DARPA SMOKE project seeks to model computer hackers' behavior to help improve cyber security defenses

ARLINGTON, Va. – U.S. military researchers are asking the computer industry to develop ways to detect, manage, and defeat typical cyber hacker behavior and to make that knowledge part of the computer design process.

Officials of the U.S. Defense Advanced Research Projects Agency (DARPA) in Arlington, Va., issued a broad agency announcement on Tuesday (HR001122S0006) for the Signature Management Using Operational Knowledge and Environments (SMOKE) project.

SMOKE also seeks to measure the risk of cyber threats in real time, and to find new ways for red team ethical hackers to remain evasive as they help train cyber security experts to root out malicious cyber behavior.

Military computer networks are under persistent threat from malicious cyber hackers, so network security experts must be able to assess their cyber vulnerabilities and defenses by using red team ethical hackers and blue team cyber defenders.


Red team exercises are designed to exceed simple penetration testing, and emulate cyber attacker behaviors as realistically as possible, to form a picture of network defense readiness.

Towards the aim of realism, red teams use tactics that mimic advanced cyber threats to evade network defenders and assess how critical networks fare against a determined cyber attack.

A core aspect of red team security assessments is the procedure for building domain names, IP addresses, virtual servers, and other components that control red team tools. This infrastructure must exist openly on the public Internet, and it emits signals that, if detected too easily, can end the assessment quickly with little gain but considerable expense.

Signatures are the patterns in the way an organization performs cyber operations. Attribution is the ability to link a cyber attack to a likely hacker. Red team members don't want the blue team to attribute attacks to likely perpetrators too quickly, because that can weaken a cyber security assessment.


The ability to emulate sophisticated threats, evade detection, and reduce signatures requires a significant amount of time and expertise. Today, furthermore, the demand for network security assessments is greater than the supply.

SMOKE seeks to develop tools that automate the deployment of emulated cyber threats, enabling red teams to increase the effectiveness of cyber security assessments. These tools also could give red teams longer cyber security assessments because of their ability to remain hidden.

DARPA researchers want industry to develop tools that enable automated and scalable emulated cyber threats. SMOKE will prototype components that enable red teams to plan, build, and deploy cyber infrastructure that is informed by machine-readable signatures of sophisticated cyber threats.

To ensure realism, DARPA experts will evaluate SMOKE components on real-world networks controlled by SMOKE performers and government partners — first on emulated environments, and perhaps later on live networks.


The SMOKE program seeks breakthrough approaches in abstracting away the complexities of diverse network environments; operating in partially denied environments, reasoning under uncertainty, and reacting to unforeseen detection or attribution events; measuring tradeoffs between the efficiency and effectiveness of plans in terms of speed and evasion; overcoming the state-space explosion of typical models for cyber infrastructure planning; developing mechanisms to acquire, manage, and maintain infrastructure elements that conform to signature management policies; executing infrastructure changes in accordance with real-time attribution assessments and plan contingencies; discovering latent associations between infrastructure artifacts; automating the expert judgments used to build and traverse infrastructure associations; and expanding knowledge of adversary infrastructure.

SMOKE is a three-year effort divided into two 18-month phases: developing, demonstrating, and evaluating individual components; and comparative evaluations formed by integrating program components.

SMOKE has two technical areas: automated planning and execution of attribution-aware cyber infrastructure; and generating infrastructure signatures.

Companies interested should upload proposals no later than 31 Jan. 2022 to the DARPA BAA website at https://baa.darpa.mil. Email questions or concerns to the DARPA SMOKE BAA coordinator and technical point of contact at SMOKE@darpa.mil. More information is online at https://sam.gov/opp/6ab1fdaedfd6411ba966025cd74e467c/view.
