Labs look to go private with cyber defenses

The Department of Homeland Security's Cybersecurity Division is looking for a few good companies that can help it commercialize cyber-defense technology developed by some of the world's premier research labs.

The technologies, developed by national, federally funded labs – including Oak Ridge, Sandia, and Los Alamos -- are aimed at protecting a variety of electronic intrusion and attack points on enterprise and federal networks. DHS's Cybersecurity Division showcased the hardware and software for potential private investors in Washington D.C. on Dec. 18 under its Science and Technology Directorate's Transition to Practice (TTP) program.

TTP looks to commercialize or license the technology to private industry, or set up partnerships with industry, said Michael Pozmantier, program manager of the Cybersecurity Division in DHS's S&T Directorate.

With federal agencies, private critical infrastructure providers and commercial enterprise networks all feeling increased pressure to meet the cyber threat, joint development efforts under TTP are more vital than ever, said Andy Ozment, senior director for cybersecurity at the White House. "We can't secure information without working together. We need innovation and new approaches."

The TTP program, said Ozment, can produce technological solutions that he ultimately hopes wind up in the hands of not only private industry, but a range of federal and private infrastructure IT managers who need to protect IT resources from cyberattack. "We want to empower the CIO at agency and department levels" with new capabilities, he said.

At the Dec. 18 program in Washington, developers from the national labs gave short presentations on their technologies and blocked out time to meet with potential commercial investors, licensees and co-developers.

Their technology ranged from protection for removable media to the adaptation of biotechnology-based systems that sniff out cyberattackers' trails using techniques honed in analyzing DNA. Among the eight presentations made at the program were technologies aimed at protecting individual devices, servers and networks.

Logan Lamb, a developer at Oak Ridge, said the lab’s USB-ARM removable media protection architecture is based on a driver that brokers all communication between removable media and a computer's operating system. Removable media, like thumb drives, have been a constant source of worry for network operators because they can access a computer directly, avoiding network protections. Thumb drives were reportedly the source of the notorious Stuxnet virus that crippled Iranian nuclear development programs and another virus that infected U.S. defense networks overseas.

USB-ARM, said Lamb, blocks all communications to a computer until a set of user-defined criteria, like McAfee antivirus, AVG anti-virus and executable detection engines have finished analyzing the removable media for threats.

MLSTONES, a set of analytical tools developed by Pacific Northwest National Lab, is based on biotechnology and bioinformatics developed to trace DNS proteins among human families. In a computer network, the tools can be used to find associations among the vast sea of data flowing through the network, picking out those that look similar to build a profile of cyberattackers' intrusions, according to Elena Peterson, a PNW Lab developer. The tools create "cyber proteins" based on data types, aligning those proteins into "families" with split-second timing. Those family groups can reduce the amount of data that needs to be analyzed, she said.

Oak Ridge National Labs' "Choreographer" system acts much like a minefield for attackers, said ORNL developer Craig Shue. The system performs a clever server bait-and-switch, drawing attackers away from active public-facing servers using fake "honeypot" servers as bait. The system can shift the fake and legitimate servers' network addresses on demand, giving only valid users the right addresses. The technique, said Shue, can reduce attacker effectiveness from 100 percent to less than 1 percent.

Pathscan, Los Alamos National Labs' detection system, can track down intruders once they are inside a network. According to LANL developer Joshua Neil, Pathscan targets hackers' transverse behavior in the network by building models of normal network activity, passively monitoring network traffic and comparing it to behavioral models. The system breaks the network into millions of small paths and monitors each to test whether the traffic moving over it is normal compared to the models.

DHS S&T, said Pozmantier, is "foraging" at the national labs for the next TTP round, beginning another 36-month process of finding and fostering development of additional candidate technologies. TTP, he said, has seen a steady uptick in the volume of candidate technologies, from an initial 35 two years ago, when the program began, to more than 100 in fiscal 2014.