Reducing Bandwidth Requirements for Cybersecurity Information Exchanges
Navy SBIR 2012.3 - Topic N123-164
SPAWAR - Ms. Elizabeth Altmann - [email protected]
Opens: August 27, 2012 - Closes: September 26, 2012

N123-164 TITLE: Reducing Bandwidth Requirements for Cybersecurity Information Exchanges

TECHNOLOGY AREAS: Information Systems, Sensors

ACQUISITION PROGRAM: Computer Network Defense (ACAT IV) Acquisition

RESTRICTION ON PERFORMANCE BY FOREIGN CITIZENS (i.e., those holding non-U.S. Passports): This topic is "ITAR Restricted". The information and materials provided pursuant to or resulting from this topic are restricted under the International Traffic in Arms Regulations (ITAR), 22 CFR Parts 120 - 130, which control the export of defense-related material and services, including the export of sensitive technical data. Foreign Citizens may perform work under an award resulting from this topic only if they hold the "Permanent Resident Card", or are designated as "Protected Individuals" as defined by 8 U.S.C. 1324b(a)(3). If a proposal for this topic contains participation by a foreign citizen who is not in one of the above two categories, the proposal will be rejected.

OBJECTIVE: Develop an efficient or optimal means of reducing or compressing cybersecurity monitoring information and data collection for transmission via low bandwidth links.

DESCRIPTION: Within cybersecurity, Computer Network Defense (CND) relies partially on sensors to observe hosts and networks. Sensor functions include pattern or signature matching against known hostile profiles, anomaly detection, log file collection and analysis, and raw packet capture and analysis. Many of these processes, especially raw packet capture, generate large volumes of raw collected data.

Many incidents occur at locations remote from a cybersecurity incident response team. Often, discovery and analysis during response require physically shipping storage media. Incident response needs to occur in minutes or hours, not days.

The target cybersecurity communications formats, schemas, and protocols for CND-related incident and sensor collection include:
- Security Content Automation Protocol (SCAP) - NIST IR 7511
- Incident Object Description and Exchange Format (IODEF) - RFC 5070
- Cybersecurity Exchange Framework (CYBEX) - ITU-T X.1500-X.1589

Additionally, cybersecurity systems collect raw log files from hosts, servers, routers, switches, and other devices, commonly analyzed using tools such as AWStats or WebLogExpert. Some cybersecurity systems also collect and analyze raw packet data (packet sniffing) within a network, commonly analyzed using Wireshark or similar software.

Upon actual incident detection, a response team must analyze what occurred, classify the cause, review attack vectors, determine the impact scope, and assemble evidence for later prosecution.

PHASE I: Conceptualize and design an innovative solution to reduce the total bandwidth required to exchange information from a remote subscriber LAN back to a centralized computer incident response team (CIRT).

The Phase 1 deliverable will address at least these factors:
- Minimum essential information exchange for the common formats
- Methods for collecting, organizing, and compressing a minimum essential incident exchange, given the various sensors
- Examples of exchange message sizes for typical incidents, such as a virus/worm infection or a configuration change
- An optimal method for selecting and reducing the actual incident collection requests needed to pass all monitoring and collection content about an incident, with metrics that demonstrate the optimality methodology
- Identification of analysis tasks most efficiently processed remotely, which can further reduce bandwidth requirements
- A proposed, phased, minimum-bandwidth application for a designated sensor system (details to be provided at Phase 1 kickoff)
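As an added illustration of the "minimum essential information exchange" and "exchange message sizes" factors above (example code written for this page, not part of the topic or of any Navy system): a Python script that reduces a constructed IODEF (RFC 5070) incident report to the fields a CIRT needs for first triage and compares wire sizes of the full XML, the compressed XML, and the compressed minimal summary. Element names follow RFC 5070; the incident values, addresses and domain are constructed.

```python
import json
import zlib
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"

# Constructed IODEF (RFC 5070) report for one virus/worm incident; all values are made up.
SAMPLE_IODEF = f"""<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="1.00" xmlns="{IODEF_NS}">
  <Incident purpose="reporting">
    <IncidentID name="cirt.example.mil">INC-2012-0001</IncidentID>
    <ReportTime>2012-08-27T10:15:00-00:00</ReportTime>
    <Description>Worm infection on remote subscriber LAN; signature match on
      outbound scan traffic; host isolated by local sensor policy.</Description>
    <Assessment>
      <Impact severity="medium" completion="succeeded" type="admin"/>
    </Assessment>
    <EventData><Flow>
      <System category="source"><Node>
        <Address category="ipv4-addr">192.0.2.10</Address></Node></System>
      <System category="target"><Node>
        <Address category="ipv4-addr">192.0.2.55</Address></Node></System>
    </Flow></EventData>
  </Incident>
</IODEF-Document>"""

def essential_fields(xml_text):
    """Reduce a full IODEF report to the fields a CIRT needs for first triage."""
    ns = {"i": IODEF_NS}
    inc = ET.fromstring(xml_text).find("i:Incident", ns)
    addrs = {}  # flow endpoint addresses keyed by System category (source/target)
    for system in inc.findall(".//i:Flow/i:System", ns):
        node_addr = system.find("i:Node/i:Address", ns)
        addrs[system.get("category")] = node_addr.text if node_addr is not None else None
    impact = inc.find("i:Assessment/i:Impact", ns)
    return {
        "id": inc.findtext("i:IncidentID", namespaces=ns),
        "time": inc.findtext("i:ReportTime", namespaces=ns),
        "severity": impact.get("severity") if impact is not None else None,
        "src": addrs.get("source"),
        "dst": addrs.get("target"),
    }

def message_sizes(xml_text):
    """Bytes on the wire for the full XML, the zlib'd XML, and the minimal summary."""
    raw = xml_text.encode("utf-8")
    minimal = json.dumps(essential_fields(xml_text), separators=(",", ":")).encode("utf-8")
    return {"xml": len(raw), "xml_zlib": len(zlib.compress(raw, 9)),
            "minimal_json": len(minimal), "minimal_zlib": len(zlib.compress(minimal, 9))}
```

The free-text Description is what a remote analyst drops first; the full report can still be requested over the link later, once the summary has been triaged.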

PHASE II: Provide a practical implementation of the optimized solution researched and designed in Phase I. Testing and evaluation should accompany the implementation to demonstrate both feasibility and practicality. This phase will demonstrate exchanges for various combinations of incident data.

PHASE III: Transition this technology into current Navy systems supporting the Naval Cyber Defense Operations Command (NCDOC).

PRIVATE SECTOR COMMERCIAL POTENTIAL/DUAL-USE APPLICATIONS: The concept of a cybersecurity incident response team is not new to the commercial world. The bandwidth savings achieved from this proposal can be applied to both government and industry realms.

REFERENCES:
1. CYBEX - http://www.sigcomm.org/ccr/papers/2010/October/1880153.1880163

2. SCAP - http://scap.nist.gov/

3. IODEF - http://www.ietf.org/rfc/rfc5070.txt

KEYWORDS: bandwidth savings; sensors; incident response; packet compression; packet information extraction; low bandwidth

** TOPIC AUTHOR (TPOC) **
DoD Notice:
Between July 26 and August 26, 2012, you may talk directly with the Topic Authors (TPOC) to ask technical questions about the topics. Their contact information is listed above. For reasons of competitive fairness, direct communication between proposers and topic authors is not allowed starting August 27, 2012, when DoD begins accepting proposals for this solicitation.
However, proposers may still submit written questions about solicitation topics through the DoD's SBIR/STTR Interactive Topic Information System (SITIS), in which the questioner and respondent remain anonymous and all questions and answers are posted electronically for general viewing until the solicitation closes. All proposers are advised to monitor SITIS (12.3 Q&A) during the solicitation period for questions and answers, and other significant information, relevant to the SBIR 12.3 topic under which they are proposing.

If you have general questions about the DoD SBIR program, please contact the DoD SBIR Help Desk at (866) 724-7457.
