Print Print  
Award Information
Proposal Number: 0423005
Proposal Title: Cross-domain security alert sharing: Worminator
Topic Number: H-SB04.2-001
Phase: Phase II
Topic Title: Cross-Domain Attack Correlation Technologies
Organization: CounterStorm Inc.
Address: 15 W. 26th Street
7th Floor
New York, NY 10010-1002  
Abstract: This proposal by CounterStorm, Inc. (formerly System Detection) concerns the second phase of research, development, and commercial release of Worminator, an innovative and effective approach to anonymously sharing and correlating security information in real-time. The overriding principle of Worminator is that cross-domain collaboration enhances accuracy and efficacy by enabling rapid detection of worms, zero-day exploits, and slow-and-stealthy attacks currently undetected by existing products. The overarching goal of this Phase 2 effort is to fully incorporate the Worminator technology into CounterStorm`s AntiWorm-1 commercial security product, providing an effective defense against emerging threats. CounterStorm`s Phase 1 effort oversaw the successful development and deployment of the first-generation Worminator architecture at commercial and academic sites. Using Worminator to correlate alerts from CounterStorm's Surveillance Detection Engine, we demonstrated a dramatic reduction in the alert stream, yielding a manageable number of actionable alarms. This Phase 2 effort is organized into four components. First, we will extend Worminator`s collaboration capabilities beyond the sharing of attack source addresses. As a part of this effort, we will integrate Worminator with CounterStorm's Payload Anomaly Sensor (PAYL is the topic of another SBIR Phase 2 proposal). PAYL and Worminator together provide real-time sharing of automatically-generated content signatures to inoculate collaborating sites against attack. Second, we aim to support anonymous collaboration. Third, we plan a fully commercialized implementation of Worminator as an extension of CounterStorm's AntiWorm-1 architecture. Finally, in collaboration with Columbia University, we plan to conduct a comprehensive study of real-world attack behaviors over time, including coverage, response rates, and efficiency under different exchange algorithms. Incorporation of the Worminator technology enhances AntiWorm-1 by allowing rapid and anonymous sharing and correlation of threat information in real time, thus giving sites the ability to block malicious activity before it is seen locally.
Award/Contract Number: NBCHC050144
Period of Performance: 10/01/2005 - 09/30/2008
Award/Contract Value: $750,000.00
Award/Obligated Amount: $750,000.00