Abstract

Abstract insiders (an analyst, application administrator, and system administrator), measuring timeliness This paper summarizes a collaborative, six and accuracy of detection. month ARDA NRRC1 challenge workshop to characterize and create analysis methods to counter sophisticated malicious insiders in the 1. The Threat: Malicious Insiders United States Intelligence Community. Based An insider as anyone in an organization with approved upon a careful study of past and projected cases, access, privilege, or knowledge of information systems, we report a generic model of malicious insider information services, and missions. A malicious insider behaviors, distinguishing motives, (cyber and (MI) is one motivated to adversely impact an organiza-physical) actions, and associated observables. tion’s mission through a range of actions that compro-The paper outlines several prototype techniques mise information confidentiality, integrity, and/or avail-developed to provide early warning of insider ability. This research explores three fundamental hy-