Military Spends $4.4M To Supersize Net Monitoring
coondoggie writes "Bigger, better, faster, more are the driving themes behind the advanced network monitoring technology BBN Technologies is building for the military.
The high-tech firm got a $4.4 million contract today from the Defense Advanced Research Projects Agency (DARPA) to develop novel, scalable attack detection algorithms; a flexible and expandable architecture for implementing and deploying the algorithms; and an execution environment for traffic inspection and algorithm execution. The network monitoring system is being developed under DARPA's Scalable Network Monitoring program which seeks to bolt down network security in the face of cyber attacks that have grown more subtle and sophisticated."
Re:Military Spends $4.4M To Supersize Net Monitori (Score:3, Informative)
Goals cannot be met as stated (Score:5, Informative)
That is lots of fundamental research we are talking about. I am no expert in network monitoring, but 4.4M to solve the following problems seems like peanuts:
Probability of detection of malicious traffic greater than 99% per attack launched
While some types of traffic are obviously not ham (say, spoofed IPs or syn scans), assigning intent to raw data flows requires nothing less than strong AI. Think of spam - anybody can fool a spam filter, no matter what filter, given enough time and motivation. You can also fool the human reading the mail, for that matter...
A false alarm rate while monitoring traffic of not more than one false alarm per day.
This makes a whitelist approach a lot harder. My guess is that any decent system will flag many, many things, and prioritize some over others. That way it is up to the network operator to dig deeper or not into each individual incident, using the program's classification as a starting point. I have no idea why email programs don't allow you to rank messages on "perceived spamminess" - it would make digging for false positives and negatives a lot easier...
Support capabilities at conventional gateway line speeds of 1Gbps in Phase I of the contract, while Phase II will demonstrate the scalability of this capability at gateway line speeds of 100Gbps.
This part, together with the "very high scalability" requirement, is the icing on the cake. It is impossible to detect complex threats in real-time, so the best bet would be to layer defenses. Very fast reflexes for certain behavior (say, DDoS), longer mulling times for patterns that are more deeply hidden (say, a covert channel somewhere).
In any case, 4.4M is peanuts to meet these goals at full strength. The most probable outcome is some fundamental research, partial successes, and another grant in a few years (possibly to a different team) to try to get further along the track.
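The two goals the comment quotes, a false-alarm budget of one per day and line speeds of 1 Gbps, interact through the base rate: the more flows the monitor sees, the lower the per-flow false-positive rate has to be, and any hard cap on alerts costs sensitivity wherever benign and malicious scores overlap. The following is an added example, not code from the article or from BBN or DARPA. It does the back-of-envelope capacity arithmetic (packet size and packets-per-flow are assumed inputs) and then, on a constructed day of scored alerts, picks the lowest threshold that respects a false-alarm budget, reports the detection rate that results, and builds the score-ranked triage queue the commenter wishes email clients offered.

```python
"""Added example, not code from the article or from BBN/DARPA: a back-of-envelope
check of the quoted goals and a score-ranked triage queue of the kind the comment
wishes for. Every traffic figure and alert score here is constructed."""

from dataclasses import dataclass
from typing import List, Tuple

SECONDS_PER_DAY = 86_400


def flows_per_day(line_rate_gbps: float, avg_packet_bytes: int, packets_per_flow: int) -> float:
    """Rough count of flows a monitor sees per day on a saturated link.
    Packet size and packets-per-flow are assumed inputs, not measurements."""
    bits_per_day = line_rate_gbps * 1e9 * SECONDS_PER_DAY
    packets_per_day = bits_per_day / (avg_packet_bytes * 8)
    return packets_per_day / packets_per_flow


def required_false_positive_rate(flows: float, false_alarms_per_day: float = 1.0) -> float:
    """Per-flow false-positive rate needed so the expected number of false
    alarms per day stays within the budget (the base-rate problem)."""
    return false_alarms_per_day / flows


@dataclass(frozen=True)
class Alert:
    flow_id: str
    detector: str    # "fast" (e.g. a flood heuristic) or "slow" (deeper analysis)
    score: float     # detector's confidence the flow is malicious, 0..1
    malicious: bool  # ground truth, known only because the data is constructed


def constructed_day() -> List[Alert]:
    """One constructed day of alerts. One benign flow (think of an authorised
    vulnerability scan) scores higher than half of the real attacks; that
    overlap is what makes a hard false-alarm cap expensive."""
    return [
        Alert("b1", "fast", 0.95, False), Alert("b2", "slow", 0.80, False),
        Alert("b3", "fast", 0.60, False), Alert("b4", "slow", 0.55, False),
        Alert("b5", "fast", 0.40, False), Alert("b6", "slow", 0.30, False),
        Alert("b7", "fast", 0.20, False), Alert("b8", "slow", 0.10, False),
        Alert("m1", "fast", 0.99, True),  Alert("m2", "slow", 0.90, True),
        Alert("m3", "slow", 0.85, True),  Alert("m4", "slow", 0.70, True),
        Alert("m5", "slow", 0.50, True),  Alert("m6", "slow", 0.35, True),
    ]


def threshold_for_budget(alerts: List[Alert], false_alarm_budget: int) -> float:
    """Lowest threshold such that at most `false_alarm_budget` benign alerts
    score strictly above it. If the budget covers every benign alert, nothing
    needs to be suppressed."""
    benign = sorted((a.score for a in alerts if not a.malicious), reverse=True)
    if false_alarm_budget >= len(benign):
        return 0.0
    return benign[false_alarm_budget]


def evaluate(alerts: List[Alert], threshold: float) -> Tuple[float, int]:
    """(detection rate, false alarms) when only alerts strictly above the
    threshold page the operator."""
    malicious = [a for a in alerts if a.malicious]
    caught = sum(1 for a in malicious if a.score > threshold)
    false_alarms = sum(1 for a in alerts if not a.malicious and a.score > threshold)
    return caught / len(malicious), false_alarms


def triage_queue(alerts: List[Alert], threshold: float) -> List[Alert]:
    """Alerts above the threshold, highest score first, so the operator digs
    from the top. Alerts below it are not discarded; they remain available for
    slower review, which is the prioritisation the comment asks for."""
    return sorted((a for a in alerts if a.score > threshold),
                  key=lambda a: a.score, reverse=True)


if __name__ == "__main__":
    flows = flows_per_day(1.0, avg_packet_bytes=500, packets_per_flow=20)
    print(f"~{flows:.2e} flows/day at 1 Gbps -> per-flow FPR must stay below "
          f"{required_false_positive_rate(flows):.1e} for one false alarm per day")
    day = constructed_day()
    for budget in (1, 3):
        thr = threshold_for_budget(day, budget)
        rate, fa = evaluate(day, thr)
        print(f"budget {budget}/day: threshold {thr:.2f}, detection {rate:.0%}, "
              f"false alarms {fa}, queue {[a.flow_id for a in triage_queue(day, thr)]}")
```

With the assumed 500-byte packets and 20 packets per flow, a saturated 1 Gbps link carries about a billion flows a day, so one false alarm per day means a per-flow false-positive rate under one in a billion. On the constructed alerts, holding the budget at one false alarm per day forces the threshold above the single high-scoring benign flow and halves the detection rate; relaxing the budget to three raises detection but still leaves the two weakest attacks in the below-threshold pile, which is why the comment suggests ranking rather than a single hard cutoff.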