Using Maximum Entropy for Rapid Cyber Warfare Deduction and Inference - A Demonstration
DARPA IA&S Joint PI Meeting, 17-23 July 2000
Philip Calabrese, Ph.D., SSC SD
The Complexity Problem
• Need: To calculate logical and probabilistic solutions for cyber warfare situations as we do for numerical problems
• Roadblock: The complexity of uncertain information stands in the way of standard probability calculations arising from even simple situations
• Solution: The maximum entropy principle defeats ignorance-generated complexity and quickly yields the most likely probability distribution
Relative (Conditional) Entropy
• The relative entropy function for probability distribution P given a priori probability distribution Q:
• $H(P,Q) = \sum_i p_i \log (p_i / q_i)$
• $p_i$ is the probability according to P of the i-th outcome and $q_i$ is the a priori probability according to Q of the i-th outcome
• The most likely probability distribution P, given a priori distribution Q, is the one that minimizes H or, equivalently, maximizes $-\sum_i p_i \log (p_i / q_i)$
Maximum Entropy Methods
• Rigorously Bayesian
• Manages Missing Information
• Defeats Information Complexity
• Scalable to Large, Real-World Problems
• Easily Updated with New Information
• Easily Incorporates Expert Knowledge
• Output Easily Interpreted
Demonstration of SPIRIT
• Vincennes Incident (a tense situation)
• Airplane detected heading straight toward own ship
• Track origin is an Iraqi dual-use airfield
• No response to IFF interrogation
• Distance closing to missile attack range
• Track elevation is increasing
• Is this likely to be an attack?
Three Cyber Intrusion Sensors
• Sensors 1, 2 and 3 respectively monitor a cyber-system for Anomalous Behavior, Misuse and Specification Violations
• Sensors 1, 2 and 3 detect 70%, 80% and 45% respectively of such Incidents
• False Alarm Rates for Sensors 1, 2 and 3 are 0.20, 0.02 and 0.0 respectively
• Estimate the Combined Detection Rate and Error Rate given such an Incident in the Monitored Area
• Assume a 10% overall Incident Rate
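The slide poses the three-sensor problem without showing the arithmetic. The added example below (not from the slides or from SPIRIT) works it through: when the only constraints are the per-sensor detection rates, false-alarm rates and the 10% incident rate, the maximum-entropy joint distribution is the one in which the sensors are conditionally independent given incident status, so the fused rates and the posterior for any alarm pattern follow from that product form. The "any sensor fires" and "two of three" fusion rules are my assumptions, chosen to show how the rule trades detection against false alarms.

```python
"""Max-entropy sensor fusion for the three-sensor slide (constructed example)."""
from itertools import product

DETECT = (0.70, 0.80, 0.45)      # P(alarm_i | incident), from the slide
FALSE_ALARM = (0.20, 0.02, 0.0)  # P(alarm_i | no incident), from the slide
INCIDENT_RATE = 0.10             # prior P(incident), from the slide


def joint(incident: bool, alarms: tuple) -> float:
    """Probability of one (incident, alarm-pattern) outcome under the
    maximum-entropy joint, which factors as prior * product of per-sensor
    conditionals (conditional independence given incident status)."""
    p = INCIDENT_RATE if incident else 1.0 - INCIDENT_RATE
    rates = DETECT if incident else FALSE_ALARM
    for fired, r in zip(alarms, rates):
        p *= r if fired else 1.0 - r
    return p


def fused_rates(rule=any) -> tuple:
    """(detection rate, false-alarm rate) of a fusion rule applied to the
    alarm pattern. Default rule (assumed): declare an incident if any fires."""
    patterns = list(product((False, True), repeat=len(DETECT)))
    det = sum(joint(True, a) for a in patterns if rule(a)) / INCIDENT_RATE
    fa = sum(joint(False, a) for a in patterns if rule(a)) / (1.0 - INCIDENT_RATE)
    return det, fa


def posterior(alarms: tuple) -> float:
    """P(incident | observed alarm pattern) by Bayes' rule on the joint.
    Sensor 3 has a zero false-alarm rate, so any pattern in which it fires
    yields a posterior of exactly 1.0 (the no-incident term vanishes)."""
    hit, miss = joint(True, alarms), joint(False, alarms)
    return hit / (hit + miss)


if __name__ == "__main__":
    d, f = fused_rates()
    print(f"any-sensor fusion:   detection {d:.3f}, false alarm {f:.3f}")
    d2, f2 = fused_rates(lambda a: sum(a) >= 2)
    print(f"two-of-three fusion: detection {d2:.3f}, false alarm {f2:.3f}")
    print(f"P(incident | only sensor 1 fires)  = {posterior((True, False, False)):.3f}")
    print(f"P(incident | sensors 1 and 2 fire) = {posterior((True, True, False)):.3f}")
```

Note how the low-precision sensor 1 alone barely moves the 10% prior (about 4% once its pattern includes the other two staying silent), while corroboration from sensor 2 lifts the posterior to roughly 90%.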
Cyber Terrorism Example
• Variables
  • Weapons (malicious code, DB-corruption, …)
  • Targets (servers, data bases, telecomm, …)
  • Categories of Terrorist Organization (hackers, …)
  • Specific Terrorist Organizations (Bin Laden, …)
  • Countermeasures (firewalls, detection, …)
  • Anti-Terrorist Organizations (DoD, CIA, FBI, …)
• Rules describing cyber terror situations
  • If organization type = hackers then with probability about 0.9, targets = servers or targets = data bases
  • ...
Research Issues
• Deductions, Inferences and Complex Compositions given Uncertain Conditional Information
• Methods for Judiciously Pruning Conditional Information when Over-specification (Inconsistency) occurs
• Confidence Intervals for the Maximum Entropy Distribution among all Consistent Probability Distributions
References
• W. Rödder, "Conditional logic and the Principle of Entropy", Artificial Intelligence 117 (Feb. 2000), 83-106
• SPIRIT: An entropy-based expert system developed by Professor Wilhelm Rödder of Fern Univ. Hagen, Germany; http://www.fernuni-hagen.de/BWLOR/spirit/
• P. G. Calabrese, "A theory of conditional information with applications", IEEE Transactions on Systems, Man and Cybernetics, Special Issue on Conditional Event Algebra, Vol. 24, No. 12, Dec. 1994, 1676-1684
• J. E. Shore, R. W. Johnson, "Axiomatic derivation of the principle of maximum entropy and the principle of minimum cross entropy", IEEE Transactions on Information Theory, Vol. 26, No. 1, Jan. 1980, 26-37