Novel Detection Mechanisms for Advanced Persistent Threat

Description:

with performance acceptable for operational deployment.

DESCRIPTION: Existing CNDSP alert generation tools are based on the identification of known signatures and thus are not appropriate for the detection of advanced persistent threats, in which the attacker explicitly avoids the use of known signatures. This leaves analysts with the time-consuming process of analyzing raw data to identify such advanced persistent threats, or leaves detection until after the attacker's compromise exhibits identifiable external behavior. While anomaly detection techniques have been examined by the research community, their true positive (TP) and false positive (FP) rates have typically left them undeployable. The need is to achieve TP and FP rates in non-signature-based techniques that are deployable, i.e., a high percentage of TPs and a very low number of FPs in relation to the number of TPs.

PHASE I: Develop approaches to solve the aforementioned problem of non-signature-based anomaly detection with high TP and low FP rates on full packet analysis. The performer will develop a detailed analysis of predicted performance that validates that the TP and FP rates will be acceptable for deployment in large-scale CNDSP operations. The Phase I must show the initial concept design as well as modeling of key elements to support the aforementioned validation results. A design plan identifying the progression from theoretical approach to prototype and full development, along with testing and validation protocols, must be developed.

PHASE II: Execute the Phase I design plan. Develop, test, and validate implementations of the top contending algorithms from Phase I. Show progress against the initial performance goals and show appropriate milestones to extend these goals to a desirable CNDSP operational state. Demonstrate the framework in a controlled laboratory environment at a minimum, with potential for field demonstration in an existing CNDSP operational networking environment.

PHASE III DUAL USE APPLICATIONS
- Military: It is intended that these algorithms and associated implementations be transitioned to CNDSP groups for operational deployment. It is intended that Phase III is encapsulated in a capstone demonstration at a TRL that exceeds TRL 6.
- Commercial: The resulting algorithms and associated implementations should have wide applicability to commercial network defense and network monitoring organizations or groups. The algorithms and performance metrics will have potential value to the R&D community as an indication of future research directions and of the potential for solving the true challenge problems in the cybersecurity domain.
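The description's deployability criterion (a high share of TPs and very few FPs relative to TPs) is a base-rate problem: on a large network with very few genuine intrusion events, even a low FP rate produces far more false alerts than true ones. The following added example, not part of the solicitation, projects the daily alert mix from a detector's TPR/FPR and checks it against that criterion; the traffic volume, malicious-event count and the threshold values are constructed assumptions.

```python
# Added example: base-rate projection for a non-signature (anomaly) detector.
# Traffic volume, malicious-event count and thresholds are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class AlertProjection:
    tpr: float          # detector's true-positive rate
    expected_tp: float  # malicious events flagged per day
    expected_fp: float  # benign events flagged per day (analyst noise)

    @property
    def precision(self) -> float:
        """Share of alerts that are real; 0.0 when nothing is flagged."""
        alerts = self.expected_tp + self.expected_fp
        return self.expected_tp / alerts if alerts else 0.0

    @property
    def fp_per_tp(self) -> float:
        """False alerts raised for every true alert."""
        return self.expected_fp / self.expected_tp if self.expected_tp else float("inf")


def project_alerts(tpr: float, fpr: float, n_events: int, n_malicious: int) -> AlertProjection:
    """Expected daily alert mix: TPR/FPR applied to the malicious/benign split."""
    if not (0.0 <= tpr <= 1.0 and 0.0 <= fpr <= 1.0) or not 0 <= n_malicious <= n_events:
        raise ValueError("rates must lie in [0, 1] and 0 <= n_malicious <= n_events")
    n_benign = n_events - n_malicious
    return AlertProjection(tpr=tpr, expected_tp=n_malicious * tpr, expected_fp=n_benign * fpr)


def is_deployable(p: AlertProjection, min_tpr: float, max_fp_per_tp: float) -> bool:
    """The solicitation's criterion: high TP share, few FPs relative to TPs."""
    return p.tpr >= min_tpr and p.fp_per_tp <= max_fp_per_tp


def required_fpr(tpr: float, n_events: int, n_malicious: int, max_fp_per_tp: float) -> float:
    """FPR the detector must reach for FPs-per-TP to stay within the bound."""
    n_benign = n_events - n_malicious
    return (n_malicious * tpr * max_fp_per_tp) / n_benign if n_benign else 0.0


if __name__ == "__main__":
    # Constructed scenario: 10 M flows/day, of which 100 belong to an intrusion.
    p = project_alerts(tpr=0.99, fpr=0.01, n_events=10_000_000, n_malicious=100)
    print(f"TP/day={p.expected_tp:.0f} FP/day={p.expected_fp:.0f} "
          f"precision={p.precision:.4%} FP per TP={p.fp_per_tp:.0f}")
    print("deployable:", is_deployable(p, min_tpr=0.95, max_fp_per_tp=1.0))
    print(f"FPR needed for <=1 FP per TP: {required_fpr(0.99, 10_000_000, 100, 1.0):.2e}")
```

With these constructed figures a detector that is 99% accurate on both classes still yields about a thousand false alerts per true one, which is why the solicitation measures FPs against TPs rather than as a rate.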