Information Sciences and Technology Department

New scoring framework addresses software vulnerabilities

Tama Moni — Tue, 25 Oct 2022 17:50:54 +0000

New scoring framework addresses software vulnerabilities Tama Moni Tue, 10/25/2022 - 13:50

In This Story

The George Mason University College of Engineering and Computing has launched the Mason Vulnerability Scoring Framework (MVSF), which publishes a continuously updated ranking of the most-common global software weaknesses. The work, in conjunction with PARC (Palo Alto Research Center), relies on the National Institute of Standards and Technology’s (NIST)—Common Vulnerabilities and Exposures data and other sources of vulnerability information to create an up-to-date database that can be used to identify and mitigate risks. This line of work has resulted in multiple pending patent applications and a Best Paper Award at the 19th International Conference on Security and Cryptography.

Cybersecurity code with 1s and 0s
Photo provided by iStock images

Liza Wilson Durant, Mason’s associate provost for strategic initiatives and community engagement, says, "This preemptive tool to guide strategic defense against cybersecurity vulnerabilities will not only safeguard systems but mitigate potential business revenue losses for those who leverage the tool. “

An existing list called the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses, compiled by The MITRE Corporation, has long been the industry standard. MVSF improves on the CWE Top 25 by having data input monthly, compared to MITRE’s yearly reporting. This improvement allows researchers, programmers, developers, and others to have an accurate, almost real-time picture of where software vulnerabilities are most likely to be exploited. Additionally, where MITRE ranks the top 25 vulnerabilities, MVSF ranks the top 150.

Associate Professor, Department of Information Sciences and Technology and Associate Director, Center for Secure Information Systems, Max Albanese oversees the project for Mason. He says, “If there is a trend where a certain type of vulnerability is becoming more severe, you don’t have to wait for a full year to discover that; you’ll see that class of vulnerability getting worse – or better – month-to-month.” MVSF can even correct course based on new information, going back and re-ranking weaknesses’ order in a previous month based on new information that was not known at the time of original ranking.

Albanese further notes that NIST assigns a severity score to vulnerabilities based on a combination of an exploitability score – how difficult the vulnerability is to exploit – and an impact score – how bad the consequences would be if the vulnerability were exploited. MVSF uses those components as variables but allows users to add their own, additional variables not considered by NIST. MVSF also allows users to decide how to weigh the variables that rank the vulnerabilities. This customizability, still under development, is an important feature of the new system.

Mason and PARC’s collaboration on the Mason Vulnerability Scoring Framework builds on a relationship that started with both of them working on a Defense Advanced Research Projects Agency (DARPA) project dubbed SCIBORG: Secure Configurations for the Internet of Things (IoT) based on Optimization and Reasoning on Graphs. The goal of SCIBORG was to devise fundamentally new approaches to determine security configurations that protect critical infrastructure and IoT-based systems.

The association with PARC here was important to making the project a success. “Working with GMU was a productive collaboration,” says Marc Mosko, principal scientist, PARC. “Configuration vulnerabilities are growing, now comprising over 15 percent of all Common Vulnerability and Exposure (CVE) notices. We appreciate that across many different industry sectors, there are often gaps in context between management, software security teams, and those who are responsible for ensuring systems are performing optimally on an ongoing basis. Our work addresses these evolving configuration security needs, and we look forward to exploring opportunities to apply this work in the future.”

Mason and PARC’s collaboration on the Mason Vulnerability Scoring Framework builds on a relationship that started with both of them working on a Defense Advanced Research Projects Agency (DARPA) program ConSec in a project dubbed SCIBORG: Secure Configurations for the Internet of Things (IoT) based on Optimization and Reasoning on Graphs. The goal of SCIBORG was to devise fundamentally new approaches to determine security configurations that protect critical infrastructure and IoT-based systems.

Albanese, who is also an external consultant for MITRE, has initiated a collaboration with MITRE’s group responsible for CWE to leverage synergies between the two organizations.

In addition to the excitement of the innovation, it is equally impactful to see undergraduate students involved in its design and implementation and innovating alongside their mentor faculty," says Wilson Durant.

The Virginia Commonwealth Cyber Initiative (CCI) will provide continued support for two Mason undergraduate students to assist with the project, which Albanese says is key for the continued maintenance of the system.

Topics

cryptography

configuration vulnerabilities

Internet of Things

Information Sciences and Technology Department

Research

CEC faculty research

Zhisheng Yan nabs Best Student Paper Award

Teresa Donnellan — Wed, 05 Oct 2022 18:57:56 +0000

Zhisheng Yan nabs Best Student Paper Award Teresa Donnellan Wed, 10/05/2022 - 14:57

In This Story

Zhisheng Yan

A recent paper by Department of Information Sciences and Technology Assistant Professor Zhisheng Yan received the Best Student Paper Award at ACM Multimedia Systems (MMSys) 2022 conference held in Athlone, Ireland. ACM MMSys is a premier conference on multimedia. The awarded paper results from a collaborative project between Yan and researchers at the University of Illinois Urbana-Champaign.

In his paper, Yan writes, “Image compression standards such as JPEG and its variants designed for human viewing are no longer the optimal choice for emerging video analytics applications where machines and computer algorithms are the end consumers. We show in this paper that it is necessary and feasible to achieve fast and compact image compression while maximizing the accuracy of image classification and object detection algorithms through a machine-centered design.”

To read the paper, “Context-aware Image Compression Optimization for Visual Analytics Offloading,” go to https://mason.gmu.edu/~zyan4/papers/cico_mmsys22.pdf.

Topics

Information Sciences and Technology Department

information sciences and technology

Media Research

New Mason IT grad says ‘just go for it’

Rena Malai — Mon, 25 Apr 2022 19:59:42 +0000

New Mason IT grad says ‘just go for it’ Rena Malai Mon, 04/25/2022 - 15:59

It was a friend’s serendipitous homework assignment that had Dania O Abu-Irshaid, upcoming George Mason graduate from the Department of Information Sciences and Technology, switch her undergrad work from pre-law to a STEM path.

She says she’s always had a natural knack for coding, and it’s something that’s always interested her. But when she helped a fellow Mason student with a Python coding exercise, that’s when it clicked.

“I was thinking about pre-law, but after taking a class in it, I didn’t feel like it suited me. I was undecided,” says Abu-Irshaid. “Then my friend was struggling with this homework assignment and I ended up finishing it for her in five minutes. She looked at me and said, this is what you should be doing.”

When Abu-Irshaid made the move to study IT, with a concentration in cybersecurity, that’s when things really picked up for her. As the oldest child in her family, she was relied on to be the tech savvy expert and help fix wifi routers in the house or explain internet nuances to her parents. Although she is the first female in her family to study and work in STEM, she’s confident of the opportunities coming her way.

After graduation, Abu-Irshaid will enter a ten weeklong internship with the Virginia Department of Elections, where she will work in the cybersecurity sector. She also sees potential for a corporate position with one of the big contenders—namely Walmart. As a resident advisor at Mason to freshman engineering students, Abu-Irshaid says some of her mentees good naturedly tease her about her Walmart aspirations to this day.

“I’m like, guys, Walmart isn’t just about celery and sticky buns, they have a corporate side,” she says. “But they’ll still ask me how Walmart’s going and what kind of merchandise I have.”

With a bright future ahead, she says she’ll miss her time at Mason, particularly the diverse community and her role as an advisor.

“I love the community and culture at Mason. There’s always something to do, and something to look forward to on campus. But I’ll hopefully be back, in some capacity,” says Abu-Irshaid.

Her message for future grads is to just go for it, whether it’s a job, course of study, or opportunity.

“It’s really as simple as that, and it’s what got me everywhere,” she says. “Just go to that club meeting, go to that class, ask your professor that question. You’re not going to get the results unless you go for it.”

Topics

Information Sciences and Technology Department

Graduation

CEC 2022 graduates

Mason NSF CAREER award looks at compressing and transmitting panoramic video for accurate analysis

Rena Malai — Mon, 07 Feb 2022 19:37:10 +0000

Mason NSF CAREER award looks at compressing and transmitting panoramic video for accurate analysis Rena Malai Mon, 02/07/2022 - 14:37

In This Story

Zhisheng Yan

Panoramic video footage is a useful tool to capture important information, like identifying suspects or monitoring a natural disaster response during an earthquake or wildfire.

George Mason University assistant professor Zhisheng Yan in the Department of Information Sciences and Technology will lead a National Science Foundation (NSF) CAREER research project called Machine-centered Cyberinfrastructure for Panoramic Video Analytics in Science and Engineering Monitoring to further develop and enhance machine centric video compression and transmission. This will look at developing a method for video footage captured by a 360 degree panoramic camera—which uses copious amounts of data—to get compressed and transmitted into a more usable, sizeable unit for data analysis in computing servers.

According to Yan, the benefit of 360 video footage is having a larger scope of footage available but transmission can be challenging without efficient compression.

“The use of 360 degree panoramic video is seen as an important tool for data collection in a variety of spaces, particularly when it comes to identifying wildlife, filming airport traffic, and suspect recognition,” says Yan. “All the views are available.”

The end consumer of 360 degree video footage is now not always a human eye, but a computer algorithm, says Yan. This is why redesigning video compression and transmission capabilities is necessary to make sure the algorithms are properly analyzing footage, and retaining the data that’s needed.

“The need to redesign compression and transmission is not necessarily for video quality, but to optimize analytic results and accuracy for the computer systems ‘viewing’ the video,” says Yan.

He adds that research done around traditional camera and video systems have shown that there are often issues when software programs are used to analyze panoramic videos that are too large for the systems to handle. This is where machine centric video compression and transmission can help these systems generate an accurate analysis.

Yan will be the single principal investigator for the project and anticipates working alongside student researchers throughout the duration. The Machine-centered Cyberinfrastructure for Panoramic Video Analytics in Science and Engineering Monitoring project will begin June 2022 and run for about five years.

Until June, Yan says he will focus on some literature reviews and preparation.

“Our first focus will be in compression technology, and then we will focus on the transmission aspect,” he says. “We’ll do testing on 360 degree panoramic video samples to see what works best.”

Topics

visual art

Information Sciences and Technology Department

College of Engineering and Computing

Media

data analytics

data

National Science Foundation

Research