System would monitor feds for signs they're 'breaking bad'

By Kevin McCaney

Researchers backed by the Defense Advanced Research Projects Agency are developing a system than could scan up to 250 million text messages, e-mail messages and file transfers a day in search of anomalies that could help identify insider threats or employees who might be about to “break bad.”

The system, dubbed PRODIGAL, for Proactive Discovery of Insider Threats Using Graph Analysis and Learning, will combine graph processing, anomaly detection and relational machine learning on a massive scale to create a prototype Anomaly Detection at Multiple Scales (ADAMS) system, according to a release from the Georgia Institute of Technology, which is working with four other organizations on the project.

PRODIGAL, which would be used initially to monitor the communications in civilian government and military organizations where employees have agreed to be monitored, is intended to identify “rogue” individuals — such as a potential mass-attack gunman, terrorist or spy — before they act, Georgia Tech said.

Analysts now have the capacity to investigate about “five anomalies per day out of thousands of possibilities,” said Georgia Tech professor David Bader, co-principal investigator on the project. “Our goal is to develop a system that will provide analysts for the first time a very short, ranked list of unexplained events that should be further investigated.”

DARPA and the Army Research Office are supporting the two-year, $9 million project. Science Applications International Corp. is leading the project, which also includes researchers from Oregon State University, the University of Massachusetts and Carnegie Mellon University.

The idea of a system that scans a quarter-billion e-mails and terabytes of information has already touched off concerns that the government will be monitoring everyone’s e-mails, but Bader told Fox News that the scans work only on internal systems with the users’ consent, not across the Internet.

In a video interview at the SC11 high-performance computing conference in Seattle in November, Bader said the system would scan the communications of people with security clearances for signs that they might be “breaking bad.”

For example, he referred to the Fort Hood gunman, who killed 13 people and wounded 29 others in 2009 and was later linked to al-Qaida, and Bradley Manning, the U.S. soldier accused of giving confidential information to WikiLeaks. In those cases, there were clues that went unheeded. The ADAMS project was to create a system that can put those clues together “before something happens,” Bader said.

Bader said the system would be used only on sensitive networks whose users are aware that communications are being monitored and have agreed to it as part of their security clearance.

When completed, ADAMS could represent a breakthrough in “the capabilities of counter-intelligence community operators to identify and prioritize potential malicious insider threats against a background of everyday cyber network activity,” according to Georgia Tech’s announcement.

It will analyze massive datasets gathered from activities such as network logins, e-mails, instant messages and file transfers looking for patterns that indicate the potential for trouble.

Because of its scope, the project represents a big-data challenge for the researchers.

“We need to bring together high-performance computing, algorithms and systems on an unprecedented scale because we’re collecting a massive amount of information in real time for a long period of time,” Bader said. “We are further challenged because we are capturing the information at different rates — keystroke information is collected at very rapid rates and other information, such as file transfers, is collected at slower rates.”

This story has been updated to correct references to the Fort Hood shooting.

About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.

https://gcn.com/articles/2011/12/06/darpa-prodigal-email-monitoring-insider-threats.aspx