Trapping Malicious Insiders in the SPDR Web

Keywords: insider threat detection, network security, plan recognition.

Absract: The insider threat has assumed increasing importance as our dependence on critical cyber information infrastructure has increased. In this paper we describe an approach for thwarting and attributing insider attacks. The Sense, Prepare, Detect, and React (SPDR) approach utilizes both a highly intelligent software reasoning system to anticipate, recognize, respond to, and attribute attacks as well as a widely distributed set of hardware-based sensor-effectors to provide alerts used by the reasoning system and to implement responses as directed by it. Using hardware sensor-effectors greatly reduces the risk that a savvy malicious insider can bypass or cripple the system's monitoring and control capabilities. In this paper we describe the prototype SPDR system and the results of its successful evaluation by an independent, DARPA-sponsored Red Team. We conclude with thoughts on possible SPDR enhancements and further research.

Haigh, J. T., Harp, S. A., O'Brien, R. C., Payne, C. N., Gohde, J., & Maraist, J. (2009, January 5-8). Trapping Malicious Insiders in the SPDR Web. Proceedings of the 42nd Hawaii International Conference on System Sciences, Waikoloa, Big Island, HI. - [PDF]