Secure and Confidential Rule Matching

*** NEW – May 19, 2020

• An attachment has been added. The document contains questions and answers related to the Challenge.

  ******************************************************

May 8, 2020

New attachment has been added. Please read the document as it provides important information pertaining to the submission of your proposal.

********************************

April 15, 2020

Due to the issues surrounding COVID19, we have decided to extend the solicitation closing date until May 21, 2020.**

This Challenge Notice is issued under the Innovative Solutions Canada Program (ISC) Call for Proposals 003 (EN578-20ISC3). For general ISC information, Bidders can visit the ISC website.

Please refer to the Solicitation Documents which contain the process for submitting a proposal.

Steps to apply:

Step 1: read this challenge

Step 2: read the Call for Proposals

Step 3: propose your solution here

Challenge title: Secure and Confidential Rule Matching

CHALLENGE SPONSOR: Communications Security Establishment (CSE)

Funding Mechanism: Contract

MAXIMUM CONTRACT VALUE:

Multiple contracts could result from this Challenge.

The maximum funding available for any Phase 1 Contract resulting from this Challenge is $150,000.00 CAD (plus tax) including shipping, travel and living expenses, as applicable.

Estimated number of Phase 1 contracts: 2

The maximum funding available for any Phase 2 Contract resulting from this Challenge is $1,000,000.00 CAD (plus tax) including shipping, travel and living expenses, as applicable. Only eligible businesses that have completed Phase 1 could be considered for Phase 2.

Estimated number of Phase 2 contracts: 1

This disclosure is made in good faith and does not commit Canada to contract for the total approximate funding. Final decisions on the number of Phase 1 and Phase 2 awards will be made by Canada on the basis of factors such as evaluation results, departmental priorities and availability of funds

TRAVEL:  

The qualifying implementers will be invited to CSE headquarters to present their proof of concept at the end of phase 1.

CSE headquarter is located at the following address:

1929 Ogilvie Rd.

Ottawa, On.

K1G 3Z4

Challenge Statement Summary

The Communication Security Establishment (CSE) is seeking a system that would evaluate the pattern matching signatures in insecure environments without revealing either the signatures themselves or the portions of the corpus matched by those signatures.

Challenge Statement

The security and intelligence (S&I) community have access to sensitive cyber-threat information that is not always publicly shareable. Often, this sensitive information will be classified (at least for a period of time) and will only be available on a need-to-know basis to individuals who possess the appropriate security clearances.

In the case of cyber-security, the classified information could describe the behaviours, methods and techniques used by actors whose identity is sensitive. It is possible for this information, or a portion thereof, to be encoded with enough precision to detect and monitor threat actors' presence in network traffic and system telemetry, and thereby identify them via their cyber modus-operandi. For this particular challenge, CSE is scoping the effort on detecting patterns of interest in network traffic by encoding signatures expressed using matching rules.

This challenge is to evaluate those rules in insecure environments without revealing either the signatures themselves or the network traffic matching those signatures.

Such a system would allow the provisioning of classified cyber-security signatures in appliances that could be deployed in unclassified networks such as government or national critical infrastructure networks.

Desired outcomes and Considerations

Essential Outcomes

Proposed solutions must:

1. Have the capability of matching a collection of simple rules on a corpus of unencrypted text. 
2. Have rules as simple character strings.
3. Keep the rules confidential (encrypted) during the matching process.
4. Keep it impossible to deduce the rules by analyzing the execution of the instructions of the matching system during run time.
5. Keep the matching objects (objects that indicates which rule matched where in the corpus) confidential (encrypted). In other words, there is no way, for an unauthorized observer, to figure out what rule matched where in the corpus.
6. Provide mechanisms to encrypt/decrypt the signatures and the corresponding "matching objects" with a key that will only be available to individuals with the appropriate security clearance.
7. Provide a rule matching system that is running with integrity. The rules are matched without errors, exactly as the system would run without encryption.
8. Fit in a reduced form factor equivalent to 4 unit spaces in a standard data center rack.

Additional Outcomes

Proposed solutions should: 

1. Scale to support a higher number of signatures (target is 20 000).
2. Allow for more complex rule specification. The objective is to be able to replicate the Suricata (open-source IDS) rule specification language.
3. Increasingly demonstrate the ability to support more complex signatures. For example, string matching with wild-cards, simple multi-criteria Boolean rules and regular expressions.
4. Be able to match signatures on unencrypted packetized network traffic (as opposed to a simple unencrypted text corpus).
5. Have the performance, given the reduced form factor, to match 20 000 signatures at a rate of 1 Gbits/s of packetized network traffic.
6. Have an algorithmic scalability relative to the number of strings, their length and the number of matches in the corpus has to match the complexity of the best multiple string matching algorithms that run without encryption. O(size_of_text + number_of_match_occurences_in_corpus).

Background and Context

CSE is aware of the state-of-the-art in the domain of cryptography, and especially homomorphic encryption. To our knowledge, no product exists that is able to perform an optimized multiple strings matching on a text corpus with the confidentiality and integrity properties described in this challenge. 

In order to ensure all interested industry suppliers obtain common information, CSE will be hosting an online meeting by means of a video conference (WebEx meeting) on Friday February 21^st 2020 from 1:00 p.m. to 3:00 p.m. (EST - Eastern Standard Time – UTC-5) to answer potential questions.

Note that interested industry suppliers must register to this video conference by sending an email to participate to TPSGC.SIC-ISC.PWGSC@tpsgc-pwgsc.gc.ca .

Industry suppliers have to provide full contact details (name, title, company, telephone and email address) by Close of business on Friday February 14^th 2020 to register and to receive full video conference (WebEx meeting) details to join the online meeting. Attendance is limited to industry suppliers and media will not be permitted to attend.

IMPORTANT INFORMATION:

1) In order for CSE to have sufficient time to prepare answers to questions received in both official languages and in time for the video conference; industry suppliers are to submit their questions regarding this CSE Challenge Notice solicitation to TPSGC.SIC-ISC.PWGSC@tpsgc-pwgsc.gc.ca no later than by Close of business on Friday February 14^th 2020.

ENQUIRIES

All enquiries must be submitted in writing to TPSGC.SIC-ISC.PWGSC@tpsgc-pwgsc.gc.ca no later than ten calendar days before the Challenge Notice closing date. Enquiries received after that time may not be answered.