Processing events in probabilistic risk assessment
TRANSCRIPT
9th International Conference on Semantic Technologies for Intelligence, Defense, and Security (STIDS). November 20, 2014
Annotated presentation—see Notes Page view.
Three event-informed person risk models
1. MC (“Carbon”): information disclosure risk
   Belief that a (candidate) member person P will disclose an organization’s private information
   Life (“macro”) events: education, employment; crime, civil judgment; bankruptcy, credit; …
2. MS (“Silicon”): IT system insider exploitation risk
   Belief that a user will access, disclose, or destroy an organization’s computer network-resident information
   Computer network (“micro”) events: log in after hours; access “decoy” file; copy file to external location, thumb drive, …
3. MG = MC • MS
NOTE: Carbon and Silicon are names of Haystax Analytic Products
Theme
Issue: Apply event evidence to person attribute concept random variables (RVs) in a risk assessment Bayesian network (BN), modeling events’ changing relevance over time.
Given:
   Person P
   Events E, in P’s past or present
   Generic person BN B: risk-related person attribute concept RVs (Boolean); concept-relating probabilistic influences
   A reference time t (in an ordered set T of such points)
Develop:
   Person-specific BN BP reflecting E
   Beliefs in P’s attribute concept RVs at t, per BP (P’s historical risk profile over T)
[Figure: elided B with ingested event categories (MC). Concept RVs shown: Reliable, Trustworthy, …, CommittedToSchool, CommittedToCareer, CommitsMisdemeanor; ingested event categories: school events, employment events, law enforcement events, …]
Approaches to realizing BP
1. Event “ingestion”:
   For each event e in E, …
      Include a new event RV δ indicating person attribute concept π in BP
      Specify per-event half life decay as new temporal relevance RV ρ
      Enter hard evidence finding on δ
   Appropriate when events of a given type τ are individually salient
   Feasible when |E| << |nodes(B)|
[BN fragment pattern, ingestion: event RV δ indicates concept RV π, with temporal relevance RV ρ]
Life events timeline (MC)
Three event-informed person risk models
1. MC (“Carbon”): information disclosure risk
   BN: 100s of RVs; B extracted from official policy / guidelines (under in situ test)
   Events: life (“macro”) events; 10s of types; 10s of events / person; 10s of years of data
   Approach: ingestion only (“hard” salience); 10s of rules
2. MS (“Silicon”): IT system insider exploitation risk
   BN: 10s of RVs; B eyeballed (preliminary proof of concept)
   Events: computer network (“micro”) events; 10s of types; 100Ks of events / person; 1.5 years of data
   Approach: summarization, primarily (“soft” salience); 1s of ingestion rules
3. MG = MC • MS
Approaches to realizing BP
2. Event “summarization”:
   For each event type τ represented in E, …
      Include an event “summary” RV Δ indicating π in B
      Develop a likelihood summarizing the impact of events of type τ collected into temporal buckets
      Enter likelihood finding on Δ
   Appropriate when the salience of events of type τ tends to depend on trends w.r.t. an individual or a population thereof
   Useful when ¬(|E| << |nodes(B)|)
[BN fragment pattern, summarization: events δ1, δ2, …, δn feed summary RV Δ, which indicates concept RV π, with temporal relevance RV ρ]
Summarization elements (per RV)
Summarize events over a practically unlimited duration, by using temporal buckets of geometrically increasing size.
Infer salience from event volume variation w.r.t. a person’s own and the population’s history.
Weight buckets per desired temporal relevance decay.
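As an added example, not code from the talk or from Haystax: the summarization elements above, carried through in Python for one event type, from geometric buckets through variation metrics to the likelihood finding on Δ; the bucket weights apply the same half-life decay that the ingestion approach specifies per event. Bucket widths 1, 4, 16, 64 days follow the charts; the variation formula, the 30-day half life, the baselines, the warrant-to-likelihood mapping and the sample event ages are assumptions constructed for this example.

```python
# Added example (not from the talk): event summarization into geometrically
# growing temporal buckets, variation metrics, and half-life weighted warrant.
# Metric formulas are assumptions chosen to produce values in [0, 1] as on the charts.

BUCKET_SIZES = (1, 4, 16, 64)   # bucket widths in days, as on the slides
HALF_LIFE_DAYS = 30             # assumed temporal relevance half life for this event type

# Constructed sample: ages (days before reference time t) of one person's
# CopyDecoyToExternal events; three today, one two days ago, two further back.
SAMPLE_EVENT_AGES = [0, 0, 0, 2, 30, 60]
SELF_BASELINE = 0.05   # assumed: this person's long-run events per day
ALL_BASELINE = 0.02    # assumed: population's long-run events per day

def bucket_counts(event_ages, sizes=BUCKET_SIZES):
    """Bucket k covers ages [start, start + sizes[k]); buckets tile [0, sum(sizes))."""
    counts, start = [], 0
    for size in sizes:
        counts.append(sum(1 for a in event_ages if start <= a < start + size))
        start += size
    return counts

def variation(rate, baseline):
    """Assumed metric in [0, 1]: 0.5 means bucket rate equals baseline, above 0.5 elevated."""
    return 0.0 if rate == 0 and baseline == 0 else rate / (rate + baseline)

def bucket_weights(sizes=BUCKET_SIZES, half_life=HALF_LIFE_DAYS):
    """Relevance weight per bucket: half-life decay evaluated at the bucket's midpoint age."""
    weights, start = [], 0
    for size in sizes:
        weights.append(0.5 ** ((start + size / 2) / half_life))
        start += size
    return weights

def summarize(event_ages, self_baseline, all_baseline,
              sizes=BUCKET_SIZES, half_life=HALF_LIFE_DAYS):
    """Per-bucket counts, mean of variation re self and re all, and the decay-weighted
    suspicion warrant entered as the likelihood finding on the summary RV delta."""
    counts = bucket_counts(event_ages, sizes)
    weights = bucket_weights(sizes, half_life)
    means = []
    for count, size in zip(counts, sizes):
        rate = count / size
        means.append((variation(rate, self_baseline) + variation(rate, all_baseline)) / 2)
    warrant = sum(m * w for m, w in zip(means, weights)) / sum(weights)
    # Assumed mapping: likelihood = (P(evidence | delta=true), P(evidence | delta=false))
    return {"counts": counts, "means": means, "warrant": warrant,
            "likelihood": (warrant, 1.0 - warrant)}

def demo():
    return summarize(SAMPLE_EVENT_AGES, SELF_BASELINE, ALL_BASELINE)

if __name__ == "__main__":
    print(demo())
```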
[Chart: Summarization metric: Count (CopyDecoyToExternal), MS. Y axis: count (0 to 600); X axis: bucket (day), buckets 1, 4, 16, 64]
[Chart: Summarization metric: Variation re self (CopyDecoyToExternal), MS. Y axis: variation: self (0 to 1); X axis: bucket (day), buckets 1, 4, 16, 64]
[Chart: Summarization metric: Variation re all (CopyDecoyToExternal), MS. Y axis: variation: all (0 to 1); X axis: bucket (day), buckets 1, 4, 16, 64]
[Chart: Summarization metric: Variations mean (CopyDecoyToExternal), MS. Y axis: variations mean (0 to 1); X axis: bucket (day), buckets 1, 4, 16, 64]
[Chart: Summarization metric: Suspicion warrant (CopyDecoyToExternal), MS. Y axis: suspicion warrant (0 to 1); X axis: day, 1 to 63]
Computer network events timeline (MS)
Influence graph specification (MS)
(defparameter *Influences*
  '((ExploitsITSystemAsInsider
     (:ImpliedByDisjunction
      (CommitsITExploitation
       (:ImpliedBy (DestroysInformationUnauthorized)
                   (AccessesInformationUnauthorized)   ; Ingested: HandlesKeylogger_Event
                   (DisclosesInformationUnauthorized)  ; Ingested: CopyFileToWikileaks_Event
                   (StealsInformation)))               ; Ingested: CopyFileToCompetitor_Event
      (WarrantsITExploitationSuspicion
       (:ImpliedBy (WarrantsInformationDestructionSuspicion
                    (:IndicatedBy (:Strongly (DeleteFileOnOthersPC_Summary))
                                  (:Moderately (DeleteFileOnLabsPC_Summary))))
                   (WarrantsUnauthorizedInformationAccessSuspicion
                    (:IndicatedBy (:Moderately (AfterHoursLogin_Summary))
                                  (:Weakly (OpenFileOnOthersPC_Summary))))
                   (WarrantsUnauthorizedInformationDisclosureSuspicion
                    (:IndicatedBy (:Strongly (CopyOthersFileToThumb_Summary)
                                             (CopyDecoyToExternal_Summary))
                                  (:Moderately (OpenDecoyFile_Summary)
                                               (AcquireDecoyFile_Summary)
                                               (CopyFileToExternal_Summary))
                                  (:Weakly (CopyFromThumbToOwnPC_Summary)
                                           (CopyOwnFileToThumb_Summary)
                                           (CopyOthersFileToExternal_Summary)))))
       (:RelevantIf (:Locally (:Absolutely (Untrustworthy))))
       (:MitigatedBy (:Locally (:Strongly (HasRole-ITAdmin)))))))))
Computer network events timeline (MS)
Combined timeline (MG = MC • MS)
Ingestion issue: Interacting temporal relevance nodes
Temporal relevance nodes participate in belief propagation in BP—making their beliefs (so, effective temporal relevance) subject to departure from nominal specification.
Multiple temporally and/or semantically close events’ relevance nodes reinforce each other—inducing temporal relevance beyond nominal specification. The relevance of 5 simultaneous events decays only 6% after the half-life interval, where we might naively expect 50%.
Summarization largely insulates a temporal relevance node from surrounding belief propagation.
Supporting software “stack”
Allegro Common Lisp® (ACL)
AllegroGraph® Lisp direct client
Allegro Prolog macros (e.g., select)
Lisp macros (e.g., iterate-cursor)
ACL API to the Netica® API
Netica® API
Ingestion rule (MC)
(defIngestionRule RestrainingOrder
  (+process-reportedEvent ?person ?*asOfDate)
  (reportedEvent ?person
                 ?*asOfDate
                 ?event
                 !agent:ProtectiveRestrainingOrder
                 ?*startDate
                 ?*endDate
                 ?*ongoing?
                 ?*reportDate)
  (lisp (create-EventConceptIndication
         ?person
         :IndicatedConcept CommitsDomesticViolence
         :+IndicatingEvent ?event
         :Terminus :end
         :DeltaDays (- ?*asOfDate ?*endDate)
         :HalfLife (* 6 365)
         :Strength :strong
         :Polarity :positive)))
Ontology and data specifications (MC)
(defOntologyInstance !data:P (Person))
(defOntologyInstance !data:PHighSchoolAttendance
  (SchoolAttendance)
  (riskRatingSubject !data:P)
  (schoolCredentialAward !data:PDiplomaAward)
  (startDate "2000-09-04")
  (endDate "2004-06-15"))
(defOntologyInstance !data:PDiplomaAward
  (SchoolCredentialAward)
  (riskRatingSubject !data:P)
  (startDate "2004-06-15")
  (schoolCredentialAwarded HighSchoolDiploma))
(defOntologyInstance !data:PEmployment
  (Employment)
  (riskRatingSubject !data:P)
  (startDate "2004-07-05")
  (endDate "2009-09-05"))
(defOntologyInstance !data:PMisdemeanorAssault
  (PoliceOffense)
  (riskRatingSubject !data:P)
  (offenseChargeSchedule Misdemeanor)
  (startDate "2007-06-30"))
(defOntologyClass Person (Thing)
  (hasGender Gender :Functional))
(defOntologyClass Gender (Thing)
  (:enumeration Male Female OtherGender))
(defOntologyType Date !xsd:date)
(defOntologyClass Event (Thing)
  (riskRatingSubject Person :Functional)
  (startDate Date (:cardinality 1))
  (endDate Date :Functional)
  (sourceReport Report :Functional))
(defOntologyClass PointEvent (Event)
  (hasConsequentEvent Event))
(defOntologyClass DurativeEvent (Event)
  (hasSubEvent Event))
(defOntologyClass ProtectiveRestrainingOrder
  (PointEvent))
Questions?
Thank you.
Extras…
Approaches to realizing BP
1. Event “ingestion”:
   For each event e in E, …
      Include a new event RV δ indicating person attribute concept π in BP
      Specify per-event half life decay as new temporal relevance RV ρ
      Enter hard evidence finding on δ
   Appropriate when events of a given type τ are individually salient
   Feasible when |E| << |nodes(B)|
2. Event “summarization”:
   For each event type τ represented in E, …
      Include an event “summary” RV Δ indicating π in B
      Develop a likelihood summarizing the impact of events of type τ collected into geometrically larger buckets
      Enter likelihood finding on Δ
   Appropriate when the salience of events of type τ tends to depend on trends w.r.t. an individual or a population thereof
   Needed when ¬(|E| << |nodes(B)|)
[BN fragment patterns: ingestion (event RV δ indicates concept RV π, with temporal relevance RV ρ); multi-ingestion (bridge to summarization); summarization (events δ1, δ2, …, δn feed summary RV Δ, which indicates concept RV π, with temporal relevance RV ρ)]
Life events timeline (MC)
Summarization metric: Count (CopyDecoyToExternal), MS: event type instance count
Summarization metric: Variation re self (CopyDecoyToExternal), MS: event type historical variation re self
Summarization metric: Variation re all (CopyDecoyToExternal), MS: event type historical variation re all
Summarization metric: Suspicion warrant (CopyDecoyToExternal), MS: event type summary RV likelihood (suspicion warrant)