Malicious actors are currently able to compromise and use with impunity large numbers of devices owned and operated by third parties. Such collections of compromised and conscripted devices, commonly referred to as botnets, are used for criminal, espionage, and computer network attack purposes (often a combination of all three). Recent examples of botnets and similar malicious code include Mirai, Hidden Cobra, WannaCry, and Petya/NotPetya. The potential scale of their effects makes such malware a national security threat. The May 11, 2017, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure specifically identifies botnets as a high-priority national security issue.

Improving the security posture of Department of Defense (DoD) networks alone is insufficient to counter such threats to national security, as the majority of botnet nodes reside in neutral networks (“gray space”). Current incident response methods are too resource- and time-consuming to address the problem at scale. Active defense methods are insufficiently precise and predictable in their behavior, posing a risk that they may cause processing issues or other side effects. What is needed is the ability to identify and neutralize botnets and other large-scale malware on compromised devices and networks in a scalable, timely, safe, and reliable manner, in accordance with appropriate privacy and other legal authorities. To achieve the necessary scale and timeliness, such a capability must be effective even if the owners of botnet-conscripted networks are unaware of the infection and are not actively participating in the neutralization process.

The HACCS program will investigate the feasibility of creating safe and reliable autonomous software agents that can effectively counter malicious botnet implants and similar large-scale malware. The program will do so by developing a quantitative framework and established parameters for their safe, reliable, and effective use. HACCS performers will develop the techniques and algorithms necessary to measure the accuracy of identifying botnet-infected networks, the accuracy of identifying the type of devices residing in a network, and the stability of potential access vectors. The program will take an experimental approach to verify the implementation of such autonomous agents and the rules under which they operate, and to measure the effectiveness of denying, degrading, and disrupting botnets and individual botnet implants without affecting the systems and networks on which they reside.

The HACCS program seeks to: