processing events in probabilistic risk assessment robert c. schrag, edward j. wright, robert s....
TRANSCRIPT
Processing events in probabilistic risk
assessmentRobert C. Schrag, Edward J. Wright,
Robert S. Kerr, Bryan S. Ware
9th International Conference on Semantic Technologies for Intelligence, Defense, and
Security (STIDS). November 20, 2014
Annotated presentation—see Notes Page view.
Three event-informed person risk models
1. MC (“Carbon”):
Information disclosure risk Belief that a (candidate) member person
P will disclose an organization’s private information
Life (“macro”) events Education, employment Crime, civil judgment Bankruptcy, credit …
2. MS (“Silicon”):
IT system insider exploitation risk Belief that a user will access, disclose,
or destroy an organization’s computer network-resident information)
Computer network (“micro”) events Log in after hours Access “decoy” file Copy file to…
External location Thumb drive
3. MG = MC • MS
3
Issue: Apply event evidence to person attribute concept random variables (RVs) in a risk assessment Bayesian network (BN), modeling events’ changing relevance over time.Given: Person P Events E, in P’s past or present Generic person BN B
Risk-related person attribute concept RVs (Boolean) Concept-relating probabilistic influences
A reference time t (in an ordered set T of such points)
Develop: Person-specific BN BP reflecting E Beliefs in P’s attribute concept at t, per BP
(P’s historical risk profile over T)
Theme
4
Reliable
Trustworthy
…CommittedToSchool
CommittedToCareeer
CommitsMisdemeanor
School events Employment events
Lawenforcement
events
…
…
Elided B with ingested event categories (MC)
Approaches to realizing BP
1. Event “ingestion”:For each event e in E, …
Include a new event RV δ indicating person attribute concept π in BP
Specify per-event half life decay as new temporal relevance RV ρ
Enter hard evidence finding on δ
Appropriate when events are of a given type τ are individually salient
Feasible when |E| << |nodes(B )|
Ingestion
π ρ
δ
event
concept relevance
6
Life events timeline (MC)
Three event-informed person risk models
1. MC (“Carbon”):Information disclosure risk 100s of RVs B extracted from official policy /
guidelines (under in situ test)Life (“macro”) events 10s of types 10s of events / person 10s of years of dataIngestion only (“hard” salience)
10s of rules
2. MS (“Silicon”):IT system insider exploitation risk 10s of RVs B eyeballed (preliminary proof of
concept)Computer network (“micro”) events 10s of types 100Ks of events / person 1.5 years of dataSummarization, primarily (“soft” salience) 1s of ingestion rules
3. MG = MC • MS
Three event-informed person risk models
2. MS (“Silicon”):
IT system insider exploitation risk Belief that a user will access, disclose,
or destroy an organization’s computer network-resident information)
Computer network (“micro”) events Log in after hours Access “decoy” file Copy file to…
External location Thumb drive
3. MG = MC • MS
Approaches to realizing BP
2. Event “summarization”:For each event type τ represented in E, … Include an event “summary” RV Δ
indicating π in B Develop a likelihood summarizing the
impact of events τ collected into temporal buckets
Enter likelihood finding on Δ
Appropriate when the salience of events type τ tends to depend on trends w.r.t. an individual or a population thereof
Useful when ⌐(|E| << |nodes(B )|)
π ρ
Δ
δ1 δnδ2 …events
concept relevance
summary
Summarization
10
Summarize events over a practically unlimited duration, by using temporal buckets of geometrically increasing size.Infer salience from event volume variation w.r.t. a person’s own and the population’s history. Weight buckets per desired temporal relevance decay.
Summarization elements (per RV)
11
Summarization metric: Count (CopyDecoyToExternal)
MS
0
100
200
300
400
500
600
141664
Day
Coun
t
Bucket
12
Summarization metric: Variation re self (CopyDecoyToExternal)
MS
0
0.2
0.4
0.6
0.8
1
141664
Day
Varia
tion:
sel
f
Bucket
13
Summarization metric: Variation re all (CopyDecoyToExternal)
MS
0
0.2
0.4
0.6
0.8
1
1 4 16 64
Day
Varia
tion:
all
Bucket
14
Summarization metric: Variations mean (CopyDecoyToExternal)
MS
0
0.2
0.4
0.6
0.8
1
141664
Day
Varia
tions
mea
n
Bucket
15
Summarization metric: Suspicion warrant (CopyDecoyToExternal)
MS
0
0.2
0.4
0.6
0.8
1
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 35 37 39 41 43 45 47 49 51 53 55 57 59 61 63
Susp
icio
n w
arra
nt
Day
Approaches to realizing BP
2. Event “summarization”:For each event type τ represented in E, … Include an event “summary” RV Δ
indicating π in B Develop a likelihood summarizing the
impact of events τ collected into temporal buckets
Enter likelihood finding on Δ
Appropriate when the salience of events type τ tends to depend on trends w.r.t. an individual or a population thereof
Useful when ⌐(|E| << |nodes(B )|)
π ρ
Δ
δ1 δnδ2 …events
concept relevance
summary
Summarization
17
Computer network events timeline (MS)
18
(defparameter *Influences* '((ExploitsITSystemAsInsider (:ImpliedByDisjunction (CommitsITExploitation (:ImpliedBy (DestroysInformationUnauthorized) (AccessesInformationUnauthorized) ; Ingested: HandlesKeylogger_Event (DisclosesInformationUnauthorized) ; Ingested: CopyFileToWikileaks_Event (StealsInformation))) ; Ingested: CopyFileToCompetitor_Event (WarrantsITExploitationSuspicion (:ImpliedBy (WarrantsInformationDestructionSuspicion (:IndicatedBy (:Strongly (DeleteFileOnOthersPC_Summary)) (:Moderately (DeleteFileOnLabsPC_Summary)))) (WarrantsUnauthorizedInformationAccessSuspicion (:IndicatedBy (:Moderately (AfterHoursLogin_Summary)) (:Weakly (OpenFileOnOthersPC_Summary)))) (WarrantsUnauthorizedInformationDisclosureSuspicion (:IndicatedBy (:Strongly (CopyOthersFileToThumb_Summary) (CopyDecoyToExternal_Summary)) (:Moderately (OpenDecoyFile_Summary) (AcquireDecoyFile_Summary) (CopyFileToExternal_Summary)) (:Weakly (CopyFromThumbToOwnPC_Summary) (CopyOwnFileToThumb_Summary) (CopyOthersFileToExternal_Summary))))) (:RelevantIf (:Locally (:Absolutely (Untrustworthy)))) (:MitigatedBy (:Locally (:Strongly (HasRole-ITAdmin)))))))))
Influence graph specification (MS)
19
Computer network events timeline (MS)
Combined timeline (MG = MC • MS)
21
Temporal relevance nodes participate in belief propagation in BP—making their beliefs (so, effective temporal relevance) subject to departure from nominal specification.Multiple temporal and/or semantically close events’ relevance nodes reinforce each other—inducing temporal relevance beyond nominal specification. 5 simultaneous events’ decay only 6% after half life interval. We might naively expect 50%.
Summarization largely insulates a temporal relevance node from surrounding belief propagation.
Ingestion issue: Interacting temporal relevance nodes
22
Allegro Common Lisp® (ACL)AllegoGraph® Lisp direct client
Allegro Prolog macros (e.g., select)
Lisp macros (e.g., iterate-cursor)
ACL API to the Netica® APINetica® API
Supporting software “stack”
23
(defIngestionRule RestrainingOrder (+process-reportedEvent ?person ?*asOfDate) (reportedEvent ?person ?*asOfDate ?event !agent:ProtectiveRestrainingOrder ?*startDate ?*endDate ?*ongoing? ?*reportDate) (lisp (create-EventConceptIndication ?person :IndicatedConcept CommitsDomesticViolence :+IndicatingEvent ?event :Terminus :end :DeltaDays (- ?*asOfDate ?*endDate) :HalfLife (* 6 365) :Strength :strong :Polarity :positive)))
Ingestion rule (MC)
24
(defOntologyInstance !data:P (Person))
(defOntologyInstance !data:PHighSchoolAttendance (SchoolAttendance) (riskRatingSubject !data:P) (schoolCredentialAward !data:PDiplomaAward) (startDate "2000-09-04") (endDate "2004-06-15"))
(defOntologyInstance !data:PDiplomaAward (SchoolCredentialAward) (riskRatingSubject !data:P) (startDate "2004-06-15") (schoolCredentialAwarded HighSchoolDiploma))
(defOntologyInstance !data:PEmployment (Employment) (riskRatingSubject !data:P) (startDate "2004-07-05") (endDate "2009-09-05"))
(defOntologyInstance !data:PMisdemeanorAssault (PoliceOffense) (riskRatingSubject !data:P) (offenseChargeSchedule Misdemeanor) (startDate "2007-06-30"))
(defOntologyClass Person (Thing) (hasGender Gender :Functional))
(defOntologyClass Gender (Thing) (:enumeration Male Female OtherGender))
(defOntologyType Date !xsd:date)
(defOntologyClass Event (Thing) (riskRatingSubject Person :Functional) (startDate Date (:cardinality 1)) (endDate Date :Functional) (sourceReport Report :Functional))
(defOntologyClass PointEvent (Event) (hasConsequentEvent Event))
(defOntologyClass DurativeEvent (Event) (hasSubEvent Event))
(defOntologyClass ProtectiveRestrainingOrder (PointEvent))
Ontology and data specifications (MC)
25
Questions ?
Thank you.
26
Extras…
Approaches to realizing BP
1. Event “ingestion”:For each event e in E, …
Include a new event RV δ indicating person attribute concept π in BP
Specify per-event half life decay as new temporal relevance RV ρ
Enter hard evidence finding on δ
Appropriate when events are of a given type τ are individually salient
Feasible when |E| << |nodes(B )|
2. Event “summarization”:For each event type τ represented in E, … Include an event “summary” RV Δ
indicating π in B Develop a likelihood summarizing the
impact of events τ collected into geometrically larger buckets
Enter likelihood finding on Δ
Appropriate when the salience of events type τ tends to depend on trends w.r.t. an individual or a population thereof
Needed when ⌐(|E| << |nodes(B )|)
Ingestion
π ρ
δ
event
concept relevance
Approaches to realizing BP
Summarization
π ρ
Δ
δ1 δnδ2 …events
concept relevance
summary
29
π ρ
δ
π ρ
Δ
δ1 δnδ2 …
BN fragment patterns
Ingestion
Multi-ingestion(bridge to summarization)
30
Life events timeline (MC)
31
Bucket Day
Event type instance count
Summarization metric: Count (CopyDecoyToExternal)
MS
32
Summarization metric: Variation re self (CopyDecoyToExternal)
Bucket Day
Event type historical variation re self
MS
33
Summarization metric: Variation re all (CopyDecoyToExternal)
Bucket Day
Event type historical variation re all
MS
34
Summarization metric: Suspicion warrant (CopyDecoyToExternal)
Day
Event type summary RV likelihood (suspicion warrant)
MS