2023-01-10: I Am Number 10
On December 17, 2022, I walked in ODU's commencement ceremony as Dr. Michele Weigle's 10th Ph.D. graduate. The number 10 is somewhat fitting as 10 years have passed since I started taking doctoral level courses at ODU, first as a non-degree student, before officially enrolling in the Computer Science program. If you search mythology, numerology, literature, or religion you will find various meanings and themes around the number 10. The one I find most fitting for the doctoral degree is completion of a cycle, endings and beginnings where knowledge gained during the journey is now available to you.
On November 16, 2022, I defended my dissertation research "A Relevance Model for Threat-Centric Ranking of Cybersecurity Vulnerabilities (video)." I sincerely appreciate the willingness of Dr. Weigle, Dr. Nelson, and the Web Science and Digital Libraries (WS-DL) research group to join me in tackling a cybersecurity challenge. My dissertation committee members, Dr. Ross Gore and Dr. Faryaneh Poursardar, offered valuable insight which served to make my findings much more impactful. We all learned a lot along the way and even managed to make some connections with concepts from information retrieval.
The goal of my research was to demonstrate that aggregating and synthesizing readily accessible, public data sources to provide personalized, automated recommendations that an organization can use to prioritize its vulnerability management strategy will offer significant improvements over what is currently realized using the Common Vulnerability Scoring System (CVSS). We focused on types of attacks and attackers to create two ranking policies that could be powered by the data sets in the study to facilitate a data-driven approach for ranking CVE-IDs as they are published weekly. We used techniques from information retrieval to rank the quality of the defined threat-centric policies using 13,862 vulnerabilities published between 2019 and 2021. Evaluation using nDCG and a paired t-test showed an average 71.5% improvement over the CVSS base score for escalating CVE-IDs for mitigation that fit the criteria for tactics and techniques employed by known Advanced Persistent Threat (APT) groups. Further, we measured the ROI of patching and realized a 23.3% reduction in annual unit costs.
Figure 1: nDCG@20 for the CVSS Base Score versus the General Threat policy for organizations in the education subsector

Figure 2: Graph shows the traceability from APT groups (dark orange) operating in China (yellow) to the exploit of CVE-2021-38000 (red node) based on the techniques employed (brown)
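To make the evaluation described above concrete, here is an added example (not code from the dissertation) that computes nDCG@k for a CVSS-ordered ranking and a threat-policy-ordered ranking, then a paired t statistic across organizations. The scores, relevance grades, organization names and the small k are all constructed assumptions.

```python
import math

# Constructed sample data (not from the dissertation). Per organization, each
# tuple is (CVSS base score, hypothetical threat-policy score, assumed
# relevance grade 0-3 for how well the vulnerability fits that org's threats).
ORGS = {
    "org_a": [(9.8, 0.20, 0), (7.5, 0.90, 3), (8.8, 0.40, 1),
              (6.5, 0.80, 2), (5.3, 0.10, 0)],
    "org_b": [(9.1, 0.70, 2), (8.1, 0.30, 0), (7.8, 0.95, 3),
              (7.2, 0.65, 0), (4.3, 0.60, 1)],
    "org_c": [(10.0, 0.85, 3), (9.0, 0.10, 0), (6.1, 0.75, 2),
              (5.5, 0.20, 0), (5.0, 0.60, 1)],
}
CVSS, THREAT, REL = 0, 1, 2  # tuple positions

def dcg(rels):
    # Graded relevance discounted by log2 of the (1-based) rank + 1.
    return sum(r / math.log2(i + 2) for i, r in enumerate(rels))

def ndcg_at_k(vulns, score_idx, k):
    # Rank by the chosen score, then normalize by the ideal ordering's DCG.
    ranked = sorted(vulns, key=lambda v: v[score_idx], reverse=True)
    ideal = sorted((v[REL] for v in vulns), reverse=True)
    best = dcg(ideal[:k])
    return dcg([v[REL] for v in ranked[:k]]) / best if best else 0.0

def paired_t(a, b):
    # Paired t statistic on per-organization differences (df = n - 1).
    d = [x - y for x, y in zip(a, b)]
    n = len(d)
    mean = sum(d) / n
    var = sum((x - mean) ** 2 for x in d) / (n - 1)
    return mean / math.sqrt(var / n)

def evaluate(k=3):
    cvss = [ndcg_at_k(v, CVSS, k) for v in ORGS.values()]
    threat = [ndcg_at_k(v, THREAT, k) for v in ORGS.values()]
    return cvss, threat, paired_t(threat, cvss)

if __name__ == "__main__":
    cvss, threat, t = evaluate()
    for name, c, p in zip(ORGS, cvss, threat):
        print(f"{name}: nDCG@3 CVSS={c:.3f} threat={p:.3f}")
    print(f"paired t = {t:.3f} (df = {len(cvss) - 1})")
```

In org_a the highest CVSS score belongs to a vulnerability with relevance 0, which is why the CVSS ordering scores poorly there even though its top pick is rated critical.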
- Make sure you consider the amount of work required. A 40-hour work week leaves precious time for studies
- Choose your topic early and start writing while you're completing course work
- You've taken on a second job. Maintaining a schedule is essential to keep your sanity
- Be organized and document everything. This will be useful when you need to repeat some portion of your research
- Be resilient and understand that a good idea can sometimes yield bad results
- Leverage resources including your professional colleagues. Talking about your research can spawn new approaches
- Plan where you want your Ph.D. to take you (e.g., elevating your current position or pursuing a different path)
- Try to maintain balance. It's okay to spend time with family and friends
- Back up your data and documents in multiple places
- Keep reminding yourself how good you'll feel when you finish