Military Spends $4.4M To Supersize Net Monitoring

coondoggie writes "Bigger, better, faster, more are the driving themes behind the advanced network monitoring technology BBN Technologies is building for the military. The high-tech firm got a $4.4 million contract today from the Defense Advanced Research Projects Agency (DARPA) to develop novel, scalable attack detection algorithms; a flexible and expandable architecture for implementing and deploying the algorithms; and an execution environment for traffic inspection and algorithm execution. The network monitoring system is being developed under DARPA's Scalable Network Monitoring program which seeks to bolt down network security in the face of cyber attacks that have grown more subtle and sophisticated."

Military Spends $4.4M To Supersize Net Monitoring

[Shadow Wrought]

That sounds like a lot, but it did come with fries.

Re:Military Spends $4.4M To Supersize Net Monitori

[Hatta]

It doesn't actually sound like all that much to me. Frankly, I'm surprised that they're not spending 10x as much already. Of course, maybe they are...

Re:

[Rayeth]

Considering the requirements laid out in TFA, I am exceedingly dubious that they will come up with anything for this price tag. Also note this same company got $13 Million for a program to quickly translate documents for the military. I'm guessing that one will also go nowhere. Security and Translation are two notoriously difficult things to get right.

Re:

[cavis]

Wrong, wrong, wrong... Net Monitoring is one of those disciplines that has no end. Hackers, viruses, and Trojans are ever changing. New threats, sites, and IPs appear every day. It is much like chess: your opponent makes a move, you counter it, and he makes yet another move. No one's network is without its threats, no matter the manufacturer or operating system.

What do I base my statements on? I do network security full-time for about 50,000 users.

Re:

[ahabswhale]

Well DARPA invented the internet (not to mention a large number of other achievements that are significantly more sophisticated). What are your qualifications, Mr. Smartguy, for forming an opinion on what can be done?

Re:

[NotBornYesterday]

Not only that, guess who had the ARPANET contract? BBN. I dealt with them for years, and they are a very capable organization. Chances are they can deliver what they say.

Re:

[BPPG]

Is this guys a bot? I've seen this exact comment in at least one other thread.

Re:

[Chaymus]

So much for ordering off the dollar menu.

Re:

[Chief_Wiggum]

In Soviet America, net surfs YOU!

Re:

[b4upoo]

That's such a tiny budget that it in effect suggests that no real work is being done at all.
        These days building a new high school can eat up more than 16 million dollars. Net security and monitoring migh call for a multi billion dollar project.

Re:Military Spends $4.4M To Supersize Net Monitori

[billcopc]

Actually it sounds like far too little.

The root of the problem is that the USA has been pissing everyone else off for the better part of a century. Were it not for that key fact, the military probably wouldn't be afraid of everyone everywhere, including their own citizens.

Interesting

[iXiXi]

$4.4 million for a system to detect what one person getting paid nothing will circumvent within days/hours/minutes of implementation.

Re:Interesting

[RandoX]

All that money, down the tubes.

Re:

[Xacid]

That's just a bit shortsighted don't you think? That's like saying the money poured into all the anti-malware software was a waste despite continually keeping many computers safer than without.

Re:

[iXiXi]

No, not shortsighted, just realistic. The fact remains that enormous amounts of money is spent to thwart these attackers and most of them don't get paid $4.4 million to hack.

Re:

[RingDev]

I didn't read the article, but it doesn't sound like they are getting paid to develop was of thwarting, only detecting, based on monitoring network traffic.

Even if the attacker changes their vector and packages, the goal would appear to be to pick up on the trends of network traffic in assaults to better identify weak points, communications bottle necks, sources, etc...

-Rick

Re:

[pha3r0]

No, not shortsighted, just realistic. The fact remains that enormous amounts of money is spent to thwart these attackers and most of them don't get paid $4.4 million to hack.

I had to comment here (also note i logged in to make this) while I have not much tech experience, I have a lot of life experience. And that experience has taught me that criminals will work for nearly free becasue of there own psychological problems.

I used to steal cars, not smart of course, no I did not make much money, I just did it because it was fun... Now why do we hack class?

Re:

[bws111]

Should we also apply this thinking to other fields as well? Don't spend money on medical research, some new unpaid virus will come along and make us sick anyway. Don't spend money trying to cure hunger, some unpaid natural disaster will come along and kill people anyway. Don't spend money on science, any questions answered just lead to more questions anyway.

Re:

[iXiXi]

Unfortunately, you read into what I am saying here. I am not being critical of the project. I am merely stating a fact that it is a shame that there is so much money that is being spent to try to handle internet thugs.

Re:

[bws111]

Ah, sorry about that. Yes, you are correct in that regard.

Re:

[Darkness404]

Ummm... Honestly it is a waste. 98% of malware is written for one platform. Windows. Which, as everyone who knows anything about technology knows, Windows is one big security hole. The money spent on blocking individual viruses could be better used in stopping flaws that allow viruses access.

Re:

[Darkness404]

Yes *A* Mac virus, compare that with the *thousands* of current Windows viruses. Sure there is probably even *A* Linux virus or even *A* Plan9 virus, but most viruses are written for Windows and the fact that there are like 1 current virus for alternate OSes isn't as bad as the *thousands* of Windows ones.

Re:

[morgan_greywolf]

The money spent on blocking individual viruses could be better used in stopping flaws that allow viruses access.

By 'stopping flaws' do you mean sending money to Microsoft, or just outright replacing Windows?

Because only one of those two options is likely to work well.

Re:

[moxley]

One reason for this is because windows is the dominant platform, especially for those who are not that technically literate; (and likely those who are own at least one machine running windows).

Certianly I am not saying that OSX and linux (or any unix variant) don't present more of a challenge, but if their adoption was as widespread and in as many areas as windows there would likely be much, much more malware to contend with.

All in all there is no perfect system. There will likely always be something to exp

Re:

[Jackmn]

The money spent on blocking individual viruses could be better used in stopping flaws that allow viruses access.

Users are willing to run software from untrusted sources and give it administrative access when prompted. In my limited experience, this is far and away the most common cause of infections. There is nothing that can be done to prevent this (in any operating system). This can be somewhat mitigated by providing a repository for trusted software (as implemented in most Linux distributions), but there

Re:

[bob_herrick]

You raise a good point. This program is just one of many, some public, mostly private, that act as a sort of immune system for the internet. The various malware evolves and gets to exploit each and every weakness that gets found. Having another potentially 'evolving' element of the immune system sounds like a good idea to me. Defending a single point with a single system does not strike me a sensible way to run things.

Re:

[camperslo]

Although monitoring is important, it seems like it might be more cost effective to release code that spreads and patches vulnerable/infected machines. If the number of those could be cut way down, maybe DDoS attacks wouldn't be such a threat.

There's already malware that removes other malware to increase the available resources. If malware can do that, why not something friendly doing it?

While antivirus products do help people, I can see why some would question their value.
If a home or auto security produ

$4.4 million is almost enough ...

[cohomology]

to cater the meetings to discuss the project.

Re:

[lazycam]

It's likely they missed a few zeros [slashdot.org].

Re:

[fyoder]

to cater the meetings to discuss the project.

There might be enough left over for a few print outs of the ping man page or something else networky.

Re:

[Captain Splendid]

$4.4 million is almost enough to cater the meetings to discuss the project.

No kidding. Factor in another $4 mil for hookers and blow, and then we can worry about actual money going to curb our civil liberties.

Re:

[Xtravar]

They make their own pr0n at Abu Ghraib.

$.4.4 million?

[wezzul]

$.4.4 million? So is that like $440k? $400,000.40?

Above thread is NOT off topic...

[RudeIota]

As posted by CmdrTaco:
$.4.4 million

That's not off topic. The post as it reads right now is "$.4.4 million". Sure, we can assume it is 4.4 million because it seems like an nonsensical number otherwise, but this is very unclear and should be corrected.

Novel...

[RudeIota]

to develop novel, scalable attack detection algorithms

'novel' just doesn't carry the same meaning anymore. USPTO is a prime example.

Re:

[pimpimpim]

You are so very right. Several of the higher-ranked scientific journals don't accept articles that contain claims of novelty. I think phys rev lett is an example. Because that's just not the way science works, it is based upon an incremental increase of understanding.

As for the rest, 4.4 million is about enough to have a team of about 10 low paid scientists work for 3 years (not just the salary, at least half goes to administrative overhead anyway). Good for them, of course, but hardly a major project.

Re:

[nicolas.kassis]

>

This article asks for nothing specific other than 'algorithms' to detect things. They didn't say anything like network (AI) behavioral based IDS. Nothing new here, move along.

from the article "New technologies and applications provide new attack routes and have made traditional signature-based and anomaly detection-based defensive measures inadequate in both speed and sensitivity, BBN added." Anomaly detection is mentioned. They claim that signature based and other techniques they have tried didn't work quite to what they wanted. Nothing new in that. IDS have never been perfect.

Re:

[khallow]

We also need to keep in mind that the US Department of Defense has its own networks some which it relies on even during battle. While I'm sure that the presence of this technology will encourage other agencies to use it intrusively on public networks, this technology isn't in itself compromising the privacy of the citizens of the US.

Money down the drain

[ZarathustraDK]

If there's one thing the government hasn't learned yet it is paying money to some company about something they don't understand is generally a bad idea.

It's all fun and games until some kid from Finland renders your new-bought toy obsolete.

Sounds cheap for the job

[Sun Chi]

The article doesn't say, but it seems logical that they would want the US military network to be able to handle both an attack like the one launched earlier this year against Georgia's internet infrastructure (likely by Russia) and the almost-certainly Russian-based one during actual armed conflict this week.

DoD has a budget of about $439.3 billion and DARPA gets $3.2 billion of that (according to Wikipedia). $4.4 million doesn't sound like that much out of that kind of budget, but I'd be interested in what

Re:

[hesaigo999ca]

I am sure it just had to do with buying a bunch more of brand new routers, that weren't
coming with pre-installed malwares from the chinese. They would have to replace all the router intfrastructure and that is probably what is costing this money. My 2 cents

Re:

[blueg3]

Both of these services are located on the wrong side of a hostile network and are woefully inaccurate when really understanding the content of the document is necessary.

Re:

[tehcyder]

they never heard of babelfish or google translator i take it

I wouldn't want people's lives depending on either of those two if I was in the military. They're at "send three and fourpence we're going to a dance" levels of accuracy at the moment.

Encryption

[nurb432]

Ok people, is it time yet? We need to encrypt ALL traffic.

Re:

[Bryansix]

I don't need to encrypt crap. You just need to stop accepting non-encrypted traffic. Then you will be safe.

Re:

[nurb432]

There goes 90% of the internet today then.

Even 'knowledgeable' sites like /. haven't stepped up to the plate yet.

At least my side of the email traffic is, but pretty sure the other side isn't, since people still don't understand.

Re:

[Anonymous Coward]

Oh yeah, because slashdot definitely requires the best encryption available today, as we share very precious information like funny comments.

Re:

[nurb432]

The content isn't the point. Doesn't matter what the content is, its not the governments business unless you are under a court blessed surveillance order.

Re:

[nickruiz]

Maybe DARPA should sponsor The Pirate Bay's efforts [slashdot.org] to encrypt internet traffic instead. Different goals, but same means. Wouldn't that be ironic?

Re:

[nurb432]

Not sure if its even different goals. Its to protect people's privacy.

Re:

[Bill, Shooter of Bul]

My data is always encrypted. Even this message appearing to inform users that I always encrypt my data, is actually the result of a one time pad code sending a message to my minions to do the bidding proscribed for today.

Goals cannot be met as stated

[tucuxi]

That is lots of fundamental research we are talking about. I am no expert in network monitoring, but 4.4M to solve the following problems seems like peanuts:

Probability of detection of malicious traffic greater than 99% per attack launched

While some types of traffic are obviously not ham (say, spoofed IPs or syn scans), assigning intent to raw data flows requires nothing less than strong AI. Think of spam - anybody can fool a spam filter, no matter what filter, given enough time and motivation. You can also fool the human reading the mail, for that matter...

A false alarm rate while monitoring traffic of not more than one false alarm per day.

This makes a whitelist approach a lot harder. My guess is that any decent system will flag many, many things, and prioritize some over others. That way it is up to the network operator to dig deeper or not into each individual incident, using the program's classification as a starting point. I have no idea why email programs don't allow you to rank messages on "perceived spamminess" - it would make digging for false positives and negatives a lot easier...

Support capabilities at conventional gateway line speeds of 1Gbps in Phase I of the contract, while Phase II will demonstrate the scalability of this capability at gateway line speeds of 100Gbps.

This part, together with the "very high scalability" requirement, is the icing on the cake. It is impossible to detect complex threats in real-time, so the best bet would be to layer defenses. Very fast reflexes for certain behavior (say, DDOS), longer mulling times for patterns that are more deeply hidden (say, a covert channel somewhere).

In any case, 4.4M is peanuts to meet these goals at full strength. The most probable outcome is some fundamental research, partial successes, and another grant in a few years (possibly to a different team) to try to get further along the track.

Re:

[Yvanhoe]

Probability of detection of malicious traffic greater than 99% per attack launched

While some types of traffic are obviously not ham (say, spoofed IPs or syn scans), assigning intent to raw data flows requires nothing less than strong AI.

I would like to add that the remaining 1% happens to be the preferred vector of Chinese attacks. Many Human Rights NGO received apparently totally legit emails about current events with an infected .doc or a .pdf (itself containing perfectly interesting information)

Re:

[rootooftheworld]

There was this funky "stupid filter" thing. Can it be used as a spam filter? Bots may be a lot of things, but they ain't smart. And the ones who get down to create 'non-stupid' templates might as well send spam manualy. Just my $0.02.

4.4 million? So What?

[Kostya]

Ever work on a big project? One that was over due by a significant amount? Yeah, easily $4M.

That amount is like the military paying someone to think about it and give them a paper on it. I've been on civilian-side government projects that were well beyond $4M. Sounds like someone got a "sure, toss some cash at it and see what happens" approval, but not an official "this is a priority, make it so" approval.

Now, $40M is where we start to see some serious thinking about the issue. Yeah, it's an arbitrary a

Skynet?

[Darkfire79]

Can we name it Skynet?

The good news...

[religious freak]

I think the military really understands how big a threat cyber attacks are/will be. Thank Jebus.