Skip to Main Content U.S. Department of Energy
Information and Infrastructure Integrity Initiative

Predictive Adaptive Classification Model for Analysis and Notification: Internal Threat

Principal Investigator: FL Greitzer
Technical Advisor: FL Greitzer, Predictive Defense Focus Area

Purpose of the research

  • Define framework for a predictive/adaptive insider threat detection model
  • Develop/test proof-of-concept algorithms for components of the model

Key idea

Prediction vs. Forensics – Innovative methods for modeling and analysis of historical/current system data to predict possible malicious exploits


Incorporation of organizational (non-cyber) data to enhance predictive capability and extend time horizon for proactive defense/mitigation


The "insider" is an individual currently or at one time authorized to access an organization's information system, data, or network; such authorization implies a degree of trust in the individual. The insider threat refers to harmful acts that trusted insiders might carry out; for example, something that causes harm to the organization, or an unauthorized act that benefits the individual.

The insider threat is manifested when human behavior departs from compliance with established policies, regardless of whether it results from malice or a disregard for security policies. The types of crimes and abuse associated with insider threats are significant; the most serious include espionage, sabotage, terrorism, embezzlement, extortion, bribery, and corruption. Malicious activities include an even broader range of exploits, such as copyright violations, negligent use of classified data, fraud, unauthorized access to sensitive information, and illicit communications with unauthorized recipients.

Insider attacks were recognized by SANS Institute as 5th most serious security menaces for 2008. Surveys, such as the E-Crime Watch Survey (PDF), reveal that current or former employees and contractors are the second greatest cybersecurity threat, exceeded only by hackers, and that the number of security incidents has increased geometrically in recent years. A 1997 DoD Inspector General report1 found that 87 percent of identified intruders into DoD information systems were either employees or others internal to the organization. More generally, recent studies of cybercrime (such as the E-Crime Watch Surveys of 2004, 2005, and 2006) in both government and commercial sectors reveal that while the proportion of insider events is declining (31% in 2004 and 27% in 2006), the financial impact and operating losses due to insider intrusions are increasing and of those companies experiencing security events, the majority (55%) report at least one insider event (up from 39% in 2005).

Learn more about Predictive Adaptive Classification Model for Analysis and Notification: Internal Threat. See a video clip about combatting the insider threat using PNNL's advanced reasoning system for enhanced decision making.

Project Management