A lightweight infrastructure for detection and mitigation of insider threats in distributed environments
Agency / Branch:
DOD / MDA
The insider threat remains one of the most difficult threats against information systems to detect, let alone mitigate. The overall objective of the effort (Phase I and Phase II) is to produce and prototype a Distributed Insider Threat Detection System (DITDS) for distributed environments, capable of identifying and quantifying emerging insider threats against the network and allowing for timely mitigation. Instead of relying on large centralized databases to track the evolution of multi-stage attacks, we propose an interactive methodology in which sensor data is fetched from the hosts as needed during the evaluation process. Our solution includes: (1) a heterogeneous, distributed sensor suite which, at the request of the DITDS manager, gathers information from multiple nodes; (2) given the readings from the multiple sensors, continuous evaluation of the network with respect to known multi-stage attack scenarios, and continuous search for new attack scenarios; (3) mechanisms centered on mobile agents for inoculating the various components of the network against a detected attack; and (4) mechanisms for integrating behavioral information about the users into the decision-making process. The College of Computing at the Georgia Institute of Technology will serve as the University partner. Lockheed Martin Information Assurance (LMIA) will serve as a subcontractor, providing data sets representative of insider attacks. These data sets will be collected using LMIA's DAIWatch(TM) system.
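The following is an added illustration of the on-demand evaluation idea described in the abstract; it is not code from the DITDS prototype, Scientific Systems, Georgia Tech, or LMIA. It assumes a hypothetical manager that pulls one sensor reading from one host at a time, walks a multi-stage scenario in stage order, stops at the first stage that does not match, and scores each host by the fraction of stages reached. The host readings, the user baseline, and the three-stage exfiltration scenario are constructed sample data, and the per-user baseline stands in for the behavioral information mentioned in item (4).

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample readings, keyed host -> sensor -> reading (hypothetical data).
HOST_SENSORS: Dict[str, Dict[str, dict]] = {
    "ws-12": {
        "auth": {"user": "jdoe", "logins_after_hours": 3},
        "files": {"user": "jdoe", "bulk_copy_bytes": 0},
        "net": {"user": "jdoe", "outbound_bytes_to_new_dst": 0},
    },
    "fs-01": {
        "auth": {"user": "jdoe", "logins_after_hours": 1},
        "files": {"user": "jdoe", "bulk_copy_bytes": 900_000_000},
        "net": {"user": "jdoe", "outbound_bytes_to_new_dst": 850_000_000},
    },
}

# Hypothetical behavioral baseline per user: what is "normal" for this account.
USER_BASELINE: Dict[str, dict] = {"jdoe": {"logins_after_hours": 0}}


@dataclass
class Stage:
    name: str
    sensor: str
    # predicate(reading, baseline) -> True when this stage of the attack is observed
    predicate: Callable[[dict, dict], bool]


@dataclass
class Scenario:
    name: str
    stages: List[Stage]


class DITDSManager:
    """Fetches sensor readings from hosts only when a scenario stage needs them."""

    def __init__(self, hosts: Dict[str, Dict[str, dict]]):
        self.hosts = hosts
        self.fetches: List[Tuple[str, str]] = []   # audit trail of (host, sensor) pulls
        self._cache: Dict[Tuple[str, str], dict] = {}

    def fetch(self, host: str, sensor: str) -> dict:
        key = (host, sensor)
        if key not in self._cache:
            self.fetches.append(key)             # a real system would query the host here
            self._cache[key] = self.hosts[host][sensor]
        return self._cache[key]

    def evaluate(self, scenario: Scenario, host: str, user: str) -> List[str]:
        """Return the names of the scenario stages matched on this host, in order.

        Stops at the first non-matching stage, so sensors for later stages
        are never pulled from the host.
        """
        baseline = USER_BASELINE.get(user, {})
        matched: List[str] = []
        for stage in scenario.stages:
            reading = self.fetch(host, stage.sensor)
            if reading.get("user") != user or not stage.predicate(reading, baseline):
                break
            matched.append(stage.name)
        return matched


def assess(manager: DITDSManager, scenario: Scenario, user: str) -> Dict[str, float]:
    """Quantify how far the scenario has progressed on each host (0.0 .. 1.0)."""
    return {
        host: len(manager.evaluate(scenario, host, user)) / len(scenario.stages)
        for host in manager.hosts
    }


# Constructed three-stage insider exfiltration scenario.
MB = 1_000_000
EXFIL = Scenario(
    "staged_exfiltration",
    [
        Stage("after_hours_access", "auth",
              lambda r, b: r["logins_after_hours"] > b.get("logins_after_hours", 0)),
        Stage("bulk_copy", "files", lambda r, b: r["bulk_copy_bytes"] > 100 * MB),
        Stage("external_transfer", "net",
              lambda r, b: r["outbound_bytes_to_new_dst"] > 100 * MB),
    ],
)

if __name__ == "__main__":
    mgr = DITDSManager(HOST_SENSORS)
    print(assess(mgr, EXFIL, "jdoe"))   # fs-01 completes all stages; ws-12 stops at stage 1
    print(mgr.fetches)                  # ('ws-12', 'net') is never pulled
```

The fetch log is the point of the example: the workstation that only shows after-hours logins never has its file or network sensors queried, which is the cost saving the abstract claims over keeping every host's readings in a central database. Scores below 1.0 are the "emerging" threats the manager would keep re-evaluating as new readings arrive.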
Small Business Information at Submission:
SCIENTIFIC SYSTEMS CO., INC.
500 West Cummings Park - Ste 3000 Woburn, MA 01801
Joao B. Cabrera
Number of Employees:
Research Institution Information:
GEORGIA INSTITUTE OF TECHNOLOGY
505 Tenth Street, NW
Atlanta, GA 30332
Sherry A. Levy
Nonprofit college or university