Threat Assessment

The events of 9/11 made us aware of the need to assess various types of threats for their potential to cause actual catastrophic events. These threats may be targeted at populated cities or at some small local town. Not only is the entity under attack important; surrounding entities such as escape routes, threat protection centers, bridges, public buildings, populated areas, schools, etc. are also important. Threats in the world today may require support persons to react quickly to emergency situations and to assess, plan for and manage those threats, often based on incomplete and imprecise information.

Upon receipt of a threat, such as a threat against LargeTownUSA (LTUSA) on July 17, the only known facts are the date and location of the threat. Reasoning to assess or plan for such a threat with this limited information is certainly not possible. However, we can discern data about events related to the date and the location. Are there any events such as parades, rallies, or other gatherings planned for that date? Are there any flight plans logged for that date which might need investigation? Is there critical infrastructure in the location of LTUSA that would be critical in choosing it as a target? Where are the roads, railways, and structures?

While threat assessment tools and techniques are in their infancy, Dr. Stoecklin is investigating a combination of data mining and case based reasoning to both assess and plan for potential threats. The data miner searches for more information about the threat so that the reasoner can make good assessments regarding threats. This research involves many aspects of data mining and changes to the normal paradigm of the case based reasoner.
The tool under development contains three components: (1) a graphical component to display the situation, (2) a case based reasoner to reason about the features of the threat, and (3) a data miner to gather and analyze data and supply missing feature information to the reasoner. It utilizes an adaptive reflective software technique with data described in XML [Hay99, Shi98].

Graphical Component

The graphical component will provide the ability to visualize the situation. This component will allow the visualization of a location, infrastructure entities, people and other entities. Since this component is also built using the metadata architecture, adding new features to the visualization is often a simple task. The component will also allow those entities to be moved so that the user can see the entire threat situation graphically.

Data Miner

The data miner will be used to gather information to better describe the features of the threat case. The case, described by its features, may not be complete. Mining techniques will be dynamically selected and used to search existing databases described in XML and data-related hyperlinks. This data can include items such as nearby infrastructure entity locations, flight patterns, other transportation schedules, etc. Various data mining techniques will be used depending on the data needed. Data found on the internet might include events planned on a date, attendees of an event, expected routes, etc. Upon completion of the mining and identification of additional known feature data, the reasoner returns to search the case bases again to determine whether more data is necessary to identify the case.

Case Based Reasoner

In case based reasoning (CBR) systems, cases represent concrete features of experiences. Cases are stored as problem-solution pairs describing a threat episode.
Generally, the case-based problem solving process involves navigating through the solutions in a "solution space," guided by the similarity of a given problem's features to those represented by the cases stored in a case library. This is illustrated in the unshaded portion of Figure 1, adopted from [Sch02]. As a new problem is encountered, the CBR system searches for those cases in the case library whose problem descriptions are similar, according to some similarity metric, to that of the given problem. The solutions of the most similar cases are then used as a starting point for devising a solution to the new problem. The CBR system creates a solution to the new problem by adapting the solutions from the cases that were retrieved. This adaptation process is sometimes automatic, but can require human assistance.

Our reasoner has made extensive use of the adaptive software architecture techniques described in such works as [Yod00]. The adaptive CBR utilizes metadata to determine which comparator methods are to be used for specific case features during the similarity matching part of the case retrieval step (Step 2).

The modified mining reasoner for threat assessment has the capability of investigating known threats with partial or complete sets of data and mining to complete the sets. Mining will include various techniques for features such as heterogeneous data sources, hyperlinked internet data, and other information targeted as features of the known threat. The mining case based reasoner stores not only fully described cases representing potential episodes of threats, but also partially defined cases or episodes, since a full description of the problem may not be known. The new process added to the traditional case based reasoning process is shown in the shaded area below.
[Figure 1: Traditional Case Based Reasoner Process. Process steps: 1.0 Formulate Problem, 2.0 Search Archives, 3.0 Select/Adapt, 4.0 Generate Response to Problem, 5.0 Report Results, 6.0 Mine for Data. Other elements: Environment, Cases Archive, Databases, Internet data.]

The resulting system will have the capability of investigating known threats with partial or complete sets of data, searching for the data needed to complete sets, and reasoning about the threat. This approach shows promise for the extension of reasoning with incomplete and imprecise information using a case based reasoner.

[Hay99] Hayes, C. and P. Cunningham. "Shaping a CBR view with XML." Case-Based Reasoning Research and Development, Proceedings of the Third International Conference on Case-Based Reasoning, ICCBR-99, Lecture Notes in Computer Science, LNAI v 1650, Springer Verlag, 1999.

[Lie96] Lieberherr, K. J. Adaptive Object-Oriented Software: The Demeter Method with Propagation Patterns, PWS Publishing Company, 1996.

[Sch02] Schwartz, D. G., S. Stoecklin, and E. Yilmaz. "A case-based approach to network intrusion detection." Proceedings of the Fifth International Conference on Information Fusion, IF'02, Annapolis, MD, 2002, pp. 1084-1089.

[Shi98] Shimazu, H. "A textual case-based reasoning system using XML on the world-wide web." Advances in Case-Based Reasoning, Proceedings of 4th European Workshop, EWCBR-98, Lecture Notes in Computer Science, LNAI v 1488, Springer Verlag, 1998, pp. 274-285.

[Yod00] Yoder, J. W. and R. Razavi. "Metadata and adaptive object-models." ECOOP '2000 Workshop Reader, Lecture Notes in Computer Science, LNCS v 1964, Springer Verlag, 2000.
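
The metadata-driven similarity matching and the hand-off of incomplete cases to the data miner, both described under Case Based Reasoner, sketched here as an added example (not the tool's own code). Feature names, comparator functions, weights, the coverage threshold and the sample cases are all assumptions constructed for illustration.

```python
from datetime import date

# Comparator methods (hypothetical names and scoring rules for this sketch).
def exact(a, b):
    return 1.0 if a == b else 0.0

def date_proximity(a, b, window_days=30):
    return max(0.0, 1.0 - abs((a - b).days) / window_days)

def set_overlap(a, b):
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 1.0

# Feature metadata: selects the comparator and weight used for each case feature.
METADATA = {
    "location_type": {"comparator": exact, "weight": 2.0},
    "date": {"comparator": date_proximity, "weight": 1.0},
    "planned_events": {"comparator": set_overlap, "weight": 3.0},
    "infrastructure": {"comparator": set_overlap, "weight": 3.0},
}

def similarity(problem, case):
    """Weighted similarity over features known on both sides, plus coverage."""
    score = total = 0.0
    for name, meta in METADATA.items():
        if problem.get(name) is None or case.get(name) is None:
            continue  # unknown feature: excluded from the match, lowers coverage
        score += meta["weight"] * meta["comparator"](problem[name], case[name])
        total += meta["weight"]
    coverage = total / sum(m["weight"] for m in METADATA.values())
    return (score / total if total else 0.0), coverage

def retrieve(problem, library, min_coverage=0.6):
    """Return the best case; if too little was comparable, list features to mine."""
    ranked = sorted(((similarity(problem, c), c["id"]) for c in library), reverse=True)
    (best_sim, best_cov), best_id = ranked[0]
    status = "complete" if best_cov >= min_coverage else "incomplete"
    missing = [f for f in METADATA if problem.get(f) is None]
    return {"best": best_id, "similarity": best_sim, "status": status,
            "mine": missing if status == "incomplete" else []}

# Constructed case library (one partially defined case) and a date/location-only problem.
LIBRARY = [
    {"id": "case-A", "location_type": "large_town", "date": date(2003, 7, 4),
     "planned_events": ["parade"], "infrastructure": ["bridge", "rail"]},
    {"id": "case-B", "location_type": "small_town", "date": date(2003, 12, 1),
     "planned_events": None, "infrastructure": ["school"]},
]
PROBLEM = {"location_type": "large_town", "date": date(2003, 7, 17)}
MINED = {"planned_events": ["parade", "rally"], "infrastructure": ["bridge", "rail"]}
```

Calling `retrieve(PROBLEM, LIBRARY)` reports an incomplete match and names the features to mine; calling it again with `{**PROBLEM, **MINED}` returns a complete match against the same case.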