Included data shall not be disclosed outside the Government or outside this context and shall not be duplicated, used or disclosed in-whole or in-part for anypurpose. Disclosure of this information is made subject to 35 USC 205 and individuals are subject to 18 USC 1905 against further disclosure.
Cyberspace Sciences & InformationIntelligence Research (CSIIR) Group
Computational Sciences andEngineering Division
HIT-IT Heuristic Identification & Tracking of Insider Threat
POCs: Frederick T. Sheldon Ph.D., 865-576-1339 [email protected] K. Abercrombie, Ph.D., 865-241-6537 [email protected]
• Problem– Insider sourced espionage, sabotage, and fraud
are the number one cyber threat.• Cost estimates US $250B/yr resulting from mods
of data, security mechs, unauth NW connections,covert channels, physical damage/ destructionincluding information extrusion/ exfiltration.
• Technical Approach– Identify and model characteristic activities and
relationships among cyber assets and players– Multi-level sensing monitors and profiles
host/user, network and enclave behaviors– Uses Times Series, Bayesian and Hidden
Markov models of dependency relationships(e.g., spoofing) combined with supervisedlearning algorithms (e.g., SVMs)• Refined by threat behavior assessments for
converging to more efficient/effective hierarchicaland discrete event models
• Benefit– Comprehensive list of monitored threat
behavior attributes supports insider profiling,deterrence and prevention
– Role-based access control facilitates anextensible array of host and network-basedsensor capabilities
