
Assessing Virtual Private Network (VPN) Networthiness (AVN)

Description:

OUSD (R&E) CRITICAL TECHNOLOGY AREA(S): Integrated Sensing and Cyber; Advanced Computing and Software

OBJECTIVE: The Assessing Virtual Private Network (VPN) Networthiness (AVN) SBIR topic seeks to develop and demonstrate techniques and systems for automatically analyzing third-party commercial VPN solutions to determine the actual operational privacy profile/performance of such services.

DESCRIPTION: Following the COVID-19 pandemic, and the concomitant increase in remote work, organizations and teleworkers sought solutions to keep their connections private and their workplace communications confidential. In other scenarios around the world, populations have sought private and secure solutions to circumvent restrictions on internet access placed on them by authoritarian regimes. It is therefore unsurprising that commercial VPN services have experienced substantial increases in demand over recent years [1, 2, 3]. The surge in VPN service demand has caused an increase in supply to the extent that (for example) the Google Play Store houses several hundred different apps that offer free (for examples, see [4]) and paid VPN services advertising increased privacy, high-speed bandwidth, large numbers of egress servers, access to censored websites, etc. [5]. Even though users may be able to easily differentiate between fast and slow VPN services merely by using the service, there are unfortunately no outward signs they can use to quantify the privacy provided by VPN services. As such, users who employ such services to increase their privacy may in fact be revealing their data to remote networks of less trustworthiness than their own local networks [6, 7]. It is therefore important to be able to proactively and continuously evaluate the properties and quality of protection that a commercial VPN solution offers.
With rare exception [8], existing reviews of VPN services are typically conducted by technology journalists and are therefore limited to assessments of VPN performance (e.g., speed), price, user friendliness (e.g., ease of use), features, and supported protocols (e.g., see [9]). The AVN SBIR topic seeks to address this shortfall by developing and demonstrating techniques and systems for automatically analyzing third-party commercial VPN solutions to determine their networthiness, where networthiness considerations align with those of the Department of Defense (DoD) and Intelligence Community (IC) [10].

PHASE I: The AVN SBIR topic is soliciting Direct to Phase 2 (DP2) proposals only, which must include supporting documentation of Phase I feasibility. Phase I feasibility must be demonstrated through evidence of: a completed proof of concept/principle or basic prototype system; definition and characterization of system properties/technology capabilities desirable for DoD/IC/government and civilian/commercial use; and capability/performance comparisons with existing state-of-the-art technologies/methodologies (competing approaches). Entities interested in submitting a DP2 proposal must provide documentation to substantiate that the scientific/technical merit and feasibility described above have been achieved and must also describe the potential commercial applications. DP2 Phase I feasibility documentation should include, at a minimum:

• technical reports describing results and conclusions of existing work, particularly regarding the commercial opportunity or DoD/IC insertion opportunity, risks/mitigations, and technology assessments;
• presentation materials and/or white papers;
• technical papers;
• test and measurement data;
• prototype designs/models;
• performance projections, goals, or results in different use cases; and
• documentation of related topics such as how the proposed AVN solution can enable accurate and reliable analysis of third-party VPN solutions.
The collection of Phase I feasibility material will verify mastery of the required content for DP2 consideration. DP2 proposers must also demonstrate knowledge, skills, and abilities in the technical areas of software engineering, network security, privacy, analytics, and machine learning. For detailed information on DP2 requirements and eligibility, please refer to the DoD Broad Agency Announcement and the DARPA Instructions for this topic.

PHASE II: The AVN DP2 SBIR topic seeks to develop and demonstrate techniques and systems for automatically analyzing third-party commercial VPN solutions to determine the actual operational privacy profile/performance of such services. AVN solutions will provide an objective quantification of the privacy-related performance of third-party VPN services across platforms (e.g., Android, iPhone, PC, Mac, Ubuntu, etc.). Ideal solutions would require limited manual intervention and would not rely on information supplied by the VPN service provider. AVN approaches will need to provably scale with the large number of available and future commercial VPN services. Ideally, AVN solutions would enable a user to tailor analyses to specific requirements, as VPNs offer varying privacy protections that are not uniformly valuable to every user. DP2 proposals should:

• describe a proposed framework design/architecture to achieve the above stated goals;
• present a plan for maturation of the framework to a demonstrable prototype system; and
• detail a test plan, complete with proposed quantitative metrics for privacy, and for verification and validation of the prototype system performance.
Phase II will culminate in a prototype system demonstration using one or more compelling use cases consistent with commercial opportunities and/or insertion into a DARPA program, for example, the Signature Management using Operational Knowledge and Environments (SMOKE) [11] program, which seeks to develop data-driven tools to automate the planning and execution of threat-emulated cyber infrastructure needed for network security assessments. The Phase II Option period will further mature the technology for insertion into a DoD/IC Acquisition Program, another Federal agency, or commercialization into the private sector. The schedule of milestones and deliverables below is provided to establish expectations and desired results/end products for the Phase II and Phase II Option period efforts.

Schedule/Milestones/Deliverables: Proposers will execute the research and development (R&D) plan as described in the proposal, including the below:

• Month 1: Phase I Kickoff briefing (with annotated slides) to the DARPA Program Manager (PM) including: any updates to the proposed plan and technical approach, risks/mitigations, schedule (inclusive of dependencies) with planned capability milestones and deliverables, proposed metrics, and plan for prototype demonstration/validation.
• Months 4, 7, 10: Quarterly technical progress reports detailing technical progress to date, tasks accomplished, risks/mitigations, a technical plan for the remainder of Phase II (while this would normally report progress against the plan detailed in the proposal or presented at the Kickoff briefing, it is understood that scientific discoveries, competition, and regulatory changes may all have impacts on the planned work, and DARPA must be made aware of any revisions that result), planned activities, trip summaries, and any potential issues or problem areas that require the attention of the DARPA PM.
• Month 12: Interim technical progress briefing (with annotated slides) to the DARPA PM detailing progress made (including quantitative assessment of capabilities developed to date), tasks accomplished, risks/mitigations, planned activities, technical plan for the second half of Phase II, the demonstration/verification plan for the end of Phase II, trip summaries, and any potential issues or problem areas that require the attention of the DARPA PM.
• Months 15, 18, 21: Quarterly technical progress reports detailing technical progress made, tasks accomplished, risks/mitigations, a technical plan for the remainder of Phase II (with necessary updates as in the parenthetical remark for Months 4, 7, and 10), planned activities, trip summaries, and any potential issues or problem areas that require the attention of the DARPA PM.
• Month 24: Final technical progress briefing (with annotated slides) to the DARPA PM. Final architecture with documented details; a demonstration of the ability to automatically analyze third-party commercial VPN solutions; documented application programming interfaces; and any other necessary documentation (including, at a minimum, user manuals, a detailed system design document, and the commercialization plan).
• Month 30 (Phase II Option period): Interim report of matured prototype performance against existing state-of-the-art technologies, documenting key technical gaps towards productization.
• Month 36 (Phase II Option period): Final Phase II Option period technical progress briefing (with annotated slides) to the DARPA PM including prototype performance against existing state-of-the-art technologies, including quantitative metrics for assessment of privacy features/capabilities.

PHASE III DUAL USE APPLICATIONS: AVN has potential applicability across DoD/IC/government and commercial entities.
For DoD/IC/government, AVN is extremely well-suited for proactive and continuous assessment of the privacy features/performance of various VPN services. AVN has the same applicability for the commercial sector and has the potential to provide individuals worldwide with reliable private connections and communications. Phase III refers to work that derives from, extends, or completes an effort made under prior SBIR funding agreements, but is funded by sources other than the SBIR Program. The Phase III work will be oriented towards transition and commercialization of the developed AVN technologies. For Phase III, the proposer is required to obtain funding from either the private sector, a non-SBIR Government source, or both, to develop the prototype into a viable product or non-R&D service for sale in government or private sector markets. Primary AVN support will be to national efforts to help secure government, commercial, and personal networks and devices against advanced persistent threats that target vulnerable VPN devices. Results of AVN are intended to improve understanding of the risks associated with VPNs, across government and industry.

REFERENCES:
1. “The Impact of COVID-19 on VPN Usage and Streaming Habits”, https://www.cartesian.com/the-impact-of-covid-19-on-vpn-usage-and-streaming-habits/
2. “VPN Demand Surges Around the World”, https://www.top10vpn.com/research/vpn-demand-statistics/
3. “Four Risks to Consider with Expanded VPN Deployments”, https://www.f5.com/labs/articles/cisotociso/four-risks-to-consider-with-expanded-vpn-deployments
4. “Free VPN Ownership & Security Investigations Update”, https://www.top10vpn.com/research/free-vpn-investigations/ownership-risk-index-update/
5. Muhammad Ikram, Narseo Vallina-Rodriguez, Suranga Seneviratne, Mohamed Ali Kaafar, and Vern Paxson. 2016. “An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps.” In Proceedings of the 2016 Internet Measurement Conference (IMC '16). Association for Computing Machinery, New York, NY, USA, 349–364. https://doi.org/10.1145/2987443.2987471. Available at https://www.cs.umd.edu/class/spring2017/cmsc818O/papers/vpn-app-risks.pdf
6. O. Akgul, R. Roberts, M. Namara, D. Levin and M. L. Mazurek. “Investigating Influencer VPN Ads on YouTube.” 2022 IEEE Symposium on Security and Privacy (SP), 2022, pp. 876–892, doi: 10.1109/SP46214.2022.9833633. Available at https://www.cs.umd.edu/~akgul/papers/vpn-ads.pdf
7. “Free VPNs are bad for your privacy”, https://techcrunch.com/2020/09/24/free-vpn-bad-for-privacy/
8. Grauer, Yael. “Security and Privacy of VPNs Running on Windows 10.” Consumer Reports Digital Lab, 2021. Available at https://digital-lab-wp.consumerreports.org/wp-content/uploads/2021/12/VPN-White-Paper.pdf
9. https://www.top10vpn.com/reviews/
10. https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2791320/nsa-cisa-release-guidance-on-selecting-and-hardening-remote-access-vpns/
11. Defense Advanced Research Projects Agency, SMOKE Broad Agency Announcement HR001122S0006 (2021). Available at https://sam.gov/opp/6ab1fdaedfd6411ba966025cd74e467c/view

KEYWORDS: custom analytics, network security, privacy, virtual private network