Algorithm Sought to Analyze Insider BehaviorAir Force Wants Near-Real-Time Detection
In a call for proposals aimed at small businesses, posted on Tuesday, the Air Force is asking outside developers to "define, develop and demonstrate innovative approaches for determining 'good' (approved) versus 'bad' (disallowed/subversive) activities, including insiders and/or malware." For their initial efforts, the Air Force will pay up to $100,000.
The proposal says current techniques that monitor illicit activities only address the most blatant violations of policy or the grossest deviations from accepted behavior. Most systems concentrate their resources on repelling attacks at the network borders with little attention devoted to threats that evade detection and/or emanate from within. The proposal states:
"As such, there currently exists a great need across the federal, military and private sectors for a viable and robust means to provide near-real-time detection, correlation and attribution of network attacks, by content or pattern, without use of reactive previously-seen signatures. Many times, these trusted entities have detailed knowledge about the currently-installed host and network security systems, and can easily plan their activities to subvert these systems."
In the first phase, Air Force planners envision the development of a prototype algorithm that incorporates heuristic analysis for determining approved versus disallowed or subversive activities, including insiders and/or malware. The awarded contractor also would propose an architecture and perform a feasibility analysis of the algorithm and architecture during the initial phase.
In the second phase, the contractor would implement the best approach from Phase 1 in an experimental hardware/software environment, representative of the Air Force cyber infrastructure. They'd be asked to correlate Phase 1 analysis with experimental results as well as analyze the prototype system with respect to performance, scalability, cost, security and vulnerability.