DARPA expands insider threat research

DARPA brings Raytheon software into network anomaly research program

The ability to detect insider threats and behaviors from a plethora of live data is the goal of an ambitious research program being undertaken by the military's Defense Advanced Research Projects Agency (DARPA).

Last week DARPA took a big step toward realizing the potential of the program it calls Anomaly Detection at Multiple Scales (ADAMS) by picking Raytheon to help develop it further.


According to Raytheon, in order to build algorithms to better detect anomalous behaviors, the ADAMS project will use data collected by Raytheon's SureView endpoint audit and investigation software. Among other features, Raytheon says "SureView monitors offline mobile laptops and detects threats usually hidden by encrypted traffic or files. The policy platform pulls it all together and displays all enterprise activity on a dashboard."

"The specific goal of ADAMS researchers is to detect anomalous behaviors shortly after a trusted insider 'turns' and begins committing malicious acts. Unlike previous insider threat research programs that were limited in size and scope, ADAMS will leverage massive data sets from large computer end-user populations observed in live, operational environments," Raytheon stated.

In talking about its ADAMS project, DARPA cited the November 2009 attack by Major Nidal Hasan, an Army psychiatrist, on soldiers at the Soldier Readiness Center at Fort Hood, Texas. Thirteen people were killed and 43 others were wounded or injured.

From DARPA: "The problem ADAMS would address in this instance is that of detecting anomalies in Major Hasan's alleged behavior in time to alert the proper authorities who could intervene before the fact. This problem is particularly difficult because of the staggering amounts of data that must be analyzed. For example, there are about 65,000 personnel at Fort Hood. Under a few simple assumptions, we can show that the data collected for one year would result in a graph containing roughly 4,680,000,000 links between 14,950,000 nodes. There are currently no established techniques for detecting anomalies in data sets of this size at acceptable false positive rates."
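The two problems Raytheon and DARPA describe above, catching a trusted user shortly after they "turn" and doing so at a false positive rate a 65,000-person population can tolerate, are illustrated by the following added example. It is not code from the article, from ADAMS or from SureView; it assumes a hypothetical daily-aggregated endpoint audit feed (one row per user per day with three activity counters), and the sample rows, user names and thresholds are constructed for the illustration.

```python
from statistics import median

# Constructed sample of daily-aggregated endpoint audit records (hypothetical feed):
# (user, day_index, files_read, removable_media_writes, after_hours_logins).
# "alice" is steady throughout; "bob" looks normal for ten days and then, on
# day 11, starts bulk-copying files to removable media outside working hours.
SAMPLE_ROWS = [
    ("alice", 1, 40, 0, 0), ("alice", 2, 38, 0, 0), ("alice", 3, 45, 1, 0),
    ("alice", 4, 42, 0, 0), ("alice", 5, 39, 0, 1), ("alice", 6, 44, 0, 0),
    ("alice", 7, 41, 1, 0), ("alice", 8, 43, 0, 0), ("alice", 9, 40, 0, 0),
    ("alice", 10, 46, 0, 0), ("alice", 11, 42, 0, 0), ("alice", 12, 39, 1, 0),
    ("bob", 1, 60, 1, 0), ("bob", 2, 55, 0, 1), ("bob", 3, 63, 1, 0),
    ("bob", 4, 58, 0, 0), ("bob", 5, 61, 1, 0), ("bob", 6, 57, 0, 1),
    ("bob", 7, 62, 1, 0), ("bob", 8, 59, 0, 0), ("bob", 9, 64, 1, 0),
    ("bob", 10, 56, 0, 0), ("bob", 11, 410, 37, 3), ("bob", 12, 380, 29, 4),
]
FEATURES = ("files_read", "removable_media_writes", "after_hours_logins")
MAD_TO_SIGMA = 1.4826  # scales a median absolute deviation to a normal sigma
MIN_SCALE = 1.0        # floor so an all-zero baseline (MAD == 0) is never divided by


def _features(row):
    """Map a sample row onto named feature values."""
    return dict(zip(FEATURES, row[2:]))


def build_baselines(rows, training_days):
    """Per-user robust baseline (median, scale) per feature from the first
    `training_days` days. The baseline is frozen afterwards so a user's own
    post-"turn" activity cannot quietly normalise itself; a real deployment
    would use a rolling window that lags the day being scored."""
    history = {}
    for row in rows:
        user, day = row[0], row[1]
        if day <= training_days:
            for name, value in _features(row).items():
                history.setdefault(user, {}).setdefault(name, []).append(value)
    baselines = {}
    for user, per_feature in history.items():
        baselines[user] = {}
        for name, values in per_feature.items():
            centre = median(values)
            mad = median(abs(v - centre) for v in values)
            baselines[user][name] = (centre, max(MAD_TO_SIGMA * mad, MIN_SCALE))
    return baselines


def robust_z(value, baseline):
    """Median/MAD analogue of a z-score; resistant to a few odd training days."""
    centre, scale = baseline
    return (value - centre) / scale


def detect(rows, training_days=10, threshold=5.0):
    """Score every post-training day against its user's baseline and return
    (user, day, {feature: z}) for days where some feature exceeds threshold."""
    baselines = build_baselines(rows, training_days)
    alerts = []
    for row in rows:
        user, day = row[0], row[1]
        if day <= training_days or user not in baselines:
            continue
        scores = {name: robust_z(value, baselines[user][name])
                  for name, value in _features(row).items()}
        flagged = {name: round(z, 1) for name, z in scores.items() if abs(z) >= threshold}
        if flagged:
            alerts.append((user, day, flagged))
    return alerts


def expected_false_alarms_per_day(population, per_user_daily_fpr):
    """Base-rate arithmetic behind DARPA's 'acceptable false positive rate' remark:
    a per-user-day false positive rate is multiplied by every user, every day."""
    return population * per_user_daily_fpr


def fpr_for_alert_budget(population, false_alarms_per_day):
    """Per-user-day false positive rate that keeps false alarms within budget."""
    return false_alarms_per_day / population


if __name__ == "__main__":
    for user, day, flagged in detect(SAMPLE_ROWS):
        print(f"ALERT {user} day {day}: {flagged}")
    print("false alarms/day at 0.1% per-user FPR over 65,000 staff:",
          expected_false_alarms_per_day(65_000, 0.001))
    print("per-user FPR needed for one false alarm/day:",
          fpr_for_alert_budget(65_000, 1))
```

On the constructed rows only bob's days 11 and 12 fire, on the file-read and removable-media features; his three after-hours logins on day 11 stay under the threshold because, with a baseline of almost all zeros, the floor on the scale keeps that feature from alerting on a single unusual evening. The last two functions show why DARPA's scale remark matters: a per-user daily false positive rate of 0.1 percent, which looks tight for one user, is 65 false alarms a day across Fort Hood, and holding the analysts to one false alarm a day requires a rate of roughly 1.5e-5.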

According to DARPA: "We collect massive amounts of data that we use to analyze disasters - after they have occurred. However, in too many of those areas we do not have the technology to use the data proactively in order to see problems in the making. In such cases, we are severely limited to using the data reactively or forensically to investigate an event after the fact or address specific concerns derived from haphazard human observation. ADAMS aims to rectify this situation by developing technology for the automated support of proactive use of the massive data sets being collected."

The ADAMS project isn't the only insider threat research DARPA has ongoing. Last August it rolled out a development project with the goal to let security personnel quickly detect and stop network insiders stealing or distributing military or government information. Known as the Cyber Insider Threat (CINDER) program, it looks to bring what DARPA calls novel approaches to detect ongoing activities conducted in support of adversary goals within government and military interest systems and networks. The goal of CINDER will be to greatly increase the accuracy, rate and speed with which insider threats are detected and impede the ability of adversaries to operate undetected within government and military interest networks, DARPA stated.

"CINDER starts with the premise that most systems and networks have already been compromised by various types and classes of adversaries. These adversaries are already engaged in what appear to be legitimate activities, while actually supporting adversary missions. Thus, this program does not focus on intrusion prevention but instead seeks to identify ongoing missions at various points in their lifecycles with extremely high confidence and without false alarms," DARPA stated.

Follow Michael Cooney on Twitter: nwwlayer8


Copyright © 2011 IDG Communications, Inc.