Past Solicitations
Application of Network Measurement Science: Predict, Assess Risk, Identify (and Mitigate) Disruptive Internet-scale Network Events (PARIDINE)

This BAA solicitation (HSHQDC-17-R-00059) is a call issued against Department of Homeland Security (DHS), Science & Technology (S&T), Cyber Security Division (CSD), 5-Year Broad Agency Announcement (BAA), HSHQDC-17-R-B0002 Amendment 1. All terms and conditions of the DHS S&T CSD 5-Year BAA HSHQDC-17-R-B0002, Amendment 1, apply to this solicitation unless otherwise noted herein. The overall Application of Network Measurement Science (ANMS) program has several major goals, each corresponding to a separate BAA. The first goal (and the focus of this PARADINE BAA) is to define, identify, produce and report operational instances of disruptive events, accompanied by attribution that captures root cause analysis. The second goal, not included in this BAA, is to predict (with attribution) emerging or unfolding Network/Internet-scale Disruptive Events (NIDEs) based on a thorough understanding of the characteristics of a variety of such events and the current Internet state. The third goal, also not included in this BAA, is to develop a risk analysis tool that supports prediction, what-if scenario exploration, and attribution. Technologies developed under these BAAs should be designed to demonstrate the ability to automatically use very early indications of attack, network instability, broader network behavior, or other domain information to understand the actual properties and details of a Network/ Internet-scale Disruptive Event (NIDE).


TTA 1 - Definition, Identification, and Production of Network / Internet Disruptive Events (NIDEs)

This TTA intends to generate an approach to sensing, quantifying, and categorizing Network/Internet-scale Disruptive Events (NIDEs) by constructing definitions and applying them to identify instances of NIDEs. For consistency, repeatability, and correctness, technical approaches should describe a method of defining NIDEs that encompass NIDE attributes described in Section 2.5 and 2.6. NIDE production encompasses specifying algorithms that use the NIDE structure definitions to identify NIDEs in existing or new data and research testbeds. As a result, deliverable requirements include algorithms, a collection of data with evidence of NIDEs, and reports summarizing the efficacy of applying the proposed NIDE structure definition (including pointing out any gaps that make NIDE identification difficult or infeasible). Production-ready code for identification and reporting of NIDEs is a desired outcome for this TTA. Specific goals for this TTA are as follows: 3.1.1 TTA #1 Goal 1 - NIDE Identification Document (NID). The first goal for this TTA is to define a Network/Internet-scale Disruptive Event (NIDE) in terms of quantifiable metrics and classifications, as well as documenting required sensors and data to measure the NIDEs, and produce a NIDE Identification Document (NID). The NID must fully define the taxonomy for classifying NIDEs and provide context to explain the development approach as well as the relationship of the NIDE classifications to NIDE scenarios. For example, although it is clear when some events disrupt Internet service, this is not always the case. When a hurricane takes out the infrastructure of an area, it is clearly a disruptive event. A NID will address the parameters needed to identify and quantify that a NIDE has occurred, perhaps by defining the number of consumers that were disconnected from the Internet and the length of time for the disruption. Other applicable causes of NIDEs could be: cable cuts, or BGP hijacking events such as when traffic from one country is maliciously routed through another country. Another consideration applicable to NIDE definition could be an event when service is degraded but not completely cut off. The goal of the work in this part of TTA #1 is not so much to offer an authoritative general definition of incidents such as DDoS, but rather to identify reliable defining characteristics of such events, that will lay the foundation for a common framework for defining disruptive events and scientifically and empirically determining ranges of values for NIDE attributes (e.g., m minutes of p% drops for networks of scale S). 3.1.2 TTA#1 Goal 2 - NIDE Analysis Framework Document (NAFD). The second goal of the TTA is to develop an analysis methodology and techniques to sense and identify NIDEs, preferably for identification in near-real-time, and document the results in a NIDE Analysis Framework Document (NAFD). Technical approaches should consider data inputs required to identify NIDEs based on NIDE scenarios. A relevant approach could address varied data inputs from a single source to fusing data from many sources. Examples of monitoring infrastructures include: Trinocular ( - an edge network monitor; BGPmon ( - a tool that monitors BGP routes; Internet Atlas ( - a tool providing the physical representation of the Internet; the FCC Measuring Broadband in America (MBA) for measuring consumer broadband performance; and Archipelago ( an Internet topology monitoring tool. The state-of-the-art is that it takes days to months to get analysis results from the currently available tools, and even when analysis becomes available it is usually based on a single data source.

TTA 2 - Attribution of Network / Internet Disruptive Events

Associating identities and root causes with a NIDE is a problem that entails developing methods that support comprehensive root cause analysis and new attribution techniques for disruptive events. Attribution techniques should produce an identifier (this might be a multi-dimensional artifact, not just a simple string or name) and a metric for attribution quality (i.e., some judgement of the confidence of the attribution procedure or the amount of confidence in the sources of information used to derive it). Attribution should be seen as one property of a NIDE and an attempt at identifying the systems, locale, or other originator of an event. For this TTA, novel attribution techniques are not meant to produce a detailed legally-justifiable personal identification or jump the gap between the cyber and human identity, although this is a desired outcome if feasible. Specific goals for this TTA are as follows: 3.2.1 TTA#2 Goal 1 - Create methods and tools for performing attribution of NIDEs. Using publically available data sources, novel and efficient attribution of these events is of interest, particularly where multi-source data fusion can assist in developing a strong hypothesis for a root cause analysis. Such attribution should be able to encompass both simple triggering conditions involving a single event (e.g., a BGP misconfiguration or an undersea cable cut) as well as activities distributed in time and space. Notably, such analysis may involve attribution of several coordinated root causes or entities. Note: Proprietary data sources may be used if available. The deliverables associated with this goal start with creation of a NIDE Attribution Methodology Document (NAMD), which will document the concept of how attribution will be applied to NIDES including documenting required characteristics or meta-data. Using the NAMD, the next deliverable will be a study that implements the NAMD ("NAMD Study"). The study will need to document the data sources, analysis, and application of the NIDE Application Methodology to the study. Progressing, the NAMD Study serve as a basis to automate the NAMD ("NAMD Automation Suite") and identify requirements for where tools and algorithms should be applied to NIDE attribution, as well as a Concept of Operations (CONOPS). The NAMD Automation Suite will then be used for NIDE attribution analysis. Ultimately, the objective of this goal is to automate as much NIDE attribution analysis as possible, while accounting for where human analysis is required. 3.2.2 TTA#2 Goal 2 - NIDE attribution quality analysis. Perfect attribution may be difficult or impossible to determine for any given incident, so attribution artifacts should accommodate varying degrees of detail and provide a metric expressing the quality of the attribution. For NIDEs where a determination of attribution is not possible, an explanation of the gaps or obstacle should be provided. This goal will serve as a validation of the NAMD and will document a metrics-based approach to expressing attribution confidence. The deliverables associated with this goal includes a report analyzing the study implementing the NAMD, and then subsequent analyses of NAMD automation.

Key Dates
Solicitation Open Date:
Registration Deadline:
07/19/2017 04:30 PM ET
Submission Deadline:
07/19/2017 04:30 PM ET

Amendments and Q&As
amendment icon Amendment # 1
Posted Date 6/21/17

( The purpose of this Amendment is to change the due date to: 07/19/2017 Also to correct the acronym ...)
(Read Full)

The purpose of this Amendment is to change the due date to: 07/19/2017 Also to correct the acronym PARADINE to PARIDINE.

Back to Past Solicitations List