SOLICITATION NOTICE
A -- Proactive and predictive Information Assurance for Next Generation Systems (P2INGS) PART 1 OF 2
- Notice Date
- 4/8/2003
- Notice Type
- Solicitation Notice
- Contracting Office
- Department of the Air Force, Air Force Materiel Command, AFRL - Rome Research Site, AFRL/Information Directorate 26 Electronic Parkway, Rome, NY, 13441-4514
- ZIP Code
- 13441-4514
- Solicitation Number
- Reference-Number-BAA-03-10-IFKA
- Point of Contact
- Arnold Kloven, Contracting Officer, Phone (315) 330-4767, Fax (315) 330-8082
- E-Mail Address
- klovenj@rl.af.mil
- Description
- PART I OF II OF BAA 03-10-IFKA.

Program Manager: Mr. William E. Wolf, AFRL/IFGB, 525 Brooks Road, Rome, NY, 13441-4505, telephone: (315) 330-2278, email: William.Wolf@rl.af.mil.
Technical POC: Joseph Giordano, AFRL/IFGB, 525 Brooks Road, Rome, NY, 13441-4505, telephone: (315) 330-4119, e-mail: Joseph.Giordano@rl.af.mil.
Contracting POC: AFRL/IFKA, Arnold J. Kloven, Contracting Officer, 26 Electronic Parkway, NY 13441-4514, telephone: (315) 330-4767, email: Arnold.Kloven@rl.af.mil.

I. INTRODUCTION

US Air Force Rome Laboratory, acting as the contracting agent for the Intelligence Community's Advanced Research and Development Activity (ARDA), is issuing this BAA to solicit research proposals addressing innovative solutions to cyber-defense for the Intelligence Community's (IC) information infrastructure. This BAA seeks research efforts that advance the state-of-the-art in the following two areas:

1. Advanced Information Assurance (IA) Situational Awareness;
2. Cyber Indications and Warning.

For this BAA, each of the above research efforts is subdivided into general and specific research areas of interest. Depending upon availability of funding, ARDA anticipates the award of multiple proposals, but not all acceptable proposals will be awarded.

II. GENERAL INFORMATION

An individual proposal may address only one of the two main research areas identified above. However, multiple proposals may be submitted by a single offeror. The research area of primary interest should be clearly identified in the proposal. Proposals must also clearly identify, by BAA paragraph number, the subtopic(s) within the main research area that the proposal is addressing. Multiple subtopics within a research area may be addressed within a single proposal. However, where multiple research topics are addressed, separate technical, cost and deliverable information must be provided for the work proposed.

Teaming between industry, independent research centers and academia is encouraged, and commercial technology may be leveraged wherever possible. According to DFARS 235.017-1, certain Federal Labs may submit proposals. For eligible Federal Labs, partnering with a university or private company is not required. From DFARS 235.017-1: "DoD-sponsored FFRDC's that function primarily as research laboratories (C3I Laboratory operated by the Institute for Defense Analysis, Lincoln Laboratory operated by Massachusetts Institute of Technology, and Software Engineering Institute) may respond to solicitations and announcements for programs which promote research, development, demonstration, or transfer of technology (Section 217, Pub.L.103-337)." DoD- and DOE-sponsored FFRDCs may also respond to this BAA. The full list of DoD- and DOE-sponsored FFRDCs is maintained by the National Science Foundation (http://www.nsf.gov/sbe/srs/nsf03308/start.htm).

The government shall have unlimited rights to all technical data and software that directly result from this research. The Government may, at its sole discretion, require that research results be documented in a paper suitable for publication in a national and/or international peer-reviewed journal or professional journal.

Period of Performance: Phase 1 shall be a base period of 18 months after contract award and incrementally funded in FY03 and FY04. Phase 2 shall be for a period of 12 months and be exercised as an option in FY05 and FY06.

Total Funding: Funding for the base effort (FY03/FY04, Phase 1) is anticipated to be $5,000,000 and for the Option effort (FY05/FY06, Phase 2) is anticipated to be $4,000,000. Multiple awards are anticipated. Total funding for this BAA is approximately $9,000,000.

Individual Awards: Phase 1 (FY03/FY04) awards are expected to be in the range of $500K to $1,500K with a possible option year award bringing the total to in excess of 2 million dollars.
The amount of the award will vary according to the type of effort undertaken. This BAA will remain open for 3 years after the publishing date. The first round deadline is 45 days from publication of this BAA.

III. BACKGROUND

The U.S. Intelligence Community (IC) is a large and complex structure of many different Federal organizations. The essential role of the IC is to provide timely, relevant information to U.S. policymakers, decision makers, and war fighters. Accomplishing this mission involves tasking, collecting, processing, analyzing, and disseminating intelligence to a variety of customers. It requires a specialized information infrastructure and a unique security environment that must work behind the scenes and often in highly charged international situations where intelligence information has the potential to remain highly sensitive for many years. In this environment, the stakes are high and the confidentiality, integrity, and availability of IC information are extremely critical. For example, due to inadequate security, entire generations of collection or cryptanalytical systems may be compromised, thus reducing intelligence capabilities and wasting large amounts of investment. Further, leaks of information may have international political ramifications and cause lives to be in danger. The risk of compromise will increase as the IC continues to use commercial technologies and share its information electronically among intelligence officers, across agencies and with ad hoc coalition partners.

The IC has always been responsible for ensuring that its information is secure. In the non-cyber arena, the IC developed robust systems and procedures to defend its data, sources, and methods. The IC's cyber environment demands the same risk management approach. The Advanced Research and Development Activity (Appendix A) seeks innovative solutions for advanced cyber-defensive capabilities for the Intelligence Community (IC) information infrastructure.

Intelligence is as much a key part of cyber-defense as it is of kinetic warfare. There are two major components to cyber defense: IA situational awareness and cyber indications and warning. Both of these capabilities help IC decision makers understand the defensive status of the IC information infrastructure and what could happen in cyberspace between a potential adversary and the defenders of the IC information infrastructure. These two components of cyber-defense are needed to better defend the IC systems and networks. They are also necessary to derive meaningful conclusions from the security incident data the IC collects, to understand the "Big Picture" of the IC networks' security state, and to pinpoint security weaknesses for correction. Both cyber defense capabilities are immature and require advanced technologies, to include: presentation techniques, modeling of IC mission dependency versus IC system services, and fusion of cyber data with real-world information such as news stories and intelligence reports.

IV. OBJECTIVES

Proposals are invited for innovative demonstrable solutions, i.e. proofs of concept, to advance the state of the art in cyber-defense capabilities for the Intelligence Community's information infrastructure. Efforts that leverage existing technologies as a means of achieving research goals are acceptable, but efforts that are largely engineering in nature or that represent only incremental improvements to existing capabilities will not be funded. Technologies sought under this solicitation must be highly resistant to subversion or circumvention by a sophisticated adversary. Respondents must demonstrate confidence in the effectiveness of their solution to resist attack through assurance arguments that address the techniques, processes, methodologies, etc. employed to resist subversion and circumvention.
The following basic desirable features must be incorporated into any proposed solution:

- Ease of Use: User interfaces should be easy to use and be free of internal complexities. Complexity in the user interface fosters disuse and/or potential security-breaching work-arounds.
- Operational Transparency: Solutions should minimize the visibility of protection and tracking mechanisms, thereby complicating user formulation of breaching strategies.
- Portability: Wherever possible, solutions should be effective across a broad spectrum of platforms and technologies within the IC information infrastructure. Solutions should be capable of dynamically accommodating a potentially fast-changing security environment, including changes to threat conditions, mission imperatives and personnel status.

V. RESEARCH AREAS

5.1 General Research Interests in IA Situational Awareness

The intent of IA Situational Awareness is to help security analysts and decision makers:

- Visualize and understand the cyber defensive environment of their information infrastructure;
- Identify what infrastructure components are important to complete key functions;
- Understand a potential adversary's courses of action to adversely affect the critical infrastructure components; and
- Know where to look for key indicators of malicious activity.

It involves the normalization of disparate sensor data, the deconfliction and correlation of sensor data and the display of the results of this analysis. Situational awareness is an integral part of the IC's Information Assurance Common Operational Picture (IA COP). The intent of the IA COP is to provide a graphical, statistical and analytical view of the status of the IC's computer networks and defensive posture. The concept of an IA COP is not new, but several efforts to establish such a capability have achieved limited success. Details about the desired capabilities of an IA COP are provided in DoD Instruction 8530.2, Enclosure E4, Section E4.3.1 (Appendix B).

Despite the importance of an IA Situational Awareness capability and its strategic and operational significance, it is a very immature capability. The aim of this research is to develop new theories, technologies, and tools that significantly improve current IA situational awareness capabilities.

5.1.1 Specific Research Interests

5.1.1.1 Decision Support and Human-Computer Interface

Security analysts must analyze large volumes of data from existing sensors and network management systems. Emerging research technology will present even more and varied information to the analysts. Technology is needed to help security analysts deconflict, correlate and understand large volumes of data that support answering the questions that are important to them as decision-makers. Research into how best to design the human-computer interface to cyber situation awareness systems is needed in order to better fit the cognitive processes used by the analysts. Even with the most advanced technology, cyber sensors are providing more data than can be easily analyzed without some sort of automation. A particularly difficult problem is finding trends and patterns in attacks or probes that may be in progress. The purpose of this research is to produce techniques, technologies and systems to:

- Transform huge volumes of cyber sensor and network management data into a form that can take advantage of human cognitive processing and the functions that security analysts perform; and
- Communicate intrusion information to decision makers in a manner that better shows the cyber situation, including focus on trends, priority of events requiring immediate attention, and projection of the situation to better enable prompt, safe, and appropriate action in response to a security event.

ARDA seeks new ideas for situational awareness that go beyond simply prioritizing existing events. We seek techniques and technologies that abstract events and present these abstractions in a way that enhances the overall situation awareness and facilitates decision-making. Techniques that can quickly and dependably show defensive activity and stealthy intrusive behavior together with other related factors are desirable. In addition, ARDA seeks innovative tools and techniques that:

- Provide timely assessments of emerging IA conditions across IC networks, to include identification of vulnerabilities, the status of IA Vulnerability Alert (IAVA) compliance and the defensive posture of components within the IC information infrastructure;
- Provide various levels of event abstraction and present them in a way that enhances the overall IA situational awareness and facilitates decision-making at different echelon levels within the IC;
- Automatically generate reports that can be immediately transmitted (via email, for example) to customer organizations;
- Assist IC information infrastructure defenders to answer security-related "what if" scenarios; and
- Reduce the current manpower-intensive process of collecting, normalizing, analyzing, interpreting and reporting of information about past, current, and evolving security events, to include related world events.

5.1.1.2 Modeling

One of the biggest problems in understanding security events (i.e. intrusion alerts) is appreciating how the data relates to the mission of an organization. A major reason for this situation is the lack of understanding of the coupling between the mission and the enabling information system services. The intent of this research is to develop modeling techniques to better determine how critical IC mission functions depend on the underlying information system services. The goal is to capture the intricate web of dependencies between missions and system services, to include cascading effects between them.
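The kind of mission-to-service dependency model the Modeling topic asks for can be sketched in a few lines. The following is an added example, not part of the BAA or of any ARDA program: the mission, service and host names are hypothetical, the model is a small dependency graph with "all" (every dependency needed) and "any" (redundant, one surviving dependency suffices) nodes, and a fixed-point propagation computes the cascading loss from a set of attacked hosts and a weighted mission-impact figure.

```python
"""Mission/service dependency model with cascading impact propagation (added example)."""
from typing import Dict, Iterable, Set

# Constructed dependency model (hypothetical names, not a real IC system).
# "needs": what a node depends on; "mode": "all" = needs every dependency up,
# "any" = survives while at least one dependency is up (redundancy).
# Missions carry a weight used to quantify impact; hosts are leaves with no needs.
MODEL: Dict[str, dict] = {
    "mission:indications-reporting": {"needs": ["svc:analyst-portal", "svc:email"], "mode": "all", "weight": 10},
    "mission:collection-tasking":    {"needs": ["svc:tasking-db"], "mode": "all", "weight": 8},
    "svc:analyst-portal": {"needs": ["host:web01", "svc:directory"], "mode": "all"},
    "svc:email":          {"needs": ["host:mail01", "host:mail02"], "mode": "any"},
    "svc:tasking-db":     {"needs": ["host:db01"], "mode": "all"},
    "svc:directory":      {"needs": ["host:ldap01", "host:ldap02"], "mode": "any"},
    "host:web01": {}, "host:mail01": {}, "host:mail02": {},
    "host:db01": {}, "host:ldap01": {}, "host:ldap02": {},
}


def propagate(model: Dict[str, dict], attacked: Iterable[str]) -> Set[str]:
    """Return every node that is down once loss cascades up from the attacked leaves.

    Iterates to a fixed point, so chains of any depth (host -> service -> service
    -> mission) are handled without assuming a particular node ordering.
    """
    down = set(attacked)
    changed = True
    while changed:
        changed = False
        for node, spec in model.items():
            needs = spec.get("needs", [])
            if node in down or not needs:
                continue
            lost = [d for d in needs if d in down]
            all_mode_fails = spec["mode"] == "all" and lost
            any_mode_fails = spec["mode"] == "any" and len(lost) == len(needs)
            if all_mode_fails or any_mode_fails:
                down.add(node)
                changed = True
    return down


def mission_impact(model: Dict[str, dict], attacked: Iterable[str]) -> dict:
    """Project an attack on the given hosts onto the missions and total the weighted impact."""
    down = propagate(model, attacked)
    missions = {}
    for node, spec in model.items():
        if not node.startswith("mission:"):
            continue
        lost = [d for d in spec["needs"] if d in down]
        missions[node] = {
            "down": node in down,
            "lost_services": lost,
            "impact": spec["weight"] if node in down else 0,
        }
    return {
        "down": sorted(down),
        "missions": missions,
        "total_impact": sum(m["impact"] for m in missions.values()),
    }


if __name__ == "__main__":
    # Losing one directory server is absorbed by redundancy; losing both cascades to a mission.
    print(mission_impact(MODEL, {"host:ldap01"})["total_impact"])
    print(mission_impact(MODEL, {"host:ldap01", "host:ldap02"}))
```

The "what if" questions mentioned under 5.1.1.1 map directly onto calls to `mission_impact` with different attacked sets; a real model would replace the hand-written dictionary with an asset inventory and service catalogue, but the propagation logic is the same.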
Research into how to project the impact of both abstract attack descriptions and known attacks using a model of system mission and system service dependencies is also desired. Ideas on how to quantitatively measure mission impact, and ways to instrument a system to actually measure the impact, are also welcomed. ARDA seeks the development of models that demonstrate how critical IC functions are dependent on information system services and the cascading effect when elements of the model are impacted by an attack.

5.1.1.3 Fusion and Attack Recognition

Assuming there is a capability to properly abstract and prioritize intrusion information, there remains the hard problem of making sense out of the data in the larger context of what else is happening inside and outside of the system in which the observations are made. Internal context could include the overall state of the system load, the mode it is in (wartime versus peacetime), current policy and perhaps the threat condition that is in effect. External context could include world events such as a regional war, terrorist threats, or some major upgrade that is planned for a system. Such context can dramatically affect the interpretation of the observed events. There are four levels of fusion in the context of physical sensors. These levels seem appropriate as a starting point for this research.

- Level 1 is called Object Refinement and its primary purpose is identification. Level 1 is concerned with entity detection and recognition. In cyberspace, this level would consist of schemes that identify events as part of a larger action such as an attack sequence and actually recognize the particular attack.
- Level 2 is called Situation Refinement and its primary purpose is situation assessment. Level 2 is concerned with event aggregation and context interpretation. In cyberspace, this might mean the aggregation of a probe sequence for mapping, followed by an attack on a given host, followed by the use of that host to get to a target system, as an aggregation of a higher-level attack sequence.
- Level 3 is called Threat Refinement and is concerned with threat analysis in terms of where an adversary has been and where he might be going.
- Level 4 is called Process Refinement and is concerned with the meta-data level which associates threats to the defender's strategic interests and projects the threat potential against our own dynamic vulnerability state.

The goal of this research is to develop cyber event fusion technology to provide interpretation and a meaningful context to cyber events. Ideas on technology are welcome at all four fusion levels, but in the interest of building a strong foundation, emphasis in this round will be on fusion levels 1 and 2. In addition, ARDA seeks advanced tools and techniques to:

- Normalize, aggregate, correlate, and fuse data from a wide range of disparate host and network security event sensors that are deployed across the IC; and
- Assist defenders of the IC information infrastructure to find trends and patterns in attacks or probes that may be in progress.

5.2 General Research Interests in Cyber Indications and Warning

Today's information assurance paradigm is a reactive model that involves detection of, and reaction to, attacks once they are underway. There is a pressing need to become predictive and proactive in detecting pre-attack cyber events that occur before malicious activities during the attack stage. This capability should significantly increase the warning time for an attack and provide IC security analysts and decision makers the time to take preventive steps to minimize the impact and losses from cyber-attacks.
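Referring back to fusion levels 1 and 2 in 5.1.1.3 above: the Level 2 illustration (a probe sequence, then an attack on a host, then use of that host against a further target) is exactly the shape a small correlation engine can recover from normalized sensor records. The following is an added example, not code from the BAA or from any ARDA program. It assumes two hypothetical sensor line formats, a constructed hostname-to-address inventory and constructed sample events; Level 1 is the per-event mapping of raw signatures to an attack phase, Level 2 is the per-source aggregation into a multi-stage sequence with the compromised host's own later activity chained on as a pivot.

```python
"""Level-1 (phase recognition) and Level-2 (sequence aggregation) fusion, added example."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample sensor output in two hypothetical formats (not real data):
#   "nids <ISO time> <src> -> <dst> <signature>"   network sensor
#   "host <ISO time> <hostname> <event>"            host sensor
SAMPLE_LINES = [
    "nids 2003-04-08T10:00:01 10.0.0.5 -> 10.0.1.20 portscan",
    "nids 2003-04-08T10:00:07 10.0.0.5 -> 10.0.1.21 portscan",
    "nids 2003-04-08T10:03:15 10.0.0.5 -> 10.0.1.20 exploit-attempt",
    "host 2003-04-08T10:03:16 web01 new-admin-account",
    "nids 2003-04-08T10:09:40 10.0.1.20 -> 10.0.2.9 exploit-attempt",
    "nids 2003-04-08T11:00:00 10.0.0.77 -> 10.0.1.22 portscan",
]
HOST_TO_IP = {"web01": "10.0.1.20"}  # constructed asset inventory, used to normalize host events

# Level 1: map each raw signature / host event name onto an attack phase.
PHASE_OF = {"portscan": "probe", "exploit-attempt": "exploit", "new-admin-account": "compromise"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: Optional[str]   # host-sensor events have no network source
    dst: str             # the asset the event concerns, as an address
    phase: str
    sensor: str


def normalize(line: str) -> Event:
    """Parse one line from either sensor format into a common Event record."""
    parts = line.split()
    kind, ts = parts[0], datetime.fromisoformat(parts[1])
    if kind == "nids":
        src, dst, sig = parts[2], parts[4], parts[5]          # parts[3] is the "->" token
        return Event(ts, src, dst, PHASE_OF.get(sig, "unknown"), "nids")
    if kind == "host":
        hostname, ev = parts[2], parts[3]
        return Event(ts, None, HOST_TO_IP.get(hostname, hostname), PHASE_OF.get(ev, "unknown"), "host")
    raise ValueError(f"unknown sensor format: {line!r}")


def fuse(lines: List[str]) -> List[dict]:
    """Level 2: aggregate events per source into probe -> exploit -> compromise -> pivot campaigns."""
    events = sorted((normalize(l) for l in lines), key=lambda e: e.ts)
    by_src: Dict[str, List[Event]] = {}
    for e in events:
        if e.src is not None:
            by_src.setdefault(e.src, []).append(e)

    campaigns = []
    for src, seq in by_src.items():
        phases = [e.phase for e in seq]
        if "probe" not in phases or "exploit" not in phases:
            continue  # a probe alone or an exploit alone is not yet a sequence
        first_probe = next(e.ts for e in seq if e.phase == "probe")
        for ex in (e for e in seq if e.phase == "exploit" and e.ts > first_probe):
            foothold = ex.dst
            # Host-sensor evidence on the same asset after the exploit attempt.
            compromised = any(h.phase == "compromise" and h.dst == foothold and h.ts >= ex.ts
                              for h in events)
            # The exploited host later acting as an attacker itself: the pivot step.
            pivots = [p for p in by_src.get(foothold, []) if p.phase == "exploit" and p.ts > ex.ts]
            stages = ["probe", "exploit"] + (["compromise"] if compromised else []) + (["pivot"] if pivots else [])
            campaigns.append({"source": src, "foothold": foothold, "stages": stages,
                              "pivot_targets": [p.dst for p in pivots]})
    return campaigns


if __name__ == "__main__":
    for c in fuse(SAMPLE_LINES):
        print(c)
```

Only the source that both probed and exploited is reported; the lone scanner at 11:00 stays an ungrouped Level 1 event, which is the distinction between recognizing an attack and assessing a situation that the two fusion levels draw.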
Joint Publication 1-02, DOD Dictionary of Military and Associated Terms, defines Indications and Warning (I&W) as those intelligence activities intended to detect and report the imminence of hostilities. More detailed information about cyber I&W is provided in DoD Instruction 8530.2, Enclosure E4.3.2 (Appendix C). During the Cold War, the United States developed robust systems to preclude surprise from nuclear and conventional threats. Unlike these areas, observables related to a campaign of cyber attacks have not been fully developed and cyber I&W remains a challenge that needs to be addressed. Because attack forecasting or cyber I&W provides the early warning necessary to reconfigure adaptive response mechanisms within the IC information infrastructure, it represents a key element for ensuring the survivability of IC information systems and networks.

This portion of the BAA focuses on the detection and analysis of pre-attack observables. Observables are information derived from knowledge about the capabilities and tools an adversary could use during the pre-attack stage and security events that are embedded in network traffic. For example, it would be useful to know that the probe rate on a component within the IC information infrastructure has increased and that the attempted stealthiness of those probes has increased. This, combined with other information, could indicate an adversary's intention to hide the probes and could be an indication of something bigger. ARDA selected this aspect of I&W to create focus and to highlight its particular importance and relevance to the IC. This focus should allow offerors to concentrate on a small part of the I&W problem. The intent of this research is to demonstrate that an adversary's attack intentions can be reliably predicted by an intelligence process that correlates technical information available in network traffic with information about the adversary's capabilities.

ARDA is particularly interested in I&W capabilities for sophisticated attacks and where the network sensors are deployed to detect observables in an asymmetric network environment, i.e. sensors have access to one, but not both, portions of the two-way network traffic. ARDA defines sophisticated attacks as those attacks that are nation-state sponsored and therefore have access to almost unlimited resources and capabilities. Due to the need to limit this research to an unclassified environment, this research will focus on an examination of real-world hacker pre-attack activities, the exploits of open source vulnerabilities, open source hacker information and attacks on the NIPRNet, i.e. the IC's unclassified network.

5.2.1 Specific Research Interests

5.2.1.1 Prediction Technologies

ARDA seeks the demonstration of new and novel methodologies and supporting technologies for predicting cyber-attacks that are based on an understanding of attackers' pre-attack activities within unclassified networks used by the IC, i.e. NIPRNet. This research includes the characterization and testing of pre-attack network observables (indicators). Respondents must demonstrate a prototype capability that correlates network observables with information about the attacker's threat profile. Based on this research, ARDA seeks a prototype capability that significantly increases the warning time associated with cyber attacks on the NIPRNet.

SEE PART II OF II PUBLISHED IN FBO.
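The pre-attack observable given as an example in 5.2 (probe rate on a component rising while the stealthiness of those probes also rises) can be turned into a concrete indicator computed from one-directional sensor data, which is the asymmetric deployment the BAA describes. The following is an added example and not code from the BAA or any ARDA program. It assumes constructed inbound probe observations (timestamp, source, destination port), a one-hour window, and a stealthiness proxy of its own choosing: the share of a source's probe-to-probe gaps that exceed a slow-scan threshold, averaged with how spread the probes are across sources. A warning is raised only when both rate and stealthiness increase from one window to the next, matching the "combined with other information" reading in the text.

```python
"""Probe-rate and stealthiness trend indicator over constructed one-way sensor data (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed observations: inbound SYN probes as seen by a sensor that sees only one
# direction of traffic. Tuples are (ISO timestamp, source address, destination port).
PROBES: List[Tuple[str, str, int]] = [
    # window 0: one noisy scanner, one probe per second
    ("2003-04-08T09:00:00", "10.9.9.1", 22), ("2003-04-08T09:00:01", "10.9.9.1", 23),
    ("2003-04-08T09:00:02", "10.9.9.1", 25), ("2003-04-08T09:00:03", "10.9.9.1", 80),
    # window 1: twice the probes, spread over four sources with long gaps (slow, distributed)
    ("2003-04-08T10:00:00", "10.9.9.2", 22), ("2003-04-08T10:12:00", "10.9.9.2", 80),
    ("2003-04-08T10:05:00", "10.9.9.3", 22), ("2003-04-08T10:20:00", "10.9.9.3", 443),
    ("2003-04-08T10:07:00", "10.9.9.4", 22), ("2003-04-08T10:30:00", "10.9.9.4", 3389),
    ("2003-04-08T10:40:00", "10.9.9.5", 22), ("2003-04-08T10:55:00", "10.9.9.5", 8080),
]
WINDOW = timedelta(hours=1)
SLOW_GAP = timedelta(minutes=5)  # a gap longer than this between one source's probes counts as "slow"


def window_stats(probes: List[Tuple[str, str, int]]) -> List[dict]:
    """Per window: probe rate (count), distinct sources, and a 0..1 stealthiness score."""
    parsed = sorted((datetime.fromisoformat(t), s, p) for t, s, p in probes)
    start = parsed[0][0].replace(minute=0, second=0, microsecond=0)
    windows: Dict[int, list] = defaultdict(list)
    for ts, src, port in parsed:
        windows[int((ts - start) // WINDOW)].append((ts, src, port))

    stats = []
    for idx in sorted(windows):
        evs = windows[idx]
        per_src: Dict[str, List[datetime]] = defaultdict(list)
        for ts, src, _ in evs:          # evs are already in time order
            per_src[src].append(ts)
        slow = gaps = 0
        for times in per_src.values():
            for a, b in zip(times, times[1:]):
                gaps += 1
                slow += b - a > SLOW_GAP
        slow_share = slow / gaps if gaps else 0.0          # slow scanning
        spread = len(per_src) / len(evs)                    # 1.0 = every probe from a new source
        stats.append({"window": idx, "rate": len(evs), "sources": len(per_src),
                      "stealth": round((slow_share + spread) / 2, 3)})
    return stats


def warnings(probes: List[Tuple[str, str, int]]) -> List[dict]:
    """Flag windows in which both the probe rate and the stealthiness rose versus the prior window."""
    stats = window_stats(probes)
    out = []
    for prev, cur in zip(stats, stats[1:]):
        if cur["rate"] > prev["rate"] and cur["stealth"] > prev["stealth"]:
            out.append({"window": cur["window"],
                        "rate_delta": cur["rate"] - prev["rate"],
                        "stealth_delta": round(cur["stealth"] - prev["stealth"], 3)})
    return out


if __name__ == "__main__":
    for w in window_stats(PROBES):
        print(w)
    print(warnings(PROBES))
```

Each window summary is the kind of abstraction the situational awareness topics ask for, while the trend comparison across windows is the I&W indicator itself; the stealthiness proxy is deliberately simple and would in practice be calibrated against the attacker capability information the BAA says such observables should be correlated with.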
- Record
- SN00298562-W 20030410/030408213606 (fbodaily.com)
- Source
- FedBizOpps.gov