Algorithm Sought to Analyze Insider Behavior Air Force Wants Near-Real-Time Detection
The Air Force is seeking an entrepreneurial innovator to develop technology to analyze the conduct of insiders to determine if they pose a threat to government IT systems.

In a call for proposals aimed at small businesses, posted on Tuesday, the Air Force is asking outside developers to "define, develop and demonstrate innovative approaches for determining 'good' (approved) versus 'bad' (disallowed/subversive) activities, including insiders and/or malware." For their initial efforts, the Air Force will pay up to $100,000.

The proposal says current techniques that monitor illicit activities only address the most blatant violations of policy or the grossest deviations from accepted behavior. Most systems concentrate their resources on repelling attacks at the network borders with little attention devoted to threats that evade detection and/or emanate from within. The proposal states:

"As such, there currently exists a great need across the federal, military and private sectors for a viable and robust means to provide near-real-time detection, correlation and attribution of network attacks, by content or pattern, without use of reactive previously-seen signatures. Many times, these trusted entities have detailed knowledge about the currently-installed host and network security systems, and can easily plan their activities to subvert these systems."

In the first phase, Air Force planners envision the development of a prototype algorithm that incorporates heuristic analysis for determining approved versus disallowed or subversive activities, including insiders and/or malware. The awarded contractor also would propose an architecture and perform a feasibility analysis of the algorithm and architecture during the initial phase.

In the second phase, the contractor would implement the best approach from Phase 1 in an experimental hardware/software environment, representative of the Air Force cyber infrastructure. They'd be asked to correlate Phase 1 analysis with experimental results as well as analyze the prototype system with respect to performance, scalability, cost, security and vulnerability.


About the Author

Eric Chabrow

Eric Chabrow

Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.




Around the Network