Semantics Based Threat Assessment and Threat Knowledge Representation/Applications for Intelligence, Defense, and Homeland Security (May 10) Dave Lush, SME Aha! Analytics
Contents
• Purpose
• Background
• Statement of the Need
• Implications
• Proposed Approach
• Semantic Apps/Technologies Primer
• Ontology Driven Threat Assessment and Threat Knowledge Representation/Applications
• The Key Semantic Technologies Revisited
• More Implications
• Summary/Conclusions
Purpose(s)
To communicate some ideas/concepts regarding Semantics Based Threat Assessment and Threat Knowledge Representation/Applications for Intelligence, Defense, and Homeland Security
Quick Background
• Breathtaking Change!
  • Threat
  • Requirements
  • Technology
  • Complexity
• Collective Externalized Threat Knowledge Is Not in Good Shape
  • It Is Quite Sub-Optimal for Discovery and Extraction of Specific Relevant Knowledge Regarding the Threat
  • It Is Not Sufficiently Operationalized
• Lots of Envisioning and Initiatives Going On, But No Breakthrough Yet
Statement of Core Need Regarding Threat Data, Info, Knowledge
National Security Players (Including Machines) Must Be Able to Quickly Receive, Discover, Access, and Acquire the Specific Pieces of Threat Data, Information, and Knowledge That They Need and That They Have the Security Clearance Level to Receive
Implications in Terms of Major Knowledge Mgt and Sharing Requirements:
• Intelligence, DoD, and DHS Elements Must Capture and Manage Complete Digital Characterizations of Simple and Complex Threat Objects, Situations, and Associated Objects/Concepts
• Must Capture These Characterizations With the Requisite Structure, Detail, and Data Types
• Must Capture and Manage the Threat Knowledge in Product Neutral Form So It Can Serve As the Single Source and Be Readily Re-purposed (Multi-channel, Single Source)
• Must Capture and Manage the Requisite Meta-data at the Attribute and Attribute Value Level in Order to Enable:
  • Automated Distribution of Data and Derived Products to Different Security Domains
  • Rich Content Tagging of the Data and Derived Dynamic Products
Implications in Terms of Major Knowledge Mgt and Sharing Requirements (cont.):
• Must Develop, Capture, Manage, and Apply Externalized (Digital) Machine Readable Conceptual Models/Instantiations (Ontologies) of the Threat Objects & Concepts
  • In Order to Provide a Common Conceptual Foundation for Information (Database) Models, Engineering Models, and Content Mark-up
  • To Capture Structured Threat Characterizations in Machine Readable Form Conducive to Application of Semantic Technologies
• Must Develop, Capture, and Manage Dynamic Product Components (and Associated Meta-data) That Draw Upon the Pre-positioned Threat Characterizations, Manipulate the Data in a Specified Way, and Render a Component of a Product Presentation
• Must Develop, Capture, and Manage Intelligence Product Portlets Which Are Made Up of the Components Cited Above and, When Invoked, Execute the Components to Provide Access to and Delivery of Topical and Specific (Operationalized) Intelligence
Proposed Approach
• Significant Application of Semantic Technologies
  • They Are Ready for Prime Time
  • Technologies Include: RDF, SPARQL, OWL, SPIN
• Ontology Driven Threat Assessment (ODTA)
  • Formulation and Constant Refinement of a Conceptual Model of the Threat Under Study Is at the Center of the Assessment
  • Perhaps Based on the Top Level System Model (SysML) Proposed by OMG (http://www.omgsysml.org/)
• Ontology Based Threat Representation
  • The Threat Entity Is Specified With an Ontology Expressed in OWL
  • The Ontology Is Authored Via a Graphical Ontology Authoring/Editing Tool, e.g. TopQuadrant Composer
• Capture/Management of Simple Intelligence Facts
  • Captured As RDF Triples (Subject-Predicate-Object)
  • Managed Via an RDF Triple Store, e.g. Oracle RDF
• Semantic Query and Inferencing
  • Application of SPARQL and SPARQL Inferencing Notation (SPIN) (http://spinrdf.org/)
  • Enables Powerful Query and Inferencing Against the Threat Ontologies and Intelligence Facts
Some Definitions/Observations
• What’s an Ontology?
  • In general, a specification of a conceptualization.
  • More specifically, an externalized conceptual model expressed in terms of concepts and relationships between concepts.
  • Even more specifically, a conceptual model of a piece of reality of interest, expressed in terms of concepts, things, and relationships between concepts and things.
• Ontologies and Associated Semantic Artifacts Expressed in the Appropriate Machine Readable Language Enable Computer Applications to Leverage Semantics, e.g.
  • Semantically Enriched Query
  • Data Integration at the Semantic Level
  • Operationalized Intelligence Via Ontologies of the Threat
Semantic Applications
• Semantic Applications Leverage/Apply Machine Readable Semantics and Semantic Technologies to Achieve Their Objectives
• The Core Constructs for Semantic Technologies/Applications Are the Relationship Graph, Taxonomy, and Ontology
• Semantic Applications Use Machine Readable Relationship Graphs, Taxonomies, and Ontologies to Express and Leverage Relevant Semantics
• Semantics Are Expressed As Subject-Predicate-Object Triples Using RDF, or As Classes/Instances and Associated Relationships and Attributes Using OWL, Which Is an Extension of RDF. RDF and OWL Are Ultimately XML-based Languages (RDF/XML Is One Standard Serialization; Turtle Is Another)
• RDF Triples and OWL Ontologies Are Captured and Managed Via an RDF Triple Store Capability (e.g. Oracle 11g Spatial)
• RDF and OWL Databases Are Queried Via the SPARQL Protocol and RDF Query Language (SPARQL)
The Core Semantic Technologies
• Graph/Taxonomy/Ontology Constructs
• RDF Language for Expressing Machine Readable Graphs/Taxonomies
• OWL Language for Expressing Machine Readable Ontologies
• Authoring/Editing Tools for RDF/OWL
• RDF Triple Store (e.g. Oracle 11g Spatial, AllegroGraph)
• Semantic Query (SPARQL)
• Rules and Inferencing, e.g. SPARQL Inferencing Notation (SPIN)
• Semantic Application Frameworks and Platforms, e.g. Jena (Java), the TopBraid Suite
• RDF (Entity/Relationship) Extraction
Ontology Based Intel Analysis & Threat Characterization: Externalizing Conceptual Models
A Major Challenge of the New Intel Analyst Tradecraft Is to Externalize and Formalize the Analysts’ Conceptual Models to Become Machine Readable Ontologies or Information Models Which Can “Drive” Intel Knowledge Mgt and Virtual Production
Figure 6: Externalizing Conceptual Models (diagram labels: ANALYST; Incoming Observations and Data; Cognitive and Ontology Development Processes; CONCEPTUAL MODEL; Ontology Development Methodologies and Tool(s); EXTERNALIZED MACHINE READABLE INFORMATION MODEL OR ONTOLOGY)
Conceptual Model of the Threat (the SysML Template)
• Purposes
• Capabilities
• Vulnerabilities
• Behavior (behavioral models)
• Structure (structural models)
• Signatures
• Parametrics (physics/math)
Figure 1a: C-map of a Conceptual Model of the Threat (a SysML-consistent generic concept map for a threat system). SysML is the OMG system modeling language built upon UML.
The Threat Model and Its Instantiation
Figure 2: Instantiation of the Conceptual Model. Conceptual Model of the Threat (Purposes, Capabilities, Vulnerabilities, Behavior, Structure, Signatures, Parametrics) + Source Data & Engineering Models & Other Tools + Assumptions & Constraints + Arguments & Rationales = Instantiated Model of the Threat (Structure, Behavior, Signatures, Parametrics) and Key Findings (Purposes, Capabilities, Vulnerabilities)
Structured Threat Assessment
• Key Intelligence Questions
• Key Assumptions
• Conceptual Model
• Instantiated Conceptual Model
• Arguments & Rationales
• Source Citations
Model Driven Analysis & Knowledge Capture
A core element of a threat assessment is the conceptual model of the threat. The model is “instantiated” with data and metadata derived from the source INT data and the results of analysis of that data. The instantiated model is used to ascertain key facts and assertions regarding the nature of the threat.
A Major Challenge of the New Intel Analyst Tradecraft Is to Externalize and Formalize the Analysts’ Conceptual Models to Become Machine Readable Ontologies or Information Models Which Can “Drive” Intel Knowledge Mgt and Virtual Production
Threat Knowledge Base:
• Conceptual Model (Ontology) & Instantiation
  • Structure
  • Behavior
  • Parametrics
  • Capabilities
  • Signatures
• Structured Threat Assessment
  • Key Intelligence Questions
  • Key Assumptions
  • Sources
  • Conceptual Model
  • Instantiated Conceptual Model
  • Arguments/Rationales
Figure 4: Externalizing Conceptual Models (diagram labels: ANALYST; Collaboration and Peer Review; INTERNALIZED CONCEPTUAL MODEL; Cognitive and Conceptual Model Development Processes; Incoming Observations and Data; CONCEPTUAL MODEL DEV METHODOLOGIES AND TOOL(S); ANALYSIS AND CONCEPTUAL MODEL INSTANTIATION METHODS/TOOL(S))
Ever Increasing Structure
Process stages, from less structure to more structure: Data Exploitation & Knowledge Extraction → Analysis & Assessment → Conceptual Modeling & Knowledge Capture → Digital Production & Dissemination
Corresponding outputs: Exploited Data & Extracted Knowledge → Analysis Results → Structured Labeled Threat Knowledge → Dynamic Products & Portlets
Key Observations: The knowledge extraction processes extract structured knowledge from unstructured input streams. The knowledge capture processes capture structured knowledge that results from analysis/assessment. The more our knowledge of the threat is captured and managed in highly structured and labeled form, the more flexibility and nimbleness we have when it comes to getting the knowledge to the right customer at the right time and in the right form. So, it would behoove us to cause our knowledge of the threat to become more and more structured as we move from exploitation and knowledge extraction, through analysis/assessment, to knowledge capture and management. Unstructured textual information must be accommodated in the resultant threat knowledge, but it should be present within the context of an appropriately conceived and structured information model.
Threat Ontology, Intel Facts, and the SPIN Stack
• This Is About Application of Semantic Technologies to Threat Assessment, Capture, and Application (Query and Inferencing)
  • RDF, RDF Triple Extraction/Management, Web Ontology Language (OWL), SPARQL Protocol and RDF Query Language (SPARQL), and SPARQL Inferencing Notation (SPIN)
• The Basic Process
  • Capture Threat Assessments Via Ontologies Expressed in OWL
  • Facilitate Ontology Population Via RDF Extraction from Traditional Intel Documents and Export from RDBMS Databases
  • Capture/Store/Manage Simple Intelligence Facts Via RDF and an RDF Triple Store
  • Deploy and Apply the SPARQL Inferencing Notation (SPIN) Technology Stack
  • Execute SPARQL Queries and Inferences Against the Threat Ontology and the Related Intelligence Facts Using the SPIN Stack
• The Basic Benefits
  • The Threat Is Precisely Defined in Machine Readable Form Via Open Standards
  • Threat Knowledge Is Easily Queried and Navigated to Acquire Specific Threat Knowledge
  • Threat Characterization Combined with Intelligence Facts, When Processed by SPIN, Can Yield Implicit or Intrinsic Knowledge Not Readily Apparent
  • Ontology Based Threat Assessments, SPARQL, and SPIN Enable Machine to Machine Intel Support to Ops
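The capture of facts as RDF triples, SPARQL pattern query and SPIN-style inferencing described on the Proposed Approach, Semantic Applications and Basic Process slides, as an added example that is not part of the presentation and not code from any product it names (Oracle RDF, Jena, TopBraid). It uses a hand-rolled in-memory triple store in place of a real RDF store, represents SPIN rules as WHERE-pattern/CONSTRUCT-template pairs, and all URIs, class names, systems and signatures are constructed sample data. The point it adds to the slides is the last benefit bullet made concrete: a query for threat systems with a given signature finds only the directly asserted system until RDFS subclass and a domain rule are forward-chained, after which the system whose type and signature were only implicit is returned too.

```python
"""Toy RDF triple store + SPARQL-style pattern matching + SPIN-style rules.
Added illustration for this page; constructed sample data throughout."""

EX = "http://example.org/threat#"   # constructed example namespace
RDF_TYPE = "rdf:type"
SUBCLASS = "rdfs:subClassOf"


def ex(local_name):
    """Build a URI in the constructed example namespace."""
    return EX + local_name


def local(uri):
    """Strip the example namespace for readable output."""
    return uri[len(EX):] if uri.startswith(EX) else uri


class TripleStore:
    """Minimal in-memory set of (subject, predicate, object) triples."""

    def __init__(self):
        self.triples = set()

    def add(self, s, p, o):
        self.triples.add((s, p, o))

    def match(self, pattern, binding=None):
        """Yield variable bindings that make one triple pattern true.
        Terms starting with '?' are variables, as in SPARQL."""
        binding = binding or {}
        for triple in self.triples:
            b = dict(binding)
            ok = True
            for term, value in zip(pattern, triple):
                if term.startswith("?"):
                    if b.get(term, value) != value:   # bound to something else
                        ok = False
                        break
                    b[term] = value
                elif term != value:                   # constant mismatch
                    ok = False
                    break
            if ok:
                yield b

    def query(self, patterns):
        """Solve a conjunction of patterns (a SPARQL WHERE block) by
        threading bindings through the patterns left to right."""
        solutions = [{}]
        for pattern in patterns:
            solutions = [b2 for b in solutions for b2 in self.match(pattern, b)]
        return solutions

    def infer(self, rules):
        """Apply WHERE -> CONSTRUCT rules until no new triple appears
        (a fixpoint); return how many triples were derived."""
        derived = 0
        while True:
            new = set()
            for where, construct in rules:
                for b in self.query(where):
                    triple = tuple(b.get(term, term) for term in construct)
                    if triple not in self.triples:
                        new.add(triple)
            if not new:
                return derived
            self.triples |= new
            derived += len(new)


# Rules in the spirit of SPIN: a WHERE pattern list and a CONSTRUCT template.
RULES = [
    # RDFS: an instance of a subclass is an instance of the superclass
    ([("?x", RDF_TYPE, "?c"), ("?c", SUBCLASS, "?d")], ("?x", RDF_TYPE, "?d")),
    # RDFS: subClassOf is transitive
    ([("?a", SUBCLASS, "?b"), ("?b", SUBCLASS, "?c")], ("?a", SUBCLASS, "?c")),
    # Constructed domain rule: a system exhibits every signature one of its
    # components emits
    ([("?sys", ex("hasComponent"), "?part"),
      ("?part", ex("emitsSignature"), "?sig")],
     ("?sys", ex("hasSignature"), "?sig")),
]


def build_store():
    """Load a constructed ontology fragment (class hierarchy, the OWL side)
    and constructed intelligence facts (instances, the RDF side)."""
    store = TripleStore()
    store.add(ex("AirDefenseRadar"), SUBCLASS, ex("RadarSystem"))
    store.add(ex("RadarSystem"), SUBCLASS, ex("ThreatSystem"))
    store.add(ex("SystemAlpha"), RDF_TYPE, ex("AirDefenseRadar"))
    store.add(ex("SystemAlpha"), ex("hasComponent"), ex("TransmitterT1"))
    store.add(ex("TransmitterT1"), ex("emitsSignature"), ex("PulseTrainSigma"))
    store.add(ex("SystemBravo"), RDF_TYPE, ex("ThreatSystem"))
    store.add(ex("SystemBravo"), ex("hasSignature"), ex("PulseTrainSigma"))
    return store


def systems_with_signature(store, signature):
    """SELECT ?s WHERE { ?s rdf:type ex:ThreatSystem . ?s ex:hasSignature <sig> }"""
    patterns = [("?s", RDF_TYPE, ex("ThreatSystem")),
                ("?s", ex("hasSignature"), ex(signature))]
    return sorted(local(b["?s"]) for b in store.query(patterns))


if __name__ == "__main__":
    store = build_store()
    print("asserted only:", systems_with_signature(store, "PulseTrainSigma"))
    print("derived triples:", store.infer(RULES))
    print("after inference:", systems_with_signature(store, "PulseTrainSigma"))
```

Running it shows the difference the inferencing step makes: before `infer`, only SystemBravo matches because SystemAlpha is typed as an AirDefenseRadar and its signature is recorded against a component, not the system; after the rules reach a fixpoint (four derived triples) both systems are returned, and a second `infer` call derives nothing further. A production deployment would replace `TripleStore` with the RDF store and SPIN engine of the chosen stack; the pattern/rule structure is what carries over.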
Figure 3: SPINing Threat Ontologies. Threat Ontology and the SPIN Stack Can Operationalize Intelligence (machine to machine)
Diagram labels. Roles: Analyst, Knowledge Engineer, DB Admin. Activities: Develop Threat Ontology; Capture Intelligence Facts; Modify & Extend SPIN Stack; Extract/Export Threat Characterization. Stores: Threat Ontology KB (RDF/OWL), Intel Fact KB (RDF), SPIN Stack (RDF), Traditional Threat KB (Doc & RDBMS), SAVANT KB; these stores collectively constitute operationalized intelligence. Delivery: Acquire & Mediate Threat Knowledge (SPARQL, XSLT) to the Intel Application in Operational Context, serving the Policy Maker Client and the Ops Client. SPIN = SPARQL Inferencing Notation.
The Key Technologies Revisited
• Concept Mapping and System Modeling Tools
• XML, RDF/RDFS, OWL
• RDF Triple Store
• SPARQL Protocol and RDF Query Language (SPARQL)
• SPARQL Inferencing Notation (SPIN)
• Semantic Application Development Platform (e.g. TopBraid)
More Implications
• Externalized Conceptual Models of the Threat Are at the Core of the Threat Assessment; This Becomes a Core Tenet of Analyst Tradecraft
• Threat Concepts Are Expressed As Ontologies and Supporting Assertions/Facts Using RDF and OWL and Appropriate Authoring/Editing Tools
• Requires a Paradigm Shift and Development of Analyst Competencies/Skills in Conceptual Modeling and Ontology Development
• Several Very Important Benefits
  • Development/Refinement of an Externalized Conceptual Model of the Threat Throughout the Assessment Facilitates Communication, Collaboration, Vetting, Completeness, Accuracy, Clarity, etc.
  • The Threat Is Represented Via a Highly Structured, Standards Based, Product Neutral, Machine Readable Construct Which Can Be Readily Queried and Which Can Drive Inferencing; Enables Rapid Acquisition of Specific Knowledge Chunks/Facts
Conclusions/Summary
• The Time Has Come to Apply Semantic Technologies to Threat Assessment, Threat Knowledge Representation, and Associated Applications
• Threat Knowledge Can Be Represented in Machine Readable Form, Enabling Powerful Query, Inferencing, and Mediation Capabilities and Basically Operationalizing Intelligence
• The Same Technologies Can Also Be Used in AFISRC2 Applications Using Threat and ISRC2 Ontologies
• There Are Many Possibilities!