Oct 14, 2010
Each time we see an incident like a soldier in good mental health becoming homicidal or suicidal, or a trusted insider turning malicious, we wonder why we didn’t see it coming. When we look through the evidence after the fact, we often find a trail, sometimes even an “obvious” one. The question is whether we can pick up the trail before the fact, giving us time to intervene and prevent an incident. Why is that so hard? Because we generally need to look through an enormous amount of data and don’t know where to look or what to look for. In particular, we generally lack a good characterization of normal versus anomalous behavior and of how each manifests itself in the data.
The general goal of the ADAMS program is to create, adapt and apply technology to the problem of anomaly characterization and detection in massive data sets. Anomaly detection matters because anomalies in data translate into significant, and often critical, actionable information in a wide variety of application domains.
While technology developed for ADAMS will have applicability in many domains, we will use the problem of insider threat detection as a focal point in order to make sure that the work is well grounded. We define insider threat as malevolent (or possibly inadvertent) actions by an already trusted person in a secure environment who has access to sensitive information, information systems and sources. The focus is on malevolent insiders who started out as “good guys.” The specific goal of ADAMS is to detect anomalous behaviors before or shortly after such an insider turns. Operators in the counterintelligence community are the target end-users for ADAMS insider threat detection technology.
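To make the baseline-versus-anomaly idea above concrete, here is an added illustration (not ADAMS program code, and not a description of any ADAMS performer's approach). It builds a per-user behavioral baseline from a constructed ten-day access log, then scores each user-day with a robust modified z-score (median and median absolute deviation) so that the "trail" of an insider who suddenly touches many more documents, partly at night, stands out from that user's own history. The log lines, the two features, the 08:00 to 18:00 working-hours window and the 3.5 alert threshold are all assumptions chosen for the example.

```python
"""Per-user behavioural baseline and robust outlier scoring over a constructed
access log. Added example; not ADAMS program code."""
from collections import defaultdict
from datetime import date, datetime
from statistics import median


def make_log():
    """Constructed sample log, one event per line:
    '<ISO timestamp> <user> <action> <resource>'."""
    lines = []
    for day in range(1, 11):                               # ten-day baseline window
        for user, n in (("alice", 3 + day % 3), ("bob", 4 + day % 2)):
            for i in range(n):                             # business-hours reads only
                lines.append(f"2010-10-{day:02d}T{9 + i:02d}:15:00 {user} read /proj/alpha/doc{i}")
    # Day 11: alice behaves as usual; bob reads 40 distinct documents, 15 of them at 02:30.
    for i in range(4):
        lines.append(f"2010-10-11T{9 + i:02d}:15:00 alice read /proj/alpha/doc{i}")
    for i in range(40):
        hour = 2 if i < 15 else 9 + (i % 8)
        lines.append(f"2010-10-11T{hour:02d}:30:00 bob read /proj/beta/doc{i}")
    return lines


LOG = make_log()


def parse(line):
    ts, user, action, resource = line.split()
    return datetime.fromisoformat(ts), user, action, resource


def daily_features(lines, work_hours=(8, 18)):
    """Map (user, date) -> {'distinct_resources': int, 'offhours_frac': float}.
    Both features are assumptions for the example; real deployments use many more."""
    events = defaultdict(list)
    for line in lines:
        ts, user, _, resource = parse(line)
        events[(user, ts.date())].append((ts, resource))
    feats = {}
    for key, evs in events.items():
        off = sum(1 for ts, _ in evs if not (work_hours[0] <= ts.hour < work_hours[1]))
        feats[key] = {"distinct_resources": len({r for _, r in evs}),
                      "offhours_frac": off / len(evs)}
    return feats


def build_baseline(feats, train_until):
    """Per-user (median, MAD) of each feature over days <= train_until."""
    per_user = defaultdict(lambda: defaultdict(list))
    for (user, day), f in feats.items():
        if day <= train_until:
            for name, v in f.items():
                per_user[user][name].append(v)
    baseline = {}
    for user, cols in per_user.items():
        baseline[user] = {}
        for name, vals in cols.items():
            med = median(vals)
            baseline[user][name] = (med, median(abs(v - med) for v in vals))
    return baseline


def modified_z(x, med, mad):
    """Iglewicz-Hoaglin modified z-score; robust to the outliers it is meant to find."""
    if mad == 0:
        # A zero-spread baseline (e.g. never any off-hours activity) makes any
        # change maximal. Treat it explicitly rather than dividing by zero.
        return 0.0 if x == med else float("inf")
    return 0.6745 * (x - med) / mad


def score(feats, baseline, threshold=3.5):
    """Return (user, day, feature, z) for every feature value that exceeds its
    user's baseline by more than `threshold`. Users with no baseline are skipped."""
    alerts = []
    for (user, day), f in sorted(feats.items()):
        if user not in baseline:
            continue
        for name, v in f.items():
            med, mad = baseline[user][name]
            z = modified_z(v, med, mad)
            if z > threshold:
                alerts.append((user, day.isoformat(), name, round(z, 1)))
    return alerts


def run():
    feats = daily_features(LOG)
    baseline = build_baseline(feats, date(2010, 10, 10))   # days 1-10 are "normal"
    return score(feats, baseline)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Two caveats a practitioner would add: the baseline is per user, so a consistently unusual but benign role (an auditor who reads everything) is not flagged against other users, which is the intent; and a feature whose baseline has zero spread alerts on any change at all, so in practice one either requires a minimum observation window or a small floor on the spread before that feature can alert.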