
Efficient Hybrid Algorithms for Plan Recognition and Detection of Suspicious and Anomalous Behavior

Dorit Avrahami-Zilberbrand, Gal A. Kaminka

The MAVERICK Group, Computer Science Department, Bar Ilan University, Israel

Plan Recognition: Motivation

• Inferring the intentions, plans, goals of an agent
  • Based on observations of its interactions with the environment
• Recognizing the internal state of an agent
  • NLP, intrusion detection systems, surveillance
• Challenges
  • Multi-featured observations
  • Lossy observations, duration constraints, interleaved plans
• Goal: Efficient Algorithms for Plan Recognition
  • Dealing with plan recognition challenges
  • Incorporating observer biases and preferences
  • Maintaining efficient plan recognition

Efficient Hybrid Model for Plan Recognition

• SBR: Fast and Complete Symbolic Plan Recognition
  • Efficient matching of complex multi-feature observations
  • Handling lossy observations, interleaved goals, duration constraints
  • Avoiding computation of hypotheses
• UPR: Utility based Plan Recognition
  • Choosing hypotheses based on utility to the observer
  • Low likelihood hypotheses with costs are not ignored
• Highly Efficient
  • Symbolic recognizer efficiently filters hypotheses
  • Utility based recognizer ranks only a small number of hypotheses

Detecting Anomalous and Suspicious Behavior

• Utilize plan recognition to detect suspicious behavior
  • Negative behavior plan library
  • Positive behavior plan library
• Utilize symbolic algorithms for abnormal activity
  • Walking in wrong direction
  • Long time to pass security check
• Detect activities with danger to the observer
  • Leaving articles unattended

Related work

• Symbolic reactive plan recognition
  • RESC (Tambe et al 1995)
  • RESL (Kaminka et al 2000)
• Probabilistic approaches
  • Bayesian network (Huber et al 1994)
  • Grammar representation (Pynadath et al 2000)
  • Hidden Markov models (Han et al 1999, Bui 2003)
• Hybrid approach
  • Probabilistic plan recognition (Geib, Goldman 2001)

Related work - cont

• Most plan recognition research ignores utilities
• Reasoning about the utility for the observed agent
  • Mao et al., 2004, Suzic 2005
• Reasoning about the utility for the observer
  • RESC (Tambe et al., 1995) - takes a heuristic approach
  • Using influence diagrams is inhibitory for real time
    • Howard et al., 1984
• Our Approach:
  • Choosing hypotheses based on utility to the observer
  • Highly efficient
  • Not heuristic

Background: Hierarchical Plan Library

• Directed acyclic connected graph
• Vertices denote plan steps
• Edges
  • Vertical (decomposition) edges
  • Horizontal (sequential) edges
  • Self cycles – durations
• Each plan step contains conditions
• Plan path - root to leaf path

[Figure: example plan library with plan steps security, position, X-Ray, coffee]

The Symbolic Recognizer (Avrahami-Zilberbrand and Kaminka IJCAI, MOO 2005)

• Input: vector of observed features
• Efficiently matches observations to plan steps
  • Feature Decision Tree (FDT)
• Tagging and propagating
  • Tags with observation time-stamp and propagates
• Output: paths tagged with time-stamp t
• Advantages
  • Handles key capabilities in plan recognition
  • Efficient – linear time in the plan library size

Feature Decision Tree - FDT

• Nodes correspond to observation features
• Branches represent possible values of a feature
• Leaf points to the matching plan steps

[Figure: a plan library (root, attack, score, pass, position, kick) beside its FDT, whose nodes test features such as "Have ball?", "Opp-Goal Visible?", "Uniform-number" and "Position"]

Matching Runtime

• 5, 50, 100 top plans
• depth 3-5
• 30 observations per point

Significant improvement in matching runtime

Symbolic Recognizer - Example

[Figure: plan library (root; entrance, security, board; position, coffee, X-Ray, shop, gate; with bag / without bag) with plan steps tagged by time-stamps 1 and 2]

UPR: Utility Based Plan Recognizer

• Compute expected utility to the observer for each hypothesis
• Build on Hierarchical HMM representation (Fine et al., 1998)
  • Add an end state for each level
  • Add edges from each plan step to the end state
  • Add utility information on the edges (utilities are shown in diamonds)
• Use UPR algorithm to rank symbolic algorithm results

[Figure: entrance decomposed into position, coffee, X-ray and an End state, with transition probabilities on the edges and utilities in diamonds]

Plan Library - example

[Figure: plan library with root, walk with article, start, stop, put, pick and End, annotated with transition probabilities and utilities]

The transition allowing an agent to leave a suitcase has large cost

UPR Naive algorithm

• Formally
  • Let W_k = w_1 … w_n be one of the previous hypotheses
  • Let X_i = x_1 … x_n be one of the current hypotheses
  • The most probable hypothesis is:

$$\hat{X} = \arg\max_{X_i} U(X_i \mid \text{observations}) = \arg\max_{X_i} \sum_{W_k} P(W_k)\, P(X_i \mid W_k)\, U(X_i \mid W_k)$$

• Multiply the probability and utility for each current hypothesis
  • Traverse the library from previous path to current path
  • Multiply appropriate probabilities and utilities
  • Return the most costly hypothesis
• Naive algorithm O(N²T) (N: plan library size, T: number of observations)
• Complexity O(NTD) (D: depth of the plan library ~ log N)

Detecting Anomalous and Suspicious Behavior System

[Figure: system flow chart. The observations sequence and the plan library feed SBR, which outputs a set of hypotheses. "Empty?" Yes: Anomalous Behavior; No: the set of hypotheses goes to UPR. "High Cost?" Yes: Suspicious Behavior; No: set of hypotheses.]
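The ranking step from the UPR Naive algorithm slide and the decision flow from the system slide, as an added Python example (not the authors' code): each current hypothesis is scored by the sum over previous hypotheses of P(W)·P(X|W)·U(X|W), with U treated as cost to the observer. The plan-step names, the numbers, the `cost_threshold` parameter and the "no alert" label are assumptions made for illustration.

```python
# Added illustration, not the authors' implementation.
# Plan-step names, probabilities and costs below are constructed sample values.

def rank_hypotheses(prev, transitions):
    """Score each current hypothesis X with sum over W of P(W) * P(X|W) * U(X|W).

    prev:        {W: P(W)} for hypotheses tagged at time t-1
    transitions: {(W, X): (P(X|W), U(X|W))} for the hypotheses X that the
                 symbolic recognizer matched at time t
    Returns (X, expected_cost, likelihood) tuples, most costly first.
    """
    cost, likelihood = {}, {}
    for (w, x), (p, u) in transitions.items():
        p_w = prev.get(w, 0.0)
        cost[x] = cost.get(x, 0.0) + p_w * p * u
        likelihood[x] = likelihood.get(x, 0.0) + p_w * p
    rows = [(x, cost[x], likelihood[x]) for x in cost]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def classify(prev, transitions, cost_threshold):
    """Empty hypothesis set -> anomalous; top expected cost over threshold -> suspicious."""
    ranked = rank_hypotheses(prev, transitions)
    if not ranked:
        return "anomalous", None
    top_name, top_cost, _ = ranked[0]
    label = "suspicious" if top_cost >= cost_threshold else "no alert"
    return label, top_name


# Constructed scenario: a person who stopped with a bag starts walking again.
PREV = {"stop": 0.7, "walk_with_article": 0.3}
TRANSITIONS = {
    ("stop", "walk_with_article"): (0.8, 0.0),
    ("walk_with_article", "walk_with_article"): (0.9, 0.0),
    ("stop", "walk_without_article"): (0.1, 10.0),  # bag left behind: large cost
}

if __name__ == "__main__":
    for name, cost, like in rank_hypotheses(PREV, TRANSITIONS):
        print(f"{name:22s} expected cost={cost:.2f} likelihood={like:.2f}")
    print(classify(PREV, TRANSITIONS, cost_threshold=0.5))
    print(classify(PREV, {}, cost_threshold=0.5))
```

In the constructed scenario the hypothesis with likelihood 0.07 outranks the one with likelihood 0.83, which is the case a likelihood-only recognizer would drop.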

Detecting Anomalous Behavior

• Utilizing SBR
  • Non matching activities marked as abnormal
• Learning the plan library
  • Simple learning algorithm
• Experiments
  • Video clips from CAVIAR project
  • AVNET data

Simple Learning Algorithm

• Divides the work area into grid
• Input
  • Train set of valid trajectories
  • Grid size
  • Position overlap
• Output
  • Set of trajectories, each a sequence of grid cells
• Grid size determines model relaxation
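One possible reading of the simple learning algorithm, as an added Python example (not the authors' code): valid trajectories are mapped to grid-cell sequences, and an observed track is flagged as soon as its cell sequence stops matching a learned one. Storing every prefix for online matching is an assumption, the position-overlap input is not modelled, and all coordinates are constructed.

```python
# Added illustration, not the authors' implementation; coordinates are constructed.
# Assumptions: the library keeps every prefix of each valid cell sequence so that
# matching can run online, and the "position overlap" input is not modelled.

def to_cells(trajectory, grid_size):
    """Convert (x, y) points to grid cells, collapsing consecutive repeats."""
    cells = []
    for x, y in trajectory:
        cell = (int(x // grid_size), int(y // grid_size))
        if not cells or cells[-1] != cell:
            cells.append(cell)
    return tuple(cells)


def learn_library(valid_trajectories, grid_size):
    """Return the set of all cell-sequence prefixes seen in the training set."""
    library = set()
    for trajectory in valid_trajectories:
        cells = to_cells(trajectory, grid_size)
        library.update(cells[:end] for end in range(1, len(cells) + 1))
    return library


def first_anomaly(trajectory, library, grid_size):
    """Index of the first observation that matches no learned path, or None."""
    for i in range(len(trajectory)):
        if to_cells(trajectory[: i + 1], grid_size) not in library:
            return i
    return None


# Constructed data: two valid left-to-right walks, then three test tracks.
TRAIN = [[(5, 20), (20, 20), (35, 20), (50, 20), (65, 20)],
         [(5, 22), (20, 24), (35, 21), (50, 23), (65, 22)]]
U_TURN = [(5, 20), (20, 20), (35, 20), (20, 20), (5, 20)]
SHIFTED = [(5, 32), (20, 32), (35, 32), (50, 32), (65, 32)]
NOISY_OK = [(6, 19), (21, 23), (36, 22), (49, 21), (64, 20)]

if __name__ == "__main__":
    for grid_size in (15, 40):
        library = learn_library(TRAIN, grid_size)
        for name, track in (("u-turn", U_TURN), ("shifted", SHIFTED), ("noisy", NOISY_OK)):
            print(grid_size, name, first_anomaly(track, library, grid_size))
```

With the constructed data, a grid size of 15 flags the U-turn at its fourth observation, while a grid size of 40 accepts it: the coarser grid relaxes the model and loses the detection.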

CAVIAR Data

• Contains a number of video clips with different scenarios
• Used this data to simulate a real tracker
  • Add noise with normal distribution

CAVIAR Data

• Precision - Number of elements correctly labeled as anomalous, divided by total number of elements labeled as anomalous.
• Recall - Number of elements correctly labeled as anomalous, divided by total number of elements that are actually anomalous.

CAVIAR Data – U Turn

• Plan library relaxation set to 15

AVNET Data

[Figure: trajectory with labels Start, Turn point, Standing for long time]

False positives rate 2.37% (non-suspects that were classified as suspects)

Detecting Suspicious Behavior

• Three different recognition tasks
  • Leaving unattended articles
  • Catching a dangerous driver
  • Air Combat environment

Leaving Unattended Articles

[Figure: frames labeled Walk, Stop, Put/Pick, Walk]

Catching A Dangerous Driver

Confusion error rates for different thresholds for dangerous and safe driver

[email protected] 25

Air Combat environment

• RESC (Tambe & Rosenbloom 1995)
  • Used an example of agents in a simulated air-combat environment
  • Heuristically prefers a single worst-case hypothesis
    • Regardless of the hypothesis likelihood
• UPR (our approach)
  • Incorporates the biases of an observing pilot much more cleanly
  • Takes likelihood of hypotheses into account when computing expected cost
  • Can ignore improbable (but still possible) worst-case hypotheses
  • Allows also modeling optimistic observers

Summary and Future work

• Hybrid Plan Recognition
  • Symbolic recognizer efficiently filters hypotheses
  • Incorporating observer biases and preferences
  • Complexity O(TN²) → O(TND)
  • Utility based engine ranks only small number of hypotheses
• Detecting anomalous and suspicious behavior
• Future work
  • Dealing with more challenges, e.g., Multi Agents
  • Testing on more applications, e.g., cyber-security

UPR: Probabilities

• State transition probability matrix
  • The probability of horizontal transition from i to j plan step
  • Self cycle edges also represented by this matrix
• Interrupt probability represented by edge to end state
• Vertical transition probability matrix
  • The probability of executing one of the first children

[Figure: entrance decomposed into position, coffee, X-ray and End, with transition probabilities on the edges]

$a^{\text{position}}_{i,j}$: (xRay: 0.8, end: 0.2)

entrance, $i,j$: (coffee: 0.5, position: 0.5)

UPR: Utilities

• As in the probabilistic reasoning we have 3 kinds of utilities:
  • State transition utility matrix
    • The utility of horizontal transition from i to j plan step
  • Interrupt utility represented by edge to end state
  • Vertical transition utility matrix
    • The utility of executing one of the first children

[Figure: entrance decomposed into position, coffee, X-ray and End, with transition probabilities on the edges and utilities 3 and 10 in diamonds]

$E^{\text{position}}_{i,j}$: (xRay: 0, end: 10)

entrance, $i,j$: (coffee: 3, position: 0)

UPR Naïve Algorithm Complexity

• Naive algorithm
  • Traverse the plan library from previous leaf to current leaf
  • Multiply probabilities on edges
  • Select the most costly hypothesis
• Complexity O(N²T)
  • N is the plan library size
  • T is the number of observations
• Can we do better?

Efficient Algorithm for UPR

• Propagate probabilities and utilities up and down in plan library
  • Choose random leaf tagged with t-1
  • Propagate up: expected utility of plans tagged with t-1
  • Propagate down: expected utility to leaves tagged with t
• For example:
  • Naive: CB*BA*AE*EG + DB*BA*AE*EG
  • Efficient UPR: (CB+DB)*BA*AE*EG
• Complexity O(NTD), D ~ log N

[Figure: tree with root A and children B and E; B has children C and D, both tagged t-1; E has children F and G, with G tagged t]