Active Software Defense to Reduce Threat Capability Effectiveness


TECHNOLOGY AREAS: Information Systems

OBJECTIVE:  Develop innovative software protection technology that can support the active defense of critical software applications.

DESCRIPTION:  Current software application defenses are largely passive in nature [1].  When an attack is detected, these defenses often impose indirect penalties (e.g., deleting cryptographic keys or zeroing memory) in such a manner that it forces the adversary to reacquire the software and hardware assets, but impose no real-time penalties on the attacker that prevent the application from becoming compromised in the first place [2] [3].

The focus of this topic is to develop intelligent and cooperative software protection agents that can deploy active defensive countermeasures [4] and be used in conjunction with other forms of software protection.  The desired software protection system should meet the following requirements: (1) have the ability to monitor, in real-time, protected end-nodes and report suspicious activity indicating a possible attack; (2) have the ability to gather forensic information on the protected host related to the attack; (3) have the ability to synthesize and assess the collected information to form a response to an attack; and (4) have the ability to impose direct penalties on the attacker within the boundaries of the protected host or network environment.

The software protection solution should contain the ability to perform surveillance as well as protection, and should have the ability to discriminate between a legitimate user and an attacker.  Using the captured surveillance information, the solution should have the ability to react to an attack (e.g., terminating the network connection, stopping malicious processes, or denying the use of attack tools).  Surveillance information of interest includes, but is not limited to, knowledge of the attacker’s behavior, attack tools and methods used, the type of information being sought in the attack, and the origin of attack.  In the absence of connectivity with human operators, the active defensive system must have the ability to act autonomously and respond to an attack, contingent upon meeting pre-determined criteria.  Proportional and subtle responses to an attack are important elements in the protection scheme.  Responses must only occur once it is determined with a high degree of certainty that the host or network the application resides on is under attack or has been compromised, and the proposal should specify a policy for when such penalties will be invoked and with what severity.

An example of a system employing active defense is a protection system that (upon attack detection) can intelligently and proportionally respond to the attack, including sending a warning to a system administrator for a benign policy violation, redirecting an attacker to a honeypot for intelligence gathering, terminating a network connection, or covertly degrading the target application prior to piracy by the adversary.
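The four requirements and the example above describe one pipeline: sensor events from a protected end-node are synthesized into a per-actor assessment with a forensic trail, and a policy maps that assessment to a proportional response that is only escalated to a penalty at high certainty. The script below is an added illustration of that policy, not code from the solicitation or from any proposer. The event format, indicator weights, confidence thresholds and the "two independent indicator types before termination" rule are assumptions chosen for the example; the sample events are constructed. Responses stay within the protected host (warn, redirect to a honeypot, terminate the connection), and when an operator is reachable the agent only recommends penalties rather than executing them itself.

```python
"""Confidence-gated, proportional response policy for an active-defense agent.

Added illustrative code, not from the solicitation or any vendor's product.
Event fields, weights and thresholds are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events as a host monitor might report them (requirement 1).
# actor = who/what is acting, indicator = category, detail = forensic context.
SAMPLE_EVENTS = [
    {"actor": "user:alice", "indicator": "login_success", "detail": "console login, business hours"},
    {"actor": "ip:203.0.113.7", "indicator": "login_failure", "detail": "ssh: invalid password for root"},
    {"actor": "ip:203.0.113.7", "indicator": "login_failure", "detail": "ssh: invalid password for admin"},
    {"actor": "ip:203.0.113.7", "indicator": "login_failure", "detail": "ssh: invalid password for oracle"},
    {"actor": "ip:203.0.113.7", "indicator": "debugger_attach", "detail": "ptrace attach on protected pid 4242"},
    {"actor": "ip:203.0.113.7", "indicator": "key_file_read", "detail": "unexpected process opened license.key"},
    {"actor": "ip:198.51.100.9", "indicator": "login_failure", "detail": "ssh: invalid password for root"},
    {"actor": "ip:198.51.100.9", "indicator": "debugger_attach", "detail": "ptrace attach on protected pid 4242"},
    {"actor": "user:bob", "indicator": "policy_violation", "detail": "copied config to removable media"},
]

# Assumed indicator weights. Weighted per distinct indicator, with a small bonus
# per repeat, so one cheap repeated signal cannot push an actor to a penalty alone.
WEIGHTS = {
    "login_failure": 0.15,
    "policy_violation": 0.2,
    "debugger_attach": 0.5,
    "key_file_read": 0.5,
}
REPEAT_BONUS = 0.05


@dataclass
class Assessment:
    actor: str
    confidence: float = 0.0
    indicators: set = field(default_factory=set)
    evidence: list = field(default_factory=list)  # forensic trail (requirement 2)


def assess(events):
    """Synthesize raw events into a per-actor assessment (requirement 3)."""
    by_actor = defaultdict(list)
    for ev in events:
        by_actor[ev["actor"]].append(ev)
    result = {}
    for actor, evs in by_actor.items():
        a = Assessment(actor=actor)
        for ev in evs:
            a.evidence.append(f'{ev["indicator"]}: {ev["detail"]}')
            if ev["indicator"] in WEIGHTS:
                a.indicators.add(ev["indicator"])
        suspicious = sum(1 for ev in evs if ev["indicator"] in WEIGHTS)
        repeats = suspicious - len(a.indicators)
        score = sum(WEIGHTS[i] for i in a.indicators) + REPEAT_BONUS * repeats
        a.confidence = round(min(1.0, score), 2)
        result[actor] = a
    return result


def decide(a, operator_reachable):
    """Map an assessment to a proportional response (requirement 4).

    Returns (response, autonomous). Penalties need high certainty; termination
    additionally needs two independent indicator types, so a single noisy
    sensor never triggers the harshest response. If an operator is reachable,
    penalties are recommended rather than executed; the agent acts on its own
    only when disconnected and the criteria above are met.
    """
    if a.confidence < 0.2:
        response = "none"
    elif a.confidence < 0.6:
        response = "warn_admin"
    elif a.confidence >= 0.9 and len(a.indicators) >= 2:
        response = "terminate_connection"
    else:
        response = "redirect_honeypot"
    autonomous = response in ("none", "warn_admin") or not operator_reachable
    return response, autonomous


def run(events, operator_reachable):
    """Assess every actor and return a list of (actor, confidence, response, autonomous)."""
    out = []
    for actor, a in assess(events).items():
        response, autonomous = decide(a, operator_reachable)
        out.append((actor, a.confidence, response, autonomous))
    return out


if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS, operator_reachable=False):
        print(row)
```

Running the script with `operator_reachable=False` shows the ladder in action: the legitimate console login gets no response, the removable-media policy violation only warns an administrator, the single-indicator probe from 198.51.100.9 is redirected to a honeypot, and only the actor combining repeated failed logins, a debugger attach and a key-file read reaches termination. Flipping `operator_reachable` to `True` leaves the recommended responses unchanged but marks the penalties as not to be executed autonomously.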

PHASE I:

1)  Research and develop a concept for an active software defense that meets the above mentioned requirements.  Operating systems of interest include Linux or Windows.

2)  Provide design and architecture documents of a prototype tool that demonstrates the feasibility of the concept.

3)  Provide a minimal software prototype that meets one or more of the four requirements listed above.

PHASE II:

1)  Based on the results from Phase I, refine and extend the design of the active software defensive system prototype to a fully functioning solution.

2)  Provide test and evaluation results demonstrating the ability of the prototype to deploy active countermeasures on attackers.

PHASE III DUAL-USE APPLICATION:  Active software defensive technology will serve to protect critical intellectual property by preventing attacks in real-time, gathering forensic evidence concerning the attack, or invoking a penalty on the attacker; and as such will find application in both the government and commercial sectors.  Commercial applications can use the active defensive software protection technology described above to monitor, control, debug, configure, authenticate, update, and patch critical software and data with a reduced risk of exploitation [5].  Enterprise software that has embedded situational awareness can be used to authenticate and ensure trust in end-node applications.
