Analysis and Detection of
Malicious Insiders
March 2005
Mark Maybury, The MITRE Corporation
Penny Chase, The MITRE Corporation
Brant Cheikes, The MITRE Corporation
Dick Brackney, Advanced Research and Development Activity in Information Technology
Sara Matzner, University of Texas
Tom Hetherington, University of Texas
Brad Wood, BBN Technologies
Conner Sibley, BBN Technologies
Jack Marin, BBN Technologies
Tom Longstaff, Carnegie Mellon University
Lance Spitzner, Honey Net Consortium
Jed Haile, Honey Net Consortium
John Copeland, Georgia Institute of Technology
Scott Lewandowski, MIT Lincoln Laboratory
ABSTRACT
This paper summarizes a collaborative, six-month ARDA NRRC1 challenge
workshop to characterize and create analysis methods to counter sophisticated
malicious insiders in the United States Intelligence Community. Based
upon a careful study of past and projected cases, we report a generic
model of malicious insider behaviors, distinguishing motives, (cyber
and physical) actions, and associated observables. The paper
outlines several prototype techniques developed to provide early warning
of insider activity, including novel algorithms for structured analysis
and data fusion. We report the assessment of their performance in an
operational network against three distinct classes of human insiders
(an analyst, application administrator, and system administrator), measuring
timeliness and accuracy of detection.

Additional Search Keywords
insider threat, malicious insider, information assurance, cyber indications
and warning, observables taxonomy, assets, data fusion, attack graphs,
honeypots, StealthWatch, Robert Hanssen