Awards

Fields: Topic Information | Award/Contract Number | Proposal Information | Company | Performance Period | Award/Contract Value | Abstract

Topic: H-SB04.2-001, Cross-Domain Attack Correlation Technologies
Award/Contract Number: NBCHC050144 0423005 (FY04.2 Phase II)
Proposal: Cross-domain security alert sharing: Worminator
Company: CounterStorm Inc., 15 W. 26th Street, 7th Floor, New York, NY 10010-1002
Performance Period: 10/01/2005 to 09/30/2008
Award/Contract Value: $750,000.00
Abstract:

This proposal by CounterStorm, Inc. (formerly System Detection) concerns the second phase of research, development, and commercial release of Worminator, an innovative and effective approach to anonymously sharing and correlating security information in real time. The overriding principle of Worminator is that cross-domain collaboration enhances accuracy and efficacy by enabling rapid detection of worms, zero-day exploits, and slow-and-stealthy attacks currently undetected by existing products. The overarching goal of this Phase 2 effort is to fully incorporate the Worminator technology into CounterStorm's AntiWorm-1 commercial security product, providing an effective defense against emerging threats. CounterStorm's Phase 1 effort oversaw the successful development and deployment of the first-generation Worminator architecture at commercial and academic sites. Using Worminator to correlate alerts from CounterStorm's Surveillance Detection Engine, we demonstrated a dramatic reduction in the alert stream, yielding a manageable number of actionable alarms. This Phase 2 effort is organized into four components. First, we will extend Worminator's collaboration capabilities beyond the sharing of attack source addresses. As part of this effort, we will integrate Worminator with CounterStorm's Payload Anomaly Sensor (PAYL is the topic of another SBIR Phase 2 proposal). PAYL and Worminator together provide real-time sharing of automatically generated content signatures to inoculate collaborating sites against attack. Second, we aim to support anonymous collaboration. Third, we plan a fully commercialized implementation of Worminator as an extension of CounterStorm's AntiWorm-1 architecture. Finally, in collaboration with Columbia University, we plan to conduct a comprehensive study of real-world attack behaviors over time, including coverage, response rates, and efficiency under different exchange algorithms.
Incorporation of the Worminator technology enhances AntiWorm-1 by allowing rapid and anonymous sharing and correlation of threat information in real time, thus giving sites the ability to block malicious activity before it is seen locally.

Topic: H-SB04.2-002, Real-Time Malicious Code Identification
Award/Contract Number: NBCHC050142 0423004 (FY04.2 Phase II)
Proposal: Packet Content Payload Anomaly Detection
Company: CounterStorm Inc., 15 W. 26th Street, 7th Floor, New York, NY 10010-1002
Performance Period: 10/01/2005 to 09/30/2007
Award/Contract Value: $750,000.00
Abstract:

This proposal by CounterStorm Inc. (formerly System Detection) concerns the second phase of research, development, and commercial release of a novel method to detect malicious code exploits in network traffic. The successful Phase 1 project led to several new innovations and improvements, and commercial development is under way. The PAYL Payload Anomaly Detection sensor will be completely implemented in the CounterStorm AntiWorm-1 product platform and introduced to commercial and government sites. New features of the PAYL anomalous payload detection sensor created under Phase 1 funding demonstrated highly accurate detection and generated signatures for zero-day worm exploits. Experimental evidence demonstrated that "site-specific models" trained and used for testing by PAYL can detect new worms with high accuracy in a collaborative security system. In Phase 2 we continue to build on a new approach that correlates ingress/egress payload alerts to identify the worm's initial propagation. The method also enables automatic signature generation very early in the worm's propagation stage. These signatures can be deployed immediately to network firewalls and content filters to proactively protect other hosts. Tests and evaluations of sensor performance are also proposed for Phase 2. Collaborative research and development by CounterStorm and Columbia University will address several basic problems in handling encrypted content traffic and scaling the sensor to high-speed network rates. Significant engineering activities are needed to embed solutions to these performance issues into the CounterStorm AntiWorm-1 Platform. The speed of gigabit networks strains the limits of what can be detected in real time, especially when decrypting content flows. There are currently no Commercial Off-the-Shelf (COTS) solutions that provide highly efficient content-based anomaly detectors operating on high-speed networks without packet loss.
By overcoming these obstacles, we can provide the first effective content-based anomaly detection system to secure high-speed networks. The CounterStorm AntiWorm-1 platform with PAYL technology improves accuracy for all worm detection and blocking. More importantly, PAYL facilitates the detection and blocking of non-scanning 'zero-day' worms, adding a significant layer of security to critical IT infrastructures for commercial and government entities.