System would monitor feds for signs they're 'breaking bad'

This story has been updated to correct references to the Fort Hood shooting.

Researchers backed by the Defense Advanced Research Projects Agency are developing a system than could scan up to 250 million text messages, e-mail messages and file transfers a day in search of anomalies that could help identify insider threats or employees who might be about to “break bad.”

The system, dubbed PRODIGAL, for Proactive Discovery of Insider Threats Using Graph Analysis and Learning, will combine graph processing, anomaly detection and relational machine learning on a massive scale to create a prototype Anomaly Detection at Multiple Scales (ADAMS) system, according to a release from the Georgia Institute of Technology, which is working with four other organizations on the project.

PRODIGAL, which would be used initially to monitor the communications in civilian government and military organizations where employees have agreed to be monitored, is intended to identify “rogue” individuals — such as a potential mass-attack gunman, terrorist or spy — before they act, Georgia Tech said.

Related stories:

Lab’s behavioral system can catch insider threats

DARPA’s new cyber tack: Think, act like a hacker

Analysts now have the capacity to investigate about “five anomalies per day out of thousands of possibilities,” said Georgia Tech professor David Bader, co-principal investigator on the project. “Our goal is to develop a system that will provide analysts for the first time a very short, ranked list of unexplained events that should be further investigated.”

DARPA and the Army Research Office are supporting the two-year, $9 million project. Science Applications International Corp. is leading the project, which also includes researchers from Oregon State University, the University of Massachusetts and Carnegie Mellon University.

The idea of a system that scans a quarter-billion e-mails and terabytes of information has already touched off concerns that the government will be monitoring everyone’s e-mails, but Bader told Fox News that the scans work only on internal systems with the users’ consent, not across the Internet.

In a video interview at the SC11 high-performance computing conference in Seattle in November, Bader said the system would scan the communications of people with security clearances for signs that they might be “breaking bad.”

For example, he referred to the Fort Hood gunman, who killed 13 people and wounded 29 others in 2009 and was later linked to al-Qaida, and Bradley Manning, the U.S. soldier accused of giving confidential information to WikiLeaks. In those cases, there were clues that went unheeded. The ADAMS project was to create a system that can put those clues together “before something happens,” Bader said.

Bader said the system would be used only on sensitive networks whose users are aware that communications are being monitored and have agreed to it as part of their security clearance.

When completed, ADAMS could represent a breakthrough in “the capabilities of counter-intelligence community operators to identify and prioritize potential malicious insider threats against a background of everyday cyber network activity,” according to Georgia Tech’s announcement.

It will analyze massive datasets gathered from activities such as network logins, e-mails, instant messages and file transfers looking for patterns that indicate the potential for trouble.

Because of its scope, the project represents a big-data challenge for the researchers.

“We need to bring together high-performance computing, algorithms and systems on an unprecedented scale because we're collecting a massive amount of information in real time for a long period of time,” Bader said. “We are further challenged because we are capturing the information at different rates — keystroke information is collected at very rapid rates and other information, such as file transfers, is collected at slower rates.”


About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.

inside gcn

Reader Comments

Mon, Dec 12, 2011

Back when I was running part of our Agency's email system, I told some of our users that if they wanted to mimic Ollie North, they had better have their Congressional immunity/pardon lined up,because I will catch them and I will crucify them.

Mon, Dec 12, 2011 Pseu_An www

That thied department Cain forgot is the Dept. of Publicly Funded Research for Private Sector Economic Gain.

Thu, Dec 8, 2011 earth

SkyNet gets both its distrust of humans and the algorithms to identify “disloyalty” to the government. However that is defined (the algorithm defines it after all). Hook it up to the automated threat to launch system for the ICBMs mentioned a few months back and you have all the essential ingredients, no (artificial or human) intelligence needed. (Nor displayed.). Just don’t allow the “threat” identified by the later system be fed into the former without strict definition matching.

Combine this with the recent push to exchange data between corporations and intelligence/security agencies, and you know eventually they will, (did I just go on the list, what exactly does it take, can boundaries even be defined given whatever algorithm is embedded, what happens to your right to face your accuser) at what point will “disloyalty” to a brand be considered an offence.

Finally, given that “muslims” were chosen to replace “Russians” as the boogy bear to justify military budgets in the late 90’s, how long till this is used to pick Muslims to disappear into gitmo? (Assuming they aren’t secretly supported for PR reasons instead, Ft Hood style)

Wed, Dec 7, 2011

If somebody is dumb enough to use their work PC for illicit comms, how much of a threat are they? Now that 50 bucks a month buys cell service with email and web, seems like anyone with two brain cells would go that way.

Wed, Dec 7, 2011 Cowboy Joe

I've said it before but it bears repeating, the only true protection anyone has on the internet is to be so boring nobody gives a damn about you...most of us are probably a lot safer than we'd like to think.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group