SITIS Archives - Topic Details
Program:  SBIR
Topic Num:  OSD11-IA6 (OSD)
Title:  Active Software Defense to Reduce Threat Capability Effectiveness
Research & Technical Areas:  Information Systems

Acquisition Program:  
  Objective:  Develop innovative software protection technology containing the ability to support the active defense of critical software applications.
  Description:   Current software application defenses are largely passive in nature [1]. When an attack is detected, these defenses often impose indirect penalties (e.g., deleting cryptographic keys or zeroing memory) in such a manner that it forces the adversary to reacquire the software and hardware assets, but impose no real-time penalties on the attacker that prevent the application from becoming compromised in the first place [2] [3]. The focus of this topic is to develop intelligent and cooperative software protection agents that can deploy active defensive countermeasures [4] and be used in conjunction with other forms of software protection. The desired software protection system should meet the following requirements: (1) have the ability to monitor, in real-time, protected end-nodes and report suspicious activity indicating a possible attack; (2) have the ability to gather forensic information on the protected host related to the attack; (3) have the ability to synthesize and assess the collected information to form a response to an attack; and (4) have the ability to impose direct penalties on the attacker within the boundaries of the protected host or network environment. The software protection solution should contain the ability to perform surveillance as well as protection, and should have the ability to discriminate between a legitimate user and an attacker. Using the captured surveillance information, the solution should have the ability to react to an attack (e.g., terminating the network connection, stopping malicious processes, or denying the use of attack tools). Surveillance information of interest includes, but is not limited to, knowledge of the attacker’s behavior, attack tools and methods used, the type of information being sought in the attack, and the origin of attack. 
In the absence of connectivity with human operators, the active defensive system must have the ability to act autonomously and respond to an attack, contingent upon meeting pre-determined criteria. Proportional and subtle responses to an attack are important elements in the protection scheme. Responses must only occur once it is determined with a high degree of certainty that the host or network the application resides on is under attack or has been compromised, and the proposal should specify a policy for when such penalties will be invoked and with what severity.
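The monitor, assess and respond loop that the four requirements and the response policy above describe, written out as an added illustration (not part of the solicitation and not any offeror's submission). The indicator names and weights, the confidence thresholds, the action names and the sample events are all constructed assumptions; the block returns response decisions instead of executing them, so it runs offline, and a real agent would wire the returned action names to host-local enforcement.

```python
"""Toy active-defense policy engine: per-source evidence fusion plus a graduated
response policy. All indicators, weights, thresholds and events are constructed
assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from math import prod

# Indicators a host-resident agent might report (requirement 1). Names and
# weights are assumptions, not a published taxonomy.
INDICATOR_WEIGHTS = {
    "debugger_attach": 0.55,     # ptrace/DebugActiveProcess on the protected process
    "code_page_modified": 0.65,  # protected text segment rewritten in memory
    "memory_dump_tool": 0.45,    # launch of a process-dump or tamper tool
    "unusual_export": 0.25,      # bulk read of protected data by an odd process
    "failed_auth": 0.10,         # one failed login is weak evidence on its own
}

# Graduated response policy (requirement 4), most to least severe. Thresholds
# are assumptions; every action is confined to the protected host and none
# reaches back at the attacker's own network.
POLICY = [
    (0.90, "deny",    ["kill_process", "terminate_connection", "block_tool_exec"]),
    (0.70, "contain", ["terminate_connection", "throttle_source"]),
    (0.40, "collect", ["snapshot_process_memory", "capture_open_sockets", "report_suspicious"]),
    (0.00, "observe", ["log_event"]),
]
SEVERITY_ACTIONS = {severity: actions for _, severity, actions in POLICY}
MIN_DISTINCT_FOR_SEVERE = 2  # corroboration rule before "contain" or "deny"

# Legitimate-user branch: sources with a sanctioned reason to trip indicators
# (e.g. an administrator's debugging session). Constructed for the example.
AUTHORIZED_MAINTENANCE = frozenset({"pid:5100"})


@dataclass
class HostEvent:
    src: str        # what the agent attributes activity to: "pid:NNN", "user:...", "ip:..."
    indicator: str
    detail: str = ""


@dataclass
class Decision:
    src: str
    confidence: float
    severity: str
    actions: list[str] = field(default_factory=list)
    evidence: list[str] = field(default_factory=list)  # forensic trail (requirement 2)


def combine(weights):
    """Noisy-OR fusion: each independent indicator raises confidence, never past 1."""
    return 1.0 - prod(1.0 - w for w in weights)


def assess(events, authorized=frozenset()):
    """Requirement 3: fuse per-source evidence into a confidence score.
    Authorized sources keep their evidence trail but score zero."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)
    result = {}
    for src, evs in by_src.items():
        evidence = [f"{e.indicator}: {e.detail}" for e in evs]
        distinct = {e.indicator for e in evs}
        if src in authorized:
            result[src] = (0.0, distinct, evidence)
            continue
        weights = [INDICATOR_WEIGHTS.get(e.indicator, 0.0) for e in evs]
        result[src] = (round(combine(weights), 4), distinct, evidence)
    return result


def decide(src, confidence, distinct, evidence):
    """Requirement 4 with the solicitation's caveat: a severe autonomous response
    needs high confidence AND more than one indicator type; otherwise the agent
    only collects more evidence and reports."""
    severity, actions = "observe", SEVERITY_ACTIONS["observe"]
    for threshold, sev, acts in POLICY:
        if confidence >= threshold:
            severity, actions = sev, acts
            break
    if severity in ("deny", "contain") and len(distinct) < MIN_DISTINCT_FOR_SEVERE:
        severity, actions = "collect", SEVERITY_ACTIONS["collect"]
    return Decision(src, confidence, severity, list(actions), evidence)


def evaluate(events, authorized=frozenset()):
    return [decide(src, *data) for src, data in assess(events, authorized).items()]


# Constructed sample telemetry, as a host agent might emit it.
SAMPLE_EVENTS = [
    HostEvent("user:alice", "failed_auth", "one bad password at console"),
    HostEvent("pid:4412", "debugger_attach", "ptrace(PTRACE_ATTACH) on protected pid 900"),
    HostEvent("pid:4412", "code_page_modified", ".text+0x1f20 rewritten in pid 900"),
    HostEvent("pid:4412", "memory_dump_tool", "process-dump tool spawned by pid 4412"),
    HostEvent("pid:6001", "debugger_attach", "attach attempt 1"),
    HostEvent("pid:6001", "debugger_attach", "attach attempt 2"),
    HostEvent("pid:5100", "debugger_attach", "gdb attached during sanctioned maintenance"),
    HostEvent("pid:7000", "code_page_modified", "single patch, no other indicators"),
]

if __name__ == "__main__":
    for d in evaluate(SAMPLE_EVENTS, AUTHORIZED_MAINTENANCE):
        print(f"{d.src:11} conf={d.confidence:.4f} {d.severity:8} {d.actions}")
```

Two properties of the policy are worth noting. Repeated observations of one indicator (pid:6001) push the score over the "contain" threshold, but the corroboration rule downgrades the response to evidence collection, which is what "proportional and subtle" and "high degree of certainty" amount to in code. The authorized-source branch is the minimal form of discriminating a legitimate user from an attacker; in practice that set would come from the host's authentication and change-control state rather than a constant.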

  PHASE I: 1) Research and develop a concept for an active software defense that meets the above mentioned requirements. Operating systems of interest include Linux or Windows. 2) Provide design and architecture documents of a prototype tool that demonstrates the feasibility of the concept. 3) Provide a minimal software prototype that meets one or more of the four requirements listed above.
  PHASE II: 1) Based on the results from Phase I, refine and extend the design of the active software defensive system prototype to a fully functioning solution. 2) Provide test and evaluation results demonstrating the ability of the prototype to deploy active countermeasures on attackers.

  PHASE III DUAL-USE APPLICATION: Active software defensive technology will serve to protect critical intellectual property by preventing attacks in real-time, gathering forensic evidence concerning the attack, or invoking a penalty on the attacker; and as such will find application in both the government and commercial sectors. Commercial applications can use the active defensive software protection technology described above to monitor, control, debug, configure, authenticate, update, and patch critical software and data with a reduced risk of exploitation [5]. Enterprise software that has embedded situational awareness can be used to authenticate and ensure trust in end-node applications.

  References:
  [1] Mikhail J. Atallah, Eric D. Bryant, and Martin R. Stytz, "A Survey of Anti-Tamper Technologies," CrossTalk: The Journal of Defense Software Engineering, November 2004, http://www.stsc.hill.af.mil/crossTalk/11/0411Atallah.pdf
  [2] Wm. A. Wulf, "Cyber Security: Beyond the Maginot Line," testimony before the House Science Committee, U.S. House of Representatives, Oct. 10, 2001, http://www.nae.edu/nae/naehome.nsf/weblinks/MKEZ-542KBP?OpenDocument
  [3] "Cyber officials: Chinese hackers attack 'anything and everything'," FCW.com, Feb. 13, 2007, http://www.fcw.com/article97658-02-13-07-Web&printLayout
  [4] Laurent Oudot, "Digital Active Self-Defense," Black Hat USA 2004, http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-oudot-up.pdf
  [5] "Check Point Introduces New Active Defense Security Category: Unveils SmartDefense for Advanced, Real-Time Protection Against All Types of Network Attack," Check Point press release, 2002, http://www.checkpoint.com/press/2002/smartdefense042502.html

Keywords:  Software Protection, Software Agents, Covert Communications, Software Countermeasures, Situational Awareness, Active Defense

Questions and Answers:
Q: The question is if developing cyber attack classification and designing real-time response based on the classification could be considered within this project? I would welcome an opportunity to discuss details, but have been unable to reach TPOC.
A: Yes, cyber attack classification with real-time response is precisely what we are looking for.
The phone number in the solicitation is old, and is being updated in SITIS now.
