You are here

Advanced Persistent Cyber Threat Anomaly Detection



TECHNOLOGY AREA(S): Information Systems

ACQUISITION PROGRAM: PEO Integrated Warfare Systems (IWS) 1.0, AEGIS Integrated Combat System.

The technology within this topic is restricted under the International Traffic in Arms Regulation (ITAR), 22 CFR Parts 120-130, which controls the export and import of defense-related material and services, including export of sensitive technical data, or the Export Administration Regulation (EAR), 15 CFR Parts 730-774, which controls dual use items. Offerors must disclose any proposed use of foreign nationals (FNs), their country(ies) of origin, the type of visa or work permit possessed, and the statement of work (SOW) tasks intended for accomplishment by the FN(s) in accordance with section 5.4.c.(8) of the solicitation. Offerors are advised foreign nationals proposed to perform on this topic may be restricted due to the technical data under US Export Control Laws.

OBJECTIVE: Develop a real-time capability for anomaly based detection of cyber-attacks in Internet Protocol (IP) based Combat System networks.

DESCRIPTION: Cyber-attack is a growing concern in military and commercial markets due to the increased sophistication and proliferation of hacker implements such as Denial of Service (DoS) tactics and zero day threats. Conventional approaches such as data encryption and virus definition files deployed through anti-virus software and associated updates are unable to address the increased complexity of today’s cyber-attacks. Commercially available technologies for preventing attacks are not updating real-time to protect against emerging threats or assessing compounded system vulnerabilities, a Navy specific need for ensuring protection and operational availability of the combat and weapon systems integral to mission success. By developing a cyber-protection system architecture possessing the ability to detect an imminent cyber-attack on a real-time basis from one or more vectors, the Navy can protect vital data and communication equipment and software and prevent system failures due to cyber threats.

The Advanced Persistent Threat (APT) is a cyber-adversary that attempts to gain a stealthy foothold on a targeted system (Ref. 1). The APT can remain present (persist) within the targeted system for extended periods without being detected. An APT can potentially observe military tactics, techniques, and procedures for executing a mission. The APT can observe and corrupt the data used to plan and execute the mission posing a loss of life, risk to the war fighter, as well as mission failure. Being stealthy, the APT would have the opportunity to deny the execution of the mission at a time of the APT’s choosing. The APT may accomplish this objective by depositing malware onto the target system via social engineering or supply chain infiltration. A layered defense in-depth strategy mitigates the APT, but additional capabilities to assess system health and behavior against the APT are desired so that if an APT is detected, the APT may be eliminated, isolated, or presented with disinformation to assure mission success.

The APT may target a system through any combination of three cyber-attack vectors: Data At Rest, meaning the files on the disk drives; Data in Execution, meaning data and computer programs in memory; and Data in Transit, meaning the data moving across a network.

State of the art techniques used to detect and mitigate the APT include file integrity checkers, anti-virus tools, automated computer log reviewers, network access controlled appliances, and rule-based System Information and Event Management (SIEM) tools. Heuristic algorithms are needed to compliment near real-time rule-based approaches to thwart the APT.

Current cyber techniques utilize code-signature mechanisms, such as virus definition files, which contain a set of digital signatures for previously identified malicious code, as well as real-time data encryption such as “https” protocol, Public Key Infrastructure (PKI) and NSA approved Triple Data Encryption Standard (Triple DES) to achieve cyber security. Such methods are more than adequate for communications with a validated network peer and supporting non real-time detection of the potential compromise of a suspect system utilizing file-scanning techniques. For low-bandwidth communications, rudimentary pseudo-real-time uses of code-signature techniques (such as email-scanning virus-detection processes) are used to help validate incoming data and prevent cyber-attack. The ability to detect a cyber-attack from one or more vectors, and pre-emptively secure the system from that pending attack (or immediately mitigate the effects of the attack if prevention is impossible), becomes a critical issue.

There is a need for a cyber-protection tool with the capability to detect imminent, un-documented cyber-attacks. The foundations of this system shall be derived from the development of pattern recognition sensors and algorithms developed by the proposer. The system will be capable of identifying and classifying cyber-attack methods based on data collected through network traffic, computer usage logs, and load monitoring software. Proposed cyber-protection architectures would need the capability to detect and identify cyber-attacks from multiple vectors including network-based attacks, system infiltration attempts (zero-day and otherwise), and other malicious access and data infiltration techniques (Ref. 1). This will be accomplished in a manner that would allow continued system operation (Ref. 2) and for the deployment of appropriate attack-dependent cyber countermeasures designed to either eliminate the specific attack, or mitigate the effects of the specific attack, before extensive damage occurs. The software should not affect system message latency and have a low false alarm rate. Software testing to prove concept accuracy in pattern recognition will be done by the small business. Software certification will be a joint effort between the small business and the systems integrator.

PHASE I: During Phase I, the company will develop a concept for a real-time low or no latency anomaly detection capability for Combat Systems. The company will show the feasibility of this concept with a set of real-time pattern detection models, methods, and algorithms capable of identifying and classifying potential cyber-attack vectors and methods. These models, methods and algorithms would be based on real-time data collected through network traffic and load monitoring software, as well as real-time predictive algorithms enabling the potential classification of the attack within a period adequate to enable real-time attack mitigation and response. For example, a fast discovery scan to sequentially map a network for attack should be recognized within minutes while a shrewd adversary may wait hours between seemingly random connection attempts. Feasibility will be demonstrated by numerical, probability of detection analyses comparing sample baseline system and data attributes, and system and data attributes associated with experimental cyber-attacks. The Phase I Option, if awarded, will include the capabilities description to develop the software in Phase II.

PHASE II: Based on the results of Phase I and the Phase II Statement of Work (SOW), a prototype software with real-time capability will be delivered that could be integrated with any hardware and software systems. The prototype must be capable of demonstrating real-time attack pattern detection and attack classification prediction models in a timeframe commensurate with the requisite real-time attack response requirement. The company shall provide a detailed test plan to demonstrate the deliverable identifies the APT. A Phase III qualification and transition plan will be provided at the end of Phase II.

PHASE III DUAL USE APPLICATIONS: During Phase III, the company will support the Navy in the system integration and qualification testing for the software developed in Phase II. This will be accomplished through land-based and ship integration and test events. Private Sector Commercial Potential: Cyber-attacks on commercial companies have grown exponentially with ever-increasing sophistication in the types of attack. Public sector organizations deal with the ramifications of these attacks after the fact versus being able to respond to them in a real-time preventative manner. The technology developed under this effort would be directly applicable to the commercial need to respond to the same sorts of attack that the DoD is facing. Many DoD protocols and interface requirements are based on commercially accepted standards which facilitates a viable technology transition of this topic’s technology to the commercial market.


  • Eric M. Hutchins, Michael J. Clopperty, Rohan M. Amin, Ph.D. "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" (PDF). Lockheed Martin Corporation Abstract. 13 March 2013. 4 June 2015. retrieved from
  • McDowell, Mindy. "Security Tip (ST04-015) Understanding Denial-of-Service Attacks” Department of Homeland Security United States Computer Emergency Readiness Team. 06 February 2013. 15 April 2015.
  • Department of Defense Instruction, No. 8500.2, “Information Assurance (IA) Implementation. 6 February 2003.

KEYWORDS: Detect and identify cyber-attacks from multiple vectors; detect a potentially imminent cyber-attack; cyber-protection architectures; network-based DoS; malicious access and data infiltration techniques; pattern detection models

US Flag An Official Website of the United States Government