted by a few individuals against a large and well-established community. 

Since development of open source software is essentially a social process, such disruptions present a growing concern.

After carefully characterizing these and other relevant potential scenarios of interfering with open source software projects, the SocialCyber program seeks to create a dynamic and continuously updated open source software situational awareness capability. 

Proposals should discuss specific open source project(s) and specific notable open source software historical incidents and experiences, and reference the state of the art in identifying the topology, statistics, and key attributes of an open source software developer social network.

Desirable outcomes include, but are not limited to, providing early warning of open source software projects’ weaknesses, impending project disruption, stagnation or collapse, and preserving project integrity and security.

An overall security assessment of the open source software project will capture relevant social behaviors, security of the architecture, security economics, and the attack surfaces that present themselves in this complex cyber-socio-technical system.

To learn more and present a proposal, visit the posting.