Through "Secure and confidential rule matching", the Communications Security Establishment (CSE) is seeking a system that evaluates pattern-matching signatures in insecure environments without revealing either the signatures themselves or the portions of the corpus matched by those signatures.
Solution proposals can only be submitted by a small business that meets all of the following criteria:
- for profit
- incorporated in Canada (federally or provincially)
- 499 or fewer full-time equivalent (FTE) employees*
- research and development activities that take place in Canada
- 50% or more of its annual wages, salaries and fees are currently paid to employees and contractors who spend the majority of their time working in Canada*
- 50% or more of its FTE employees have Canada as their ordinary place of work*
- 50% or more of its senior executives (Vice President and above) have Canada as their principal residence*
The program will fund eligible organizations whose proposed signature-matching solutions:
- Have the capability of matching a collection of simple rules on a corpus of unencrypted text.
- Express rules as simple character strings.
- Keep the rules confidential (encrypted) during the matching process.
- Make it impossible to deduce the rules by analyzing the instructions the matching system executes at run time.
- Keep the matching objects (objects that indicate which rule matched where in the corpus) confidential (encrypted). In other words, an unauthorized observer has no way to figure out which rule matched where in the corpus.
- Provide mechanisms to encrypt/decrypt the signatures and the corresponding “matching objects” with a key that will only be available to individuals with the appropriate security clearance.
- Provide a rule matching system that runs with integrity: the rules are matched without errors, exactly as the system would run without encryption.
- Fit in a reduced form factor equivalent to 4 unit spaces in a standard data center rack.
In addition, the proposed solutions should:
- Scale to support a higher number of signatures (target is 20 000).
- Allow for more complex rule specification. The objective is to be able to replicate the Suricata (open-source IDS) rule specification language.
- Increasingly demonstrate the ability to support more complex signatures, for example string matching with wildcards, simple multi-criteria Boolean rules and regular expressions.
- Be able to match signatures on unencrypted packetized network traffic (as opposed to a simple unencrypted text corpus).
- Have the performance, given the reduced form factor, to match 20 000 signatures at a rate of 1 Gbit/s of packetized network traffic.
- Have algorithmic scalability, relative to the number of strings, their length and the number of matches in the corpus, that matches the complexity of the best multiple string matching algorithms that run without encryption: O(size_of_text + number_of_match_occurrences_in_corpus).
Closing date: May 21, 2020, 14:00 Eastern Daylight Time
Contact Name: Government of Canada
E-mail Address: SIC-ISC@pwgsc.gc.ca