DARPA looking for automated insider threat spotter

Published 19 May 2010

The U.S. National Counterintelligence Strategy asserts that “Trusted insiders … are targeting the US information infrastructure for exploitation, disruption, and potential destruction”; DARPA, the Pentagon research arm, is soliciting ideas for technology which will automatically spot — and eliminate — insider threats to U.S. information infrastructure.

DARPA, the U.S. military research arm, announced earlier this week that it was pursuing yet another intriguing, push-the-envelope scheme. The agency is now soliciting ideas for some kind of automated technology able to spot “increasingly sophisticated malicious insider behavior.”

Lewis Page writes that the U.S. National Counterintelligence Strategy asserts that “Trusted insiders … are targeting the US information infrastructure for exploitation, disruption, and potential destruction.” DARPA wants to tackle the problem with a new project called Suspected Malicious Insider Threat Elimination (SMITE). The agency states: “We define insider threat as malevolent (or possibly inadvertent) actions by an already trusted person with access to sensitive information and information systems and sources.”

Unspecified technology is to be developed to spot and root out those who pose a threat to U.S. information infrastructure from within. The DARPA IT directors do not offer any details on how this is to be done, but they offer some general ideas:

Security is often difficult because the defenses must be perfect, while the attacker needs to find only one flaw. An emphasis on forensics could reverse the burden by requiring the attacker and his tools to be perfect, while the defender needs only a few clues to recognize an intrusion is underway.

Topics of interest include … suggestions about what evidence might mean and [ways to] forecast context-dependent behaviors both malicious and non-malicious.

Also of interest are on-line and off-line algorithms for feature extraction and detection in enormous graphs (as in billions of nodes) as well as hybrid engines where deduction and feature detection mutually inform one another.

Page notes that DARPA’s futuristic research projects, because of their futuristic nature, do not always yield results, or if they do, they may mutate into something different from what their creators intended.