Adversarial Detection, Inference & Defensive Response (ADIDRUS)
Contact: davidb@galois.com, phone (503) 626-6616
Contact: annemarie@galois.com, phone (503) 626-6616
Insider threat poses one of the most problematic cyber challenges facing the warfighter today. This threat to Air Force assets is particularly insidious, as trusted individuals have easy access to sensitive and classified information. Galois, Inc. has developed a multi-layered attack inference engine called ADIDRUS, originally designed to help UAVs fight through cyber attacks. ADIDRUS continuously monitors sensor inputs as error-correction data, makes inferences over a set of hierarchical models, and generates hypotheses that best account for the observed behavior. ADIDRUS uses these hypotheses to guide context-appropriate responses (e.g., quarantining suspicious system components).

The purpose of this STTP is to apply the ADIDRUS capability to insider threat mitigation. The ADIDRUS hierarchical architecture is naturally suited to generating hypotheses within a context (in this case, normal enterprise workflows). Instead of relying only on passive indicators to identify potential insiders, the ADIDRUS system uses active indicators to learn the difference between false positives and true positives more effectively. Finally, by automating most of the analysis of insider threat behavior, the system performs triage for the human analysts, who can then concentrate on the highest-probability cases for further investigation.
* Information listed above is at the time of submission. *