Human Behavior, Insider Threat, and Awareness Project


THE CHALLENGE

 

Even as tools and technologies are being improved to protect critical national infrastructures against external attack, malicious insiders, intent on damaging an organization or turning a profit, remain a pervasive and challenging problem. In an insider attack, the attacker uses legitimate rights and privileges for inappropriate reasons. Such attacks are difficult to detect and defend against: insiders exist at all levels of an organization; broad internet connectivity enables anyone to be a potential “insider”; technologies enforcing useful access rights either do not exist or are difficult to use; and insiders often do only small, hard-to-detect amounts of damage at a time.

PROJECT OVERVIEW

 

The Human Behavior, Insider Threat, and Awareness research project, supported by the Institute for Information Infrastructure Protection (I3P), brings together cross-disciplinary researchers at leading national facilities to develop a scalable infrastructure for detecting, monitoring, and preventing insider attacks with due regard for the ethical, legal, and economic needs of users and organizations. Much of the science for understanding insider threats is still immature, with results difficult to measure. This research project will provide a foundation both for understanding insider threats and for developing methods to protect critical infrastructures against insider attacks:

  • Early prototypes of new approaches will be available for demonstration and use.
  • New insights into enterprise best practice will inform training programs that might reshape the ways that employees think about their actions.
  • Industry and government stakeholders will have a role in making project solutions useful in their real-world settings.

WHAT MAKES THIS PROJECT UNIQUE?

 

Most platforms for detecting insider threats monitor network traffic for signs of unusual behavior. However, centralized monitoring systems capable of detecting subtle inside attacks will clog a large enterprise’s network. This project will produce a scalable, decentralized platform for event monitoring and filtering, balancing its use with the legal, economic, ethical and technical concerns about detection, mitigation and prevention techniques. Project team members will study ways to use incentives to discourage inappropriate behavior. Project “capture the flag” and honeypot exercises will be used to test hypotheses and develop behavioral descriptions of suspicious, inappropriate, or illegitimate events and activities. Privacy preservation mechanisms will be used when alerts are generated by the underlying monitoring system to establish sufficient corroborating evidence before revealing identity information. These mechanisms will avoid false positives: mistakenly claiming malfeasance about someone who did nothing wrong.

PROJECT GOALS


  • Categorize and differentiate kinds of insider attack and motivation: abuse of privileges, gathering of inappropriate information, sabotage, etc.
  • Address the ethical, legal, and privacy concerns about monitoring for insider threats.
  • Measure the impact of insider threats and of actions taken to address them.
  • Identify methods for distinguishing harmful and malicious from normal online behavior.
  • Build threat models from real-world data supplied by industry partners.
  • Model malicious insiders’ strategies and explore the incentive mechanisms to mitigate their threats.
  • Construct monitoring and filtering software that delivers high performance, even on large networks.
  • Support business decisions about insider threats and mitigation strategies.
  • Forecast the potential evolution of insider threats.

RESEARCH APPROACH

Project activities are of two types:

 

  • By exploring technology, the team will develop a lightweight, robust, and scalable event-processing infrastructure that can be deployed in a range of organizations.
  • By defining environmental constraints, researchers will develop a methodological framework for handling insider behaviors and understanding the ethical, legal and policy choices available to technologists and policymakers.

 

TEAM MEMBER




FOR MORE INFORMATION

Project Leader: Shari Lawrence Pfleeger, (703)413-1100 x5525
I3P Associate Director for Research: (603) 646-0692




The I3P is managed by Dartmouth College.
Copyright © 2007, the Trustees of Dartmouth College. All rights reserved.