Preliminary Results From Invoking Artificial Neural Networks To Measure Insider Threat Mitigation

Year: 2020

Authors:
Shannon N. Abbott - Sandia National Laboratories
Adam Williams - Sandia National Laboratories
Noelle Camp - Sandia National Laboratories

Abstract

Insider threat mitigation programs have traditionally focused on preventative (measures implemented before access is granted) and protective (measures taken after access is granted) strategies to mitigate insider threats to nuclear facilities. These approaches focus on identifying and deterring problematic or malevolent behaviors of individuals instead of evaluating collective behaviors observed in the facilities. This approach has resulted in an overreliance on generic job task analysis and detection of aberrant behavior that does not account for patterns of workplace behavior, ignores facility recovery operations, and lacks adequate measures of mitigation effectiveness. In response, emerging research hypothesizes that empirical data from increasingly networked security and facility “health-monitoring” systems can be used to improve, and automate, portions of insider threat mitigation programs. These advances are based on differentiating between malicious intent and natural “organizational evolution” to explain observed anomalies in collective workplace dynamics, trends, and patterns. This paper summarizes related research performed as a collaborative effort between the U.S. National Nuclear Security Administration’s International Nuclear Security Program (NNSA/INS), Sandia National Laboratories (Sandia), and the University of Texas at Austin (UT-Austin). Empirical data on work patterns collected with the commercially available ReconaSense artificial neural network at UT-Austin’s Nuclear Engineering Teaching Laboratory (NETL)—a TRIGA MARK II research reactor facility—were used to explore the improved capability to detect off-normal personnel activities and identify elevated risk levels for suspected regions.

More specifically, this new insider threat mitigation approach was tested against three scenarios: attempted access to the intrusion detection system panel, attempted off-hour access to the reactor bay, and scouting potential access to the fuel storage facility. Signals collected included door access readers, video surveillance, area radiation monitors, and personnel radiation detection portals. The preliminary results were promising, suggesting that such a “facility health monitoring” approach helps to quantitatively describe insider threat potential and evaluate mitigation effectiveness.

SAND2020-1172A. SNL is managed and operated by NTESS under DOE NNSA contract DE-NA0003525.