Saturday, May 22, 2010

Darpa Wants Code To Spot ‘Anomalous Behavior’

By Noah Shachtman
May 20, 2010 | 10:22 am
Courtesy Of "The Wired DangerRoom"

Can software catch a cyberspy’s tricky intentions, before he’s started to help the other side? The way-out researchers at Darpa think so. They’re planning a new program, “Suspected Malicious Insider Threat Elimination” or SMITE, that’s supposed to “dynamically forecast” when a mole is about to strike. Also, the code is meant to flag “inadvertent” disclosures “by an already trusted person with access to sensitive information.”

“Looking for clues” that suggest a turncoat or accidental leaker is about to spill (.pdf) “could potentially be easier than recognizing explicit attacks,” Darpa notes in a request for information. But even that simpler search won’t be easy. “Many attacks are combinations of directly observable and inferred events.” Which is why SMITE’s program managers are interested in techniques to figure out “the likely intent of inferred actions, and suggestions about what [that] evidence might mean.” That goes for “behaviors both malicious and non-malicious.”

Step one in starting that process: Build a ginormous database to store all kinds of information on would-be threats. “The next step is to determine whether an individual or group of individuals is exhibiting anomalous behavior that is also malicious.” That’s a toughie — something anomalous in one context might be perfectly normal in another. One possible solution, the SMITE paper adds, could be detecting “deceptive” activities, which are a sign of cyberspying. Or cheating on your taxes. Or carrying on an office affair. Or playing World of Warcraft on the job. Depending on the situation.

Over at The Register, Lew Page quips: “It will no doubt be a comfort for anyone in a position of trust within the U.S. information infrastructure to know that mighty military algorithms and hybrid engines will soon sniff your every move so as to forecast any context-dependent malice on your part — and then in some unspecified way (remember what the E in SMITE stands for) eliminate you as a threat.”

More likely, the program is just a way to do some basic research into algorithms’ ability to understand human intent. But since every Darpa program has to have some sort of military application — no matter how far-fetched — the agency has cooked up this cyberspy-fighting scenario.

Anyway, our spies tell us that Darpa is planning a SMITE workshop for mid-June in northern Virginia.

No comments:

Post a Comment