Portable Analytics for Multi-Stage Cyber Attack Investigation

Navy STTR 24.A - Topic N24A-T019
ONR - Office of Naval Research
Pre-release 11/29/23   Opens to accept proposals 1/03/24   Now Closes 2/21/24 12:00pm ET    [ View Q&A ]

N24A-T019 TITLE: Portable Analytics for Multi-Stage Cyber Attack Investigation

OUSD (R&E) CRITICAL TECHNOLOGY AREA(S): Integrated Sensing and Cyber; Trusted AI and Autonomy

OBJECTIVE: Develop forward-deployed portable analytics to automate initial stages of cyber attack investigation in connectivity-disadvantaged tactical platforms. The technology is needed to reconstruct attack stories, distilling the most important related events from vast quantities of low-level system and network data.

DESCRIPTION: As cyber attacks continue to escalate in complexity and Advanced Persistent Threat (APT) actors shift to using low-and-slow multi-stage attacks, cyber intrusion detection has come to be treated as a Big Data problem. Modern approaches require that a wide variety of information and sensor streams come together in an integrated analysis environment, with human and machine analytics combing the data feeds, hunting for needles in the haystack.

However, in connectivity-disadvantaged tactical environments, all of the fine-grained cyber event data (interface calls, low-level system logs, packet captures, event attestation, etc.) generated by a platformís information systems is unable to be streamed back to a centralized repository in a timely manner. This results in limitations for cyber attack investigations: either central analysis relies on incomplete, untimely, or reduced-precision data, or analytics expecting a global picture have to be pushed out to edge nodes, simultaneously reducing their effectiveness and separating them from the cyber hunt experts best equipped to make use of them.

To better address the problem of conducting effective Defensive Cyber Operations (DCO) on systems where connectivity is Denied, Degraded, Intermittent, or Limited (DDIL), new technology is needed to enable a multi-stage forensics approach to cyber event analysis and investigation. To feed later stages of analysis, portable analytics designed to be edge deployed need to be developed that distill the rich, onboard system and network event data, enabling the platform to make the most efficient use of any upstream connection.

The analytics must not rely on having any backhaul connectivity or onboard operator expertise beyond a most basic set of hints such as an operator noticing that a service crashed or that a subsystem was behaving oddly. The analytics should seek out connections and sequences in the system and network data that map to possible attack tactics, techniques, and procedures (TTPs), then bundle relevant data for priority offboarding to a more centralized analysis platform where it could be further triaged.

PHASE I: Define and develop a concept for automated rapid cyber forensics that can enable multi-stage cyber attack investigation and meet the constraints outlined in the Description. Provide a model of how the analytics would feed the cyber event distillation. Phase I Option, if exercised, would develop the initial distillation capability to create the full prototype in Phase II.

PHASE II: Develop a containerized portable analytic capability to validate the concepts defined in Phase I. Demonstrate attack story reconstruction and key data distillation by ingest on several different types of system and network data. The prototype should be deployable on a connectivity-disadvantaged edge node and able to inform a cyber big data platform by the end of Phase II.

PHASE III DUAL USE APPLICATIONS: Integrate the Phase II developed portable analytics prototype to a program as a component to a DCO system. Field containerized analytic with appropriate data ingestors and capability to integrate with existing data fabrics. Commercial use includes cyber security analysis in various sectors such as automotive, IoT, robotics, agricultural, and industrial control.


  1. Alsaheel, A.; Nan, Y.; Ma, S.; Yu, L.; Walkup, G.; Celik, Z.B.; Zhang, X. and Xu, D. "ATLAS: A sequence-based learning approach for attack investigation." 30th USENIX Security Symposium, 2021.
  2. Pei, K.; Gu, Z.; Saltaformaggio, B.; Ma, S.; Wang, F.; Zhang, Z.; Si, L.; Zhang, X. and Xu, D. "Hercule: Attack story reconstruction via community discovery on correlated log graph." Proceedings of the 32nd Annual Conference on Computer Security Applications (ACSAC), 2016.
  3. Navarro, J.; Deruyver, A. and Parrend, P. "A systematic survey on multi-step attack detection." Computers & Security, 76, 2018, pp.214-249.
  4. Hassan, W.U.; Noureddine, M.A.; Datta, P. and Bates, A. "Omegalog: High-fidelity attack investigation via transparent multi-layer log analysis." Network and distributed system security symposium (NDSS), 2020.
  5. Milajerdi, S.M.; Gjomemo, R.; Eshete, B.; Sekar, R. and Venkatakrishnan, V.N. "Holmes: real-time apt detection through correlation of suspicious information flows." IEEE Symposium on Security and Privacy (IEEE S&P), 2019.

KEYWORDS: Cyber, Defensive Cyber Operations, Forensics, Sequence Learning, Situational Awareness, Artificial Intelligence/Machine Learning, AI/ML, Denied, Degraded, Intermittent, or Limited, DDIL


The Navy Topic above is an "unofficial" copy from the Navy Topics in the DoD 24.A STTR BAA. Please see the official DoD Topic website at www.defensesbirsttr.mil/SBIR-STTR/Opportunities/#announcements for any updates.

The DoD issued its Navy 24.A STTR Topics pre-release on November 28, 2023 which opens to receive proposals on January 3, 2024, and now closes February 21, (12:00pm ET).

Direct Contact with Topic Authors: During the pre-release period (November 28, 2023 through January 2, 2024) proposing firms have an opportunity to directly contact the Technical Point of Contact (TPOC) to ask technical questions about the specific BAA topic. Once DoD begins accepting proposals on January 3, 2024 no further direct contact between proposers and topic authors is allowed unless the Topic Author is responding to a question submitted during the Pre-release period.

SITIS Q&A System: After the pre-release period, until January 24, 2023, at 12:00 PM ET, proposers may submit written questions through SITIS (SBIR/STTR Interactive Topic Information System) at www.dodsbirsttr.mil/topics-app/ by logging in and following instructions. In SITIS, the questioner and respondent remain anonymous but all questions and answers are posted for general viewing.

Topics Search Engine: Visit the DoD Topic Search Tool at www.dodsbirsttr.mil/topics-app/ to find topics by keyword across all DoD Components participating in this BAA.

Help: If you have general questions about the DoD SBIR program, please contact the DoD SBIR Help Desk via email at [email protected]

Topic Q & A

1/22/24  Q. 1. Are there size, hardware or power limitations for the "portable device"? eg. would "briefcase" sized device be acceptable or something like a thumb drive be preferred?
2. What types of ports/connections should the device be designed around?
   A. 1. The intention is that the software analytics are portable, e.g., easily packaged up and run on different systems. This solicitation does not require the development of any new hardware devices.
2. This solicitation does not require the development of any new hardware devices.
1/2/24  Q. Is the use of AI a requirement for the submission?
   A. No, proposers may leverage any approach/algorithm that addresses the topicís needs.

[ Return ]