DocumentCode :
480819
Title :
Intent-Driven Insider Threat Detection in Intelligence Analyses
Author :
Santos, Eugene, Jr. ; Nguyen, Hien ; Yu, Fei ; Kim, Keumjoo ; Li, Deqing ; Wilkinson, John T. ; Olson, Adam ; Jacob, Russell
Author_Institution :
Thayer Sch. of Eng., Hanover, NH
Volume :
2
fYear :
2008
fDate :
9-12 Dec. 2008
Firstpage :
345
Lastpage :
349
Abstract :
When decisions need to be made in government, the intelligence community (IC) is tasked with analyzing the situation. This analysis is based on a huge amount of information and usually under severe time constraints. As such, it is particularly vulnerable to attacks from insiders with malicious intent. A malicious insider may alter, fabricate, or hide critical information in their analytical products, such as reports, in order to interfere with the decision making process. In this paper, we focus on detecting such malicious insiders. Malicious actions such as disinformation tend to be very subtle and thus difficult to detect. Therefore, we employ a user modeling technique to model an insider based on logged information and documents accessed while accomplishing an intelligence analysis task. We create a computational model for each insider and apply several detection metrics to analyze this model as it changes over time. If any deviation of behavior is detected, alerts can be issued. A pilot test revealed that the computed deviations had a high correlation with insiders' cognitive styles. Based on this finding, we designed a framework that minimized the impact of differences in cognitive styles. In our evaluation, we used data collected from intelligence analysts, and simulated malicious insiders based on this data. A high percentage of the simulated malicious insiders were successfully detected.
Keywords :
security of data; user modelling; intelligence analyses; intent-driven insider threat detection; logged information; user modeling technique; Computational intelligence; Computational modeling; Decision making; Educational institutions; Government; Information analysis; Intelligent agent; Interference constraints; Jacobian matrices; Time factors; insider threats; intelligence analyses; intelligence community; user modeling;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Web Intelligence and Intelligent Agent Technology, 2008. WI-IAT '08. IEEE/WIC/ACM International Conference on
Conference_Location :
Sydney, NSW
Print_ISBN :
978-0-7695-3496-1
Type :
conf
DOI :
10.1109/WIIAT.2008.376
Filename :
4740647