Page 1: Semantics Based Threat Assessment and Threat Knowledge Representation/Applications for Intelligence, Defense, and Homeland Security (May 10)

This Briefing is: UNCLASSIFIED

Aha! Analytics, 2278 Baldwin Drive
Phone: (937) 477-2983, FAX: (866) 450-3812

Dave Lush, SME, Aha! Analytics


Page 2: Contents

Purpose
Background
Statement of the Need
Implications
Proposed Approach
Semantic Apps/Technologies Primer
Ontology Driven Threat Assessment and Threat Knowledge Representation/Applications
The Key Semantic Technologies Revisited
More Implications
Summary/Conclusions

Page 3: Purpose(s)

To communicate some ideas/concepts regarding Semantics Based Threat Assessment and Threat Knowledge Representation/Applications for Intelligence, Defense, and Homeland Security.

Page 4: Quick Background

Breathtaking Change! (Threat, Requirements, Technology, Complexity)

Collective Externalized Threat Knowledge Not In Good Shape:
  It Is Quite Sub-Optimal for Discovery and Extraction of Specific Relevant Knowledge Regarding the Threat
  It Is Not Sufficiently Operationalized

Lots of Envisioning and Initiatives Going On But No Breakthrough Yet

Page 5: Statement of Core Need Regarding Threat Data, Info, Knowledge

National Security Players (including machines) Must Be Able to Quickly Receive, Discover, Access, and Acquire the Specific Pieces of Threat Data, Information, and Knowledge That They Need and That They Have Security Clearance Level to Receive.

Page 6: Implications in Terms of Major Knowledge Mgt and Sharing Requirements

Intelligence, DoD, and DHS Elements Must Capture and Manage Complete Digital Characterizations of Simple and Complex Threat Objects, Situations, and Associated Objects/Concepts
Must Capture These Characterizations With Requisite Structure, Detail, and Data Type
Must Capture and Manage the Threat Knowledge In Product Neutral Form So It Can Serve As the Single Source and Be Readily Re-purposed (Multi-channel, Single Source)
Must Capture and Manage the Requisite Meta-data at the Attribute and Attribute Value Level In Order To Enable:
  Automated Distribution of Data and Derived Products to Different Security Domains
  Rich Content Tagging of the Data and Derived Dynamic Products

Page 7: Implications in Terms of Major Knowledge Mgt and Sharing Requirements (continued)

Must Develop, Capture, Manage, and Apply Externalized (Digital) Machine Readable Conceptual Models/Instantiations (Ontologies) of the Threat Objects & Concepts In Order to:
  Provide a Common Conceptual Foundation for Information (Database) Models, Engineering Models, and Content Mark-up
  Capture Structured Threat Characterizations in Machine Readable Form Conducive to Application of Semantic Technologies
Must Develop, Capture, and Manage Dynamic Product Components (and Associated Meta-data) That Draw Upon the Pre-positioned Threat Characterizations, Manipulate the Data in a Specified Way, and Render a Component of a Product Presentation
Must Develop, Capture, and Manage Intelligence Product Portlets Which Are Made Up of the Components Cited Above and, When Invoked, Execute the Components to Provide Access to and Delivery of Topical and Specific (Operationalized) Intelligence

Page 8: Proposed Approach

Significant Application of Semantic Technologies
  They Are Ready for Prime Time
  Technologies Include: RDF, SPARQL, OWL, SPIN
Ontology Driven Threat Assessment (ODTA)
  Formulation and Constant Refinement of the Conceptual Model of the Threat Under Study Is at the Center of the Assessment
  Perhaps Based on the Top Level System Model (SysML) Proposed by OMG (http://www.omgsysml.org/)
Ontology Based Threat Representation
  Threat Entity Is Specified With an Ontology Expressed in OWL
  Ontology Authored Via Graphical Ontology Authoring/Editing Tool, e.g. Top Quadrant Composer
Capture/Management of Simple Intelligence Facts
  Captured As RDF Triples (Subject-Predicate-Object)
  Managed Via RDF Triple Store, e.g. Oracle RDF
Semantic Query and Inferencing
  Application of SPARQL and SPARQL Inferencing Notation (SPIN) (http://spinrdf.org/)
  Enables Powerful Query and Inferencing Against the Threat Ontologies and Intelligence Facts

Page 9: Some Definitions/Observations

What’s an Ontology?
  In general, a specification of a conceptualization.
  More specifically, an externalized conceptual model expressed in terms of concepts and relationships between concepts.
  Even more specifically, a conceptual model of a piece of reality of interest expressed in terms of concepts, things, and relationships between concepts and things.

Ontologies and Associated Semantic Artifacts Expressed in the Appropriate Machine Readable Language Enable Computer Applications to Leverage Semantics, e.g.:
  Semantically Enriched Query
  Data Integration at the Semantic Level
  Operationalized Intelligence Via Ontologies of the Threat

Page 10: Semantic Applications

Semantic Applications Leverage/Apply Machine Readable Semantics and Semantic Technologies to Achieve Their Objectives
The Core Constructs for Semantic Technologies/Applications Are the Relationship Graph, Taxonomy, and Ontology
Semantic Applications Use Machine Readable Relationship Graphs, Taxonomies, and Ontologies to Express and Leverage Relevant Semantics
Semantics Are Expressed As Subject-Predicate-Property (Object) Triples Using RDF, or As Classes/Instances and Associated Relationships and Attributes Using OWL, which is an expansion of RDF. RDF and OWL Are Ultimately XML-based Languages
RDF Triples and OWL Ontologies Are Captured and Managed Via RDF Triple Store Capability (e.g. Oracle 11g Spatial)
RDF and OWL Databases Are Queried Via SPARQL Protocol and RDF Query Language (SPARQL)

Page 11: The Core Semantic Technologies

Graphs/Taxonomy/Ontology Constructs
RDF: Language for Expressing Machine Readable Graphs/Taxonomies
OWL: Language for Expressing Machine Readable Ontologies
Authoring/Editing Tools for RDF/OWL
RDF Triple Store (e.g. Oracle 11g Spatial, AllegroGraph)
Semantic Query (SPARQL)
Rules and Inferencing, e.g. SPARQL Inferencing Notation (SPIN)
Semantic Application Frameworks/Platforms, e.g. Java Jena, the Top Braid suite
RDF (Entity/Relationship) Extraction

Page 12: Ontology Based Intel Analysis & Threat Characterization

A Major Challenge of the New Intel Analyst Tradecraft Is to Externalize and Formalize The Analysts’ Conceptual Models to Become Machine Readable Ontologies or Information Models Which Can “Drive” Intel Knowledge Mgt and Virtual Production

Figure 6: Externalizing Conceptual Models (diagram; labels: Analyst; Incoming Observations and Data; Cognitive and Ontology Development Processes; Ontology Development Methodologies and Tool(s); Conceptual Model; Externalized Machine Readable Information Model or Ontology)

Page 13: Conceptual Model of the Threat (the SysML Template)

Purposes
Capabilities
Vulnerabilities
Structure (structural models)
Behavior (behavioral models)
Parametrics (physics/math)
Signatures

Page 14: Figure 1a: C-map of a Conceptual Model of the Threat

SysML consistent generic concept map for a threat system (diagram)
SysML is the OMG system modeling language built upon UML

Page 15: The Threat Model and Its Instantiation

Figure 2: Instantiation of the Conceptual Model (diagram)
Conceptual Model of the Threat (Purposes, Capabilities, Vulnerabilities, Structure, Behavior, Parametrics, Signatures)
+ Source Data & Engineering Models & Other Tools
+ Assumptions & Constraints
= Instantiated Model of the Threat (Key Findings (Purposes, Capabilities, Vulnerabilities), Structure, Behavior, Parametrics, Signatures, Arguments & Rationales)

Page 16: Structured Threat Assessment

Diagram: a Structured Threat Assessment is made up of Key Intelligence Questions, Key Assumptions, Source Citations, Conceptual Model, Instantiated Conceptual Model, and Arguments & Rationales


Page 18: Model Driven Analysis & Knowledge Capture

A Major Challenge of the New Intel Analyst Tradecraft Is to Externalize and Formalize The Analysts’ Conceptual Models to Become Machine Readable Ontologies or Information Models Which Can “Drive” Intel Knowledge Mgt and Virtual Production

Figure 4: Externalizing Conceptual Models (diagram; labels: Analyst; Incoming Observations and Data; Cognitive and Conceptual Model Development Processes; Conceptual Model Dev Methodologies and Tool(s); Analyst Internalized Conceptual Model; Collaboration and Peer Review; Analysis and Conceptual Model Instantiation Methods/Tool(s); Threat Knowledge Base: Conceptual Model (Ontology) & Instantiation covering Structure, Behavior, Parametrics, Capabilities, Signatures)

A core element of a threat assessment is the conceptual model of the threat.
The model is “instantiated” with data and metadata derived from the source INT data and results of analysis of that data.
The instantiated model is used to ascertain key facts and assertions regarding the nature of the threat.

Structured Threat Assessment: Key Intelligence Questions, Key Assumptions, Sources, Conceptual Model, Instantiated Conceptual Model, Arguments/Rationales

Page 19: Ever Increasing Structure

Key Observations:
The knowledge extraction processes extract structured knowledge from unstructured input streams.
The knowledge capture processes capture structured knowledge that results from analysis/assessment.
The more our knowledge of the threat is captured and managed in highly structured and labeled form, the more flexibility and nimbleness we have when it comes to getting the knowledge to the right customer at the right time and in the right form.
So, it would behoove us to cause our knowledge of the threat to become more and more structured as we move from exploitation and knowledge extraction, through analysis/assessment, to knowledge capture and management.
Unstructured textual information must be accommodated in the resultant threat knowledge, but it should be present within the context of an appropriately conceived and structured information model.

Diagram (less structure to more structure): Data Exploitation & Knowledge Extraction -> Exploited Data & Extracted Knowledge -> Analysis & Assessment -> Analysis Results -> Conceptual Modeling & Knowledge Capture -> Structured Labeled Threat Knowledge -> Digital Production & Dissemination -> Dynamic Products & Portlets

Page 20: Threat Ontology, Intel Facts, and the SPIN Stack

This Is About Application of Semantic Technologies to Threat Assessment, Capture, and Application (Query and Inferencing): RDF, RDF Triple Extraction/Management, Web Ontology Language (OWL), SPARQL Protocol and RDF Query Language (SPARQL), and SPARQL Inferencing Notation (SPIN)

The Basic Process
  Capture Threat Assessments Via Ontologies Expressed in OWL
  Facilitate Ontology Population Via RDF Extraction from Traditional Intel Documents and Export From RDBMS Databases
  Capture/Store/Manage Simple Intelligence Facts Via RDF and RDF Triple Store
  Deploy and Apply the SPARQL Inferencing Notation (SPIN) Technology Stack
  Execute SPARQL Queries and Inferences Against the Threat Ontology and the Related Intelligence Facts Using the SPIN Stack

The Basic Benefits
  Threat Is Precisely Defined in Machine Readable Form Via Open Standards
  Threat Knowledge Easily Queried and Navigated to Acquire Specific Threat Knowledge
  Threat Characterization Combined with Intelligence Facts, When Processed by SPIN, Can Yield Implicit or Intrinsic Knowledge Not Readily Apparent
  Ontology Based Threat Assessments, SPARQL, and SPIN Enable Machine to Machine Intel Support to Ops
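The Basic Process above (OWL ontology, RDF intelligence facts, SPIN rules, SPARQL queries) as an added toy illustration that is not code from the briefing or from the SPIN stack: a pure-Python in-memory triple store, a basic-graph-pattern matcher standing in for a SPARQL WHERE clause, and CONSTRUCT-style rules forward-chained to a fixpoint, which is how SPIN-style inferencing surfaces the "implicit knowledge not readily apparent" from a threat ontology plus facts (it also illustrates the RDF triples and SPARQL query described on Page 10). The thr: and ex: prefixes, the threat system, its subsystems and the signature are all constructed sample data.

```python
def unify(pattern, triple, binding):
    """Extend binding so pattern matches triple ("?x" terms are SPARQL-style variables), else None."""
    b = dict(binding)
    for want, got in zip(pattern, triple):
        if want.startswith("?"):
            if b.setdefault(want, got) != got:   # variable already bound to something else
                return None
        elif want != got:
            return None
    return b
def match(store, patterns, binding=None):
    """Yield every variable binding satisfying all triple patterns (a basic graph pattern)."""
    binding = {} if binding is None else binding
    if not patterns:
        yield binding
        return
    for triple in store:
        b = unify(patterns[0], triple, binding)
        if b is not None:
            yield from match(store, patterns[1:], b)
def infer(facts, rules):
    """Forward-chain CONSTRUCT-style rules (head template, WHERE body) to a fixpoint."""
    kb = set(facts)
    while True:
        new = {tuple(b.get(t, t) for t in head)
               for head, body in rules for b in match(kb, body)}
        if new <= kb:                      # nothing new: inferencing is complete
            return kb
        kb |= new
# Constructed threat ontology + intel facts as (subject, predicate, object) triples with
# abbreviated IRIs; every name (thr:, ex:, ThreatSystemA, ...) is sample data, not a real system.
FACTS = {
    ("ex:ThreatSystemA", "rdf:type", "thr:ThreatSystem"),
    ("ex:ThreatSystemA", "thr:hasSubsystem", "ex:Seeker"),        # Structure
    ("ex:Seeker", "thr:hasSubsystem", "ex:IRDetector"),
    ("ex:Seeker", "thr:providesCapability", "ex:PassiveHoming"),  # Capabilities
    ("ex:IRDetector", "thr:hasSignature", "ex:IRSignature1"),     # Signatures
}
RULES = [  # SPIN-style rules: (CONSTRUCT template, WHERE patterns)
    # thr:hasSubsystem is transitive (what OWL would declare as a TransitiveProperty)
    (("?a", "thr:hasSubsystem", "?c"),
     [("?a", "thr:hasSubsystem", "?b"), ("?b", "thr:hasSubsystem", "?c")]),
    # a system exhibits the signatures of any of its (transitive) subsystems
    (("?sys", "thr:exhibitsSignature", "?sig"),
     [("?sys", "thr:hasSubsystem", "?part"), ("?part", "thr:hasSignature", "?sig")]),
]
def signatures_of(system, facts=FACTS, rules=RULES):
    """SPARQL-like query 'which signatures does this system exhibit?' run after inferencing."""
    kb = infer(facts, rules)
    return sorted(b["?sig"] for b in match(kb, [(system, "thr:exhibitsSignature", "?sig")]))
```

The signature is stated only for the IR detector two levels down; the query on the top-level system finds it because the rules materialized the transitive subsystem link and the derived exhibitsSignature triple first.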

Page 21: Figure 3: SPINing Threat Ontologies

Diagram: Threat Ontology and the SPIN Stack Can Operationalize Intelligence
Actors: Analyst; Knowledge Engineer; DB Admin; Policy Maker Client; Ops Client
Stores: Traditional Threat KB (Doc & RDBMS); SAVANT KB; Threat Ontology KB (RDF/OWL); Intel Fact KB (RDF); SPIN Stack (RDF)
Activities: Extract/Export Threat Characterization; Develop Threat Ontology; Capture Intelligence Facts; Modify & Extend SPIN Stack; Acquire & Mediate Threat Knowledge (SPARQL, XSLT); Intel Application In Operational Context (machine to machine)
These stores collectively constitute operationalized intelligence
SPIN (SPARQL Inferencing Notation)

Page 22: The Key Technologies Revisited

Concept Mapping and System Modeling Tools
XML, RDF/RDFS, OWL
RDF Triple Store
SPARQL Protocol and RDF Query Language (SPARQL)
SPARQL Inferencing Notation (SPIN)
Semantic Application Development Platform (e.g. Top Braid)

Page 23: More Implications

Externalized Conceptual Models of the Threat Are at the Core of the Threat Assessment; This Becomes a Core Tenet of Analyst Tradecraft
Threat Concepts Expressed As Ontologies and Supporting Assertions/Facts Using RDF and OWL and Appropriate Authoring/Editing Tools
Requires a Paradigm Shift and Development of Analyst Competencies/Skills in Conceptual Modeling and Ontology Development

Several Very Important Benefits
  Development/Refinement of the Externalized Conceptual Model of the Threat Throughout the Assessment Facilitates Communication, Collaboration, Vetting, Completeness, Accuracy, Clarity, etc.
  Threat Is Represented Via a Highly Structured, Standards Based, Product Neutral, Machine Readable Construct Which Can Be Readily Queried and Which Can Drive Inferencing; Enables Rapid Acquisition of Specific Knowledge Chunks/Facts

Page 24: Conclusions/Summary

The Time Has Come to Apply Semantic Technologies to Threat Assessment, Threat Knowledge Representation, and Associated Applications
Threat Knowledge Can Be Represented in Machine Readable Form, Enabling Powerful Query, Inferencing, and Mediation Capabilities and Basically Operationalizing Intelligence
The Same Technologies Can Also Be Used in AFISRC2 Applications Using Threat and ISRC2 Ontologies
There Are Many Possibilities!