LAGOON Executive Summary
Abstract
The DoD strategy of 'Adopt, Buy, Create' puts an emphasis on adopting open source software (OSS) where possible as a means to build robust systems at low cost. For example, in avionics, the Army believes that a Modular Open Systems Approach (MOSA) leveraging OSS is "expected to yield an ROI in the hundreds of millions of dollars." Ensuring the supply-chain integrity of OSS is therefore crucial for the security of downstream DoD applications. In the LAGOON project, we built a brand-new, open source platform that helps security analysts understand OSS communities from a social-oriented threat perspective. Focusing on the observable artifacts produced within these communities, such as mailing list archives, LAGOON provides a comprehensive suite of tools for ingesting different kinds of data, fusing it into a unified, sociotechnical and spatiotemporal graph, and then leveraging Machine Learning (ML)-enabled capabilities to help predict and prevent future attacks against OSS. The platform is designed for Observe, Orient, Decide, Act (OODA) loop scenarios, and we plan to deploy it through continuous integration in future work. Our results demonstrate that our tools enable rapid exploration of new social threat scenarios compared to the state of the art, and include findings specifically regarding the social threat level of the CPython open source development community.
Document Details
- Document Type: Technical Report
- Publication Date: Feb 24, 2022
- Accession Number: AD1162744
Entities
Organizations
- Galois, Inc.