DARPA takes aim at insider threats

Military researchers want protection from insider threats to important data

Looking to protect its massive networks from myriad insider security threats, the Defense Advanced Research Projects Agency rolled out a project that would let security personnel quickly detect and stop network insiders stealing or distributing military or government information.

Disgruntled insiders, working from within an organization, are a principal source of computer crimes. Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a victim system often lets them gain unrestricted access to cause damage to the system or to steal system data, a recent Government Accountability Office report found.

The program the agency is now interested in developing is known as the Cyber Insider Threat (CINDER) program, and it looks to bring what DARPA calls novel approaches to detecting ongoing activities conducted in support of adversary goals within government and military interest systems and networks. The goal of CINDER will be to greatly increase the accuracy, rate and speed with which insider threats are detected, and to impede the ability of adversaries to operate undetected within government and military interest networks, DARPA stated.

"CINDER starts with the premise that most systems and networks have already been compromised by various types and classes of adversaries. These adversaries are already engaged in what appear to be legitimate activities, while actually supporting adversary missions. Thus, this program does not focus on intrusion prevention but instead seeks to identify ongoing missions at various points in their lifecycles with extremely high confidence and without false alarms," DARPA stated.

A few of the goals of CINDER include:

  • The development of scalable algorithms, data input sources, and dimensional components of missions.
  • The ability to identify the redundancies that exist in the approach, to correct false negatives and reduce false positives.
  • The necessity to define how much of a reduction in throughput/capabilities the adversary would have to accept to perform their mission undetected with the proposed mission detection in place (.01%; .001%; .0001%; .0000001%?).

CINDER is just the latest DARPA project that looks to eradicate the insider threat. In May the agency issued a call for automated technologies that can sniff out, and alert security personnel to, people with access to sensitive information and information systems who may be looking to maliciously damage, steal or change data or programs.

DARPA stated the first step in meeting this challenge is to create a scalable, distributed infrastructure to securely collect, store, access, process, and correlate relevant data from heterogeneous sources over extended periods of time. The next step is to determine whether an individual or group of individuals is exhibiting anomalous behavior that is also malicious.

DARPA said that such analysis is very heavily dependent on the context of the individual, the groups of individuals and any data involved. Part of the challenge is detecting deceptive behavior. Deceptive behavior is characteristic of malicious intent, which leads to the problem of assigning intent to observed behaviors.

The new systems could utilize forensic-like techniques that can be used to find clues, gather and evaluate evidence and combine them deductively. Many attacks are combinations of directly observable and inferred events.

What DARPA will be looking for are techniques to "derive information about the relationship between deductions, the likely intent of inferred actions, and suggestions about what evidence might mean and dynamically forecast context-dependent behaviors both malicious and non-malicious. Also of interest are on-line and off-line algorithms for feature extraction and detection in billions of nodes as well as hybrid engines where deduction and feature detection mutually inform one another."
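As an added illustration of the hybrid engine described above, in which feature detection over directly observable events and deduction inform one another, the following Python sketch is not DARPA's or any CINDER performer's code; the event kinds, per-user baselines and thresholds are constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample events (user, kind, detail), in time order. Not real data.
EVENTS = [
    ("alice", "login", "08:55"), ("alice", "file_read", "plan.docx"),
    ("carol", "login", "09:10"),
    *[("carol", "file_read", f"spec{i}.pdf") for i in range(8)],   # bulk, benign context
    ("bob", "login", "23:10"),
    *[("bob", "file_read", f"roster{i}.xlsx") for i in range(7)],
    ("bob", "usb_write", "roster1.xlsx"), ("bob", "usb_write", "roster4.xlsx"),
]
BASELINE_READS = {"alice": 3, "carol": 2, "bob": 2}  # constructed per-user daily norm

def feature_detect(events, baseline, factor=3):
    """Feature extraction over directly observable events: flag users whose
    file-read count exceeds factor times their baseline. On its own this is
    noisy, so its output is treated as an inferred event, not a verdict."""
    counts = defaultdict(int)
    for user, kind, _ in events:
        if kind == "file_read":
            counts[user] += 1
    return {u for u, c in counts.items() if c > factor * baseline.get(u, 1)}

def deduce_missions(events, baseline):
    """Deductive layer: combine the inferred 'anomalous volume' event with
    observed context (off-hours login, removable-media write of a file the
    same user read) into a mission hypothesis. Requiring all three pieces of
    evidence is what suppresses the false positive on the bulk-but-benign user."""
    bulk = feature_detect(events, baseline)
    reads, staged, off_hours = defaultdict(set), defaultdict(set), set()
    for user, kind, detail in events:
        if kind == "login" and not 7 <= int(detail.split(":")[0]) < 20:
            off_hours.add(user)
        elif kind == "file_read":
            reads[user].add(detail)
        elif kind == "usb_write" and detail in reads[user]:
            staged[user].add(detail)
    findings = {}
    for user in bulk:
        evidence = ["anomalous read volume (inferred)"]
        if user in off_hours:
            evidence.append("off-hours login (observed)")
        if staged[user]:
            evidence.append("read files written to removable media (observed)")
        if len(evidence) == 3:
            findings[user] = evidence
    return findings

if __name__ == "__main__":
    for user, why in deduce_missions(EVENTS, BASELINE_READS).items():
        print(user, "->", "; ".join(why))
```

Run as a script it reports only bob; carol trips the volume feature but lacks the corroborating observed events, which is the false-positive reduction the program goals call for.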

These aren't DARPA's first forays into the dark underbelly of computing. Earlier this year it announced the $43 million Cyber Genome Program, which it hopes will develop technologies that help law enforcement types collect, analyze and identify all manner of digital artifacts.

Follow Michael Cooney on Twitter: nwwlayer8   
