
Attack-Centric Autonomic Detector of Insider Adversaries (ACADIA)

Award Information
Agency: Department of Defense
Branch: Air Force
Contract: FA8750-09-C-0049
Agency Tracking Number: F073-033-0123
Amount: $746,253.00
Phase: Phase II
Program: SBIR
Solicitation Topic Code: AF073-033
Solicitation Number: 2007.3
Timeline
Solicitation Year: 2007
Award Year: 2009
Award Start Date (Proposal Award Date): 2009-03-09
Award End Date (Contract End Date): 2011-06-08
Small Business Information
625 Mount Auburn Street
Cambridge, MA 02138
United States
DUNS: 115243701
HUBZone Owned: No
Woman Owned: No
Socially and Economically Disadvantaged: No
Principal Investigator
Name: Catherine Call
Title: Senior Software Engineer
Phone: (617) 491-3474
Email: ccall@cra.com
Business Contact
Name: Ninos Hanna
Title: Contract Specialist
Phone: (617) 491-3474
Email: nhanna@cra.com
Research Institution
N/A
Abstract

The Federal Plan for Cyber Security and Information Assurance R&D identifies insider cyber attacks as one of the highest threats to the national security infrastructure (2005), and according to a CERT Insider Threat Study (Keeney et al., 2005), the majority of insider attacks are detected only after a system has been corrupted or disabled entirely. As a consequence, there exists a great need across government, military, and private sectors for a robust means for the early detection and analysis of behavioral changes and attack precursors. To address this need, we are pleased to submit this proposal to design, develop, and evaluate an Attack-Centric Autonomic Detector of Insider Adversaries (ACADIA). Following the recommendations of the GIG IA Independent Framework Technical Reports Alternative I: Host Monitoring and Detection, Network Analysis (2000), we will focus on the prevention of insider attacks using redundancy, artificial diversity, and multi-layered policy mechanisms; ACADIA also detects unusual activity and social-behavioral changes by monitoring and aggregating cyber-activity data at the host level and by performing analysis and anomaly reporting at the network level. Our Phase I effort demonstrated that ACADIA has the potential to provide early predictions and detection of the occurrence of insider misuse and attacks.

BENEFIT: All users of military, government, and commercial cyber infrastructures are potential insider threats to those infrastructures. An effective solution for detecting, monitoring, and preventing insider threats, and specifically a system that detects attack precursors, thus allowing an organization to react in time to prevent an attack, can be used by these organizations to protect information assets from cyber attacks such as data exfiltration, data corruption, and other forms of sabotage and industrial espionage.
We anticipate that this effort will further development of our commercial CONNECT product and enable us to effectively market it to the cyber-security market.

* Information listed above is at the time of submission. *
