Analysis and Detection of Malicious Insiders

This paper summarizes a collaborative, six-month ARDA NRRC[1] challenge workshop to characterize and create analysis methods to counter sophisticated malicious insiders in the United States Intelligence Community. Based upon a careful study of past and projected cases, we report a generic model of malicious insider behaviors, distinguishing motives, (cyber and physical) actions, and associated observables. The paper outlines several prototype techniques developed to provide early warning of insider activity, including novel algorithms for structured analysis and data fusion. We report the assessment of their performance in an operational network against three distinct classes of human insiders (an analyst, an application administrator, and a system administrator), measuring the timeliness and accuracy of detection.

[1] This effort was performed at The MITRE Corporation at the Northeast Regional Research Center (NRRC), which is sponsored by the Advanced Research and Development Activity in Information Technology (ARDA), a U.S. Government entity that sponsors and promotes research of import to the Intelligence Community, which includes but is not limited to the CIA, DIA, NSA, NGA, and NRO.
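The abstract names the ingredients of an early-warning detector without showing how they fit together: observables derived from actions, role-aware fusion into a per-user score, and an evaluation that reports both accuracy and timeliness. The following block is an added example, not code from the paper or from the MITRE/ARDA workshop. It fuses a handful of assumed observables over a small constructed audit-event stream for the same three roles the paper evaluates (analyst, application administrator, system administrator), then scores the alerts against constructed ground truth. The observables, weights, decay, threshold and all event data are illustrative assumptions, not the paper's model or its measured results.

```python
"""Toy insider-activity scorer and evaluation harness (added example).

Fuses per-event observables into a decaying running score per user, alerts
when the score crosses a threshold, and measures accuracy (precision/recall
over events) and timeliness (events from a user's first insider action to
the first alert on that user). Everything below is an assumption made for
illustration; none of it is the paper's model, data or results.
"""
from collections import defaultdict

# Constructed audit events: (t, user, role, action, detail). Not real data.
EVENTS = [
    (1, "alice", "analyst",  "query",         {"hour": 10, "rows": 40}),
    (2, "bob",   "appadmin", "config_change", {"hour": 11, "approved": True}),
    (3, "carol", "sysadmin", "sudo",          {"hour": 9,  "target": "own_host"}),
    (4, "alice", "analyst",  "query",         {"hour": 2,  "rows": 5000}),   # off-hours, bulk
    (5, "alice", "analyst",  "export",        {"hour": 2,  "rows": 5000}),   # off-hours bulk export
    (6, "bob",   "appadmin", "config_change", {"hour": 14, "approved": True}),
    (7, "carol", "sysadmin", "sudo",          {"hour": 3,  "target": "other_host"}),
    (8, "carol", "sysadmin", "log_clear",     {"hour": 3,  "target": "other_host"}),
    (9, "alice", "analyst",  "query",         {"hour": 11, "rows": 30}),
]

# Constructed ground truth: event times that are labelled insider actions.
INSIDER_EVENT_TIMES = {4, 5, 7, 8}

# Assumed observables: each maps an event to a 0/1 indicator of one cyber action.
def off_hours(e):    return 0 if 7 <= e[4]["hour"] <= 19 else 1
def bulk_rows(e):    return 1 if e[4].get("rows", 0) >= 1000 else 0
def unapproved(e):   return 1 if e[3] == "config_change" and not e[4].get("approved", True) else 0
def foreign_host(e): return 1 if e[4].get("target") == "other_host" else 0
def log_tamper(e):   return 1 if e[3] == "log_clear" else 0

OBSERVABLES = [off_hours, bulk_rows, unapproved, foreign_host, log_tamper]

# Assumed role-specific weights: what is routine for one role is anomalous for another
# (a sysadmin working off-hours is less surprising than an analyst exporting 5000 rows at 2am).
WEIGHTS = {
    "analyst":  [1.0, 2.0, 1.0, 1.0, 3.0],
    "appadmin": [0.5, 0.5, 3.0, 1.0, 3.0],
    "sysadmin": [0.5, 0.5, 1.0, 2.0, 3.0],
}
DECAY = 0.5       # assumed per-event decay of a user's running score
THRESHOLD = 3.0   # assumed alert threshold on the running score


def fuse(events):
    """Weighted fusion with decay. Returns [(t, user, score, alerted), ...] in event order."""
    scores = defaultdict(float)
    out = []
    for e in events:
        t, user, role = e[0], e[1], e[2]
        contrib = sum(w * f(e) for w, f in zip(WEIGHTS[role], OBSERVABLES))
        scores[user] = scores[user] * DECAY + contrib
        out.append((t, user, scores[user], scores[user] >= THRESHOLD))
    return out


def evaluate(results, insider_times):
    """Event-level precision/recall plus per-user alert delay (None = never alerted)."""
    alerted = {t for t, _, _, a in results if a}
    tp, fp, fn = len(alerted & insider_times), len(alerted - insider_times), len(insider_times - alerted)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    first_insider, first_alert = {}, {}
    for t, user, _, a in results:
        if t in insider_times:
            first_insider.setdefault(user, t)
        # Timeliness counts only alerts at or after the user's first insider action.
        if a and user in first_insider:
            first_alert.setdefault(user, t)
    delay = {u: (first_alert[u] - first_insider[u]) if u in first_alert else None
             for u in first_insider}
    return {"precision": precision, "recall": recall, "alert_delay": delay}


if __name__ == "__main__":
    res = fuse(EVENTS)
    for t, user, score, alerted in res:
        print(f"t={t} {user:6s} score={score:.2f} {'ALERT' if alerted else ''}")
    print(evaluate(res, INSIDER_EVENT_TIMES))
```

On this constructed stream the analyst is flagged on her first insider action (delay 0) while the system administrator's first off-hours `sudo` to another host stays below threshold and is only caught one event later when the log-clearing action fuses with it, which is the kind of timeliness-versus-accuracy trade-off the paper reports measuring. Raising the sysadmin `foreign_host` weight would catch event 7 at the cost of more false alarms on legitimate cross-host administration.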