Processing events in probabilistic risk assessment
Robert C. Schrag, Edward J. Wright, Robert S. Kerr, Bryan S. Ware
9th International Conference on Semantic Technologies for Intelligence, Defense, and Security (STIDS). November 20, 2014
Annotated presentation—see Notes Page view.
Three event-informed person risk models

1. MC (“Carbon”): Information disclosure risk
   Belief that a (candidate) member person P will disclose an organization’s private information
   Life (“macro”) events:
   - Education, employment
   - Crime, civil judgment
   - Bankruptcy, credit
   - …

2. MS (“Silicon”): IT system insider exploitation risk
   Belief that a user will access, disclose, or destroy an organization’s computer network-resident information
   Computer network (“micro”) events:
   - Log in after hours
   - Access “decoy” file
   - Copy file to…
     - External location
     - Thumb drive

3. MG = MC • MS
Theme

Issue: Apply event evidence to person attribute concept random variables (RVs) in a risk assessment Bayesian network (BN), modeling events’ changing relevance over time.

Given:
- Person P
- Events E, in P’s past or present
- Generic person BN B, with
  - Risk-related person attribute concept RVs (Boolean)
  - Concept-relating probabilistic influences
- A reference time t (in an ordered set T of such points)

Develop:
- Person-specific BN BP reflecting E
- Beliefs in P’s attribute concept at t, per BP
- (P’s historical risk profile over T)
Elided B with ingested event categories (MC) (figure): BN fragment showing concept RVs Trustworthy, Reliable, CommittedToSchool, CommittedToCareer, CommitsMisdemeanor, … together with the ingested event categories School events, Employment events, and Law enforcement events.
Approaches to realizing BP

1. Event “ingestion”: For each event e in E, …
- Include a new event RV δ indicating person attribute concept π in BP
- Specify per-event half life decay as new temporal relevance RV ρ
- Enter hard evidence finding on δ
- Appropriate when events of a given type τ are individually salient
- Feasible when |E| << |nodes(B)|

Ingestion BN fragment (figure): event RV δ, temporal relevance RV ρ, and concept RV π.
Life events timeline (MC) (figure)
Three event-informed person risk models

1. MC (“Carbon”): Information disclosure risk
   - 100s of RVs; B extracted from official policy / guidelines (under in situ test)
   - Life (“macro”) events: 10s of types, 10s of events / person, 10s of years of data
   - Ingestion only (“hard” salience); 10s of rules

2. MS (“Silicon”): IT system insider exploitation risk
   - 10s of RVs; B eyeballed (preliminary proof of concept)
   - Computer network (“micro”) events: 10s of types, 100Ks of events / person, 1.5 years of data
   - Summarization, primarily (“soft” salience); 1s of ingestion rules

3. MG = MC • MS
Approaches to realizing BP

2. Event “summarization”: For each event type τ represented in E, …
- Include an event “summary” RV Δ indicating π in B
- Develop a likelihood summarizing the impact of events τ collected into temporal buckets
- Enter likelihood finding on Δ
- Appropriate when the salience of events of type τ tends to depend on trends w.r.t. an individual or a population thereof
- Useful when ¬(|E| << |nodes(B)|)

Summarization BN fragment (figure): events δ1, δ2, …, δn summarized by summary RV Δ, with temporal relevance RV ρ and concept RV π.
Summarization elements (per RV)
- Summarize events over a practically unlimited duration, by using temporal buckets of geometrically increasing size.
- Infer salience from event volume variation w.r.t. a person’s own and the population’s history.
- Weight buckets per desired temporal relevance decay.
MS summarization metrics for the CopyDecoyToExternal event type (figures):
- Count: bar chart of event count (0 to 600) per temporal bucket, buckets of 64, 16, 4, and 1 day(s).
- Variation re self: per-bucket variation (0 to 1) of the person’s event volume w.r.t. their own history.
- Variation re all: per-bucket variation (0 to 1) w.r.t. the population’s history.
- Variations mean: per-bucket mean (0 to 1) of the two variations.
- Suspicion warrant: resulting summary RV likelihood (0 to 1), plotted by day over days 1 to 63.
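As an added illustration (not code from the presentation), the following Python computes the four summarization metrics above for one event type from constructed lists of event days; the bucket widths come from the slides, while the variation formula, the baselines, the half life value and the likelihood mapping are assumptions.

```python
"""Event summarization over geometric temporal buckets: added example, not the
authors' code. Bucket widths (1, 4, 16, 64 days) and metric names follow the
slides; the variation formula, the baselines, the half life and the likelihood
shape are assumptions made to make the idea concrete."""
BUCKET_DAYS = (1, 4, 16, 64)  # bucket widths, most recent bucket first
HALF_LIFE_DAYS = 16.0         # assumed temporal relevance half life

def bucket_counts(event_days, as_of):
    """Count a person's events of one type per bucket, newest bucket first."""
    counts, hi = [], as_of
    for width in BUCKET_DAYS:
        lo = hi - width
        counts.append(sum(1 for d in event_days if lo < d <= hi))
        hi = lo
    return counts

def variation(rate, baseline):
    """Assumed metric: excess of a bucket's daily rate over a baseline, in [0, 1]."""
    return 0.0 if rate <= baseline else (rate - baseline) / (rate + baseline)

def summarize(person_days, population_days, population_size, as_of):
    """Per-bucket metrics and the decay-weighted suspicion warrant for one person."""
    span = sum(BUCKET_DAYS)

    def in_span(days):
        return sum(1 for d in days if as_of - span < d <= as_of)

    counts = bucket_counts(person_days, as_of)
    rates = [c / w for c, w in zip(counts, BUCKET_DAYS)]
    self_base = in_span(person_days) / span                         # own history
    all_base = in_span(population_days) / (span * population_size)  # per-person rate
    var_self = [variation(r, self_base) for r in rates]
    var_all = [variation(r, all_base) for r in rates]
    var_mean = [(s + a) / 2 for s, a in zip(var_self, var_all)]
    # Weight each bucket by the relevance decay at the age of its midpoint.
    ages = [sum(BUCKET_DAYS[:i]) + w / 2 for i, w in enumerate(BUCKET_DAYS)]
    weights = [0.5 ** (age / HALF_LIFE_DAYS) for age in ages]
    warrant = sum(v * w for v, w in zip(var_mean, weights)) / sum(weights)
    return {"count": counts, "self": var_self, "all": var_all,
            "mean": var_mean, "warrant": warrant}

def likelihood_finding(warrant):
    """Assumed mapping to the likelihood vector over Delta's (True, False) states."""
    return (warrant, 1.0 - warrant)

# Constructed sample: day indices of CopyDecoyToExternal events, as of day 85.
PERSON = [85, 85, 85, 83, 70, 10]
POPULATION = [85, 84, 80, 77, 75, 70, 66, 60, 55, 50, 44, 40, 33, 30, 22, 15, 5]
```

Calling `summarize(PERSON, POPULATION, 10, 85)` returns the per-bucket counts, both variations, their mean and the warrant; the warrant is what would be entered as the likelihood finding on Δ.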
Computer network events timeline (MS) (figure)
Influence graph specification (MS)

(defparameter *Influences*
  '((ExploitsITSystemAsInsider
     (:ImpliedByDisjunction
      (CommitsITExploitation
       (:ImpliedBy (DestroysInformationUnauthorized)
                   (AccessesInformationUnauthorized)   ; Ingested: HandlesKeylogger_Event
                   (DisclosesInformationUnauthorized)  ; Ingested: CopyFileToWikileaks_Event
                   (StealsInformation)))               ; Ingested: CopyFileToCompetitor_Event
      (WarrantsITExploitationSuspicion
       (:ImpliedBy (WarrantsInformationDestructionSuspicion
                    (:IndicatedBy (:Strongly (DeleteFileOnOthersPC_Summary))
                                  (:Moderately (DeleteFileOnLabsPC_Summary))))
                   (WarrantsUnauthorizedInformationAccessSuspicion
                    (:IndicatedBy (:Moderately (AfterHoursLogin_Summary))
                                  (:Weakly (OpenFileOnOthersPC_Summary))))
                   (WarrantsUnauthorizedInformationDisclosureSuspicion
                    (:IndicatedBy (:Strongly (CopyOthersFileToThumb_Summary)
                                             (CopyDecoyToExternal_Summary))
                                  (:Moderately (OpenDecoyFile_Summary)
                                               (AcquireDecoyFile_Summary)
                                               (CopyFileToExternal_Summary))
                                  (:Weakly (CopyFromThumbToOwnPC_Summary)
                                           (CopyOwnFileToThumb_Summary)
                                           (CopyOthersFileToExternal_Summary)))))
       (:RelevantIf (:Locally (:Absolutely (Untrustworthy))))
       (:MitigatedBy (:Locally (:Strongly (HasRole-ITAdmin)))))))))
Computer network events timeline (MS) (figure)
Combined timeline (MG = MC • MS) (figure)
Ingestion issue: Interacting temporal relevance nodes
Temporal relevance nodes participate in belief propagation in BP—making
their beliefs (so, effective temporal relevance) subject to departure from
nominal specification.
Multiple temporal and/or semantically close events’ relevance nodes
reinforce each other—inducing temporal relevance beyond nominal
specification.
- 5 simultaneous events’ decay only 6% after half life interval.
- We might naively expect 50%.
Summarization largely insulates a temporal relevance node from surrounding
belief propagation.
Supporting software “stack”
- Allegro Common Lisp® (ACL)
- AllegroGraph® Lisp direct client
- Allegro Prolog macros (e.g., select)
- Lisp macros (e.g., iterate-cursor)
- ACL API to the Netica® API
- Netica® API
Ingestion rule (MC)

(defIngestionRule RestrainingOrder
  (+process-reportedEvent ?person ?*asOfDate)
  (reportedEvent ?person
                 ?*asOfDate
                 ?event
                 !agent:ProtectiveRestrainingOrder
                 ?*startDate
                 ?*endDate
                 ?*ongoing?
                 ?*reportDate)
  (lisp (create-EventConceptIndication
         ?person
         :IndicatedConcept CommitsDomesticViolence
         :+IndicatingEvent ?event
         :Terminus :end
         :DeltaDays (- ?*asOfDate ?*endDate)
         :HalfLife (* 6 365)
         :Strength :strong
         :Polarity :positive)))
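An added Python illustration of the ingestion approach and of the rule above (not the authors’ code): it derives each event’s indication with a half-life temporal relevance clocked from the event’s start or end, and builds the historical risk profile over T. The decay law, the second rule, the Event and IngestionRule names, and the sample events are assumptions.

```python
"""Event ingestion with temporal relevance decay: added example, not the authors'
code. Mirrors the slide's RestrainingOrder rule (an event of type tau indicates
concept pi; relevance rho halves every half life from the event's start or end)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Event:
    kind: str
    start: date
    end: Optional[date] = None  # None: point event, or durative and still ongoing

@dataclass(frozen=True)
class IngestionRule:
    kind: str             # event type tau that fires the rule
    concept: str          # attribute concept pi it indicates
    terminus: str         # "start" or "end": where the decay clock begins
    half_life_days: float

RULES = [  # first follows the slide (:Terminus :end, :HalfLife (* 6 365)); second is assumed
    IngestionRule("ProtectiveRestrainingOrder", "CommitsDomesticViolence", "end", 6 * 365),
    IngestionRule("PoliceOffense", "CommitsMisdemeanor", "start", 3 * 365),
]

def relevance(rule, event, as_of):
    """Temporal relevance rho of one event's indication at reference time as_of."""
    if event.start > as_of:
        return 0.0                  # not yet in P's past at t
    ended = event.end is not None and event.end <= as_of
    if rule.terminus == "end" and not ended:
        return 1.0                  # still ongoing at t: fully relevant
    anchor = event.start if rule.terminus == "start" else event.end
    return 0.5 ** ((as_of - anchor).days / rule.half_life_days)  # assumed decay law

def risk_profile(events, reference_times):
    """Historical profile over T: strongest surviving relevance per concept at each t."""
    profile = {}
    for t in reference_times:
        best = {}
        for ev in events:
            for rule in (r for r in RULES if r.kind == ev.kind):
                best[rule.concept] = max(best.get(rule.concept, 0.0), relevance(rule, ev, t))
        profile[t] = best
    return profile

# Constructed sample: a one-year restraining order and a misdemeanor offense.
EVENTS = [Event("ProtectiveRestrainingOrder", date(2007, 6, 30), date(2008, 6, 30)),
          Event("PoliceOffense", date(2007, 6, 30))]
T = [date(2007, 1, 1), date(2008, 1, 1), date(2014, 6, 29)]  # last = order end + 2190 days
```

`risk_profile(EVENTS, T)` gives, per reference time, the surviving relevance of each indicated concept: zero before the events, full while the order is in force, and exactly one half one half life after it ended.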
Ontology and data specifications (MC)

(defOntologyClass Person (Thing)
  (hasGender Gender :Functional))
(defOntologyClass Gender (Thing)
  (:enumeration Male Female OtherGender))
(defOntologyType Date !xsd:date)
(defOntologyClass Event (Thing)
  (riskRatingSubject Person :Functional)
  (startDate Date (:cardinality 1))
  (endDate Date :Functional)
  (sourceReport Report :Functional))
(defOntologyClass PointEvent (Event)
  (hasConsequentEvent Event))
(defOntologyClass DurativeEvent (Event)
  (hasSubEvent Event))
(defOntologyClass ProtectiveRestrainingOrder (PointEvent))
(defOntologyInstance !data:P (Person))
(defOntologyInstance !data:PHighSchoolAttendance (SchoolAttendance)
  (riskRatingSubject !data:P)
  (schoolCredentialAward !data:PDiplomaAward)
  (startDate "2000-09-04")
  (endDate "2004-06-15"))
(defOntologyInstance !data:PDiplomaAward (SchoolCredentialAward)
  (riskRatingSubject !data:P)
  (startDate "2004-06-15")
  (schoolCredentialAwarded HighSchoolDiploma))
(defOntologyInstance !data:PEmployment (Employment)
  (riskRatingSubject !data:P)
  (startDate "2004-07-05")
  (endDate "2009-09-05"))
(defOntologyInstance !data:PMisdemeanorAssault (PoliceOffense)
  (riskRatingSubject !data:P)
  (offenseChargeSchedule Misdemeanor)
  (startDate "2007-06-30"))
Thank you.
Questions?
Extras…
Approaches to realizing BP

1. Event “ingestion”: For each event e in E, …
- Include a new event RV δ indicating person attribute concept π in BP
- Specify per-event half life decay as new temporal relevance RV ρ
- Enter hard evidence finding on δ
- Appropriate when events of a given type τ are individually salient
- Feasible when |E| << |nodes(B)|

2. Event “summarization”: For each event type τ represented in E, …
- Include an event “summary” RV Δ indicating π in B
- Develop a likelihood summarizing the impact of events τ collected into geometrically larger buckets
- Enter likelihood finding on Δ
- Appropriate when the salience of events of type τ tends to depend on trends w.r.t. an individual or a population thereof
- Needed when ¬(|E| << |nodes(B)|)
Approaches to realizing BP (figure): the ingestion fragment (event RV δ, temporal relevance RV ρ, concept RV π) beside the summarization fragment (events δ1, δ2, …, δn, summary RV Δ, temporal relevance RV ρ, concept RV π).
BN fragment patterns (figure): the ingestion pattern (δ, ρ, π) beside the multi-ingestion pattern (δ1, δ2, …, δn, Δ, ρ, π), a bridge to summarization.
Life events timeline (MC) (figure)
MS summarization metrics for the CopyDecoyToExternal event type (annotated figures):
- Count: event type instance count
- Variation re self: event type historical variation re self
- Variation re all: event type historical variation re all
- Suspicion warrant: event type summary RV likelihood (suspicion warrant)