Intelligence Analyses and the Insider Threat

Abstract

In the intelligence community, the existence of a malicious insider poses a severe threat to information, to the actual analytic process, and, ultimately, to any decision-making process relying on such information and analyses. An analyst with malicious intent can create irreversible short-term, as well as long-term, damage that is hard to detect. In this paper, we propose a novel methodology that detects malicious analysts who attempt to manipulate decision makers' perceptions through their intelligence reports. This detection method relies on each analyst's working style, which we assume to be consistent from task to task. In order to measure an analyst's degree of consistency, we employ a user-modeling technique that automatically builds a computational model of each analyst based on observation of their activities. We hypothesize that inconsistency is mainly caused by malicious actions. Therefore, the detection method evaluates how consistent an analyst is across different tasks and raises an alert if any significantly large inconsistency is detected. A normalization procedure is employed which allows us to compare across a group of analysts and is shown to reduce noise and amplify inconsistency that is due to malicious actions. We show that this improves detection performance. Our experiments demonstrate the effectiveness of our approach in detecting malicious insiders. In the experiments, the percentage of malicious insiders grouped with legitimate ones is varied, and results are collected with and without normalization in order to provide a comprehensive analysis of our approach.