Acquiring & Exploiting Knowledge for Predicting Acts of Terrorism. Rocky Termanini. PhD, CISSP Software Process Improvement Network (SPIN) Northrop Grumman, E2 Conference, Redondo Beach, CA April 6; 9:00 – 12:00 AM. The US Government is learning it the hard way : - PowerPoint PPT Presentation
Copyright 2010, Rocky M. Termanini 1
Acquiring & Exploiting Knowledge for Predicting Acts of Terrorism
Rocky Termanini. PhD, CISSP Software Process Improvement Network (SPIN)
Northrop Grumman, E2 Conference, Redondo Beach, CA, April 6; 9:00 – 12:00 AM
The US Government is learning it the hard way:
Predictive Models do not work unless you have been deeply involved in the fabric of the culture and religion of the country…
The US Government did not pay much attention to the history of Egypt
Step one: dump everything we know about a country like Iraq, and “create systems that mirror the actual communities.”
Step two in the CEWPS plan: to realistically represent “the social, cultural, and behavioral theories” about “why people act the way they do”.
Step three: let commanders run mock battle plans against these modeled Iraqis, to see how they might react.
We’re building an artificially intelligent reasoning machine that extracts knowledge from historical bombing episodes, offers solid predictions and combats upcoming attacks...
Objective
[Figure: timeline of Event E(t) with three stages: Prior Attack, Attack, Post Attack]
Objective
Specifically speaking,
1. creating a knowledge database of past attacks;
2. identifying trends in the attacks;
3. determining the correlation between attacks;
4. using analysis to calculate the probabilities of future attacks and their location.
CEWPS™ offers four robust advantages:
• Early Warning Prediction of incoming attack.
• Early Warning Detection
• Evidential Reasoning to improve degree of certainty
• Memorizing attacks for future similar attacks
CEWPS Holistic vision
Early Warning Rationale
Early warning is not about predicting the future… It is about preventing specific events (terror attacks) from happening at the right time
Terrorism
What is it?
Why do we worry about it?
What can we do to circumvent it?
Let’s define some terms
Jihadism (الجهاد): Originally had a significant meaning, representing the expansion of Islam… Now it has a twisted meaning, representing Islamic terrorism.
Mujahedeen (المجاهدين): Radical warriors who practice Islamic terrorism under the name of Jihad. They are dedicated to destroying anything that is not Islamic. They believe their actions will win them Paradise.
U.S. RECOGNIZED TERRORIST ORGANIZATIONS WORLDWIDE
Abu Nidal organization (ANO); Abu Sayyaf Group (ASG); Al-Aqsa Martyrs Brigade; Ansar al-Islam (AI); Armed Islamic Group (GIA); ‘Asbat al-Ansar; Aum Supreme Truth (Aum), Aum Shinrikyo; Basque Fatherland and Liberty (ETA); Communist Party of Philippines/New People’s Army (CPP/NPA); Al-Gama’a al-Islamiyya (Islamic Group, IG); HAMAS (Islamic Resistance Movement); Harakat ul Mujahidin (HUM); Hizballah (Party of God); Islamic Movement of Uzbekistan (IMU); Jaish-e-Mohammed (JEM); Jemaah Islamiya (JI); Al-Jihad (Egyptian Islamic Jihad, EIJ); Kahane Chai (Kach); Kongra-Gel (KGK, formerly Kurdistan Workers’ Party, PKK, KADEK); Lashkar-e-Tayyiba (LT);
Lashkar I Jhangvi (LJ); Liberation Tigers of Tamil Eelam (LTTE); Mujahedin-e Khalq Organization (MEK); National Liberation Army (ELN)—Colombia; Palestine Islamic Jihad (PIJ); Palestine Liberation Front (PLF); Popular Front for the Liberation of Palestine (PFLP); Popular Front for the Liberation of Palestine–General Command (PFLP-GC); Al-Qaida; Real IRA (RIRA); Revolutionary Armed Forces of Colombia (FARC); Revolutionary Nuclei (RN); Revolutionary Organization 17 November (17 November); Revolutionary People’s Liberation Party/Front (DHKP/C); Salafist Group for Call and Combat (GSPC); Sendero Luminoso (Shining Path or SL); United Self-Defense Forces/Group of Colombia (AUC)
http://www.youtube.com/watch?v=bel7Trt49hE
http://www.youtube.com/watch?v=KOTH_xv6O4o&feature=related
Abdul Rahman Ghazi
Nationality: Iraqi, Kurd
Sect: Sunni; married, two kids; engineer; joined Al-Qaida 2005; explosive knowledge: High
Training in Pakistan.
Jihadist
Frequent visitor to UAE… brother works as accountant
Plan: Killing Shi’a policemen
Suicide in 2009, Baghdad…
Mustapha Hamwai Jalali
Nationality: Yemeni
Sect: Sunni; single; accountant; joined Al-Qaida 2006; explosive knowledge: High
Training in Yemen, accountant in Iraq
Jihadist
Brother works in Dubai… HSBC bank
Plan: Killing US troops
Suicide in 2009, Basra, Iraq
Faysal Hasan
Nationality: Iraqi, from Baghdad
Sect: Shi’a; single; architect; joined Muqtada al-Sadr 2006; explosive knowledge: High
Training in Lebanon’s Hezbollah.
Jihadist
Plan: Killing US tourists
Suicide in 2009, Mosul, Iraq
Mohammed Abdul Salam
Nationality: Egyptian, Cairo
Sect: Sunni; single; journalist; married to a Palestinian girl, Najwa; joined Muslim Brotherhood 2004; army officer; explosive knowledge: High
Training in Mauritania.
Jihadist, radical
Plan: Killing US troops in a Humvee
The Jihad War
• Believe 9/11 is an inside job
• Very savvy politically
• Highly educated
• Islamic war against enemies of God
• Not afraid to die
• Driven by radical Islamism
• Residual anger and vengeance
• Desire to go to Heaven
• They only can do it “once”
• They prefer to attack Americans outside the US
We can improve our Homeland
security against suicide bombing,
by learning from previous attacks,
in the world...
Experience & Knowledge Relationship
[Diagram labels: Event; Experience; Knowledge; Store & Predict; Outcome. Annotations: “Created by external sensation or internal reflection”; “Neurological image of the experience in the brain”]
If we inject the human knowledge and experience into the machine, we will be able to build an intelligent system that employs expert judgment and extensible reasoning capability
There are many registries and data repositories on terrorism... but they are disparate, non-normalized and non-correlative
Most episodes are partially documented, incomplete and follow no standards
Attack Episodes have lots in common
[Figure: eight episodes, each containing an attack]
They all have common features
[Figure: an episode running from Tstart to Tend]
Each episode is a stochastic process
Episode
A suicide episode has 6 basic attributes
• A Plan
• Actors
• Target
• Time
• Location
• Damage
Each episode has three phases
[Figure: episode timeline from Tstart to Tend with phases Φ1, Φ2 and Φ3; labels: Planning, Recovery, Forecast Zone, attack, Emergency Response]
• Casualties
• Destruction
• Disruption
• Social Trauma
The Process of Credible Prediction
[Figure: timeline of suicide bombings SB-1, SB-2, SB-3 … SB-T over the Prediction Period, annotated with P(t)0 to P(t)3, M(t)0 to M(t)3 and A(t)0. Callouts: Bombing where prediction failed; Predictor had reliable data to predict positive; Predictor issued an alert; Attack caught before detonation]
When prediction is shorter, prevention gets better
The Major Building Blocks
Outcome Reasoner
Early Warning Broadcaster
Attack Analyzer
Attack Collector (KM)
[Flow diagram labels: Build Collecting Grids; Collect Bombing Episodes; Dispatch & Alert; Normalize & Characterize; Create Semantic Knowledge; By indicators; Analyze & Validate; Build Bombing Patterns; Match Rules; Build Reasoning Model; Ontology Components & Semantic Rules; Bayesian Refinement Recursion; Save Episode Analysis]
Graph-G The Global Cyber Malware Data Collection Grid Global Terror Episode Collection Grid
The Cognitive Early Warning Prediction System (CEWPS™)
[Figure labels: The Intelligence Data Grid; The Activity Monitoring Grid; The Demographic Grid; Global Terror; each marked “Steady Updates”]
Unstructured Attack Episodes Are Collected, Filtered And Transformed Into Patterns
[Figure labels: Monitoring Sources; Local Law Enforcement; US/Global Intelligence Grids; Disparate Unstructured Attacks; Attack Collectors; Ontological and Semantic Transformation; Knowledge Base; Semantic Attack Patterns]
Terrorism is the domain
Ontology is used to represent a suicide attack as a knowledge model
[Diagram nodes: Jihad; Faith; Heaven; Sacrifice; Suicide]
Semantics is used to derive significant knowledge from words
Jihad
Sacrifice
Suicide
• Fighting for Islam
• Dedication to Islam
• Showing Courage
• Heaven is the award
• Go to Heaven
• Destroy Enemy of God
• Be an example to others
• Koran teaches us to kill enemies of Allah
• I am not afraid of dying
• I am enlisted in Mohammed’s Army
• Sacrifice is the best way to die for Islam
• Paradise is the desired place
The Architecture of The Cognitive Early Warning Predictor System (CEWPS)
[Diagram labels: Bombing Predictor; Scenario Builder; Bomber Profile; Bombing History; Explosives Knowledge; Potential Locations; Potential Occasions; Suspect Vehicles; Knowledge Collector; Match; Alerts; Pre-emptive Alerts; Dispatch Predicted Scenario; Attack Clues incoming; Human Experience; Semantic Bombing Episodes Knowledge Base; Improvements; Dispatch Early Warning; Bayesian and Heuristic Processing]
CEWPS™ extracts credible forecasts and predictions about bombing attacks
[Diagram labels: Attack Knowledge Database; The Reasoner; Data include Semantic Rules; Attack Models with Higher Degree of Certainty; Incoming Attack Clues; Broadcast Alert to Agencies; Select Optimal Predictive Attack; Apprehend Terrorists; Urgent Response Mode; Ontological and Semantic Transformation; Attack Knowledge Models]
Each Attack Episode is Transformed into a Distinct Pattern
[Figure labels: US/Global Intelligence Sources; Monitoring Sources; Demographic Sources]
All the attributes are semantically connected
[Diagram labels: Reasoning Engine; CEWPS Semantic Knowledge Base; Attack Pattern; Dynamic Prediction Queries; Selected Pattern; Library of Attack Patterns]
As a finding is entered, the propagation algorithm updates the beliefs attached to each relevant node in the network
A query produces the information to propagate through the network and the belief functions of several nodes are updated
What is it?
It is a network-based model involving uncertainty
What is it used for?
Intelligent decision aids, data fusion, feature recognition, intelligent diagnostic aids, automated free text understanding, data mining
Where did it come from?
Cross-fertilization between artificial intelligence, operations research, and statistics…
Example from Medical Diagnostics
Network represents a knowledge structure that models the relationship between medical difficulties, their causes and effects, patient information and diagnostic tests
[Network nodes by group. Patient Information: Visit to Asia, Smoking. Medical Difficulties: Tuberculosis, Lung Cancer, Bronchitis, Tuberculosis or Cancer. Diagnostic Tests: XRay Result, Dyspnea]
Example from Medical Diagnostics
Relationship knowledge is modeled by deterministic functions, logic and conditional probability distributions
[Network nodes by group. Patient Information: Visit to Asia, Smoking. Medical Difficulties: Tuberculosis, Lung Cancer, Bronchitis, Tuberculosis or Cancer. Diagnostic Tests: XRay Result, Dyspnea]
Tuberculosis or Cancer:
Tuberculosis   Lung Cancer   Tub or Can
Present        Present       True
Present        Absent        True
Absent         Present       True
Absent         Absent        False
Dyspnea:
Tub or Can   Bronchitis   Present   Absent
True         Present      0.90      0.10
True         Absent       0.70      0.30
False        Present      0.80      0.20
False        Absent       0.10      0.90
Example from Medical Diagnostics
Propagation algorithm processes relationship information to provide an unconditional or marginal probability distribution for each node, which is called the belief function of that node
Tuberculosis: Present 1.04, Absent 99.0
XRay Result: Abnormal 11.0, Normal 89.0
Tuberculosis or Cancer: True 6.48, False 93.5
Lung Cancer: Present 5.50, Absent 94.5
Dyspnea: Present 43.6, Absent 56.4
Bronchitis: Present 45.0, Absent 55.0
Visit To Asia: Visit 1.00, No Visit 99.0
Smoking: Smoker 50.0, NonSmoker 50.0
Example from Medical Diagnostics
Interviewing the patient produces more information: the “Visit”. As this data is entered, the propagation algorithm updates the beliefs attached to each relevant node in the network
Tuberculosis: Present 5.00, Absent 95.0
XRay Result: Abnormal 14.5, Normal 85.5
Tuberculosis or Cancer: True 10.2, False 89.8
Lung Cancer: Present 5.50, Absent 94.5
Dyspnea: Present 45.0, Absent 55.0
Bronchitis: Present 45.0, Absent 55.0
Visit To Asia: Visit 100, No Visit 0
Smoking: Smoker 50.0, NonSmoker 50.0
Example from Medical Diagnostics
Further interviewing of the patient produces the finding “Smoking” is “Smoker”… This information propagates through the network
Tuberculosis: Present 5.00, Absent 95.0
XRay Result: Abnormal 18.5, Normal 81.5
Tuberculosis or Cancer: True 14.5, False 85.5
Lung Cancer: Present 10.0, Absent 90.0
Dyspnea: Present 56.4, Absent 43.6
Bronchitis: Present 60.0, Absent 40.0
Visit To Asia: Visit 100, No Visit 0
Smoking: Smoker 100, NonSmoker 0
Example from Medical Diagnostics
Finished with interviewing the patient, the physician begins the examination, and he now moves to specific diagnostic tests such as an X-Ray, which results in a “Normal” finding which propagates through the network… Information from this finding propagates backward and forward
Tuberculosis: Present 0.12, Absent 99.9
XRay Result: Abnormal 0, Normal 100
Tuberculosis or Cancer: True 0.36, False 99.6
Lung Cancer: Present 0.25, Absent 99.8
Dyspnea: Present 52.1, Absent 47.9
Bronchitis: Present 60.0, Absent 40.0
Visit To Asia: Visit 100, No Visit 0
Smoking: Smoker 100, NonSmoker 0
Example from Medical Diagnostics
The physician also determines that the patient is having difficulty breathing, so “Present” is entered for “Dyspnea”, which propagates through the network. The doctor might now conclude that the patient has bronchitis and does not have tuberculosis or lung cancer
Tuberculosis: Present 0.19, Absent 99.8
XRay Result: Abnormal 0, Normal 100
Tuberculosis or Cancer: True 0.56, False 99.4
Lung Cancer: Present 0.39, Absent 99.6
Dyspnea: Present 100, Absent 0
Bronchitis: Present 92.2, Absent 7.84
Visit To Asia: Visit 100, No Visit 0
Smoking: Smoker 100, NonSmoker 0
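The belief updates on the medical-diagnostics slides can be reproduced by brute-force enumeration of the network's joint distribution. This is an added example, not code from the presentation or from CEWPS: the Dyspnea table is the one printed on the slide, while the remaining conditional probabilities are the textbook values for this "Asia" chest-clinic network, assumed here because the slides show only the resulting beliefs.

```python
from itertools import product

# Nodes: A visit to Asia, S smoker, T tuberculosis, L lung cancer, B bronchitis,
# E tuberculosis-or-cancer, X abnormal X-ray, D dyspnea (True = first state).
NODES = "ASTLBEXD"

# Probability of the "True" state given the parent's state.
P_A, P_S = 0.01, 0.50                      # priors, as shown on the slides
P_T = {True: 0.05, False: 0.01}            # T | A  (assumed textbook values)
P_L = {True: 0.10, False: 0.01}            # L | S  (assumed textbook values)
P_B = {True: 0.60, False: 0.30}            # B | S  (assumed textbook values)
P_X = {True: 0.98, False: 0.05}            # X | E  (assumed textbook values)
P_D = {(True, True): 0.90, (True, False): 0.70,    # D | E, B: the table
       (False, True): 0.80, (False, False): 0.10}  # printed on the slide

def pr(p_true, state):
    return p_true if state else 1.0 - p_true

def joint(w):
    """Probability of one complete assignment w (dict node -> bool)."""
    if w["E"] != (w["T"] or w["L"]):       # E is a deterministic OR node
        return 0.0
    return (pr(P_A, w["A"]) * pr(P_S, w["S"]) * pr(P_T[w["A"]], w["T"])
            * pr(P_L[w["S"]], w["L"]) * pr(P_B[w["S"]], w["B"])
            * pr(P_X[w["E"]], w["X"]) * pr(P_D[w["E"], w["B"]], w["D"]))

def belief(node, findings=None):
    """Percent belief that `node` is True given the findings entered so far."""
    findings = findings or {}
    hit = total = 0.0
    for states in product((True, False), repeat=len(NODES)):
        w = dict(zip(NODES, states))
        if all(w[k] == v for k, v in findings.items()):
            p = joint(w)
            total += p
            hit += p if w[node] else 0.0
    return 100.0 * hit / total

def interview():
    """Enter the slides' findings one at a time; return beliefs after each."""
    steps = [("visit", "A", True), ("smoker", "S", True),
             ("x-ray normal", "X", False), ("dyspnea present", "D", True)]
    findings, out = {}, [("no findings", {n: belief(n) for n in "TLBE"})]
    for label, node, state in steps:
        findings[node] = state
        out.append((label, {n: belief(n, findings) for n in "TLBE"}))
    return out

if __name__ == "__main__":
    for label, b in interview():
        print(f"{label:16s}", {n: round(v, 2) for n, v in b.items()})
```

Enumeration visits all 256 assignments, which is fine for eight binary nodes; the propagation algorithm the slides refer to reaches the same beliefs without enumerating the full joint.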
Bayesian Nets Modeling
• Behavior prediction of serial killers patient
• Prediction of Plagiarism in Academia
• Speech and speaker recognition....
• Military Surprise Attacks
• Cancer diagnosis
• Google search
• SPAM Filtering
• FBI Face recognition (Biometrics)
• Site profiler for Military against terrorism
• Modeling Oil drilling
Diagram – E: Unstructured Sequence Diagram Of The Attack Before Becoming A Pattern (Part-1)
Bayes Acyclic Attack Network (Part-1)
[Diagram labels: Arrive to airport; Meeting-1 Restaurant; Phone Call-1; Arrive to Friend’s Home; Track Itinerary; FBI Check; Check INS Records; Airport Biometric Picture; Rented car from HERTZ Overseas; Call-2; Call Main Cell Overseas; Check e-mail; Given Instructions; Picked up by friend; Phone Company; State Department; Pattern Check-1; Meeting-2 Restaurant; Check Local Universities; Restaurant Under Surveillance; Target not identified; Track ISP; 3 visas from 3 countries; Check owner records; E-mail Forensics; Two locations identified; Plan to visit location-1; Registered But did not attend; Plan to visit location-2; Rendez-vous time set; Target Somewhat identified; Raise Flag-1; Raise Flag-2; Query Knowledge Base; Raise Flag-3]
Bayes is a scientific approach to quantify our degree of certainty on the basis of incomplete information
Bayes Acyclic Attack Network (Part-2)
[Diagram labels: Terrorist rehearse attack; E-mails sent to headquarters; FBI Notified; Surprise Arrest; Query Knowledge Base; Get go-ahead with attack; Caught On CCTV Camera; Grids sent more data on Jamal; CEWPS predict 65% Attack; E-mail intercepted; Visit-1 to Penn Station; Take Pictures; CEWPS is processing data; Phone calls to headquarters; Visit-1 to WTC; Amtrak Notified; July 3d Attack date; CEWPS predict 87% Attack; FBI at Penn Station; Thursday 2:45 PM; Document and send to KB]
Terror as a Service
Terrorism Service Providers
Cyberterrorism is big time on the cloud
[Diagram labels: Trafficking Services; White Slavery Services; Spying Services; Suicide Services; Hacking Services; Drug Trafficking Services]
The CEWPS™ Cloud Services
Data Collection Services
Early Warning Services
Attack Prediction Services
Subscriber Network
VPN Gateway
Secure VPN Connection
Thank you
For further questions or inquiries
Dr. Rocky Termanini
Email: [email protected]