Protecting open source software by analyzing community behavior
The Defense Advanced Research Projects Agency’s SocialCyber program aims to use artificial intelligence to create a dynamic situational awareness capability that can preserve the integrity and security of open source software projects.
To maintain the security of the Defense Department’s open source software supply chain, the Defense Advanced Research Projects Agency wants to create a dynamic and continuously updated OSS situational awareness capability.
The SocialCyber program aims to preserve an OSS project’s integrity and security by providing early warnings of weaknesses, impending project disruption, stagnation or collapse, according to a March 15 presolicitation. By capturing data on the security of a project’s architecture, relevant social behaviors of participants, security economics and the attack surfaces, DARPA expects to develop an overall security assessment of an OSS project’s complex cyber-socio-technical ecosystem.
OSS communities can be damaged by participants contributing flawed code or designs, conducting social media campaigns against OSS developers, submitting misleading bug reports, muddying technical discussions and derailing functional authority on OSS projects. SocialCyber will explore hybrid methods that analyze source code, development-related communication artifacts and social media activity to detect and counteract malevolent cyber-social operations and protect the integrity of DOD’s open source infrastructure.
According to DARPA, critical considerations include a project’s implicit dependencies, which might affect architectural changes and, in turn, impact the entire project. SocialCyber requires characterizing the OSS developers, contributors and detractors involved in a project and analyzing their roles, contributions, functional authorities and the channels they use.
Combined technical and social project timelines will also be critical for identifying when participants disrupt OSS projects or push for significant architectural and structural changes that alter the course of the work. SocialCyber also requires a project development timeline that records the history of architectural decisions, long-term architectural trends and upcoming changes.
The $1 million 18-month program expects to demonstrate the situational awareness tool’s ability “to dynamically correlate the code and timelines of a major architectural feature introduction or refactoring with the social activities’ timeline of discussion and decisionmaking, including any social media events relevant to the ‘tipping points’ of the decision, with a clear mapping of parties to technical trends and artifacts,” the solicitation said.
Proposals are due April 6.