Internet Tomography/Topography
Background
An insider threat can be defined as the potential for an authorized user of an information system to intentionally or unintentionally cause harm to that information system. Harmful acts include the undesirable modification, disclosure, or denial of service to the information system and any of its components (i.e., hardware, software, networks, applications, services, or data). Within the information technology (IT) environment, an organization can have both implicit and explicit security policies. In this environment, an insider threat can be more narrowly defined as the potential violation of system security policy by an authorized user. To address the insider threat, a major Federal capability gap, more advanced methods of document control and management are being developed.
Technology Implementation
Through this project, the Cyber Security Research and Development (CSRD) Program within the U.S. Department of Homeland Security is seeking more advanced methods of document control and management, which provide users with an unalterable account of document access and dissemination. In addition, research and development is being conducted to create solutions that prevent document tampering and maintain the integrity of the information, associated sensitivity labels, and any dissemination controls in the document.
In partnership with the Science and Technology Directorate, Washington State University is developing a Graph-Based Anomaly Detection (GBAD) system. The goal of GBAD is to analyze the structure of actions taken during the course of various IT activities, such as document control and management systems; to learn normative patterns of activity; to detect small deviations from the normal pattern; and to present anomalies to analysts including the entire framework of events surrounding nefarious activities.
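The GBAD approach described above, reduced to an illustrative example that is added here and is not the project's own code: sessions from a document control system are modelled as small labelled graphs, the most common graph is taken as the normative pattern, and sessions that differ from it by only a few edges are reported to the analyst together with their full event set. The session data, edge labels and the edit threshold are constructed assumptions, not GBAD's actual algorithm or data.

```python
from collections import Counter

# Constructed sample sessions (not real data). Each session is a small directed
# graph of labelled edges (source, relation, target) as a document management
# system might record them. The normal flow is: open, view, close.
NORMAL = [("user", "opens", "doc"), ("user", "views", "doc"), ("user", "closes", "doc")]
SESSIONS = {
    "s1": NORMAL,
    "s2": NORMAL,
    "s3": NORMAL,
    # one extra edge: the document is also copied to removable media
    "s4": NORMAL + [("doc", "copied_to", "usb")],
    # one edge swapped: the document is printed rather than viewed
    "s5": [("user", "opens", "doc"), ("user", "prints", "doc"), ("user", "closes", "doc")],
    # structurally unrelated: a different kind of activity, not a small deviation
    "s6": [("user", "login_failed", "server")],
}

def learn_normative(sessions):
    """The normative pattern is the edge set shared by the largest number of sessions."""
    counts = Counter(frozenset(edges) for edges in sessions.values())
    pattern, _ = counts.most_common(1)[0]
    return pattern

def deviation(pattern, edges):
    """Crude graph edit distance: edges present in only one of the two graphs."""
    return len(pattern ^ frozenset(edges))

def find_anomalies(sessions, max_edits=2):
    """Flag sessions that differ from the normative pattern by a few edits only.
    Large deviations are treated as a different activity type, not an anomaly.
    Each hit carries the differing edges and the complete event set for the analyst."""
    pattern = learn_normative(sessions)
    anomalies = {}
    for name, edges in sessions.items():
        edits = deviation(pattern, edges)
        if 0 < edits <= max_edits:
            anomalies[name] = {
                "edits": edits,
                "diff": sorted(pattern ^ frozenset(edges)),
                "events": list(edges),
            }
    return anomalies

if __name__ == "__main__":
    for name, hit in find_anomalies(SESSIONS).items():
        print(name, hit["edits"], hit["diff"])
```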
In addition, the ITT Corporation is working on a document-based management technology that provides security for network content. Unmanaged network content is neither secured nor tracked, so insiders can potentially read and edit it without any access control or accountability. ITT's technology will provide policy-based access to documents, application features, and marked content; cradle-to-grave tracking of a user's interaction with the document; and the use of certificates, usernames, and passwords to facilitate authentication and encryption.
Significant Impact
Advanced insider threat detection technologies will provide both the government and private industry with the capability to secure sensitive information. The government will have greater control of critical infrastructure information, and the private sector will be able to better monitor valuable and highly sensitive proprietary information as well as the flow of and access to electronic funds.