Military Spends $4.4M To Supersize Net Monitoring

coondoggie writes "Bigger, better, faster, more are the driving themes behind the advanced network monitoring technology BBN Technologies is building for the military. The high-tech firm got a $4.4 million contract today from the Defense Advanced Research Projects Agency (DARPA) to develop novel, scalable attack detection algorithms; a flexible and expandable architecture for implementing and deploying the algorithms; and an execution environment for traffic inspection and algorithm execution. The network monitoring system is being developed under DARPA's Scalable Network Monitoring program which seeks to bolt down network security in the face of cyber attacks that have grown more subtle and sophisticated."

Military Spends $4.4M To Supersize Net Monitoring

[Shadow+Wrought]

That sounds like a lot, but it did come with fries.

Interesting

[iXiXi]

$4.4 million for a system to detect what one person getting paid nothing will circumvent within days/hours/minutes of implementation.

Re:Interesting

[RandoX]

All that money, down the tubes.

Re:Interesting

[Xacid]

That's just a bit shortsighted don't you think? That's like saying the money poured into all the anti-malware software was a waste despite continually keeping many computers safer than without.

Re:Interesting

[iXiXi]

No, not shortsighted, just realistic. The fact remains that enormous amounts of money is spent to thwart these attackers and most of them don't get paid $4.4 million to hack.

Re:Interesting

I hope they don't get clogged!

Re:Interesting

[RingDev]

I didn't read the article, but it doesn't sound like they are getting paid to develop was of thwarting, only detecting, based on monitoring network traffic.

Even if the attacker changes their vector and packages, the goal would appear to be to pick up on the trends of network traffic in assaults to better identify weak points, communications bottle necks, sources, etc...

-Rick

Re:Interesting

[Darkness404]

Ummm... Honestly it is a waste. 98% of malware is written for one platform. Windows. Which, as everyone who knows anything about technology knows, Windows is one big security hole. The money spent on blocking individual viruses could be better used in stopping flaws that allow viruses access.

Re:Interesting

[bob_herrick]

You raise a good point. This program is just one of many, some public, mostly private, that act as a sort of immune system for the internet. The various malware evolves and gets to exploit each and every weakness that gets found. Having another potentially 'evolving' element of the immune system sounds like a good idea to me. Defending a single point with a single system does not strike me a sensible way to run things.

Re:Interesting

Haven't you heard? People are looking at Mac virus's now...

Re:Interesting

[morgan_greywolf]

The money spent on blocking individual viruses could be better used in stopping flaws that allow viruses access.

By 'stopping flaws' do you mean sending money to Microsoft, or just outright replacing Windows?

Because only one of those two options is likely to work well.

Re:Interesting

[Darkness404]

Yes *A* Mac virus, compare that with the *thousands* of current Windows viruses. Sure there is probably even *A* Linux virus or even *A* Plan9 virus, but most viruses are written for Windows and the fact that there are like 1 current virus for alternate OSes isn't as bad as the *thousands* of Windows ones.

Re:Interesting

[pha3r0]

No, not shortsighted, just realistic. The fact remains that enormous amounts of money is spent to thwart these attackers and most of them don't get paid $4.4 million to hack.

I had to comment here (also note i logged in to make this) while I have not much tech experience, I have a lot of life experience. And that experience has taught me that criminals will work for nearly free becasue of there own psychological problems.

I used to steal cars, not smart of course, no I did not make much money, I just did it because it was fun... Now why do we hack class?

Re:Interesting

I think you meant down the "series of tubes"

Re:Interesting

[bws111]

Should we also apply this thinking to other fields as well? Don't spend money on medical research, some new unpaid virus will come along and make us sick anyway. Don't spend money trying to cure hunger, some unpaid natural disaster will come along and kill people anyway. Don't spend money on science, any questions answered just lead to more questions anyway.

Re:Interesting

[iXiXi]

Unfortunately, you read into what I am saying here. I am not being critical of the project. I am merely stating a fact that it is a shame that there is so much money that is being spent to try to handle internet thugs.

Re:Interesting

[bws111]

Ah, sorry about that. Yes, you are correct in that regard.

Re:Interesting

[camperslo]

Although monitoring is important, it seems like it might be more cost effective to release code that spreads and patches vulnerable/infected machines. If the number of those could be cut way down, maybe DDoS attacks wouldn't be such a threat.

There's already malware that removes other malware to increase the available resources. If malware can do that, why not something friendly doing it?

While antivirus products do help people, I can see why some would question their value.
If a home or auto security product handled everything but one door, or one window, it wouldn't be worth very much.

It seems like vendors whose products are full of holes should be picking up some of the maintenance costs and liability for damages associated with the flaws.

Perhaps systems running problematic OS releases, and users with a history of prior viral traffic, should see a separate routing path through ISPs allowing ISPs to cut them off, or provide heavy filtering to some services, in the event of an outbreak.

Re:Interesting

Microsoft already has the money and it hasn't helped so far.

Re:Interesting

[moxley]

One reason for this is because windows is the dominant platform, especially for those who are not that technically literate; (and likely those who are own at least one machine running windows).

Certianly I am not saying that OSX and linux (or any unix variant) don't present more of a challenge, but if their adoption was as widespread and in as many areas as windows there would likely be much, much more malware to contend with.

All in all there is no perfect system. There will likely always be something to exploit when you are taking user convenience into the equation.

Re:Interesting

[Jackmn]

The money spent on blocking individual viruses could be better used in stopping flaws that allow viruses access.

Users are willing to run software from untrusted sources and give it administrative access when prompted. In my limited experience, this is far and away the most common cause of infections. There is nothing that can be done to prevent this (in any operating system). This can be somewhat mitigated by providing a repository for trusted software (as implemented in most Linux distributions), but there will still be many users willing to do anything to install some kitty cat cursors they saw in a banner ad.

Which, as everyone who knows anything about technology knows, Windows is one big security hole.

No, this is just crap people like to spew on Slashdot. NT (in its time), 2000 (again, in its time), and XP are all reasonably secure compared to Linux (Vista contains a great deal of new code, so exploits for it will likely pop up for some time to come). Of course, if you are really serious about security, then OpenBSD blows both Windows and most Linux distributions out of the water.

$4.4 million is almost enough ...

[cohomology]

to cater the meetings to discuss the project.

Re:$4.4 million is almost enough ...

[lazycam]

It's likely they missed a few zeros.

Re:$4.4 million is almost enough ...

[fyoder]

to cater the meetings to discuss the project.

There might be enough left over for a few print outs of the ping man page or something else networky.

Re:$4.4 million is almost enough ...

[Captain+Splendid]

$4.4 million is almost enough to cater the meetings to discuss the project.

No kidding. Factor in another $4 mil for hookers and blow, and then we can worry about actual money going to curb our civil liberties.

Re:Military Spends $4.4M To Supersize Net Monitori

[Hatta]

It doesn't actually sound like all that much to me. Frankly, I'm surprised that they're not spending 10x as much already. Of course, maybe they are...

Wow

The most practical use I can see for this is capturing pr0n for military use. (you figure out "use")

Re:Wow

[Xtravar]

They make their own pr0n at Abu Ghraib.

$.4.4 million?

[wezzul]

$.4.4 million? So is that like $440k? $400,000.40?

Re:Military Spends $4.4M To Supersize Net Monitori

[Rayeth]

Considering the requirements laid out in TFA, I am exceedingly dubious that they will come up with anything for this price tag. Also note this same company got $13 Million for a program to quickly translate documents for the military. I'm guessing that one will also go nowhere. Security and Translation are two notoriously difficult things to get right.

Re:Military Spends $4.4M To Supersize Net Monitori

[Chaymus]

So much for ordering off the dollar menu.

Re:Military Spends $4.4M To Supersize Net Monitori

It doesn't actually sound like all that much...

Whoooosh!

It doesn't actually sou...

Whoooosh!

It doe...

Whoooosh!

Whoooosh! That was a preemptive whooosh.

Re:Military Spends $4.4M To Supersize Net Monitori

[Chief_Wiggum]

In Soviet America, net surfs YOU!

Novel...

[RudeIota]

to develop novel, scalable attack detection algorithms

'novel' just doesn't carry the same meaning anymore. USPTO is a prime example.

Re:Novel...

[pimpimpim]

You are so very right. Several of the higher-ranked scientific journals don't accept articles that contain claims of novelty. I think phys rev lett is an example. Because that's just not the way science works, it is based upon an incremental increase of understanding.

As for the rest, 4.4 million is about enough to have a team of about 10 low paid scientists work for 3 years (not just the salary, at least half goes to administrative overhead anyway). Good for them, of course, but hardly a major project.

Re:Military Spends $4.4M To Supersize Net Monitori

The business model for this type of research is to not solve the problem. If you solve the problem, how are you going to get paid next year? You have to solve enough of the problem to show that you can make progress on it, but leave enough on the table for the next contract.

Nothing new...

Sounds a lot like they are trying to build SNORT. Maybe instead of developing something new they should take a look at what's already out there. While your average 'security joe' isn't going to understand how the management of snort is VERY scalable, it is pretty easy once you are capable of scripting =) Simply buy the commercial version of SNORT from SourceFire...

As for gripes and complaints on snort being single threaded and not able to handle large amounts of traffic. Garbage. I've managed clusters of snort collectors taking in over a gbit per snort process, multi-gbit per server. Break up your rulesets into smaller ones and only load once in a process that is related. Run multiple instances of snort on a single interface...blam, you've got an analysis engine that is scalable and easily controllable through scripting that you can customize rules for and its efficient. Look for whatever you want with a snort box.

This article asks for nothing specific other than 'algorithms' to detect things. They didn't say anything like network (AI) behavioral based IDS. Nothing new here, move along.

Re:Nothing new...

[nicolas.kassis]

>

This article asks for nothing specific other than 'algorithms' to detect things. They didn't say anything like network (AI) behavioral based IDS. Nothing new here, move along.

from the article "New technologies and applications provide new attack routes and have made traditional signature-based and anomaly detection-based defensive measures inadequate in both speed and sensitivity, BBN added." Anomaly detection is mentioned. They claim that signature based and other techniques they have tried didn't work quite to what they wanted. Nothing new in that. IDS have never been perfect.

yay the government will always protect me!

There comes a time when people have to either accept responsibility for themselves or they have to bow before the government they demand take care of them and remove responsibility. This is one of those times.

People demand that the government protect their computers, so the people who have them and store attractive data do not have to. People demand that the government filter their TV content so parents dont have to. People blame everyone but themselves when something bad happens, often with litigation as the consequence of trying to force blame elsewhere.

Those that do cybercrimes are not the real problem, those that leave their networks open to multi-year old attacks are the problem. The same can be said of TV, video games, music, etc - they arent the problem, people who dont want that stuff in their homes have an easy alternative - change the channel, dont buy the game/cd/etc and stop begging the government to control things more.

If the government abuses the power that the people demanded it assume, whose fault is that? Hint its not the governments, its their very nature to always expand their power and abuse what power they have, its the people that demanded the government do more, and themselves did less.

Re:yay the government will always protect me!

[khallow]

We also need to keep in mind that the US Department of Defense has its own networks some which it relies on even during battle. While I'm sure that the presence of this technology will encourage other agencies to use it intrusively on public networks, this technology isn't in itself compromising the privacy of the citizens of the US.

Money down the drain

[ZarathustraDK]

If there's one thing the government hasn't learned yet it is paying money to some company about something they don't understand is generally a bad idea.

It's all fun and games until some kid from Finland renders your new-bought toy obsolete.

Re:Military Spends $4.4M To Supersize Net Monitori

[ahabswhale]

Well DARPA invented the internet (not to mention a large number of other achievements that are significantly more sophisticated). What are your qualifications, Mr. Smartguy, for forming an opinion on what can be done?

Sounds cheap for the job

[Sun+Chi]

The article doesn't say, but it seems logical that they would want the US military network to be able to handle both an attack like the one launched earlier this year against Georgia's internet infrastructure (likely by Russia) and the almost-certainly Russian-based one during actual armed conflict this week.

DoD has a budget of about $439.3 billion and DARPA gets $3.2 billion of that (according to Wikipedia). $4.4 million doesn't sound like that much out of that kind of budget, but I'd be interested in what they actually come up with. Doubt the general public will see anything created by this project for at least 10 years, though.

Re:Sounds cheap for the job

[hesaigo999ca]

I am sure it just had to do with buying a bunch more of brand new routers, that weren't
coming with pre-installed malwares from the chinese. They would have to replace all the router intfrastructure and that is probably what is costing this money. My 2 cents

Re:Military Spends $4.4M To Supersize Net Monitori

[cavis]

Wrong, wrong, wrong... Net Monitoring is one of those disciplines that has no end. Hackers, viruses, and Trojans are ever changing. New threats, sites, and IPs appear every day. It is much like chess: your opponent makes a move, you counter it, and he makes yet another move. No one's network is without its threats, no matter the manufacturer or operating system.

What do I base my statements on? I do network security full-time for about 50,000 users.

Re:Your support will be appreciated

[BPPG]

Is this guys a bot? I've seen this exact comment in at least one other thread.

babelfish

"BBN earlier this year got $13 million in additional funding from DARPA to develop a system that quickly converts documents in foreign languages into English so that military personnel can react more rapidly to threats."

they never heard of babelfish or google translator i take it

Re:babelfish

[blueg3]

Both of these services are located on the wrong side of a hostile network and are woefully inaccurate when really understanding the content of the document is necessary.

Re:babelfish

[tehcyder]

they never heard of babelfish or google translator i take it

I wouldn't want people's lives depending on either of those two if I was in the military. They're at "send three and fourpence we're going to a dance" levels of accuracy at the moment.

Above thread is NOT off topic...

[RudeIota]

As posted by CmdrTaco:
$.4.4 million

That's not off topic. The post as it reads right now is "$.4.4 million". Sure, we can assume it is 4.4 million because it seems like an nonsensical number otherwise, but this is very unclear and should be corrected.

Encryption

[nurb432]

Ok people, is it time yet? We need to encrypt ALL traffic.

Re:Encryption

[Bryansix]

I don't need to encrypt crap. You just need to stop accepting non-encrypted traffic. Then you will be safe.

Re:Encryption

[nickruiz]

Maybe DARPA should sponsor The Pirate Bay's efforts to encrypt internet traffic instead. Different goals, but same means. Wouldn't that be ironic?

Re:Encryption

[nurb432]

There goes 90% of the internet today then.

Even 'knowledgeable' sites like /. haven't stepped up to the plate yet.

At least my side of the email traffic is, but pretty sure the other side isn't, since people still don't understand.

Re:Encryption

[nurb432]

Not sure if its even different goals. Its to protect people's privacy.

Re:Encryption

Oh yeah, because slashdot definitely requires the best encryption available today, as we share very precious information like funny comments.

Re:Encryption

[nurb432]

The content isn't the point. Doesn't matter what the content is, its not the governments business unless you are under a court blessed surveillance order.

Re:Encryption

[Bill,+Shooter+of+Bul]

My data is always encrypted. Even this message appearing to inform users that I always encrypt my data, is actually the result of a one time pad code sending a message to my minions to do the bidding proscribed for today.

Fake Cisco

[binaryseraph]

So does that mean they bought Real Cisco routers and not the nock-offs from china with the HUGE security holes?

Goals cannot be met as stated

[tucuxi]

That is lots of fundamental research we are talking about. I am no expert in network monitoring, but 4.4M to solve the following problems seems like peanuts:

Probability of detection of malicious traffic greater than 99% per attack launched

While some types of traffic are obviously not ham (say, spoofed IPs or syn scans), assigning intent to raw data flows requires nothing less than strong AI. Think of spam - anybody can fool a spam filter, no matter what filter, given enough time and motivation. You can also fool the human reading the mail, for that matter...

A false alarm rate while monitoring traffic of not more than one false alarm per day.

This makes a whitelist approach a lot harder. My guess is that any decent system will flag many, many things, and prioritize some over others. That way it is up to the network operator to dig deeper or not into each individual incident, using the program's classification as a starting point. I have no idea why email programs don't allow you to rank messages on "perceived spamminess" - it would make digging for false positives and negatives a lot easier...

Support capabilities at conventional gateway line speeds of 1Gbps in Phase I of the contract, while Phase II will demonstrate the scalability of this capability at gateway line speeds of 100Gbps.

This part, together with the "very high scalability" requirement, is the icing on the cake. It is impossible to detect complex threats in real-time, so the best bet would be to layer defenses. Very fast reflexes for certain behavior (say, DDOS), longer mulling times for patterns that are more deeply hidden (say, a covert channel somewhere).

In any case, 4.4M is peanuts to meet these goals at full strength. The most probable outcome is some fundamental research, partial successes, and another grant in a few years (possibly to a different team) to try to get further along the track.

Re:Goals cannot be met as stated

[Yvanhoe]

Probability of detection of malicious traffic greater than 99% per attack launched

While some types of traffic are obviously not ham (say, spoofed IPs or syn scans), assigning intent to raw data flows requires nothing less than strong AI.

I would like to add that the remaining 1% happens to be the preferred vector of Chinese attacks. Many Human Rights NGO received apparently totally legit emails about current events with an infected .doc or a .pdf (itself containing perfectly interesting information)

Re:Goals cannot be met as stated

In any case, 4.4M is peanuts to meet these goals at full strength. The most probable outcome is some fundamental research, partial successes, and another grant in a few years (possibly to a different team) to try to get further along the track.

As I pointed out elsewhere in the thread, that's how this sort of organization works. If you solve the whole problem, where will your next paycheck come from? Better to solve part of the problem to show you can make progress and leave the rest on the table for the next contract.

Re:Goals cannot be met as stated

$4.4M is definitely not enough given the goals. Having worked on such DARPA proposals before, this would probably fund a 6-person team for 18-months (the Phase-I part).

The clincher is the other components apart from the detection algorithms: "a flexible and expandable architecture for implementing and deploying the algorithms; and an execution environment for traffic inspection and algorithm execution." Anyone who knows this space understands that the above statements can mean pretty much anything :-)

Re:Goals cannot be met as stated

[rootooftheworld]

There was this funky "stupid filter" thing. Can it be used as a spam filter? Bots may be a lot of things, but they ain't smart. And the ones who get down to create 'non-stupid' templates might as well send spam manualy. Just my $0.02.

Not nearly enough to accomplish the task

The cost of the test hardware alone would exceed 4.4 million, if this is really to be tested on 10+ Gbps gateways. You're talking long-haul DWDM or perhaps "experimental" hardware if you want a valid test. It ain't cheap.

4.4 million? So What?

[Kostya]

Ever work on a big project? One that was over due by a significant amount? Yeah, easily $4M.

That amount is like the military paying someone to think about it and give them a paper on it. I've been on civilian-side government projects that were well beyond $4M. Sounds like someone got a "sure, toss some cash at it and see what happens" approval, but not an official "this is a priority, make it so" approval.

Now, $40M is where we start to see some serious thinking about the issue. Yeah, it's an arbitrary amount, but warfare grade network inspection and defense? $40M would be a drop in the bucket for R&D for such a system. $4M is a joke.

What about content inspection?

In minesweeper, if you find a square with an 8 in it, any square within the immediate vicinity is gauranteed to be a Bomb. The President of Chrysler, Jim Press, explains his company's shrinkage.

Re:Military Spends $4.4M To Supersize Net Monitori

[b4upoo]

That's such a tiny budget that it in effect suggests that no real work is being done at all.
        These days building a new high school can eat up more than 16 million dollars. Net security and monitoring migh call for a multi billion dollar project.

Ooh 4.4 mil !

[bondjamesbond]

I know law firms who have a bigger annual budget than that.

Skynet?

[Darkfire79]

Can we name it Skynet?

Re:Military Spends $4.4M To Supersize Net Monitori

[NotBornYesterday]

Not only that, guess who had the ARPANET contract? BBN. I dealt with them for years, and they are a very capable organization. Chances are they can deliver what they say.

Re:Military Spends $4.4M To Supersize Net Monitori

[billcopc]

Actually it sounds like far too little.

The root of the problem is that the USA has been pissing everyone else off for the better part of a century. Were it not for that key fact, the military probably wouldn't be afraid of everyone everywhere, including their own citizens.

The good news...

[religious+freak]

I think the military really understands how big a threat cyber attacks are/will be. Thank Jebus.