2025 End User Challenge Statement

CS01: AI-Powered Automated Analysis of Privileged Access Management Session Logs and Screen Recordings

Challenge

Develop a cost-effective, standalone AI component that seamlessly integrates with existing Privileged Access Management (PAM) systems to autonomously analyse session screen recordings and log data for irregular or suspicious user behaviour.

The solution should address the inefficiencies and potential for oversight in manual reviews, whilst overcoming the interpretive challenges of non-natural language logs to provide accurate, actionable security insights.

Background

PAM serves as an identity security mechanism that identifies and obstructs unauthorised entry to vital assets while monitoring the activities of privileged users
during their access to these critical resources. The system records user sessions through logs and screen video captures.

Whenever there is a requirement to perform changes to the system (such as patches or updates to certain component), the administrator or the vendor will do it through the organisation’s PAM setup. The PAM solution will perform recording of the entire session from logon to the completion of the change. This is required as a regulation for CII (OT).

Analysing these recordings is currently done manually, which is tedious and timeconsuming. The commands are difficult to interpret because they are not written in natural language (system commands) and operators could open multiple command prompt in a single terminal. The video recordings are long and cumbersome to review, making it easy for important details to be overlooked. In addition, there are a lot of videos accumulated in the organisation over the past few years, manual review of these videos will take a long time. Therefore, there is a clear need for a cost-effective, private AI driven internal solution that can be easily integrated into the existing PAM framework to automate and improve the analysis process (extract, analyse, classify, and alert/report). The AI solution should operate across the four stages from the analysis process.

For example, in an OT environment, when data diode bypass occurs, a vendor will RDP to the terminal server and access the target device for troubleshooting or maintenance. The AI should be able to review the vendor’s actions via screen recordings after the session has ended and flag any suspicious activities during a post-event audit. This includes identifying malicious actions such as attempting to access devices other than the intended target, or deviations from standard plant activities like the creation of new accounts or changes to firewall rules.

Another example is in an IT environment, where users typically access servers to perform upgrades or patching in accordance with release notes. The AI should be capable of reviewing the user’s actions via session recordings after the event has concluded and flagging any deviations from the release notes or unexpected and suspicious activities during the post-event audit.

Requirements

The solution should encompass, but not be limited to, the following features:

1. Extract and process data from PAM solutions, handling both text-formatted
   logs and screen recording videos.
2. Conduct behavioural analysis after PAM sessions to ensure compliance with benchmarks.
3. Identify and flag anomalies from internal administrator and third-party support staff during post-session analyses.
4. Recognise acceptable behaviours that may deviate from benchmarks but are not considered security risks.
5. Allow for benchmark and configuration settings to be input in various formats, including change management request (could be in document or email format) release notes and natural language instructions.
6. Performance standards: Achieve minimum 80% accuracy with maximum 20% false positive rate for deployment; 95% accuracy with maximum 5% false positive rate for production usage.
7. Utilise User and Entity Behaviour Analytics (UEBA) training with ‘golden images’ and typical user behaviour patterns as references.
8. Operate efficiently without excessive bandwidth, time, or processing power
   consumption.
9. Classify the confidence level of detected anomalies into categories such as HIGH, MEDIUM, and LOW.
10. Provide post-session alerts for detected anomalies.
11. Enable querying of recording contents using natural language.
12. Generate analysis reports in a user-friendly format.
13. An advantageous feature would be the capability for the solution to automatically conduct real-time behavioural analysis, assess user actions against established benchmarks or blacklisted processes, and where necessary, proactively manage and restrict user access to specific assets.

Additional Information

1.  Compatible with various PAM solutions on the market. Integrate smoothly
   with existing PAM systems without complex setup procedures or loss of
   existing PAM features.
2. Be compatible with both Information Technology (IT) and OT environments, accommodating one-way data transfer from OT to IT using Data Diodes.
3. Function in offline environments, particularly in Operational Technology (OT) settings.
4. The solution may be a non-video analytic tool, provided it meets the requirement.
5. Training of the AI model would be executed with sensitive data privacy and concerns.
6. Operate efficiently without excessive bandwidth, time, or processing power consumption.

2025 End User Challenge Statement

CS03: Inter-Agency Cryptocurrency Investigation Collaboration Platform

Challenge

Develop a secure, real-time information sharing platform that enables multiple agencies to collaborate on cryptocurrency investigations while maintaining operational security and avoiding duplication of investigative efforts across blockchain addresses and entities.

Background

Singapore and the surrounding region face increasing illicit activities including money laundering, fraud, ransomware attacks and cross-border crimes, which increasingly leverage digital assets/cryptocurrencies.

Currently, authorities conduct cryptocurrency investigations independently, leading to duplication of efforts when multiple agencies unknowingly investigate the same wallet addresses or entities. This siloed approach creates inefficiencies that strain agencies’ resources as cryptocurrency crime volume increases and investigations get more complex.

Existing market solutions are primarily blockchain analysis tools for individual users rather than secure, multi-agency collaboration platforms that can support sensitive information sharing whilst maintaining strict access controls and operational security requirements.

Requirements

The solution should encompass, but not be limited to, the following features:

1. Secure database with bulk upload functionality for cryptocurrency
   information such as wallet addresses with associated investigation
   metadata
2. Wallet address clustering and relationship mapping functionality
3. Quick wallet address lookup to verify existing agency interest
4. Real-time duplicate detection and alert notification when multiple agencies input identical wallet addresses or associations with known wallet address clusters
5. Automated OSINT enrichment for wallet addresses of interest
6. Real-time newsfeed on crypto security incidents, exploits and local crypto news
7. Configurable role-based access control by agencies, departments and user roles.
8. User authentication integration with official authentication system
9. Comprehensive analytics dashboard with metrics on wallets, duplicates detected, and platform usage statistics
10. Comprehensive audit trail for all logins and data access
11. Knowledge base repository for investigation
12. API integration with user-specified commercial blockchain intelligence databases for deeper insights on wallet addresses and wallet clustering relationships.
13. Darknet monitoring to identify compromised or exposed agency-controlled wallet addresses.
14. Secure wallet seed phrase management with encryption and multi-level access control