Anomaly Detection at Multiple Scales

Establishment: 2011
Sponsor: DARPA
Value: $35 million
Goal: Detect insider threats in defense and government networks
Website: www.darpa.mil

Anomaly Detection at Multiple Scales, or ADAMS, was a $35 million DARPA project designed to identify patterns and anomalies in very large data sets. It was run by DARPA's Information Innovation Office; it began in 2011 [1] [2] [3] [4] and ended in August 2014. [5]

The project was intended to detect and prevent insider threats such as "a soldier in good mental health becoming homicidal or suicidal", an "innocent insider becoming malicious", or "a government employee [who] abuses access privileges to share classified information". [2] [6] Specific cases mentioned are Nadal Malik Hasan and WikiLeaks source Chelsea Manning. [7] Commercial applications may include finance. [7] The intended recipients of the system output are operators in the counterintelligence agencies. [2] [6]

A final report was published on May 11, 2015, detailing a system known as Anomaly Detection Engine for Networks, or ADEN, developed by the University of Maryland, College Park, whose goal was to "identify malicious users within a network." Using multiple datasets from Wikipedia, Slashdot, and others, researchers were able to identify vandals and malicious users on a website using both conventional algorithms and artificial intelligence. [8]

The Proactive Discovery of Insider Threats Using Graph Analysis and Learning (PRODIGAL) effort was part of the ADAMS project. [6] [9] The Georgia Tech team included the noted high-performance computing researcher David Bader. [10]


References

  1. "ADAMS". DARPA Information Innovation Office. Archived from the original on 2012-01-21. Retrieved 2011-12-05.
  2. "Anomaly Detection at Multiple Scales (ADAMS) Broad Agency Announcement DARPA-BAA-11-04" (PDF). General Services Administration. 2010-10-22. Archived from the original (PDF) on 2012-04-06. Retrieved 2011-12-05.
  3. Ackerman, Spencer (2010-10-11). "Darpa Starts Sleuthing Out Disloyal Troops". Wired. Retrieved 2011-12-06.
  4. Keyes, Charley (2010-10-27). "Military wants to scan communications to find internal threats". CNN. Retrieved 2011-12-06.
  5. "DARPA ADAMS Project".
  6. "Georgia Tech Helps to Develop System That Will Detect Insider Threats from Massive Data Sets". Georgia Institute of Technology. 2011-11-10. Retrieved 2011-12-06.
  7. "Video Interview: DARPA's ADAMS Project Taps Big Data to Find the Breaking Bad". Inside HPC. 2011-11-29. Retrieved 2011-12-06.
  8. Subrahmanian, V. S. (2015-05-11). "Final Report for the DARPA ADAMS Project" (PDF). Retrieved 2024-08-04.
  9. Brandon, John (2011-12-03). "Could the U.S. Government Start Reading Your Emails?". Fox News. Archived from the original on 2011-12-03. Retrieved 2011-12-06.
  10. "Anomaly Detection at Multiple Scales". Georgia Tech College of Computing. Retrieved 2011-12-06.