[LINK] DARPA: "Enhanced Attribution" research proposals

Stephen Loosley stephenloosley at zoho.com
Tue May 10 16:49:47 AEST 2016


Enhanced Attribution 

Office: Defense Advanced Research Projects Agency (DARPA)
Research Solicitation Number: DARPA-BAA-16-34


Synopsis:  Added: Apr 22, 2016 4:49 pm

DARPA is soliciting innovative research proposals in the area of cyber attribution. 

The goal of the Enhanced Attribution (EA) program is to develop technologies for generating operationally and tactically relevant information about multiple concurrent independent malicious cyber campaigns, each involving several operators; and the means to share such information with any of a number of interested parties without putting at risk the sources and methods used for collection. 

Proposed research should investigate innovative approaches that enable revolutionary advances in science, devices, or systems. 

Point of Contact: Enhanced-Attribution at darpa.mil 

Ref: https://www.fbo.gov/index?s=opportunity&mode=form&id=93c091efb6a2252556aa8530cdce71ed&tab=core&tabmode=list&=
Additional PDF: https://www.fbo.gov/utils/view?id=138959e641d75afda40b9bedb5ec8d2b


DARPA BAAs are posted on the Federal Business Opportunities (FBO) website (https://www.fbo.gov/).

The following information is for those wishing to respond to this BAA. 

Background

Malicious actors in cyberspace currently operate with little fear of being caught due to the fact that it is extremely difficult, in some cases perhaps even impossible, to reliably and confidently attribute actions in cyberspace to individuals.  The reason cyber attribution is difficult stems at least in part from a lack of end-to-end accountability in the current Internet infrastructure.  Cyber campaigns spanning jurisdictions, networks, and devices are only partially observable from the point of view of a defender that operates entirely in friendly cyber territory (e.g., an organization’s enterprise network).  The identities of malicious cyber operators are largely obstructed by the use of multiple layers of indirection.  The current characterization of malicious cyber campaigns based on indicators of compromise, such as file hashes and command-and-control infrastructure identifiers, allows malicious operators to evade the defenders and resume operations simply by superficially changing their tools, as well as aspects of their tactics, techniques, and procedures.  The lack of detailed information about the actions and identities of the adversary cyber operators inhibits policymaker considerations and decisions for both cyber and non-cyber response options (e.g., economic sanctions under EO-13694).

Program Scope

The Enhanced Attribution program aims to make currently opaque malicious cyber adversary actions and individual cyber operator attribution transparent by providing high-fidelity visibility into all aspects of malicious cyber operator actions and to increase the Government’s ability to publicly reveal the actions of individual malicious cyber operators without damaging sources and methods.

The program will develop techniques and tools for generating operationally and tactically relevant information about multiple concurrent independent malicious cyber campaigns, each involving several operators, and the means to share such information with any of a number of interested parties (e.g., as part of a response option).  

The program seeks to develop: 

* technologies to extract behavioral and physical biometrics from a range of devices and vantage points to consistently identify virtual personas and individual malicious cyber operators over time and across different endpoint devices and C2 infrastructures;

* techniques to decompose the software tools and actions of malicious cyber operators into semantically rich and compressed knowledge representations;

* scalable techniques to fuse, manage, and project such ground-truth information over time, toward developing a full historical and current picture of malicious activity;

* algorithms for developing predictive behavioral profiles within the context of cyber campaigns; and

* technologies for validating and perhaps enriching this knowledge base with other sources of data, including public and commercial sources of information.
