Conference Program IEEE JISIC 2014 Academic Sponsors Technical CoSponsors IEEE Joint Intelligence & Security Informatics Conference The Hague, The Netherlands, September 24-26, 2014 ISI/EISIC2014 http://www.eisic.org The Premier Conference on Intelligence, Safety and Security Informatics


Conference Program

IEEE JISIC 2014

Academic Sponsors

Technical Co-Sponsors

IEEE Joint Intelligence & Security Informatics Conference

The Hague, The Netherlands, September 24-26, 2014

ISI/EISIC2014 http://www.eisic.org

The Premier Conference on Intelligence, Safety and Security Informatics


IEEE JISIC 2014 – Conference Sponsors

Academic Sponsors

Delft University of Technology, PO Box 5, 2600 AA Delft, the Netherlands, +31 15 27 89 111, http://www.tudelft.nl

Netherlands Forensic Institute, PO Box 24044, 2490 AA The Hague, the Netherlands, +31 70 888 66 66, http://www.forensicinstitute.nl

Technical Co-Sponsors

IEEE Intelligence Transportation Systems Society, http://sites.ieee.org/itss

Netherlands Organisation for Scientific Research, PO Box 93138, 2509 AC The Hague, the Netherlands, +31 70 344 06 40, http://www.nwo.nl

City of The Hague, PO Box 12 600, 2500 DJ The Hague, the Netherlands


IEEE JISIC 2014 – Table of Contents

Table of Contents

IEEE JISIC 2014 Conference Sponsors

Table of Contents

IEEE JISIC 2014 Conference Organization

IEEE JISIC 2014 Message from the General Chairs

IEEE JISIC 2014 Message from the Program Chairs

IEEE JISIC 2014 Program at a Glance

IEEE JISIC 2014 Keynote Speeches

IEEE JISIC 2014 Detailed Program

IEEE JISIC 2014 Conference Abstracts

IEEE JISIC 2014 Tutorials

Conference Venue

The Hague City Map

Information for the Participants

IEEE ISI 2015

EISIC 2015

IEEE JISIC 2014 – Conference Organization

Steering Committee

Hsinchun Chen University of Arizona, USA

Chris Yang Drexel University, USA

Uwe Glässer Simon Fraser University, Canada

Joel Brynielsson KTH Royal Institute of Technology, Sweden

General Chairs

Mariëlle den Hengst Delft University of Technology & Police Academy of the Netherlands, the Netherlands

Menno Israel Netherlands Forensic Institute, the Netherlands

Daniel Zeng University of Arizona, USA


Program Chairs

Cor Veenman Netherlands Forensic Institute, the Netherlands

Alan Wang Virginia Tech, USA

Track Chairs

Jeroen Keppens King’s College London, United Kingdom

John Stasko Georgia Institute of Technology, USA

V.S. Subrahmanian University of Maryland, USA

Niall Adams Imperial College London, United Kingdom

Thomas Holt Michigan State University, USA

Jakub Piskorski Frontex


Publicity Chair

Dongsong Zhang University of Maryland, Baltimore County, USA

Web Chair

Panagiotis Karampelas Hellenic American University, USA

Best Paper Selection Committee

Uwe Glässer Simon Fraser University, Canada

Lina Zhou University of Maryland, Baltimore County, USA

Mohammed Hammoudeh Manchester Metropolitan University, United Kingdom

Local Arrangement Chair

NFI Academy Netherlands Forensic Institute, the Netherlands


Program Committee

Sibel Adali

Rensselaer Polytechnic Institute, USA

Niall Adams

Imperial College London, United Kingdom

Babak Akhgar

Sheffield Hallam University, United Kingdom

Massimiliano Albanese

George Mason University, USA

Carlo Aliprandi

Synthema Srl, Italy

Blake Anderson, ,

Mohamed Faouzi Atig

Uppsala University, Sweden

Gerhard Backfried

SAIL LABS Technology AG, Austria

Antonio Badia

University of Louisville, USA

Alejandro Correa Bahnsen

University of Luxembourg, Luxembourg

Guido Barbian

Leuphana University Lueneburg, Germany

Igor Bernik

University of Maribor, Slavonia

Floris Bex

University of Utrecht, the Netherlands

Gabriela Bodea

TNO, the Netherlands

Dean Bodenham

Imperial College London, United Kingdom

Hervé Borrion

University College London, United Kingdom

Joel Brynielsson

FOI Swedish Defence Research Agency, Sweden

Jose Luis Calvo Rolle

Universidad de A Corunha, Spain

Chien-Lung Chan

Yuan Ze University, Taiwan

Weiping Chang

Central Police University, Taiwan

You Chen

Vanderbilt University, USA

Satish Chikkagoudar

Pacific Northwest National Lab, USA

K.P. Chow

The University of Hong Kong, Hong Kong

Wingyan Chung

UNC Fayetteville State University, USA

Tim Croisdale

California State University, Sacramento, USA

Scott Decker

Arizona State University, USA

Leon Deligiannidis

Wentworth Institute of Technology, USA

Norah Dunbar

The University of Oklahoma, USA

David Ebert

Purdue University, USA

Dennis Egan

The George Washington University, USA

Yuval Elovici

Ben-Gurion University, Israel

Alex Endert

Virginia Tech University, USA

Zeki Erdem

TUBITAK BILGEM, Turkey

Shamal Faily

University of Oxford, United Kingdom

Göran Falkman

University of Skövde, Sweden

Guido Ferraro

European Commission Joint Research Center, Italy

Vasco Furtado

University of Fortaleza, Brasil

Monica Gariup

Frontex, Poland

Ross Gayler

La Trobe University, Australia

Uwe Glässer

Simon Fraser University, Canada

Richard Goebel

Hof University, Germany

Bénédicte Goujon

Thales, France

Yuan Gu

Irdeto, China


Kafi Hassan

Sprint Corp, USA

Saike He

Beijing University of Posts and Telecommunications, China

Nick Heard

Imperial College London, United Kingdom

David Hicks

Aalborg University, Denmark

Thomas Holt

Michigan State University, USA

André J. Hoogstrate

Netherlands Forensic Institute, the Netherlands

Daning Hu

University of Zurich, Switzerland

Nils Jensen

Ostfalia HAW, Germany

Sanjeev Jha

University of New Hampshire, USA

Fredrik Johansson

FOI Swedish Defence Research Agency, Sweden

Lisa Kaati

Uppsala University, Sweden

Dmitri Kalashnikov

University of California, Irvine, USA

Yoshinari Kameda

University of Tsukuba, Japan

Anne Kao

Boeing, USA

Sue Kase

US Army, USA

Jeroen Keppens

King's College London, United Kingdom

Latifur Khan

University of Texas at Dallas, USA

Jorn Kohlhammer

Fraunhofer IGD, Germany

Ana Kovacevic

University of Belgrade, Serbia

Steve Kramer

Paragon Science, USA

Daniel Lawson

University of Bristol, United Kingdom

Seok-Won Lee

Ajou University, South Korea

Jiexun Li

Drexel University, USA

Yunji Liang

Northwestern Polytech University, China

Huan Liu

Arizona State Univ, USA

Jiaqi Liu

Chinese Academy of Sciences, China

Chuan Luo

Chinese Academy of Sciences, China

Ross Maciejewski

Arizona State University, USA

David Maimon

University of Maryland, USA

Aaron Mannes

University of Maryland, USA

Luca Mazzola

European Commission Joint Research Centre, Italy

Laura McNamara

Sandia National Lab, USA

Il-Chul Moon

KAIST, South Korea

Robert Moskovitch

Deutsche Telekom Laboratories at Ben-Gurion University

Dr. Azzam Mourad

Lebanese American University (LAU), Lebanon

Hedi Nasheri

Kent State University, USA

Joshua Neil

Los Alamos National Laboratory, USA

Daniel Neill

Carnegie Mellon University, USA

Federico Neri

Synthema srl, Italy

Chris North

Virginia Tech University, USA

Cyril Onwubiko

Intelligence and Security Assurance, E-Security

Richard Overill

King's College London, United Kingdom

Joon Park

Syracuse University, USA

Mark Patton

University of Arizona, USA


Johan Perols

University of San Diego, USA

Rasmus Petersen

Structural Analysis Expert, Denmark

William Pike

Pacific Northwest National Lab, USA

Jakub Piskorski

Frontex, Poland

Jan Platos

VSB - Technical University of Ostrava, Czech Republic

Chaditsa Poulatova

Newcastle University, United Kingdom

Henry Prakken

University of Utrecht/University of Groningen, the Netherlands

Andrea Pugliese

Univ of Calabria, Italy

Shaojie Qiao

Southwest Jiaotong University, China

Chunfeng Qiu, ,

Galina Rogova

Encompass Consulting, USA

Virgilijus Sakalauskas

Vilnius University, Lithuania

Johan Schubert

FOI Swedish Defence Research Agency, Sweden

Bjorn Schuller

Technische Universität München, Germany

Guenter Schumacher

European Commission Joint Research Center, Poland

Kavun Sergii

Kharkiv National University of Economics, Ukraine

Gerardo Simari

University of Oxford, United Kingdom

David Skillicorn

Queen's University, Canada

Martijn Spitters

TNO, the Netherlands

Yannis Stamatiou

RACTI, Greece

John Stasko

Georgia Institute of Technology, USA

Peng Su

Shandong Jianzhu University, China

V.S. Subrahmanian

University of Maryland, USA

Shanmugathasan Suthaharan

University of North Carolina at Greensboro, USA

I-Hsien Ting

National University of Kaohsiung, Taiwan

Róbyn Török

Macquarie University, Australia

Daniel Trottier

University of Westminster, United Kingdom

Egon van Den Broek

University of Twente, the Netherlands

Mark van Staalduinen

TNO, the Netherlands

Jack van Wijk

Eindhoven University of Technology, the Netherlands

Johan van Wilsem

Leiden University, the Netherlands

Bart Verheij

University of Groningen, the Netherlands

Veronica Vinciotti

Brunel University London, United Kingdom

Jozef Vyskoc

VaF s.r.o., Slovak Republic

Klas Wallenius

Saab AB, Sweden

Jenq-Haur Wang

National Taipei University of Technology, Taiwan

Leon Wang

National University of Kaohsiung, Taiwan

Alan Wang

Virginia Tech University, USA

Martijn Warnier

Delft University of Technology, the Netherlands

Chris Weaver

University of Oklahoma, USA

Dave Weston

University of London, United Kingdom

Susanne Wetzel

Stevens Institute of Technology, USA

Christian Wolff

Regensburg University, Germany

William Wong

Middlesex University, United Kingdom


Yinghui Wu

University of California, Santa Barbara, USA

Fatos Xhafa

Polytechnic University of Catalonia, Spain

Shouhuai Xu

University of Texas at San Antonio, USA

Slawomir Zadrozny

Systems Research Institute, Polish Academy of Sciences, Poland

Nan Zhang

The George Washington University, USA

Zhu Zhang

Chinese Academy of Sciences, China

Xiaolong Zheng

Chinese Academy of Sciences, China

Lina Zhou

University of Maryland Baltimore County, USA

JISIC 2014 – Message from the General Chairs

Welcome to the 2014 IEEE Joint Intelligence and Security Informatics Conference (JISIC 2014). Since 2003, the IEEE International Conference on Intelligence and Security Informatics (ISI) (http://www.isiconference.org) has been the leading international scientific conference on interdisciplinary research on information technology for intelligence and security. Meetings have been held in Tucson, AZ (twice); Atlanta, GA; San Diego, CA; New Brunswick, NJ; Taipei, Taiwan; Dallas, TX; Vancouver, Canada; Beijing, China; Washington, D.C.; and Seattle. In 2011, the European counterpart of the ISI started as the European Intelligence and Security Informatics Conference (EISIC) in Athens, Greece, followed by Odense, Denmark in 2012 and Uppsala, Sweden in August 2013. Now it is time that both events meet, so that international researchers in the challenging field of intelligence and security informatics can share ideas on problems, solutions and new directions. We hope that this year’s conference will be as successful as previous years for both ISI and EISIC.

We have the pleasure to announce the following range of distinguished keynote speakers: Jeroen Keppens (King’s College London), Niall Adams (Imperial College London), John Stasko (Georgia Institute of Technology), Thomas Holt (Michigan State University), V.S. Subrahmanian (University of Maryland) and Judee Burgoon (University of Arizona).

Organizing a conference requires a considerable amount of work and support from many people and organizations. We would like to thank all people that have been involved in organizing the conference. In particular, we are grateful for the great work that has been done by the Program Chairs Cor Veenman (Netherlands Forensic Institute) and Alan Wang (Virginia Tech). We are also grateful to Panagiotis Karampelas (Hellenic American University) for his continuous support to keep the website updated. Finally, we want to thank the NFI Academy for all local arrangements.

The EISIC series will continue next year with EISIC 2015 to be held in Manchester, United Kingdom. The organizing committee for EISIC 2015 is led by Mohammed Hammoudeh from Manchester Metropolitan University. The IEEE ISI 2015 conference will be held in Baltimore, USA, and will be organized by Anupam Joshi, Tim Finin, Lina Zhou and Dongsong Zhang from University of Maryland, Baltimore County.

Welcome to The Hague. We hope that you will enjoy JISIC 2014 and your stay in the Netherlands!

Mariëlle den Hengst

Delft University of Technology & Police Academy of the Netherlands

Menno Israël

Netherlands Forensic Institute

Daniel Zeng

University of Arizona

JISIC 2014 – Message from the Program Chairs

Intelligence and Security Informatics (ISI) is an interdisciplinary field of research that focuses on the development, use, and evaluation of advanced information technologies, including methodologies, models and algorithms, systems, and tools, for local, national, and international security-related applications. Over the past decade, the ISI research community has matured and delivered an impressive array of research results that are both technically innovative and practically relevant.

Academic conferences have been an important mechanism for building and strengthening the ISI community. The series of international IEEE ISI conferences has been held annually since 2003, and has been followed by regional ISI conferences such as the Pacific Asia ISI (PAISI) workshop series and the European ISI Conference (EISIC) series. These conferences have provided stimulating forums for gathering people from previously disparate communities including those from academia, government, and industry. Participants have included academic researchers (especially in the fields of information technologies, computer science, public policy, and social and behavioral studies), law enforcement and intelligence experts, as well as information technology company representatives, industry consultants and practitioners within the relevant fields.

This year’s joint EISIC/ISI, IEEE Joint Intelligence and Security Informatics Conference (IEEE JISIC 2014), is co-sponsored by the Delft University of Technology and the Netherlands Forensic Institute, and has also received technical co-sponsorship from the IEEE Intelligence Transportation Systems Society, the Netherlands Organisation for Scientific Research (NWO), and the City of The Hague. We would like to express our sincere gratitude to these sponsors.

IEEE JISIC 2014 received 98 submissions in total, and accepted 28% of the papers. For comparison, EuroISI 2008 received 48 submissions and accepted 52% of the papers, EISIC 2011 received 111 submissions and accepted 27% of the papers, EISIC 2012 received 70 submissions and accepted 40% of the papers and EISIC 2013 received 87 submissions and accepted 31% of the papers. In conclusion, after the IEEE ISI, the European ISI conference is also making good progress towards becoming a mature scientific venue and has already established itself as the natural meeting point for the European ISI research community.

The three-day conference program includes paper presentation sessions, a poster session, presentations by prominent keynote speakers, and three tutorials. We are very pleased with the technical quality of the accepted submissions, and would like to express our gratitude to all authors for contributing their work. Lastly, we are most grateful to the program committee members who have generously provided high-quality and constructive review reports.

Cor Veenman

Netherlands Forensic Institute

Alan Wang

Virginia Tech

IEEE JISIC 2014 – Program at a Glance

Wednesday, September 24, 2014

08:00-09:00 Registration

09:00-09:15 Opening: Welcome Session

09:15-09:45 Invited speaker: Pieter-Jaap Aalbersberg, Chief of Police Amsterdam, the Netherlands

09:45-10:45 Keynote: John Stasko

10:45-11:15 Coffee Break

11:15-12:15 Keynote: Niall Adams

12:15-13:15 Lunch Break

13:15-14:45

Tutorial: Real-Time Sentiment Analysis, Room 2.1

Track: Cyber and infrastructure security (long papers), Room 2.2

Track: Decisioning and interaction (long papers), Room 2.3

14:45-15:00 Coffee Break

15:00-16:00

Track: Border control (short papers), Room 2.1

Track: Cyber and infrastructure security (short papers), Room 2.2

Track: General / Web analytics (short papers), Room 2.3

16:00-16:15 Coffee Break

16:15-17:15

Track: General (short papers), Room 2.1

Track: Cyber and infrastructure security (short papers), Room 2.2

Track: General (short papers), Room 2.3

17:25-17:45 Poster-pitch

17:45- Social Event: Ice breaker / Posters Session

Thursday, September 25, 2014

09:00-10:00 Keynote: Thomas Holt

10:00-10:15 Coffee Break

10:15-11:15

Track: Border control (long papers), Room 2.1

Track: Forensic Intelligence (long papers), Room 2.2

Track: General / Web analytics (long papers), Room 2.3

11:15-11:30 Coffee Break

11:30-12:30

Track: Computational criminology (long papers), Room 2.1

Track: Cyber and infrastructure security (long papers), Room 2.2

Track: General / Web analytics (long papers), Room 2.3

12:30-13:30 Lunch Break

13:30-14:30 Keynote: Judee Burgoon

14:30-14:45 Coffee Break

14:45-16:15

Tutorial: Lawfully-Authorized Electronic Surveillance in Wireless Communication Systems, Room 2.1

Track: General (long papers), Room 2.2

Track: General / Web analytics (long papers), Room 2.3

16:15-16:45 Coffee Break

16:45-17:25

Track: Computational criminology (short papers), Room 2.1

Track: Cyber and infrastructure security (short papers), Room 2.2

Track: General / Web analytics (short papers), Room 2.3

18:30- Conference dinner: Madurodam

Friday, September 26, 2014

09:00-10:00 Keynote: Jeroen Keppens

10:00-10:15 Coffee Break

10:15-11:45

Tutorial: Theory, Framework and Method for Software Design Studies in Security and Intelligence Analysis Work Environments, Room 2.1

Track: Cyber and infrastructure security (long papers), Room 2.2

Track: General / Web analytics (short papers), Room 2.3

11:45-12:00 Coffee Break

12:00-13:00 Keynote: V.S. Subrahmanian

13:00-14:00 Lunch Break

IEEE JISIC 2014 – Keynote Speeches

Jeroen Keppens

Lecturer at Department of Informatics

King’s College London

09:00-10:00 Thursday September 25

Developing Bayesian Models for Assessing the Value of Evidence

Abstract

The standard Bayesian approach to assess the value of a piece of evidence e in differentiating between the likelihood of an exhaustive pair of mutually exclusive hypotheses h1 and h2 involves computing the likelihood ratio LR = P(e|h1)/P(e|h2). Bayes’s rule implies that the posterior odds of h1 and h2 = LR × the prior odds of h1 and h2. In other words, LR specifies how one’s beliefs in h1 and h2 ought to change in light of certain evidence e, irrespective of one’s prior beliefs in those hypotheses. This is precisely the perspective from which a forensic scientist ought to provide expertise.

Humans, including experts, suffer from a range of cognitive biases when reasoning about the chances of events occurring. Therefore, the probabilities P(e|hi) in LR are best computed by means of a formal probabilistic modelling technique, such as Bayesian networks. Using such modelling techniques normally involves (i) identifying the variables involved in assessing P(e|hi), (ii) identifying relationships of conditional independence between variables and (iii) defining local conditional probability measures between dependent variables. This process introduces rigour in the elicitation and specification of LR. There are also a number of peer-reviewed model templates to assess the value of evidence in certain types of scenario.

Nevertheless, the use of Bayesian methods for assessing the value of evidence remains controversial. In particular, there have been a number of high-profile cases where the application of these methods has led to miscarriages of justice. Firstly, there are a number of common errors that are made in the application of Bayesian methods. Secondly, where the likelihood ratio approach is applied correctly, it may be based on an incorrect probabilistic model. Models can produce erroneous results if they ignore key variables, make incorrect independence assumptions or employ inaccurate probability measures. Thirdly, the results from a Bayesian analysis may be misreported and overstate the conclusions that can be drawn from them. A number of recent developments in the fields of artificial intelligence and statistics have resulted in methods that can help address some of these concerns.

In this talk, I will present an overview of the Bayesian likelihood ratio approach and its application to assess the value of evidence. Next, my talk will identify key problems that arise when applying this approach, with a particular focus on the challenges involved in constructing probabilistic models with which to apply the approach. Throughout, I will discuss key developments that can address some of these problems and pinpoint emerging research challenges.

Jeroen Keppens

Jeroen Keppens obtained a PhD degree in Artificial Intelligence from the University of Edinburgh in 2002. Since then, he has been working in the fields of artificial intelligence and law, and evidential reasoning, as a postdoc at the Joseph Bell Centre for Forensic Statistics and Legal Reasoning in Edinburgh and at the University of Aberystwyth and as a lecturer of Computer Science at King's College London. His research interests include decision support systems for evidential reasoning, the construction of models for evidential reasoning and the validation of such models, using methods such as argumentation, approximate, qualitative and probabilistic reasoning.


John Stasko

Professor & Associate Chair at College of Interactive Computing

Georgia Institute of Technology

09:45-10:45 Wednesday, September 24

The Value of Visualization for Understanding Data and Making Decisions

Abstract

Investigators have an ever-growing suite of tools available for analyzing and understanding their data. While techniques such as statistical analysis, machine learning, and data mining all have benefits, visualization provides an additional unique set of capabilities, many of which relate to its interactive capabilities. In this talk I identify the particular advantages that visualization brings to data analysis beyond other techniques, and I will describe the situations in which it can be most beneficial. To help support these arguments, I'll present a number of provocative examples from my own work and others'. One particular system will demonstrate how visualization can facilitate exploration and knowledge acquisition from a collection of thousands of narrative text documents.

John Stasko

John Stasko is a Professor in and the Associate Chair of the School of Interactive Computing at the Georgia Institute of Technology. He also is an Honorary Professor in the School of Computer Science at the Univ. of St. Andrews in Scotland. Stasko is an internationally recognized and widely published researcher in the area of human-computer interaction, with a specific focus on information visualization and visual analytics.

Stasko has been Papers/Program Co-Chair for the IEEE Information Visualization (InfoVis) Conference, the IEEE Visual Analytics Science and Technology (VAST) Conference, and the ACM Software Visualization (SoftVis) Symposium. He has served on numerous journal editorial boards including ACM Transactions on Computer-Human Interaction, IEEE Transactions on Visualization and Computer Graphics, and Information Visualization. In Fall 2013 he served as General Chair for the IEEE VIS meeting in Atlanta, the primary research meeting for the field of data visualization. Stasko was named an ACM Distinguished Scientist in 2011 and an IEEE Fellow in 2014. He received the IEEE VGTC Visualization Technical Achievement Award in 2012.


V.S. Subrahmanian

Professor at Department of Computer Science

University of Maryland

12:00-13:00 Friday, September 26

The Global Cyber-Vulnerability Report

Abstract

We report the result of a study of over 4M machines worldwide in 2010 and 2M machines in 2011 (using Symantec’s WINE data set), showing a pattern of attacks attempted against these machines. Using over 10B malware reports, we are able to analyze selected behaviors of consumers on a country-by-country basis, showing which countries are more vulnerable to attack than others. Though we had data on many countries, our final report looks at 44 countries for which we had the most data. Joint work with Michael Ovelgonne, Tudor Dumitras, and Aditya Prakash.

V.S. Subrahmanian

V.S. Subrahmanian is Professor of Computer Science at the University of Maryland and heads the Center for Digital International Government, having previously served as Director of the University of Maryland's Institute for Advanced Computer Studies (UMIACS) for 6+ years. Prof. Subrahmanian develops big data analytics including methods to analyze vast bodies of text, learn models of behaviors of entities from the data, forecast actions by these entities, and methods to influence these behaviors. He developed the OASYS opinion analysis system which works on 8 languages and won the 2007 Computerworld Horizon Award, the CARA Cultural Reasoning Architecture and the SOMA stochastic logical model for building models of group behaviors. He has applied this to modeling over 45 terror groups worldwide. His SCARE system for identifying locations of IED weapons caches in Baghdad and in the provinces of Helmand and Kandahar in Afghanistan was the first system to accurately and efficiently identify locations of weapons caches. He has written six books and edited seven including textbooks on advanced databases and on multimedia databases. Prof. Subrahmanian has published over 200 articles in leading international conferences and journals. He is a fellow of both AAAI and AAAS. His work has been described in articles in numerous outlets (e.g. Baltimore Sun, the Economist, Science, Nature, etc). He has served on numerous editorial boards and government/corporate boards.


Niall Adams

Reader in Statistics at Department of Mathematics, Faculty of Natural Sciences

Imperial College London

11:15-12:15 Wednesday, September 24

Plastic card transaction fraud detection

Abstract

We begin with a review of plastic card fraud: the nature and magnitude of the problem. This is followed by a description of the data and the operational context in which data analysis procedures operate. Such procedures have to address specific problems including the rarity of fraudulent behaviour, the volume and velocity of the data, and the need to handle temporal variation. Supervised and unsupervised learning approaches are compared and contrasted. We conclude with a recommendation that the most flexible fraud detection systems will capitalise on carefully engineered combinations of supervised and unsupervised methods.

Niall Adams

Niall Adams has been a member of faculty in the department of Mathematics at Imperial College London since 2000. He presently holds the position of Reader in Statistics. Additionally, since 2011, he has been seconded to the Heilbronn Institute for Mathematical Research, University of Bristol.

His methodological research interests include classification, anomaly detection and adaptive estimation, with applications in cyber-security, consumer finance and cell biology. Adams was the recipient of a Winton research prize in 2011, and was a member of the Imperial College team that won the "Credit Collections and Risk" prize for contributions to the credit industry in 2012. He has published 70 refereed journal and conference papers, and edited 7 books. He has been an associate editor for the Journal of the Royal Statistical Society (series C), Statistical Analysis and Data Mining, and Intelligent Data Analysis.


Thomas Holt

Associate professor at School of Criminal Justice, College of Social Science

Michigan State University

09:00-10:00 Friday, September 26

Assessing the Role of Forums in Facilitating Technological Skill in the White Supremacist Movement

Abstract

Research surrounding radicalization to and use of violence among extremist and terror groups has expanded over

the last decade. Examinations of both the far right and Islamic extremist movements have improved, utilizing

open source data to measure various behavioral and organizational dynamics. Though this has improved our

understanding of the nature of lethal violence among extremist groups, there are still many fundamental

questions that must be addressed. Specifically, there is a need for greater research on the role of the Internet in

radicalization and recruitment as well as creating a venue for cyberattacks against computers and electronic

targets generally. Few studies have considered the technical capabilities of extremist groups with limited

research indicating that Islamic terror groups espouse the use of hacking techniques but lack the ability to

successfully perform attacks on a large scale. Even less research has examined the technical capacity of Far Right

groups operating in the United States. Studies demonstrate the importance of websites and newsgroups in the

spread and promotion of militia groups and white nationalists in the 1980s and 1990s. Few, however, have

examined the ways that technological information is shared within this community and the role of on-line

communications in knowledge generation. It is unclear if the far right acquires information on technology use

from internal or external sources. Furthermore, there is generally little information on the ways that the

information sharing process mirrors that of sophisticated technological subcultures, such as computer hackers.

This exploratory study addresses these issues using a qualitative analysis of a sample of threads from a

technology-specific subforum of a widely used web forum in the Far Right movement. The findings demonstrate

that the process of information sharing is distinct from that of more sophisticated communities, though it utilizes

similar resources as the hacker subculture. In addition, the exchanges between users demonstrate that a white

nationalist identity links participants, while the main posters serve as a sort of technical support community for

the larger forum population. The implications of this study for future research on the technical capacities of

extremists and the integration of a hacker and far right subculture are examined in depth.

Thomas Holt

Thomas Holt is an Associate Professor in the School of Criminal Justice at Michigan State University specializing in

cybercrime, policing, and policy. He received his Ph.D. in Criminology and Criminal Justice from the University of

Missouri-Saint Louis in 2005. He has published extensively on cybercrime and cyberterror in outlets such as Crime

and Delinquency, Sexual Abuse, the Journal of Criminal Justice, Terrorism and Political Violence, and Deviant

Behavior. He has published multiple edited books, including Corporate Hacking and Technology-Driven Crime with

coeditor Bernadette Schell (2011), Crime On-Line: Correlates, Causes and Context, now in its 2nd Edition, and is a

co-author of Digital Crime and Digital Terror, 2nd edition (2010). He has also received multiple grants from the

National Institute of Justice and the National Science Foundation to examine the social and technical drivers of

Russian malware writers, data thieves, and hackers using on-line data. He has also given multiple presentations

on computer crime and hacking at academic and professional conferences, as well as hacker conferences across

the country including Defcon and HOPE.


Judee Burgoon

Director of Human Communication Research for the Center for the Management of Information

University of Arizona

13:30-14:30 Thursday, September 25

Detecting Security Risks from Automated Analysis of Verbal and Nonverbal Signals

Abstract

Border guards face a daunting task in rapidly detecting from the daily flood of border crossers those travelers who pose

a security threat while allowing low-risk crossers to pass unimpeded. Automated tools are being developed to assist

border guards in this process by analyzing the verbal and nonverbal behaviors of travelers. In this presentation, four

classes of potentially reliable indicators of deception and malicious intent are discussed along with the current tools

available to automatically detect these indicators and return real-time or near-real-time feedback to border personnel.

Kinesic signals are movements of the head, face, eyes, limbs and body that can be analyzed unobtrusively with

computer imaging techniques. These nonverbal signals are among the most revealing indicators of negative emotional

states, high arousal, cognitive difficulties, and overcontrol of movements that may predict a traveler poses a security

risk but also include intentionally manipulated self-presentations to appear credible. Proxemic signals are nonverbal

actions related to interpersonal distancing and spacing that convey avoidance versus approach and may be

manipulated by high-risk travelers to evade detection and convey innocence. Computer imaging techniques may also

capture relevant proxemic signals. Vocalic signals are features of the voice itself that likewise relate to emotional

states, arousal, cognitive difficulties and self-presentation. Some can be manipulated intentionally; others are

involuntary signs of distress. Vocal features can be analyzed with acoustic instrumentation on the fly. Linguistic

indicators are features of a traveler's language constructions that may inadvertently reveal malicious intent and deceit

but may also be intentionally chosen to create favorable impressions. These are most likely to be useful in second-line

screening where agents/officers have longer interactions or with systems in which travelers enter some responses in

text form. Tools exist to translate oral responses, conduct analyses of various language features and return a near-real-time

assessment. Deeper forensic analysis can also be conducted on a post hoc basis or on archived responses from

persons of interest. Illustrations of each type of verbal and nonverbal signal and potential automated tools will be

presented. Prospects for combining them into a multimodal system will be discussed.

Judee Burgoon

Dr. Burgoon is Professor of Communication, Family Studies and Human Development at the University of Arizona,

where she is Director of Research for the Center for the Management of Information and Site Director for the Center

for Identification Technology Research, a National Science Foundation Industry/University Cooperative Research

Center. Previously, she held faculty appointments at the University of Florida and Michigan State University, was a

Distinguished Visiting Scholar at University of Oklahoma and was a Visiting Scholar at Harvard University. She has

authored or edited 13 books and monographs and nearly 300 published articles, chapters and reviews related to

nonverbal and verbal communication, deception, and computer-mediated communication. Her research has been

funded by the National Science Foundation, Department of Defense, Department of Homeland Security, and the Office

of the Director of National Intelligence, among others. Her awards and honors include, from the International

Communication Association, the Steven Chaffee Career Productivity Award, Robert Kibler Mentorship Award, and

election as Fellow; from the National Communication Association, the Distinguished Scholar Award for a lifetime of

scholarly achievement, the Mark L. Knapp Award in Interpersonal Communication and the Charles Woolbert Research

Award for Scholarship of Lasting Impact. A recent survey identified her as the most prolific female scholar in

communication in the 20th century.


IEEE JISIC 2014 – Detailed Program

Wednesday, September 24, 2014

08:00-09:00 Registration

09:00-09:15 Opening: Welcome Session

09:15-09:45 Invited speaker

Pieter-Jaap Aalbersberg, Chief of Police Amsterdam, Chair: Mariëlle den Hengst

09:45-10:45 Keynote: The Value of Visualization for Understanding Data and Making Decisions

John Stasko, Chair: Jack van Wijk

10:45-11:15 Coffee Break

11:15-12:15 Keynote: Plastic card transaction fraud detection

Niall Adams, Chair: Cor Veenman

12:15-13:15 Lunch Break

13:15-14:45 Tutorial

Room 2.1

Real-Time Sentiment Analysis

Anna Jurek

13:15-14:45 Track: Cyber and infrastructure security (long papers); Chair: Niall Adams

Room 2.2

Trusted Detection of Sensitive Activities on Mobile Phones using Power Consumption Measurements

Mordechai Guri, Gabi Kedma, Boris Zadov and Yuval Elovici

ALPD: Active Learning Framework for Enhancing the Detection of Malicious PDF Files

Nir Nissim, Aviad Cohen, Robert Moskovitch, Assaf Shabtai, Mattan Edry, Oren Bar-Ad and Yuval Elovici

Resilience of Anti-Malware Programs to Naïve Modifications of Malicious Binaries

Mordechai Guri, Gabi Kedma, Assaf Kachlon and Yuval Elovici

13:15-14:45 Track: Decisioning and Interaction (long papers); Chair: John Stasko

Room 2.3

Overcoming Limited Collaboration Channels in Distributed Intelligence Analysis: Visualization Tools and Design Seeds

Brian Prue, Michael Jenkins, Lauren Stern and Jonathan Pfautz

On the Usability of Augmented Reality for Information Exchange in Teams from the Security Domain

Dragoş Datcu, Marina Cidota, Heide Lukosch and Stephan Lukosch

Maritime Situation Analysis: A Multi-vessel Interaction and Anomaly Detection Framework

Hamed Yaghoubi Shahir, Uwe Glässer, Narek Nalbandyan and Hans Wehn

14:45-15:00 Coffee Break

15:00-16:00 Track: Border control (short papers); Chair: Jakub Piskorski

Room 2.1

Land border permeability and irregular migration using geospatial intelligence from satellite data

Bert Van Den Broek, Robin Schoemaker and Rob Dekker

Studies of Integration Readiness Levels: Case Shared Maritime Situational Awareness System

Rauno Pirinen

Security Components in a One-Stop-Shop Border Control System

Axel Weissenfeld, Lukasz Szklarski and Andreas Kriechbaum-Zabini

15:00-16:00 Track: Cyber and infrastructure security (short papers); Chair: Nicholas Heard

Room 2.2

Statistical frameworks for detecting tunnelling in cyber defence using big data

Daniel Lawson, Patrick Rubin-Delanchy, Niall Adams and Nicholas Heard

Adaptive change detection for relay-like behavior

Dean Bodenham and Niall Adams

An approximate framework for flexible network flow screening

Niall Adams and Daniel Lawson

15:00-16:00 Track: General / Web analytics (short papers); Chair: Uwe Glässer

Room 2.3

Threat detection in tweets with trigger patterns and contextual cues

Martijn Spitters, Pieter Eendebak, Daniel Worm and Henri Bouma

A Service-independent Model for Linking Online User Profile Information

Matthew Edwards, Awais Rashid and Paul Rayson

Exploring Opinion Dynamics in Security-Related Microblog Data

Yuhao Zhang, Wenji Mao and Daniel Zeng

16:00-16:15 Coffee Break


16:15-17:15 Track: General (short papers); Chair: Joel Brynielsson

Room 2.1

Automatic Timeline Construction and Analysis For Computer Forensics Purposes

Yoan Chabot, Aurélie Bertaux, Christophe Nicolle and Tahar Kechadi

How Analysts Think (?): Early Observations

B.L. William Wong

Optical Security Document Simulator for Black-Box Testing of ABC Systems

Michael Gschwandtner, Svorad Štolc and Franz Daubner

16:15-17:15 Track: Cyber and infrastructure security (short papers); Chair: Niall Adams

Room 2.2

Filtering automated polling traffic in computer network flow data

Nicholas Heard, Daniel Lawson and Patrick Rubin-Delanchy

Modelling new edge formation in a computer network through Bayesian Variable Selection

Silvia Metelli and Nicholas Heard

Application of a linear time method for change point detection to the classification of software

Alexander Bolton and Nicholas Heard

16:15-17:15 Track: General (short papers); Chair: Uwe Glässer

Room 2.3

Three statistical approaches to sessionizing network flow data

Patrick Rubin-Delanchy, Daniel Lawson, Melissa Turcotte, Niall Adams and Nicholas Heard

AccountabilityFS: A file system monitor for forensic readiness

Rune Nordvik, Yi-Ching Liao and Hanno Langweg

17:25-17:45 Poster pitch

CAPER - Collaborative information, Acquisition, Processing, Exploitation and Reporting for the prevention of

organised crime

Carlo Aliprandi, Juan Arraiza, Sebastian Maier, Gila Molcho, Felipe Melero

Detecting threats of violence in online discussions using bigrams of important words

Hugo Lewi Hammer

Learning to Classify Hate and Extremism Promoting Tweets

Ashish Sureka, Swati Agarwal

Recommending Documents for Complex Question Exploration by Analyzing Browsing Behavior

Alya Abbott, Olga Simek

Passwords are dead: Alternative authentication methods

Dr. Michael Bachmann

Sensemaking and Cognitive Bias Mitigation in Visual Analytics

Margit Pohl, Lisa-Christina Winter, Chris Pallaris, Simon Attfield, B.L. William Wong

Metal oxide gas sensors technologies for hidden people detection

Andrea Ponzoni, Dario Zappa, Cristina Cerqui, Elisabetta Comini, Giorgio Sberveglieri

Towards a Methodology for Cybersecurity Risk Management Using Agents Paradigm

Parth Bhatt, Per M Gustavsson, Rose-Mharie Ahlfeldt

An interactive Patterns of Life visualisation tool for Intelligence Analysis

Neesha Kodagoda, Simon Attfield, Phong H. Nguyen, Leishi Zhang, Kai Xu, B L William Wong, Adrian Wagstaff, Graham Phillips, James Bulloch, John Marshall, Stewart Bertram

Military Geospatial Profiling Analysis

Oey, Herman-Dick Giok Tjiang

Robust Navigation and Communication in the Maritime Domain: the TRITON Project

Marco Pini, Luca Pilosu, Lene Vesterlund, David Blanco, Fredrik Lindström, Emiliano Spaltro

Detection of Olfactory Traces by Orthogonal Gas Identification Technologies - DOGGIES

I. Daniilidis, J.-J. Filippi, W. Vautz, E. Dalcanale, S. Zampolli, G. Leventakis, I. Kauppinen, S. Sinisalo, V. Tsoulkas, V. Kassouras, M. Carras, B. Gerard, R. Pinalli, A. Ragnoni, L. Dujourdy, D. Zavali, M. Brun, V. Grizis, A. Argyris, D. Syvridis

When Counting is Not Enough: Limitations of NSA's effectiveness assessment of surveillance technology

Michelle Cayford, Coen van Gulijk, P.H.A.J.M. van Gelder

DOCSCOPE: ID Printing Techniques Signatures

Marc Pic, Clarisse Mandridake, Mathieu Hoarau, Kevin Win-Lime

17:45- Social event: Poster session - Ice breaker


Thursday, September 25, 2014

09:00-10:00 Keynote: Assessing the Role of Forums in Facilitating Technological Skill in the White Supremacist Movement

Thomas Holt, Chair: Daniel Zeng

10:00-10:15 Coffee Break

10:15-11:15 Track: Border control (long papers); Chair: Jakub Piskorski

Room 2.1

Understanding the factors affecting UX and technology acceptance in the context of automated border controls

Mari Ylikauppila, Sirra Toivonen and Minna Kulju

On the adequacy of performance models in an adaptive Border Inspection Management system

Jesse Mussgrove, Bojan Cukic and Vittorio Cortellessa [nominated for best paper award]

10:15-11:15 Track: Forensic intelligence (long papers); Chair: Jeroen Keppens

Room 2.2

Resource-based Event Reconstruction of Digital Crime Scenes

Yi-Ching Liao and Hanno Langweg

Addressing The Increasing Volume and Variety of Digital Evidence Using an Ontology

Owen Brady, Jeroen Keppens and Richard Overill

10:15-11:15 Track: General / Web analytics (long papers); Chair: Cor Veenman

Room 2.3

Authorship Analysis of Inspire Magazine through Stylometric and Psychological Features

Jennifer Sikos, Peter David, Nizar Habash and Reem Faraj

Identifying Top Sellers In Underground Economy Using Deep Learning-based Sentiment Analysis

Weifeng Li and Hsinchun Chen

11:15-11:30 Coffee Break

11:30-12:30 Track: Computational criminology (long papers); Chair: Thomas Holt

Room 2.1

Predicting Links in Multi-relational Networks

Bisharat Rasool Memon and Uffe Kock Wiil

11:30-12:30 Track: Cyber and infrastructure security (long papers); Chair: André Hoogstrate

Room 2.2

Time Critical Disinformation Influence Minimization in Online Social Networks

Chuan Luo, Kainan Cui, Xiaolong Zheng and Daniel Zeng

A Selective Defense for Application Layer DDoS Attacks

Yuri Gil Dantas, Vivek Nigam and Iguatemi E. Fonseca

11:30-12:30 Track: General / Web analytics (long papers); Chair: Mariëlle den Hengst

Room 2.3

Twitter Sentiment Analysis for Security-Related Information Gathering

Anna Jurek, Yaxin Bi and Maurice Mulvenna

Mining the Web for Sympathy: The Pussy Riot Case

Anders Westling, Joel Brynielsson and Tove Gustavi

12:30-13:30 Lunch Break

13:30-14:30 Keynote: Detecting Security Risks from Automated Analysis of Verbal and Nonverbal Signals

Judee Burgoon, Chair: Jakub Piskorski

14:30-14:45 Coffee Break

14:45-16:15 Tutorial:

Room 2.1

Lawfully-Authorized Electronic Surveillance in Wireless Communications Systems: Standard and Requirements Overview

Kafi Hassan

14:45-16:15 Track: General (long papers); Chair: Joel Brynielsson

Room 2.2

DNSSEC Misconfigurations: How incorrectly configured security leads to unreachability

Niels L. M. van Adrichem, Antonio Reyes Lúa, Xin Wang, Muhammad Wasif, Ficky Fatturrahman and Fernando A. Kuipers [nominated for best paper award]

Time-to-event Modeling for Predicting Hacker IRC Community Participant Trajectory

Victor Benjamin and Hsinchun Chen

Practical interception of DECT encrypted voice communications in Unified Communications environments

Iwen Coisel and Ignacio Sanchez

14:45-16:15 Track: General / Web analytics (long papers); Chair: Wauter Bosma

Room 2.3

The Nature of Communications and Emerging Communities on Twitter following the 2013 Syria Sarin Gas Attack

Yulia Tyshchuk, William Wallace, Hao Li, Heng Ji and Sue Kase

Time Profiles for Identifying Users in Online Environments

Lisa Kaati, Fredrik Johansson and Amendra Shrestha [nominated for best paper award]

Predicting Popularity of Forum Threads for Public Events Security

Qingchao Kong, Wenji Mao and Daniel Zeng

16:15-16:45 Coffee Break


Thursday, September 25, 2014 - Continued

16:45-17:25 Track: Computational criminology (short papers); Chair: Thomas Holt

Room 2.1

A Case Study in Opportunity Reduction: Mitigating the Dirt Jumper Drive-smart attack

Joel Lathrop and James O'Kane

16:45-17:25 Track: Cyber and infrastructure security (short papers); Chair: André Hoogstrate

Room 2.2

Uninvited Connections: A Study of Vulnerable Devices on the Internet of Things (IoT)

Mark Patton, Eric Gross, Ryan Chinn, Samantha Forbis, Leon Walker and Hsinchun Chen

Challenges to a smooth-running data security audits. Case: A Finnish national security auditing criteria KATAKRI

Jyri Rajamäki

16:45-17:25 Track: General / Web analytics (short papers); Chair: Wauter Bosma

Room 2.3

Ranking Online Memes in Emergency Events Based on Transfer Entropy

Saike He, Xiaolong Zheng, Daniel Zeng, Bo Xu, Guanhua Tian and Hongwei Hao

Causal Inference in Social Media Using Convergent Cross Mapping

Chuan Luo, Xiaolong Zheng and Daniel Zeng

18:30- Conference dinner: Madurodam

Friday, September 26, 2014

09:00-10:00 Developing Bayesian Models for Assessing the Value of Evidence

Jeroen Keppens, Chair: Menno Israël

10:00-10:15 Coffee Break

10:15-11:45 Tutorial

Room 2.1

Theory, Framework and Method for Software Design Studies in Security and Intelligence Analysis Work Environments

Laura A. McNamara, Kerstan Cole, and Susan Stevens-Adams

10:15-11:45 Track: Cyber and infrastructure security (long papers); Chair: Niall Adams

Room 2.2

Aegis: A Lightweight Tool for Prevent Frauds in Web Browsers

Carlo Silva

Descriptive Analytics: Examining Expert Hackers in Web Forums

Ahmed Abbasi, Weifeng Li, Victor Benjamin, Shiyu Hu and Hsinchun Chen

Inferring itineraries of containerized cargo through the application of Conditional Random Fields

Pedro Chahuara, Luca Mazzola, Claudio Schifanella, Michail Makridis, Aris Tsois and Mauro Pedone

10:15-11:45 Track: General / Web analytics (short papers); Chair: Uwe Glässer

Room 2.3

Towards a Comprehensive Insight into the Thematic Organization of the Tor Hidden Services

Martijn Spitters, Stefan Verbruggen and Mark van Staalduinen

Forecasting Country Stability in North Africa

Steven Banaszak, Elizabeth Bowman, John P. Dickerson and V.S. Subrahmanian

Foraging Online Social Networks

Gijs Koot, Mirjam Huis In 'T Veld and Egon L. van den Broek

11:45-12:00 Coffee Break

12:00-13:00 Keynote: The Global Cyber-Vulnerability Report

V.S. Subrahmanian, Chair: Hsinchun Chen

13:00-14:00 Lunch Break


IEEE JISIC 2014 – Conference abstracts

Session: Cyber and infrastructure security

13:15-13:45 Wednesday, September 24, 2014 Room: 2.2

Paper Long

Trusted Detection of Sensitive Activities on Mobile Phones using Power Consumption Measurements

Mordechai Guri, Gabi Kedma, Boris Zadov, Yuval Elovici

The unprecedented popularity of modern mobile phones has made them a lucrative target for skillful and motivated offenders. A typical mobile phone is packed with sensors, which can be turned on silently by a malicious program, providing invaluable information to the attacker. Detecting such hidden activities through software monitors can be blindfolded and bypassed by rootkits and by anti-forensic methods applied by the malicious program. Moreover, detecting power consumption by software running on the mobile phone is susceptible to similar evasive techniques. Consequently, software based detection of hidden malicious activities, particularly the silent activation of sensors, cannot be considered as trusted. In this paper we present a method which detects hidden activities using external measurement of power consumption. The classification model is acquired using machine-learning multi-label classification algorithms. Our method overcomes the inherent weaknesses of software-based monitors, and provides a trusted solution. We describe the measurement setup, and provide detailed evaluation results of the algorithms used. The results obtained so far support the feasibility of our method.

Paper Long

ALPD: Active Learning Framework for Enhancing the Detection of Malicious PDF Files

Nir Nissim, Aviad Cohen, Robert Moskovitch, Assaf Shabtai, Mattan Edry, Oren Bar-Ad, Yuval Elovici

Email communication carrying malicious attachments or links is often used as an attack vector for initial penetration of the targeted organization. Existing defense solutions prevent executables from entering organizational networks via emails, therefore recent attacks tend to use non-executable files such as PDF. Machine learning algorithms have recently been applied for detecting malicious PDF files. These techniques, however, lack an essential element: they cannot be updated daily. In this study we present ALPD, a framework that is based on active learning methods that are specially designed to efficiently assist anti-virus vendors to focus their analytical efforts. This is done by identifying and acquiring new PDF files that are most likely malicious, as well as informative benign PDF documents. These files are used for retraining and enhancing the knowledge stores. Evaluation results show that in the final day of the experiment, Combination, one of our AL methods, outperformed all the others, enriching the anti-virus's signature repository with almost seven times more new PDF malware while also improving the detection model's performance on a daily basis.

Paper Long

Resilience of Anti-Malware Programs to Naïve Modifications of Malicious Binaries

Mordechai Guri, Gabi Kedma, Assaf Kachlon, Yuval Elovici

The massive amounts of malware variants which are released each day demand fast in-lab analysis, along with fast in-field detection. Traditional malware detection methodology depends on either static or dynamic in-lab analysis to identify a suspicious file as malicious. When a file is identified as malware, the analyst extracts a structural signature, which is dispatched to subscriber machines. The signature should enable fast scanning, and should also be flexible enough to detect simple variants. In this paper we discuss 'naïve' variants which can be produced by a modestly skilled individual with publicly accessible tools and knowhow which, if needed, can be found on the Internet. Furthermore, those variants can be derived directly from the malicious binary file, allowing anyone who has access to the binary file to modify it at his or her will. Modification can be automated, to produce large amounts of variants in short time. We describe several naïve modifications. We also put them to test against multiple antivirus products, resulting in significant decline of the average detection rate, compared to the original (unmodified) detection rate. Since the aforementioned decline may be related, at least in some cases, to avoidance of probable false positives, we also discuss the acceptable rate of false positives in the context of malware detection.


Session: Decisioning and interaction

13:15-13:45 Wednesday, September 24, 2014 Room: 2.3

Paper Long

Overcoming Limited Collaboration Channels in Distributed Intelligence Analysis: Visualization Tools and Design Seeds

Brian Prue, Michael Jenkins, Lauren Stern, Jonathan Pfautz

Military intelligence analysis (IA) support tools are often developed using generalized models of IA that fail to take into consideration the real-world constraints put on analysts by factors such as organizational structures and cultures. IA in domains where distributed collaboration is required because direct communication and coordination is infeasible represents a challenge for generalized models of IA. This paper provides our analysis of distributed IA, which we conducted to support the design of software. We present a resulting set of capabilities that have been developed and deployed in an operational community. Our analysis approach and design focuses on extracting requirements and translating them into “design seeds,” or guidelines for implementation, which are later used to verify that the resulting system meets the expressed requirements.

Paper Long

On the Usability of Augmented Reality for Information Exchange in Teams from the Security Domain

Dragoş Datcu, Marina Cidota, Heide Lukosch, Stephan Lukosch

For operational units in the security domain that work together in teams it is important to quickly and adequately exchange context-related information. Currently, information exchange is based on oral communication only. This paper reports on different scenarios from the security domain in which augmented reality (AR) techniques are used to support such information exchange. The scenarios have been elicited using an end-user centred design approach. To support these scenarios an AR environment has been developed and the usability of the AR support has been evaluated with experts from different operational units in the security domain. The first evaluation shows that the scenarios are well defined and the AR environment can successfully support information exchange in teams operating in the security domain.

Paper Long

Maritime Situation Analysis: A Multi-vessel Interaction and Anomaly Detection Framework

Hamed Yaghoubi Shahir, Uwe Glässer, Narek Nalbandyan, Hans Wehn

Maritime security is critical for protecting sea lanes, ports, harbors and other critical infrastructure against a broad range of threats and illegal activities like smuggling, human trafficking, piracy and terrorism. Limited resources constrain maritime domain awareness and compromise full security coverage at all times. This situation calls for innovative intelligent systems for interactive situation analysis to assist marine authorities and security personnel in their routine surveillance operations. In this paper, we propose a novel situation analysis approach to analyze, detect and differentiate a range of interaction patterns and anomalies of interest for marine vessels that operate over some period of time in relative proximity to each other. We analyze vessel interaction scenarios to model common patterns as probabilistic processes in terms of hidden Markov models. To differentiate suspicious activities from unobjectionable behavior, we explore fusion of data and information from observable behavior (geospatial aspects, kinematic features and contextual information) and maritime domain knowledge from diverse sources. Our experimental evaluation using real-world vessel tracking data shows the effectiveness of the approach.


Session: Border control

15:00-16:00 Wednesday, September 24, 2014 Room: 2.1

Paper Short

Land border permeability and irregular migration using geospatial intelligence from satellite data

A.C. van den Broek, R.M. Schoemaker, R. J. Dekker

Prediction about how migrants move in the pre-border terrain is important for effective border control. In this paper we present a method to obtain permeability indicators for accessibility and concealment on the basis of geographical terrain features, derived from high resolution satellite data. The indicators are used to estimate the mobility of migrants. A model to predict the density of migrants arriving at the border, and to assess the impact of security measures, is introduced and discussed. The model was implemented and tested. The results are used as value adding products in pre-operational services for border control. Validation has to be done using actual irregular border-crossing geo-oriented statistics. By the time this paper was written no such statistics were available.

Paper Short

Studies of Integration Readiness Levels: Case Shared Maritime Situational Awareness System

Rauno Pirinen

The research question of this study is: How Integration Readiness Level (IRL) metrics can be understood and realized in the domain of border control information systems. The study addresses the IRL metrics and their definition, criteria, references, and questionnaires for validation of border control information systems in case of the shared maritime situational awareness system. The target of study is in improvements of ways for acceptance, operational validation, risk assessment, and development of sharing mechanisms and integration of information systems and border control information interactions and collaboration concepts in Finnish national and European border control domains.

Paper Short

Security Components in a One-Stop-Shop Border Control System
Axel Weissenfeld, Lukasz Szklarski, Andreas Kriechbaum-Zabini

Each year the number of passengers travelling around the world is steadily increasing. Hence, the efficient handling of border crossings while maintaining a high security is a demanding challenge for the future. In this work we present the key security components for a novel proposed one-stop-shop (OSS) border control system, which tries to achieve greatest throughput of travelers while applying highest security measurements. We collect the main stakeholders' requirements for an OSS system and assemble the necessary technological solutions so that the proposed OSS system can be operated at all kinds of borders. Thereby, the selected technologies are evaluated and current limitations and constraints described.

Session: Cyber and infrastructure security

15:00-16:00 Wednesday, September 24, 2014 Room: 2.2

Paper Short

Statistical frameworks for detecting tunnelling in cyber defence using big data
Daniel John Lawson, Patrick Rubin-Delanchy, Nicholas Heard, Niall Adams

How can we effectively use costly statistical models in the defence of large computer networks? Statistical modelling and machine learning are potentially powerful ways to detect threats as they do not require a human level understanding of the attack. However, they are rarely applied in practice as the computational cost of deploying all but the most simple algorithms can become implausibly large. Here we describe a multilevel approach to statistical modelling in which descriptions of the normal running of the network are built up from the lower netflow level to higher-level sessions and graph-level descriptions. Statistical models at low levels are most capable of detecting the unusual activity that might be a result of malicious software or hackers, but are too costly to run over the whole network. We develop a fast algorithm to identify tunnelling behaviour at the session level using 'telescoping' of sessions containing other sessions, and demonstrate that this allows a statistical model to be run at scale on netflow timings. The method is applied to a toy dataset using an artificial 'attack'.

Paper Short

Adaptive change detection for relay-like behaviour
Dean Adam Bodenham, Niall Michael Adams

Detecting anomalous behaviour in network flow data is challenging for a number of reasons, including both the computational demand associated with a large corporate network and the peculiar temporal characteristics of flow data. Relay-like behaviour refers to the rapid commencement of an out-going flow from a network device following the completion of an in-coming flow. This paper develops a computationally efficient and temporally adaptive methodology for detecting relay-like behaviour. The methodology is demonstrated on a real example of NETFLOW data. In addition to providing a detector, further uses of the methodology for combining anomalous events are discussed.

Paper Short

An approximate framework for flexible network flow screening
Niall M. Adams, Daniel John Lawson

Network security analysts presently lack tools for routinely screening large collections of network traffic for structures of interest. This is particularly the case when the structures of interest are embodied as summaries of sets of related traffic, essentially behaviour descriptions. This paper sketches a methodology to provide such capability, in the context of flow data. The methodology generates approximate search results, and uses a modular construction to provide the capability to tailor queries for multiple views of the behaviour structure of interest. At core, the methodology involves approximate sequential search procedures. The methodology is framed by a discussion of a large university network.

Session: General / Web analytics

15:00-16:00 Wednesday, September 24, 2014 Room: 2.3

Paper Short

Threat detection in tweets with trigger patterns and contextual cues
Martijn Spitters, Pieter Eendebak, Daniël Worm, Henri Bouma

Many threats in the real world can be related to activities in public sources on the internet. Early detection of threats based on internet information could assist in the prevention of incidents. However, the amount of data in social media, blogs and forums rapidly increases and it is time consuming for security services to monitor all these sources. Therefore, it is important to have a system that automatically ranks messages based on their threat potential and thereby allows security operators to check these messages more efficiently. In this paper, we present a novel method for detecting threatening messages on Twitter based on trigger keywords and contextual cues. The system was tested on multiple large collections of Dutch tweets. Our experimental results show that our system can successfully analyze messages and recognize threatening content.

Paper Short

A Service-independent Model for Linking Online User Profile Information
Matthew John Edwards, Awais Rashid, Paul Rayson

Public user profile information is a common feature of modern websites. These profiles can provide a valuable resource for investigators tracing digital artefacts of crime, but current approaches are limited in their ability to link identities across different platforms. We address this through a service-independent model of user profile information, grounded in the details visible on a number of the most-frequented sites on the web. Building on this, we report the details most widespread across platforms and the number of features visible on each site, thus highlighting details of use to both privacy researchers and investigators attempting to cross-link profiles.

Paper Short

Exploring Opinion Dynamics in Security-Related Microblog Data
Yuhao Zhang, Wenji Mao, Daniel Zeng, Ning Zhao, Xiuguo Bao

Web social media has become one of the major channels for people to express their opinions, share their feelings and communicate with others. Public opinions often ebb and flow with time due to the occurrence of social events and mutual influence of people on certain topics. The dynamic change of public opinions reflects the evolvement and trend of public attitudes and can facilitate many security-related applications. In this paper, we explore the modeling and detection of opinion dynamics on a specific topic based on textual social media data. We first define three measures to provide a thorough description of opinion dynamics, and identify the key factors that influence opinion changes, namely sentiment, social influence and dynamic factors. We then develop the computational method to capture opinion dynamics in security-related data. A preliminary empirical study is conducted based on the data from Weibo, one of the most popular microblog sites in China. The experimental results show the effectiveness of our method in modeling and predicting opinion dynamics.

Session: General

16:15-17:15 Wednesday, September 24, 2014 Room: 2.1

Paper Short

Automatic Timeline Construction and Analysis for Computer Forensics Purposes
Yoan Chabot, Aurélie Bertaux, Christophe Nicolle, Tahar Kechadi

To determine the circumstances of an incident, investigators need to reconstruct events that occurred in the past. The large amount of data spread across the crime scene makes this task very tedious and complex. In particular, the analysis of the reconstructed timeline, due to the huge quantity of events that occurred on a digital system, is almost impossible and leads to cognitive overload. Therefore, it becomes more and more necessary to develop automatic tools to help or even replace investigators in some parts of the investigation. This paper introduces a multi-layered architecture designed to assist the investigative team in the extraction of information left in the crime scene, the construction of the timeline representing the incident and the interpretation of the latter.

Paper Short

How Analysts Think (?): Early Observations
B.L. William Wong

In this paper we describe work-in-progress to develop a description of the ways by which intelligence analysts engage in the thinking and reasoning processes when engaged in the intelligence analysis task. Such a model will be used to inform the design of the interactive visual interfaces for a next generation intelligence analysis system. We introduce the concepts of fluidity and rigour as key characteristics of the analysts’ thinking landscape.

Paper Short

Optical Security Document Simulator for Black-Box Testing of ABC Systems
Michael Gschwandtner, Svorad Štolc, Franz Daubner

Ever increasing passenger numbers have prompted the rise of automated border control (ABC) systems. Such systems are expected to perform the identity check of a traveler with the same or higher reliability as a human border guard. One important aspect of such a control is the authentication of the identity document provided by the traveler. To ensure a constant quality of the authentication process it is necessary to subject the ABC system to a thorough testing on a number of different document samples. Given the ever increasing number of eGates in operation all over the world, this testing becomes a technically infeasible task, which may have severe security implications. In this paper, we propose a system that can automate such quality assessments using an optical document simulator. Our simulator uses a similar principle as that of an active display attack, where a mobile device is used to trick automated document readers.

Session: Cyber and infrastructure security

16:15-17:15 Wednesday, September 24, 2014 Room: 2.2

Paper Short

Filtering automated polling traffic in computer network flow data
Nick Heard, Patrick Rubin-Delanchy, Daniel Lawson

Detecting polling behaviour in a computer network has two important applications. First, the polling can be indicative of malware beaconing, where an undetected software virus sends regular communications to a controller. Second, the cause of the polling may not be malicious, since it may correspond to regular automated update requests permitted by the client; to build models of normal host behaviour for signature-free anomaly detection, this polling behaviour needs to be understood. This article presents a simple Fourier analysis technique for identifying regular polling, and focuses on the second application: modelling the normal behaviour of a host, using real data collected from the computer network of Imperial College London.

Paper Short

Modelling new edge formation in a computer network through Bayesian variable selection
Silvia Metelli, Nicholas Heard

Anomalous connections in a computer network graph can be a signal of malicious behaviours. For instance, a compromised computer node tends to form a large number of new client edges in the network graph, connecting to server IP (Internet Protocol) addresses which have not previously been visited. This behaviour can be caused by malware (malicious software) performing a denial of service (DoS) attack, to cause disruption or further spread malware; alternatively, the rapid formation of new edges by a compromised node can be caused by an intruder seeking to escalate privileges by traversing through the host network. However, study of computer network flow data suggests new edges are also regularly formed by uninfected hosts, and often in bursts. Statistically detecting anomalous formation of new edges requires reliable models of the normal rate of new edges formed by each host. Network traffic data are complex, and so the potential number of variables which might be included in such a statistical model can be large, and without proper treatment this would lead to overfitting of models with poor predictive performance. In this paper, Bayesian variable selection is applied to a logistic regression model for new edge formation for the purpose of selecting the best subset of variables to include.

Paper Short

Application of a linear time method for change point detection to the classification of software
Alexander Bolton, Nicholas Heard

A computer program’s dynamic instruction trace is the sequence of instructions it generates during run-time. This article presents a method for analysing dynamic instruction traces, with an application in malware detection. Instruction traces can be modelled as piecewise homogeneous Markov chains and an exact linear time method is used for detecting change points in the transition probability matrix. The change points divide the instruction trace into segments performing different functions. If segments performing malicious functions can be detected then the software can be classified as malicious. The change point detection method is applied to both a simulated dynamic instruction trace and the dynamic instruction trace generated by a piece of malware.

Session: General

16:15-17:15 Wednesday, September 24, 2014 Room: 2.3

Paper Short

Three statistical approaches to sessionizing network flow data
Patrick Rubin-Delanchy, Daniel J Lawson, Melissa J Turcotte, Nicholas A Heard, Niall M Adams

The network traffic generated by a computer, or a pair of computers, is often well modelled as a series of sessions. These are, roughly speaking, intervals of time during which a computer is engaging in the same, continued, activity. This article explores a variety of statistical approaches to re-discovering sessions from network flow data using timing alone. Solutions to this problem are essential for network monitoring and cyber-security. For example, overlapping sessions on a computer network can be evidence of an intruder 'tunnelling'.

Paper Short

AccountabilityFS: A file system monitor for forensic readiness
Rune Nordvik, Yi-Ching Liao, Hanno Langweg

We present a file system monitor, AccountabilityFS, which prepares an organization for forensic analysis and incident investigation in advance by ensuring file system operation traces are readily available. We demonstrate the feasibility of AccountabilityFS in terms of performance and storage overheads, and prove its reliability against malware attacks.

Session: Border control

10:15-11:15 Thursday, September 25, 2014 Room: 2.1

Paper Long

Understanding the factors affecting UX and technology acceptance in the context of automated border controls
Mari Ylikauppila, Sirra Toivonen, Minna Kulju, Minna Jokela

The purpose of this paper is to describe the complexity of an Automated Border Control (ABC) context and the factors influencing the experience passengers and border guards have when interacting with ABC systems. Automated border control is expected to make border checks quicker and more efficient as well as reducing the cost. At the same time, the purpose is to enhance the level of border security. Automated solutions have been taken into use at many border sites over the past few years and a great deal of effort has been put into the development of ABC technology. But the effects may remain poorer than expected if the usage rates are low or if the process efficiency targets are not reached. One well recognised reason for this is that the process is too cumbersome for users. Thus, it is extremely important to pay attention to the usability and user experience when designing ABC solutions and environments so as to ensure user acceptance and positive impacts on technology integration. By deep research work and gaining an understanding of the field of border control, the main factors affecting the user experience (UX) and general acceptance have been identified. Suitability of technology, operational environment and user profile are all important factors that should be carefully considered in technology development.

Paper Long

On the adequacy of performance models in an adaptive Border Inspection Management system
Jesse Musgrove, Bojan Cukic, and Vittorio Cortellessa [nominated for best paper award]

In this paper, we present an approach to validation of system performance models for a Border Inspection Management System (BIMS), which guide the tradeoff between the throughput and security requirements. System models used to analyze the operational status of an application and plan for a potentially optimized execution are diverse and increasingly complex. Yet, the practice of software engineering teaches us that optimal operational behavior can be correlated with the simplicity of design and implementation. Adaptive systems are more complex because they typically include a monitoring, analysis, planning, and execution (MAPE) loop. Therefore, striving for the “simplest” model that enables appropriate adaptive control actions is a legitimate research direction.

Session: Forensic intelligence

10:15-11:15 Thursday, September 25, 2014 Room: 2.2

Paper Long

Resource-based Event Reconstruction of Digital Crime Scenes
Yi-Ching Liao, Hanno Langweg

To ensure that the potential evidence is readily available in an acceptable form when an incident or a crime occurs, we propose a resource-based event reconstruction prototype that corresponds to different phases of digital forensics framework, and demonstrate its feasibility by assessing the applicability of existing open-source applications to the proposed prototype. The feasibility study results show that the proposed prototype can enhance the capability of an organization for collecting, preserving, protecting, and analysing digital evidence by regarding system resources as an evidence source and system calls as digital events.

Paper Long

Addressing the Increasing Volume and Variety of Digital Evidence Using an Ontology
Owen Brady, Richard Overill, Jeroen Keppens

The field of digital evidence must contend with an increasing number of devices to be examined paralleled with increasing diversity. Examiners face a battle to understand what artefacts may exist on these devices. Further, many current forensic tools look to comprehensively examine sources of digital evidence which can generate large amounts of, often spurious, data with no easy means of correlation. This paper proposes the use of an ontology - the Digital Evidence Semantic Ontology (DESO) - that allows an examiner to quickly discover what artefacts may be available on a device before time-consuming processes are commenced - preventing the generation of data that may have no practical value for an investigation. The ontology is then used to classify this data so that equivalent artefacts across devices can be compared to make connections. It demonstrates how this ontology can be adapted to keep track of changes in technology and how it can be used in a laboratory environment.

Session: General / Web analytics

10:15-11:15 Thursday, September 25, 2014 Room: 2.3

Paper Long

Authorship Analysis of Inspire Magazine through Stylometric and Psychological Features
Jennifer Sikos, Peter David, Nizar Habash, Reem Faraj

When we read a piece of writing, the meaning we derive from that text often includes information about the authors themselves. Clues to their identity, worldview, and even psychological states are encoded in features such as word choice and sentence structure. This work describes how writing style features can be used to analyze the authorship of extreme jihadist writing. Inspire magazine is an online, English-language magazine published by Al-Qaeda in the Arabian Peninsula. Our work has revealed similarities and disparities in the writing styles of Inspire authors using features such as word choice and sentence structure, as well as semantic and psychological features. The Linguistic Inquiry and Word Count (LIWC) resource is a lexicon that identifies words and phrases associated with a set of cognitive processes and psychological states [1]. LIWC was originally developed to determine the psychological properties of English text but has since been expanded to other languages, including Arabic. Prior to this work, the Arabic-language version of LIWC was limited to a small category of function words and did not have the full analytical power of the English-language version. We show how a method of lexicon expansion, translation, and assessment by a native Arabic speaker was used to produce a more robust Arabic-language version of the resource and is applied to the psychological analysis of Inspire content in both English and Arabic.

Paper Long

Identifying Top Sellers In Underground Economy Using Deep Learning-based Sentiment Analysis
Hsinchun Chen

The underground economy is a key component in cyber carding crime ecosystems because it provides a black marketplace for cyber criminals to exchange malicious tools and services that facilitate all stages of cyber carding crime. Consequently, black market sellers are of particular interest to cybersecurity researchers and practitioners. Malware/carding sellers are critical to cyber carding crime since using malwares to skim credit/debit card information and selling stolen information are two major steps of conducting such crime. In the underground economy, the malicious product/service quality is reflected by customers’ feedback. In this paper, we present a deep learning-based framework for identifying top malware/carding sellers. The framework uses snowball sampling, thread classification, and deep learning-based sentiment analysis to evaluate sellers’ product/service quality based on customer feedback. The framework was evaluated on a Russian carding forum and top malware/carding sellers from it were identified. Our framework contributes to underground economy research as it provides a scalable and generalizable framework for identifying key cybercrime facilitators.

Session: Computational criminology

11:30-12:30 Thursday, September 25, 2014 Room: 2.1

Paper Long

Predicting Links in Multi-relational Networks
Bisharat Rasool Memon, Uffe Kock Wiil

Most traditional methods of link prediction in networks deal with homogeneous networks, i.e., networks with a single type of nodes and a single type of relationships. However, most real-life systems modelled by networks comprise multiple types of entities undergoing multiple types of interactions among themselves. In most social settings, for example, the actors are often connected by multiple types of social ties at the same time (friendship, kinship, acquaintance, FB-friend, twitter-follower, LinkedIn-contact, etc.). The types of ties a node already has influence which other ties it will form in the future - thus not only the existing link structure, but the variation in the link structure in terms of relationship types determines the target as well as the type of the new ties. In this paper we propose a novel method for link prediction in multi-modal and multi-relational networks. Our method is based on semantics of simple and compound relationships in the given network, i.e., a compound relationship represents a well-defined pattern of simple relationships between two typed nodes in the network. We test our method with Sageman's data set of the Salafi Jihad network, which is a heterogeneous network comprising of multiple relationship types.

Paper Long

Modelling and Analysis of Identity Threat Behaviors Through Text Mining of Identity Theft Stories
Yongpeng Yang, Monisha Manoharan, K. Suzanne Barber

Identity theft, fraud, and abuse are problems affecting all market sectors in society. Identity theft is often a “gateway” crime, as criminals use stolen or fraudulent identities to steal money, claim eligibility for services, hack into networks without authorization, and so on. The available data describing identity crimes and their aftermath is often in the form of recorded stories and reports by the news press, fraud examiners, and law enforcement. All of these sources are unstructured. Hence, in order to analyze identity theft data, this research proposes an approach which involves the collection of online news stories and reports on the topic of identity theft. Our approach preprocesses the raw text and extracts semi-structured information automatically, using text mining techniques. This paper presents statistical analysis of behavioral patterns and resources used by thieves and fraudsters to commit identity theft, including the identity attributes commonly linked to identity crimes, resources thieves employ to conduct identity crimes, and temporal patterns of criminal behavior. Analyses of these results increase empirical understanding of identity threat behaviors, offer early warning signs of identity theft, and thwart future identity theft crimes.

Session: Cyber and infrastructure security

11:30-12:30 Thursday, September 25, 2014 Room: 2.2

Paper Long

Time Critical Disinformation Influence Minimization in Online Social Networks
Chuan Luo, Kainan Cui, Xiaolong Zheng, Daniel Zeng

If a piece of disinformation released from a terrorist organization propagates on Twitter and this adversarial campaign is detected after a while, how can emergency responders wisely choose a set of source users to start the counter campaign to minimize the disruptive influence of disinformation in a short time? This practical problem is challenging and critical for authorities to make online social networks a more trustworthy source of information. In this work, we propose to study the time critical disinformation influence minimization problem in online social networks based on a continuous-time multiple campaign diffusion model. We show that the complexity of this optimization problem is NP-hard and provide a provable guaranteed approximation algorithm for this problem by proving several critical properties of the objective function. Experimental results on a sample of real online social network show that the proposed approximation algorithm outperforms various heuristics and the transmission temporal dynamics knowledge is vital for selecting the counter campaign source users, especially when the time window is small.

Paper Long

A Selective Defense for Application Layer DDoS Attacks
Yuri Gil Dantas, Vivek Nigam, Iguatemi Eduardo da Fonseca

Distributed Denial of Service (DDoS) attacks remain among the most dangerous and noticeable attacks on the Internet. Differently from previous attacks, many recent DDoS attacks have not been carried out over the network layer, but over the application layer. The main difference is that in the latter, an attacker can target a particular application of the server, while leaving the remaining applications still available, thus generating less traffic and being harder to detect. Such attacks are possible by exploiting application layer protocols used by the target application. This paper proposes a novel defense for Application Layer DDoS attacks (ADDoS) based on the Adaptive Selective Verification (ASV) defense used for mitigating Network Layer DDoS attacks. We formalize our defense mechanism in the computational system Maude and demonstrate by using the statistical model checker PVeStA that it can be used to prevent ADDoS. In particular, we show that even in the presence of a great number of attackers, an application running our defense still has high levels of availability. Moreover, we compare our results to a defense based on traffic monitoring proposed in the literature and show that our defense is more robust and also leads to less traffic.

Session: General / Web analytics

11:30-12:30 Thursday, September 25, 2014 Room: 2.3

Paper Long

Twitter Sentiment Analysis for Security-Related Information Gathering
Anna Jurek, Yaxin Bi, Maurice Mulvenna

Analysing public sentiment about future events, such as demonstrations or parades, may provide valuable information while estimating the level of disruption and disorder during these events. Social media, such as Twitter or Facebook, provides views and opinions of users related to any public topics. Consequently, sentiment analysis of social media content may be of interest to different public sector organisations, especially in the security and law enforcement sector. In this paper we present a lexicon-based approach to sentiment analysis of Twitter content. The algorithm performs normalisation of the sentiment in an effort to provide intensity of the sentiment rather than positive/negative label. Following this, we evaluate an evidence-based combining function that supports the classification process in cases when positive and negative words co-occur in a tweet. Finally, we illustrate a case study examining the relation between sentiment of Twitter posts related to English Defence League and the level of disorder during the EDL related events.

Paper Long

Mining the Web for Sympathy: The Pussy Riot Case
Anders Westling, Joel Brynielsson, Tove Gustavi

With social media services becoming more and more popular, there now exists a constant stream of opinions publicly available on the Internet. In crisis situations, analysis of social media data can improve situation awareness and help authorities to provide better assistance to the affected population. The large amount of activity on social media services makes manual analysis infeasible. Thus, an automatic system that can assess the situation is desirable. In this paper we present the results of training machine learning classifiers to be able to label tweets with one of the sentiment labels positive, neutral, and negative. The classifiers were evaluated on a set of Russian tweets that were collected immediately after the much debated verdict in the 2012 trial against members of the Russian punk rock collective Pussy Riot. The aim for the classification process was to label the tweets in the dataset according to the author's sentiment towards the defendants in the trial. The results show that the obtained classifiers do not accurately and reliably classify individual tweets with sufficient certainty. However, the classifiers do show promising results on an aggregate level, performing significantly better than a majority class baseline classifier would.

Session: General

14:45-16:15 Thursday, September 25, 2014 Room: 2.2

Paper Long

DNSSEC Misconfigurations: How incorrectly configured security leads to unreachability Niels L. M. van Adrichem, Antonio Reyes Lúa, Xin Wang, Muhammad Wasif, Ficky Fatturrahman, Fernando A. Kuipers [nominated for best paper award] DNSSEC offers protection against spoofing of DNS data by providing authentication of its origin, ensuring integrity and giving a way to authenticate denial of existence by using public-key cryptography. Where the relevance of securing a technology as crucial to the Internet as DNS is obvious, the DNSSEC implementation increases the complexity of the deployed DNS infrastructure, which may manifest in misconfiguration. A misconfiguration not only leads to silently losing the expected security, but might result in Internet users being unable to access the network, creating an undesired unreachability problem. In this paper, we measure and analyze the misconfigurations for domains in four zones (.bg, .br, .co and .se). Furthermore, we classify these misconfigurations into several categories and provide an explanation for their possible causes. Finally, we evaluate the effects of misconfigurations on the reachability of a zone’s network. Our results show that, although progress has been made in the implementation of DNSSEC, over 4% of evaluated domains show misconfigurations. Of these misconfigured domains, almost 75% were unreachable from a DNSSEC aware resolver. This illustrates that although the authorities of a domain may think their DNS is secured, it is in fact not. Worse still, misconfigured domains are at risk of being unreachable from the clients who care about and implement DNSSEC verification while the publisher may remain unaware of the error and its consequences.

Paper Long

Time-to-event Modeling for Predicting Hacker IRC Community Participant Trajectory Victor Benjamin, Hsinchun Chen As computing and communication technologies become ubiquitous throughout society, researchers and practitioners have become motivated to advance current cybersecurity capabilities. In particular, research on the human element behind cybercrime would offer new knowledge on securing cyberspace against those with malicious intent. Past work documents the existence of many hacker communities with participants sharing various cybercriminal assets and knowledge. However, participants vary in expertise, with some possessing only passing curiosity while others are capable cybercriminals. Here we develop a time-to-event based approach for assessing the relationship between various participation behaviors and participation length among hacker Internet Relay Chat (IRC) community participants. Using both the Kaplan-Meier model and Cox’s model, we are able to develop predictions on individuals’ participation trajectory based on a series of message content and social network features. Results indicate that participation volume, discussion of pertinent topics, and social interconnectedness are all important at varying levels for identifying participants within hacker communities that have potential to become adept cybercriminals.

Paper Long

Practical interception of DECT encrypted voice communication in Unified Communications environments Iwen COISEL, Ignacio SANCHEZ Digital Enhanced Cordless Telephony, DECT, is a worldwide standard for cordless telephony that is frequently integrated into Unified Communications systems both in enterprise and residential environments. DECT supports encryption to protect the confidentiality of the communications whilst allowing the interoperability between products from different models and manufacturers. In this paper we explore, from both a theoretical and a practical standpoint, the security of the DECT cryptographic pairing process which plays a vital role in the security chain of Unified Communications systems involving DECT technology. We demonstrate a practical security attack against the DECT pairing process that is able to retrieve the cryptographic keys and decrypt in real-time any subsequent encrypted voice communication. We also present suggestions for a more secure alternative pairing process that is not vulnerable to this type of passive attack.

Session: General / Web analytics

14:45-16:15 Thursday, September 25, 2014 Room: 2.3

Paper Long

The Nature of Communications and Emerging Communities on Twitter following the 2013 Syria Sarin Gas Attacks Yulia Tyshchuk, William Wallace, Hao Li, Heng Ji, Sue Kase Social media has become an important communication tool especially following an extreme event. Research in social psychology has shown that people engage in gathering and “milling” information, and confirmation seeking during the process of forming intent to take action or voice an opinion. Twitter serves as a communications channel where people converge to compile collective intelligence, provide event reporting, and diffuse information. In this paper the investigation of Twitter usage seeks to describe human participation on Twitter following a controversial extreme event – the 2013 Syria sarin gas attack. The methodology employed incorporates Natural Language Processing (NLP) and network analysis to trace human response on Twitter to this event. NLP techniques include Named Entity Recognition (NER) used to extract relevant entities (e.g. countries), Event Extraction (EE) to excerpt relevant events (e.g. conflict, movement, life, etc.), and Stanford Parser to detect actionable verbs discussed by Twitter participants. Network analysis constructs a network based on the Twitter users’ communications, detects communities, extracts their leaders and identifies their roles based on structural properties of the networks. Specifically, the research looked at the Twitter data for two days, August 22-23, 2013, following the event. The research suggests that (1) there was no immediate polarization of opinions following the event; (2) the primary event of Twitter communication was the conflict and information about the victims of the event; (3) Twitter communities were too sparse to produce a substantial amount of social pressure to force an opinion/opinion shift; (4) top community leaders were news sources, political activists, and select individuals; (5) ‘individual’ leaders’ political agendas were not revealed.

Paper Long

Time Profiles for Identifying Users in Online Environments Fredrik Johansson, Lisa Kaati, Amendra Shrestha [nominated for best paper award] Many people who discuss sensitive or private issues on web forums and other social media services are using pseudonyms or aliases in order to not reveal their true identity, while using their usual accounts when posting messages on non-sensitive issues. Previous research has shown that if those individuals post large amounts of messages, stylometric techniques can be used to identify the author based on the characteristics of the textual content. In this paper we show how an author’s identity can be unmasked in a similar way using various time features, such as the period of the day and the day of the week when a user’s posts have been published. This is demonstrated in supervised machine learning (i.e., author identification) experiments, as well as unsupervised alias matching (similarity detection) experiments.

Paper Long

Predicting Popularity of Forum Threads for Public Events Security Qingchao Kong, Wenji Mao, Daniel Zeng, Lei Wang Web users’ online interactive behavior with others often makes some user-generated content popular. The modeling and prediction of the popularity of online content is an important research issue for many key application domains. In this paper, we focus on one form of user-generated content, forum threads, and their popularity prediction for public events security. To predict the popularity of forum threads, we first define the popularity prediction problem, and identify the dynamic factors that affect the popularity of forum threads. Based on the information of dynamic evolution at the early stage, we propose a popularity prediction algorithm which makes use of the locality property and combines multiple dynamic factors. The proposed algorithm is further evaluated using the Tianya forum dataset on the discussions of various public events. The experimental results show that, compared to the baseline methods, our method achieves relatively better performance in predicting the popularity of forum threads on public events security.

Session: Computational criminology

16:45-17:25 Thursday, September 25, 2014 Room: 2.1

Paper Short

A Case Study in Opportunity Reduction: Mitigating the Dirt Jumper Drive -smart attack Joel Lathrop, James B. O'Kane Over the past few years, a particularly virulent strain of distributed denial-of-service (DDoS) malware known as Dirt Jumper has emerged. It has progressed through several iterations and has recently developed capabilities to circumvent measures employed by certain anti-DDoS hosting providers; this new capability was exposed as a new attack type named -smart. The primary contribution of this paper is to show how the mechanism of the -smart attack can itself be exploited to prevent an attacking Dirt Jumper bot from reaching its desired target application webserver as well as tarpitting the botnet, reducing its request rate more than a hundredfold. This opportunity-reduction technique is briefly examined within the crime science framework of situational crime prevention.

Session: Cyber and infrastructure security

16:45-17:25 Thursday, September 25, 2014 Room: 2.2

Paper Short

Uninvited Connections: A Study of Vulnerable Devices on the Internet of Things (IoT) Mark Patton, Eric Gross, Ryan Chinn, Samantha Forbis, Leon Walker, Hsinchun Chen The Internet of Things (IoT) continues to grow as uniquely identifiable objects are added to the internet. The addition of these devices, and their remote connectivity, has brought a new level of efficiency into our lives. However, the security of these devices has come into question. While many may be secure, the sheer number creates an environment where even a small percentage of insecure devices may create significant vulnerabilities. This paper evaluates some of the emerging vulnerabilities that exist and puts some figures to the scale of the threat.

Paper Short

Challenges to a smooth-running data security audits. Case: A Finnish national security auditing criteria KATAKRI Jyri Rajamäki An information security management system (ISMS) provides controls to protect organizations’ most fundamental asset, information. KATAKRI is a Finnish national security auditing criteria that is based on several ISMS standards and best practices. It was initially intended to be used by the public sector to audit private sector service providers, but it has also been adopted as a baseline of requirements for private sector security standards. First, this paper explores the expectations for security auditing criteria, processes and auditors. The case study research (CSR) was conducted in the form of interviews (n=25), questionnaires (n=45) and observations. Second, a design science research (DSR) exploits the combined CSR results for designing a model for a well-run ISMS audit. The CSR results show that the different goals of a security audit can be in conflict. The results also indicate that KATAKRI has defects due to its inconsistency. One task of auditing processes should be collecting information about shortcomings of applied criteria. This paper’s new model for KATAKRI audits includes this activity.

Session: General / Web analytics

16:45-17:25 Thursday, September 25, 2014 Room: 2.3

Paper Short

Ranking Online Memes in Emergency Events Based on Transfer Entropy Saike He, Xiaolong Zheng, Xiuguo Bao, Hongyuan Ma, Daniel Zeng, Bo Xu, Guanhua Tian, Hongwei Hao The rapid proliferation of online social networks has greatly boosted the dissemination and evolution of online memes, which can be free text, trending catchphrases, or micro media. However, this information abundance is exceeding the capability of the public to consume it, especially in unusual situations such as emergency management, intelligence acquisition, and crime analysis. Thus, this calls for a reliable approach to rank memes appropriately according to their influence, which will let the public focus on the most important memes without sinking into the information flood. However, studying memes in any detail on a large scale proves to be challenging. Previous bottom-up approaches are often highly complex, while the more recent top-down network analysis approaches lack detailed modeling for meme dynamics. In this paper, we first present a formal definition for the meme ranking task, and then introduce a scheme for meme ranking in the context of online social networks (OSN). To the best of our knowledge, this is the first time that memes have been ranked in a model-free manner. Empirical results on two emergency events indicate that our scheme outperforms several benchmark approaches. This scheme is also robust, being insensitive to sample rate. In light of the scheme’s fine-grain modeling on meme dynamics, we also reveal two key factors affecting meme influence.

Paper Short

Causal Inference in Social Media Using Convergent Cross Mapping Chuan Luo, Xiaolong Zheng, Daniel Zeng Revealing underlying causal structure in social media is critical to understanding how users interact, on which a lot of security intelligence applications can be built. Existing causal inference methods for social media usually rely on limited explicit causal context, pre-assume a certain user interaction model, or neglect the nonlinear nature of social interaction, which could lead to biased estimations of causality. Inspired by recent advances in causality detection in complex ecosystems, we propose to take advantage of a novel nonlinear state space reconstruction based approach, namely Convergent Cross Mapping, to perform causal inference in social media. Experimental results on real world social media datasets show the effectiveness of the proposed method in causal inference and user behavior prediction in social media.

Session: Cyber and infrastructure security

10:15-11:45 Friday, September 26, 2014 Room: 2.2

Paper Long

Aegis: A Lightweight Tool for Prevent Frauds in Web Browsers Carlo Marcelo Revoredo da Silva, José Lutiano Costa da Silva, Rodrigo Elia Assad, Ruy José Guerra Barretto de Queiroz and Vinicius Cardoso Garcia Based on its daily use and volume of its applications (both domestic and corporate environment) it cannot be denied that Web Browsers are very important tools. However, due to the increase of its use, the web environment presents itself as an increasingly hostile place where people perform malicious cybercrimes aiming to steal or to tamper with sensitive information of the web users. These illegal activities are often performed by using social engineering techniques through the web browser. To mitigate this problem, this paper proposes a tool which is capable of identifying the fraud vectors focused on the privacy violation of the web browser users.

Paper Long

Descriptive Analytics: Examining Expert Hackers in Web Forums Ahmed Abbasi, Weifeng Li, Victor Benjamin, Shiyu Hu, Hsinchun Chen In recent years, understanding the people behind cybercrime from a hacker-centric perspective has drawn increased attention. Preliminary exploration in online hacker social dynamics has found that hackers extensively exchange information with others in online communities, including vulnerabilities, stolen data, etc. However, there is a lack of research that explores automated identification and characterization of expert hackers within online communities. In this research, we identify expert hackers and characterize their specialties by devising a scalable and generalizable framework leveraging two categories of features to analyze hacker forum content. The framework encompasses text analytics for key hacker identification and analysis. In the Text Analytics module, we employ an interaction coherence analysis (ICA) framework, to extract interactions among the users in hacker communities as topological features. In Expert Identification & Analysis, we characterize each hacker with content features extracted with lexicon matching and structural features from the ICA component. Results reveal an interaction network and content-based clustering of key actors within the studied hacker community. Our project contributes to both social media analytics and cybersecurity research as we provide a complete analytical framework to analyze the key hackers from both an interaction network perspective and discussion content perspective. This framework can benefit cyber security researchers and practitioners by offering an inclusive angle for analyzing hacker social dynamics.

Paper Long

Inferring itineraries of containerized cargo through the application of Conditional Random Fields Pedro Chahuara, Luca Mazzola, Michail Makridis, Claudio Schifanella, Aris Tsois, Mauro Pedone This paper proposes a method to infer the itinerary of cargo transported in shipping containers based on a large, heterogeneous and noisy dataset of Container Status Messages. Such itinerary information can be used to improve the risk analysis performed by authorities in their effort to secure the global trade and fight frauds. Our method, based on conditional random fields, is able not only to partition the original noisy dataset into appropriate sequences describing distinct shipments of containerized cargo but also to identify the messages that describe the various stages of the transportation. The experiments performed suggest that conditional random fields provide a high accuracy for this sequential pattern mining problem.

Session: General / Web analytics

10:15-11:45 Friday, September 26, 2014 Room: 2.3

Paper Short

Towards a comprehensive insight into the thematic organization of the Tor hidden services Martijn Spitters, Stefan Verbruggen, Mark van Staalduinen Tor is a popular ‘darknet’, a network that aims to conceal its users’ identities and online activities. Darknets are composed of host machines that cannot be accessed by conventional means, which is why the content they host is typically not indexed by traditional search engines like Google and Bing. On Tor, web content and other types of services can anonymously be made available as so-called hidden services. Obviously, where anonymity can be a vehicle for whistleblowers and political dissidents to exchange information, the reverse of the medal is that it also attracts malicious actors. In our research, we aim to develop a detailed understanding of what Tor is being used for. We applied classification and topic model-based text mining techniques to the content of over a thousand Tor hidden services in order to model their thematic organization and linguistic diversity. As far as we are aware, this paper presents the most comprehensive content-based analysis of Tor to date.

Paper Short

Forecasting Country Stability in North Africa Steven Banaszak, Elizabeth Bowman, John P. Dickerson, V.S. Subrahmanian We develop a novel approach to predict certain types of stability events (battles, battles won by a government, riots/protests, violence against civilians) in countries by monitoring the content of a mix of traditional news, blog, and social media data. Specifically, we show that by monitoring sentiment on both pro- and anti-government entities within a country, even with a relative paucity of longitudinal data (36 time points), we can predict these stability related events with just over 80% classification accuracy. We report on our methods, together with a description of a prototype system called Sentibility that tracks country stability related events. In addition, we cast light on the key entities, sentiments on whom were correlated strongly (positively or negatively) by both Pearson and Spearman correlation coefficients, with such stability events in 3 countries: Egypt, Morocco, and Sudan.

Paper Short

Foraging Online Social Networks Gijs Koot, Mirjam A.A. Huis in ’t Veld, Joost Hendricksen, Rianne Kaptein, Arnout de Vries, Egon L. van den Broek A concise and practical introduction is given on Online Social Networks (OSN) and their application in law enforcement, including a brief survey of related work. Subsequently, a tool is introduced that can be used to search OSN in order to generate user profiles. Both its architecture and processing pipeline are described. This tool is meant as a flexible framework that supports manual foraging (and does not replace it). As such, we aim to bridge science’s state-of-the-art and current security officers’ practice. This article ends with a brief discussion on privacy and ethical issues and future work.

Session: Poster session

17:45-19:00 Wednesday, September 24, 2014 Room: Lobby

Paper Poster

CAPER - Collaborative information, Acquisition, Processing, Exploitation and Reporting for the prevention of organised crime Carlo Aliprandi, Juan Arraiza, Sebastian Maier, Gila Molcho, Felipe Melero European Law Enforcement Agencies are increasingly reliant on information and communication technologies and are affected by a society shaped by the Internet and social media. The richness and quantity of information available from open sources, if properly gathered and processed, can provide valuable intelligence and help draw inferences from existing closed source intelligence. CAPER is an Open Source INTelligence platform for the prevention of organized crime, created in cooperation with European LEAs. CAPER supports information sharing and multi-modal analysis of open and closed information sources, mainly based on Natural Language Processing (NLP) and Visual Analytics (VA) technologies.

Paper Poster

Detecting threats of violence in online discussions using bigrams of important words Hugo Lewi Hammer Making violent threats towards minorities like immigrants or homosexuals is increasingly common on the Internet. We present a method to automatically detect threats of violence using machine learning. A material of 24,840 sentences from YouTube was manually annotated as violent threats or not, and was used to train and test the machine learning model. Detecting threats of violence works quite well with an error of classifying a violent sentence as not violent of about 10% when the error of classifying a non-violent sentence as violent is adjusted to 5%. The best classification performance is achieved by including features that combine specially chosen important words and the distance between those in the sentence.

Paper Poster

Learning to Classify Hate and Extremism Promoting Tweets Ashish Sureka, Swati Agarwal Research shows that Twitter is being misused as a platform for online radicalization and contains several hate and extremism promoting users and tweets violating the community guidelines of the website. Manual identification of such tweets is practically impossible due to millions of tweets posted every day and hence solutions to automate the task of tweet classification are required for Twitter moderators or an intelligence and security analyst. We formulate the problem of hate and extremism promoting tweet identification as a one-class classification problem and propose several linguistic features. Experimental results on a large, real-world dataset demonstrate that the proposed approach is effective.

Paper Poster

Recommending Documents for Complex Question Exploration by Analyzing Browsing Behavior Alya Abbott, Olga Simek We present a novel approach for recommending documents to users by analyzing user browsing behavior, and demonstrate the effectiveness of our methods using an original data set.

Paper Poster

Passwords are dead: Alternative authentication methods Dr. Michael Bachmann The idea of protecting information has been around for many centuries. Modern computers use a system of authentication to protect the machine from unauthorized access. One of the greatest challenges today is that the average user has about 40 personal and professional accounts that rely on user names and passwords for authentication. These logins are rarely unique, hardly ever changed, oftentimes simplistic, and rely on insecure “security questions” fallback options because they are regularly forgotten and reset [1]. The past few years have seen a dramatic increase in the number of data breaches of major corporations and government agencies and that number only continues to grow. These significant breaches make it now more important than ever to find some new ways to access private data. In order for us to stay safe and secure online, we must look at emerging technologies to conceptualize the future of login authentication. From biometrics to sound-based passwords to electronic tattoos and ingestible pills, the future holds numerous ways for us to interact with our machines in a safer and more efficient manner than ever before.

Paper Poster

Sensemaking and Cognitive Bias Mitigation in Visual Analytics Margit Pohl, Lisa-Christina Winter, Chris Pallaris, Simon Attfield, B.L. William Wong The purpose of the VALCRI project is to develop a new system prototype for information exploitation by intelligence analysts working in law enforcement agencies. Information visualisation will be a core element of the prototype. Such systems have to be designed to support the sensemaking and reasoning processes of the analysts. One of the goals of the project is, therefore, to get a more thorough understanding of sensemaking processes and to develop a set of recommendations for the design of intelligence analysis systems to help analysts in their work.

Paper Poster

Metal oxide gas sensors technologies for hidden people detection Andrea Ponzoni, Dario Zappa, Cristina Cerqui, Elisabetta Comini, Giorgio Sberveglieri This work describes metal oxide gas sensor technologies based on chemiresistor and surface ionization devices with respect to their integration into an electronic nose sensing system, namely a sensor array whose collective response is handled through a pattern recognition software. Potentialities and challenges of the proposed approach are presented in the frame of detection of people hidden in cargos and containers.

Paper Poster

Towards a Methodology for Cybersecurity Risk Management Using Agents Paradigm Parth Bhatt, Per M Gustavsson, Rose-Mharie Ahlfeldt In order to deal with shortcomings of security management systems, this work proposes a methodology based on agents paradigm for cybersecurity risk management. In this approach a system is decomposed in agents that may be used to attain goals established by attackers. Threats to business are achieved by attacker’s goals in service and deployment agents. To support a proactive behavior, sensors linked to security mechanisms are analyzed in accordance with a model for Situational Awareness.

Paper Poster

An interactive Patterns of Life visualisation tool for Intelligence Analysis Neesha Kodagoda, Simon Attfield, Phong H. Nguyen, Leishi Zhang, Kai Xu, B L William Wong, Adrian Wagstaff, Graham Phillips, James Bulloch, John Marshall, Stewart Bertram POLAR is an experimental test-bed visualisation tool for Patterns of Life analysis, developed on the basis of knowledge elicitation with stakeholders. It uses multiple and coordinated views for exploring geo-temporal datasets. The system has three modes of interaction for addressing different kinds of PoL questions. It supports the exploration of movement patterns with resolutions ranging from intercontinental to local travel and a year or more to just a few minutes.

Paper Poster

Military Geospatial Profiling Analysis Oey, Herman-Dick Giok Tjiang One of the most utilised premeditated terrorist weapons of choice in conflict areas is the Improvised Explosive Device (IED). Sustained casualties create the need for knowledge of defeating such incidents. This paper describes a new empirical multidisciplinary research approach that integrates 3 sciences: Geography, Criminology, Psychology. It uses Mathematics to model enemy behaviour from a geo-spatial point of view. The approach incorporates the physical environment and its impact on the psychology (why) and execution (how) of a premeditated crime.

Paper Poster

Robust Navigation and Communication in the Maritime Domain: the TRITON Project Marco Pini, Luca Pilosu, Lene Vesterlund, David Blanco, Fredrik Lindström, Emiliano Spaltro Intentional jamming and spoofing are growing concerns for communication and positioning systems based on Global Navigation Satellite System (GNSS). In the maritime sector, intentional interfering signals might induce poor performance of the GNSS receivers, which, in severe cases, are unable to provide reliable measurements. On board vessels, the failure of the GNSS receiver propagates to multiple systems, like the Automatic Information System (AIS) transponder, the ship’s gyro calibration system and the digital selective calling system. The AIS itself can suffer from failures due to interference in the VHF band, and the lack of bandwidth makes it difficult to introduce any security mechanisms. The vulnerability to intentional interference as well as the availability of personal privacy devices easily sold over the Internet motivate attackers who intend to defraud services and get direct benefits.

Paper Poster

Detection of Olfactory Traces by Orthogonal Gas Identification Technologies - DOGGIES

I. Daniilidis, J.-J. Filippi, W. Vautz, E. Dalcanale, S. Zampolli, G. Leventakis, I. Kauppinen, S. Sinisalo, V. Tsoulkas, V. Kassouras, M. Carras, B. Gerard, R. Pinalli, A. Ragnoni, L. Dujourdy, D. Zavali, M. Brun, V. Grizis, A. Argyris, D. Syvridis

Border security is one of the key challenges to be taken up by Europe in the following years. In particular, the deployment of practical efficient means to detect hidden persons and illegal substances at border crossing points is instrumental in avoiding terrorism, human trafficking or smuggling. This study presents the concept of an “orthogonal” approach to the identification of gas traces identified as pertinent targets for illicit substances (drugs and explosives) as well as for human presence. The techniques employed to perform the analysis are based on completely different physical principles; these are the Mid-Infrared photo-acoustic spectroscopy (MIR-PAS - demonstration of a novel widely tunable integrated MIR source coupled with a miniature photo-acoustic cell) and the Ion mobility spectrometry (IMS) using a non radio-active ionization source.

Paper Poster

When Counting is Not Enough: Limitations of NSA's effectiveness assessment of surveillance technology

Michelle Cayford, Coen van Gulijk, P.H.A.J.M. van Gelder

The NSA has justified their surveillance programs by presenting the number of terrorist activities these programs disrupted. This paper finds this method of measuring the effectiveness of surveillance technology by counting successful cases to be not enough. It is only one measure of assessing effectiveness and should not be used in isolation to determine a technology’s effectiveness.

Paper Poster

DOCSCOPE: ID Printing Techniques Signatures

Marc Pic, Clarisse Mandridake, Mathieu Hoarau, Kevin Win-Lime

DOCSCOPE is an ANR project dedicated to the exploration of new approaches to authenticate ID documents and to detect falsification or counterfeiting. In this paper we focus on the usage of printing techniques signatures.

IEEE JISIC 2014 – Tutorials

Real-Time Sentiment Analysis

Anna Jurek

13:15-14:45 Wednesday, September 24 Room 2.1

Abstract—Sentiment analysis refers to text analysis, natural language processing and computational linguistics, and it aims to identify and extract subjective information in source data. It is commonly applied while monitoring social media channels in an effort to recognise the mood of social media posts and tweets by grouping it into positive and negative results. In the tutorial we introduce the problem of sentiment analysis and review the state-of-the-art techniques. We discuss the key difficulties and challenges faced in sentiment analysis. From the application area point of view, the tutorial will focus on real time sentiment analysis for monitoring social media channels. We will demonstrate how existing open source platforms perform sentiment analysis across major social media channels and how users can apply such tools in different decision processes. Finally, we will discuss how real-time sentiment analysis can be applied in the security domain for tension analysis and crime prevention.

Outline of this tutorial

• Problem formulation and key concepts

• Text preparation

• Features: Part-of-speech, unigrams, bigrams, negation, intensification

• Supervised and unsupervised approaches to sentiment analysis

• Review of existing Sentiment Analysis algorithms

• Challenges in sentiment analysis

• Application of Sentiment Analysis

• Social media monitoring platforms and real time sentiment analysis

• Real time Sentiment Analysis for tension monitoring and crime prevention

• Directions of future work

Presenter biographical statements

Anna Jurek received an MSc degree in Computer Science and an MSc in Mathematics from the Technical University of Lodz (Poland) in 2006 and 2009, respectively. In 2012, she received the PhD degree in Computer Science from University of Ulster, UK. Her research interests include machine learning, sentiment analysis and intelligent systems. Currently, she is working as an associate in a Knowledge Transfer Partnership between University of Ulster and RepKnight Ltd. Her role in the project is developing algorithms for analysing data pulled from social media channels with the main focus on sentiment analysis.

Lawfully-Authorized Electronic Surveillance in Wireless Communications Systems: Standard and Requirements Overview

Kafi Hassan

14:45-16:15 Thursday, September 25 Room 2.1

Abstract—Voice and data wireless communication devices have become an important and convenient way of communication for most people around the world. In many places, wireless cell phones are used more than traditional landline telephones. Therefore, it has become necessary to have the wireless communications systems support lawfully-authorized electronic surveillance (LAES) as the landline communications did in the past. In the United States, the United States Congress passed legislation known as the Communications Assistance for Law Enforcement Act (CALEA) in 1994. CALEA requires both landline and wireless United States carriers to provide surveillance information to a lawfully authorized law enforcement monitoring center. The J-STD-025-A/B Standards define the interfaces between a telecommunication service provider (TSP) and a Law Enforcement Agency (LEA) to assist the LEA in conducting lawfully-authorized electronic surveillance. Wireless networks continuously evolve to support new voice/data Access Terminals (AT) and new Radio Access Networks (RAN). These rapid changes of the wireless systems create new challenges that require new innovations and forward thinking that will allow the electronic surveillance technology to meet and keep up with the wireless technologies. This tutorial is intended to give an overview of the Lawfully-Authorized Electronic Surveillance standards and requirements for wireless communications systems from a network research and development perspective. This tutorial describes the standards, requirements and challenges both to the wireless communications networks and to the surveillance technology. As a final point, this tutorial is used to identify some important open areas that need further research in the future.

Outline of this tutorial

• Overview of the main system components of the wireless system interception functions: Access, Delivery, Collection, Service provider administration, Law enforcement administration.

• Wireless communication electronic surveillance requirements.

Presenter biographical statements

Kafi Hassan is a senior Telecom Design Engineer at the Sprint Corporation’s Network Development Laboratory at Reston, Virginia. Also, he is an adjunct professor at the George Mason University Computer Forensics Graduate program. From 1995 to 2006, he worked as a Member of Technical Staff at the Bell Laboratories in Whippany, New Jersey, doing research and development in design and analysis of wireless communication systems. He has been a recipient of many professional honors, including the Bell Labs President’s Gold Award in 2000 and the Bell Labs President’s Silver Award in 2002. He has B.S. and M.S. degrees in electrical engineering from University of North Carolina at Charlotte, and a Ph.D. degree in electrical engineering from the Graduate Center of the City University of New York. Dr. Hassan’s current research interests include network optimization algorithms, network intrusion detection systems, evolutionary computation algorithms and network resource management algorithms.

Theory, Framework and Method for Software Design Studies in Security and Intelligence Analysis Work Environments

Laura A. McNamara, Kerstan Cole, and Susan Stevens-Adams

10:15-11:45 Friday, September 26 Room 2.1

Abstract—For security analysts to use new informatics systems effectively, designers and developers must pay careful attention to the data, information, products, and stakeholders associated with the intended user community. Given the tremendous variation in the type of work, this is a daunting challenge that can only be addressed by engaging one’s intended user community. This tutorial provides an overview of principles, methods and frameworks for developing productive design relationships with one’s intended user community. The tutorial builds on our team’s approach to eliciting, documenting and analyzing intelligence analysis workflows, including the resources, tasks, roles and activities that comprise the day-to-day worklives of security analysts. Participants will leave the tutorial with a thorough introduction to the major social/behavioral science theories, frameworks and methods used for analytic system design, including human factors, visual analytics, cognitive psychology and organizational anthropology, tailored for developers who are engaging security analysis workplaces. The tutorial is open to any security informatics researcher, designer, or system engineer who is seeking assistance with user-oriented design techniques, but will be particularly useful for researchers who are in the early stages of planning the design and development of new informatics technologies for an intended user community. We will supply participants with a detailed annotated bibliography, templates for planning a design study and for data collection and representation; and practical, engaging guidance that will enable participants to plan a realistic and productive design study with intelligence and security user communities.

Presenter biographical statements

Laura McNamara is a Principal Member of Technical Staff at Sandia National Laboratories and holds a PhD in Anthropology from the University of New Mexico. Her primary area of interest is developing and implementing methods for expert knowledge elicitation, user-centered design, and analytic software evaluation in science, engineering and intelligence analysis domains.

Kerstan Cole received her PhD in Human Factors Psychology from Texas Tech University in 2010. Dr. Cole's primary area of expertise is the application of human factors methodologies for the design and evaluation of human-machine systems. She has studied the human element in a variety of domains including driving, intelligence analysis, synthetic aperture radar, power grid operations, aviation, and nuclear weapons operations. Dr. Cole has taught several university courses including Human Factors, Research Methods, and Introduction to Psychology. She has also taught several professional courses offered by the Department of Energy to different audiences including nuclear criticality safety engineers and other engineers and practitioners employed by national labs across the U.S.

Susan Stevens-Adams received her PhD in Cognitive/Learning Psychology from the University of New Mexico in 2011. Dr. Stevens-Adams has expertise in experimental design, human factors and statistics. She has studied the human element in a variety of domains including false memory, team performance, aviation, nuclear power, synthetic aperture radar, power grid operations, and nuclear weapons operations. Dr. Stevens-Adams has taught several university courses including the Introduction to Psychology and has also taught several professional courses offered by the Department of Energy to different audiences including nuclear criticality safety engineers and other engineers and practitioners employed by national labs across the U.S.

IEEE JISIC 2014 – Conference Venue

New Babylon Meeting Center

The conference will be hosted by New Babylon Meeting Center, which is situated next to The Hague Central (Den Haag Centraal) railway station: the red dot on the map on the next page. The Hague Central railway station can be reached in 30 minutes from Amsterdam Schiphol Airport by direct train four times every hour.

Address

New Babylon Meeting Center The Hague Anna van Buerenplein 41a 2595 DA The Hague

IEEE JISIC 2014 – The Hague

The Hague “City of Peace and Justice”

The Hague “City of Peace and Justice” is a perfect venue to host this conference on intelligence and security informatics as it can be considered the seat of international law. It houses the International Court of Justice, the Permanent Court of Arbitration, the Hague Academy of International Law, and the extensive Peace Palace Library, among others. The Hague region has more than 300 security businesses specialized in cybercrime, forensic research, national security and urban security. The sector has a turnover of €1.5 billion and 10,000 jobs.

The Hague is the seat of the Dutch parliament and government. The heart of the city contains most of the historic architecture from the medieval, renaissance, and Baroque periods. The Hague offers visitors lots of outdoor cafes and shopping opportunities. The Hague city center is fairly compact and easily accessible on foot. The Hague, furthermore, has an efficient system of light rail, trams and busses, running mostly on free tracks allowing for a fairly speedy ride.

Originally, The Hague was built on the dunes. That is why, just outside the city, one can enjoy the most wonderful scenery. The Hague is located near the sea and dunes offering splendid leisure activities, either in Scheveningen or Kijkduin. Sunbathing, sports, walking and bicycling trips, food, drink and nightlife are all the ingredients offered for a great day at the beach or in the dunes.

More information about The Hague can be found at: http://www.denhaag.nl/en.htm

IEEE JISIC 2014 – Information for the Participants

Conference Secretariat

Conference registration takes place at the Conference Secretariat, which is located at the entrance of the conference venue. During the hours of the conference, conference participants can turn to the Conference Secretariat with questions about conference arrangements, local transportation, etc.

Coffee Breaks

Coffee, tea, and sandwiches or cakes will be served outside the main auditorium.

Lunch

Lunch will be served at the main auditorium every day.

Ice Breaker Reception/Poster Session

The combined ice breaker reception/poster session will start at 17.25 on Wednesday, September 24, directly after the last session. The posters will be displayed outside the main auditorium where Flip Chart boards will be provided for the presenters. Snacks and drinks will be available and the organizers hope that the conference participants take this opportunity to get to know each other!

Gala Dinner

The gala dinner will take place at Madurodam. To get there, take Bus 69 from The Hague Central Station and stop at Madurodam (Noord). Travel time is approximately 15 minutes.

Wireless Internet

Wireless Internet will be available for the conference participants. Information about how to connect your computer will be available at the conference venue.

Smoking Policy

Smoking is not allowed inside the conference venue.

Mobile Phone Policy

As a courtesy to speakers and attendees please refrain from using mobile phones during the keynote speeches and presentations. Turn your mobile phone to vibrate before entering a session and leave the session if you receive a call.

Information for Presenters

In the main conference, presentations of full papers are allocated 30 minutes and presentations of short papers 20 minutes, including a few minutes for questions and answers after the presentation. A Session Chair introduces the speakers and moderates the question-and-answer period.

• A laptop with Microsoft Office installed will be available in each conference room. Upon request, help will be available to the presenters for the installation of their presentations.

• Projection screen and data projector will be available in the rooms.

IEEE ISI 2015

May 26-29, 2015

Baltimore, MD, USA

Primary Organizers: Anupam Joshi, Tim Finin, Lina Zhou, Dongsong Zhang from University of Maryland, Baltimore County

EISIC 2015

IEEE Joint Intelligence and Security Informatics Conference 2014

September 24-26, 2014, The Hague, the Netherlands, http://www.eisic.org

The Premier Conference on Intelligence, Safety and Security Informatics

Designed by Panagiotis Karampelas, EISIC 2013