Вы находитесь на странице: 1из 93

CYBER-ATTACK AUTOMATED UNCONVENTIONAL

SENSOR ENVIRONMENT (CAUSE)


PROPOSERS DAY

January 21, 2015

Office for Anticipating Surprise


INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

CAUSE Program Proposers Day Agenda


Time

Topic

9:00am 9:15am

Welcome Remarks

9:15am 9:45am

IARPA Overview and Remarks

9:45am 10:30am

CAUSE Program Overview

10:30am 10:45am

Break

10:45am 11:15am

Contracting Overview

11:15am 11:45am

CAUSE Program Questions & Answers

11:45am 1:00pm

No Host Lunch

1:00pm 2:30pm

5-minute Capability Presentations

2:30pm 4:00pm

Networking and Teaming Discussions

Speaker
Mr. Robert Rahmer
Program Manager, IARPA
Dr. Peter Highnam
Director, IARPA
Mr. Robert Rahmer
Program Manager, IARPA
Break
Mr. Tarek Abboushi
IARPA Acquisitions
Mr. Robert Rahmer
Program Manager, IARPA
Lunch
Attendees
(No Government)
Attendees
(No Government)

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

Proposers Day Goals


Familiarize participants with IARPA's interest in research to
develop methods for detecting and forecasting cyber-attacks.
Ask questions and provide feedback; this is your chance to
alter the course of events.
Foster discussion of synergistic capabilities among potential
program participants, i.e., foster teaming. Take a chance:
someone might have a missing piece of your puzzle

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

Disclaimer
This presentation is provided solely for information and
planning purposes.
The Proposers Day Conference does not constitute a formal
solicitation for proposals or proposal abstracts.
Nothing said at Proposers Day changes requirements set
forth in a Broad Agency Announcement (BAA).

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

Schedule
Full Proposals are due ~45 days after BAA is published.
Once BAA is released, questions can only be submitted and
answered in writing via the BAA guidance.

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

IARPA Overview

Dr. Peter Highnam

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

Office of the Director of National Intelligence


Central Intelligence Agency

Department of State

Defense Intelligence Agency

National Security Agency

Department of Energy

National Geospatial-Intelligence
Agency

Department of the Treasury

National Reconnaissance Office

Drug Enforcement Administration

Army

Federal Bureau of Investigation

Navy

Department of Homeland Security

Coast Guard

Air Force

Marine Corps

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

IARPA Mission and Method


IARPAs mission is to invest in high-risk/high-payoff research
that has the potential to provide the U.S. with an overwhelming
intelligence advantage over our future adversaries

Bring the best minds to bear on our problems


Full and open competition to the greatest possible extent
World-class, rotational, Program Managers

Define and execute research programs that:


Have goals that are clear, measureable, ambitious and credible
Employ independent and rigorous Test & Evaluation
Involve IC partners from inception to finish
Run from three to five years
INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

Office of Incisive Analysis


Maximizing Insight from the Information We Collect, in a
Timely Fashion

Large Data Volumes


and Varieties

Social-Cultural and
Linguistic Factors

Providing powerful
new sources of
information from
massive, noisy data
that currently
overwhelm analysts.

Analyzing language and


speech to produce
insights into groups and
organizations.

Improving Analytic
Processes
Dramatic enhancements
to the analytic process
at the individual and
group level.

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

Office of Smart Collection


Dramatically Improve the Value of Collected Data

Novel Access

Provide technologies for


reaching hard targets in
denied areas

Asset Validation and


Identity Intelligence
Detect the trustworthiness
of others
Advance biometrics in
real-world conditions

Tracking and Locating

Accurately locate HF
emitters and low-power,
moving emitters with a
factor of ten improvement
in geolocation accuracy

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

10

Office of Safe and Secure Operations


Counter Emerging Adversary Potential to Deny our Ability to Operate
Effectively in a Globally-Interdependent and Networked Environment

Computational
Power

Trustworthy
Components

Revolutionary
advances in science
and engineering to
solve problems
intractable with todays
computers

Getting the benefits of


leading-edge hardware
and software without
compromising security

Safe and Secure


Systems
Safeguarding mission
integrity in a hostile
world

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

11

Office for Anticipating Surprise


Detecting and Forecasting Significant Events

S&T
Intelligence

Indications &
Warnings

Detecting and
forecasting the
emergence of new
technical capabilities.

Early warning of social


and economic crises,
disease outbreaks,
insider threats, and
cyber attacks.

Strategic
Forecasting
Probabilistic forecasts of
major geopolitical trends
and rare events.

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

12

How to engage with IARPA


Website: www.IARPA.gov
Reach out to us, especially the IARPA PMs. Contact information on the website.
Schedule a visit if you are in the DC area or invite us to visit you.

Opportunities to Engage:
Research Programs
Multi-year research funding opportunities on specific topics
Proposers Days are a great opportunity to learn what is coming, and to influence the program

Seedlings
Allow you to contact us with your research ideas at any time
Funding is typically 9-12 months; IARPA funds to see whether a research program is warranted
IARPA periodically updates the topics of interest

Requests for Information (RFIs) and Workshops


Often lead to new research programs, opportunities for you to provide input while IARPA is
planning new programs

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

13

Concluding Thoughts
Our problems are complex and truly multidisciplinary
Technical excellence & technical truth

Scientific Method

Peer/independent review

Full and open competition

We are always looking for outstanding PMs


How to find out more about IARPA:
www.IARPA.gov

Contact Information
Phone: 301-851-7500
INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

14

CYBER-ATTACK AUTOMATED
UNCONVENTIONAL SENSOR ENVIRONMENT
(CAUSE) Program Overview

Mr. Robert Rahmer, Program Manager


IARPA Office for Anticipating Surprise
INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

CAUSE Overview
CAUSE is a multi-year research and development program.
It seeks to develop new automated methods for forecasting
and detecting cyber-attacks, hours to weeks earlier than
existing methods.
The CAUSE Program aims to develop and validate
unconventional multi-disciplined sensor technology that will
forecast cyber-attacks and complement existing advanced
intrusion detection capabilities.

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

16

Background
Cyber attacks evolve in a phased approach, which includes
activities and observations before a significant event occurs:
target reconnaissance, planning, and delivery.
Detection of new cyber events and phenomena typically
occurs in later phases of an attack
Analysis occurs post-mortem to discover indicators from
earlier phases.

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

17

Background
Cyber Threat Intelligence capabilities often report threat actor
activities, behaviors, and planning through observables from
publicly available data, such as social media, news, chat,
blogs, message boards, and many others, providing the
means to infer motivations and intentions.

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

18

Background
Published research states some of these publicly available
data sources are useful in the early detection of other events
such as disease outbreaks and macroeconomic trends.
News feeds, Twitter, blogs, and web search queries

2014 Verizon Data Breach Investigations Report


Victims of data breaches are notified by external parties >75%
of the time.

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

19

Current Research
Cyber attack prediction research has evolved, utilizing a
combination of techniques:
Detailed knowledge of internal network infrastructures
Analysis of known vulnerabilities
Intrusion detection sensors for monitoring of an event in
progress to predict future phases of an attack.

Analysis of cyber actor behaviors and cultural dimensions has


shown correlations between groups and cyber activities.

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

20

Current Research
IARPAs Open Source Indicators (OSI) program developed
methods for detecting / anticipating unexpected societal
events (e.g., political crises, disease outbreaks) by fusing data
of multiple types from multiple sources and utilizing ensemble
machine learning methods.
Few have researched methods for a probabilistic warning
system for cyber defense that focuses on utilizing sensors
external to an enterprise.

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

21

Key Technical Challenges


Identify and evaluate unconventional and technical indicators
in the earlier phases of cyber attacks that are leading indicators
of later stages of the attack.
Looking for well-executed, non-traditional, creative ideas (e.g.,
black market sales analysis, cyber actor behavior models)

Create highly efficient algorithms that will process massive data


streams from diverse data sets to extract signals from noisy data.
Create techniques to fuse traditional technical indicator sensor
data and alternate unconventional indicator data sources to
develop automated probabilistic warnings.
Identify and evaluate techniques that enable sharing of disparate
threat contextual information and indicators among multiple
organizations and security professionals to forecast an attack.
INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

22

Evaluation
Teams will deliver real-world cyber-attack warnings.
The goal is to Beat the Security Incident Reports.
Teams choose sensors, data, and methods.
Teams are rewarded for early and accurate warnings of as many
reportable events as possible.
Warning delivered to IARPA =
{Time stamp, Probability of attack, Cyber-attack details}
Event details =
(Event-Class, [Attacker], [Target], Event Time)
Performers will send additional context about events which will be
valuable to end users.
Competitive forecasting tournament the delivery of successive,
better warnings is expected; each warning will be scored separately.
INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

23

Industry Scope
CAUSE is a research program, not an operational activity.
In earlier phases, CAUSE will focus research on a particular U.S.
business sector(s) that will be identified in the BAA. IARPA is
choosing a business sector(s) with the following characteristics:

Organizations that have a variety of business areas


Sufficiently representative
Variety of attack types
Variety of existing external bad actors

Variety of publicly available data


Good ground truth data for training and testing
Suggestions for data sharing partnerships with business
sector(s) are welcome, please submit an index card.
INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

24

Events and Scoring


At kickoff, the Government team expects to provide a large
list of significant cyber security events that occurred over the
last 6 -18 months, for which an early warning would have
been valuable.
After kickoff, Government team expects to provide monthly
ground truth cyber security events for the last month, for
which a warning would have been expected.
Starting in Month 6, teams will deliver warnings to IARPA.
Starting in Month 12, warnings delivered to IARPA are
scored against Program milestones.
INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

25

Events and Scoring


Scoring
Lead time:

Time warning delivered to IARPA compared to


Time of earliest report of a security incident.
Not necessarily time of event

Probability score:

Accuracy of probability assigned to security


event.
Utility Time:
Time warning delivered to IARPA compared to
the actual time of the security event.
Quality of Warning: Match between event forecasted/detected and
true event.
Recall and False Discovery Rate (FDR)

Other assessments, qualitative and quantitative, will be performed by the


Government team to evaluate each teams approach. Approaches will also be
evaluated on the context within the warnings, as judged by potential users.
INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

26

Metrics
Lead Time (Drives earlier event detection)
Time between warning and security incident report.
Teams will be asked to identify successive warnings for the same
event. The Government team will use this information for assessment
of teams approach for early detection.

Probability Score
Quadratic score = 1 (o-p)2
p is the probability assigned to the warning, o is ground truth:
1 if the event occurred, 0 if the event didnt occur within 7 days.

Utility (Drives forecasting)


Time between warning and the actual event occurred as recorded in
the security incident report. 3 day minimum is the goal. The
Government team will use this information for assessment of teams
approach to forecasting.
INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

27

Metrics Quality of Warning


For each warning we calculate the quality q = 1+2+3+4
1 ~ Attack Classification;
2 ~ Attacker;
3 ~ Target;
4 ~ Event Time
This provides partial credit for partial warnings.
Quality will use a typology of threat actors and targets to calculate the
difference between ground truth for an attack; e.g., target:
Typology, 3 = (Industry, Organization, Logical Address, Vulnerability)
Compare warning target with true target to get the vector
(x1, x2, x3, x4), xi = 0 if false, xi = 1 if true
Location quality = x1 + x1x2 + x1x2x3 + x1x2x3x4
For the time of the event, use 1- min(|predicted time actual time|,7)/7
INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

28

Metrics & Scoring - Example


Warning
Warning

Time
Stamp

Probability
Source of
Attack Type
of Event
Attack

CW1:

8/1/2015

.25

CW2:

8/3/2015

.40

CW3:

8/6/2015

.75

Ground
8/10/2015
Truth:

Remote
Exploit
Remote
Exploit
Remote
Exploit
Remote
Exploit

Victim

Time of
Attack

Unknown

Business A 8/4/2015

IP w.x.y.z

IP a.b.c.d

IP w.x.y.z
IP w.x.y.z

IP a.b.c.d,
Vuln x-1
IP a.b.c.d,
Vuln x-1

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

8/4/2015
8/4/2015
8/4/2015

29

Metrics & Scoring - Example


Quality Scores: (Victim)
Industry

Organization

Logical
Address

CW1:

Industry X

Business A

.5

CW2:

Industry X

Business A

IP a.b.c.d

.75

CW3:
Ground
Truth:

Industry X

Business A

IP a.b.c.d

Vuln x-1

Industry X

Business A

IP a.b.c.d

Vuln x-1

Warning

Overall
Scores

Warning
CW1:
CW2:
CW3:

Vulnerability Score

Lead
Time

Probability
Score

Utility
Time

Quality
Score

9 Days
7 Days
4 Days

.44
.64
.94

3 Days
1 Day
0 Days

2.5
3.08
3.67

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

30

Metrics
Recall:
Number of cyber events identified by Government team for which performer
team sent a warning to IARPA with non-zero lead time and quality
Total number of relevant cyber events identified by Government team

False Discovery Rate:


Number of false warnings identified by Government team for which performer
team sent a warning to IARPA
Total number of cyber event warnings sent to IARPA by performer team

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

31

Cyber-attack Events
Examples of events to forecast:
Cyber Event
Type
Unauthorized
Access

Description
An individual gains logical access without permission to a network,
system, application, data, or other resource.

Denial of
Service (DoS)

An attack that successfully prevents or impairs the normal


authorized functionality of networks, systems or applications by
exhausting resources.
Malicious Code Successful installation of malicious software that infects an
operating system or application.
Scans/Probes/ Activity that seeks to access or identify a computer, open ports,
Attempted
protocols, service, or any combination for later exploit. This activity
Access
does not directly result in a compromise or denial of service.

If you have any suggestions, please submit an


index card!
INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

32

Warning Generation
It is expected that the technology developed under this effort
will have no human in the loop.
Experts can help develop and train the system, but they
will not manually generate warnings, guide the system, or
filter warnings before they are sent to IARPA.
Teams systems must include an audit trail for each warning,
listing relevant evidence and weights.
Warnings that are related should be explicitly identified for
additional evaluation by the Government team.
Successive warnings for the same event,
Warning for mutually exclusive events.
INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

33

Program Structure

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

34

Program Structure
Phase 1 (18 months): External Data Sources
Identify predictive threat signals from technical and unconventional
Goal 1
sources
Goal 2 Perform data classification and training for model development
Goal 3 Generate Warnings
Phase 2 (12 months): Data Fusion w/Internal Data Sources
Goal 1 Create a data fusion model for integrating external and internal data
Goal 2 Research highly effective algorithms for processing massive data
Goal 3 Generate Warnings
Phase 3 (12 months): Solution Flexibility Enhancement
Goal 1 Evaluate solutions flexibility to integrate within a new organization
Goal 2 Evaluate capability for forecasting cyber attacks across multiple
organizations
Goal 3 Generate Warnings
INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

35

Milestones
Metric

Phase 1

Phase 2

Phase 3

Mean Lead Time

2 days

3 days

5 days

Mean Probability Score

2.4

3.2

Mean Utility Time

1 day

2 days

3 days

Mean Quality Score

3.5

Recall

0.5

0.7

0.8

False Discovery Rate


(FDR)

< 0.5

< 0.2

< 0.1

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

36

What CAUSE is not


Not a program focused on:
Identification of specific individuals
Collection mechanisms that require directed participation by
individuals

Not narrowly focused on a single data source or type


Not a program on developing intrusion detection
capabilities leveraging internal data
Not a program focused on insider threats
Not a program on data visualization
INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

37

Data
Acquisition/collection of external data will require resources
(time and budget) by each team, and data requirements will
likely overlap across teams.
In later phases, performers will use internal data from
participating U.S. business sector organization(s).
Performers may want to access their own or another
organizations internal technical data sources earlier in the
program to aid R&D of novel sensors to support future program
goals.
BAA will ask bidders to identify internal data sources required
to extract novel signals from participating U.S. business sector
organization(s).
INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

38

CAUSE Notional Data Flow Diagram

External Unconventional
Sensor Data

Phase 1 Phase 2

Data Collection and Processing

Industry Data Provider(s)


External Unconventional
Sensor Data

Ground
Truth

Data Collection and Processing

Data Collection and Processing

PerformerPerformer
1
2Performer n
Forecasting
ForecastingForecasting
Model Model
Model

PerformerPerformer
1
2Performer n
Forecasting
ForecastingForecasting
Model Model
Model
Phase 1
Warnings

Internal
Sensor Data

Normalization
& Encoding

Warning Ingest and Review


Phase 2 Data Provider Protected Enclave TBD

Phase 2
Warnings
T&E Scoring

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

39

Team Composition
Given the combination of technical challenges, we anticipate
teams will possess expertise in:

Computer science
Data science
Social and Behavioral science
Mathematics and statistics
Content extraction
Information theory
Cyber-security
Software development

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

40

Teaming
Because of the many challenges presented by this
program, both depth and diversity will be beneficial.
Throughput. Consider all that you will need to do, all the ideas you will
need to test.
Make sure you have enough people with the right expertise to do the job.
Sufficient resources to follow critical path while still exploring alternatives
risk mitigation

Completeness. Teams should not lack any capability necessary for


success, e.g., mitigate any dependency risks
Tightly knit teams.
Clear, strong, management, and single point of contact
No loose confederations
Each team member should be contributing significantly to the program
goals. Explain why each member is important, i.e., if you didnt have them,
what wouldnt get done?

Remember, you may be very accomplished, but can you do it all?


INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

41

Summary
CAUSE seeks to develop new automated methods for
forecasting and detecting cyber-attacks, hours to weeks
earlier than existing methods.
The Program aims to develop and validate unconventional
multi-disciplined sensor technology that will forecast cyberattacks and complement existing advanced intrusion
detection capabilities.
We are looking for well-executed, creative ideas for
unconventional sensors.
The BAA supersedes anything presented or said at the
Proposers Day by IARPA.
INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

42

Questions?

If you have questions, suggestions, and


comments please submit an index card now!

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

43

Contracting Overview

Mr. Tarek Abboushi

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

Doing Business with IARPA - Recurring Questions

Questions and Answers (http://www.iarpa.gov/index.php/faqs)


Eligibility Info
Intellectual Property
Pre-Publication Review
Preparing the Proposal (Broad Agency Announcement (BAA) Section 4)
Electronic Proposal Delivery (https://iarpa-ideas.gov)

Organizational Conflicts of Interest


(http://www.iarpa.gov/index.php/working-with-iarpa/iarpas-approach-to-oci)

Streamlining the Award Process


Accounting system
Key Personnel

IARPA Funds Applied Research


RECOMMENDATION: Please read the entire BAA
INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

45

Responding to Q&As
Please read entire BAA before submitting questions
Pay attention to Section 4 (Application & Submission
Info)
Read Frequently Asked Questions on the IARPA @
http://www.iarpa.gov/index.php/faqs
Send your questions as soon as possible
CAUSE BAA: dni-iarpa-baa-15-06@iarpa.gov
Write questions as clearly as possible
Do NOT include proprietary information
INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

46

Eligible Applicants
Collaborative efforts/teaming strongly encouraged
Content, communications, networking, and team formation are
the responsibility of Proposers

Foreign organizations and/or individuals may participate


Must comply with Non-Disclosure Agreements, Security
Regulations, Export Control Laws, etc., as appropriate, as
identified in the BAA

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

47

Ineligible Organizations
Other Government Agencies, Federally Funded Research and
Development Centers (FFRDCs), University Affiliated
Research Centers (UARCs), and any organizations that have a
special relationship with the Government, including access to
privileged and/or proprietary information, or access to
Government equipment or real property, are not eligible to
submit proposals under this BAA or participate as team
members under proposals submitted by eligible entities.

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

48

Intellectual Property (IP)


Unless otherwise requested, Government rights for data
first produced under IARPA contracts will be UNLIMITED.
At a minimum, IARPA requires Government Purpose
Rights (GPR) for data developed with mixed funding
Exceptions to GPR
State in the proposal any restrictions on deliverables relating
to existing materials (data, software, tools, etc.)

If selected for negotiations, you must provide the terms


relating to any restricted data or software, to the
Contracting Officer
INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

49

Pre-Publication Review
Funded Applied Research efforts, IARPA encourages:
Publication for Peer Review of UNCLASSIFIED research

Prior to public release of any work submitted for publication,


the Performer will:
Provide copies to the IARPA PM and Contracting Officer
Representative (COR/COTR)
Ensure shared understanding of applied research implications
between IARPA and Performers
Obtain IARPA PM approval for release

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

50

Preparing the Proposal


Note restrictions in BAA Section 4 on proposal submissions
Interested Offerors must register electronically IAW instructions on:
https://iarpa-ideas.gov
Interested Offerors are strongly encouraged to register in IDEAS at least
1 week prior to proposal Due Date
Offerors must ensure the version submitted to IDEAS is the Final
Version
Classified proposals Contact IARPA Chief of Security

BAA format is established to answer most questions


Check FBO for amendments & IARPA website for Q&As
BAA Section 5 Read Evaluation Criteria carefully
e.g. The technical approach is credible, and includes a clear
assessment of primary risks and a means to address them
INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

51

Preparing the Proposal (BAA Sect 4)


Read IARPAs Organizational Conflict of Interest (OCI) policy:
http://www.iarpa.gov/index.php/working-with-iarpa/iarpas-approach-to-oci

See also eligibility restrictions on use of Federally Funded Research and


Development Centers, University Affiliated Research Centers, and other
similar organizations that have a special relationship with the
Government
Focus on possible OCIs of your institution as well as the personnel
on your team
See Section 4: It specifies the non-Government (e.g., SETA,
FFRDC, UARC, etc.) support we will be using. If you have a
potential or perceived conflict, request waiver as soon as possible

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

52

Organizational Conflict of Interest (OCI)


If a prospective offeror, or any of its proposed subcontractor
teammates, believes that a potential conflict of interest exists or may
exist (whether organizational or otherwise), the offeror should promptly
raise the issue with IARPA and submit a waiver request by e-mail to the
mailbox address for this BAA at dni-iarpa-baa-15-06@iarpa.gov.
A potential conflict of interest includes but is not limited to any instance
where an offeror, or any of its proposed subcontractor teammates, is
providing either scientific, engineering and technical assistance (SETA)
or technical consultation to IARPA. In all cases, the offeror shall identify
the contract under which the SETA or consultant support is being
provided.
Without a waiver from the IARPA Director, neither an offeror, nor its
proposed subcontractor teammates, can simultaneously provide SETA
support or technical consultation to IARPA and compete or perform as
a Performer under this solicitation.
INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

53

Streamlining the Award Process


Cost Proposal we only need what we ask for in BAA
Approved accounting system needed for Cost Reimbursable
contracts
Must be able to accumulate costs on job-order basis
DCAA (or cognizant auditor) must approve system
See http://www.dcaa.mil , Audit Process Overview - Information
for Contractors under the Guidance tab
Statements of Work (format) may need to be revised
Key Personnel
Expectations of time, note the Evaluation Criteria requiring
relevant experience and expertise
Following selection, Contracting Officer may request your review of
subcontractor proposals
INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

54

IARPA Funding
IARPA funds Applied Research for the Intelligence
Community (IC)
IARPA cannot waive the requirements of Export
Administrative Regulation (EAR) or International Traffic in
Arms Regulation (ITAR)
Not subject to DoD funding restrictions for R&D related to
overhead rates

IARPA is not a DOD organization

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

55

Disclaimer
This is Applied Research for the Intelligence Community
Content of the Final BAA will be specific to this program
The Final BAA is being developed
Following issuance, look for Amendments and Q&As
There will likely be changes
The information conveyed in this brief and discussion is for
planning purposes and is subject to change prior to the
release of the Final BAA.

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

56

QUESTIONS ?

INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

57

CAUSE Program Q&A

Mr. Robert Rahmer, Program Manager


IARPA Office for Anticipating Surprise
INTELLIGENCE ADVANCED RESEARCH PROJECTS ACTIVITY (IARPA)

ADI TECHNOLOGIES

RepKnight Social
Networks OSINT (Open
Source Intelligence) as a
complement to SIGINT,
MILINT, HUMINT

George Barros
Social Media Engineer/
CISO
ADI Technologies, Inc.
gbarros@repknight.com
(703) 734-9626
www.aditechnologies.com

Predicting Cyber Attacks through Interaction and Actor Behavior Modeling and Event Detection in
Dark Web, Black Market and Underground Forums
Robert Filar
Battelle Cyber Innovations
filarr@battelle.org

Ernest Hampson, Ph.D.


Battelle Cyber Innovations
hampsone@battelle.org
ABSTRACT

Current state-of-the-art cyber security technology relies heavily on signatures to derive threats or
anomalies. While this approach has proven valuable in the past, attacks have grown in sophistication and
these techniques have led to cyber security practitioners to focus on the effects of an attack as opposed
to determining and mitigating the cause. A shortcoming of these systems is a lack of novel sources for
data enrichment and probabilistic warnings based on unconventional data sources. One such source is
the significant amount of cyber threat activity that occurs within Dark Web, black market and
underground forums/marketplaces. However, unlike traditional social media, forum data presents
problems when performing social network analysis and event detection. Properly modeling interactions
among nefarious actors can lead to accurate depictions of threat community behavior. This technique
aids in uncovering illicit networks, identifying influential members, and generating accurate social
graphs.
In its proposed research for CAUSE, Battelle will seek to enhance its technology called DarkScout that
collects and integrates forum, marketplace and social content with flexible tools for the structured
consumption of irregular media in hostile web environments. DarkScout uses language-agnostic
algorithms to collect, organize and analyze contextual information surrounding media items to uncover
community structures, and adversary pattern-of-life, trends, motivation, intent and capabilities. Further,
SME-developed ontologies provide a foundation for performing event detection and training text
analysis classifiers to extract potential indicators of cyber attack. The identification of anomalous events
is augmented with pattern-of-life analysis to provide a temporal view of incoming threats.
In its CAUSE-supported research, Battelle will augment Interaction Modeling, Actor Behavior Models
and integrate technology to analyze and de-anonymize Bitcoin sale/purchase activity to capture
communication exchanges more accurately within threat-actor forums and enrich it with temporal event
data, yielding robust information propagation models. Propagation models provide definitive analysis of
how far and how fast information spreads, and indicates threat momentum. Entity extraction of technical
indicators will inform propagation models to provide a realistic view of whether threat actors are
seeking to exploit an attack vector, and provide early warning of cyber attacks via a robust Application
Programming Interface. Battelle will seek to work with other researchers who are developing advanced
Intrusion Detection Systems and network sensor systems that would benefit from enriched data sources
and models depicting threat-actor behavior and activity.

Battelle Cyber Innovations


Lead Investigator: Dr. Ernest Hampson

Research Areas

Cyber Command and


Control Technologies

Anonymous Internet
Communications

Network Security

Firmware Reverse
Engineering

Cyber/Threat
Intelligence

Hardware Reverse
Engineering

Software/Malware
Reverse Engineering

Mobile Security

Integrated Circuit
Exploitation

Foreign Materiel
Exploitation

Silicon Hardware Firmware Operating System Application

Business Sensitive

Qualification and Capabilities

DarkScout: Automated
collection, organization and
analysis of Dark Web/
Underground content.

PEAR: Next-generation
mis-/non-attributable
internet communications
via asynchronous routing.

ECAT: Authentication of
electronic components in the
supply chain via statistical
analysis of noise signals

Cantor Dust: Statistical


binary analysis platform for
unknown data streams

BIOS-HV: Type 1 hypervisor


for pre-boot environments
with automated analysis &
manipulation capabilities

Attack of the Clones: 0day and N-day vulnerability


discovery across massive
firmware libraries

Spinning Top: Authentication


bypass and remote access to
smartphones via baseband
exploitation

ICE: Novel methods for


flash memory extraction
using Photon Emission
Microscopy.

Specific Capabilities and Teaming Needs


Battelle will develop an automated collection and analysis
platform that provides enriched data sources and
probabilistic threat warnings derived from Dark Web,
black market and underground web forums and market
places. Battelle seeks teammates who are:
developing advanced intrusion detection systems,
and/or network sensor systems
that would ingest these models, combine them with other
technical indicators to provide accurate cyber-attack early
warning and mitigation.
4

Contact Information

Tami Peli
V.P., Director of Business Development
Battelle Cyber Innovations
peli@battelle.org
571-227-6314 (office)
781-856-8098 (mobile)
http://www.battelle.org/ourwork/national-security/cyberinnovations
5

Dr. Paulo Shakarian is an Assistant Professor at Arizona State University where he works in the Big
Data group. He specializes in advanced data analytics, network science, artificial intelligence, and cybersecurity. Specific application domains have included intelligence analysis, counter-insurgency, counterIED, law-enforcement, and cyber-security. His previous work has been presented at major academic
venues including KDD, AAMAS, and ESORICS as well as industry conferences such as ShmooCon. His
work has been funded by the ARO, DARPA, IARPA, and USAF A2II. Shakarians work on analyzing
geospatial data resulted in the "SCARE" software for locating weapons caches that was used by Task
Force Paladin in Afghanistan and also featured in The Economist. His work on social network data
analytics resulted in the "GANG" and "SNAKE" software packages that are currently in use by the
Chicago Police and also featured in Popular Science. Dr. Shakarian is also the author of two books,
including Elseviers Introduction to Cyber-Warfare. Previously, Dr. Shakarian was a commissioned
officer in the U.S. Army where he worked in a variety of intelligence positions that include combat tours
in Operation Iraqi Freedom. He is a recipient of the Bronze Star and Army Commendation Medal for
Valor.

Contcat information:

Paulo Shakarian, Ph.D.


Assistant Professor and
Director, Cyber-Socio Intelligent Systems (CySIS) Lab
Arizona State University
BYENG 408
699 S. Mill Ave.
Tempe, AZ 85281
(480) 727-5290 (o)
(480) 965-2751 (f)
shak@asu.edu
http://shakarian.net/paulo

Florida Center for Cybersecurity (FC2)


University of South Florida (USF)
Adaptive Immersion Technologies (AIT)
The Florida Center for Cybersecurity (FC), with ongoing funding from the Florida State
Legislature, is an initiative to lead and coordinate cybersecurity research, education and outreach
across the state and beyond. FC brings access to researchers across all 12 institutions in
Floridas State University System (SUS) as well as collaborative engagement among
government, defense and business communities.
The University of South Florida (USF) is a high-impact, global research university, classified by
the Carnegie Foundation for the Advancement of Teaching as a community engaged university
and as a the top tier of research university, a distinction attained by only 2.2 percent of all
universities. USF is home to the Program in National and Competitive Intelligence, an
Intelligence Community Center of Academic Excellence. USF and FC2 also have been
designated by the National Security Agency (NSA) and the Department of Homeland Security
(DHS) as a National Center of Academic Excellence in Information Assurance/ Cybersecurity
for academic years 2014-2019. USFs School of Information has distinctive capabilities and
subject matter expertise in (1) Cyber Intelligence collection and analysis of information
concerning the intentions, capabilities, activities of adversaries and competitors in the cyber
domain; (2) Applying intelligence analytic methods and technologies to the cyber domain; (3)
Adversary characterization, risk/threat assessment, and threat actor behavior; and (4) Integrating
collection and knowledge management technologies to improve the efficiency of cybersecurity
operations. Key personnel include Scuba Steve Gary Former Chief of Cyber Intelligence,
US Special Operations Command, who holds an active clearance and an MS in Cyber Operations
and; Dr. Randy Borum (Cleared) Psychologist and former science advisor to the DNI and
IARPA who specializes in applying intelligence analytic methods to the cyber domain, strategy
and analytic decision making.
Adaptive Immersion Technologies (AIT) develops simulation-based personnel selection,
training, and performance management systems that promote human resilience in physically,
cognitively, and psychologically taxing performance domains. They tailor systems to integrate a
trilogy of performance solutions through prediction, enhancement, and support, using a synthesis
of concepts from data science, human simulation, and adaptive assessment technology to
optimize human performance. AIT has distinctive capabilities and subject matter expertise in (1)
Novel machine learning applications to complex human performance prediction problems; (2)
Computational modeling of human performance; (3) Technology-enabled training, performance
assessment and diagnosis employing modern psychometric theory; and (4) Algorithm
development, optimization, and benchmarking for real time, simulation-based assessment.
Contact:
Scuba Steve Gary
Assistant Professor of Practice
School of Information, University of South Florida
sgary@usf.edu

Florida Center for Cybersecurity


(FC2)
University of South Florida
(USF)
Adaptive Immersion Technologies
(AIT)
Unique Qualifications & Capabilities:
FC2:
Access to researchers across 12 institutions in
Floridas State University System (SUS)
Academic and Research Outreach across Florida
Top Secret Facility Clearance
USF:
Cyber Intelligence collection and analysis of
information concerning the intentions, capabilities,
activities of adversaries and competitors in the cyber
domain
Using analytic and visual cognition (through data
visualization) to enhance human sensor capabilities
for cyber anomaly detection and forecasting
Combining information analytics and structured
intelligence analytic techniques to develop
operationally relevant threat actor profiles in the
cyber domain (e.g., categories, database)
Discerning attack/activity trends within an industry or
sector to develop probabilistic risk/threat
assessments (e.g., targets, tactics)
Integrating collection and knowledge management
technologies to improve the efficiency of
cybersecurity operations
AIT:
Novel machine learning applications to complex
human performance prediction problems
Computational modeling of human performance
Technology-enabled performance assessment and
diagnosis
Computer-adaptive assessment and training
employing modern psychometric theory
Algorithm development, optimization, and
benchmarking for real time, simulation-based
assessment
Open to collaborative research, to include:
Cyber Intelligence
Human Sensors
Machine Learning
Computational Modeling of Human Performance

Advancing cybersecurity
through outreach, research
and collaboration with
academia, industry and
government.

CAUSE-specific Capabilities & Interests:


Developing novel methodologies for measuring
behavioral signatures of individual operators
and networks of operators
Pattern recognition of complex patterns of free
cyber attack activities within distributed,
networked environments
Evolution and application of machine learning
algorithms for complex pattern recognition
within the cyber domain
Algorithm boosting for enhanced detection
accuracy with low base rate events useful for
forecasting critical cyber events
Develop database to categorize cyber threat
actor profiles based on capabilities, intentions,
targets, activities
Predictive cyber threat analysis for threat/risk
assessments
Using analytic and visual cognition (through
data visualization) to enhance human sensor
capabilities for cyber anomaly detection and
forecasting
Cyber threat actor trend analysis
Key Members Experience (Clearance Status):
Scuba Steve Gary Former Chief of Cyber
Intelligence, US Special Operations
Command. MS in Cyber Operations. (Cleared)
Dr. Randy Borum Psychologist. Intelligence
analytic methods in the cyber domain. Strategy
and decision making. (Cleared)
Dr. Phillip Mangos President and Chief
Scientist of Adaptive Immersion Technologies,
a Florida-headquartered small business.
(Pending)
Adam Sheffield Program Manager, FC2 &
HUMINT Targeting Analyst. (Cleared)
Scuba Steve Gary
Assistant Professor of Practice
School of Information, University of South Florida
sgary@usf.edu
813-974-3520

Galois and Adversarial Reasoning


Galois, Inc. is interested in applying our experience in the area of adversarial reasoning to
the IARPA CAUSE program. The Adversarial Reasoning effort at Galois comprises
three complementary threads:
1. Investigating the nature of deception and counterdeception, particularly as it
applies to the cyber domain. Cyber adversaries rely on deceptive attack
techniques, and understanding patterns of deception enables accurate predictions
and proactive counterdeceptive responses.
2. Developing strategic, cognitive and game-theoretic approaches to developing
cyber actor models, with a focus on understanding how to reason about the
beliefs, intentions, and objectives of cyber adversaries.
3. Formulating techniques that allow for robust reasoning under conditions of
extreme uncertainty and ambiguity, especially in those circumstances where
statistical data is absent, and the only evidence available is likely to be
fragmentary or conflicting.
We have both prior and ongoing unclassified work with DOD agencies to research and
prototype these capabilities. For the IARPA CAUSE opportunity, we are interested in
partnering with other performers with expertise and interest in any of the following areas:
Methods to manage and extract huge amounts of streaming and batch data
Development of models to generate probabilistic warnings of future cyber events
Multiple sensors not typically used in the cyber domain
About Galois
Galois, Inc. is a computer science R&D firm with the mission to create trustworthiness
in critical systems. Founded in 1999, and located in Portland, Oregon, Galois applies
cutting-edge computer science and mathematics to solve difficult technological problems.
Over its 15-year life, Galois has worked to bring rigorous, mathematically based
techniques to challenges in domains such as software correctness, cryptography, cyberphysical systems, mobile security, machine learning, and human computer interaction.
Galois continues to work with a wide variety of government and commercial clients,
particularly in the DOD and IC.

David Burke, PI
Galois, Inc.
Creating trustworthiness in critical systems
Founded in 1999, 50+ employees, based in
Portland OR.
Numerous DOD, IC, Government & Commercial
clients.
Extensive experience in domains such as software
correctness, mobile security, cyber physical
systems, computer security, cryptography, machine
learning, and human-computer interaction.

Adversarial Reasoning Program at Galois:


1. Nature of deception and counterdeception,
particularly as applied to the cyber domain.
2. Strategic/Game Theoretic thinking about
adversaries and cyber actor models,
incorporating beliefs, intentions, and goals.
3. Techniques that apply in conditions of extreme
uncertainty (ambiguity vs. risk).
We have both prior and ongoing efforts with DOD
agencies on these topics come talk to me for more
details.

The CAUSE Program anticipates:


1. methods to manage and extract huge amounts of
streaming and batch data.
2. the development of models to generate probabilistic
warnings for future cyber events.
3. multiple sensors not typically used in the cyber
domain.
4. application and introduction of new and existing
features from other disciplines to the cyber domain.
Were interested in talking to potential partners in any of
these areas who are both enthusiastic and ambitious about
their offerings.

Contact Information

David Burke
Research Program Lead
Galois, Inc.
davidb@galois.com
(503) 330-9512
www.galois.com

IBMs Cognitive Cyber Security Defense (CCD) is a big data and analytic solution that
employs machine learning techniques to provide an adaptive and agile defensive
posture in real-time. It is an integrated solution with proven machine learning models
from IBM Research with the ability to build new families of Cyber models to react to the
ever changing Advanced Persistent Threat (APT) environment. The Cognitive Cyber
Security Defense solution is designed to scale from an entry-basic configuration up to a
full-capability system depending on your cyber defense needs. It provides a machine
learning workbench for the development of your own predictive cyber models. These
models can perform behavior analytics as well as target specific DNS related attack
types as well as behavior modeling of netflow data. Key attributes of the system are:
1. The CCD solution is an APT detector comprised of a family of pretrained
machine learning models outputted to rich visualization
2. Solution runs on x-86 infrastructure running RHEL 6.1 or higher
3. It can connect to existing Cyber SIEM, Big Data or Cloud Solutions
4. The Models dynamically update with changing threat vectors
5. We have field tested this solution with numerous customers from Utilities to
telcos to a large commercial entities

IBM Cognitive
Cyber Defense
IARPA CAUSE
IBM S MACHI NE L E A R NING CYBER SECUR ITY
SO L U TI ON

21 January 2015
Greg Porpora
IBM Federal Chief Engineer Cognitive Computing & Analytics

IBMs Cognitive Cyber Defense


Advanced Persistent Threat (APT) Network Detector
Machine Learning Based APT Detector comprised of a family of
Supervised and Unsupervised models
Analyzes Net Flow and/or DNS data in real-time
Can scale to 32TB per day
Advanced reporting capabilities
Botnet topology reconstruction via I2

Cyber Command Center View


Deep Forensic drill down

Cots Based Technology : SPSS, Infosphere Streams, Cognos BI

Open APIs with support to Hadoop clouds, Qradar, SIEMs,


other data repositories
2014 IBM Corporation 2014 IBM Corporation

Netflow & DNS -based Advanced Persistent


Threat Anomaly Detection

Detect anomalous behavior as it appears

Real-time detection in seconds of unknown attacks

Can easily scale to 32TB per day ingest

Models dynamically adapt to changing signatures


Visualization
Ingest Live
Netflow &
DNS
Data

Extract
Netflow &
DNS
Features

Anomaly
Detection
via Trained
Models

Dynamically
Retrain Models
3
2014 IBM Corporation

Cognitive Cyber Defense basic real-time Cyber analysis


workflow inside Infosphere Streams
Blacklist
&
Whitelist
Monitor
both in and
out
PCAP-DNS

Net Flow

Base Models

WHOIS or Maxmind

Beaconing-Exfiltration tests
Compare detected Fast Flux DNS and associated IP
addresses performing Intrusion to outbound DNS-IP traffic
for matches
Match real-time behavior-signature to historically derived
and dynamically updated

Network Behavior
Modeling
Fast Fluxing
DNS Amplification
Attacks
DNS Poisoning
DNS Tunneling
Net Flow Behavior
Modeling

CCD Visualizing Threats

(Cognos)
APT Detection
Forensic Analysis

(i2)
Botnet Topology and
Attack Reconstruction

Adaptive Profiling

2014
IBM Corporation

Who we are:
Small, veteran-owned
business started in 2001
42 technical staff 17 PhD,
19 MS degrees
Premium services in
decision & risk analysis,
operations research, and
systems engineering
GSA MOBIS and SeaPort
schedules
TS facility clearance

IDI is looking to partner with


a cyber security firm to
research and develop
decision analytics in
support of Cyberspace
Operations.

What we do:
Decision Support Tools
and Analytics Research
- Cyber Risk Tool
- Cyber Risk Metrics
Extract from raw data
descriptive and predictive
analytics
Multidisciplinary projects
that typically merge social
and behavioral science with
technical approaches
Build probabilistic models
for environments under
conditions of uncertainty
(e.g., Multivariate Analysis,
Bayesian Networks)
Dennis Buede, President
dbuede@innovativedecisions.com
Judith Jacobson, BD
jjacobson@innovativedecisions.com
Richard Brown, Principal Analyst
rbrown@innovativedecisions.com
www.innovativedecisions.com
703-861-3678

Innovative Analytics, Better Decisions

UNCLASSIFIED

SAILBOAT
SAILBOAT Overview

Active Inference to Behavior Model

Semi-Active Inference-Level
Behavior-Observing Automated Telemetry
Passive
Sensors

Operational
Tools

Semi-active Sensors
Designed To
Inference Goals

Secondary
(Inferred)
Data

Roles
Organizational
Geolocation

Passive
Primary
Data

Motives
Methods

Legacy
Inference

Opportunities
Knowledge propagation

Active Inference Direct to Behavior

Protocols

Transactions
Packets

Inter-session features

Sessions

Atypical Semi-Active Sensor Techniques


Knowledge/Belief Injection &
Propagation Sensors

Watering- Hole
Techniques

Example: Certificate compromise rumor injection, Computer service behavior deviations based on
followed by semi-active detection of certificate
triggering events or identifying client behavior /
rejection by candidate actors.
attributes.

Canary Content Placement &


Exfiltration Sensors

Spear-Flushing

Inference
Goals

Actors

Legacy
Inference

Opportunistic, passive cyber data generally drives


inferencing into models for Actors, Roles, Locations,
Organizations and thence to predictive behavior models
such as Motives, Methods, and Opportunities, but may
result in sparse, low confidence data. Adding active
sensor components specifically to produce behavioral
evidence, we infer more directly to the predictive models,
and prioritize efforts where resulting inferences are most
valuable.

I.E. Reverse spear-fishing: induction of secondary


behavior based on targeted content.

I.E. decoy content with active or semi-active


monitoring of sharing and leak sites.

Potential Advantages

Example Narrative
Actor A is high-knowledge and motivated, and has similar
attributes with actor B, who is known to have opportunity to
access a sensitive asset, but there is no correlating primary
evidence that A and B are connected. Through canary or
watering hole techniques, an Actor A session is presented
with evidence of a compromise of a particular root
certificate. The semi-active sensor then uses watering-hole
techniques to test when and if Actor B has reconfigured to
reject certificates signed by the rumored compromised root
certificate. Timing and other data (searches, chatter) may
clearly indicate actor models A and B may be merged, or
indicate direct-knowledge transfer that indicates close
knowledge transfer graph adjacency. A merger of A and B
further completes the Motive, Method, and Opportunity
characteristics of the Actor model, and indicates
probable attack on the accessible asset.

Increased Yield of Critical Inferences


Design target of what knowledge is needed rather than
what is easily collected
Operational yields with automated effort
Opportunistic sensors combine with automated
operational capabilities.
Reusable components and techniques
Watering hole infrastructure can be tasked with multiple
sensors and goals
Knowledge propagation sensor pattern can be realized
in several technologies.

Risk Mitigation
Risks include the leaking of data state of the model.
Mitigations:
Probabilistic sensor behavior dithering.
Hard limits on state-driven sensor action exposures.

UNCLASSIFIED

EMERGING DOMAINS
INTELLIGENT SYSTEMS FOR FORECASTING AND DETECTING CYBER ATTACKS

Figure 1: Matrix of SoarTechs core capabilities, related applications and relevant examples.
The
Challenge:

Potential
Approach:

Current approaches to detecting cyber attacks are reactive and shallow. They are
reactive because they focus on what adversaries have done in the past, rather than
anticipating what they may do in the future. They are shallow because they focus on
cyber observables without reasoning about adversaries goals and objectives.
Applying SoarTechs core capabilities (shown in Figure 1) we have experience to
combine innovative analytics on observables with sophisticated behavioral models of
cyber actors that can support both cognitive reasoning (extending the model through
experience and explaining reasoning to humans) and Monte Carlo exploration (for
probabilistic forecasting over multiple possible futures).

ENHANCING CYBERSPACE DEFENSE THROUGH BIDIRECTIONAL BEHAVIORAL MODELS


SoarTech POCs:
Dylan Schmorrow, Ph.D.
Chief Scientist
703.424.3138

Denise Nicholson, Ph.D., CMSP


Director of X
407.616.7651

H. Van Dyke Parunak, Ph.D.


Senior Scientist
734.395.3253

dylan.schmorrow@soartech.com
denise.nicholson@soartech.com
van.parunak@soartech.com
We are interested in discussing partnerships and collaborations.
Below are the logos of a few of our Sponsors and Partners for related research.

INTELLIGENT SYSTEMS FOR FORECASTING


AND DETECTING CYBER ATTACKS
OUR EXPERTISE
AND PROVEN
CAPABILITIES
AUTONOMY

ADAPTATION
HUMAN/SYSTEM
INTERFACE

DECISION SUPPORT

BEHAVIOR MODELING

CYBER SIMULATION

Multi-Future Probabilistic
Forecasting
Multiple agents search
alternative paths through
complex behavior models in
parallel
Any-time forecast adjusts in
real time to incoming data;
runs 104x faster than real
time
Yields probability distribution
over alternative futures to
support ACH and mitigate
cognitive anchoring

Cognitive Red-Team
Agents
Enables scalable,
repeatable wargaming
and testing of security and
network infrastructure

Cyber Sandbox for


Attack & Defense Training
Agent-based cyber ecology
provides autonomous
adversaries and legitimate
users
Dynamic Tailoring adapts
adversaries and
environment to maximize
learning

Relevant Research
to be Leveraged:

Learned behavior model


exposes novel attack
vectors
Agents acting as virtual
assistants allow human
experts to focus on high
level goals

Constructive sims are readily


available for continuous
training and evaluation

Research Area of Interest:


Current approaches to detecting cyber attacks are reactive and shallow:
reactive because they focus on what adversaries have done in the
past, rather than anticipating what they may do in the future.
shallow because they focus on cyber observables without reasoning
about adversaries goals and objectives.
SoarTech combines innovative analytics on observables with
sophisticated behavioral models of cyber actors that can support both:
cognitive reasoning (extending the model through experience and
explaining reasoning to humans) and
Monte Carlo exploration (for probabilistic forecasting over multiple
possible futures).

ENHANCING CYBERSPACE DEFENSE THROUGH


BIDIRECTIONAL BEHAVIORAL MODELS

POCS
Dylan Schmorrow, Ph.D.
Chief Scientist
703.424.3138
dylan.schmorrow@soartech.com

Denise Nicholson, Ph.D., CMSP


Director of X
407.616.7651
denise.nicholson@soartech.com

H. Van Dyke Parunak, Ph.D.


Senior Scientist
734.395.3253
van.parunak@soartech.com

Cyber-attack Automated Unconventional Sensor Environment (CAUSE)


SRA International, Inc.
Joseph Pemberton
joe_pemberton@sra.com
703-803-1882
Abstract
The growth of cyber incidents, from identify theft to full-scale attacks on corporate and
Government cyber assets, highlights the importance of cyber defense to the economic and
political security of the country. Existing cyber defense methods typically focus on forensic
assessments to answer the question, what happened? rather than attempting to predict cyberattacks before they occur. SRA is actively researching ways to improve cyber defense
capabilities for our customers. We have extensive experience providing cyber security services
to a wide variety of Government agencies. Our subject matter experts understand the current
cyber defense landscape, and we have experience and relationships with a wide range of cyber
security solution vendors.
SRA has developed and markets NetOwl, a suite of text and entity analytics products. We
have recently expanded NetOwls ontology to cover counterterrorism, intelligence, military,
homeland security, law enforcement, business, compliance, and cyber security related areas. Our
cyber security ontology integrates cyber-event concepts from the U.S. Department of Defense,
US-CERT, and other cyber security organizations, and terminology for critical infrastructure
such as energy, financial, and telecommunications facilities and organizations prime targets of
cyber-attacks that could affect U.S. security. Our expanded cyber security ontology is designed
to allow organizations to process large volumes of unstructured content and automatically
identify key cyber-related events as well as entities involved in these cyber events
Our team includes Context Relevant which provides an optimized machine learning pipeline for
analyzing complex data sets. Context Relevant software helps data scientists process
unstructured (e.g., dirty/messy) data, including Open Source data, process millions of input
dimensions, and automatically general and explore hundreds of thousands of models in parallel.
Their tools have been used to general efficient prediction of future events. With our teammates,
we are currently investigating the combination of NetOwl, deep machine learning methods, and
big data processing to the problem of analysis and prediction of cyber-attacks. In particular, we
are investigating ways to combine both structured and unstructured (messy) data from traditional
and nontraditional sources to enable early stage detection of cyber-attacks.
SRA is eager to join the IARPA CAUSE Program, and we are looking for additional teammates
to help round out our team.

SRA International
Joseph Pemberton
Current Teammates:
Context Relevant
Bromium

SRA is interested in new techniques for


analyzing adversary behavior and to help
identify and predict cyber attacks
Our planned approach integrates machine
learning, big data, hypervisors, microvisors,
and entity extraction techniques to detect
indicators of malicious cyber activity

SRA provides cyber security solutions to a


wide range of Government customers
We know the limitations of existing cyber tools
We understand Government cyber defense needs

Our team includes:


SRA entity analysis experts and tools to efficiently
extract content from unstructured data
Big data and machine learning experts who model
large, high-dimensional problem spaces efficiently

We are looking for academic and small


business partners to augment our team
capabilities:
Unstructured Data Analysis
Machine Learning
Big Data Analysis
Practical Cyber Security Experience
Data modeling

Contact Information

Joseph Pemberton
Technical Director
SRA International
joe_pemberton@sra.com
703-803-1882
www.sra.com

ViON Data Adapt Analytics A2000


ViON Big Data Analytic Platform | S O L U T I O N |B SROI ELFU T I O N B R I E F
Threat Detection & Prevention

About ViON

Identity Analytics for National Security


Our modern world is a place where national security, critical
infrastructure and national resources may be at risk due to the actions of

ViON is a veteran-owned, privately held


company with over 34 years of experience
building IT enterprise solutions for
government and commercial customers.
Being independent allows for streamlined
decision making and nimble responses to
our customers needs.
ViON works with the largest and most
innovative OEM suppliers in the industry
to design and implement solutions that
meet any IT storage or server need.
Partners include IBM, Brocade, Cisco,
EMC, Hitachi Data Systems, NetApp, and
many more.

small groups of people with anti-social agendas. Those with malicious


intent are typically highly motivated to operate covertly, going to great
lengths to obscure their identities, relationships and organizational
affiliations.
A key weapon in the fight against crime, civil unrest and terrorism is
timely and actionable information. Better recognition of identities,
relationships and affiliations can provide the hidden intelligence needed
to anticipate and prevent catastrophe. To harness data from all available
sources and extract actionable intelligence demands unique softwaredriven capability. ViONs Data Adapt Analytics A2000 appliance for
Threat Prediction and Prevention, based upon the Cisco UCS platform,
is powered by IBM software specifically designed to recognize attempts

Known for our engineering expertise and


exacting standards, our team ensures that
only those with the highest level of
training, experience, and industry
certifications design, install, maintain, and
support our breadth of solutions.

to obscure identities and relationships.

The Data Adapt Analytics Solution


The ViON Data Adapt Analytics A2000 appliance utilizes proven entity
resolution and analysis capabilities that have been used for years within
government organizations that protect national security. These mission
requirements range from borders and port entry to complex counterinsurgency and inside threat detection.
The A2000 was architected to ingest all available data sources. The
analytical engine detects intersections in the data that reveal clues about
identities and relationships, continuously learning with each new set of
data. In this way the data itself reveals the clues that it hides, providing
the critical Non Obvious Relationship Awareness. This approach also
reveals multiple degrees of separation between people, essential for
mapping out social networks. Behavioral and pattern-based analytics
create the ability to observe coordinated movements that would
otherwise avoid detection. These analytics are configurable based on
thresholds and risk scores that determine who is alerted, when and how.
By integrating all these capabilities into a scalable x86 hardware
platform, ViON has created a new generation of solution that delivers the
value of a complex custom enterprise software system but with the same
speed, ease and economy of an appliance.

ViON Data Adapt Analytics A2000 Threat Detection & Prevention

| S O L U T I O N B R I E F

Mission Optimized Threat Prediction &Prevention Capabilities


The systems sophisticated disambiguation technologies were specifically created to penetrate the cultural ambiguities,
fabrications & identity misrepresentation tactics nefarious groups and individuals use to hide. It uncovers and links
obvious and non-obvious relationships which may reveal criminal syndicates, gangs, revolutionary organizations or
terrorist cells. Capabilities include:

Full attribution: Achieve greater accuracy with an entity resolution and analytic engine that accumulates a
history as opposed to a snapshot of each individual or company in the database over time.

Relationship resolution: Identify & compare non-obvious relationships between addresses, phone numbers, email addresses, and other characteristics discovered and linked across multiple individuals

Link analysis: Analyze, visualize, and extend these relationships building complex structures, revealing the
hierarchies and methods of operation employed by criminal, terrorist and fraudulent networks

Real-time changes: Compare identity records to the database upon receipt to determine if it resolves an
existing record, is new, or requires and unresolve of an existing record.

Self-healing and self-correcting: Automatically examine and update any entity in the repository that would be
affected based on new observations.

Autonomic real-time alerting: Automatically check against existing information and generate alerts allowing for
detailed analysis of involved parties as new data is ingested.

Global name resolution: Apply linguistic rules automatically to find matches through cultural context via
patented IBM technology.

Behavioral and pattern analysis: Uncover coordinated activities and patterns that provide the capacity to
anticipate a pending threat event via deep data mining and statistical analysis.

Why Data Adapt Analytics Solutions?


More than simply bundling hardware and software, the secret to Data Adapt Analytics offerings such as Threat
Prediction & Prevention is purposeful design. Lessons learned from numerous prior projects have been incorporated into
the product so that customers can begin with configuring the system to their environment, data and mission rather than
locating and hiring the highly specialized skills needed to operationalize the different software components. Integrated
technologies and accelerators are combined in different ways unique to the characteristics of a given mission. The
application exploits the right mix of system resources (processing power, memory and storage, for example) for deeper
levels of optimization to achieve the desired scale, performance, analysis, and user experience.

To learn more of how the ViON Data Adapt Analytics solutions can help you, please visit www.vion.com.

196 Van Buren Street | Herndon, Virginia 20170


(571) 353-6000 | (800) 761-9691 | vion.com
All product names mentioned may be trademarks and/or registered of their respective companies. All rights reserved.

March 2014, Version 1.0