Hackathon helps improve DARPA’s Plan X

The program looks to make it easier to visualize a network and recognize malicious activity.

Army illustration DARPA Plan X

The Defense Advanced Research Projects Agency recently hosted a week-long hackathon as part of its Plan X program, which is developing ways to plan, conduct and assess cyberwarfare in the same way the military handles kinetic warfare, with the help of various communities ranging from academia to industry and military users. The program also tries to make it easier for people to visualize a network and check its status, as well as automating the identification of intrusions.

According to two participants from the Army, Capt. James McColl and Capt. Justin Lanahan, the hackathon, held in Arlington, Va., focused on analyzing large network data sets that might indicate nefarious network activity. Teams sought to discover the best way to analyze data and code algorithms that could ultimately improve Plan X.   

“The overarching idea for the week is ‘big data analytics,’” Lanahan said in an Army release. “The data we have been given is what they call 'net flow.' It contains a minimal subset of all the traffic traversing a network. It tells us what the IP address was, the destination where that packet was going, how big the packet was, and the time that it happened, for instance.”

Participants worked together to discover more efficient methods of identifying things out of the ordinary while accurately differentiating between various anomalies on the network due to misconfiguration.  “Maybe you're seeing network traffic at 2 a.m., when no user should be working…But when we investigate, we could see that it's a system update, when the Windows updates come out. It could be just that generating traffic. It's an anomaly, but it's not nefarious,” Lanahan said. “Or it could be somebody with a hard drive stealing company data.”

A version of Plan X was displayed during the hackathon, with some participants demonstrating how it could be used as an all-seeing eye of sorts in monitoring network activity. Utilizing the touchscreen, a user can zoom into portions of the network and even touch individual components that reveal identifying information and provide status updates. Portions of the network that change color, pulse or change shape could be indicating an infection. These indicators, or symbology, are required to more rapidly alert users of problems on the network as they happen, Lanahan said. 

For one Army official, the benefit of concepts such as Plan X is the ability to understand a network the same way the physical world is understood – or in the operational sense, the way kinetic operation domains such as air, land and sea are understood. “We need technology to help us translate something we can't touch or feel easily into something we can rationalize about,” said Ian MacLeod, technical director of the Army Cyber Command's Advanced Concepts and Technologies Directorate. “The domain of cyberspace is larger than any other domain. And with the speed at which it operates, we need computers to help us understand it,” MacLeod said. “When Plan X gets in the hand of operators...we will bring the military operational mindset to this domain. It helps us to understand the domain a little better.”

One advantage of Plan X is that threats can be addressed or even fixed through pre-written software, meaning users don’t have to be well versed in coding or computer science to operate it. This will help put the minds of commanders at ease that are responsible for monitoring thousands of computers and ensuring their safety along with the safety and security of other network components.