Reducing Bandwidth Requirements for Cybersecurity Information Exchanges

Description:

OBJECTIVE: Develop an efficient or optimal means of reducing or compressing cybersecurity monitoring information and data collection for transmission over low-bandwidth links.

DESCRIPTION: Within cybersecurity, Computer Network Defense (CND) relies partially on sensors that observe hosts and networks. Sensor functions include pattern or signature matching against known hostile profiles, anomaly detection, log file collection and analysis, and raw packet capture and analysis. Many of these processes, especially raw packet capture, generate large volumes of raw collection. Many incidents occur at locations remote from a cybersecurity incident response team, and response discovery and analysis often require physically shipping storage media. Incident response needs to occur in minutes or hours, not days.

The target cybersecurity communications formats, schemas, and protocols for CND-related incident and sensor collection include:
- Security Content Automation Protocol (SCAP) - NIST IR-7511
- Incident Object Description and Exchange Format (IODEF) - RFC 5070
- Cybersecurity Exchange Framework (CYBEX) - X.1500-X.1589

Additionally, cybersecurity systems collect raw log files from hosts, servers, routers, switches, and other devices, commonly analyzed using tools such as AWStats or WebLogExpert. Some cybersecurity systems collect and analyze raw packet data (packet sniffing) within a network, commonly analyzed using Wireshark or similar software. Upon actual incident detection, a response team must analyze what occurred, classify the cause, review attack vectors, determine the scope of impact, and assemble evidence for later prosecution.

PHASE I: Conceptualize and design an innovative solution to reduce the total bandwidth required to exchange information from a remote subscriber LAN back to a centralized computer incident response team (CIRT). The Phase I deliverable will address at least these factors:
- Minimum essential information exchange for the common formats
- Methods for collecting, organizing, and compressing a minimum essential incident exchange, given the various sensors
- Examples of exchange message sizes for typical incidents, such as virus/worm infection or a change in configuration
- An optimal method for selecting and reducing actual incident collection requests so that all monitoring and collection content about an incident is passed, with metrics that demonstrate the optimality methodology
- Identification of analysis tasks most efficiently processed remotely that can further reduce bandwidth requirements
- A proposed phased, minimum-bandwidth application for a designated sensor system (details to be provided at Phase I kickoff)

PHASE II: Provide a practical implementation of the optimized solution researched and designed in Phase I. Testing and evaluation should accompany the implementation to illustrate both feasibility and practicality. This phase will demonstrate transactions for various combinations of incident data exchange.

PHASE III: Transition this technology into current Navy systems supporting the Naval Cyber Defense Operations Command (NCDOC).

PRIVATE SECTOR COMMERCIAL POTENTIAL/DUAL-USE APPLICATIONS: The concept of a cybersecurity incident response team is not new to the commercial world. The bandwidth savings achieved through this proposal can be applied in both government and industry.

REFERENCES:
1. CYBEX - http://www.sigcomm.org/ccr/papers/2010/October/1880153.1880163
2. SCAP - http://scap.nist.gov/
3. IODEF - http://www.ietf.org/rfc/rfc5070.txt