Stopping Malware and Researching Threats (SMART)

Mailing list:

(To subscribe, you need to click subscribe and then click the link in the email sent to you afterwards. For awareness: this often goes to junk mail.)

GitHub page: (this is often the best place to find all the drafts in one up-to-date place)

Draft charter:



Co-chairs: Kathleen Moriarty, Kirsty P

Next Meeting: IETF 105 in Montreal: Wednesday 22nd July 2019, 09:00 EDT.

What is SMART?

SMART (Stopping Malware and Researching Threats) is a newly proposed Research Group in the IRTF, which aims to become the centre of expertise on attack defence for the IETF (Internet Engineering Task Force) – the organisation that designs the protocols for the Internet.

We want to:

  • Research methods to efficiently and effectively detect, mitigate, prevent or eliminate threats.
  • Guide IETF protocol development.
  • Become the authority on attack defence and prevention in the IETF/IRTF.

SMART is a forum for research and case studies to provide an understanding of attacks and the threat landscape, utilising research and expertise from industry and academia, so that when protocol design decisions are made, they are made with a better understanding of the consequences to cyber defence and attacks.

Latest work

Our work is best demonstrated through some of our existing drafts, which can be found on our GitHub page or the IETF datatracker.


The SMART draft charter should give you a reasonable idea of what SMART aims to achieve and the kind of work you'll find going on in this research group.


CLESS attempts to establish the capabilities and limitations of endpoint-only security solutions and explore potential alternative approaches.


CLESS discusses endpoints in general terms. It has been suggested that there are classes of endpoints that have different characteristics. Those classes may have completely different threat landscapes and the endpoints may have completely different security capabilities. In support of the work on CLESS, this document provides a taxonomy of endpoints that is intended to provide a foundation for further work on CLESS and research on approaches to providing endpoint security alternatives in a diverse group of settings.


Describes open questions in supporting usable security at the UI level. The questions are split into defining a set of manageable security tasks for countering the most common attacks, and the UI elements for signalling whether an intended action is secure.


RFC 3552 introduces a threat model that does not include endpoint security. In the fifteen years since RFC 3552, security issues and cyber attacks have increased, especially on the endpoint. This document proposes a new approach to Internet cyber security protocol development that focuses on the user of the Internet, namely those who use the endpoint and are the most vulnerable to attacks.


Coordinating Attack Response at Internet Scale (CARIS) 2, sponsored by the Internet Society, took place 28 February and 1 March 2019 in Cambridge, Massachusetts, USA. Participants spanned regional, national, international, and enterprise CSIRTs, operators, service providers, network and security operators, transport operators and researchers, incident response researchers, vendors, and participants from standards communities.

This workshop continued the work started at the first CARIS workshop, with a focus for CARIS 2 on scaling incident prevention and detection as the Internet industry moves to a stronger and more ubiquitous deployment of session encryption.


RFC 3552 provides guidance to authors in crafting RFC text on Security Considerations. The RFC is more than fifteen years old. With the threat landscape and security ecosystem significantly changed since the RFC was published, RFC 3552 is a candidate for update. This draft proposes that, prior to drafting an update to RFC 3552, an examination of recent, published Security Considerations sections be carried out as a baseline for how to improve RFC 3552. It suggests a methodology for examining Security Considerations sections in published RFCs and the extraction of both quantitative and qualitative information that could inform a revision of the older guidance.

What is CARIS 2?

CARIS (Coordinating Attack Response at Internet Scale) is a series of workshops sponsored by the Internet Society. The first CARIS workshop was held in June 2015 and was written up as RFC 8073.

CARIS 2 was held 28 February – 1 March 2019 and brought together diverse groups on the topic of attack defence at scale. One goal of CARIS 2 was to improve mutual awareness of the participating organisations, to understand their roles, and to improve communication between them. Another key outcome of the workshop was to provide input to the Internet Research Task Force (IRTF) proposed research group SMART. In conversations during the workshop, we recognised the benefits of engaging incident responders early in protocol development, so as not to be blindsided by changes, to have a better understanding of what to expect as protocols evolve, and then to have ways to develop new techniques to protect systems or detect attacks. A full write-up of CARIS 2 will be available in due course.

The page for CARIS 2 is here:

What does SMART plan to do?

[From our proposed charter:] SMART will research the effects, both positive and negative, of existing, proposed and newly published protocols and Internet standards on attack defence. It will gather evidence from information security practitioners and researchers on methods used to defend against attacks and make this available to protocol designers, implementers and users. As a result, designers, implementers and users of new protocols will be better informed about the possible impact on attack prevention and mitigation. The SMART RG aims to guide IETF protocol development and become the hub of expertise on attack defence in the IETF/IRTF.

We're meeting at IETF 105 in Montreal on Wednesday 22nd July 2019.

The threat landscape is broad, and so is the research we're interested in! We want evidence-based research and case studies on a range of topics:

  • case studies of previous incidents and attacks: how they were prevented, detected, mitigated
  • best practice, e.g. use of DMARC, to prevent phishing
  • new methods for prevention, detection and mitigation – including automation
  • reports and statistics on the current threat landscape
  • how to reliably spot slow and bulk data exfiltration from a network
  • endpoint detection capabilities and limitations
  • threat detection on encrypted traffic
  • or research we are completely unaware of!

We’d like to get a mix of industry and academic engagement in SMART and the wider IETF, because of their unique views of attacks and defences.

How can I get involved?

Your involvement can vary from signing up to the mailing list, submitting research papers or case studies to the group, presenting research/case studies at a SMART meeting, attending a SMART meeting (you don’t need to be a member to do so), or authoring/contributing to a draft.


SMART is bringing many new people to the IETF/IRTF meetings, so here are some pointers for those who are unfamiliar with these meetings, to get you started.

For a start: yes, this group is about cyber defence and cyber security. However, the word "cyber" is considered a buzzword in some circles at IETF, so we call it "attack defence" instead. You can see what we roughly mean by the word cyber here.

Details of the week-long IETF 105 meeting are on the IETF pages - including the agenda, how to register, the attendees list, and more. IRTF meetings are co-located with the IETF. SMART meets for 1.5 hours on Wednesday 22nd July for IETF 105, but we hope you will find other sessions that will interest you during the rest of the day. You don't need to be a member to attend the meetings.

For academics, there is a free guest pass to attend the IRTF, which is valid for one day; this includes SMART.

If you are interested in participating remotely, please find the information you need to do so here.

Last modified on 12/07/19 15:48:51