Stopping Malware and Researching Threats (SMART)

Mailing list:

(To subscribe, you need to click subscribe and then click the link in the email sent to you afterwards. For awareness: this often goes to junk mail.)

Draft charter:


Github page:


Co-chairs: Kathleen Moriarty, Kirsty P

Next Meeting: Monday 25th March 2019, 16:10-18:10.

What is SMART?

SMART (Stopping Malware and Researching Threats) is a newly proposed Research Group in the IRTF, which aims to become the centre of expertise on attack defence for the IETF (Internet Engineering Task Force) – the organisation that designs the protocols for the Internet.

We want to:

  • Research methods to efficiently and effectively detect, mitigate, prevent or eliminate threats.
  • Guide IETF protocol development.
  • Become the authority on attack defence and prevention in the IETF/IRTF.

SMART is a forum for research and case studies to provide an understanding of attacks and the threat landscape, utilising research and expertise from industry and academia, so that when protocol design decisions are made, they are made with a better understanding of the consequences to cyber defence and attacks.

What is CARIS 2?

CARIS (Co-ordinating Attack Response at Internet Scale) is a series of workshops, sponsored by the Internet Society. The first CARIS workshop was held in June 2015 and was written up as RFC 8073.

CARIS2 was held 28 February – 1 March 2019 and brought together diverse groups on the topic of attack defence at scale. One goal of CARIS2 was to improve mutual awareness of the participating organisations, to understand their roles, and to improve communication between them. Another key outcome of the workshop was to provide input to the Internet Research Task Force (IRTF) proposed research group SMART. In conversations during the workshop, we recognised the benefits of engaging incident responders early in protocol development: so as not to be blindsided by changes, to have a better understanding of what to expect as protocols evolve, and then to have ways to develop new techniques to protect systems or detect attacks. A full write-up of CARIS2 will be available in due course.

The page for CARIS 2 is here:

What does SMART plan to do?

[From our proposed charter:] SMART will research the effects, both positive and negative, of existing, proposed and newly published protocols and Internet standards on attack defence. It will gather evidence from information security practitioners and researchers on methods used to defend against attacks and make this available to protocol designers, implementers and users. As a result, designers, implementers and users of new protocols will be better informed about the possible impact on attack prevention and mitigation. The SMART RG aims to guide IETF protocol development and become the hub of expertise on attack defence in the IETF/IRTF.

We're meeting at IETF 104 in Prague on Monday 25th March 2019.

The threat landscape is broad, and so is the research we're interested in! We want evidence-based research and case studies on a range of topics:

  • case studies of previous incidents and attacks: how they were prevented, detected, mitigated
  • best practice, e.g. use of DMARC, to prevent phishing
  • new methods for prevention, detection and mitigation – including automation
  • reports and statistics on the current threat landscape
  • how to reliably spot slow and bulk data exfiltration from a network
  • endpoint detection capabilities and limitations
  • threat detection on encrypted traffic
  • or research we are completely unaware of!

We’d like to get a mix of industry and academic engagement in SMART and the wider IETF, because of their unique views of attacks and defences.

How can I get involved?

Your involvement can range from signing up to the mailing list to submitting research papers or case studies to the group, presenting research or case studies at a SMART meeting, attending a SMART meeting (you don’t need to be a member to do so), or authoring or contributing to a draft.


SMART is bringing many new people to the IETF/IRTF meetings, so here are some pointers for those who are unfamiliar with these meetings, to get you started.

For a start: yes, this group is about cyber defence and cyber security. However, the word "cyber" is considered a buzzword in some circles at IETF, so we call it "attack defence" instead. You can see what we roughly mean by the word cyber here.

Details of the week-long IETF 104 meeting are on the IETF pages - including the agenda, how to register, the attendees list, and more. IRTF meetings are co-located with the IETF. SMART meets for two hours on Monday 25th for IETF 104, but we hope you will find other sessions that will interest you during the rest of the day. You don't need to be a member to attend the meetings.

For academics, there is a free guest pass to attend the IRTF, which is valid for one day; this includes SMART.

If you are interested in participating remotely, please find the information you need to do so here.

Last modified on Mar 13, 2019, 2:17:04 AM