Topic Information Award/Contract Number Proposal Information Company Performance

Enhanced Distributed Denial of Service Defense

HSHQDC-15-C-00016 HSHQDC-15-R-00017-H-SB015.1-003-0008-I
(HSHQDC-15-R-00017 Phase I)
Border Gateway Protocol Distributed Denial of Service Attack Alert Extension (DDoS-AE)

Blue Ridge Envisioneering, Inc.
14450 Broadwinged Dr.
Gainesville, VA 20155-5932


Our approach will be to design and develop a BGP extension called the DDoS Alert Extension (DDoS-AE) and a web-based central service (CS) that will leverage existing infrastructure and established protocols to enable real-time distribution of DDoS alert messages. A prototype unit running the DDoS-AE will be designed using innovative new hardware such as FPGAs and GPUs to aid in the detection and mitigation of DDoS attacks. The proposed alert messages will contain message classification information that can be used by routers to implement targeted filters to block and/or throttle DDoS traffic. The proposed system will provide routers and network operators with standard interfaces for generating DDoS alerts, allowing multiple sources and ever-evolving techniques to facilitate DDoS traffic classification and identification. Additionally, this work will investigate techniques utilizing information already present in BGP to supplement the DDoS packet classifiers to aid in DDoS alert generation. Unlike other DDoS mitigation techniques, this proposed effort does not require network operators to replace existing network equipment; it also has the unique advantage of leveraging existing BGP peer knowledge and relationships. The CS allows DDoS-AE nodes that may not have BGP peers using the extension to reap the benefits of the alert network, as well as providing a commercialization opportunity to allow human operators. The CS will also provide network operators a robust interface for monitoring, reporting, and responding to attacks, greatly increasing the immediate effectiveness of the extension without requiring widespread adoption.

Privacy Protecting Analytics for the Internet of Things

HSHQDC-15-C-00021 HSHQDC-15-R-00017-H-SB015.1-004-0019-I
(HSHQDC-15-R-00017 Phase I)
Personally Identifiable Information (PII) Guard

Progeny Systems Corporation
9500 Innovation Drive
Manassas, VA 20110-2210


Progeny Systems proposes a Personally Identifiable Information (PII) Guard architecture solution that acts as a gateway for organizations that desire to access the Social Internet of Things (SIoT) while needing to adhere to privacy protection policy with minimal loss of actionable information. Addressing SIoT is forward-thinking, in line with the evolutionary trend towards a ubiquitous computing paradigm where thing- and human-type sensors and embedded systems are interconnected. The technical approach is to PII-protect information retrieved from both thing- and human-type sensors and embedded processors containing PII, such as surveillance video, face recognition cameras, License Plate Recognition (LPR) cameras, databases and social networks. A guard architecture approach does not require institutionalized privacy protection across the global SIoT to ensure privacy protection of information, providing 100% confidence in adhering to PII protection policies. PII-protected analytics with temporal, spatial, geographical, group and customizable extent functionality is provided within the PII Guard, maintaining actionable information in the absence of PII. The ability to specify domain ontologies is provided to improve analytics performance by organizing and ranking information artifacts based on ontology correlation. Both PII anonymization and de-identification PII protection methods are supported, where the latter can be re-identified as situations and policy permit. To address scalability, the Apache Hadoop architecture is used, which is designed to provide distributed storage and processing of Big Data on computer clusters. Commercial applications include intelligence use-cases such as counterterrorism, disaster relief, public safety and security, and law enforcement.