DOD SBIR 24.4 Annual

Release Date
October 3rd, 2023
Open Date
October 3rd, 2023
Due Date(s)
March 31st, 2025
Close Date
March 31st, 2025
Topic No.


User and Entity Behavior Analysis


Department of Defense
N/A


Type: SBIR
Phase: BOTH
Year: 2024


The Department of Defense (DOD) is seeking proposals for the topic "User and Entity Behavior Analysis" as part of its SBIR program. The objective of this research is to develop a UEBA capability that serves as a Policy Decision Point (PDP) in the Tactical Zero Trust Architecture (ZTA). The UEBA will analyze user and entity behavior by collecting activity data and applying advanced analytics to detect anomalies. The solution will leverage data already collected and normalized by the Elastic Stack and incorporate sources such as Active Directory, endpoint systems, firewalls, and vulnerability scans. The UEBA should include a flexible REST API for obtaining telemetry and making authorization decisions. The project will be conducted in three phases. Phase I requires a proof of concept in the form of a whitepaper demonstrating the feasibility of developing the UEBA capability. Phase II involves developing a prototype to collect and interpret data, display risk score changes, and allow human decision-making based on alerts. Phase III focuses on dual-use applications, such as embedding AI/ML pattern recognition into cybersecurity operations and applying UEBA to the IoT, healthcare, and finance sectors. The project duration is not specified, but the solicitation is open until March 31, 2025. For more information and to submit proposals, interested parties can visit the DOD SBIR website at [solicitation_agency_url].


OUSD (R&E) CRITICAL TECHNOLOGY AREA(S): Integrated Network Systems-of-Systems


OBJECTIVE: This User and Entity Behavioral Analysis (UEBA) will streamline authentication to the network and services while transparently securing mission critical services such as warfighting applications, through granular role-based access control. As implemented, this UEBA solution will be a critical enabler of the Army's Zero Trust Architecture (ZTA) implementation. It would substantially improve the tactical network's cybersecurity posture.


DESCRIPTION: The U.S. Army requires a novel User and Entity Behavioral Analysis (UEBA) capability that serves as, or feeds, a Policy Decision Point (PDP) in the Tactical Zero Trust Architecture (ZTA). Behavior analysis is the process of collecting activity data on people and non-person entities, applying advanced analytics, and comparing the results to accepted baselines and peer activities. This UEBA will leverage data that is already collected and normalized by the Elastic Stack. This data includes Active Directory Domain, Active Directory Certificate Services, Windows endpoint, Linux endpoint, Palo Alto Firewall, Suricata Intrusion Detection System, Zeek Network Sensor, Netflow, and Cisco IOS events. It will also incorporate Nessus Security Center vulnerability and asset scan reports. This capability can execute within the Elastic Stack as a collection of detection engine rules, entity analytics or a Machine Learning model, or it can execute as a stand-alone virtual machine or container. The UEBA should include a well-documented and flexible REST API that enables Policy Enforcement Points (PEPs) to obtain the telemetry needed to make and enforce authorization decisions.


PHASE I: The government is looking for a proof of concept, in the form of a whitepaper, that details the feasibility of developing a novel User and Entity Behavioral Analysis (UEBA) capability that serves as a policy decision point. The proof of concept will assume the ability to utilize data already collected by systems in the PEO C3T portfolio and normalized by the Elastic Stack implementation deployed on the tactical network. The model shall determine a user's normal battle rhythm and be able to alert a human in the loop to a change in the user's risk score. The authoritative human in the loop will be able to decide whether to terminate the user's session or elevate it for further analysis.


PHASE II: The prototype will be developed to demonstrate the UEBA's ability to collect and interpret data. The demonstration shall also show the ability to display a risk score change for a user based on behavioral anomalies and the ability for a human in the loop to make an access decision based on that alert.
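The DESCRIPTION and Phase I/II text above describe baseline-versus-peer behavior analysis, a per-user risk score, and a PDP verdict that a PEP fetches and that a human in the loop acts on. The following is an added illustration of that flow, not code from the solicitation or from any offeror; the event records, user names, hosts, weights and thresholds are all constructed assumptions standing in for ECS-normalized Elastic Stack data.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample logon events in the shape of ECS-normalized records
# (user.name, host.name, source.ip, @timestamp); not real tactical-network data.
BASELINE_EVENTS = [
    {"user": "alice", "host": "tac-ws-01", "ip": "10.0.1.5", "ts": "2024-05-01T08:10:00"},
    {"user": "alice", "host": "tac-ws-01", "ip": "10.0.1.5", "ts": "2024-05-02T09:05:00"},
    {"user": "alice", "host": "tac-ws-01", "ip": "10.0.1.5", "ts": "2024-05-03T13:40:00"},
    {"user": "bob",   "host": "tac-ws-02", "ip": "10.0.1.6", "ts": "2024-05-01T20:15:00"},
    {"user": "bob",   "host": "tac-ws-02", "ip": "10.0.1.6", "ts": "2024-05-02T21:30:00"},
]

def build_baseline(events):
    """Per-user profile of hosts, source IPs and logon hours (the 'battle rhythm')."""
    prof = defaultdict(lambda: {"hosts": Counter(), "ips": Counter(), "hours": Counter()})
    for e in events:
        p = prof[e["user"]]
        p["hosts"][e["host"]] += 1
        p["ips"][e["ip"]] += 1
        p["hours"][datetime.fromisoformat(e["ts"]).hour] += 1
    return prof

def risk_score(event, prof):
    """0-100 score: deviation from the user's own baseline, softened by peer activity.
    Weights are assumed for illustration; a real model would learn them."""
    p = prof.get(event["user"])
    if p is None:
        return 100, ["no baseline for user"]
    score, reasons = 0, []
    if event["host"] not in p["hosts"]:
        score, reasons = score + 40, reasons + ["unseen host"]
    if event["ip"] not in p["ips"]:
        score, reasons = score + 30, reasons + ["unseen source ip"]
    hour = datetime.fromisoformat(event["ts"]).hour
    if hour not in p["hours"]:
        # An hour outside this user's rhythm but normal for peers is less suspicious.
        peers = any(hour in q["hours"] for u, q in prof.items() if u != event["user"])
        score, reasons = score + (15 if peers else 30), reasons + ["off-rhythm hour"]
    return min(score, 100), reasons

def pdp_decision(event, prof, state, alert_at=40):
    """PDP verdict a PEP would fetch over the REST API. 'alert' hands the risk score
    change to the human in the loop, who terminates or elevates; there is no auto-deny."""
    score, reasons = risk_score(event, prof)
    previous = state.get(event["user"], 0)
    state[event["user"]] = score
    return {"user": event["user"], "risk_score": score, "delta": score - previous,
            "decision": "alert" if score >= alert_at else "allow", "reasons": reasons}

if __name__ == "__main__":
    prof, state = build_baseline(BASELINE_EVENTS), {}
    print(pdp_decision({"user": "alice", "host": "tac-ws-09", "ip": "10.0.1.5",
                        "ts": "2024-05-04T21:00:00"}, prof, state))
```

The `state` dict carries the previous score so that each verdict reports the risk score change Phase II asks to display, and the `reasons` list gives the human reviewer the evidence behind an alert.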



PHASE III: UEBA seeks to embed AI/ML pattern recognition into cybersecurity operations to automatically detect anomalous behavior in a digital environment.
Regarding zero trust (ZT) requirements, corporate research underscores that a UEBA architecture inherently gives users a ZT solution, as it provides maximum network visibility into all users, devices, assets, and entities.
Companies and investors forecast that start-ups augmenting current UEBA technology will imbue it with predictive analytics, create "contextually aware" multimodal algorithms, and/or build more robust interoperable and API infrastructure.
Current market applications for UEBA, including start-up usage, are:
- Internet of Things (IoT): UEBA can monitor both human activity on devices and anomalous behavior on connected devices.
- Healthcare: similar to IoT, the healthcare use case includes patient portals and securing hardware.
- Finance: track and flag suspicious behavior across a myriad of devices.





KEYWORDS: User and Entity Behavioral Analysis (UEBA); Zero Trust Architecture; Authentication; Network; Data; Active Directory