Darpa Wants Code to Spot ‘Anomalous Behavior’ on the Job
By Noah Shachtman
May 20, 2010
Can software catch a cyberspy’s tricky intentions, before he’s started to help the other side? The way-out researchers at Darpa think so. They’re planning a new program, “Suspected Malicious Insider Threat Elimination” or SMITE, that’s supposed to “dynamically forecast” when a mole is about to strike. Also, the code is meant to flag “inadvertent” disclosures “by an already trusted person with access to sensitive information.”
“Looking for clues” that suggest a turncoat or accidental leaker is about to spill “could potentially be easier than recognizing explicit attacks,” Darpa notes in a request for information. But even that simpler search won’t be easy. “Many attacks are combinations of directly observable and inferred events.” Which is why SMITE’s program managers are interested in techniques to figure out “the likely intent of inferred actions, and suggestions about what [that] evidence might mean.” That goes for “behaviors both malicious and non-malicious.”
Step one: build a ginormous database to store all kinds of information on would-be threats. “The next step is to determine whether an individual or group of individuals is exhibiting anomalous behavior that is also malicious.” That’s a toughie. Something anomalous in one context might be perfectly normal in another, and an unusual event says nothing by itself about intent. One possible solution, the SMITE paper adds, could be detecting “deceptive” activities, which can be a sign of cyberspying. Or of cheating on your taxes. Or of carrying on an office affair. Or of playing World of Warcraft on the job. Depending on the situation.
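The “anomalous here, normal there” problem is the crux of the whole approach, so here is what it looks like in code. This is an added illustration, not anything from the SMITE request or Darpa: the roles, the per-day file-pull counts and the choice of the Iglewicz-Hoaglin modified z-score with its customary 3.5 cut-off are all assumptions made for the example. It scores one day's activity against a global baseline and against the actor's peer group, and shows the two baselines disagreeing in both directions.

```python
"""Context-dependent anomaly scoring over constructed access records.

Added example, not SMITE code. Scores a user's daily file-pull count
against everyone (global baseline) and against the user's role (peer baseline).
"""
from collections import defaultdict
from statistics import median

# Constructed baseline: (user, role, files pulled from the document store that day).
# Sysadmins routinely pull large backup sets; analysts touch a handful of files.
BASELINE = [
    ("a01", "analyst", 5), ("a02", "analyst", 6), ("a03", "analyst", 7),
    ("a04", "analyst", 7), ("a05", "analyst", 8), ("a06", "analyst", 8),
    ("a07", "analyst", 8), ("a08", "analyst", 9), ("a09", "analyst", 9),
    ("a10", "analyst", 10),
    ("s01", "sysadmin", 380), ("s02", "sysadmin", 390), ("s03", "sysadmin", 395),
    ("s04", "sysadmin", 405), ("s05", "sysadmin", 410), ("s06", "sysadmin", 420),
]

# Iglewicz-Hoaglin modified z-score cut-off (assumed here; 3.5 is their usual value).
# Median/MAD is used instead of mean/stdev because a population mixing a few
# heavy users with many light ones makes a plain standard deviation meaningless.
THRESHOLD = 3.5


def modified_z(value, sample):
    """0.6745 * (x - median) / MAD; inf when MAD is 0 and x is off the median."""
    med = median(sample)
    mad = median(abs(x - med) for x in sample)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def build_baselines(records):
    """Global count list plus a per-role count list."""
    global_counts = [c for _, _, c in records]
    by_role = defaultdict(list)
    for _, role, c in records:
        by_role[role].append(c)
    return global_counts, dict(by_role)


def score_event(role, count, records=BASELINE, threshold=THRESHOLD):
    """Judge one day's count in both contexts. Flags, not verdicts: nothing
    here says whether the anomaly is malicious."""
    global_counts, by_role = build_baselines(records)
    peer_counts = by_role.get(role, global_counts)  # unknown role: fall back to global
    z_global = modified_z(count, global_counts)
    z_peer = modified_z(count, peer_counts)
    return {
        "z_global": round(z_global, 2),
        "z_peer": round(z_peer, 2),
        "global_anomalous": abs(z_global) > threshold,
        "peer_anomalous": abs(z_peer) > threshold,
    }


if __name__ == "__main__":
    for role, n in [("sysadmin", 400), ("analyst", 400), ("analyst", 15)]:
        print(role, n, score_event(role, n))
```

A sysadmin pulling 400 files is wildly anomalous against the whole company and entirely ordinary among sysadmins; an analyst pulling 15 files passes the global test but is out of line for analysts. Either baseline alone produces the wrong answer for one of those cases, and neither says anything about why the person did it, which is exactly the “anomalous but is it malicious” question the SMITE paper leaves to the next step.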