Loren Data's SAM Daily™

fbodaily.com
FBO DAILY ISSUE OF MARCH 09, 2003 FBO #0464
SOLICITATION NOTICE

A -- BAA03-18 - DYNAMIC QUARANTINE OF COMPUTER-BASED ATTACKS AGAINST MILITARY ENTERPRISE NETWORKS

Notice Date
3/7/2003
 
Notice Type
Solicitation Notice
 
Contracting Office
Other Defense Agencies, Defense Advanced Research Projects Agency, Contracts Management Office, 3701 North Fairfax Drive, Arlington, VA, 22203-1714
 
ZIP Code
22203-1714
 
Solicitation Number
BAA03-18
 
Archive Date
3/21/2004
 
Point of Contact
Anthony Cicala, Contracting Officer, Phone (XXX)XXX-XXX, Fax (XXX)XXX-XXX,
 
E-Mail Address
acicala@darpa.mil
 
Description
BROAD AGENCY ANNOUNCEMENT (BAA) 03-18 - DYNAMIC QUARANTINE OF COMPUTER-BASED ATTACKS AGAINST MILITARY ENTERPRISE NETWORKS

SOL: BAA03-18, CLOSING DATE: 6 March 2004
POC: Dr. Anup K. Ghosh, DARPA/ATO [aghosh@darpa.mil]
FAX: (703) 696-9781
WEB: http://www.darpa.mil/
E-MAIL: BAA03-18@darpa.mil

PROGRAM OBJECTIVES AND DESCRIPTION

The Defense Advanced Research Projects Agency (DARPA) is soliciting proposals for DARPA's Advanced Technology Office (ATO) to perform research, development, modeling, design, and testing to support the Dynamic Quarantine of Worm-Based Attacks Against Military Enterprise Networks program. The objectives of this program are to: (1) develop technologies to automatically and dynamically quarantine zero-day (or novel) worms, which would otherwise infect approximately 100% of vulnerable machines in military enterprise networks, to a peak infection proportion of 1% of vulnerable machines, and (2) reduce the time to recovery after attack for mission-critical applications that run distributed over vulnerable machines from days and hours to minutes and seconds.

The dynamic quarantine program starts with the premise that next generation computer worms will saturate military enterprise networks on the order of minutes and seconds, rather than days and hours. As such, human-centered response will be insufficient to counter the threat and to maintain mission integrity in the face of worm attacks. Military enterprise networks play a key role in the deployment and sustainment of war-fighting forces. Network-centric warfare demands robust networks that can respond automatically and dynamically to the self-propagating malicious code that defines the worm-based threat. Furthermore, future worms will exploit vulnerabilities in software systems that are not known a priori. These worms are known as zero-day worms in that neither the worm nor the vulnerability it exploits will be known a priori, and thus neither will be preventable via software patches or anti-viral signatures.
Existing products, technical approaches, and organizational infrastructures are insufficient to detect and react to this threat on the time-scale and network scale necessary to counter the damage that future worms can cause. This program seeks the definition of a strategy and development of its associated architectures, algorithms, and technology to: (1) detect worm-based threats; (2) dynamically quarantine infections to localized sectors to prevent propagation of infections; (3) extract, compute, and distribute generalizable signatures intra-enterprise faster than worm propagation rates and inter-enterprise via peering relationships; (4) select cost-optimized and mission-aware responses to infection that will ensure the cost of the response is not greater than the cost of the stimulus event or infection; (5) clean up, recover, or reconstitute data and infected systems; and (6) capture worm code, analyze payload and trigger mechanisms, predict propagation vectors, and identify code lineage and attribution.

The key research challenges that must be addressed in an integrated solution are: (1) detecting and responding to highly stealthy, passive, or contagion worms, in addition to traditional scanning and topological worms; (2) reacting more quickly than extremely fast-moving worms such as target-listed worms; (3) distinguishing worm traffic and behavior from legitimate traffic; (4) being robust to ambient and malicious false positives; (5) identifying corrupted components and data to enable automatic reconstitution after attack; and (6) ensuring the cost of the response is much less than the cost of the event.

Offerors must state in proposals their plan for providing deliverables for installation, training, manuals, etc. required for evaluation by the testing facility, as well as travel costs. Offerors should support the technical feasibility of their concept or idea and demonstrate and discuss successive phases leading toward technology development, validation and transition.
SCOPE AND FUNDING (Dynamic Quarantine Defenses): Subject to the terms and conditions of the DoD Appropriations Act, the Government anticipates award of two (2) to three (3) contracts/agreements to develop the capability to dynamically quarantine worms that attack military enterprise networks. Total technology development funding is anticipated to be approximately $5.5M in Program Year (PY) 1, $9.0M in PY2, and $12.5M in PY3. The base and option periods for this project are expected to continue through FY 2006. The Government reserves the right to change all of these values as it deems necessary.

This effort will be divided into two phases of 18 months each. Testing will be conducted at regular intervals inside each 18-month period.

The goal of Phase I will be to develop the architecture, protocols, detection and response algorithms, and prototype implementations to dynamically quarantine worms of varied types to 10 percent of the vulnerable population of machines. At the end of 18 months, detection mechanisms must have a false alarm rate of less than or equal to 10 per day while containing all worms released on a controlled test bed to 10 percent of the vulnerable population of machines. In addition, the time to recovery for mission-critical applications and data running on a test-bed network infected with a worm will be less than or equal to 60 minutes after infection.

The goal of Phase II will be to implement the architectures, protocols, and algorithms developed in Phase I in network and host devices such as logic-enhanced routers for line-speed network performance, logic-enhanced network interface cards for fine-grained host-based responses, and potentially other host-based approaches such as software instrumentation of operating systems or applications. In addition, Phase II work will include further development and refinement of Phase I algorithms to meet Phase II goals as well as to respond to increasingly stealthy and dangerous worm types.
The quantitative goals for Phase II are to develop devices capable of detecting and containing worm infections to 1 percent of vulnerable machines, with a false alarm rate of less than or equal to 1 per day, while reducing the time to recovery for mission-critical applications running on a test-bed network infected with a worm to less than or equal to 6 minutes after infection.

Offerors should propose a Phase I base effort supporting the technical feasibility of their concept or idea and its implementation, and follow-on Phase II pre-priced options that further lead toward successful completion of program go/no-go milestones. It is envisioned that the base effort proposed will not exceed 18 months, and the successive phase or option proposed will not exceed 18 months. Offerors should not propose total efforts exceeding 36 months. Any proposal doing so may be disregarded. Offerors can address both Phase I and Phase II, or Phase I only. Offerors should propose an initial 18-month Phase I baseline effort, with a follow-on Phase II effort with pre-priced options. It is possible that a separate solicitation will be issued at a later date, focusing solely on the Phase II effort. Proposals that focus only on Phase II will not be considered for this solicitation.

Any offeror may submit a proposal in accordance with the requirements and procedures identified in this BAA. These requirements and procedures include the form and format for proposals. Offerors for the technology development of dynamic quarantine defenses may be foreign firms or may team with foreign firms as long as the firm meets the criteria in this solicitation and the Government is permitted to conduct business with the firm. Offerors for the technology development of dynamic quarantine defenses may also include foreign personnel as part of their proposed resources as long as these personnel qualify technically and possess the proper security clearances ultimately required.
Program Go/No-Go Milestone Schedule

The following program milestones have been established by DARPA management as the means for determining whether sufficient progress is being made to warrant continued funding of the program.

Phase I Program Go/No-Go Milestones (Passing Criteria)
Containment: Worms released on testbed must be contained to 10% of vulnerable machines by dynamic quarantine defenses.
False positive rate: False positive rate of detector components is not to exceed 10 false alarms/day.
Time to recovery: The time to recovery for infected systems shall not exceed 60 minutes.

Phase II Program Go/No-Go Milestones (End of Program Metric Goals)
Containment: Worms released on testbed must be contained to 1% of vulnerable machines by dynamic quarantine defenses.
False positive rate: False positive rate of detector components is not to exceed 1 false alarm/day.
Time to recovery: The time to recovery for infected systems shall not exceed 6 minutes.

These milestones were chosen in order to achieve the overall program goals within the desired timeframe for program completion. Proposers should describe how their approach will enable successful attainment of part or all of the program milestones.

TEST AND EVALUATION

Test and evaluation of approaches and technologies developed in this program will be performed by an independent third party in a government laboratory facility in Arlington, VA with government furnished equipment. The establishment of reliable, defensible, and widely accepted benchmarks for evaluating worm defense technologies is, by itself, a challenging problem. Furthermore, the scope of possible worm attacks is very broad: different spreading mechanisms, topologies, target population demographics, ease of firewall penetration, polymorphism to thwart signature specifications, and combinations of multiple modes and/or hybrid mechanisms. Consequently, validation of dynamic quarantine defenses must adequately address this multi-faceted threat.
Accordingly, DARPA seeks independently proposed approaches for the test and evaluation of dynamic quarantine approaches against the set of defined go/no-go milestones. Proposed approaches should address the measures to be evaluated, the assessment method, the design of experiment approach, and the use of any mission-critical applications to be deployed in the networked environment and related simulated or actual workload. Any requirements that will be placed on performers for interfaces, instrumentation, protocols or formats should be included. Proposed approaches should address non-interference, portability, repeatability, cost-effectiveness, and security issues with test and evaluation. In addition, approaches for scaling machines, such as deployment of multiple virtual machines per physical machine, and approaches for clean-up and system reset after experiment runs are encouraged. Approaches that include various life-cycle validation techniques with frequent periodic validation exercises are encouraged, though only experimental validation is required for go/no-go milestone evaluation.

Offerors should propose approaches for the test and evaluation of dynamic quarantine defenses against representative next generation computer-based worms within a closed-network environment without requiring the development of such worms. DARPA neither encourages nor intends to fund the development of computer-based worms. Approaches that develop high-fidelity worm simulation environments, emulation via widely deployed software daemons, or other worm emulation techniques should be explored. In addition to describing approaches for representing testing of next-generation worm types and behaviors, offerors must include rationale and measures for why and to what extent the proposed worm simulation/emulation will model worms with high fidelity and how these will be used to measure dynamic quarantine defenses.
Finally, offerors for test and evaluation must describe how their own and other performers' intellectual property, software, hardware, and data which they will execute and evaluate will be properly secured via technical and legal means. Offerors should support the test and evaluation of dynamic quarantine technology within DARPA's Technology Integration Center, Arlington, VA. Offerors should propose a base 18-month effort with a follow-on pre-priced optional 18-month effort in concert with the Dynamic Quarantine program schedule. The proposed schedule should permit test and evaluation of technology developers' approaches well within the 18-month time window for go/no-go milestone evaluation. Offerors should not propose total efforts exceeding 36 months. Any proposal doing so may be disregarded. Proposals for test and evaluation should be clearly labeled as such, so as not to be construed as a technology development proposal for dynamic quarantine technologies.

SCOPE AND FUNDING (Test and Evaluation): Subject to the terms and conditions of the DoD Appropriations Act, the Government anticipates award of a single contract/agreement to develop the capability to design experiments and evaluate dynamic quarantine defenses against malicious worm attacks on military enterprise networks. Total test and evaluation funding is anticipated to be approximately $0.9M in Program Year (PY) 1, $1.0M in PY2, and $1.5M in PY3. The base and option periods for this project are expected to continue through FY 2006. The Government reserves the right to change all of these values as it deems necessary.

The test and evaluation effort will follow the program schedule of two 18-month phases. Testing will be conducted at regular intervals inside each of the 18-month periods. The goal of the test and evaluation effort is to evaluate the dynamic quarantine approaches against the program-defined go/no-go milestones. Offerors can address both Phase I and Phase II, or Phase I only.
It is possible that, depending on what proposals are submitted, a separate solicitation will be issued at a later date, focusing solely on the Phase II test and evaluation effort. Proposals that focus only on Phase II will not be considered for this solicitation. Offerors' personnel for the test and evaluation must be US citizens. Offerors in the test and evaluation organization will not be permitted to be a technology developer within the dynamic quarantine program.
 
Record
SN00274180-W 20030309/030307213848 (fbodaily.com)
 
Source
FedBizOpps.gov Link to This Notice
(may not be valid after Archive Date)
