
Awards

Topic Information | Award/Contract Number | Proposal Information | Company | Performance Period | Award/Contract Value | Abstract

Topic: H-SB04.2-001 Cross-Domain Attack Correlation Technologies
Award/Contract Number: NBCHC050004 0421021 (FY04.2 Phase I)
Proposal: A New Generation of Collaborative Cross-domain Security Technologies: Worminator
Company: CounterStorm Inc., 15 W. 26th Street, 7th Floor, New York, NY 10010-1002
Performance Period: 11/01/2004 to 05/15/2005
Award/Contract Value: $99,628.00
Abstract:

This proposal, a collaboration between Columbia University and System Detection Inc., concerns research into a new collaborative, cross-domain security system, which we call Worminator, to detect and prevent the exploitation of and attacks against networked computer systems, especially those critical to the nation's infrastructure. The core concept is to deploy a number of strategically placed sensors across the Internet that detect stealthy attacks and share this information in real time among anonymous sites as an early warning of impending attack. The alerts include "profiles" of attackers and suspect packet content signatures indicative of new zero-day attacks and worm outbreaks. We seek to establish scientific proof that correlating scan and probe alerts - specifically, the detection of intelligence gathering and probing activities that attempt to deliver malicious code - across many sites produces a more accurate means of predicting later attack stages, and that the system in question scales to large numbers of participating sites. The proof-of-concept system will also demonstrate the means by which information about the sources and profiles of new attacks is represented efficiently, and effective methods of distributing alert information in real time while maintaining the anonymity and privacy of the participants.

Topic: H-SB04.2-001 Cross-Domain Attack Correlation Technologies
Award/Contract Number: NBCHC050144 0423005 (FY04.2 Phase II)
Proposal: Cross-domain security alert sharing: Worminator
Company: CounterStorm Inc., 15 W. 26th Street, 7th Floor, New York, NY 10010-1002
Performance Period: 10/01/2005 to 09/30/2008
Award/Contract Value: $750,000.00
Abstract:

This proposal by CounterStorm, Inc. (formerly System Detection) concerns the second phase of research, development, and commercial release of Worminator, an innovative and effective approach to anonymously sharing and correlating security information in real time. The overriding principle of Worminator is that cross-domain collaboration enhances accuracy and efficacy by enabling rapid detection of worms, zero-day exploits, and slow-and-stealthy attacks currently undetected by existing products. The overarching goal of this Phase 2 effort is to fully incorporate the Worminator technology into CounterStorm's AntiWorm-1 commercial security product, providing an effective defense against emerging threats. CounterStorm's Phase 1 effort oversaw the successful development and deployment of the first-generation Worminator architecture at commercial and academic sites. Using Worminator to correlate alerts from CounterStorm's Surveillance Detection Engine, we demonstrated a dramatic reduction in the alert stream, yielding a manageable number of actionable alarms. This Phase 2 effort is organized into four components. First, we will extend Worminator's collaboration capabilities beyond the sharing of attack source addresses. As part of this effort, we will integrate Worminator with CounterStorm's Payload Anomaly Sensor (PAYL is the topic of another SBIR Phase 2 proposal). PAYL and Worminator together provide real-time sharing of automatically generated content signatures to inoculate collaborating sites against attack. Second, we aim to support anonymous collaboration. Third, we plan a fully commercialized implementation of Worminator as an extension of CounterStorm's AntiWorm-1 architecture. Finally, in collaboration with Columbia University, we plan to conduct a comprehensive study of real-world attack behaviors over time, including coverage, response rates, and efficiency under different exchange algorithms. Incorporation of the Worminator technology enhances AntiWorm-1 by allowing rapid and anonymous sharing and correlation of threat information in real time, thus giving sites the ability to block malicious activity before it is seen locally.

Topic: H-SB04.2-002 Real-Time Malicious Code Identification
Award/Contract Number: NBCHC050007 0421001 (FY04.2 Phase I)
Proposal: Real-time Malicious Code Detection in Network Traffic: The PAYL Payload Anomaly Detector
Company: CounterStorm Inc., 15 W. 26th Street, 7th Floor, New York, NY 10010-1002
Performance Period: 11/01/2004 to 05/15/2005
Award/Contract Value: $98,597.00
Abstract:

This proposal, a collaboration between Columbia University and System Detection Inc., concerns research into a new payload anomaly detector, which we call PAYL, that has been demonstrated to detect malicious code in network traffic. The core concept is to statistically model normal content and detect anomalous packet content indicative of malicious exploit code. The approach is very fast to compute, is stateless, does not parse the input stream, generates a small model, and can easily be modified into an incremental online learning algorithm to deal with changing network traffic. The method provides a compact signature of newly detected exploits and preserves the privacy of content data. We believe the method will be highly competitive with other approaches that are based upon code emulation or simulation techniques. We focus on solving the false positive problem typically associated with anomaly detectors by employing other correlated models to identify true positives with high accuracy and confidence, analyzing only a subset of the network data in each packet or connection. The successful results of the research and development will be commercialized by System Detection Inc. by embedding a new plug-in detector into their Antura security product for the prevention of new attack exploits.

Topic: H-SB04.2-002 Real-Time Malicious Code Identification
Award/Contract Number: NBCHC050142 0423004 (FY04.2 Phase II)
Proposal: Packet Content Payload Anomaly Detection
Company: CounterStorm Inc., 15 W. 26th Street, 7th Floor, New York, NY 10010-1002
Performance Period: 10/01/2005 to 09/30/2007
Award/Contract Value: $750,000.00
Abstract:

This proposal by CounterStorm Inc. (formerly System Detection) concerns the second phase of research, development, and commercial release of a novel method to detect malicious code exploits in network traffic. The successful Phase 1 project led to several new innovations and improvements, and commercial development is under way. The PAYL Payload Anomaly Detection sensor will be completely implemented in the CounterStorm AntiWorm-1 product platform and introduced to commercial and government sites. New features of the PAYL anomalous payload detection sensor created under Phase 1 funding demonstrated highly accurate detection and generated signatures for zero-day worm exploits. Experimental evidence demonstrated that "site-specific models" trained and used for testing by PAYL can detect new worms with high accuracy in a collaborative security system. In Phase 2 we continue to build on a new approach that correlates ingress/egress payload alerts to identify the worm's initial propagation. The method also enables automatic signature generation very early in the worm's propagation stage. These signatures can be deployed immediately to network firewalls and content filters to proactively protect other hosts. Tests and evaluations of sensor performance are also proposed for Phase 2. Collaborative research and development by CounterStorm and Columbia University will address several basic problems in handling encrypted content traffic and scaling the sensor to high-speed network rates. Significant engineering activities are needed to embed solutions to these performance issues into the CounterStorm AntiWorm-1 platform. The speed of gigabit networks strains the limits of what can be detected in real time, especially when decrypting content flows. There are currently no Commercial Off-the-Shelf (COTS) solutions that provide highly efficient content-based anomaly detectors operating on high-speed networks without packet loss. By overcoming these obstacles, we can provide the first effective content-based anomaly detection system to secure high-speed networks. The CounterStorm AntiWorm-1 platform with PAYL technology improves accuracy for all worm detection and blocking. More importantly, PAYL facilitates the detection and blocking of non-scanning "zero-day" worms, adding a significant layer of security to critical IT infrastructures for commercial and government entities.