The development of online criminality is a two-edged sword. On the one hand, crimes conducted online are generally harder to attribute than in the offline world, as they may involve geographically distributed actors relying on relatively complex infrastructure. On the other hand, most online activity can be recorded, used to infer criminal business models or associations, and ultimately help design better security defenses. Carnegie Mellon University has pioneered the collection of online data for assessing the extent and magnitude of online criminal activities. In particular, the Security Analytics research group, led by Prof. Nicolas Christin in Carnegie Mellon's CyLab Security and Privacy Institute, has been continuously monitoring a number of online anonymous ("darknet" or "darkweb") marketplaces since 2011. Through IMPACT, Carnegie Mellon makes data gleaned from these measurements available to the research community in an effort to better understand how online criminal activities are evolving over time.
Founded in 1999, Galois performs computer science research and development for commercial, defense, and intelligence industries. With many of the world's foremost experts in computer science and mathematics, Galois tackles the world's most difficult challenges in computer science. Galois focuses on creating trustworthiness in critical systems where failure is unacceptable, in technical areas such as cryptography, software correctness, cyber-physical systems, and computer security. Technology companies turn to Galois to build reliability, safety and security into their product development from day one. Committed to an entrepreneurial spirit, Galois has launched multiple spin-off companies, including Tozny (www.tozny.com), Free & Fair (www.freeandfair.us), and Formaltech (www.formal.tech). For additional information on Galois, visit www.galois.com.
Galois is developing FIDES under the DHS IMPACT Program. FIDES is a technical disclosure control system for datasets containing sensitive data. Today, such protections are enforced offline via means such as contractual agreements. FIDES automates the process, enabled by the fact that FIDES keeps the data cryptographically secure for its entire lifetime: neither end users nor malicious adversaries can access such data "in the clear" at any time. To use FIDES, data owners specify a risk profile describing allowable uses of the dataset. In turn, data consumers specify a utility profile describing how they wish to make use of the data. These specifications are automatically resolved into technical controls which enforce protections required by the owner while maximizing the utility to the consumer.
At Georgia Tech's College of Computing, researchers engage in collaborative research on various aspects of the cyber threat ecosystem. The results of these efforts have been presented at Black Hat, Virus Bulletin, Countermeasure, DCC, MTEM, CNW, and various other conferences. As active members of the information security community, faculty within the college have served on working groups whose efforts lead to the takedown of large botnets and the arrest of their operators.
Faculty within Georgia Tech's College of Computing are working to leverage their extensive malware analysis experience and continue contributing to the information security community through participation in the Information Marketplace for Policy and Analysis of Cyber-risk and Trust (IMPACT). As a follow-up to their success as a previous and current performer under IMPACT, and in response to an award under the IMPACT R&D (HSHQDC-17-R-00030) BAA, faculty will now offer, under TTA #1, both network- and host-level malware datasets for research and/or operational use, to individuals and organizations for whom this data would otherwise be inaccessible.
InferLink's mission is to develop enterprise software and services for aggregating and organizing data from multiple sources, so organizations can effectively collect data and "connect the dots". Our technical focus is on advanced AI and machine learning technology, where our scientists have helped lead the way in developing new techniques and applying them to create practical solutions for real-world problems. InferLink's team has a successful history of bringing new AI technologies to market by launching vertically-focused spinoff companies.
In this project, we are extending InferLink's ActiveSearch technology to support search through collections of resources, such as data sets, software tools and analytics. ActiveSearch is a novel semantic search framework that combines natural language processing (NLP) techniques and a massive ontology so that users can search through information resources in an intuitive fashion.
The "data catalog search" problem addressed in this project differs from document-centric search in several respects. For instance, there may be relatively little meta information associated with a resource. In addition, the search system must support both researchers who are familiar with the catalog, as well as less sophisticated users who are unfamiliar with the resources. Our approach involves extending the semantic search paradigm to automatically identify terms that characterize a data resource, so that a user's query terms can include relevant terms that are not mentioned in the resource's metadata. In addition, we are investigating methods for delivering the technology to significantly improve the search experience for users of the IMPACT portal, as well as similar portals.
University of Southern California, Information Sciences Institute (ISI) Subcontractor: Colorado State University
John Heidemann, USC and Christos Papadopoulos, CSU
Information Sciences Institute has been a pioneer in Internet protocol research for the last 30 years. ISI is part of the University of Southern California. Our work occurs as part of the ANT project, where our goal is to improve the Internet by discovering new ways to understand network topology, traffic, use and abuse. Colorado State University in Ft. Collins, Colorado, hosts the Netsec group, which has been working on network measurement and security research, as well as global BGP monitoring, for the past 10 years.
The LACANIC project's goal is to develop datasets and measurement techniques that improve Internet security and reliability. We distribute these datasets through IMPACT.
As part of this work we:
PROVIDE REGULAR DATA COLLECTION to gather long-term, longitudinal data
CURATE DATASETS for special events
MAKE DATA ACCESSIBLE through websites and portals
DEVELOP NEW MEASUREMENT APPROACHES
We provide several types of datasets: anonymized packet headers and network flow data, Internet censuses and surveys for IPv4, Internet hitlists to drive topology studies, Internet outage observations, and DNS and IoT application data.
JAS Global Advisors was founded in 2003 as JAS Communications. We are a unique professional services partnership firm composed of successful tech entrepreneurs and former senior executives of large multinational corporations. Our team works largely within critical infrastructure sectors, and we focus on unique, high-value projects that leverage our diverse and seasoned partners and their ability to tightly integrate business and technology expertise.
JAS, in cooperation with ICANN and other partners, has created the ORDINAL Program which will systematically and responsibly capture data, make that data available to researchers, and promote awareness and education to improve future protocol design and operational practices.
The ORDINAL Program has completed or will undertake the following:
Obtained technical control of corp.com via written agreement with the private owner;
Maintained technical control of approximately 50 other dangerous colliding namespaces currently owned by JAS obtained for research purposes (see page 34 of the final JAS report);
Obtain and maintain technical control of additional potentially dangerous and/or interesting DNS namespaces as possible and appropriate;
Maintain the security of these registrations for a period of one year, ensuring that they are not sold, transferred, or otherwise come under the control of unknown, possibly malicious, actors;
Create a robust technical hosting, data collection, and storage infrastructure to capture and collect data for researchers regarding these domain registrations;
Collect and store DNS protocol layer data, select application layer data, and raw network PCAPs, and make them available to qualified, vetted researchers as a part of the DHS IMPACT program;
Engage in awareness campaigns to educate technical architects, protocol designers, and system administrators about the phenomena of DNS namespace collisions.
The Medical Device Interoperability and Cybersecurity Program (MD PnP) is based at the Massachusetts General Hospital, a teaching affiliate of Harvard Medical School, and the Partners HealthCare System. Since 2004, our program has been leading the development of the concepts, capabilities, standards and technologies for creating safe, secure, integrated clinical environments. MD PnP has been working for the past decade with multi-federal-agency and industry support to accelerate medical device interoperability and cybersecurity to enable the creation of complete and accurate electronic health records and the cost-effective development of innovative third party medical "apps" for diagnosis, treatment, research, safety, quality improvements, equipment management, adverse event detection and reporting for networked medical devices in clinical care. The MD PnP vendor-neutral lab/testbed provides a protected pre-clinical environment for prototyping, evaluation, and pre-deployment testing of new technologies and custom configurations to support safe and secure patient care. The lab has an extensive medical device inventory and the network provides core switching technology and wiring topology to enable highly flexible and configurable networking environments. In conjunction with scalable virtualization and storage technologies, this technology ecosystem permits simulating diverse hospital environments. The lab can support wide ranging evaluation and testing including medical device cybersecurity, interoperability, clinical simulation and electronic health records testing.
Healthcare Data Generation and Curation for Cybersecurity Analysis
Electronic medical devices are an essential part of US Healthcare and Public Health (HPH) infrastructure. The lack of medical device data cyber-curation is impeding the development of critical capabilities needed for the cyber protection of hospital clinical environments. But medical device cybersecurity is behind other industries in enabling mitigations, in part due to the complexity of devices and healthcare environments. Medical device network data is not readily available for research due to the complexities of clinical use environments, the regulatory environment for device procurement, and ensuring patient safety. Medical devices are deployed in clinical operational environments, thus cybersecurity researcher access to the devices and data is restricted. Little is understood about how industry-standard network security appliances will interact with medical networks, or the effectiveness of these appliances for HPH. We will address these gaps by generating diverse medical device data sets in a simulated hospital environment and establishing a medical device data repository for use by IMPACT researchers to develop monitoring rulesets and tools based on changes in network behavior under normal clinical operations and abnormal circumstances. This research project will significantly accelerate the deployment of essential capabilities across federal, commercial and defense healthcare programs to protect the US HPH infrastructure and will enable the healthcare provider sector to improve patient protection and improve patient data assurance.
Parsons is a technology-driven engineering services firm with more than 70 years of experience in the engineering, construction, technical, and professional services industries. The corporation is a leader in many diversified markets with a focus on infrastructure, defense, security, and construction. Parsons delivers design/design-build, program/construction management, systems design/engineering, cyber/converged security, and other professional services packaged in innovative alternative delivery methods to federal, regional, and local government agencies, as well as to private industrial customers worldwide.
The Parsons Internet Risk Assessment and Mitigation (I-RAM) project seeks to provide risk analysis, risk management, and decision-making support needed by enterprise owners and operators across the federal government, critical infrastructure, and private sectors, to support an integrated, holistic understanding of the risk inherited through dependence on the Internet infrastructure for critical Internet services. The project will provide data and a data analytics capability to support strategic mission needs of the HSE in order to prevent, protect, mitigate, and recover from cyber disruptions and harm.
Cybersecurity research and practice are becoming increasingly data-driven. Cybercrime indicators and other data can be used to better quantify risks. Data also helps inform proactive defenses by enabling others to learn from what has been targeted previously. For several years, researchers have been using cybersecurity datasets as input to their own work as well as producing datasets as outputs of their research. Unfortunately, such data is not always shared with the broader research community, which makes replicating results difficult and developing new innovations using existing data infeasible.
The goal of this research project is to empirically study data usage and production by researchers in order to construct a better picture of the prospects for cybersecurity data sharing. The project examines the published research literature to identify what data is being produced in order to understand the data that can be shared, how we are falling short, and ultimately recommend how sharing can be improved. Additionally, the project analyzes usage data collected for IMPACT, in order to understand how existing datasets are being leveraged by others when shared. Finally, the project seeks to empirically estimate the costs associated with data sharing.
University of California - San Diego, Center for Applied Internet Data Analysis (CAIDA)
KC Claffy, Alberto Dainotti
The Center for Applied Internet Data Analysis (CAIDA), based at the San Diego Supercomputer Center at the University of California, San Diego (UCSD), is a world leader in Internet measurement and data analysis, with decades of experience in the development, implementation, evaluation, and use of measurement platforms as well as in data collection, curation, and responsible sharing. To technical, operational, and policy communities, CAIDA is among the most trusted sources of objective data and carefully validated measurement tools and analyses. CAIDA researchers have published several landmark studies of Internet topology, performance, workload, and security issues and operational aspects.
CAIDA has been involved with the development of the IMPACT program since its inception, and the program supports our data analysis, sharing, and research activities. We believe that identifying and mitigating Internet security threats requires current network data and that development of security technologies critically depends on strategic, coordinated data collection and distribution efforts. To fulfill these needs, CAIDA participates in the IMPACT program as a Data Provider and as a Decision Analytics-as-a-Service Provider. In the former role, we collect, curate, and archive state-of-the-art longitudinal and current Internet data, and share these data with vetted security researchers. In the latter role, we aim to develop and support new analytic capabilities that integrate, correlate, and cross-validate multiple sources of measurement and meta-data, enabling informed reaction to attacks and other disruptive events. We also support community-building efforts that are responsive to public and private sector needs in cybersecurity research and engage in policy debates about how to improve the return on federal investment in cybersecurity R&D.
The University of Wisconsin-Madison plans to create the world's largest repository of maps of physical Internet infrastructure, which includes nodes (e.g., hosting facilities and data centers), conduits/links that connect these nodes, and relevant metadata (e.g., source provenance). The motivation for this work is to create a unified view of infrastructure that would enable consideration of issues of security, robustness and performance, among others. The project, called Internet Atlas, includes development of a web portal for the map data that enables visualization and analysis. The process for assembling the physical infrastructure data is based on using search to find maps that are published by service providers and then geocoding those maps to create a consistent representation in the repository.
Blackfire Technology, Inc. (Blackfire) serves as the IMPACT Coordinating Center (ICC), managing the data submission and request processes, providing legal and administrative infrastructure, and developing protocols for the trusted exchange of sensitive data. Blackfire staff provide support and facilitate communication and collaboration among the data providers, data hosts, international partners and researchers who request access to the data.