2023-01-10: I Am Number 10


On December 17, 2022, I walked in ODU's commencement ceremony as Dr. Michele Weigle's 10th Ph.D. graduate. The number 10 is somewhat fitting as 10 years have passed since I started taking doctoral level courses at ODU, first as a non-degree student, before officially enrolling in the Computer Science program. If you search mythology, numerology, literature, or religion you will find various meanings and themes around the number 10. The one I find most fitting for the doctoral degree is completion of a cycle, endings and beginnings where knowledge gained during the journey is now available to you.

On November 16, 2022, I defended my dissertation research "A Relevance Model for Threat-Centric Ranking of Cybersecurity Vulnerabilities" (video). I sincerely appreciate the willingness of Dr. Weigle, Dr. Nelson, and the Web Science and Digital Libraries (WS-DL) research group to join me in tackling a cybersecurity challenge. My dissertation committee members, Dr. Ross Gore and Dr. Faryaneh Poursardar, offered valuable insight which served to make my findings much more impactful. We all learned a lot along the way and even managed to make some connections with concepts from information retrieval.

The goal of my research was to demonstrate that aggregating and synthesizing readily accessible, public data sources to provide personalized, automated recommendations that an organization can use to prioritize its vulnerability management strategy will offer significant improvements over what is currently realized using the Common Vulnerability Scoring System (CVSS). We focused on types of attacks and attackers to create two ranking policies that could be powered by the data sets in the study to facilitate a data-driven approach for ranking CVE-IDs as they are published weekly. We used techniques from information retrieval to rank the quality of the defined threat-centric policies using 13,862 vulnerabilities published between 2019 and 2021. Evaluation using nDCG and a paired t-test showed an average 71.5% improvement over the CVSS base score for escalating CVE-IDs for mitigation that fit the criteria for tactics and techniques employed by known Advanced Persistent Threat (APT) groups. Further, we measured the ROI of patching and realized a 23.3% reduction in annual unit costs.

Figure 1: nDCG@20 for the CVSS Base Score versus the General Threat policy for organizations in the education subsector
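The kind of comparison described above, as an added example that is not code from the dissertation: nDCG@k of a CVSS-ordered list versus a policy-ordered list for each weekly batch, followed by the paired t statistic over the weekly scores. The labels, scores, relevance grades, the linear-gain form of DCG and k=3 are all constructed assumptions for illustration.

```python
import math
from statistics import mean, stdev

# Constructed weekly batches: (label, CVSS base score, policy score, relevance 0-3).
# Labels are placeholders, not real CVE-IDs; relevance stands in for how well a
# vulnerability fits the tactics and techniques of known threat groups (assumed scale).
WEEKS = [
    [("CVE-A", 9.8, 0.10, 0), ("CVE-B", 7.5, 0.90, 3),
     ("CVE-C", 8.8, 0.40, 1), ("CVE-D", 5.3, 0.70, 2)],
    [("CVE-E", 9.1, 0.20, 1), ("CVE-F", 6.5, 0.80, 3),
     ("CVE-G", 7.8, 0.60, 0), ("CVE-H", 4.3, 0.50, 2)],
    [("CVE-I", 10.0, 0.85, 3), ("CVE-J", 9.0, 0.15, 0),
     ("CVE-K", 6.1, 0.75, 2), ("CVE-L", 5.0, 0.30, 1)],
]
CVSS, POLICY, REL = 1, 2, 3  # tuple columns

def dcg(grades, k):
    """Discounted cumulative gain of the first k grades (linear gain, log2 discount)."""
    return sum(g / math.log2(pos + 2) for pos, g in enumerate(grades[:k]))

def ndcg_at_k(batch, column, k):
    """nDCG@k when the batch is ranked by `column`, highest score first."""
    ranked = sorted(batch, key=lambda row: row[column], reverse=True)
    ideal = dcg(sorted((row[REL] for row in batch), reverse=True), k)
    return dcg([row[REL] for row in ranked], k) / ideal if ideal else 0.0

def paired_t(baseline, candidate):
    """Paired t statistic over per-week differences (degrees of freedom = n - 1)."""
    diffs = [c - b for b, c in zip(baseline, candidate)]
    return mean(diffs) / (stdev(diffs) / math.sqrt(len(diffs)))

def evaluate(weeks=WEEKS, k=3):
    """Return per-week nDCG@k for both rankings and the paired t statistic."""
    cvss = [ndcg_at_k(w, CVSS, k) for w in weeks]
    policy = [ndcg_at_k(w, POLICY, k) for w in weeks]
    return cvss, policy, paired_t(cvss, policy)

if __name__ == "__main__":
    cvss, policy, t = evaluate()
    for week, (c, p) in enumerate(zip(cvss, policy), start=1):
        print(f"week {week}: nDCG@3 CVSS={c:.3f} policy={p:.3f}")
    print(f"mean CVSS={mean(cvss):.3f} mean policy={mean(policy):.3f} t={t:.2f}")
```

In the third constructed week the highest CVSS score also has the highest relevance, so the baseline scores well there; the paired test works on the per-week differences, not on the two means separately.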

We also provided a framework for vulnerability management specifically focused on mitigating threats using adversary criteria derived from MITRE ATT&CK. We identified the data mining steps needed to acquire, standardize, and integrate publicly available cyber intelligence data sets into a robust knowledge graph from which stakeholders can infer business logic related to known threats. The complete graph, as defined in our knowledge graph schema, provides the framework that allows security teams to be very granular in describing and tracking adversarial behavior.

Figure 2: Graph shows the traceability from APT groups (dark orange) operating in China (yellow) to the exploit of CVE-2021-38000 (red node) based on the techniques employed (brown)

At the end of your academic tenure it is customary to provide recommendations and advice that might be fitting for current and future Ph.D. students. I was already well entrenched in my professional career and, like others, balancing a multitude of work and family responsibilities when I started this journey. I'll tailor my advice towards those whose path looks similar to mine. In keeping with the original theme of this blog post, here are 10 things you should know:

  1. Make sure you consider the amount of work required. A 40-hour work week leaves precious time for studies
  2. Choose your topic early and start writing while you're completing course work
  3. You've taken on a second job. Maintaining a schedule is essential to keep your sanity
  4. Be organized and document everything. This will be useful when you need to repeat some portion of your research
  5. Be resilient and understand that a good idea can sometimes yield bad results
  6. Leverage resources including your professional colleagues. Talking about your research can spawn new approaches
  7. Plan where you want your Ph.D. to take you (e.g., elevating your current position or pursuing a different path)
  8. Try to maintain balance. It's okay to spend time with family and friends
  9. Back up your data and documents in multiple places
  10. Keep reminding yourself how good you'll feel when you finish

Finally, I'm glad I was able to stay on course and hopeful my insight proves beneficial for other working professionals like me. I look forward to continued involvement with ODU and the WS-DL group as we finish some of the future work noted in my dissertation. 

-- Corren McCoy (@CorrenMcCoy)