This solicitation is now closed
Network Sensor to Geolocate Cyber Attacks and Framework
Navy SBIR 2011.1 - Topic N111-083
SPAWAR - Ms. Summer Jones - [email protected]
Opens: December 13, 2010 - Closes: January 12, 2011

N111-083 TITLE: Network Sensor to Geolocate Cyber Attacks and Framework

TECHNOLOGY AREAS: Information Systems, Battlespace

ACQUISITION PROGRAM: JPEO JTRS ACAT ID

RESTRICTION ON PERFORMANCE BY FOREIGN CITIZENS (i.e., those holding non-U.S. Passports): This topic is "ITAR Restricted." The information and materials provided pursuant to or resulting from this topic are restricted under the International Traffic in Arms Regulations (ITAR), 22 CFR Parts 120 - 130, which control the export of defense-related material and services, including the export of sensitive technical data. Foreign Citizens may perform work under an award resulting from this topic only if they hold the "Permanent Resident Card", or are designated as "Protected Individuals" as defined by 8 U.S.C. 1324b(a)(3). If a proposal for this topic contains participation by a foreign citizen who is not in one of the above two categories, the proposal will be rejected.

OBJECTIVE: To develop a sensor-based network defense architecture for the implementation of next-generation cyber security algorithms. Two concrete objectives will be pursued: (1) implementation of algorithms to detect highly distributed, stealthy cyber-attacks and to geolocate them on a world map, and (2) provisioning of a practical and scalable framework for future implementation of state-of-the-art cyber security algorithms.

DESCRIPTION: Navy systems (sea, air, ground and space) are increasingly integrated into IP-based global networks that are under intense attack by sophisticated adversaries. In a conflict, these attacks would be expected to intensify. There are numerous documented intrusions into Navy, DOD, government and private computer systems, illustrating that the problem at this point is no longer simply keeping intruders and attackers out at the network borders, but rather maintaining a constant and pro-active defense throughout the entire network.

An example of a highly distributed, stealthy cyber-attack is a botnet attack. The technology could detect botnet attacks by gathering information from distributed sensors; it should then be able to geolocate the worldwide sources of active botnets attacking a specific US target onto a dynamic world map. The technology should also be able to distinguish which of these activities are likely to be malicious and which are likely to be benign (e.g., flash-crowd activity), while minimizing as much as possible the occurrence of false positives and false negatives. The framework should provide for the future detection of a potentially large and evolving family of highly distributed attacks (known or unknown today) and should name what such attacks could be. Investigation and development of such attacks and of their detection algorithms is also part of the topic objective.

While this topic encourages novel solutions, examples of state-of-the-art algorithms can also be found in recent scientific publications. For instance, [FAN10] presents a new algorithm to detect botnets that are highly distributed and stealthy; it is the objective of this topic to design and implement a framework that allows such algorithms to be implemented in a convenient, robust and scalable manner.

PHASE I: Design a concept that manages large amounts of recorded information and presents the results in a real-time and concise manner. Identify (1) methods to efficiently extract key features from network traffic for the analysis of cyber security incidents, (2) methods to efficiently store large amounts of historical information obtained from the network, and (3) algorithms to process such data and provide intelligence to network managers and decision-making agents.

A preference will be given to proposed technologies that build on existing frameworks. An example of such a framework is Bro, the network analyzer developed by ICIR [VER99].
The outcome of Phase I will be an architecture and a preliminary prototype demonstrating the feasibility of the design at a small scale.

PHASE II: Demonstrate state-of-the-art algorithms that can detect and protect against highly distributed, low-frequency stealthy attacks [GIR09, FAN10] using the proposed framework. Such a package will be capable of geolocating the attacks and presenting them on a multi-resolution world map that network managers and decision-making agents will be able to use. The outcome of Phase II will be a full implementation of the design and prototype delivered in Phase I, providing technology that can be tested in a real-life environment. Of special interest are technologies that can be integrated using COTS/GOTS.

PHASE III: Phase III will seek to receive feedback from the real-life tests of the technology, tune the technology to satisfy potential customers, and commercialize the technology. Special emphasis will be placed on dual-use applications, targeting both government and industrial/consumer uses. Examples of industrial/consumer applications that should be pursued include, but are not limited to, for-profit organizations responsible for managing large amounts of digital information, such as cloud computing and Internet service providers.

PRIVATE SECTOR COMMERCIAL POTENTIAL/DUAL-USE APPLICATIONS: The proposed technology will enable communities of interest to develop and understand activity and behavior on their networks by increasing the fidelity of the networks.

REFERENCES:
(1) [FAN10] Fang Yu, Yinglian Xie, and Qifa Ke, "SBotMiner: Large Scale Search Bot Detection," International Conference on Web Search and Data Mining, February 2010.

(2) [GIR09] F. Giroire, J. Chandrashekar, N. Taft, E. M. Schooler, D. Papagiannaki, "Exploiting Temporal Persistence to Detect Covert Botnet Channels," RAID, September 2009.

(3) [ROS09] J. Ros-Giralt, J. Ezick, P. Szilagyi, R. Lethin, "High-Speed Parallel Processing of Protocol-Aware Signatures," in High Performance Embedded Computing (HPEC), September 2009.

(4) [ROS10] J. Ros-Giralt, P. Szilagyi, J. Ezick, D. Wohlford, R. Lethin, "Generation of High-Performance Protocol-Aware Analyzers with Applications in Intrusion Detection Systems," in SPIE Defense, Security, and Sensing 2010, April 2010.

(5) [VER99] Vern Paxson, "Bro: A System for Detecting Network Intruders in Real-Time," Computer Networks, 31(23-24), pp. 2435-2463, December 1999.

KEYWORDS: Cyber Networks, Cyber Security, BotNets, Cyber Defense, Network Analyzer

** TOPIC AUTHOR (TPOC) **
DoD Notice:
Between November 10 and December 12, 2010, you may talk directly with the Topic Authors to ask technical questions about the topics. Their contact information is listed above. For reasons of competitive fairness, direct communication between proposers and topic authors is not allowed starting December 13, 2011, when DoD begins accepting proposals for this solicitation.
However, proposers may still submit written questions about solicitation topics through the DoD's SBIR/STTR Interactive Topic Information System (SITIS), in which the questioner and respondent remain anonymous and all questions and answers are posted electronically for general viewing until the solicitation closes. All proposers are advised to monitor SITIS (11.1 Q&A) during the solicitation period for questions and answers, and other significant information, relevant to the SBIR 11.1 topic under which they are proposing.

If you have general questions about the DoD SBIR program, please contact the DoD SBIR Help Desk at (866) 724-7457 or by email weblink.