Detecting Malicious Insiders in Military Networks
MITRE CORP BEDFORD MA
Pagination or Media Count:
Given that a network is only as strong as its weakest link, a key vulnerability to network centric warfare is the threat from within. This paper summarizes several recent MITRE efforts focused on characterizing and automatically detecting malicious insiders within modern information systems. Malicious insiders MI adversely impact an organizations mission through a range of actions that compromise information confidentiality, integrity, andor availability. Their strong organizational knowledge, varying range of abusive behaviors, and ability to exploit legitimate access makes their detection particularly challenging. Crucial balances must be struck while performing MI detection. Detection accuracy must be weighed against minimizing time-to-detect and aggregating diverse audit data must be balanced against the need to protect the data from abuse. Key lessons learned from our MI research include the need to understand the context of the users actions, the need to establish models of normal behavior, the need to reduce the time to detect malicious behavior, the value of non cyber-observables, and the importance of real-world data collections to evaluate potential solutions.
- Computer Systems Management and Standards