Summary
Modern computing systems act as black boxes in that they accept inputs and generate outputs but provide little to no visibility of their internal workings.
This greatly limits the potential to understand cyber behaviors at the level of detail necessary to detect and counter some of the most important types of cyber threats, particularly advanced persistent threats (APTs). APT adversaries act slowly and deliberately over a long period of time to expand their presence in an enterprise network and achieve their mission goals (e.g., information exfiltration, interference with decision making and denial of capability). Because modern computing systems are opaque, APTs can remain undetected for years if their individual activities can blend with the background “noise” inherent in any large, complex environment.
Beyond the APT problem, a lack of understanding of complex system interactions interferes with (and sometimes completely inhibits) efforts to diagnose and troubleshoot less sophisticated attacks or non-malicious faulty behavior that spans multiple applications and systems.
The Transparent Computing (TC) program aims to make currently opaque computing systems transparent by providing high-fidelity visibility into component interactions during system operation across all layers of software abstraction, while imposing minimal performance overhead.
The program will develop technologies to record and preserve the provenance of all system elements/components (inputs, software modules, processes, etc.); dynamically track the interactions and causal dependencies among cyber system components; assemble these dependencies into end-to-end system behaviors; and reason over these behaviors, both forensically and in real-time. By automatically or semi-automatically “connecting the dots” across multiple activities that are individually legitimate but collectively indicate malice or abnormal behavior, TC has the potential to enable the prompt detection of APTs and other cyber threats, and allow complete root cause analysis and damage assessment once adversary activity is identified. In addition, the TC program will integrate its basic cyber reasoning functions in an enterprise-scale cyber monitoring and control construct that enforces security policies at key ingress/exit points, e.g., the firewall.
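The causal-dependency tracking and forensic reasoning described above, as an added example (not code from the TC program or its performers): constructed audit events are linked into a time-respecting provenance graph, then traced backward from a suspicious outbound connection for root cause and forward from the entry point for damage assessment. The event format, entity names and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed audit events: (timestamp, source, operation, destination).
# Information flows from source to destination; all names are hypothetical.
EVENTS = [
    (1, "sock:203.0.113.7:443", "recv", "proc:browser"),
    (2, "proc:browser", "write", "file:/tmp/invoice.pdf"),
    (3, "file:/tmp/invoice.pdf", "read", "proc:pdfviewer"),
    (4, "proc:pdfviewer", "fork", "proc:sh"),
    (5, "file:/home/a/notes.txt", "read", "proc:editor"),   # unrelated noise
    (6, "file:/srv/payroll.db", "read", "proc:sh"),
    (7, "proc:sh", "write", "file:/tmp/.cache"),
    (8, "file:/etc/hosts", "read", "proc:sh"),   # after the write: no influence
    (9, "file:/tmp/.cache", "read", "proc:curl"),
    (10, "proc:curl", "send", "sock:198.51.100.9:443"),
]

def _index(events, key):
    idx = defaultdict(list)
    for ev in events:
        idx[ev[key]].append(ev)
    return idx

def backtrack(events, target, at_time):
    """Root cause: events that could have influenced `target` by `at_time`."""
    incoming = _index(events, 3)
    seen, chain, stack = {}, set(), [(target, at_time)]
    while stack:
        node, limit = stack.pop()
        if seen.get(node, -1) >= limit:      # already explored up to this time
            continue
        seen[node] = limit
        for ev in incoming[node]:
            if ev[0] <= limit:               # a cause must precede its effect
                chain.add(ev)
                stack.append((ev[1], ev[0]))
    return sorted(chain)

def impact(events, origin, from_time):
    """Damage assessment: entities `origin` could have influenced afterwards."""
    outgoing = _index(events, 1)
    earliest, stack = {}, [(origin, from_time)]
    while stack:
        node, start = stack.pop()
        if earliest.get(node, float("inf")) <= start:
            continue
        earliest[node] = start
        stack.extend((ev[3], ev[0]) for ev in outgoing[node] if ev[0] >= start)
    return set(earliest) - {origin}
```

Each event on its own (a browser download, a PDF opened, a file read, an HTTPS upload) looks routine; only the time-ordered chain ties the outbound connection back to the inbound one and to the payroll file.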
The intent of the TC program is to develop basic technologies that are separable and usable in isolation (e.g., within a given software layer/application environment, such as web middleware), while exploring the best way to integrate multiple TC technologies in an experimental prototype.
The program will aim to produce basic technologies and an experimental prototype comprising a multilayer data collection architecture and an analysis/enforcement engine that will enable both proactive enforcement of desirable policies (permissible/impermissible interactions) and near-real-time intrusion detection and forensic analysis. It is expected that this prototype will provide a starting point for technology transition.
The TC program held a Proposers' Day on December 15, 2014.
This program is now complete.
This content is available for reference purposes. This page is no longer maintained.