As software grows more complex, software vulnerabilities are also increasing. According to two US-based organizations that track vulnerability disclosure, the number of software vulnerabilities has grown gradually year over year, reaching its highest peak in 2017. Computers are not patched reliably, configured properly, or used safely, allowing widespread exploitation.
Malicious actors are currently able to compromise and use with impunity large numbers of devices owned and operated by third parties. Such collections of compromised and conscripted devices, commonly referred to as botnets, are used for criminal, espionage, and computer network attack purposes (often a combination of all three). Recent examples of botnets and similar malicious code include Mirai, Hidden Cobra, WannaCry, and Petya/NotPetya. To build botnets, hackers infect internet-connected devices with malware that allows them to execute orders from a remote server. Because the virus sits dormant most of the time, the owners of infected devices rarely know their computer, smartphone or toaster has been compromised.
The potential scale of their effects makes such malware a national security threat. The May 11, 2017, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure specifically identifies botnets as a high-priority national security issue. Improving the security posture of Department of Defense (DoD) networks alone is insufficient to counter such threats to national security, as the majority of botnet nodes reside in neutral networks (“gray space”).
Current incident response methods are too resource- and time-consuming to address the problem at scale. Active defense methods are insufficiently precise and predictable in their behavior, posing a risk that they may cause processing issues or other side effects. What is needed is the ability to identify and neutralize botnets and other large-scale malware from compromised devices and networks in a scalable, timely, safe, and reliable manner, in accordance with appropriate privacy and other legal authorities. To achieve the necessary scale and timeliness, such a capability must be effective even if the owners of botnet conscripted networks are unaware of the infection and are not actively participating in the neutralization process.
DARPA launched the HACCS program in 2017 to develop safe, reliable, and effective capabilities for conducting Internet-scale counter-cyber operations to deny adversaries’ use of neutral (gray) systems and networks (e.g., botnets). The Defense Advanced Research Projects Agency (DARPA), along with the Pentagon’s Joint Artificial Intelligence Center (JAIC), is seeking to expand the intersection of artificial intelligence (AI) with cybersecurity and cyber warfare operations, the agency’s Acting Director Peter Highnam said.
Development of AI tools and applications for use in the cyber realm is one of several focus areas Highnam and other senior DARPA leaders plan to delve further into, as part of the agency’s long-term strategy. “When we look into the confluence of AI into cyber, that is a hugely rich space” for the development of advanced technologies, he said. “The speed in which you have to operate has demanded that AI technologies be inserted into that mission space”, he said in July 2020.
Harnessing Autonomy for Countering Cyberadversary Systems (HACCS)
The HACCS program will investigate the feasibility of creating safe and reliable autonomous software agents that can effectively counter malicious botnet implants and similar large-scale malware. The program will do so by developing a quantitative framework and established parameters for their safe, reliable, and effective use.
HACCS performers will develop the techniques and algorithms necessary to measure the accuracy of identifying botnet-infected networks, the accuracy of identifying the type of devices residing in a network, and the stability of potential access vectors. The program will take an experimental approach to verify the implementation of such autonomous agents and the rules under which they operate, and to measure the effectiveness of denying, degrading, and disrupting botnets and individual botnet implants without affecting the systems and networks on which they reside.
The program is investing in three main technologies: systems that uncover and fingerprint botnets across the internet, tools that upload software to infected devices through known security gaps, and software that disables botnet malware once it’s uploaded. Packet Forensics’ technology falls under that first category, the DARPA spokesperson said. Eventually DARPA plans to integrate each of those technologies into a single system that can spot, raid and neutralize botnet-infected devices without any human involvement. Because the tool would only target botnet malware, people could continue using the devices just as they had before, the agency said in the program announcement.
HACCS is divided into three 16-month phases. By the end of Phase III, the goals include characterizing 80 percent of the IP address space with 95 percent accuracy, finding 1,000 n-day botnet vulnerabilities to exploit, demonstrating effectiveness in 10,000 computer-simulated topologies, and finally participating in a Department of Defense exercise.
The HACCS program seeks to:
- Accurately identify and fingerprint botnet-conscripted networks to determine the presence of botnet implants, the number and types of devices present on said networks, and the software services running on these devices with sufficient precision to infer the presence of known vulnerabilities (also referred to as “n-day” vulnerabilities). Botnets often contain evasive and/or covert command and control channels. Proposers should discuss how their solutions would identify and consistently uncover such command and control channels. The primary challenges for TA1 are the accuracy, scale, and speed of botnet identification and device characterization.
- Generate non-disruptive software exploits for a large number of known vulnerabilities that can be used to establish initial presence in each botnet-conscripted network without affecting legitimate system functionality. The primary challenges for TA2 will be scaling vulnerability discovery and exploit generation to complex software running on real operating systems, extending software reasoning systems and technologies to support analysis of classes of vulnerabilities beyond memory corruption, and accurately characterizing the stability and potential side effects of the generated exploits.
- Create high-assurance software agents that safely, reliably, and autonomously navigate within botnet-conscripted networks, identify botnet implants, and neutralize them or otherwise curtail their ability to operate, while minimizing side effects to these neutral systems and infrastructure. The primary challenges for TA3 will be enabling safe and effective autonomy of the agents, and providing correct-by-construction or equivalent assurances to agent generation and operation, with particular attention paid to avoiding or minimizing-and-quantifying disruption of the systems and networks infected by malicious botnet implants.
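The TA1 goal above (infer the devices and software services on a network and, from their versions, the presence of known n-day vulnerabilities) and the program's phase metrics (share of address space characterized, accuracy of infection verdicts) can be made concrete with a small defender-side fingerprinting pass. The code below is an added example, not DARPA's or any HACCS performer's code. It assumes scan results arrive as plain service banners of the form `Product/version` (constructed here and embedded inline rather than collected from a network), and it uses a constructed placeholder table `KNOWN_VULNERABLE` in place of a real vulnerability database; the `VULN-PLACEHOLDER-*` identifiers are not real n-day identifiers. The addresses are from the 192.0.2.0/24 documentation range. It also goes slightly beyond the text by reporting precision and recall next to accuracy, since an accuracy figure alone says little when most hosts in a scanned range are clean.

```python
"""Defender-side device/service fingerprinting with the accuracy metrics
a HACCS-style evaluation would score. Added example; all data constructed."""
import re
from dataclasses import dataclass, field

# Banner shape assumed for this example: "Product/1.2.3 ..." (assumption).
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z][A-Za-z0-9_-]*)/(?P<version>\d+(?:\.\d+)*)")

# Constructed placeholder table: (product, version) -> known-vulnerable id.
# A real deployment would consult a vulnerability database here.
KNOWN_VULNERABLE = {
    ("lighttpd", "1.4.35"): "VULN-PLACEHOLDER-1",
    ("dropbear", "2016.74"): "VULN-PLACEHOLDER-2",
}

# Constructed scan rows: (ip, port, banner). One banner deliberately does not
# match the assumed shape, so that host stays uncharacterized.
SAMPLE_SCAN = [
    ("192.0.2.10", 80, "lighttpd/1.4.35"),
    ("192.0.2.10", 22, "dropbear/2016.74"),
    ("192.0.2.11", 80, "nginx/1.18.0"),
    ("192.0.2.12", 22, "SSH-2.0-OpenSSH_8.4"),
    ("192.0.2.13", 8080, "lighttpd/1.4.35"),
    ("192.0.2.14", 443, "nginx/1.18.0"),
]

# Constructed ground truth: which hosts actually carry a botnet implant.
# 192.0.2.13 runs a vulnerable version but is not infected: a false positive
# for any verdict based on version alone.
GROUND_TRUTH = {
    "192.0.2.10": True,
    "192.0.2.11": False,
    "192.0.2.12": False,
    "192.0.2.13": False,
    "192.0.2.14": False,
}


@dataclass
class Device:
    ip: str
    services: dict = field(default_factory=dict)       # port -> (product, version)
    suspected_vulns: list = field(default_factory=list)


def parse_banner(banner):
    """Return (product, version) from a 'Product/x.y' banner, or None if unparsable."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return m.group("product").lower(), m.group("version")


def fingerprint(scan_rows):
    """Group banner rows by IP and flag (product, version) pairs in KNOWN_VULNERABLE."""
    devices = {}
    for ip, port, banner in scan_rows:
        dev = devices.setdefault(ip, Device(ip))
        parsed = parse_banner(banner)
        if parsed is None:
            continue                      # unknown banner shape: host stays uncharacterized
        dev.services[port] = parsed
        vuln = KNOWN_VULNERABLE.get(parsed)
        if vuln:
            dev.suspected_vulns.append(vuln)
    return devices


def coverage(devices):
    """Share of scanned hosts with at least one characterized service."""
    if not devices:
        return 0.0
    return sum(1 for d in devices.values() if d.services) / len(devices)


def verdicts(devices):
    """Predicted 'infected?' per IP; here, any suspected n-day on the host."""
    return {ip: bool(d.suspected_vulns) for ip, d in devices.items()}


def metrics(predicted, truth):
    """Accuracy, precision and recall of the verdicts against ground truth."""
    tp = sum(1 for ip, lbl in truth.items() if lbl and predicted.get(ip, False))
    fp = sum(1 for ip, lbl in truth.items() if not lbl and predicted.get(ip, False))
    fn = sum(1 for ip, lbl in truth.items() if lbl and not predicted.get(ip, False))
    tn = len(truth) - tp - fp - fn
    return {
        "accuracy": (tp + tn) / len(truth),
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
    }


if __name__ == "__main__":
    devs = fingerprint(SAMPLE_SCAN)
    for ip, d in sorted(devs.items()):
        print(ip, d.services, d.suspected_vulns)
    print("coverage:", coverage(devs))
    print("metrics:", metrics(verdicts(devs), GROUND_TRUTH))
```

On the constructed data, four of five hosts are characterized (coverage 0.8), and the version-only verdict reaches 0.8 accuracy with recall 1.0 but precision 0.5, because the one vulnerable-but-clean host is counted as infected. That gap is the reason the TA1 text asks for command and control channel identification on top of device fingerprinting: a vulnerable version is evidence of exposure, not of an implant.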
DARPA Awards for Research
Packet Forensics originally won a $1.2 million HACCS contract on 4 Sept. 2018, then won a $10 million modification to this contract later that month, and then another $10 million modification in September 2019. Packet Forensics is developing the techniques and software necessary to measure the accuracy of identifying botnet-infected networks, the accuracy of identifying the type of devices residing in a trusted-computing network, and the stability of potential access vectors. Kudu Dynamics LLC in Chantilly, Va.; Sotera Defense Solutions Inc. in Herndon, Va.; and Aarno Labs LLC in Cambridge, Mass., have also been involved in the HACCS project.
Packet Forensics will measure the effectiveness of denying, degrading, and disrupting botnets and individual botnet implants without affecting the systems and networks where they reside. Packet Forensics will identify and fingerprint not only botnet-conscripted networks to determine the presence of botnet implants, but also the number and types of devices present on said networks, and the software services running on these devices. The company will generate non-disruptive software exploits for many known vulnerabilities that could establish initial presence in each botnet-conscripted network without affecting legitimate system functionality. In addition, Packet Forensics will create software agents that autonomously navigate within botnet-conscripted networks, identify botnet implants, and neutralize them or otherwise curtail their ability to operate, while minimizing network side effects. On this order Packet Forensics will do the work in Virginia Beach, Va., and should be finished by August 2020.
During phase one of the three-part project, Packet Forensics will build a technology capable of scanning some five percent of global IP addresses and detecting botnets with 80 percent accuracy. By the end of the program, DARPA anticipates that the system will analyze 80 percent of the global internet and correctly spot botnets 95 percent of the time.
The Defense Advanced Research Projects Agency (DARPA) selected Systems Technology & Research, Woburn, Massachusetts, for a research project under the Harnessing Autonomy for Countering Cyberadversary Systems (HACCS) program. The HACCS program aims to develop technologies for accurately identifying malicious cyber-adversary infiltrated networks, generating reliable software exploits for large numbers of known (n-day) vulnerabilities, and creating effective autonomous software agents that can be inserted in the compromised networks via the n-day exploits to safely and reliably neutralize cyber-adversary software agents.
The company will provide its efforts under an $8,701,466 cost-plus-fixed-fee contract, and the work will be performed in Woburn; Portland, Oregon; and Columbus, Ohio, with an expected completion date of April 2022. Fiscal year 2017 research, development, test and evaluation (RDT&E) funding in the amount of $125,000 and FY 2018 RDT&E funding in the amount of $500,000 are being obligated at the time of award.
DARPA also awarded a $7,474,245 cost-reimbursement type contract to Arizona State University, Tempe, Arizona, for the HACCS program. Work will be performed in Tempe, Arizona; Santa Barbara, California; Melbourne, Florida; and Scottsdale, Arizona, with an expected completion date of April 2022. Fiscal year 2017 RDT&E funding in the amount of $93,000 and fiscal year 2018 RDT&E funding in the amount of $400,000 are being obligated at the time of award. On April 10, the agency also selected Kudu Dynamics, Chantilly, Virginia, to support the HACCS program, with a $7,913,091 contract award.