DOLL has developed active cyberdefense systems, and has evaluated these systems on testbeds that are able to simulate a variety of cyberattacks including denial of service, corruption through malware, exfiltration, and process termination. DOLL's approach is intelligent and dynamic in that it treats an attack as a battle for which defensive missions must be planned, and analysis and compensation resources must be allocated in an optimal manner. Thus, the approach leverages DOLL's Mission Modeling technology.
The system incorporates sensor fusion filters, hypothesis generators, and state estimators to develop mission situation awareness. It uses these first tactically, to respond to signs of corruption in key components, and strategically, to look for longer attack plans in progress. The first step in tactical processing is to identify how the events identified affect the health of mission components. The state being estimated includes the level of trust in each component. Based on hypotheses regarding cyber-attack patterns, and subsequent tests to confirm or refute an attack, the system may decide that a particular component can no longer be trusted.
The system also includes resource allocation capabilities that assign hosts to tasks. One way of responding to an attack is to reconfigure components, possibly instantiating a component with a particular task on a new host if the old host is thought to be compromised. Information about task constraints and priorities is used to decide the optimal allocation of hosts to component-task combinations.
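The trust estimation and host reallocation described above can be illustrated with a small sketch; this is an added example, not DOLL's code or algorithm. It assumes a simple Bayes update for trust, an exhaustive search for the allocation, and constructed host names, task names, likelihoods and a 0.5 trust threshold.

```python
from itertools import product

# Constructed sample data: host capabilities, task requirements and priorities.
HOSTS = {"h1": {"gpu", "radio"}, "h2": {"radio"}, "h3": {"gpu"}}
TASKS = {
    "nav":   {"needs": {"gpu"},   "priority": 10},
    "comms": {"needs": {"radio"}, "priority": 6},
    "log":   {"needs": set(),     "priority": 3},
}

def update_trust(prior, test_failed, p_fail_bad=0.9, p_fail_good=0.05):
    """Bayes update of P(host is trustworthy) after one confirm/refute test.
    The two likelihoods are assumed values, not measured ones."""
    like_good = p_fail_good if test_failed else 1 - p_fail_good
    like_bad = p_fail_bad if test_failed else 1 - p_fail_bad
    good = like_good * prior
    return good / (good + like_bad * (1 - prior))

def allocate(tasks, hosts, trust, min_trust=0.5):
    """Return (assignment, score): the task->host mapping with the highest total
    priority, using only trusted hosts that meet each task's needs.
    One task per host; a task maps to None when it cannot be placed."""
    usable = [h for h in sorted(hosts) if trust[h] >= min_trust]
    names = list(tasks)
    options = [[h for h in usable if tasks[t]["needs"] <= hosts[h]] + [None]
               for t in names]
    best, best_score = {}, -1
    for combo in product(*options):          # exhaustive: fine for small fleets
        placed = [h for h in combo if h is not None]
        if len(placed) != len(set(placed)):  # a host was used twice
            continue
        score = sum(tasks[t]["priority"] for t, h in zip(names, combo) if h)
        if score > best_score:
            best, best_score = dict(zip(names, combo)), score
    return best, best_score

def demo():
    trust = {h: 0.95 for h in HOSTS}
    before = allocate(TASKS, HOSTS, trust)
    for _ in range(2):                       # h1 fails two integrity tests
        trust["h1"] = update_trust(trust["h1"], test_failed=True)
    return before, allocate(TASKS, HOSTS, trust), trust

if __name__ == "__main__":
    before, after, trust = demo()
    print("before:", before)
    print("after: ", after, "trust(h1)=%.3f" % trust["h1"])
```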