DARPA tries to know when to hold 'em

New tools for detecting insider threats could take a lesson from poker players

The Defense Advanced Research Projects Agency wants to make it harder for spies or informers in an organization to leak data to the outside world. The goal of the Cyber Insider Threat (CINDER) program is to develop new technologies and techniques to detect ongoing activities in government and military networks.

In the wake of recent data breaches, such as the WikiLeaks incident, the Defense Department has become very concerned about keeping its operational information within its firewalls. DARPA’s broad agency announcement for the CINDER program asks potential applicants to design solutions with the assumption that “most systems and networks have already been compromised by various types and classes of adversaries.”

The announcement notes that what sets insider threats apart from other types of attacks is the use of normal, day-to-day activities to collect data. To detect insiders, DARPA is asking interested organizations to develop algorithms that can spot "tells" — a term derived from poker that describes a tic or trait that a player unknowingly displays when bluffing. For example, a keen-eyed poker player might notice that a particular opponent always taps his finger on his knee when playing a poor hand. The next time he does it, that "tell" signals that he's holding a weak hand and trying to bluff. On the other hand, if he's betting aggressively and not tapping his knee, it probably means he's confident that he's got some strong cards.

The algorithms would look for signs that an employee or service member might be gathering data in an unauthorized manner.

CINDER does not focus on intrusion detection but on normal, everyday activities within government firewalls to expose hidden operations and systems. According to DARPA, CINDER is a three-phase program. The announcement covers Phase I and seeks to establish a fundamental understanding of different types of adversary missions and the techniques and approaches for identifying them as part of an insider threat. Phase II will create a system able to detect multiple enemy missions within a network, and Phase III will scale Phase II to a real-world network environment.

Because individual activities can potentially create a torrent of false positives, the announcement specifies that organizations develop systems to identify specific types of cyber missions and the tells that an agent would make to gather data and take it out of the network.
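The false-positive concern above is the crux of the detection problem: any single high count (a busy day of file reads, one USB write) is normal for someone in the organization, so a detector has to look for several "tells" of one mission occurring together for the same person. The following is an added illustration written for this page, not DARPA's or any CINDER performer's code; the user names, activity counters and thresholds are constructed for the example. It builds a per-user baseline from the first seven days of audit counters, marks a tell when a day's count exceeds that user's mean by a margin, and only flags a "mission" when at least two distinct tells fire on the same day.

```python
"""
Correlating several weak insider 'tells' into one mission-level alert.

Added example, not DARPA's or any CINDER performer's code. All audit data
below is constructed: each record is (user, day, files_read,
removable_writes, offhours_logins, share_browse). The four counters are
individually ordinary activities that, in excess and together, suggest
bulk collection and removal of data.
"""
from collections import defaultdict
from statistics import mean, pstdev

TELLS = ("files_read", "removable_writes", "offhours_logins", "share_browse")

# Constructed daily audit counters. Days 1-7 are the baseline window.
EVENTS = [
    ("alice", 1, 40, 0, 0, 5),
    ("alice", 2, 45, 1, 0, 6),
    ("alice", 3, 38, 0, 0, 4),
    ("alice", 4, 42, 0, 1, 5),
    ("alice", 5, 41, 0, 0, 5),
    ("alice", 6, 39, 1, 0, 6),
    ("alice", 7, 44, 0, 0, 5),
    ("alice", 8, 52, 0, 0, 5),     # one elevated counter: a busy day, not a mission
    ("alice", 9, 310, 6, 3, 40),   # several tells at once: mission-like
    ("bob", 1, 20, 2, 0, 3),
    ("bob", 2, 22, 3, 1, 3),
    ("bob", 3, 19, 2, 0, 2),
    ("bob", 4, 21, 2, 1, 3),
    ("bob", 5, 20, 3, 1, 4),
    ("bob", 6, 23, 2, 1, 3),
    ("bob", 7, 21, 2, 0, 3),
    ("bob", 8, 60, 3, 1, 3),       # one elevated counter only
]


def build_baselines(events, baseline_days):
    """Per (user, tell): (mean, population stdev) over the baseline window."""
    samples = defaultdict(list)
    for user, day, *counts in events:
        if day <= baseline_days:
            for tell, value in zip(TELLS, counts):
                samples[(user, tell)].append(value)
    return {key: (mean(vals), pstdev(vals)) for key, vals in samples.items()}


def score_days(events, baseline_days=7, k=3.0, floor=1.0):
    """Return {(user, day): set of tells that fired} for post-baseline days.

    A tell fires when the day's count exceeds the user's baseline mean by
    max(k * stdev, floor); the floor stops a near-constant baseline from
    firing on a one-unit bump.
    """
    baselines = build_baselines(events, baseline_days)
    fired = {}
    for user, day, *counts in events:
        if day <= baseline_days:
            continue
        tells = set()
        for tell, value in zip(TELLS, counts):
            stats = baselines.get((user, tell))
            if stats is None:
                continue  # no baseline for this user yet; cannot judge
            mu, sigma = stats
            if value > mu + max(k * sigma, floor):
                tells.add(tell)
        fired[(user, day)] = tells
    return fired


def flag_missions(events, baseline_days=7, min_tells=2):
    """Flag (user, day) pairs where at least `min_tells` distinct tells co-occur."""
    fired = score_days(events, baseline_days)
    return sorted(key for key, tells in fired.items() if len(tells) >= min_tells)


if __name__ == "__main__":
    for key, tells in sorted(score_days(EVENTS).items()):
        print(key, sorted(tells))
    print("flagged:", flag_missions(EVENTS))
```

Run stand-alone, it shows that both alice's day 8 and bob's day 8 trip exactly one tell (a spike in files read) and are left alone, while alice's day 9 trips all four and is the only flagged (user, day). The per-user baseline matters: bob's routine removable-media writes would be an anomaly against alice's baseline but are normal for him.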

Reader comments

Fri, Sep 3, 2010 Jess Bakersville

With CINDER, the horse already left the barn. This is not a technology or a solution but only one of many similar research projects (ref: TDB algorithms). If a person pulls the data, sure you might be able to later catch the bad guy but the data is gone, gone, gone. CINDER could not catch a WikiLeak-like insider if he was burning files he normally works with. The WikiLeaks disaster could have easily been prevented with one of many common and approved (but not widely deployed) Data-At-Rest products that would have automatically only burned encrypted data to the CD/DVD/USB drive, etc. DAR was mandated in 2008ish and only for mobile computers & media. It should be mandatory for all PCs and made part of the FDCC.... imho.

Fri, Sep 3, 2010

Why are sensitive government comms even on the public internet in the first place? FedGov should have had their own IP universe from the day they started assigning domains. Pretty hard to leak through an air gap.
