SlideShare une entreprise Scribd logo

Anomaly Detection at Multiple Scales (Waltzman)

Michael Scovetta
Michael Scovetta

Presentation from the Colloquium on Future Directions in Cyber Security on Nov 7, 2011.

TechnologieSanté & Médecine
1  sur  6
Télécharger pour lire hors ligne
Rand Waltzman Program Manager, Information Innovation Office Anomaly Detection at Multiple Scales DARPA Cyber Colloquium Arlington, VA November 7, 2011 Approved for Public Release, Distribution Unlimited.
The problem… • Why didn’t we see it coming? • Robert Hanssen • Aldrich Ames • Ana Belen Montes • The trail of evidence was obvious after the fact • Why is it so hard to pick up the trail before the fact? • Answer: • Difficult to characterize anomalous v normal behaviors • Malicious activities distributed over time and cyberspace • Weak signal in a noisy background • Enormous amount of data Approved for Public Release, Distribution Unlimited
How much data? • Find evidence of an insider at Fort Hood: • 65,000 soldiers at Fort Hood • Represent the e-mail and text message traffic as a graph • Nodes represent persons • Links represent e-mail or text messages • Analyze 47,201,879,000 links between 2,336,726 nodes over one year • Find evidence against one person over the entire DoD: • E-mail and text message traffic only • Analyze 755,230,064,000 links between 37,387,616 nodes over one year • And this does not include web-searches, file accesses, applications run, and many other forms of cyber observable behavioral data. Approved for Public Release, Distribution Unlimited
Anomaly Detection at Multiple Scales (ADAMS) • Focus on malevolent insiders that started out as good guys • Research organized into four coordinated thrusts • Topic analysis • Develop signatures for areas of responsibility • Detect straying from tasked topic areas, or produces unexpected content • System use • Temporal sequences of system and file accesses • Patterns of behavior • Social interactions and networks • Indicators • Social exchanges • Psychological state • Personal temperament and mental health • Distress, instability, or other vulnerability Detect the signs that they are turning before or shortly after they turn Approved for Public Release, Distribution Unlimited
Example: Insider Threat Scenarios in StackOverflow.com • Data set with 645 thousand users, 5.5 million question posts, and 12 million responses • Use of human controlled alias accounts (aka Sock Puppets) for voting fraud • 9 inserted sock puppet voting fraud schemes • Oregon State University graph analytics detected 7 out of 9 schemes and 310 out of 535 sock puppets. Approved for Public Release, Distribution Unlimited.
Contact Information • If you would like to pursue topics discussed in this presentation, please send your ideas to • rand.waltzman@darpa.mil Approved for Public Release, Distribution Unlimited

Recommandé

Deep Web and Digital Investigations
Deep Web and Digital Investigations Deep Web and Digital Investigations
Deep Web and Digital Investigations Damir Delija
 
Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Applying Machine Learning to Network Security Monitoring - BayThreat 2013Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Applying Machine Learning to Network Security Monitoring - BayThreat 2013Alex Pinto
 
Penetration Testing
Penetration TestingPenetration Testing
Penetration TestingMd Samsul Kabir
 
#FluxFlow
#FluxFlow#FluxFlow
#FluxFlowBernardo Najlis
 
Cyber Security - An Overview
Cyber Security - An OverviewCyber Security - An Overview
Cyber Security - An Overviewrobustbrad
 
EENA 2021: Keynote – Open-Source Intelligence (OSINT) for emergency services ...
EENA 2021: Keynote – Open-Source Intelligence (OSINT) for emergency services ...EENA 2021: Keynote – Open-Source Intelligence (OSINT) for emergency services ...
EENA 2021: Keynote – Open-Source Intelligence (OSINT) for emergency services ...EENA (European Emergency Number Association)
 
SANS CTI Summit 2016 - Data-Driven Threat Intelligence: Sharing
SANS CTI Summit 2016 - Data-Driven Threat Intelligence: SharingSANS CTI Summit 2016 - Data-Driven Threat Intelligence: Sharing
SANS CTI Summit 2016 - Data-Driven Threat Intelligence: SharingAlex Pinto
 
Leveraging Digital Forensics | Patricia Watson
Leveraging Digital Forensics | Patricia WatsonLeveraging Digital Forensics | Patricia Watson
Leveraging Digital Forensics | Patricia WatsonPatricia M Watson
 

Recommandé

Deep Web and Digital Investigations
Deep Web and Digital Investigations Deep Web and Digital Investigations
Deep Web and Digital Investigations Damir Delija
 
Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Applying Machine Learning to Network Security Monitoring - BayThreat 2013Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Applying Machine Learning to Network Security Monitoring - BayThreat 2013Alex Pinto
 
Penetration Testing
Penetration TestingPenetration Testing
Penetration TestingMd Samsul Kabir
 
#FluxFlow
#FluxFlow#FluxFlow
#FluxFlowBernardo Najlis
 
Cyber Security - An Overview
Cyber Security - An OverviewCyber Security - An Overview
Cyber Security - An Overviewrobustbrad
 
EENA 2021: Keynote – Open-Source Intelligence (OSINT) for emergency services ...
EENA 2021: Keynote – Open-Source Intelligence (OSINT) for emergency services ...EENA 2021: Keynote – Open-Source Intelligence (OSINT) for emergency services ...
EENA 2021: Keynote – Open-Source Intelligence (OSINT) for emergency services ...EENA (European Emergency Number Association)
 
SANS CTI Summit 2016 - Data-Driven Threat Intelligence: Sharing
SANS CTI Summit 2016 - Data-Driven Threat Intelligence: SharingSANS CTI Summit 2016 - Data-Driven Threat Intelligence: Sharing
SANS CTI Summit 2016 - Data-Driven Threat Intelligence: SharingAlex Pinto
 
Leveraging Digital Forensics | Patricia Watson
Leveraging Digital Forensics | Patricia WatsonLeveraging Digital Forensics | Patricia Watson
Leveraging Digital Forensics | Patricia WatsonPatricia M Watson
 
Osint
OsintOsint
OsintKamal Rathaur
 
Advanced Research Investigations for SIU Investigators
Advanced Research Investigations for SIU InvestigatorsAdvanced Research Investigations for SIU Investigators
Advanced Research Investigations for SIU InvestigatorsSloan Carne
 
Misinfosec frameworks Cansecwest 2019
Misinfosec frameworks Cansecwest 2019Misinfosec frameworks Cansecwest 2019
Misinfosec frameworks Cansecwest 2019bodaceacat
 
CansecWest2019: Infosec Frameworks for Misinformation
CansecWest2019: Infosec Frameworks for MisinformationCansecWest2019: Infosec Frameworks for Misinformation
CansecWest2019: Infosec Frameworks for Misinformationbodaceacat
 
Terp breuer misinfosecframeworks_cansecwest2019
Terp breuer misinfosecframeworks_cansecwest2019Terp breuer misinfosecframeworks_cansecwest2019
Terp breuer misinfosecframeworks_cansecwest2019bodaceacat
 
6. FOMS _Data Mining_ Analysis_ Eric Robson
6. FOMS _Data Mining_ Analysis_ Eric Robson6. FOMS _Data Mining_ Analysis_ Eric Robson
6. FOMS _Data Mining_ Analysis_ Eric RobsonFOMS011
 
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentBeyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentDamon Small
 
Defcon 23 - damon small - beyond the scan
Defcon 23 - damon small - beyond the scanDefcon 23 - damon small - beyond the scan
Defcon 23 - damon small - beyond the scanFelipe Prado
 
Social Network Analysis - an Introduction (minus the Maths)
Social Network Analysis - an Introduction (minus the Maths)Social Network Analysis - an Introduction (minus the Maths)
Social Network Analysis - an Introduction (minus the Maths)Katy Jordan
 
UW Cybersecurity Lecture 9 - Social Media
UW Cybersecurity Lecture 9 - Social MediaUW Cybersecurity Lecture 9 - Social Media
UW Cybersecurity Lecture 9 - Social MediaDr Stylianos Mystakidis
 
Technical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvertTechnical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvertISSA LA
 
Data Management for Undergraduate Research
Data Management for Undergraduate ResearchData Management for Undergraduate Research
Data Management for Undergraduate ResearchRebekah Cummings
 
Measuring the Speed of the Red Queen's Race; Adaption and Evasion in Malware
Measuring the Speed of the Red Queen's Race; Adaption and Evasion in MalwareMeasuring the Speed of the Red Queen's Race; Adaption and Evasion in Malware
Measuring the Speed of the Red Queen's Race; Adaption and Evasion in MalwarePriyanka Aash
 
Phd Colloquium Spatial Analysis
Phd Colloquium Spatial AnalysisPhd Colloquium Spatial Analysis
Phd Colloquium Spatial Analysisalistairleak
 
Secondary data analysis with digital trace data
Secondary data analysis with digital trace dataSecondary data analysis with digital trace data
Secondary data analysis with digital trace dataAndrea Wiggins
 
Data science for advanced dummies
Data science for advanced dummiesData science for advanced dummies
Data science for advanced dummiesSaurav Chakravorty
 
AISA - v6 - Damien Manuel
AISA - v6 - Damien ManuelAISA - v6 - Damien Manuel
AISA - v6 - Damien ManuelDamien Manuel
 
Data 101: A Gentle Introduction
Data 101: A Gentle IntroductionData 101: A Gentle Introduction
Data 101: A Gentle IntroductionHamilton Public Library
 
Is data publication the right metaphor?
Is data publication the right metaphor?Is data publication the right metaphor?
Is data publication the right metaphor?Research Data Alliance
 
Is data publication the right metaphor?
Is data publication the right metaphor?Is data publication the right metaphor?
Is data publication the right metaphor?Mark Parsons
 
Peter Norvig - NYC Machine Learning 2013
Peter Norvig - NYC Machine Learning 2013Peter Norvig - NYC Machine Learning 2013
Peter Norvig - NYC Machine Learning 2013Michael Scovetta
 
Android Attacks
Android AttacksAndroid Attacks
Android AttacksMichael Scovetta
 

Contenu connexe

Similaire à Anomaly Detection at Multiple Scales (Waltzman)

Advanced Research Investigations for SIU Investigators
Advanced Research Investigations for SIU InvestigatorsAdvanced Research Investigations for SIU Investigators
Advanced Research Investigations for SIU InvestigatorsSloan Carne
 
Misinfosec frameworks Cansecwest 2019
Misinfosec frameworks Cansecwest 2019Misinfosec frameworks Cansecwest 2019
Misinfosec frameworks Cansecwest 2019bodaceacat
 
CansecWest2019: Infosec Frameworks for Misinformation
CansecWest2019: Infosec Frameworks for MisinformationCansecWest2019: Infosec Frameworks for Misinformation
CansecWest2019: Infosec Frameworks for Misinformationbodaceacat
 
Terp breuer misinfosecframeworks_cansecwest2019
Terp breuer misinfosecframeworks_cansecwest2019Terp breuer misinfosecframeworks_cansecwest2019
Terp breuer misinfosecframeworks_cansecwest2019bodaceacat
 
6. FOMS _Data Mining_ Analysis_ Eric Robson
6. FOMS _Data Mining_ Analysis_ Eric Robson6. FOMS _Data Mining_ Analysis_ Eric Robson
6. FOMS _Data Mining_ Analysis_ Eric RobsonFOMS011
 
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentBeyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentDamon Small
 
Defcon 23 - damon small - beyond the scan
Defcon 23 - damon small - beyond the scanDefcon 23 - damon small - beyond the scan
Defcon 23 - damon small - beyond the scanFelipe Prado
 
Social Network Analysis - an Introduction (minus the Maths)
Social Network Analysis - an Introduction (minus the Maths)Social Network Analysis - an Introduction (minus the Maths)
Social Network Analysis - an Introduction (minus the Maths)Katy Jordan
 
UW Cybersecurity Lecture 9 - Social Media
UW Cybersecurity Lecture 9 - Social MediaUW Cybersecurity Lecture 9 - Social Media
UW Cybersecurity Lecture 9 - Social MediaDr Stylianos Mystakidis
 
Technical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvertTechnical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvertISSA LA
 
Data Management for Undergraduate Research
Data Management for Undergraduate ResearchData Management for Undergraduate Research
Data Management for Undergraduate ResearchRebekah Cummings
 
Measuring the Speed of the Red Queen's Race; Adaption and Evasion in Malware
Measuring the Speed of the Red Queen's Race; Adaption and Evasion in MalwareMeasuring the Speed of the Red Queen's Race; Adaption and Evasion in Malware
Measuring the Speed of the Red Queen's Race; Adaption and Evasion in MalwarePriyanka Aash
 
Phd Colloquium Spatial Analysis
Phd Colloquium Spatial AnalysisPhd Colloquium Spatial Analysis
Phd Colloquium Spatial Analysisalistairleak
 
Secondary data analysis with digital trace data
Secondary data analysis with digital trace dataSecondary data analysis with digital trace data
Secondary data analysis with digital trace dataAndrea Wiggins
 
Data science for advanced dummies
Data science for advanced dummiesData science for advanced dummies
Data science for advanced dummiesSaurav Chakravorty
 
AISA - v6 - Damien Manuel
AISA - v6 - Damien ManuelAISA - v6 - Damien Manuel
AISA - v6 - Damien ManuelDamien Manuel
 
Is data publication the right metaphor?
Is data publication the right metaphor?Is data publication the right metaphor?
Is data publication the right metaphor?Research Data Alliance
 
Is data publication the right metaphor?
Is data publication the right metaphor?Is data publication the right metaphor?
Is data publication the right metaphor?Mark Parsons
 

Similaire à Anomaly Detection at Multiple Scales (Waltzman) (20)

Osint
OsintOsint
Osint
 
Advanced Research Investigations for SIU Investigators
Advanced Research Investigations for SIU InvestigatorsAdvanced Research Investigations for SIU Investigators
Advanced Research Investigations for SIU Investigators
 
Misinfosec frameworks Cansecwest 2019
Misinfosec frameworks Cansecwest 2019Misinfosec frameworks Cansecwest 2019
Misinfosec frameworks Cansecwest 2019
 
CansecWest2019: Infosec Frameworks for Misinformation
CansecWest2019: Infosec Frameworks for MisinformationCansecWest2019: Infosec Frameworks for Misinformation
CansecWest2019: Infosec Frameworks for Misinformation
 
Terp breuer misinfosecframeworks_cansecwest2019
Terp breuer misinfosecframeworks_cansecwest2019Terp breuer misinfosecframeworks_cansecwest2019
Terp breuer misinfosecframeworks_cansecwest2019
 
6. FOMS _Data Mining_ Analysis_ Eric Robson
6. FOMS _Data Mining_ Analysis_ Eric Robson6. FOMS _Data Mining_ Analysis_ Eric Robson
6. FOMS _Data Mining_ Analysis_ Eric Robson
 
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentBeyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability Assessment
 
Defcon 23 - damon small - beyond the scan
Defcon 23 - damon small - beyond the scanDefcon 23 - damon small - beyond the scan
Defcon 23 - damon small - beyond the scan
 
Social Network Analysis - an Introduction (minus the Maths)
Social Network Analysis - an Introduction (minus the Maths)Social Network Analysis - an Introduction (minus the Maths)
Social Network Analysis - an Introduction (minus the Maths)
 
UW Cybersecurity Lecture 9 - Social Media
UW Cybersecurity Lecture 9 - Social MediaUW Cybersecurity Lecture 9 - Social Media
UW Cybersecurity Lecture 9 - Social Media
 
Technical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvertTechnical track chris calvert-1 30 pm-issa conference-calvert
Technical track chris calvert-1 30 pm-issa conference-calvert
 
Data Management for Undergraduate Research
Data Management for Undergraduate ResearchData Management for Undergraduate Research
Data Management for Undergraduate Research
 
Measuring the Speed of the Red Queen's Race; Adaption and Evasion in Malware
Measuring the Speed of the Red Queen's Race; Adaption and Evasion in MalwareMeasuring the Speed of the Red Queen's Race; Adaption and Evasion in Malware
Measuring the Speed of the Red Queen's Race; Adaption and Evasion in Malware
 
Phd Colloquium Spatial Analysis
Phd Colloquium Spatial AnalysisPhd Colloquium Spatial Analysis
Phd Colloquium Spatial Analysis
 
Secondary data analysis with digital trace data
Secondary data analysis with digital trace dataSecondary data analysis with digital trace data
Secondary data analysis with digital trace data
 
Data science for advanced dummies
Data science for advanced dummiesData science for advanced dummies
Data science for advanced dummies
 
AISA - v6 - Damien Manuel
AISA - v6 - Damien ManuelAISA - v6 - Damien Manuel
AISA - v6 - Damien Manuel
 
Data 101: A Gentle Introduction
Data 101: A Gentle IntroductionData 101: A Gentle Introduction
Data 101: A Gentle Introduction
 
Is data publication the right metaphor?
Is data publication the right metaphor?Is data publication the right metaphor?
Is data publication the right metaphor?
 
Is data publication the right metaphor?
Is data publication the right metaphor?Is data publication the right metaphor?
Is data publication the right metaphor?
 

Plus de Michael Scovetta

Peter Norvig - NYC Machine Learning 2013
Peter Norvig - NYC Machine Learning 2013Peter Norvig - NYC Machine Learning 2013
Peter Norvig - NYC Machine Learning 2013Michael Scovetta
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesMichael Scovetta
 
Exploitation and State Machines
Exploitation and State MachinesExploitation and State Machines
Exploitation and State MachinesMichael Scovetta
 
Don't Give Credit: Hacking Arcade Machines
Don't Give Credit: Hacking Arcade MachinesDon't Give Credit: Hacking Arcade Machines
Don't Give Credit: Hacking Arcade MachinesMichael Scovetta
 
The Listening: Email Client Backdoor
The Listening: Email Client BackdoorThe Listening: Email Client Backdoor
The Listening: Email Client BackdoorMichael Scovetta
 
DEFCON 18- These Aren't the Permissions You're Looking For
DEFCON 18- These Aren't the Permissions You're Looking ForDEFCON 18- These Aren't the Permissions You're Looking For
DEFCON 18- These Aren't the Permissions You're Looking ForMichael Scovetta
 
Systematic Detection of Capability Leaks in Stock Android Smartphones
Systematic Detection of Capability Leaks in Stock Android SmartphonesSystematic Detection of Capability Leaks in Stock Android Smartphones
Systematic Detection of Capability Leaks in Stock Android SmartphonesMichael Scovetta
 
Consumer Password Worst Practices
Consumer Password Worst PracticesConsumer Password Worst Practices
Consumer Password Worst PracticesMichael Scovetta
 
A collection of examples of 64 bit errors in real programs
A collection of examples of 64 bit errors in real programsA collection of examples of 64 bit errors in real programs
A collection of examples of 64 bit errors in real programsMichael Scovetta
 
If You Don't Like the Game, Hack the Playbook... (Zatko)
If You Don't Like the Game, Hack the Playbook... (Zatko)If You Don't Like the Game, Hack the Playbook... (Zatko)
If You Don't Like the Game, Hack the Playbook... (Zatko)Michael Scovetta
 
Scaling Cyberwarfare (Roelker)
Scaling Cyberwarfare (Roelker)Scaling Cyberwarfare (Roelker)
Scaling Cyberwarfare (Roelker)Michael Scovetta
 
High Assurance Systems (Fisher)
High Assurance Systems (Fisher)High Assurance Systems (Fisher)
High Assurance Systems (Fisher)Michael Scovetta
 
PROCEED and Crowd-Sourced Formal Verification
PROCEED and Crowd-Sourced Formal VerificationPROCEED and Crowd-Sourced Formal Verification
PROCEED and Crowd-Sourced Formal VerificationMichael Scovetta
 
National Cyber Range (Ranka)
National Cyber Range (Ranka)National Cyber Range (Ranka)
National Cyber Range (Ranka)Michael Scovetta
 

Plus de Michael Scovetta (20)

Peter Norvig - NYC Machine Learning 2013
Peter Norvig - NYC Machine Learning 2013Peter Norvig - NYC Machine Learning 2013
Peter Norvig - NYC Machine Learning 2013
 
Android Attacks
Android AttacksAndroid Attacks
Android Attacks
 
Strategic Surprise
Strategic SurpriseStrategic Surprise
Strategic Surprise
 
Stackjacking
StackjackingStackjacking
Stackjacking
 
Modern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and TechniquesModern Kernel Pool Exploitation: Attacks and Techniques
Modern Kernel Pool Exploitation: Attacks and Techniques
 
Exploitation and State Machines
Exploitation and State MachinesExploitation and State Machines
Exploitation and State Machines
 
Don't Give Credit: Hacking Arcade Machines
Don't Give Credit: Hacking Arcade MachinesDon't Give Credit: Hacking Arcade Machines
Don't Give Credit: Hacking Arcade Machines
 
Attacking the WebKit Heap
Attacking the WebKit HeapAttacking the WebKit Heap
Attacking the WebKit Heap
 
The Listening: Email Client Backdoor
The Listening: Email Client BackdoorThe Listening: Email Client Backdoor
The Listening: Email Client Backdoor
 
Smooth CoffeeScript
Smooth CoffeeScriptSmooth CoffeeScript
Smooth CoffeeScript
 
DEFCON 18- These Aren't the Permissions You're Looking For
DEFCON 18- These Aren't the Permissions You're Looking ForDEFCON 18- These Aren't the Permissions You're Looking For
DEFCON 18- These Aren't the Permissions You're Looking For
 
Systematic Detection of Capability Leaks in Stock Android Smartphones
Systematic Detection of Capability Leaks in Stock Android SmartphonesSystematic Detection of Capability Leaks in Stock Android Smartphones
Systematic Detection of Capability Leaks in Stock Android Smartphones
 
Consumer Password Worst Practices
Consumer Password Worst PracticesConsumer Password Worst Practices
Consumer Password Worst Practices
 
HTML5 Web Security
HTML5 Web SecurityHTML5 Web Security
HTML5 Web Security
 
A collection of examples of 64 bit errors in real programs
A collection of examples of 64 bit errors in real programsA collection of examples of 64 bit errors in real programs
A collection of examples of 64 bit errors in real programs
 
If You Don't Like the Game, Hack the Playbook... (Zatko)
If You Don't Like the Game, Hack the Playbook... (Zatko)If You Don't Like the Game, Hack the Playbook... (Zatko)
If You Don't Like the Game, Hack the Playbook... (Zatko)
 
Scaling Cyberwarfare (Roelker)
Scaling Cyberwarfare (Roelker)Scaling Cyberwarfare (Roelker)
Scaling Cyberwarfare (Roelker)
 
High Assurance Systems (Fisher)
High Assurance Systems (Fisher)High Assurance Systems (Fisher)
High Assurance Systems (Fisher)
 
PROCEED and Crowd-Sourced Formal Verification
PROCEED and Crowd-Sourced Formal VerificationPROCEED and Crowd-Sourced Formal Verification
PROCEED and Crowd-Sourced Formal Verification
 
National Cyber Range (Ranka)
National Cyber Range (Ranka)National Cyber Range (Ranka)
National Cyber Range (Ranka)
 

Dernier

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 

Dernier (20)

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 

Anomaly Detection at Multiple Scales (Waltzman)

  • 1. Rand Waltzman Program Manager, Information Innovation Office Anomaly Detection at Multiple Scales DARPA Cyber Colloquium Arlington, VA November 7, 2011 Approved for Public Release, Distribution Unlimited.
  • 2. The problem… • Why didn’t we see it coming? • Robert Hanssen • Aldrich Ames • Ana Belen Montes • The trail of evidence was obvious after the fact • Why is it so hard to pick up the trail before the fact? • Answer: • Difficult to characterize anomalous v normal behaviors • Malicious activities distributed over time and cyberspace • Weak signal in a noisy background • Enormous amount of data Approved for Public Release, Distribution Unlimited
  • 3. How much data? • Find evidence of an insider at Fort Hood: • 65,000 soldiers at Fort Hood • Represent the e-mail and text message traffic as a graph • Nodes represent persons • Links represent e-mail or text messages • Analyze 47,201,879,000 links between 2,336,726 nodes over one year • Find evidence against one person over the entire DoD: • E-mail and text message traffic only • Analyze 755,230,064,000 links between 37,387,616 nodes over one year • And this does not include web-searches, file accesses, applications run, and many other forms of cyber observable behavioral data. Approved for Public Release, Distribution Unlimited
  • 4. Anomaly Detection at Multiple Scales (ADAMS) • Focus on malevolent insiders that started out as good guys • Research organized into four coordinated thrusts • Topic analysis • Develop signatures for areas of responsibility • Detect straying from tasked topic areas, or produces unexpected content • System use • Temporal sequences of system and file accesses • Patterns of behavior • Social interactions and networks • Indicators • Social exchanges • Psychological state • Personal temperament and mental health • Distress, instability, or other vulnerability Detect the signs that they are turning before or shortly after they turn Approved for Public Release, Distribution Unlimited
  • 5. Example: Insider Threat Scenarios in StackOverflow.com • Data set with 645 thousand users, 5.5 million question posts, and 12 million responses • Use of human controlled alias accounts (aka Sock Puppets) for voting fraud • 9 inserted sock puppet voting fraud schemes • Oregon State University graph analytics detected 7 out of 9 schemes and 310 out of 535 sock puppets. Approved for Public Release, Distribution Unlimited.
  • 6. Contact Information • If you would like to pursue topics discussed in this presentation, please send your ideas to • rand.waltzman@darpa.mil Approved for Public Release, Distribution Unlimited