Scientific advances to Continuous Insider Threat Evaluation (SCITE)

The SCITE program is focused on modeling and forecasting the performance of the automated portion of an insider threat detection enterprise (detectors, indicators and algorithms) in detecting users who satisfy analyst-specified definitions of potential threats (e.g., users who are substantially dissatisfied with work, strongly object to certain policies, are actively engaged in espionage activities, are proactively hiding undeclared sources of income, etc.).

SCITE will perform research to advance the practice of insider threat detection through two separate research thrusts. The first research thrust will develop a new class of automated indicators, called active indicators, and associated automated detection tools that are designed to detect espionage activities. Current practice and research are heavily focused on passive indicators that monitor existing data sources for indicative behaviors. Active indicators introduce stimuli into a user’s environment that are designed to evoke responses that are far more characteristic of malicious users than normal users. For example, a stimulus that suggests that certain file-searching behaviors may be noticed is likely to be ignored by a normal user engaged in work-related searches, but may cause a malicious user engaged in espionage to cease certain activities.

The second research thrust will develop a methodology to build Inference Enterprise Models (IEMs) that model the automated portions of insider threat detection enterprises and forecast the performance of those enterprises in detecting a diverse array of analyst-defined potential threats. An inference enterprise comprises the data, tools, people and processes that are employed to make specific inferences – in this case, inferences about whether a user is a potential threat. An IEM is a model of an inference enterprise that forecasts the performance of existing and hypothesized inference enterprises in making the correct inferences. In the case of SCITE, a correct inference is a correct determination of whether or not an individual is a potential threat.

Agency Contact Information

IARPA, Office for Anticipating Surprise
ATTN: IARPA-BAA-15-09
Office of the Director of National Intelligence
Intelligence Advanced Research Projects Activity
Washington, DC 20511
Fax: 301-851-7672
Electronic mail: dni-iarpa-baa-15-09@iarpa.gov

Program Manager

Dr. Paul Lehner