
AMBER (Automatic Monitoring [and Mitigation] with Block-chain-Enabled Reporting)

Award Information
Agency: Department of Defense
Branch: Defense Logistics Agency
Contract: SP4701-21-P-0010
Agency Tracking Number: L202-002-0011
Amount: $99,999.00
Phase: Phase I
Program: SBIR
Solicitation Topic Code: DLA202-002
Solicitation Number: 20.2
Timeline
Solicitation Year: 2020
Award Year: 2021
Award Start Date (Proposal Award Date): 2020-12-02
Award End Date (Contract End Date): 2021-06-01
Small Business Information
531 Esty Street
Ithaca, NY 14850-3250
United States
DUNS: 603978321
HUBZone Owned: No
Woman Owned: No
Socially and Economically Disadvantaged: No
Principal Investigator
 Zak Fry
 (607) 273-7340
 zfry@grammatech.com
Business Contact
 Derek Burrows
Phone: (607) 351-5698
Email: dburrows@grammatech.com
Research Institution
N/A
Abstract

GrammaTech proposes AMBER (Autonomic Monitoring [and Mitigation] with Blockchain-Enabled Reporting), a framework to harden Internet of Things (IoT) devices against cyber-attacks. AMBER builds on existing GrammaTech technologies to provide an end-to-end security solution, including (1) a framework for automatically generating and installing runtime verification policies and attack mitigation techniques on devices; (2) a distributed, blockchain-based logging framework to encode and report perceived attacks across devices, supporting secure, redundant real-time reporting and forensic playback; and (3) a Reasoning Engine (RE) server that performs offline forensic and remediation work to mitigate future attacks and reports attacks to administrators and analysts. Commercial, off-the-shelf devices increasingly incorporate network connectivity, leveraging IoT-style deployments to support remote monitoring and control. Unfortunately, many of these devices lack the software sophistication and resilience to stave off cyber-attacks; as a result, attackers use them to compromise networks and impede operations. AMBER will provide increased device resilience against the entire attack spectrum. For example, consider an AMBER deployment in a logistical staging warehouse featuring IoT-connected devices, including IP-based security cameras, GPS-enabled delivery trucks, and HVAC controllers. AMBER will embed monitors into the devices’ firmware using binary instrumentation to watch for anomalous behavior at runtime. Suppose an attacker uses a known exploit against an IP-based security camera to retrieve credentials, including passwords (such as the real-world vulnerability CVE-2013-1605).
When this attack occurs, AMBER’s embedded firmware monitors will identify the anomaly, take action to prevent the attack (e.g., disable connections from the attacker’s IP address), and log the attack and response as part of the DLT (distributed ledger technology) blockchain, which is then propagated across the entire staging warehouse. When any AMBER-secured device containing this blockchain synchronizes with the RE server, it will report the updated blockchain, informing the server of the attack and the local mitigation actions. The RE server will report this attack to the local administrator and will use a combination of planning and machine learning (ML) to secure the camera’s firmware against future attacks of the same kind. In summary, AMBER is a holistic monitor-and-response system that will operate across the Defense Logistics Agency’s (DLA) cyber-infrastructure to defend against cyber-attacks, preserve forensic attack information in a distributed, real-time and replayable way, and use this forensic information to prevent similar attacks. Leveraging GrammaTech’s existing binary rewriting and autonomic technologies, AMBER will identify, assess, report, and mitigate cyber-attacks against devices with varying capabilities, architectures, and “size, weight, and power” (SWaP) constraints.
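A minimal illustration of the logging path the abstract describes: a device records each detected anomaly and its local response as a block in a hash-chained log, the RE server adopts a reported chain only if it verifies and extends the chain it already holds, and the accepted log can be replayed in time order for forensics. This is an added example, not GrammaTech's AMBER code; the block layout, the GENESIS link, the device names, the sample events and the IP address are all constructed for the demonstration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting link for an empty chain


def _digest(prev_hash, event):
    # Bind each event to its predecessor; canonical JSON so every device hashes identically.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_event(chain, device, anomaly, mitigation, ts):
    """Device side: record a detected anomaly and the local response as a new block."""
    event = {"device": device, "anomaly": anomaly, "mitigation": mitigation, "ts": ts}
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "prev": prev, "hash": _digest(prev, event)})
    return chain[-1]["hash"]


def verify_chain(chain):
    """Tamper check: every block must point at its predecessor and match its own digest."""
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev or _digest(prev, block["event"]) != block["hash"]:
            return False
        prev = block["hash"]
    return True


def server_sync(held, reported):
    """RE-server side: adopt a reported chain only if it verifies and extends what is held."""
    if not verify_chain(reported) or reported[: len(held)] != held:
        return held, False
    return reported, True


def replay(chain):
    """Forensic playback: the (time, device, anomaly, response) sequence in order."""
    return sorted((b["event"]["ts"], b["event"]["device"], b["event"]["anomaly"],
                   b["event"]["mitigation"]) for b in chain)


# Constructed sample: the camera scenario from the abstract, then a second device's entry.
chain = []
append_event(chain, "cam-01", "credential-retrieval exploit attempt", "block src 198.51.100.7", 1)
append_event(chain, "hvac-03", "unexpected outbound connection", "quarantine port", 2)
server_held, accepted = server_sync([], chain)
# A copy whose mitigation field was altered after the fact no longer matches its digest.
tampered = [dict(b, event=dict(b["event"], mitigation="none")) for b in chain]
```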

* Information listed above is at the time of submission. *
