Processing events in probabilistic risk assessment
Post on 12-Jul-2015
9th International Conference on Semantic Technologies for Intelligence, Defense, and Security (STIDS). November 20, 2014
Annotated presentation—see Notes Page view.
Three event-informed person risk models
1. MC (“Carbon”): Information disclosure risk
   Belief that a (candidate) member person P will disclose an organization’s private information
   Life (“macro”) events: education, employment; crime, civil judgment; bankruptcy, credit; …
2. MS (“Silicon”): IT system insider exploitation risk
   Belief that a user will access, disclose, or destroy an organization’s computer network-resident information
   Computer network (“micro”) events: log in after hours; access “decoy” file; copy file to external location or thumb drive
3. MG = MC • MS
NOTE: Carbon and Silicon are names of Haystax Analytic Products
Theme
Issue: Apply event evidence to person attribute concept random variables (RVs) in a risk assessment Bayesian network (BN), modeling events’ changing relevance over time.
Given:
   Person P
   Events E, in P’s past or present
   Generic person BN B, with risk-related person attribute concept RVs (Boolean) and concept-relating probabilistic influences
   A reference time t (in an ordered set T of such points)
Develop:
   Person-specific BN BP reflecting E
   Beliefs in P’s attribute concept at t, per BP (P’s historical risk profile over T)
Elided B with ingested event categories (MC)
[Figure: fragment of the generic person BN B showing concept RVs Reliable, Trustworthy, CommittedToSchool, CommittedToCareer, CommitsMisdemeanor, …, with the ingested event categories that feed them: school events, employment events, law enforcement events, …]
Approaches to realizing BP
1. Event “ingestion”: For each event e in E, …
   Include a new event RV δ indicating person attribute concept π in BP
   Specify per-event half-life decay as a new temporal relevance RV ρ
   Enter hard evidence finding on δ
   Appropriate when events of a given type τ are individually salient
   Feasible when |E| << |nodes(B)|
[BN fragment, Ingestion: event RV δ → concept RV π, with temporal relevance RV ρ]
Life events timeline (MC)
Three event-informed person risk models
1. MC (“Carbon”): Information disclosure risk
   B: 100s of RVs, extracted from official policy / guidelines (under in situ test)
   Life (“macro”) events: 10s of types; 10s of events / person; 10s of years of data
   Ingestion only (“hard” salience); 10s of rules
2. MS (“Silicon”): IT system insider exploitation risk
   B: 10s of RVs, eyeballed (preliminary proof of concept)
   Computer network (“micro”) events: 10s of types; 100Ks of events / person; 1.5 years of data
   Summarization, primarily (“soft” salience); 1s of ingestion rules
3. MG = MC • MS
Approaches to realizing BP
2. Event “summarization”: For each event type τ represented in E, …
   Include an event “summary” RV Δ indicating π in B
   Develop a likelihood summarizing the impact of events of type τ collected into temporal buckets
   Enter likelihood finding on Δ
   Appropriate when the salience of events of type τ tends to depend on trends w.r.t. an individual or a population thereof
   Useful when ¬(|E| << |nodes(B)|)
[BN fragment, Summarization: event RVs δ1, δ2, …, δn → summary RV Δ → concept RV π, with temporal relevance RV ρ]
Summarization elements (per RV)
Summarize events over a practically unlimited duration, by using temporal buckets of geometrically increasing size.
Infer salience from event volume variation w.r.t. a person’s own and the population’s history.
Weight buckets per desired temporal relevance decay.
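The three summarization elements above carried through in code, as an added example that is not the presentation's or Haystax's code: geometric buckets, variation of a bucket's event rate against the person's own and the population's baseline, and half-life weighting of buckets (the same decay the ingestion rule's :DeltaDays/:HalfLife expresses). The bucket edges 1, 4, 16, 64 days, the half-life formula and the saturating variation measure are assumptions, as are the sample events.

```python
"""Event summarization over geometrically growing temporal buckets (added
example, not the presentation's code). Assumed, not on the slides: bucket
edges at 1, 4, 16, 64 days before reference time t; relevance 0.5 ** (age /
half_life); the variation measure below. Baseline rates (events per day) come
from the person's own history (self) and from the population (all)."""

BUCKET_EDGES = (1, 4, 16, 64)  # assumed: bucket i spans [edge_{i-1}, edge_i) days before t

def half_life_relevance(age_days, half_life_days):
    """Nominal temporal relevance (rho) of evidence age_days old."""
    return 0.5 ** (age_days / half_life_days)

def bucket_spans():
    """(lo, hi) day ranges of the buckets, most recent first."""
    lo, spans = 0, []
    for hi in BUCKET_EDGES:
        spans.append((lo, hi))
        lo = hi
    return spans

def bucket_counts(event_ages):
    """Count events per bucket; event_ages are days before t."""
    return [sum(1 for a in event_ages if lo <= a < hi) for lo, hi in bucket_spans()]

def bucket_rates(counts):
    """Events per day per bucket, so buckets of different width compare."""
    return [c / (hi - lo) for c, (lo, hi) in zip(counts, bucket_spans())]

def variation(rate, baseline):
    """Assumed measure in [0, 1]: how far a bucket's rate exceeds a baseline rate."""
    excess = max(rate - baseline, 0.0)
    if baseline <= 0.0:
        return 1.0 if excess > 0.0 else 0.0
    return excess / (excess + baseline)

def suspicion_warrant(event_ages, self_baseline, all_baseline, half_life_days):
    """Likelihood finding for the summary RV (Delta): per-bucket variations vs.
    self and population averaged, then weighted by half-life relevance."""
    num = den = 0.0
    for rate, (lo, hi) in zip(bucket_rates(bucket_counts(event_ages)), bucket_spans()):
        weight = half_life_relevance((lo + hi) / 2, half_life_days)  # midpoint age
        num += weight * (variation(rate, self_baseline) + variation(rate, all_baseline)) / 2
        den += weight
    return num / den

# Constructed sample: CopyDecoyToExternal events 0, 0, 2, 3, 10 and 40 days before t,
# for a person with no such history, in a population averaging 0.02 such events/day.
SAMPLE_AGES = (0, 0, 2, 3, 10, 40)
if __name__ == "__main__":
    print(bucket_counts(SAMPLE_AGES), round(suspicion_warrant(SAMPLE_AGES, 0.0, 0.02, 30), 3))
```

The same six events placed 40 or more days back produce a much lower warrant, which is the bucket weighting doing the work of the temporal relevance RV.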
Summarization metric: Count (CopyDecoyToExternal) (MS)
[Chart: event count per temporal bucket; x-axis Day with bucket edges 1, 4, 16, 64; y-axis Count, 0 to 600]
Summarization metric: Variation re self (CopyDecoyToExternal) (MS)
[Chart: per-bucket variation relative to the person’s own history; x-axis Day with bucket edges 1, 4, 16, 64; y-axis Variation: self, 0 to 1]
Summarization metric: Variation re all (CopyDecoyToExternal) (MS)
[Chart: per-bucket variation relative to the population; x-axis Day with bucket edges 1, 4, 16, 64; y-axis Variation: all, 0 to 1]
Summarization metric: Variations mean (CopyDecoyToExternal) (MS)
[Chart: mean of the two variations per bucket; x-axis Day with bucket edges 1, 4, 16, 64; y-axis Variations mean, 0 to 1]
Summarization metric: Suspicion warrant (CopyDecoyToExternal) (MS)
[Chart: resulting suspicion warrant; x-axis Day 1 to 63; y-axis Suspicion warrant, 0 to 1]
Computer network events timeline (MS)
Influence graph specification (MS)
;; Influence graph for the MS ("Silicon") model: how concept RVs imply, indicate,
;; gate and mitigate one another; _Summary nodes are summarized event types,
;; the comments mark where ingested event RVs attach instead.
(defparameter *Influences*
  '((ExploitsITSystemAsInsider
     (:ImpliedByDisjunction
      (CommitsITExploitation
       (:ImpliedBy (DestroysInformationUnauthorized)
                   (AccessesInformationUnauthorized)  ; Ingested: HandlesKeylogger_Event
                   (DisclosesInformationUnauthorized) ; Ingested: CopyFileToWikileaks_Event
                   (StealsInformation)))              ; Ingested: CopyFileToCompetitor_Event
      (WarrantsITExploitationSuspicion
       (:ImpliedBy (WarrantsInformationDestructionSuspicion
                    (:IndicatedBy (:Strongly (DeleteFileOnOthersPC_Summary))
                                  (:Moderately (DeleteFileOnLabsPC_Summary))))
                   (WarrantsUnauthorizedInformationAccessSuspicion
                    (:IndicatedBy (:Moderately (AfterHoursLogin_Summary))
                                  (:Weakly (OpenFileOnOthersPC_Summary))))
                   (WarrantsUnauthorizedInformationDisclosureSuspicion
                    (:IndicatedBy (:Strongly (CopyOthersFileToThumb_Summary)
                                             (CopyDecoyToExternal_Summary))
                                  (:Moderately (OpenDecoyFile_Summary)
                                               (AcquireDecoyFile_Summary)
                                               (CopyFileToExternal_Summary))
                                  (:Weakly (CopyFromThumbToOwnPC_Summary)
                                           (CopyOwnFileToThumb_Summary)
                                           (CopyOthersFileToExternal_Summary)))))
       (:RelevantIf (:Locally (:Absolutely (Untrustworthy))))
       (:MitigatedBy (:Locally (:Strongly (HasRole-ITAdmin)))))))))
Computer network events timeline (MS)
Combined timeline (MG = MC • MS)
Ingestion issue: Interacting temporal relevance nodes
Temporal relevance nodes participate in belief propagation in BP, making their beliefs (so, effective temporal relevance) subject to departure from nominal specification.
Multiple temporally and/or semantically close events’ relevance nodes reinforce each other, inducing temporal relevance beyond nominal specification: five simultaneous events’ relevance decays only 6% after one half-life interval, where we might naively expect 50%.
Summarization largely insulates a temporal relevance node from surrounding belief propagation.
Supporting software “stack”
Allegro Common Lisp® (ACL)
AllegroGraph® Lisp direct client
Allegro Prolog macros (e.g., select)
Lisp macros (e.g., iterate-cursor)
ACL API to the Netica® API
Netica® API
Ingestion rule (MC)
;; A reported protective restraining order indicates CommitsDomesticViolence,
;; with strong positive polarity and relevance decaying from the order's end
;; date (:Terminus :end) on a six-year half life.
(defIngestionRule RestrainingOrder
  (+process-reportedEvent ?person ?*asOfDate)
  (reportedEvent ?person
                 ?*asOfDate
                 ?event
                 !agent:ProtectiveRestrainingOrder
                 ?*startDate
                 ?*endDate
                 ?*ongoing?
                 ?*reportDate)
  (lisp (create-EventConceptIndication
         ?person
         :IndicatedConcept CommitsDomesticViolence
         :+IndicatingEvent ?event
         :Terminus :end
         :DeltaDays (- ?*asOfDate ?*endDate)
         :HalfLife (* 6 365)
         :Strength :strong
         :Polarity :positive)))
Ontology and data specifications (MC)
;; Data instances: person P with school attendance, diploma award, employment
;; and a misdemeanor offense, each tied to P via riskRatingSubject.
(defOntologyInstance !data:P (Person))
(defOntologyInstance !data:PHighSchoolAttendance
  (SchoolAttendance)
  (riskRatingSubject !data:P)
  (schoolCredentialAward !data:PDiplomaAward)
  (startDate "2000-09-04")
  (endDate "2004-06-15"))
(defOntologyInstance !data:PDiplomaAward
  (SchoolCredentialAward)
  (riskRatingSubject !data:P)
  (startDate "2004-06-15")
  (schoolCredentialAwarded HighSchoolDiploma))
(defOntologyInstance !data:PEmployment
  (Employment)
  (riskRatingSubject !data:P)
  (startDate "2004-07-05")
  (endDate "2009-09-05"))
(defOntologyInstance !data:PMisdemeanorAssault
  (PoliceOffense)
  (riskRatingSubject !data:P)
  (offenseChargeSchedule Misdemeanor)
  (startDate "2007-06-30"))
;; Ontology classes: Person, Gender, Date and the Event hierarchy.
(defOntologyClass Person (Thing)
  (hasGender Gender :Functional))
(defOntologyClass Gender (Thing)
  (:enumeration Male Female OtherGender))
(defOntologyType Date !xsd:date)
(defOntologyClass Event (Thing)
  (riskRatingSubject Person :Functional)
  (startDate Date (:cardinality 1))
  (endDate Date :Functional)
  (sourceReport Report :Functional))
(defOntologyClass PointEvent (Event)
  (hasConsequentEvent Event))
(defOntologyClass DurativeEvent (Event)
  (hasSubEvent Event))
(defOntologyClass ProtectiveRestrainingOrder (PointEvent))
Questions?
Thank you.
Extras…
Approaches to realizing BP
1. Event “ingestion”: For each event e in E, …
   Include a new event RV δ indicating person attribute concept π in BP
   Specify per-event half-life decay as a new temporal relevance RV ρ
   Enter hard evidence finding on δ
   Appropriate when events of a given type τ are individually salient
   Feasible when |E| << |nodes(B)|
2. Event “summarization”: For each event type τ represented in E, …
   Include an event “summary” RV Δ indicating π in B
   Develop a likelihood summarizing the impact of events of type τ collected into geometrically larger buckets
   Enter likelihood finding on Δ
   Appropriate when the salience of events of type τ tends to depend on trends w.r.t. an individual or a population thereof
   Needed when ¬(|E| << |nodes(B)|)
[BN fragments: Ingestion: event RV δ → concept RV π, with temporal relevance RV ρ. Summarization: event RVs δ1, δ2, …, δn → summary RV Δ → concept RV π, with temporal relevance RV ρ]
BN fragment patterns
[Figure: Ingestion: event RV δ → concept RV π, with temporal relevance RV ρ. Multi-ingestion (bridge to summarization): event RVs δ1, δ2, …, δn → summary RV Δ → concept RV π, with temporal relevance RV ρ]
Life events timeline (MC)
Summarization metric: Count (CopyDecoyToExternal) (MS)
Event type instance count
Summarization metric: Variation re self (CopyDecoyToExternal) (MS)
Event type historical variation re self
Summarization metric: Variation re all (CopyDecoyToExternal) (MS)
Event type historical variation re all
Summarization metric: Suspicion warrant (CopyDecoyToExternal) (MS)
Event type summary RV likelihood (suspicion warrant)