The following is a sampling of potential problems.
The list will change as the list of problems is finalized.
Naval Special Warfare Group 3, USSOCOM
Underwater wearable physiological sensors and Geo location for Dive Teams.
National Geospatial Intelligence Agency (NGA) and Joint Improvised Threat Defeat Agency
Open Source Analytics for Indications and Warnings (I&W). Sponsor – (JIDA)
National Security Agency (NSA)
Agile, Resilient Networks
Currently networks are mostly static, allowing attackers time to discover, observe, and develop attacks. The static nature then helps the attacker stay hidden. Enabling the network layout and architecture to shift more frequently and unpredictably, in effect reducing the time available for recon and planning of attacks, increases both the difficulty of stealthy attacks and the network resistance to those attacks. The research challenge are to: Develop approaches to enabling computing networks to pivot, creating a dynamically changing attack landscape, and to exhibit resiliency recovering from hacker attacks. Discover formal scientific underpinnings for the design of trusted systems by building both the theory of how to create science and specific artifacts of security science work.
Integrity of Integrated Circuits
Integrated circuits (ICs) can be modified such that they have additional potentially malicious functionality or they are fraudulent in other ways. Improving this confidence is vital for trust in both computing systems and in embedded devices that operate in military weapons systems and critical infrastructures. The research challenge is improve the confidence in the integrity of Integrated Circuits (IC).
Naval Special Warfare Group 3, USSOCOM
Underwater wearable physiological sensors and Geo location for Dive Teams.
National Geospatial Intelligence Agency (NGA) and Joint Improvised Threat Defeat Agency
Open Source Analytics for Indications and Warnings (I&W). Sponsor – (JIDA)
National Security Agency (NSA)
Agile, Resilient Networks
Currently networks are mostly static, allowing attackers time to discover, observe, and develop attacks. The static nature then helps the attacker stay hidden. Enabling the network layout and architecture to shift more frequently and unpredictably, in effect reducing the time available for recon and planning of attacks, increases both the difficulty of stealthy attacks and the network resistance to those attacks. The research challenge is to:
Integrity of Integrated Circuits
Integrated circuits (ICs) can be modified such that they have additional potentially malicious functionality or they are fraudulent in other ways. Improving this confidence is vital for trust in both computing systems and in embedded devices that operate in military weapons systems and critical infrastructures. The research challenge is:
SCADA Security
An Industrial Control System (ICS) device constitutes the lowest level of a Supervisory Control and Data Acquisition (SCADA) network. ICS devices are comprised of sensors and actuators that monitor and control industrial and manufacturing processes such as:
1) facilities management and 2) power and utilities distribution, protection, and control. Any malfunction in an ICS device can cause a tremendous amount of damage to the environment and to expensive equipment including motors, power grids, transformers, water purification equipment, chemical- hydrocarbon-nuclear production equipment, and public infrastructure resources. This could possibly result in the loss of human life. If an ICS device malfunctions as the result of malicious code, it is plausible that such malware would likely report (to the higher levels of the SCADA network) that the system is functioning nominally in order to conceal its existence. Hence, for critical ICS devices there is a need to develop a monitoring technique to determine if an ICS device is executing malicious code. The research challenge is:
Personal, Mobile Device Sensor Data
Increasingly, smartphones are manufactured with an array of sophisticated sensors that can be used to collect a variety of useful information. This information is increasingly used by the private sector to market specific goods and services to the owner of the device (laptop, phone, tablet). The research challenge is:
Wafer Scale Lightweight Multi-Frequency Reconfigurable RF Systems
There is a need for lightweight multi-frequency reconfigurable RF-based systems for cyber applications. Current systems are too bulky and not flexible enough in function to provide for application to more than one problem space. With the commercial development of 3-dimensional and wafer scale integration technologies, there may exist new methodologies for fabricating reconfigurable low size, weight, and power systems that would have a broader use case. The research challenge is:
Predictive Analytics
Decision makers in multiple countries and agencies must understand the effectiveness and risks of a set of possible actions. The research challenge is:
Internet of Things #1 - Security Elements
The Internet of Things (loT) includes existing products such as smartphones as well as a rapidly growing field of emerging devices such as smart TV’s, appliances, etc. IoT will provide new avenues of attack but also will create an opportunity "to get things right the first time" if a number of important challenges are addressed early on. The research challenge is:
Internet of Things #2 – New Security Elements
Develop high payoff technologies and approaches able to provide new security capabilities that are significantly more effective than current practice or commercial tools currently available. The research challenge is
Mobile Platform Security and Malware Analysis
Traditional malware software analysis has focused on reverse engineering a suspect code to determine what it does at an instruction level. While this approach provides a complete analysis of the malware, it’s time consuming and labor intensive. Rather than traditional software reverse engineering, can we rapidly develop sufficient information about the software to be able to make informed guesses about the malware’s origins, its workings, its likely next action, and the possibility of continuing normal operations despite the malware’s presence. The research challenge is:
Modeling Cyber Attacks
Though originally developed in the context of signal processing, Information theory has expanded to encompass many application domains. One such application is computer network defense, specifically the understanding and modeling of the stages of a cyberattack: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and action. The research challenge is:
Exploit-Resistant Computer Architectures
DoD systems are under continual cyber attack. This may occur when an unsuspecting (and legitimate) user clicks on a link that opens an avenue for exploitation. It may also occur because a malicious actor has discovered an exploitable feature that is built into the host or network technologies and uses it to gain entry into DoD. When exploits are discovered, they are most typically mitigated by the deployment of new configuration settings. These system changes alter the system behavior to remove opportunities necessary for the exploit to achieve success on the DoD targeted systems. The research challenge is:
Shorten the Timeline for Malicious Event Attributions
Given a plurality of data sources that provide insights on current malicious events, methods are needed to identify indicators that provide unique characteristics and assign them to unique malicious actors. Much of this data fills in small portions of a larger attribution picture for adversaries of interest. The advanced capabilities necessary to perform the following essential functions to make this mission more time efficient are lacking. The research challenge is:
Analytics for the Characterization and Mitigation of Malicious Executables
The number of malware samples continues to challenge our analysis capabilities and poses a disruptive threat to the cybersecurity domain - the problem domain is non- uniform, and currently each analyst applies a unique set of tools and processes to perform the analysis tasks. As malicious cyber actors grow in their level of sophistication, they often obfuscate their applications to make reverse-engineering very time consuming and costly. The DoD is in need of science- based approaches to perform classification on the malicious executables and to create a representation that helps to inform DoD of the perceived Malicious Level of Impact (MLI) of the analyzed samples. The research challenge is:
Creating a Model for Representing and Addressing Cyber Threats on a Global Scale
The typical methodology used in addressing intrusion has been to instrument portions of the global network to gain insights into the activities of numerous cyber actors. The goal is to move to a model that has global perspective. “Cyber actors” can use any single or set of technologies to send any data via any communications channel to any location on the physical globe. By parsing this statement, we have potentially, described the means of tracking, locating, and attributing the source of each discovered cyber threat. Much of cyberspace is already instrumented by various DoD and commercial companies. Many of the sensors provide localized views
into particular regions of the global network and feed that information back to the sensor owners. DoD accesses this information using a diverse set of data sources, but the analytics applied to the data have not generally considered a holistic perspective. New cyber analytics are needed to apply our knowledge based on the 5-layer model shown in Figure 1 to provide the insights necessary to get ahead of the planned activities of malicious cyber actors.
Using figure 1 as a basis for identifying, characterizing, and assessing cyber personas and their respective Tactics, Techniques, and Procedures (TTPs), we can better understand each actor’s mission motives and predict how they may go about achieving their goals. With this insight, we can better plan (along with partner organizations) how best to thwart their attempts and protect DoD cyber assets. The research challenge is:
Currently networks are mostly static, allowing attackers time to discover, observe, and develop attacks. The static nature then helps the attacker stay hidden. Enabling the network layout and architecture to shift more frequently and unpredictably, in effect reducing the time available for recon and planning of attacks, increases both the difficulty of stealthy attacks and the network resistance to those attacks. The research challenge is to:
- Develop approaches to enabling computing networks to pivot, creating a dynamically changing attack landscape, and to exhibit resiliency recovering from hacker attacks.
- Discover formal scientific underpinnings for the design of trusted systems by building both the theory of how to create science and specific artifacts of security science work.
Integrity of Integrated Circuits
Integrated circuits (ICs) can be modified such that they have additional potentially malicious functionality or they are fraudulent in other ways. Improving this confidence is vital for trust in both computing systems and in embedded devices that operate in military weapons systems and critical infrastructures. The research challenge is:
- Improve the confidence in the integrity of Integrated Circuits (IC).
SCADA Security
An Industrial Control System (ICS) device constitutes the lowest level of a Supervisory Control and Data Acquisition (SCADA) network. ICS devices are comprised of sensors and actuators that monitor and control industrial and manufacturing processes such as:
1) facilities management and 2) power and utilities distribution, protection, and control. Any malfunction in an ICS device can cause a tremendous amount of damage to the environment and to expensive equipment including motors, power grids, transformers, water purification equipment, chemical- hydrocarbon-nuclear production equipment, and public infrastructure resources. This could possibly result in the loss of human life. If an ICS device malfunctions as the result of malicious code, it is plausible that such malware would likely report (to the higher levels of the SCADA network) that the system is functioning nominally in order to conceal its existence. Hence, for critical ICS devices there is a need to develop a monitoring technique to determine if an ICS device is executing malicious code. The research challenge is:
- Help secure critical US ICS/SCADA infrastructure by protecting ICS devices from cyberattacks
Personal, Mobile Device Sensor Data
Increasingly, smartphones are manufactured with an array of sophisticated sensors that can be used to collect a variety of useful information. This information is increasingly used by the private sector to market specific goods and services to the owner of the device (laptop, phone, tablet). The research challenge is:
- What can academia do to harvest, fuse, and evaluate the rich sensor data that can be found on all of today’s smartphones/tablets?
- What novel capabilities can be developed by fusing sensor data emanating from built-in sensors, such as accelerometers, gyroscopes, bolometers, light and sound sensors, etc?
Wafer Scale Lightweight Multi-Frequency Reconfigurable RF Systems
There is a need for lightweight multi-frequency reconfigurable RF-based systems for cyber applications. Current systems are too bulky and not flexible enough in function to provide for application to more than one problem space. With the commercial development of 3-dimensional and wafer scale integration technologies, there may exist new methodologies for fabricating reconfigurable low size, weight, and power systems that would have a broader use case. The research challenge is:
- Can a system be fabricated where the major components are each reconfigurable to be adaptable to any environment?
- What is the feasibility of using MEMS-based technologies in a completely reconfigurable system?
- How much could of the size, weight, and power be reduced from conventional systems if 3- dimensional and/or wafer scale integration technologies are employed?
Predictive Analytics
Decision makers in multiple countries and agencies must understand the effectiveness and risks of a set of possible actions. The research challenge is:
- Create analytics that, given a situational awareness model, can predict the structural and dynamic effects of actions taken on a large-scale network.
- Develop models of large, multi-modal, multi-scale networks that utilize dynamic Bayesian approaches. Approaches should be easily scalable, with integrated ensembles of models (physical plus behavioral). Models should be based on theories of information networks.
- Develop optimized algorithms and architectures that meet speed-fidelity-platform constraints. Optimized algorithms should be capable of handling:
- Streaming analytics o Dynamic analytics
- Complex, integrated, multi-scale architectures (edge sensors + commodity computing + specialized HPC)
- Geographically distributed analytics
Internet of Things #1 - Security Elements
The Internet of Things (loT) includes existing products such as smartphones as well as a rapidly growing field of emerging devices such as smart TV’s, appliances, etc. IoT will provide new avenues of attack but also will create an opportunity "to get things right the first time" if a number of important challenges are addressed early on. The research challenge is:
- Develop low power security techniques/technologies
- Develop “fail properly” techniques
- Learn from existing fault tolerant ideas
- Identifying proper use of resets that are not cyber accessible would be beneficial
- Separation of logical networks sharing the same physical networks
- The security elements seem naturally suited to utilizing advances in neuromorphic computing
Internet of Things #2 – New Security Elements
Develop high payoff technologies and approaches able to provide new security capabilities that are significantly more effective than current practice or commercial tools currently available. The research challenge is
- How can we understand the behavior of large and complex systems (the Internet of Things) without building the entire system?
- Can we develop a theoretical framework for understanding the behaviors and interactions of complex networks to support the identification of normal and abnormal network behaviors/interactions and the development of network control mechanisms that can be used to promote desired and suppress undesired network behaviors/interactions
- How do we quickly determine whether the application software running on IoT devices or communications equipment does what it’s supposed to do and nothing more?
- What are the necessary requirements for securely aggregating data in a network and for authenticating the information and entities that are part of a network? How do we know whether an unauthorized device is present on a network?
Mobile Platform Security and Malware Analysis
Traditional malware software analysis has focused on reverse engineering a suspect code to determine what it does at an instruction level. While this approach provides a complete analysis of the malware, it’s time consuming and labor intensive. Rather than traditional software reverse engineering, can we rapidly develop sufficient information about the software to be able to make informed guesses about the malware’s origins, its workings, its likely next action, and the possibility of continuing normal operations despite the malware’s presence. The research challenge is:
- Malware Identification Methods. Develop methods to characterize malware based on its behaviors, potential functionality, identification as unauthorized software, that can distinguish malware and unauthorized software on a system, that will speed selection of an effective response.
- Malware Attribution. Develop mechanisms and methods to rapidly develop attribution for the malware back to the author, controller, or the source of the release.
- Malware Countermeasures. Develop methods and mechanisms to counter malware without having to use extreme measures such as taking a system down or wiping out and rebuilding a system. Develop novel techniques and new paradigms to deal with malware already on a system and render it ineffective while still maintaining system availability for legitimate operations.
- Resiliency to Malware. Make a system (hardware and/or software and/or applications) resilient to malware so legitimate operations continue as normal and malware is ignored and unable to achieve its objectives.
Modeling Cyber Attacks
Though originally developed in the context of signal processing, Information theory has expanded to encompass many application domains. One such application is computer network defense, specifically the understanding and modeling of the stages of a cyberattack: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and action. The research challenge is:
- Discover and identify actors participating in a cyberattack; determine their roles; estimate the current stage of attack;predict a future event or condition, e.g., imminent stage transition of an attack; andsemi-automatically generate and maintain a multimedia document that describes that event or condition.
Exploit-Resistant Computer Architectures
DoD systems are under continual cyber attack. This may occur when an unsuspecting (and legitimate) user clicks on a link that opens an avenue for exploitation. It may also occur because a malicious actor has discovered an exploitable feature that is built into the host or network technologies and uses it to gain entry into DoD. When exploits are discovered, they are most typically mitigated by the deployment of new configuration settings. These system changes alter the system behavior to remove opportunities necessary for the exploit to achieve success on the DoD targeted systems. The research challenge is:
- Understand classes of exploit- enabling characteristics such that the basis for exploit- resistant computer architectures may be defined. The basic premise is that exploit- resistant architectures may exist only if all of the system characteristics susceptible to exploitation are identified and neutralized.
- Exploit-resistant computer architectures must be able to function within the DoD environment with no loss of end-user functionality. As researchers pursue this question, we will discover the essence of successful exploits. Such a discovery can lead to the establishment of operational business rules to help us better discover and mitigate exploitation attempts by sophisticated cyber adversaries.
Shorten the Timeline for Malicious Event Attributions
Given a plurality of data sources that provide insights on current malicious events, methods are needed to identify indicators that provide unique characteristics and assign them to unique malicious actors. Much of this data fills in small portions of a larger attribution picture for adversaries of interest. The advanced capabilities necessary to perform the following essential functions to make this mission more time efficient are lacking. The research challenge is:
- Quickly and unambiguously match the of malicious act or to the malicious cyber event, by extracting key features from the available data (types, properties, and interrelationships) to enable cybersecurity practitioners to associate the event to the processes that infer classes of specific malicious activity based on the available data
Analytics for the Characterization and Mitigation of Malicious Executables
The number of malware samples continues to challenge our analysis capabilities and poses a disruptive threat to the cybersecurity domain - the problem domain is non- uniform, and currently each analyst applies a unique set of tools and processes to perform the analysis tasks. As malicious cyber actors grow in their level of sophistication, they often obfuscate their applications to make reverse-engineering very time consuming and costly. The DoD is in need of science- based approaches to perform classification on the malicious executables and to create a representation that helps to inform DoD of the perceived Malicious Level of Impact (MLI) of the analyzed samples. The research challenge is:
- Tools and capabilities to quickly assess malware samples to understand and assess new methodologies for piercing defensive boundaries and exploiting and attacking networks.
- Creation of an Abstract Machine Representation (AMR) that is derived from the binary format of the sample.
- Identify measurable attributes about the malicious executables that provide a high level of confidence in their potential MLI value, and their functional intent.
Creating a Model for Representing and Addressing Cyber Threats on a Global Scale
The typical methodology used in addressing intrusion has been to instrument portions of the global network to gain insights into the activities of numerous cyber actors. The goal is to move to a model that has global perspective. “Cyber actors” can use any single or set of technologies to send any data via any communications channel to any location on the physical globe. By parsing this statement, we have potentially, described the means of tracking, locating, and attributing the source of each discovered cyber threat. Much of cyberspace is already instrumented by various DoD and commercial companies. Many of the sensors provide localized views
into particular regions of the global network and feed that information back to the sensor owners. DoD accesses this information using a diverse set of data sources, but the analytics applied to the data have not generally considered a holistic perspective. New cyber analytics are needed to apply our knowledge based on the 5-layer model shown in Figure 1 to provide the insights necessary to get ahead of the planned activities of malicious cyber actors.
Using figure 1 as a basis for identifying, characterizing, and assessing cyber personas and their respective Tactics, Techniques, and Procedures (TTPs), we can better understand each actor’s mission motives and predict how they may go about achieving their goals. With this insight, we can better plan (along with partner organizations) how best to thwart their attempts and protect DoD cyber assets. The research challenge is:
- How do we maintain or re-acquire mission coverage on cyber actors should any number of their behaviors in Figure 1 change?
- WHERE: What information maybe derived from the model to determine where best to observe or engage the activities of specific cyber actors?
- HOW: What new perspectives on cyber tradecraft may be learned when cyber activity is viewed within a more global context?
- BEHAVIORS: Can such a model be created to capture past cyber actor behavior and predict patterns of future behavior?
- MOTIVATORS: Can we predict the manifestation of cyber activities associated with future geopolitical events?
