Sifting through petabytes: PRODIGAL monitoring for lone wolf insider threats

By Darlene Storm

Homeland Security Director Janet Napolitano said the “risk of ’lone wolf’ attackers, with no ties to known extremist networks or grand conspiracies, is on the rise as the global terrorist threat has shifted,” reported CBSNews. An alleged example of such a lone wolf terror suspect is U.S. citizen Jose Pimentel, who learned “bomb-making on the Internet and considered changing his name to Osama out of loyalty to Osama bin Laden.” He was arrested on charges of “plotting to blow up post offices and police cars and to kill U.S. troops.” But the CSMonitor reported the FBI decided Pimentel was not a credible threat. It’s unlikely Pimentel will be able to claim “entrapment” since he “left muddy footprints on the Internet” which proves “his intent was to cause harm.” The grand jury decision against Pimentel was delayed until January, as others described “the Idiot Jihadist Next Door” as just another “homegrown U.S. terrorist wannabe.”

But lone wolf insider threats certainly do exist and, after they’ve gone bad, people wonder why no one saw the lone wolf employee problem coming. It can allegedly take years for an individual to become radicalized and that person may not even realize it’s happening. With support from DARPA, Georgia Tech announced that it will help find lone wolf insider threats by developing a system capable of sifting through mindbogglingly massive datasets, terabytes and petabytes (1,000 terabytes). The “two-year, $9 million project will create a suite of algorithms that can detect multiple types of insider threats by analyzing massive amounts of data – including email, text messages and file transfers – for unusual activity.”

DARPA’s Anomaly Detection at Multiple Scales (ADAMS) system is being designed to run new large-scale, complex algorithms “using graph analysis and machine learning approaches to try to explain unanswered, unexplainable events.” It will find nontraditional pattern recognition clues and behavioral changes over long periods of time by hovering up petabytes of recorded logs from simple actions like sending email, accessing file, logging in, plugging in a USB, and other such records. Project co-principal investigator David A. Bader, a professor with a joint appointment in the Georgia Tech School of Computational Science and Engineering and the Georgia Tech Research Institute (GTRI), added, “We are further challenged because we are capturing the information at different rates – keystroke information is collected at very rapid rates and other information, such as file transfers, is collected at slower rates.”

While most people have sent a disgruntled email to their boss, and such actions may get logged, these emails are not what leads to the serious insider threats that need to be detected. As it stands now, analysts are drowning in data and it is humanly impossible to investigate the “tens of thousands” of daily logged anomalous events. PRODIGAL (Proactive Discovery of Insider Threats Using Graph Analysis and Learning), part of ADAMS, will go through about a quarter billion IMs, texts, emails, and other daily digital records to identify the five most serious threats per day so that analysts may have time to scrutinize them.

In a video interview about using Big Data Analytics to find personnel that might be on the verge of ‘Breaking Bad,’ Bader gave simplistic examples of what might be analyzed over long periods of time to find the employees who “may not realize they are going down the slippery slope.” He said, “Maybe someone starts shifting their workday by five minutes a day, until they are working at night instead of the day. Maybe someone changes what they eat in the cafeteria. Maybe they come in unexpectedly or unexplained at two in the morning. Those are the sorts of patterns we may start to look for, start to understand.” If such anomalous behaviors can be explained “then it lowers the profile,” yet might help “stitch together” info to spot lone wolf type of problems.

While traditional security looks at intruders from the outside, PRODIGAL is looking for threats coming from the inside. When asked if this is a bit like Big Brother spying on Big Brother, Bader said no. In fact, he said, “No spying takes place.” This will be used only where people have explicitly agreed to be monitored like “defense contractors, government agencies, and military on information networks.” Everyone who is inside with a security clearance “has the keys to the castle and they know the monitoring is taking place.”

There may eventually be commercial applications for such PRODIGAL predictive analytics like when looking for insider trading, but this project “only works with big datasets where everyone has agreed to be monitored” and it’s looking very hard at the lone wolf problem. However “the very existence of such a project is sure to unnerve citizens,” FoxNews stated before claiming citizens will ask, “Is the government reading my emails? Are they already monitoring me?… PRODIGAL’s ability to scan reams of data is clearly the next step in tracking unusual activity, and it’s guaranteed to raise a red flag.”

Anthony Howard, a “security expert who has consulted for the Department of Homeland Security,” told FoxNews, “Some people say it’s one step further toward a police state.” He added, “Since people tend to be imperfect, the data captured can easily be mishandled. Where does it end?” Yet “Bader equated the PRODIGAL system to Raytheon SureView, an internal scanning system that looks for suspicious activity and alerts federal agencies about possible threats. Another system is the Einstein project, which was developed after 9 / 11 and scans government employees for key words and links suspicious activity to National Security Agency databases.”

One woman told FoxNews that she’s “convinced the federal government is reading her emails. But she’s all right with that. I assume it’s part of the Patriot Act and I really don’t mind. I figure I’m probably boring them to death.” After seeing that article, lmliberty added to this by saying “Big Brother is reading your email without a warrant.” Furthermore, people like that woman who don’t “care about the Constitution, particularly the 4th Amendment nor the rule of law,” are “the problem” and “poster children for what’s wrong with America today.”

While I didn’t “hear” that Big Bro is using this system to scarf up and read your email without a warrant, here’s the Interview: DARPA’s ADAMS Project Taps Big Data to Find the Breaking Bad video so can judge for yourself if you believe it’s a threat to American citizens.

Darlene Storm (not her real name) is a freelance writer with a background in information technology and information security.

David A. Bader
David A. Bader
Distinguished Professor and Director of the Institute for Data Science

David A. Bader is a Distinguished Professor in the Department of Computer Science at New Jersey Institute of Technology.