DARPA tries to know when to hold 'em

New tools for detecting insider threats could take a lesson from poker players

The Defense Advanced Research Projects Agency wants to make it harder for spies or informers in an organization to leak data to the outside world. The goal of the Cyber Insider Threat (CINDER) program is to develop new technologies and techniques to detect ongoing activities in government and military networks.

In the wake of recent data breaches, such as the WikiLeaks incident, the Defense Department has become very concerned about keeping its operational information within its firewalls. DARPA’s broad agency announcement for the CINDER program asks potential applicants to design solutions with the assumption that “most systems and networks have already been compromised by various types and classes of adversaries.”

The announcement notes that what sets insider threats apart from other types of attacks is the use of normal, day-to-day activities to collect data. To detect insiders, DARPA is asking interested organizations to develop algorithms that can spot "tells" — a term derived from poker that describes a tic or trait that a player unknowingly displays when bluffing. For example, a keen-eyed poker player might notice that a particular opponent always taps his finger on his knee when playing a poor hand. The next time he does it, that "tell" signals that he's holding a weak hand and trying to bluff. On the other hand, if he's betting aggressively and not tapping his knee, it probably means he's confident that he's got some strong cards.

The algorithms would look for signs that an employee or service member might be gathering data in an unauthorized manner.

CINDER does not focus on intrusion detection but on normal, everyday activities within government firewalls to expose hidden operations and systems. According to DARPA, CINDER is a three-phase program. The announcement covers Phase I and seeks to establish a fundamental understanding of different types of adversary missions and the techniques and approaches for identifying them as part of an insider threat. Phase II will create a system able to detect multiple enemy missions within a network, and Phase III will scale Phase II to a real-world network environment.

Because individual activities can potentially create a torrent of false positives, the announcement specifies that organizations develop systems to identify specific types of cyber missions and the tells that an agent would make to gather data and take it out of the network.
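As an added illustration of the mission-level approach described above (example code written for this article, not part of DARPA's program or the announcement), the following Python script derives tells from ordinary audit events and flags a user only when collect, stage and exfiltration tells occur in order within a time window, so that any single activity on its own never raises an alert. The log format, action names, thresholds and the sample log itself are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed audit log (hypothetical format '<ISO time> <user> <action> <detail>'),
# not real data: alice chains all three tells, bob only reads, carol never collects.
SAMPLE_LOG = """\
2011-03-01T09:00:00 alice file_read /share/plans/a.pdf
2011-03-01T09:03:00 alice file_read /share/plans/b.pdf
2011-03-01T09:05:00 alice file_read /share/plans/c.pdf
2011-03-01T11:30:00 alice archive_create /tmp/plans.zip
2011-03-01T18:10:00 alice removable_write /tmp/plans.zip
2011-03-01T10:00:00 bob file_read /share/plans/a.pdf
2011-03-01T10:01:00 bob file_read /share/plans/b.pdf
2011-03-01T10:02:00 bob file_read /share/plans/c.pdf
2011-03-01T14:00:00 carol archive_create /tmp/backup.zip
2011-03-01T14:05:00 carol removable_write /tmp/backup.zip
"""

# Assumed tells for the "package" and "remove" stages of one hypothetical insider mission.
STAGE_TELLS = {"archive_create": "stage", "removable_write": "exfil", "upload_external": "exfil"}
BULK_READS, BULK_SPAN = 3, timedelta(minutes=15)   # "collect" tell: 3 reads within 15 min

def tells_per_user(log_text):
    """Return {user: [(time, tell)]}; every tell is derived from ordinary, allowed actions."""
    recent, tells = {}, {}
    lines = sorted(tuple(l.split(maxsplit=3)) for l in log_text.strip().splitlines())
    for ts, user, action, _detail in lines:
        t = datetime.fromisoformat(ts)
        if action == "file_read":
            reads = [r for r in recent.get(user, []) if t - r <= BULK_SPAN] + [t]
            recent[user] = reads
            if len(reads) >= BULK_READS:
                tells.setdefault(user, []).append((t, "collect"))
        elif action in STAGE_TELLS:
            tells.setdefault(user, []).append((t, STAGE_TELLS[action]))
    return tells

def detect_missions(log_text, window=timedelta(hours=24)):
    """Flag a user only when collect -> stage -> exfil occur in that order within window.
    A lone tell (bulk reads, an archive, a removable-media write) never alerts by itself."""
    flagged = set()
    for user, tells in tells_per_user(log_text).items():
        by = lambda kind: [t for t, k in tells if k == kind]
        if any(c <= s <= e and e - c <= window
               for c in by("collect") for s in by("stage") for e in by("exfil")):
            flagged.add(user)
    return flagged

if __name__ == "__main__":
    print(sorted(detect_missions(SAMPLE_LOG)))   # ['alice']
```

Shrinking the window or raising the read threshold is how a deployment would trade missed missions against false positives; only alice, whose three tells form one chain, is flagged here.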
