TITLE: Forensic Models of Cyberspace Behaviors
TECHNOLOGY AREA(S): Human
Systems, Information Systems
ACQUISITION PROGRAM: OPNAV
OBJECTIVE: Develop an
intelligent modeling framework for cyberspace threat actor behaviors that
traces their genealogy and supports predicting their future evolution.
threat actors develop tactics, techniques, and procedures (TTP) that evolve
over time in response to environmental stimuli. This evolution may be triggered
by the actors’ growing expertise or changing goals, or by changes in their
targets such as discovery of threat actor tactics or improved defenses. In the
absence of such stimuli, however, these behaviors tend to remain fairly
constant with regard to any given goal.
Longitudinal studies of threat actors could identify inflection points in their
behavior patterns, which in turn would provide valuable intelligence for
defensive cyberspace operations (DCO). For example, the deployment of a new
security control that lessens the effectiveness of an adversarial tactic would
reasonably cause the threat actor to change behaviors if they still want to
accomplish a similar goal. This change would confirm the effectiveness of the
new control similarly to how one uses battle damage assessment (BDA)
techniques. On the other hand, an unexpected change in TTP would tell the
defenders that something of interest happened to the threat actor. If DCO
personnel can find no known events that correlate to such changes, they would
likely want to investigate further.
There are few techniques that support forensic analyses of cyberspace behaviors
and many of these are focused on external attacks involving malware. To the
extent that such studies are being performed, they are manually done by highly
skilled analysts. This approach requires significant investments of staff,
time, and money. It seems plausible to leverage machine learning (ML)
techniques to identify, classify and track discrete cyberspace events and to
infer the behaviors, and ultimately the goals, to which they are related. Such
use of ML, coupled with large sensor networks, would yield an unprecedented
ability to monitor what our adversaries are doing, how they are adapting to
changing conditions, and their likely goals.
This STTR topic seeks novel approaches to building scalable models of
cyberspace threat actor behaviors that lend themselves to analysis by both
humans and machines. The models should be autonomously fitted to data from
existing sensors in order to detect and classify adversarial behaviors and
infer their goals. Furthermore, the models should automatically detect changes
in behaviors, such as the introduction of new tools or procedures. Scalability
of the proposed solution is an important consideration since the data sets are
known to be very large.
PHASE I: Determine the
feasibility of analyzing cyberspace observables, comparing them to behavior
models, detecting the incorporation of new tools and procedures, and inferring
adversaries’ goals. Identify classes of adversarial behavior that lend
themselves to this analysis. Develop a detailed design for an intelligent
system that collaborates with a human operator to identify the likeliest goals
for an adversarial operation. Develop a Phase II plan.
PHASE II: Develop a prototype
system that can classify adversarial behaviors, detect changes over time, and
correlate those changes to known events. Demonstrate the prototype in a
realistic information technology (IT) environment. Study and describe how this
capability may be augmented with autonomous responses such as defensive
countermeasures or deception.
PHASE III DUAL USE
APPLICATIONS: Commercialize the technology. The solution developed in Phase II
will be productized for general use across Government, commercial, and research
organizations. Examples of such applications may include verification and
validation of network security protocols, the development of objective criteria
for assessing behavioral changes following TTPs, or the development of
experimentation testbeds for cyber operations training.
1. Maymí, F., Bixler, R.,
Jones, R., & Lathrop, S. "Towards a definition of cyberspace tactics,
techniques and procedures." Big Data (Big Data), 2017 IEEE International
2. Stillions, R. “On TTPs.”
Blogspot, 22 Apr. 2014, ryanstillions.blogspot.com/2014/04/on-ttps.html
3. Santarcangelo, M. “Exploit
Attacker Playbooks to Improve Security.” CSO from IDG, 12 July 2017.
KEYWORDS: Cyberspace Operations;
Machine Learning; TTP; tactics, techniques, and procedures
** TOPIC NOTICE **
These Navy Topics are part of the overall DoD 2019.A STTR BAA. The DoD issued its 2019.1 BAA STTR pre-release on November 28, 2018, which opens to receive proposals on January 8, 2019, and closes February 6, 2019 at 8:00 PM ET.
Between November 28, 2018 and January 7, 2019 you may communicate directly with the Topic Authors (TPOC) to ask technical questions about the topics. During these dates, their contact information is listed above. For reasons of competitive fairness, direct communication between proposers and topic authors is not allowed starting January 8, 2019 when DoD begins accepting proposals for this BAA.
However, until January 23, 2019, proposers may still submit written questions about solicitation topics through the DoD's SBIR/STTR Interactive Topic Information System (SITIS), in which the questioner and respondent remain anonymous and all questions and answers are posted electronically for general viewing until the solicitation closes. All proposers are advised to monitor SITIS during the Open BAA period for questions and answers and other significant information relevant to their SBIR/STTR topics of interest.
Topics Search Engine: Visit the DoD Topic Search Tool at sbir.defensebusiness.org/topics/ to find topics by keyword across all DoD Components participating in this BAA.
Proposal Submission: All SBIR/STTR Proposals must be submitted electronically through the DoD SBIR/STTR Electronic Submission Website, as described in the Proposal Preparation and Submission of Proposal sections of the program Announcement.
Help: If you have general questions about DoD SBIR program, please contact the DoD SBIR Help Desk at 800-348-0787 or via email at firstname.lastname@example.org