Building on nearly five years of helping the Department of Defense and the Department of Homeland Security improve methods for resisting cyberattacks, Montana State University is leading a new effort to reduce software vulnerabilities across a wide range of systems.
The project, funded by a $4.47 million, three-year DHS contract award, will draw on advanced computing and data science techniques to develop innovative tools for identifying computer code that could be exploited by cybercriminals or foreign enemies.
"We’re growing the work we've done already and expanding into new areas," said project leader and principal investigator Clem Izurieta, professor in the Gianforte School of Computing in MSU’s Norm Asbjornson College of Engineering. "As we see an increase in the frequency of cyberattacks and the types of systems being breached, there's a real need for detecting the potential for attacks before they occur."
The team, which includes a total of eight faculty at MSU, Idaho State University, Washington State University and Rochester Institute of Technology, will create computer models that can analyze software throughout the development process, a process known as quality assurance, and identify code that could be hacked once the software is used.
"When you go to the grocery store, you can look at product labels to see if what you're buying contains peanuts so you don’t have an allergic reaction," Izurieta said. "But with software it isn’t like that. A lot of times programmers build something and trust it to work without knowing the vulnerabilities. That’s one area of what we’re trying to fix."
The project expands on work that started in 2018, when Izurieta brought his cybersecurity expertise to a project with MSU’s Techlink Center to improve software that the Department of Defense uses to manage its facilities. The MSU team developed an innovative framework that used multiple existing tools for identifying software vulnerabilities. That success helped Izurieta’s team secure $3.1 million in DHS funding in 2020 for a partnership with the Idaho National Laboratory through an interagency agreement focused on developing new ways of evaluating software vulnerabilities. The new project expands the scope to include cloud-based software as well as industrial control systems responsible for critical infrastructure.
The new project will also apply the latest advances in computing such as machine learning, which uses algorithms and statistical models to dynamically adapt to patterns in data. That approach will allow the cybersecurity tools to comb through computer code and spot potential problems, according to machine learning expert Brad Whitaker, assistant professor in the Department of Electrical and Computer Engineering.
“The computer code in a typical program is too vast for a person to go through and really understand, but we can create tools that identify the parts that are important to look at,” Whitaker said. “It’s like a triage process.”
The stakes have increased in recent years as more and more systems are computerized and connected to the internet, including in health care, finance and energy, Whitaker said. While there are numerous benefits to being able to conveniently store and manage data and remotely control infrastructure, there are also risks. Hackers routinely exploit vulnerabilities in common desktop software to shut companies out of their computer networks until a ransom is paid, and they have also made strides in gaining access to the computerized systems that control power grids and other infrastructure.
Ann Marie Reinhold, assistant professor of computer science, will use advanced data science methods to characterize the risk that’s often built into software as it’s created by a series of different teams of programmers. "One of the things that's exciting about this project is how interdisciplinary it is,” she said. “We’re bringing together people with a wide range of expertise to weave cybersecurity through the entire software development life cycle.”
Suzie Hockel in MSU’s Gianforte School of Computing will serve as program manager for the project and postdoctoral researcher Derek Reimanis will serve as a leading expert in quality assurance techniques. Rochester Institute of Technology and Washington State University will support machine learning aspects of the project, with WSU also helping to develop algorithms for detecting sensitive sections of computer code. The project will make use of an Idaho State University industrial control systems facility that will enable the team to test the effectiveness of the new computer models at protecting software that controls infrastructure, like power grids. The project will produce quality assurance tools for quantifying, visualizing, and communicating the effects of software vulnerabilities so remedies can be made, according to Izurieta.
"This goes beyond theories,” Izurieta said. “We're going to actually test and deploy something that can be applied once we’re done.”
The project will also provide numerous educational opportunities for students. The funding is expected to support four doctoral students at MSU and four at the partnering universities, as well as several undergraduate research opportunities. To date, Izurieta’s cybersecurity projects have provided hands-on experience to more than 20 undergraduates and many graduate students in MSU’s Software Engineering Laboratory.
The new project comes as MSU began offering a new Master of Science in Cybersecurity degree this fall. Also this fall, Gallatin College MSU began offering a two-year associate degree in cybersecurity information assurance. Additionally, as part of the Northwest Virtual Institute for Cybersecurity Education and Research, which recently received $1.5 million from the Department of Defense, MSU offers cybersecurity trainings to a select number of its Air Force ROTC students. And through the National Science Foundation-funded Research Experience for Undergraduates program, MSU mentors roughly 10 undergraduates from across the U.S. in cybersecurity each summer.
"This is a timely award in the sense that it’s building on a much bigger effort to grow our research and education in cybersecurity to meet the growing need,” Izurieta said. “We have momentum across all fronts.”