Predictive Adaptive Classification Model for Analysis and Notification: Internal Threat
Principal Investigator: FL Greitzer
Technical Advisor: FL Greitzer, Predictive Defense Focus Area
This Laboratory-Directed Research and Development project is being conducted under the Predictive Defense focus area of PNNL's Information & Infrastructure Integrity Initiative.

Current practice in addressing the insider cyber threat is to monitor the network and individual systems in order to identify when someone is not following established policy or is abusing their authorized level of access in a way that is harmful to the organization. This involves the use of tools such as firewall logs or IDS systems on networks or host systems, which produce records of activity that are reviewed later. Thus, current practice is reactive (post-hoc). A major research challenge is to effectively reduce the time between defection and detection, even to the point where detection of "threat indicators" can help to predict such exploits before they are completed.

Major accomplishments include a review of prior research and practice in insider threat detection tool development (establishing the technical/scientific basis for the work) and development of a conceptual design for the envisioned predictive/adaptive functions of the model, illustrated in the diagram below, which shows the processing of incoming sensor data to infer observations, the processing of observations to infer indicators, and the analysis of indicators to gauge the extent of the threat (malicious behaviors). The research also described threat indicators that address cyber and social/organizational factors as precursors to malicious exploits. Current focus is on implementing selected classification algorithms and reasoning components of the predictive model.
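The three-stage inference chain described above (sensor data to observations, observations to indicators, indicators to a threat level), as an added illustration that is not the project's own code: the sensor records, the after-hours window and transfer threshold, the indicator rules and the weights are all constructed assumptions chosen to show the flow, not values from the research.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sensor records (not from the page): (timestamp, user, event, bytes).
SENSOR_DATA = [
    ("2024-01-15T02:13:00", "alice", "login", 0),
    ("2024-01-15T02:20:00", "alice", "outbound", 2_500_000_000),
    ("2024-01-15T02:25:00", "alice", "usb_mount", 0),
    ("2024-01-15T10:02:00", "bob", "login", 0),
    ("2024-01-15T10:10:00", "bob", "access_denied", 0),
    ("2024-01-15T10:11:00", "bob", "access_denied", 0),
    ("2024-01-15T11:45:00", "carol", "access_denied", 0),
]

# Stage 1: raw sensor records -> per-user observations (facts, no judgement yet).
# The 07:00-19:00 working window and the 1 GB transfer threshold are assumed policy values.
def infer_observations(records):
    obs = defaultdict(list)
    for ts, user, event, nbytes in records:
        hour = datetime.fromisoformat(ts).hour
        if event == "login" and not 7 <= hour < 19:
            obs[user].append("after_hours_login")
        elif event == "outbound" and nbytes > 1_000_000_000:
            obs[user].append("large_outbound_transfer")
        elif event in ("usb_mount", "access_denied"):
            obs[user].append(event)
    return dict(obs)

# Stage 2: observations -> indicators (combinations that act as precursors).
def infer_indicators(observations):
    seen, ind = set(observations), set()
    if {"after_hours_login", "large_outbound_transfer"} <= seen:
        ind.add("exfiltration_pattern")
    if {"usb_mount", "large_outbound_transfer"} <= seen:
        ind.add("staging_pattern")
    if observations.count("access_denied") >= 2:
        ind.add("repeated_policy_violation")
    return ind

# Stage 3: indicators -> threat level. Weights and cut-offs are assumed, not the project's.
WEIGHTS = {"exfiltration_pattern": 0.6, "staging_pattern": 0.3, "repeated_policy_violation": 0.2}
def assess(records):
    result = {}
    for user, observations in infer_observations(records).items():
        ind = infer_indicators(observations)
        score = round(min(1.0, sum(WEIGHTS[i] for i in ind)), 2)
        level = "high" if score >= 0.6 else "medium" if score >= 0.2 else "low"
        result[user] = (level, score, sorted(ind))
    return result
```

Each stage is a separate function so that the observation rules can be tuned against new sensors without touching the indicator logic, and an analyst reviewing an alert can see which observations produced which indicator.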