Darpa Wants Code to Spot ‘Anomalous Behavior’ on the Job

Saturday, May 22, 2010
By Paul Martin

By Noah Shachtman
Wired.com
May 20, 2010

Can software catch a cyberspy’s tricky intentions, before he’s started to help the other side? The way-out researchers at Darpa think so. They’re planning a new program, “Suspected Malicious Insider Threat Elimination” or SMITE, that’s supposed to “dynamically forecast” when a mole is about to strike. Also, the code is meant to flag “inadvertent” disclosures “by an already trusted person with access to sensitive information.”

“Looking for clues” that suggest a turncoat or accidental leaker is about to spill (.pdf) “could potentially be easier than recognizing explicit attacks,” Darpa notes in a request for information. But even that simpler search won’t be easy. “Many attacks are combinations of directly observable and inferred events.” Which is why SMITE’s program managers are interested in techniques to figure out “the likely intent of inferred actions, and suggestions about what [that] evidence might mean.” That goes for “behaviors both malicious and non-malicious.”

Step one in starting that process: Build a ginormous database to store all kinds of information on would-be threats. “The next step is to determine whether an individual or group of individuals is exhibiting anomalous behavior that is also malicious.” That’s a toughie — something anomalous in one context might be perfectly normal in another. One possible solution, the SMITE paper adds, could be detecting “deceptive” activities, which are a sign of cyberspying. Or cheating on your taxes. Or carrying on an office affair. Or playing World of Warcraft on the job. Depending on the situation.
