Slide 1

Hello everyone,

My name is Ferda and I am thrilled to be here today to introduce myself as a Research Associate at Imperial College. I have over 20 years of experience in software companies as an engineer, team leader, and project manager.

My academic background includes a BSc in engineering and an MSc and Ph.D. in Information Systems, where I focused on security visualization, enterprise security, decision management on security expenditures, and more. During my time at Imperial College, I worked as a postdoc at the Institute for Security Science and Technology, where I published papers on decision management in healthcare cybersecurity and attack graph generation.

Later, my interest in smart contract coding security led me to join the Infrastructure DAO project. With my knowledge of smart contracts and blockchain, I am confident in my ability to contribute and make a meaningful impact on this one.

I am currently working on finding gaps for the use of DAO systems for infrastructure projects. This includes searching for infrastructure problem types that can be handled using DAOs, improving ways of monitoring their efficiency, and comparing DAO systems in terms of financial, governance, and community formation aspects.

For today's presentation I chose two topics. The first one is related to my current project, DAO for infrastructure. The second one is one of my recent projects, which I completed during the period of my ISST appointment. That one focuses on automatic attack graph generation.

Slide 2
Slide 3

• Blockchain: Blockchain is a distributed and decentralized digital ledger technology that records transactions across multiple computers (nodes) in a secure and immutable manner. Each transaction is added to a "block" and linked to the previous block, creating a chain of blocks, hence the name "blockchain." This technology enables trustless and transparent interactions, as all participants have access to the same ledger, and no single entity has full control over the data. Blockchain's most prominent application is in cryptocurrencies like Bitcoin, but its potential goes far beyond, with applications in supply chain management, voting systems, finance, and more.

• Smart Contract: A smart contract is a self-executing program or code that runs on a blockchain network. It automatically executes the terms and conditions of a contract when specific conditions are met. Smart contracts eliminate the need for intermediaries, such as banks or legal systems, as they operate directly on the blockchain. Once deployed, smart contracts are tamper-resistant and irreversible, ensuring transparency and trust among involved parties. Smart contracts have diverse applications, including automated payments, decentralized applications (dApps), and complex financial agreements.

• DApp: A DApp, short for Decentralized Application, is a software application that operates on a decentralized network, typically utilizing blockchain technology. Unlike traditional applications that rely on centralized servers, DApps run on a peer-to-peer network of nodes, ensuring transparency and security. They leverage smart contracts to automate functions and enforce rules without the need for intermediaries. Key characteristics of DApps include their decentralized nature, transparency, security, and reliance on smart contracts. DApps have a wide range of applications, from decentralized finance (DeFi) platforms and supply chain management to gaming and social networking. By leveraging blockchain's features, DApps empower users with greater control over their data and interactions, fostering a new paradigm of decentralized software applications.

• DAO (Decentralized Autonomous Organization): A DAO is a fully decentralized organization that operates through smart contracts on a blockchain. It is governed by a set of predefined rules and algorithms, removing the need for traditional hierarchical management structures. DAOs allow members to participate and make decisions by holding voting power based on their contributions to the organization. As autonomous entities, DAOs execute predefined actions and distribute rewards without the need for central control. They are designed to be transparent, democratic, and resilient to external interference.

• Governance: Governance refers to the process and mechanisms by which decisions are made, rules are established, and actions are executed within a Decentralized Autonomous Organization (DAO).

Slide 4

Before we dive into the specifics of our presentation, I'd like to take a moment to discuss how we can use DAOs (decentralized autonomous organizations) for infrastructure projects. By leveraging the power of DAOs, we can provide a more resilient infrastructure lifecycle.

This slide illustrates the typical phases of an infrastructure project and our approach to using DAOs. Essentially, DAOs are organizations that operate based on rules encoded in a computer program. They are transparent and controlled by their members, rather than a centralized management.

Let's take a closer look at how DAOs can be used in the infrastructure project lifecycle. The first phase is the proposal phase, which can be open to all DAO members. The proposals can be selected through various ways, such as a voting system. Once a proposal is selected, a smart contract can be created to implement the rules of the project after securing the finance and a proper tendering phase. This contract, along with any related contracts, can be deployed onto a blockchain, providing full transparency throughout the project's lifecycle.

Even maintenance requests can be automatically generated based on operational metrics. When the contract is no longer needed, or if it is found to be unsuccessful, it can be terminated, and physical parts can be recycled or repurposed. This approach allows for greater efficiency and sustainability in infrastructure projects.

Slide 5

The key focus of my current and recent research is the creation of a cross-chain community decision management design, which is part of the Infrastructure DAO project.

As we all know, managing cross-chain communities between multiple blockchains can be quite challenging due to the differences in design philosophies, technicalities, and governance models of each blockchain. However, it can also offer benefits, which we will be discussing later in this presentation.

To effectively manage cross-chain communities, there are a few crucial elements that need to be in place. Firstly, clear communication, collaboration, and coordination between the various communities are essential. Secondly, a deep understanding of the unique characteristics and needs of each blockchain is vital. Finally, in order to put this in place in the real world, a willingness to work together towards common goals and a shared vision with multiple communities is necessary.

In summary, managing cross-chain communities can be both challenging and rewarding. With careful consideration, planning, and execution, it is possible to overcome these challenges and unlock the full potential of a cross-chain community decision management system.

Slide 6

Due to the different design philosophies, technical standards, and governance models of the chains, we may restrict the design to a few compatible chains only.

For example, in this preliminary design view, I restricted it to Ethereum and xDai. This way managing a cross-chain community becomes less complex. The number of chains can be increased gradually if a need occurs later.

This preliminary design has the following parts.

Community:
• Is the main contract in the system.
• The system requires a specific community and membership structure, which is different from the permission and role management but should work together with it. The community would consist of members, which correspond to account-chainId pairs. It will also hold community-specific attributes, which will be used for decisions, and community tokens.

DecisionManager:
• Is a utility contract which provides the core decision-making functionality for the system.
• Can adopt multiple voting systems, enabling communities to choose the method of voting that works best for them for each decision.
• Encapsulates the Proposal structure.

Proposal:
• A structure designed to be used by multiple voting systems, allowing communities to propose and vote on decisions.

CrossChainToken:
• A token contract which assumes usage in multiple chains, allowing for the use of the same token types from different chains in decision making.
• Another approach is using token conversion, which is planned to be facilitated by an external Oracle, allowing for comparison and standardization across chains.

Proxies:
• Multiple proxies may be used for different contracts in the system to provide upgradability for the other contracts in the system, enabling future changes and improvements.

Bridge:
• And of course this preliminary design includes bridges between chains to make transactions or to share data between chains, as expected, but it is not restricted to that.

Slide 7

Typically a voting system should be in place, but we extended it such that different voting systems can be encapsulated by the decision-making system.

The decision-making system may involve chain weights and may use them along with conversion of chain-specific tokens to fiat-pegged currencies, or it may depend on some other, more sophisticated mechanism.

• This is a sample proposal structure.
• In this version, we use the keccak256 hash of the voter's (or voted member's) address and chainId to create a unique key for each vote or voted member. This way, we can avoid any confusion or conflicts that may arise from the same addresses being used in different chains.
• We do not simply hold the number of approvals or rejections, but instead the votes themselves, to be able to process them based on the selected votingTypes, which we also store as part of the proposal.
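To make the Proposal structure from slide 7 and the DecisionManager and chain-weight ideas from slides 6 and 7 concrete, here is an added Python model. It is not code from the slides or from the Infrastructure DAO project. It assumes: the vote key is derived from the packed (address, chainId) pair; Python's standard library has SHA3-256 but not Ethereum's keccak256, so hashlib.sha3_256 stands in for it (the point shown is the keying, not the hash choice); chain ids 1 (Ethereum) and 100 (xDai), the chain weights, the addresses and the token balances are constructed sample values; the VotingType names and the DecisionManager methods are my own naming.

```python
"""Added example: model of a cross-chain Proposal keyed by (address, chainId)
with pluggable voting types. Not the project's own code; see lead-in."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from enum import Enum


class VotingType(Enum):            # constructed names for two voting systems
    SIMPLE_MAJORITY = "simple_majority"   # one member, one vote
    TOKEN_WEIGHTED = "token_weighted"     # weight = token balance * chain weight


def member_key(address: str, chain_id: int) -> bytes:
    """Unique key for an (address, chainId) pair. The same address on two
    chains yields two different keys, which is what the design relies on.
    Encoding mirrors abi.encodePacked(address, uint256): 20 + 32 bytes.
    sha3_256 is a stand-in for keccak256 (assumption, see lead-in)."""
    addr = bytes.fromhex(address.lower().removeprefix("0x"))
    if len(addr) != 20:
        raise ValueError("address must be 20 bytes")
    return hashlib.sha3_256(addr + chain_id.to_bytes(32, "big")).digest()


@dataclass
class Vote:
    voter: str
    chain_id: int
    approve: bool
    token_balance: int = 0        # CrossChainToken balance on that chain


@dataclass
class Proposal:
    proposal_id: int
    voting_type: VotingType       # stored with the proposal, as on slide 7
    description: str
    votes: dict[bytes, Vote] = field(default_factory=dict)  # votes kept, not counts

    def cast(self, vote: Vote) -> None:
        key = member_key(vote.voter, vote.chain_id)
        if key in self.votes:     # a second vote from the same (address, chain) pair
            raise ValueError("member already voted on this proposal")
        self.votes[key] = vote


class DecisionManager:
    """Tallies the stored votes under the proposal's voting type. chain_weights
    is the per-chain multiplier of slide 7 (constructed values here; in the
    design they could come from an oracle's fiat conversion of each token)."""

    def __init__(self, chain_weights: dict[int, float]) -> None:
        self.chain_weights = chain_weights

    def tally(self, proposal: Proposal) -> tuple[float, float]:
        approve = reject = 0.0
        for v in proposal.votes.values():
            if proposal.voting_type is VotingType.SIMPLE_MAJORITY:
                w = 1.0
            else:
                w = v.token_balance * self.chain_weights[v.chain_id]
            if v.approve:
                approve += w
            else:
                reject += w
        return approve, reject

    def passes(self, proposal: Proposal) -> bool:
        approve, reject = self.tally(proposal)
        return approve > reject


# Constructed sample data: chain 1 = Ethereum, chain 100 = xDai; weights are made up.
MANAGER = DecisionManager(chain_weights={1: 1.0, 100: 0.5})
ALICE = "0x" + "11" * 20          # constructed addresses
BOB = "0x" + "22" * 20


def demo() -> dict[str, object]:
    """Same address on two chains counts as two members; double voting is rejected."""
    p = Proposal(1, VotingType.TOKEN_WEIGHTED, "Fund road maintenance sensors")
    p.cast(Vote(ALICE, 1, approve=True, token_balance=100))     # Alice on Ethereum
    p.cast(Vote(ALICE, 100, approve=False, token_balance=300))  # Alice on xDai
    p.cast(Vote(BOB, 100, approve=False, token_balance=40))
    approve, reject = MANAGER.tally(p)
    try:
        p.cast(Vote(BOB, 100, approve=True))                     # second vote, same key
        double_vote_blocked = False
    except ValueError:
        double_vote_blocked = True
    return {"votes": len(p.votes), "approve": approve, "reject": reject,
            "passes": MANAGER.passes(p), "double_vote_blocked": double_vote_blocked}
```

Because the votes are stored rather than only counted, the same proposal can be re-tallied under another VotingType without re-collecting votes; with the sample data the token-weighted tally is 100 for and 170 against, so the proposal fails.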

Slide 8

In order to manage a cross-chain community effectively, it is important to have clear and transparent communication channels between the various communities, as well as mechanisms for resolving disputes and making decisions together.

Another important aspect of cross-chain community management is education and outreach. In order to encourage adoption and engagement, it is important to educate users about the benefits and unique features of each blockchain, and to provide resources and support to help them get started.

In conclusion, managing a cross-chain community, even across compatible blockchains, requires a combination of technical infrastructure, clear communication, education and outreach, and effective governance. By working together and leveraging the strengths of each blockchain, a cross-chain community can provide a rich and vibrant ecosystem for developers, users, and businesses.

Slide 9

Cross-chain communities and decision-making systems have several benefits, including:
• increased interoperability, which enables new use cases and applications leveraging different capabilities and features from multiple chains,
• access to a wider range of users and assets, increasing liquidity,
• reduced transaction fees, and
• improved security, by protecting our assets and data from single-point-of-failure problems.

Such a system can be used in the context of infrastructure projects in developing countries, including public works projects, urban planning, renewable energy projects, transportation projects, and disaster response and recovery efforts. By involving a range of stakeholders in the decision-making process, these projects can be developed in a way that meets the needs of the local community and promotes sustainable development.

Slide 10

The motivation behind creating an automatic attack graph generator stems from the increasing complexity and sophistication of cyber threats, which makes manual analysis time-consuming and error-prone. By automating the generation of attack graphs, cybersecurity professionals can gain a comprehensive view of potential attack paths and dependencies, facilitating proactive threat mitigation and enhancing overall system security.

Slide 11

• Threat: A potential event or action that can harm or exploit a system's security.
• Attack: An intentional and malicious action carried out to exploit vulnerabilities and compromise a system's security.
• Vulnerability: A weakness or flaw in a system that can be exploited by attackers to gain unauthorized access or cause harm.
• Attack Graph: A visual representation of potential attack paths and their dependencies in a system's network.
• CVE (Common Vulnerabilities and Exposures): A unique identifier assigned to publicly known software vulnerabilities.
• CWE (Common Weakness Enumeration): A list of common software weaknesses and vulnerabilities.
• Security Control: Measures and mechanisms implemented to protect and mitigate risks to a system's security.
• Security Cost: The expenses associated with implementing security measures and managing potential security incidents.

Slide 12

• About MITRE:
    • MITRE Corporation is a not-for-profit organization that operates Federally Funded Research and Development Centers (FFRDCs).
    • It was founded in 1958 and is based in Bedford, Massachusetts, USA.
    • MITRE focuses on providing technical expertise and research to address complex challenges for various government agencies and the public interest.
• Mission:
    • MITRE's mission is to solve problems for a safer world by working in the public interest and advancing national security, public safety, and healthcare.
• Areas of Expertise:
    • Cybersecurity and Information Assurance
    • Healthcare and Medical Systems
    • Defense and National Security
    • Infrastructure and Environment
    • Judicial and Criminal Justice
• Collaboration and Impact:
    • MITRE collaborates with government agencies, academia, and industry partners to deliver innovative solutions and best practices.
    • Its work has a significant impact on critical areas of national importance.
• Common Vulnerabilities and Exposures (CVE):
    • MITRE maintains the CVE List, providing a standard identifier for known vulnerabilities in software and hardware products.
    • It enables consistent vulnerability management and facilitates vulnerability sharing across the cybersecurity community.
• Common Weakness Enumeration (CWE):
    • MITRE maintains the CWE List, which identifies common software weaknesses and vulnerabilities.
    • CWE helps in understanding and mitigating software security weaknesses and assists in secure software development.
• ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge):
    • MITRE ATT&CK is a knowledge base that describes the actions and behaviors of real-world cyber adversaries.
    • It assists cybersecurity professionals in understanding and countering cyber threats effectively.
• Cybersecurity Challenges and Competitions:
    • MITRE organizes cyber competitions and challenges to foster innovation and cultivate cybersecurity talent.
• Public Interest Research:
    • MITRE conducts research in various domains, including AI ethics, privacy, and policy, to address social and ethical concerns.
• Contributions to Open Source:
    • MITRE actively contributes to open-source projects, sharing knowledge and tools with the broader community.

Slide 13

Slide 14

Slide 15

Slide 16

Slide 17

• Declarative Programming: In Prolog, you describe what you want to achieve, not how to achieve it.
• Logic-Based: Prolog programs consist of facts, rules, and queries represented as logical statements.
• Pattern Matching: Prolog excels at pattern matching and unification, making it ideal for symbolic computations.
• Backtracking: Prolog utilizes backtracking to explore multiple solutions to a problem.

Slide 18

In this example, we have defined facts about who likes which food items and a rule to determine if two people are friends based on a common liking for the same food item.

Upon running the query, Prolog will use the defined rule to check if John and Mary are friends since they both like chocolate.

Slide 19

After introducing Prolog we may continue describing how the attack-specific data is used in the system. In the first row, as you see, there are multiple potential security problems. These are initial findings by the Prolog system. On top of that we …
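To show the Prolog mechanics of slides 17 and 18 (facts, rules, unification, backtracking) and how the same machinery derives attack-graph edges from attack-specific data as on slide 19, here is an added Python example: a minimal Prolog-style solver, run first on the slide-18 food facts and then on a constructed host and vulnerability fact base. This is not the slides' Prolog code nor the attack graph generator itself. Assumptions: terms are tuples and capitalised strings are variables; a built-in `differ` goal plays the role of Prolog's `\=`; the host names, the `reach` and `vuln` relations and the vulnerability ids (`vuln-placeholder-N`) are constructed, and the compromise rule is one standard textbook formulation, not the project's rule set.

```python
"""Added example: tiny Prolog-style solver (unification + backtracking) applied
to the friends/chocolate facts and to a constructed attack-graph fact base."""
from __future__ import annotations

import itertools
from typing import Iterator

Term = tuple  # e.g. ("likes", "john", "chocolate"); variables are capitalised strings


def is_var(x) -> bool:
    return isinstance(x, str) and x[:1].isupper()


def walk(x, subst: dict):
    """Follow the binding chain for a variable until a value or unbound variable."""
    while is_var(x) and x in subst:
        x = subst[x]
    return x


def unify(a, b, subst: dict) -> dict | None:
    """Return an extended substitution under which a and b are equal, or None."""
    a, b = walk(a, subst), walk(b, subst)
    if a == b:
        return subst
    if is_var(a):
        return {**subst, a: b}
    if is_var(b):
        return {**subst, b: a}
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b):
        for x, y in zip(a, b):
            subst = unify(x, y, subst)
            if subst is None:
                return None
        return subst
    return None


_counter = itertools.count()


def rename(rule):
    """Fresh variable names for each use of a rule, so calls do not clash."""
    n = next(_counter)
    def r(t):
        if is_var(t):
            return f"{t}_{n}"
        return tuple(r(x) for x in t) if isinstance(t, tuple) else t
    head, body = rule
    return r(head), [r(g) for g in body]


def solve(goals: list, rules: list, subst: dict | None = None) -> Iterator[dict]:
    """Depth-first proof search with backtracking: yields every substitution under
    which all goals follow from the rules (a fact is a rule with an empty body)."""
    subst = {} if subst is None else subst
    if not goals:
        yield subst
        return
    first, rest = goals[0], goals[1:]
    if first[0] == "differ":                       # built-in: X \= Y on bound terms
        if walk(first[1], subst) != walk(first[2], subst):
            yield from solve(rest, rules, subst)
        return
    for rule in rules:                             # try each clause; backtrack on failure
        head, body = rename(rule)
        s = unify(first, head, subst)
        if s is not None:
            yield from solve(body + rest, rules, s)


def resolve(x, subst):
    x = walk(x, subst)
    return tuple(resolve(y, subst) for y in x) if isinstance(x, tuple) else x


def query(goal: Term, rules: list) -> list[Term]:
    """All distinct instances of goal provable from rules, sorted for stable output."""
    return sorted({resolve(goal, s) for s in solve([goal], rules)})


# Slide 18 as facts and one rule:  friends(X, Y) :- likes(X, F), likes(Y, F), X \= Y.
FOOD_RULES = [
    (("likes", "john", "chocolate"), []),
    (("likes", "mary", "chocolate"), []),
    (("likes", "bob", "pizza"), []),
    (("friends", "X", "Y"), [("likes", "X", "F"), ("likes", "Y", "F"), ("differ", "X", "Y")]),
]

# Constructed attack-specific data: reach(From, To) is network reachability,
# vuln(Host, Id) a remotely exploitable weakness (placeholder ids, not real CVEs).
# compromised(H) :- reach(P, H), vuln(H, V), compromised(P).   (attacker starts on internet)
# edge(P, H, V)   :- reach(P, H), vuln(H, V), compromised(P).  (one attack-graph edge)
# The recursive goal comes last so a bound host is asked; a cyclic reach relation
# would need tabling/memoisation, which this toy solver does not do.
ATTACK_RULES = [
    (("reach", "internet", "web"), []),
    (("reach", "web", "app"), []),
    (("reach", "app", "db"), []),
    (("reach", "web", "db"), []),                  # constructed misconfigured path
    (("vuln", "web", "vuln-placeholder-1"), []),
    (("vuln", "app", "vuln-placeholder-2"), []),
    (("vuln", "db", "vuln-placeholder-3"), []),
    (("compromised", "internet"), []),
    (("compromised", "H"), [("reach", "P", "H"), ("vuln", "H", "V"), ("compromised", "P")]),
    (("edge", "P", "H", "V"), [("reach", "P", "H"), ("vuln", "H", "V"), ("compromised", "P")]),
]


def friends() -> list[Term]:
    return query(("friends", "X", "Y"), FOOD_RULES)


def attack_graph() -> list[Term]:
    """Each result is an edge (from host, to host, via vulnerability) of the attack graph."""
    return query(("edge", "P", "H", "V"), ATTACK_RULES)
```

Running `friends()` returns both orderings of the John/Mary pair, exactly as Prolog would enumerate them by backtracking, and `attack_graph()` returns the four derivable edges; the extra `reach(web, db)` fact shows why a generated graph is useful to a defender: the direct web-to-db edge is only visible once reachability and vulnerability facts are combined.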

Slide 20

Here, I want to show sample CVE records…

Slide 21

Slide 22

Slide 23

Slide 24

Slide 25

Slide 26

Slide 27

Slide 28

Slide 29

Slide 30

Thank you for your attention today. I hope you found this presentation informative and valuable. If you have any further questions or feedback, please feel free to reach out to me privately. Thank you again.