Restricted Research - Award List, Note/Discussion Page

Fiscal Year: 2014

2064  The University of Texas at San Antonio  (23624)

Principal Investigator: Beebe, Nicole

Total Amount of Contract, Award, or Gift (Annual before 2011): $ 334,089

Exceeds $250,000 (Is it flagged?): Yes

Start and End Dates: 4/15/13 <> 4/14/16

Restricted Research: YES


Department, Center, School, or Institute: Center for Education and Research on Information and Infrastructure Security (CERI2S)  

Title of Contract, Award, or Gift: Detecting Threatening Insiders with Lightweight Media Forensics

Name of Granting or Contracting Agency/Entity: The NAVSUP Fleet Logistics Center San Diego

Program Title: none
CFDA Linked: Basic and Applied Scientific Research


This project will develop and empirically test a new approach for detecting potentially hostile insiders by looking for individuals whose storage behavior diverges from their prior behavior and/or from that of their peers. In a collaborative effort with the Naval Postgraduate School (NPS) via their award under DHS BAA-11-02, The University of Texas at San Antonio (UTSA) will empirically demonstrate the ability to detect anomalous user activity by identifying client workstations upon which user activity is statistically deviant from historical norms from a variety of perspectives. UTSA will develop and test the optimal clustering algorithm, develop and test the data aggregation agent and visualization components for the management console, and provide the final development of outlier detection and visualization technology based on NPS-conducted test results. The proposed system will provide DHS and other organizations with an ability to detect hostile insiders—specifically insiders that are collecting information on their computers either for personal use that is inconsistent with organizational norms (as is the case with pornography), or collecting information with the intent of later exfiltration (as is the case with those stealing sensitive information). Its utility manifests itself in the proposed statistical approach, which accounts for the fact that signature-based insider detection seldom works because each insider case is unique. Its utility also rests in the lightweight nature of the proposed system, which will not place excessive computational or infrastructure burden on organizations. Last, its utility is derived from the fact that this approach is significantly different from signature-based detection algorithms used in the past that have been largely unsuccessful.

Discussion: No discussion notes

