Utilization Of Inference Engine Technology For Navy Cyber Situational Awareness
Navy SBIR 2013.2 - Topic N132-140
SPAWAR - Ms. Elizabeth Altmann - [email protected]
Opens: May 24, 2013 - Closes: June 26, 2013

N132-140 TITLE: Utilization Of Inference Engine Technology For Navy Cyber Situational Awareness

TECHNOLOGY AREAS: Information Systems

RESTRICTION ON PERFORMANCE BY FOREIGN CITIZENS (i.e., those holding non-U.S. Passports): This topic is "ITAR Restricted". The information and materials provided pursuant to or resulting from this topic are restricted under the International Traffic in Arms Regulations (ITAR), 22 CFR Parts 120 - 130, which control the export of defense-related material and services, including the export of sensitive technical data. Foreign Citizens may perform work under an award resulting from this topic only if they hold the "Permanent Resident Card", or are designated as "Protected Individuals" as defined by 8 U.S.C. 1324b(a)(3). If a proposal for this topic contains participation by a foreign citizen who is not in one of the above two categories, the proposal will be rejected.

OBJECTIVE: Develop a means of employing inference engine technology to improve accuracy and speed to response for Navy Cyber Situational Awareness (NCSA) applications.

DESCRIPTION: Fleet Cyber Command/U.S. Tenth Fleet (FCC/C10F) is the operational entity responsible for assuring timely, trusted, and comprehensive situational awareness of the cyberspace domain. FCC/C10F currently relies on a variety of disparate tools, many of which are based on unique display and database technologies. The current solution fails to meet the objective of providing an integrated, tailorable Cyber Situational Awareness (SA) capability that can incorporate dynamic data feeds synchronized with the maritime operating environment. FCC/C10F desires a Cyber SA system that can utilize data obtained from disparate tools by dynamically consolidating the most relevant information in an amalgamated display. Support of this objective necessitates a means to provide: (1) a well-coordinated picture of Cyber SA, (2) the ability to perform deep analysis of input data from a single source, (3) a solution that is adaptable to new threats and data feeds, (4) agile software development cycles, and (5) a long-term sustainment strategy.

The research question is the extent to which inference engine technology can improve accuracy and speed to response by making inferences from multiple Cyber SA data sources. WolframAlpha is one example of an inference engine technology.

Of particular interest is the determination of how quickly and directly the technologies can select desired output formats (i.e., visualization, text) appropriate for a particular scenario. As an example, an NCSA analyst may receive information from a data source indicating that a particular device has been compromised within a Navy protected enclave. The analyst would likely want to know the location of the device along with any other information related to why the device may be compromised. Inference engine technology has the potential to make associations that may indicate causal or contributing factors to the device compromise. Inference engine technology can also display any such associations in ways that are more meaningful to an analyst, so that the analyst can more readily determine a response and mitigation.

Data sources in support of NCSA include NetOps (Enterprise Networks Systems Management [ENMS]) and Computer Network Defense [CND] (for example, Host Based System Security [HBSS] and Assured Compliance Assessment Solution [ACAS]); SPACE; Signal Intelligence (SIGINT); and Information Operations (IO). Candidate data sources will include any form of output produced from any system or device within those primary groups (e.g., processed alerts, audit logs, raw data).

In the above example, the indication of a device compromise might result from an ENMS source. The ACAS and HBSS sources could contain information related to the device in question. In such a case, the additional ACAS and HBSS data sources would likely contain information identifying causal or contributing events resulting in the device compromise. In addition, the data sources could indicate a potential escalation of further device compromise. The accuracy of the correlation of events from such data sources is a key component of Cyber SA. The speed to response is key to containing and correcting the situation. Inference engine technology has the potential to make associations related to a device query and present the results in a manner that enables an analyst to respond rapidly.

PHASE I: Determine the applicability and relative benefits of inference engine technology to NCSA (candidate inference engine technologies to be discussed at kickoff). Establish control and baseline metrics from which to quantify potential improvements to NCSA accuracy and speed to response. Determine the extent to which the benefit of inference engine technology can be improved through tailoring. Identify other aspects of inference engine technology that may provide additional NCSA utility or new capability.

The Phase I deliverable will address at least these factors:
• Baseline control metrics of existing NCSA solution accuracy and speed to response
• Initial improvements to NCSA accuracy and speed to response resulting from the use of inference engine technology
• Further improvements to NCSA accuracy and speed to response resulting from tailoring of inference engine technology
• Aspects of inference engine technology that may provide additional NCSA utility or new capability

PHASE II: Provide a practical implementation of the solution researched and designed in Phase I, whether it is an extension of existing inference engine technology or a completely new inference engine technology. Testing and evaluation should accompany the implementation to illustrate both feasibility and practicality. The solution should also show how it can be aligned with NCSA agile development methodologies. Disclosures to the operational environment may be made, making work under Phase II potentially classified.

PHASE III: Transition the proposed solution to current Navy systems that support NCSA.

PRIVATE SECTOR COMMERCIAL POTENTIAL/DUAL-USE APPLICATIONS: The big data analytics component realized from this topic also affects industry. Scoping the research and development to improve accuracy and speed would also benefit industry components that already use current solutions.

REFERENCES:
(1) "Analytics in a Big Data Environment" - http://www.redbooks.ibm.com/redpapers/pdfs/redp4877.pdf

(2) "Fact Sheet: Big Data Across the Federal Government" (pg. 1) - http://www.whitehouse.gov/sites/default/files/microsites/ostp/big_data_fact_sheet_final.pdf

KEYWORDS: cyber situational awareness; inference engine; big data; analytics

** TOPIC AUTHOR (TPOC) **
DoD Notice:  
Between April 24 and May 24, 2013, you may talk directly with the Topic Authors (TPOC) to ask technical questions about the topics. Their contact information is listed above. For reasons of competitive fairness, direct communication between proposers and topic authors is not allowed starting May 24, 2013, when DoD begins accepting proposals for this solicitation. However, proposers may still submit written questions about solicitation topics through the DoD's SBIR/STTR Interactive Topic Information System (SITIS), in which the questioner and respondent remain anonymous and all questions and answers are posted electronically for general viewing until the solicitation closes. All proposers are advised to monitor SITIS (13.2 Q&A) during the solicitation period for questions and answers, and other significant information, relevant to the SBIR 13.1 topic under which they are proposing.

If you have general questions about the DoD SBIR program, please contact the DoD SBIR Help Desk at (866) 724-7457 or email weblink.