Bifrost: A Statistical Analysis Framework for Detecting Insider Threat Activities on Cyber Systems - Monitoring Network Resources Against Hosts Who Exhibit Threat Characteristics of Insider Activity

This report has been professionally converted for accurate flowing-text e-book format reproduction. The purpose of this research is to investigate, design and implement a statistical analysis-based insider threat detection product deployable to resource-disadvantaged systems and provide organizations with a method for baselining the network profiles and host activities unique to their operational environments. Our system design seeks to alert the system and its operators to invest greater monitoring resources against hosts who exhibit threat characteristics of insider activity and prevent such activities from inflicting harm on the system and/or causing an information-loss event for the organization. This system provides an initial starting point for future work, implementing one means of detecting insider threat activities; this implementation results in best- and worst-case detection rates of ~74% and ~68.2%, respectively, against our test data. We believe our framework provides a reasonable starting point for future work and improvement.

This compilation includes a reproduction of the 2019 Worldwide Threat Assessment of the U.S. Intelligence Community.

Significant effort and expense have been spent protecting information systems from external malicious threats, but relatively little has been done to evaluate the actions of legitimate users to prevent them from engaging in malicious or otherwise damaging activity. As seen in the recent DoD leaks by Edward Snowden, Bradley Manning, and Reality Winner, the insider threat possesses significant destructive potential against national security, international relations, and global commerce interests. While external threat protection systems, like antivirus software, are established to be viable threat prevention means and are ubiquitous on modern information technology (IT) systems, detection and prevention systems focused on insider threats and are far less common. Previous work to improve insider threat detection and prevention includes efforts to apply existing frameworks and techniques to malicious activity detection, but they are disparate in their methods of classifying and assigning threat potential to the various user activity indicators. These differing means of describing malicious indicators and responding to threats are also often not applicable to the DoD due to the restrictions imposed by network authorization/validation processes and concerns unique to national security systems. We seek to alleviate this issue by producing a systems-agnostic solution capable of detecting insider activity within any organization's network without the need for integration or communications with any other external system.