Preliminary Results From Invoking Artificial Neural Networks To Measure Insider Threat Mitigation

摘要

Insider threat mitigation programs have traditionally focused on preventative (measures implemented before access is granted) and protective (measures taken after access is granted) strategies to mitigate insider threats to nuclear facilities. These approaches tend to focus on identifying and deterring problematic or malevolent behaviors of individuals instead of evaluating collective behaviors observed in the facilities. This approach may result in an overreliance on generic job task analysis and detection of aberrant behavior that may not fully account for patterns of workplace behavior, may inadvertendy ignore facility recovery operations, and seemingly struggles to identify clear measures of mitigation effectiveness. In response, emerging research hypothesizes utilizing empirical data from increasingly networked security and facility "health-monitoring" systems to improve, and automate, portions of insider threat mitigation programs. These advances are based on differentiating between malicious intent and natural "organizational evolution" to explain observed anomalies in collective workplace dynamics, trends, and patterns. This paper summarizes related research performed as a collaborative effort between the U.S. National Nuclear Security Administration's International Nuclear Security Program (NNSA/INS), Sandia National Laboratories (Sandia), and the University of Texas at Austin (UT-Austin). Empirical data on work patterns collected with the commercially available ReconaSense artificial neural network (ANN) at UT's Nuclear Engineering Teaching Laboratory (NETL)-a TRIGA MARK II research reactor facility-were used to explore the improved capability to detect off-normal personnel activities and identify elevated risk levels for suspected regions. More specifically, this new insider threat mitigation approach was tested against three scenarios: attempted access to the intrusion detection system panel, attempted off-hour access to the reactor bay, and scouting potential access to the fuel storage facility. Signals collected included door access readers, video surveillance, area radiation monitors, and personnel radiation detection portals. The preliminary results were promising, suggesting that such a "facility health monitoring" approach-supported by ANN data analysis-helps to quantitatively describe insider threat detection and mitigation. While additional studies are needed to fully understand and characterize the benefits of such an approach, the results of this initial study of one particular commercially available option are very promising for demonstrating a new framework for insider threat detection and mitigation utilizing artificial neural networks and data analysis techniques.