Notice

Competition document: predictive cyber analytics

Updated 6 September 2018

1. Introduction

This Defence and Security Accelerator (DASA) competition seeks proposals to develop novel predictive approaches in the cyber security domain. This will allow defence and security to better prepare for, detect and counter future cyber threats, thereby reducing their impact and likelihood of success.

In Phase 1 of this competition funding of up to £1 million is available. By the end of this phase, we want to see proof-of-concept demonstrations at around Technology Readiness Level (TRL) 3 operating within a representative business enterprise system.

Additional funding is anticipated to be available for future competition phases, which will aim to develop technology to a higher TRL and into fully deployable software solutions, focussed less on business enterprise systems and more towards the unique systems, circumstances, threats and opportunities that defence and security faces.

The call closes at midday on 5 November 2018.

2. Competition scope

2.1 Background

Traditional cyber security methods only respond to known threats. However, as our understanding of adversaries and attack patterns improves, and increased computing power and data growth continues to drive the artificial intelligence (AI) revolution, new possibilities are emerging to get ahead of threats and predict future cyber-attacks.

Computing infrastructure is a key component of nearly all modern defence systems and provides another attack surface for adversaries. Cyber security has been in an arms race for decades, with hackers continuously exposing new vulnerabilities and developers racing to patch them.

Past approaches to cyber defence have traditionally been reactive, relying on black/white lists, known (virus/malware) signatures, and more recently on broader machine-learning anomaly-detection methods. Such methods are forensic or, at best, real-time. There has been limited effort in predicting events related to a cyber-attack (prior to, or during the attack) and very few fully-developed and deployable tools exist with predictive capability.

Forecasting future events is not a new concept and predictive analytics already drives many areas of industry. We are interested in novel approaches to cyber security that can predict the most likely offensive cyber events and/or predict optimal defensive cyber actions, to enable proactive defence in a hostile and contested cyber environment.

2.2 Scope

Preferred approaches will focus on forecasting future cyber threats, attacks, events and actions (offensive or defensive), that allow defence and security to better prepare for, anticipate and counter future cyber threats, thereby reducing the impact of an attack and its likelihood of success.

Proposals may make use of any source of cyber data that defence or security could reasonably be expected to have access to. These should be Open Source Datasets, and traditional sources might include:

• network traffic captures
• network vulnerability scans
• software vulnerability databases
• signature databases

Less traditional sources might include:

• intelligence on adversaries and their attack patterns: such as tactics, techniques and procedures (TTPs) or kill-chains
• proactive intelligence gathering through interaction with the adversary (via the use of honeypots)
• network meta-data (misconfigured services, known badness such as extraneous virus/malware infections)

Predicting vulnerabilities in hardware or software, monitoring the `health’ of a system, and traditional forensic or real-time analytics are only acceptable if used to inform a larger predictive engine.

Proposals that make use of open-source data formats (for example, in threat intelligence reporting, sharing and ingesting; or in traffic captures) are strongly encouraged.

3. Competition challenges

Phase 1 is anticipated to:

• adapt and implement predictive approaches from other industries to the cyber security domain
• create and implement novel predictive analytics specific to the cyber security domain
• exploit empirical observation-based models of attackers to make predictions (for example of adversary tactics, techniques and procedures; of kill-chains; of attacker competency levels)
• automate the assimilation of (text-based) knowledge collected for many systems (such as known risks or vulnerabilities), and transfer that knowledge to new systems that have the same (or similar) components and operating procedures
• develop approaches to recognise patterns of life that are not time-based, but sequence based
• build on alerts from reactive methods to forecast future offensive cyber events, and thereby predict optimal cyber defences

3.1 Clarification of what we want

We are keen to see proposals that exploit intelligence on adversary attack patterns (such as knowledge of various groups and their TTPs), although we are open to all concepts and ideas related to prediction in the cyber security domain.

Proposals should highlight how subsequent phases will build on the first phase of development. The initial phase may be demonstrated within a representative business enterprise environment but subsequent phases should be applicable to the unique systems, circumstances, threats and opportunities that defence and security faces.

Your proposal should include:

• innovation
• novel ideas for defence and/or security
• a clear demonstration of the pathway to future exploitation
• clear demonstration of how the proposed work builds on existing published or open knowledge

3.2 Clarification of what we do not want

For this competition we are not interested in proposals for:

• consultancy, paper-based studies or literature reviews
• solutions that do not offer significant benefit to defence/security
• proposals that only offer a written report
• proposals that cannot demonstrate feasibility within the Phase 1 timescale of 6 months
• minor improvements in existing high TRL (TRL 5+) technologies
• demonstrations of off-the-shelf products requiring no experimental development
• identical resubmission of a previous bid to DASA or MOD without modification
• incremental improvements on existing technology
• proposals which offer no real long-term prospect of integration into defence capabilities
• proposals with no real prospect of out-performing existing technological solutions
• proposals that develop theoretical models, or that lack implementation to real data
• proposals that ingest social media feeds or other public data of a personal nature

4. Exploitation

It is important that over the lifetime of DASA competitions, ideas are accelerated towards appropriate end-users, to enhance capability. How long this takes will be dependent on the nature and starting point of the innovation. Early identification and appropriate engagement with potential users during the competition and subsequent phases is essential.

All proposals to DASA should articulate the development in TRL of the output over the lifetime of the contract and how this relates to improved operational capability. For this competition it is envisaged that proposals will start at around TRL 2. The deliverables in your proposal (especially the final proof-of-concept demonstration) should be designed to provide evidence that you have reached the intended TRL (around TRL 3) by the end of the contract. The final proof-of-concept demonstration should evidence that full development of the solution would indeed provide improved operational capability to the user.

Subsequent phases will focus on TRL >3. The evidence generated during Phase 1 should support the development of the proposal for Phase 2, with the aim of making it as easy as possible for potential collaborators to identify the innovative elements of your proposal in order to consider routes for exploitation.

It is important right from the start that DASA and end users understand how your idea will deliver longer term improvements to defence and/or security capability and how it could be integrated with other relevant capabilities. Therefore, you may wish to include some of the following information, where known, to help the assessors understand your exploitation plans:

• the intended defence and/or security users of your final product and whether you have engaged with these end-users or their procurement organisation
• the current TRL of the innovation and where you realistically think it will be by the end of Phase 1
• awareness of, and alignment to, any existing end user procurement programmes
• the anticipated benefits (for example, in cost, time or improved capability) that your solution will provide to the user
• whether it is likely to be a standalone product or integrated with other technologies or platforms
• expected additional work required beyond the end of the contract to develop an operationally deployable commercial products (for example, ‘scaling up’ for manufacture, cyber security, integration with existing technologies or environmental operating conditions)
• additional future applications and markets for exploitation
• wider collaborations and networks you have already developed or any additional relationships you see as a requirement to support exploitation
• requirements for access Government Furnished Assets (GFA) for example data, equipment, materials and facilities (noting we cannot guarantee the availability of GFA)
• how you intend to demonstrate the outputs at the end of this phase, what form the proof-of-concept demonstration would take and whether it will require any special facilities (for example, outdoor space, specific venue)
• how your product could be tested in a representative environment in later phases
• any specific legal, commercial or regulatory considerations for exploitation

5. How to apply

Proposals for funding to meet these challenges must be submitted by midday on Monday 5 November 2018 via the DASA submission service for which you will be required to register.

The initial Phase 1 funding of £1 million is expected to fund approximately 5 to 10 proposals. The cost to DASA per proposal must be in the range of £100k to £300k (although you may choose to use additional funds from elsewhere to meet the challenge). If successful, Phase 1 contracts will be awarded for a duration of 6 months.

Additional funding for further phases to increase TRL further is anticipated to be available. Any further phases will be open to applications from all suppliers and not just those that submitted Phase 1 successful bids.

Further guidance on submitting a proposal can be found here.

5.1 What your proposal must include

The proposal should focus on this proof of concept phase but should also include a brief outline of the next stages of work required for exploitation.

When submitting a proposal, you must complete all sections of the online form, including an appropriate level of technical information to allow assessment of the bid and a completed finances section. The proposal must clearly demonstrate a response to each of the DASA assessment criteria.

A project plan with clear milestones and deliverables must also be provided. Deliverables must be well defined and designed to provide evidence of progress against the project plan and the end-point for this phase. This must include an initial milestone for delivery by end of March 2019; note that contracts are anticipated to start in January 2019 for a duration of 6 months. Overall, deliverables must include source code; a proof-of-concept demonstration; and a written report. Intellectual property will be treated in accordance with clause 10 in the Short Form Contract (SFC).

A resourcing plan should also be provided that identifies, where possible, the nationalities of those proposed Research Workers that you intend working on this phase. In the event of proposals being recommended for funding, the DASA reserves the right to undertake due diligence checks including the clearance of proposed Research Workers. Please note that this process will take as long as necessary and could take up to 6 weeks in some cases for non-UK nationals.

You should identify any ethical/legal/regulatory factors within your proposal and how the associated risks will be managed, including break points in the project if approvals are not received, must be included. Further details are available in the DASA guidance.

In addition, requirements for access to GFA should be included in your proposal with information on how you intend to access them and any steps you have already taken to achieve this.

Completed proposals must comply with the financial range set for this Phase which is between £100k to £300k per proposal. Applications will be rejected if they do not comply with this bracket.

Proposals must include costed participation at the following two DASA events:

• a collaboration event
• a demonstration event

Both events will be held in the UK.

5.2 Public facing information

A brief abstract will be requested if the proposal is funded. This will be used by DASA and other government departments as appropriate, to describe the project and its intended outcomes and benefits. It will be used for inclusion at DASA events in relation to this competition and placed on the DASA website, along with your company information and generic contact details.

5.3 How your proposal will be assessed

All proposals will undergo an initial sift to check compliance with the competition document. We may also undertake a pre-sift of proposals based on fit to the competition document and standard DASA assessment criteria.

Proposals will then be assessed against the standard DASA assessment criteria by subject matter experts from the MOD (including Dstl), other government departments and front-line military commands. You will not have the opportunity to comment on assessors comments.

DASA reserves the right to disclose on a confidential basis any information it receives from bidders during the procurement process (including information identified by the bidder as Commercially Sensitive Information in accordance with the provisions of this competition) to any third party engaged by DASA for the specific purpose of evaluating or assisting DASA in the evaluation of the bidder’s proposal. In providing such information the bidder consents to such disclosure. Appropriate confidentiality agreements will be put in place.

Further guidance on how your proposal is assessed is available on the DASA website.

After assessment, proposals will be discussed internally at a Decision Conference where, based on the assessments, budget and wider strategic considerations, a decision will be made on the proposals that are recommended for funding.

Proposals that are unsuccessful will receive brief feedback after the Decision Conference.

5.4 Things you should know about DASA contracts

Please read the DASA terms and conditions which contain important information for suppliers. For this competition we will be using the Short Form Contract (SFC).

Funded proposals will be allocated a Technical Partner as a technical point of contact. In addition, the DASA team will work with you to support delivery and exploitation.

Deliverables from DASA contracts will be made available to MOD, front-line commands, and may be subject to review by relevant government departments.

The full-rights outputs of funded work may be exposed to international government partners. This is to promote international collaboration and to give projects the best chance of exploitation through exposure to a larger scope of requirements. This will only be done under the protection of existing inter-governmental memoranda of understanding.

6. Phase 1 dates

Competition open	Thursday 6 September 2018
Dial in	Tuesday 2 October 2018
Pre bookable 1-1 telecom sessions	Wednesday 3 October 2018
Competition closes	Monday 5 November at midday
Contracting	Aim to start contracts beginning of January 2019 and end 6 months later in July 2019

Demonstration and collaboration event dates will be communicated to successful applicants once confirmed.

6.1 Supporting events

• Tuesday 2 October 2018 – A dial-in session providing further detail on the problem space and a chance to ask questions in an open forum. If you would like to participate, please register on the Eventbrite page.
• Wednesday 3 October 2018 – A series of 20 minute one-to-one teleconference sessions, giving you the opportunity to ask specific questions. If you would like to participate, please register on the Eventbrite page.

7. Help

Competition queries including on process, application, technical, commercial and intellectual property aspects should be sent to accelerator@dstl.gov.uk, quoting the competition title.

While all reasonable efforts will be made to answer queries, DASA reserves the right to impose management controls if volumes of queries restrict fair access of information to all potential suppliers.