| ||The technology within this topic is restricted under the International Traffic in Arms Regulation (ITAR), which controls the export and import of defense-related material and services. Offerors must disclose any proposed use of foreign nationals, their country of origin, and what tasks each would accomplish in the statement of work in accordance with section 3.5.b.(7) of the solicitation.|| Objective: ||Develop technologies enabling situational awareness for large-scale cyber network defense, assessing the impact of adversarial action against a network, and predicting future adversary attack strategy
|| Description: ||Various documents express a specific need for research in the area of cyber situational awareness. These include the requirements of the Global Information Grid (GIG) for enterprise-wide network defense and situational awareness, the “Federal Plan for Cyber Security and Information Assurance Research and Development” by the National Science and Technical Council lists large-scale cyber situational awareness as one of it’s top technical priorities, and the report to the President, “Cyber Security: A Crisis of Prioritization” lists network monitoring and detection as one of ten top priorities for both civilian and military cyber security.
Current methods for alert correlation to detect and identify network attacks rely on data mining approaches that use features or feature sets of network data to discover an attack. This approach has proven useful but has recurrent issues with false positives, limited scalability, limits on detecting highly complex attacks, and adaptability to detecting new types of attacks.
When considering enterprise-wide network defense, current methods are typically insufficient. Recent advances in applying data fusion techniques to cyber network defense are beginning to demonstrate an ability to detect highly complex cyber attacks such as, email phishing, data exfiltration, and long chains of stepping-stone or island-hoping attacks. A high level description of the approaches currently in development was presented as “A Situation Awareness Model Applied to Multiple Domains,” at SPIE 2005, Orlando FL. The approach was further refined to apply to the cyber domain in “Realizing Situation Awareness within a Cyber Environment”, SPIE 2006. The result of this research has advanced the detection of the situation of a network but has yet to fully enable network situation awareness, the assessment of the impact of a cyber attack, or prediction of an attacker’s next step in the execution of an attack.
Given this background, the intent of this SBIR topic is to address these remaining problems of fully enabling network situation awareness, cyber impact assessment, and attacker prediction.
|| ||PHASE I: Research methods, techniques, and tools that will automatically assess the situation of a large-scale network, the impact of any cyber attacks, and predict future attacker action within the network. Develop and provide a conceptual design and conceptual prototype of the technology.
|| || ||PHASE II: Based on Phase I, develop, implement, and validate a prototype system. The prototype should be sufficiently detailed to evaluate scalability, usability, and self-protection from any compromise of its ability to monitor the network’s situation. Define metrics or measures that can be used to evaluate the sufficiency of the prototype’s ability to present the network situation and impact of attacks.
|| ||DUAL USE COMMERCIALIZATION: Military application: Enabling an analysts’ network situation and impact awareness is critical to cyber network defense for military applications contending with malicious network activity and data theft protection. Commercial application: These technologies directly apply to protecting enterprise networks supporting critical national infrastructures such as electric power, nuclear energy, financial systems, and air traffic control.
|| References: ||1. Steinberg, Alan N., Christopher L. Bowman, and Franklin E. White, October 1998. Revisions to the JDL Data Fusion Model, presented at the Joint NATO/IRIS Conference, Quebec.
2. Endsley, Mica R., March 1995. Toward a Theory of Situation Awareness in Dynamic Systems. In Human Factors Journal, Volume 37(1), pages 32-64.
3. Salerno, John J., Michael Hinman, and Douglas Boulware, “A Situation Awareness Model Applied To Multiple Domains”, In Proc of the Defense and Security Conference, Orlando, FL, March 2005.
4. Tadda, George, John Salerno, Douglas Boulware, Michael Hinman and Samuel Gorton, “Realizing Situation Awareness within a Cyber Environment”, In Multisensor, Multisource Information Fusion: Architectures, Algorithms, and Applications 2006, edited by Belur V. Dasarathy, Proceedings of SPIE Vol. 6242 (SPIE, Bellingham, WA, 2006) 624204.
5. Valeur, Fredrik, Giovanni Vigna, Christopher Kruegel, and Richard A. Kemmerer, “A Comprehensive Approach to Intrusion Detection Alert Correlation”, IEEE Transactions on Dependable and Secure Computing, Vol. 1, No. 3, July-September 2004.
|Keywords: ||Cyber Situation Assessment, Cyber Situation Awareness, Cyber Impact Assessment, Cyber Attack Anticipation|