Cyber attacks have become a global nuisance these days. Due to the global nature of the Internet and cyberspace, it is very difficult to ascertain the source of such cyber attacks in many cases. Further, different countries have different laws that make it really difficult to prosecute and extradite the cyber criminal. In short, conflict of laws in cyberspace is a major hurdle before the international law enforcement of cyber law and cyber attacks. The difficulty of authorship attribution for cross-border cyber attacks is directly attributable to this scenario.
The US Defense Advanced Research Projects Agency (DARPA) is trying to solve this problem of authorship attribution and it has invited innovative research proposals in the area of cyber attribution. This is in addition to the recent proposal to expand the scope of Rule 41 of the Federal Rules of Criminal Procedure by the US Supreme Court that has conferred a long-arm jurisdiction upon US courts.
The goal of the Enhanced Attribution program of DARPA is to develop technologies for generating operationally and tactically relevant information about multiple concurrent independent malicious cyber campaigns. The objective is to not only collect and validate this pertinent information, but to create the means to share such information with any of a number of interested parties without putting at risk the sources and methods used for collection. Proposed research should investigate innovative approaches that enable revolutionary advances in science, devices, or systems. Specifically excluded is research that primarily results in evolutionary improvements to the existing state of practice.
Malicious actors in cyberspace currently operate with little fear of being caught because it is extremely difficult, in some cases perhaps even impossible, to reliably and confidently attribute actions in cyberspace to individuals. The reason cyber attribution is difficult stems at least in part from a lack of end-to-end accountability in the current Internet infrastructure. Cyber campaigns spanning jurisdictions, networks, and devices are only partially observable from the point of view of a defender that operates entirely in friendly cyber territory (e.g., an organization's enterprise network). The identities of malicious cyber operators are largely obstructed by the use of multiple layers of indirection. The current characterization of malicious cyber campaigns based on indicators of compromise, such as file hashes and command-and-control infrastructure identifiers, allows malicious operators to evade the defenders and resume operations simply by superficially changing their tools, as well as aspects of their tactics, techniques, and procedures. The lack of detailed information about the actions and identities of the adversary cyber operators inhibits policymaker considerations and decisions for both cyber and non-cyber response options.
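The brittleness of hash- and C2-based indicators described above can be shown with a small matching exercise. What follows is an added example, not part of the original post or of the DARPA program: the tool bytes, hostnames and action sequences are constructed sample data, and the ordered-subsequence check is a deliberately simple stand-in for the richer behavioural profiling the program calls for. It shows that one altered byte and a new C2 hostname defeat the indicator list, while the operator's observed sequence of actions still matches.

```python
"""Hash/C2 indicator matching versus behaviour (TTP) matching.

Added illustration: all indicators, hostnames and events below are
constructed sample data, not real indicators of compromise.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    host: str
    tool_bytes: bytes            # payload observed on the host (constructed)
    c2_host: str                 # hostname it connected to (constructed)
    actions: Tuple[str, ...]     # ordered behaviour observed afterwards


# Constructed "known bad" indicators: the hash of the original tool and its C2 hostname.
ORIGINAL_TOOL = b"beacon v1 -- constructed sample payload"
KNOWN_HASHES: Set[str] = {hashlib.sha256(ORIGINAL_TOOL).hexdigest()}
KNOWN_C2: Set[str] = {"c2.example.invalid"}

# A behavioural pattern (a TTP): the operator's ordered sequence of actions,
# which survives a change of tool hash or C2 infrastructure.
TTP_SEQUENCE: Tuple[str, ...] = ("list_users", "dump_credentials", "stage_archive", "exfiltrate")


def ioc_match(ev: Event) -> bool:
    """Classic indicator match: exact file hash or exact C2 hostname."""
    digest = hashlib.sha256(ev.tool_bytes).hexdigest()
    return digest in KNOWN_HASHES or ev.c2_host in KNOWN_C2


def ttp_match(ev: Event) -> bool:
    """True if TTP_SEQUENCE occurs, in order, as a subsequence of ev.actions.

    Each step consumes the iterator until it is found, so unrelated actions
    interleaved between the steps do not break the match.
    """
    remaining = iter(ev.actions)
    return all(any(step == observed for observed in remaining) for step in TTP_SEQUENCE)


def classify(events: List[Event]) -> Dict[str, Dict[str, bool]]:
    """Return, per host, whether the indicator list and the TTP pattern fired."""
    return {ev.host: {"ioc": ioc_match(ev), "ttp": ttp_match(ev)} for ev in events}


# Constructed sample events.
SAMPLE_EVENTS: List[Event] = [
    # First intrusion: the original tool and C2, so both methods fire.
    Event("host-a", ORIGINAL_TOOL, "c2.example.invalid",
          ("login", "list_users", "dump_credentials", "stage_archive", "exfiltrate")),
    # Same campaign after a superficial change: one byte appended (new hash),
    # new C2 hostname, identical behaviour. Only the TTP match survives.
    Event("host-b", ORIGINAL_TOOL + b"\x00", "c2-new.example.invalid",
          ("list_users", "read_mail", "dump_credentials", "stage_archive", "exfiltrate")),
    # Benign administration: partial overlap, but not the full ordered sequence.
    Event("host-c", b"backup agent -- constructed", "backup.example.invalid",
          ("list_users", "stage_archive")),
]


if __name__ == "__main__":
    for host, result in classify(SAMPLE_EVENTS).items():
        print(f"{host}: indicator match={result['ioc']}, TTP match={result['ttp']}")
```

Running the block prints one line per host; host-b is the case the post describes, where the indicator list is silent but the behaviour is unchanged.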
The Enhanced Attribution program aims to make currently opaque malicious cyber adversary actions and individual cyber operator attribution transparent by providing high-fidelity visibility into all aspects of malicious cyber operator actions and to increase the Government's ability to publicly reveal the actions of individual malicious cyber operators without damaging sources and methods.
The program will develop techniques and tools for generating operationally and tactically relevant information about multiple concurrent independent malicious cyber campaigns, each involving several operators, and the means to share such information with any of a number of interested parties (e.g., as part of a response option). The program seeks to develop:
(a) technologies to extract behavioral and physical biometrics from a range of devices and vantage points to consistently identify virtual personas and individual malicious cyber operators over time and across different endpoint devices and C2 infrastructures;
(b) techniques to decompose the software tools and actions of malicious cyber operators into semantically rich and compressed knowledge representations;
(c) scalable techniques to fuse, manage, and project such ground-truth information over time, toward developing a full historical and current picture of malicious activity;
(d) algorithms for developing predictive behavioral profiles within the context of cyber campaigns; and