Overviews


Advanced Processing for MASINT Data A patented methodology for quantifying condition change from complex, nonlinear, process-indicative, time-serial data is available for further development. The technology includes a nonlinear filter that removes confounding artifacts (e.g., sinusoidal variation in three-phase electrical data) while retaining the amplitude and phase information of the relevant signal. The ORNL technology detects and predicts a rich variety of equipment faults in motors and motor-driven components via analysis of motor current, voltage, power, acceleration, torque, and stress and strain. Success across this large array of diverse processes gives confidence that the paradigm may work for any nonlinear system. ORNL is pursuing three further applications. The first is processing of Measurement and Signal INTelligence (MASINT) data. The second is monitoring of condition change, as one or more process parameters are varied nonlinearly and dynamically, to provide feedback on disruption of an adversary's critical equipment. The third forewarns of failure due to crack growth in a critical structure via analysis of stress and strain data - Hively (Fact Sheet)

Adaptable, Intelligent, Malfeasance Detection (AIMD) Recent successful cyber attacks against computer networks at several major government sites have clearly demonstrated that dangerous vulnerabilities are unaddressed. Cyber security was previously addressed via Network Intrusion Detection Systems (NIDS), together with firewalls and virus detection. However, such defenses are much less effective against these new attacks.

The Cyber Security and Information Infrastructure Research Group (CS&IIR) at Oak Ridge National Laboratory has identified the most critical threats as social engineering, malware and companyware, advanced malware, and the nuanced insider.
  • Social engineering is the art of tricking users into enabling an exploit.
  • Malware is software deliberately inserted into a system for a harmful purpose.
  • Companyware is functionality that benefits the software vendor (but not the user) and can create exploitable vulnerabilities. Companyware is automatically installed with commercial software and is contractually protected from reverse-engineering and analysis.
  • Advanced malware includes zero-day attacks, polymorphic binaries, process hiding, targeted exploitation (e.g., spear phishing), and covert channels for data exfiltration.
  • Insider threats arise from inadvertent, neglectful, indifferent, and malicious activity. Most users fit in one of these categories, and the perfectly trustworthy insider is rare. 
These diverse threats are far more difficult to counter than traditional cyber attacks, and are poorly addressed even by distributed NIDS.

CS&IIR addresses these threats and vulnerabilities through construction of a network-based Adaptable, Intelligent, Malfeasance Detection (AIMD) system that relies on sophisticated, multi-dimensional decision algorithms rather than on signature-based detection. AIMD construction has three distinct components that complement existing cyber security tools:
  1. Data collection. To augment existing data collection, the AIMD project will deploy commercial off-the-shelf (COTS) computers as sensors that collect data on internal network activity. The goal is user-transparent, transportable, scalable sensors;
  2. Advanced data fusion and decision algorithms analyze the sensor data to raise attack alarms. Viable decision algorithms include support vector machines, random forests, Bayesian belief networks, neural nets, clustering, and anomaly detection. The goal is adaptive, intelligent fusion of the sensor data into meaningful alarms for cyber operations staff;
  3. Training data for the decision algorithms will rely on novel combinations of sensor data. Feedback from cyber operations staff can be inferred automatically from their HTML interactions with the data.
The objective is real-time awareness of incidents and a near-real-time response capability that dramatically reduces the impact of network malfeasance – Neergaard/Ferragut/MacIntyre/Sheldon/Hively (Fact Sheet)

ADNA (Anomaly Detection via Nonlinear Analysis) A significant number of cyber attacks generate traffic flow profiles that deviate from regular traffic patterns. In particular, denial-of-service attacks generate traffic flows that flood the network, thereby cutting off access to the service or host. A very recent review [Albert et al 2002] describes network dynamics in terms of statistical mechanics. Network traffic exhibits a wide spectrum of time scales, from milliseconds to a day. These time scales are fast compared to changes in the network topology. Network intrusions typically occur over time scales of seconds to less than one hour. Moreover, these intrusion attempts are driven by automated deterministic processes or by a person seeking an exploitable weakness. The dynamics of such a deterministic process are hidden within a background of normal network traffic. The objective is then the detection of significant anomalous dynamics amid a background of statistically normal network traffic.

Research will be conducted in three phases to address this problem. The first phase will use the OpNet network simulator to generate well-characterized and controlled data without anomalies, as a base case. We will also use OpNet to generate data with anomalies, as test cases. We will compare the base-case and test-case data via the phase-space dissimilarity (PSD) approach, seeking indication of significant change. The objective of this task is validation of the PSD approach for such data, as a function of the increasing presence of the anomalies. The second phase will extend the work of the first phase to real data from our network test bed under well-characterized and controlled conditions. Analogous to the first phase, such data will be obtained both without (base case) and with (test case) intrusion anomalies. We will compare the base-case and test-case data via the PSD method, again seeking indication of significant change as a function of the type and increasing presence of anomalies. Indeed, recent research by Akritas et al. (2002) found deterministic behavior in such real data via conventional nonlinear measures of dimensionality and correlation time. They also found that removal of the high-frequency (noisy) part of the data permitted extraction of the regular part of the network data, which had lower dimensionality and well-defined time correlations. Consequently, this phase may be enhanced by application of our novel zero-phase quadratic filter [Hively et al 1995] for separation of low- and high-frequency components.

The third phase will apply the PSD methodology to a much larger body of real data with different types and levels of anomalies. The objective of this phase is improvement of detection across the different types and levels of anomalies. The approach for this phase will involve optimization of the parameters that the PSD paradigm uses to represent the nonlinear dynamics. This phase will seek to maximize the rate of true positives (detection of an anomaly when one really occurs) plus the rate of true negatives (no detection of an anomaly when none occurs). Our recent work on forewarning of epileptic seizures [Hively and Protopopescu 2002] developed an approach to maximize this total true rate, which we will apply here – Hively.
(Fact Sheet)

Critical Component Failure Forewarning (C2F2) C2F2 is an ongoing research initiative that leverages several ORNL patents to develop the capability to detect, identify, and prevent critical component failures before they occur, so that proactive remediation can be performed. The capability to remotely, autonomously, and intelligently identify mission-critical system component failure with a high level of confidence prior to actual system failure leads to greater operational readiness, the ability to increase and maintain operational tempo, and the resulting gains in cost efficiency and reductions in mission down-time and in operational and maintenance cost. The Critical Component Failure Forewarning (C2F2) system combines years of research effort and technical breakthroughs, and integrates the combined capabilities of several scientific and engineering laboratories and manufacturing organizations. The consortium has patented and implemented a model-independent methodology to assess condition change in complex systems from process-indicative data of limited precision and modest length. The approach was validated on well-controlled data from model chaotic systems. Present machine applications include forewarning of failure in motors and motor-driven components in nuclear-grade equipment, such as bellows couplings, gearboxes, bearings, rotating blades, and spindles. Examples of specific faults detected to date include imbalance, misalignment, broken rotor, air gap offset, turn-to-turn short, overloaded gearbox, crack in a rotating blade, motor-driven bearing failure due to inner raceway crack, drill-bit wear, and machine tool chatter. Test results to date have yielded a total true rate of 17/17. Consistent success across such diverse applications gives confidence that the C2F2 forewarning paradigm has wide applicability - Hively

Cultural And Media Influences on Opinion (CAMIO) Actionable intelligence analysis and threat assessments require incorporating estimates of the intentions, decision-making, and most likely behaviors of different groups and individuals. Models are central to intelligence analysis. Understanding the behavioral aspects of target individuals and groups, estimating future social dynamics for specific segments of the population, and incorporating different cultural traits into intelligence assessments are fundamental to determining appropriate courses of action. The ability to spot indicators of events, anticipate developments of strategic concern, identify opportunities and vulnerabilities, and create timely opportunities and vulnerabilities is an essential function of analysts. Since most intelligence problems are complex and involve many different aspects of social science (psychology, anthropology, political science, economics, sociology, social psychology, etc.), it is important to integrate relevant social science concepts into the modeling methods used by analysts.

A key variable in these types of analyses is an understanding of the population within which groups coexist and interact. Insight into the nature of a particular culture or the general population of a nation is necessary for a comprehensive evaluation of any situation. Furthermore, understanding how a population is affected by internal and external messages from the media or other organizations provides policy makers with an additional tool to determine or influence strategy.

The Cultural And Media Influences on Opinion (CAMIO) simulation of group behavior is an agent-based computational model that can be used to examine the opinions, issue stances, political allegiances, or other judgments held by members of a particular group within a society, and to examine how these opinions change or can be influenced to change over time. Of particular interest are changes caused by an external organization such as the international or internal media. CAMIO is a model of how small groups of acquaintances form from larger populations and change over time; how opinions spread throughout the groups; how an outside entity, such as the media, can influence the spread of such opinion; and how this population of small groups may become polarized or unified around a particular issue – Warren.
(Fact Sheet)

Digital Asset Protection (DAP) - With the recent trend of malware exploiting rootkits (a so-called emerging hybrid malware), virus, Trojan, and worm scanners are not sufficient for protection. Digital assets stored anywhere in the computer are at risk of any type of exploitation. The hybrids use rootkit technology to remain undetected by the best scanners and by manual inspection from system administrators, thus allowing any type of malicious activity on the infected system. Extensive efforts have focused on detecting malware rootkits and have met with some success. Nevertheless, malware rootkits continue to evolve, with each new one advancing the exploits while the detectors lag in keeping up. A compromised system can remain so as long as the installed malware rootkit continues to evade the scanners and inspections. Therefore, it is imperative that active measures be installed to protect designated digital assets, measures that are as sophisticated as or better than these emerging hybrid malware. Digital assets to be protected include files (the storage of the asset and its support data), directories, registers, executing programs, and processes. Our technical solution, called an Asset Protection Node (APN), pro-actively protects these assets on the host computer where it resides. A centralized portal is also proposed that provides an operator with an enterprise view of their assets. Each APN reports its events and status to the portal, forming an Asset Protection Grid (APG). The APG, with each APN installed on a host and reporting in, provides a collective picture from which the operator can determine, view, and respond to anomalies, patterns, and multiple-host activities.

The CS&IIR solution enhances the protection of cyber digital assets by controlling access and authorizations through the use of rootkit technologies. The unique design for DAP consists of a distributed monitoring system (the Asset Protection Grid), deployed Asset Protection Nodes, and an Asset Protection Portal used as a command center for monitoring the assets dispersed throughout the enterprise system. The first generation of the Asset Protection Node will execute on Windows-based systems with a simple user interface. Asset Protection Nodes will run stand-alone on a computing system and can be configured to communicate with the Asset Protection Portal. The Asset Protection Portal is a secured web service that will receive events and reports from all Asset Protection Nodes, store the data in a database, and provide the user interface for remotely monitoring any Node, together with tools for identifying network-wide and enterprise-wide activities.


Dependable Survivable Critical Infrastructure (DeSCI)
DeSCI provides overarching capabilities to promote and oversee the transformation of our energy system and to ensure broad public benefit. The requirements of reliability, flexibility, and efficiency are often in conflict in large distributed control systems (e.g., SCADA systems) because the infrastructure is built and tuned independently to meet each individual requirement. Reliability requirements translate into the ability to tolerate and recover from failures and to provide a priori (quantifiable) assurances of long-term stability. To realize a self-healing ability, the system must be flexible enough to adapt dynamically through reconfiguration. However, the capacity to be flexible can make the system prone to design or runtime errors, and the overhead of flexibility may take away from the performance efficiency of both the control and data planes. To address these conflicting requirements at the outset, the approach must coordinate the creation and distributed layout of control software in the form of autonomous software components, or agents, specifically designed to meet a priori service quality needs for large complex system control. ORNL is developing more survivable distributed control architectures that resolve conflicts among the different control loop performance requirements. ORNL is applying innovative graph theoretic algorithms (based on formal models) to decide how to optimally structure our approach: (1) reduce/abstract the size/scale of the National Power Grid problem to realistically manage the problem of validation/assessment, and (2) make structural/architectural decisions (e.g., identify vulnerabilities/weaknesses and containment zones, as well as map agents to the grid hierarchy) – Sheldon
(Fact Sheet)

Distributed Intrusion Detection and Attack Containment (DIDAC) DIDAC is an integrated cyber security framework for identifying and containing attacks within an organizational network domain. This framework is distributed, autonomous, and capable of detecting new attacks. It integrates existing cyber security systems and provides a single picture of the entire network, which allows real-time situational awareness of large-scale network systems. It consists of individual components for host-level anomaly detection, attack source localization, and attack containment. DIDAC was developed to address the sheer number and sophistication of cyber attacks being made against our nation's critical computer networks and infrastructure. These networks are being called upon to play a key role in processing, data storage, monitoring, and control of critical infrastructures such as energy, transportation, and finance. Disruption of these networks can have highly damaging effects on our Nation. Current cyber security systems are not capable of protecting against all attacks or of providing near-real-time response. Host-based intrusion detection systems are not sufficient to protect these networks due to the sheer volume and distributed nature of the data and the real-time response requirements. Further, current systems and technologies only detect known attacks. The DIDAC technologies overcome these limitations – Rao/Shankar

Distributed Zero-Day Attack Detection
Fusing Intrusion Data For Detection and Containment. Fusing information from diverse detectors remains a challenge in the field of intrusion detection. ORNL applied data fusion techniques to fuse alerts generated by different detectors that signal the potential presence of an intrusion. Data fusion has been shown to result in a decrease in false positives while achieving an improved level of detection. By combining detections from fusers on distributed hosts, a system can also detect and track the spread of an intrusion. The advantage of this technique is that dissimilar and independent detectors of intrusion can be combined efficiently without increasing false-alarm rates. To relate the local detection to containment ORNL investigated a mathematical model to analyze intrusion spreading and throttling effects. The results suggest that an autonomous response system that reacts at the local intranet level in under ten seconds can be effective in keeping a majority of aggressive intrusions from spreading unchecked. However, when a system-wide alerting mechanism responds in under approximately a minute, a global infection may be contained even if we relax the local reaction time constraints – Rao, Batsell


EEG Biometric The need is for a biometric to identify trusted insiders irrefutably. Additional requirements for a biometric are: secure; privacy protecting; capable of meeting Federal standards for reliability and accuracy; and adaptable to regional, state, and local requirements. The objectives are to deter identity deception and to accelerate recognition of trusted personnel (e.g., authorized firearm carriers in air travel, state/regional/local officials, and trusted insiders in critical infrastructure areas). We propose an EEG signature as a new biometric. Authentication would require a living cooperative person, as opposed to inanimate records that can be forged, or passive biometric identifiers that can be extracted from someone who is uncooperative, or even dead. EEG acquisition via an appropriate antenna may allow covert identification of personnel. To meet these needs, Oak Ridge National Laboratory (ORNL) has developed a novel statistical paradigm for capturing an EEG signature (brain-print) from noisy, non-invasive, scalp brain-wave data.

The Solution is protected by six U.S. patents (and two patents pending). The method first rejects data of inadequate quality. Next, the method removes confounding artifacts (e.g., eye blinks and other muscular artifacts) with a novel filter. The artifact-filtered data are then converted to a statistical distribution function (DF) that captures the essence of the brain dynamics. EEG signature analysis requires detection of large dissimilarity between the known EEG signature (enrollment) and test data for true negatives (correct determination that the data are from different people), as well as recognition of insignificant change (small dissimilarity between the enrollment and test data for the same person).

Existing forms of the technology give event forewarning via several sequential occurrences of the dissimilarity measures above a threshold. Examples include forewarning of epileptic seizures from scalp brain waves (total true rate = fT = 56/60); of ventricular fibrillations (fT = 5/5) and fainting (fT = 2/2) from surface heart waves; detection of sepsis onset (fT = 23/23), and breathing difficulty from surface chest sounds (fT = 2/2). Companion work shows forewarning of machine failures from motor power and tri-axial acceleration (fT = 17/17). This approach also provides an indication of machine failure onset. The consistent successes for such diverse applications give strong credibility to the robustness of the novel statistical method. The technology readiness level (TRL) is five, involving integrated, high-fidelity tests of the technology components in realistic environments. R&D Magazine awarded its prestigious R&D100 Award in 2005 to ORNL’s SeizAlert technology, which is a low-cost, compact, prototype PDA device to alert the wearer and medical personnel of an impending epileptic seizure. The technology is licensed to a start-up company for epilepsy forewarning from brain waves, and cardiac-event forewarning from heart waves. A validation trial will soon begin at Cleveland Clinic – Hively.
(Fact Sheet)

HIT-IT (Heuristic Identification and Tracking of Insider Threat) Insiders, those within or closely related to an organization, pose the greatest risk to an organization's information infrastructure. Organizations grant insiders both authorized access to and knowledge of their information systems, primarily computer systems and the organization's network. In the past, insiders have abused this trust by stealing or corrupting data, committing fraud, and modifying performance reports. Because malicious insiders may act within the bounds of their privileges, mitigation of the insider threat differs from that of external threats.

Detection of Undesirable Insider Behavior via Data Mining. Numerous existing systems seek to mitigate the threat that parties external to an organization pose to its information systems. Unfortunately, little research beyond access control strives to mitigate the threat that malicious or uninformed insiders may introduce. These insiders present a particularly insidious problem, as they may behave adversely yet act fully within the bounds of their privileges. To assist administrators in detecting both known and novel insider threats, CS&IIR researchers are continuing research and development of a prototype hybrid system that simultaneously utilizes rule-based and data mining techniques. The continuing research is based on work performed at Oak Ridge National Laboratory by Joseph Calandrino, Princeton University, and Steven McKinney, North Carolina State, in 2006. The prototype Heuristic Identification and Tracking of Insider Threat (HIT-IT) system utilizes a technical approach similar to the Minnesota INtrusion Detection System (MINDS), a system under development at the University of Minnesota for the United States Army. While the MINDS objective is automatic detection of cyber attacks via analysis of data from various network sensors, the objective of HIT-IT is identification and tracking of the malicious insider threat. User behavior data is first acquired and then filtered to remove uninteresting patterns. Pre-processing of the data extracts basic features (e.g., number of logins or number of file deletions in a given day) along with derived features, such as statistics on the basic features. Knowledge discovery techniques identify highly anomalous data, and the behaviors causing the anomalous scores are automatically identified and graphed for the system administrator. A human analyst (the system administrator, in this case) assesses the results to discard false positives and to label the true alarms for inclusion in the signature detection component.
Application of the HIT-IT system will illuminate many aspects of user behavior that are currently unexplored, such as consistency of activity over time, uniqueness of user behavior, and the minimum "fingerprint" size necessary to accurately model behavior and isolate anomalies – Calandrino (Princeton U)/McKinney/Neergaard/Sheldon/Ferragut/MacIntyre
(Fact Sheet)

ITD (Insider Threat Detection) system Insiders, those within or closely related to an organization, pose the greatest risk to an organization's information infrastructure. They are purposefully given access to and knowledge of information systems, primarily computer systems and the organization's network, which differentiates insider from external threats. In the past, insiders have used their access privileges to harm organizations by stealing or corrupting data, committing fraud, and modifying performance reports. Because of the authorized access that insiders are given, detecting the threat posed by insiders is much different from detecting threats external to the organization. Common security applications such as firewalls and Intrusion Detection Systems (IDSs) are in place to prevent external threats, but in most cases insiders are not restricted or monitored by these mechanisms. The majority of IDSs that have been developed are for detecting external threats, and comparatively little time has been spent researching insider IDSs. In a recent survey conducted by the US Secret Service, 29% of respondents who were able to determine the source of an intrusion stated that the threat came from insiders. Given this, and that a single malicious insider can cause significant financial damage (500 million dollars in one case) to an organization, it is easy to see the need for research and development of insider threat detection systems.

ITD is based, in part, on research conducted at ORNL during the summer of 2005 by Dr. Seong-Moo Yoo and Dr. Frederick Sheldon (SNORT+). Their research has proved useful in providing a foundation from which to begin this work and in identifying Bayesian network software that can be used to implement the Bayesian network for this project. However, ITD is markedly different from SNORT+ and from other research conducted in the areas of insider threat detection and distributed intrusion detection. SNORT+ was a plug-in to the existing IDS, Snort. ITD uses Snort as well, but as a resource, where Snort's log data is consumed by the system. In general, the other systems mentioned are targeted at external threat detection, do not use Bayesian networks to determine threat levels, or do not allow dynamic, intelligent modification of rule-sets. The Intelligent Insider Threat Detection (I2TD) system is a distributed, hierarchical, multi-faceted, multi-level, rule-based intrusion detection system. The system uses a client-server architecture and provides scalability because of its hierarchical nature. It is multi-faceted in that it monitors an insider's local system activities and their network-based activities, and is extensible so that other aspects of the information system may be monitored – McKinney (NCSU)/Neergaard/Sheldon/Ferragut
(Fact Sheet)

New Paradigm for Knowledge Discovery The Need for better approaches to knowledge discovery is paramount. A person can read these words and understand the message in real time (one second or less) via neuron-based processing that has a cycle time of about 10 milliseconds, corresponding to no more than 100 neural hops per second. In sharp contrast, modern high-performance computers run at trillions of operations per second, yet cannot perform real-time processing of images, text, or audio data. Consequently, this new paradigm is motivated by the human brain's far superior speed and depth of insight.

The Solution under development by ORNL’s Cyber-Security and Information Infrastructure Working Group involves application of patented technology to a novel paradigm for knowledge discovery. This new paradigm is described in Jeff Hawkins’ 2004 book, “On Intelligence,” which elucidates four unique features of the human brain, but does not provide any approach for computer implementation. One feature is an irreducible representation for each item that the brain processes. A second feature is auto-associativity among items (e.g., recall of one line of a song that enables remembering the remainder). A third feature is hierarchical processing (e.g., relate the simplest spoken sounds [phonemes] to words, then to phrases, sentences, concepts, then prediction in similar circumstances as a measure of “understanding” or “knowledge”). The fourth feature involves feed-forward links in the processing hierarchy to make the appropriate connections among words, phrases, sentences, and concepts in the context of previous knowledge. The fourth feature also includes feed-back from higher-to-lower levels in the hierarchy for self-consistent extraction of the knowledge in terms of known words (rather than nonsense words), proper syntax, correct grammar, etc. Likewise, image processing extracts (for example) points, lines, polygons, object identification, scene familiarity, and scene changes. Indeed, the same neocortical processing paradigm extracts a hierarchical sequence of patterns for all sensory observations (time-serial data).

The Capability can be computationally implemented by application of patented ORNL technology. This ORNL technology converts time-serial data into a discrete state (or item) in an irreducible representation, y(k), as a unique identifier for the k-th state. State-to-state transitions, y(k) → y(m), are captured by an irreducible representation of the connectivity between these connected states, thus providing auto-associativity among items. The discrete states can be viewed as nodes, and the linkages as edges, in a network (a graph in the mathematical sense) of relationships among items (an ontology). Clusters of relationships in this complex network form the hierarchical structure for processing data into information and then into knowledge for decision support. Recall of auto-associative sequences enables feed-forward, y(k) → y(m), for higher-level inferences and feed-back, y(m) → y(k), for self-consistent knowledge extraction. The occurrence frequency of these discrete states (items) is called a "feature vector," from which knowledge discovery inferences are extracted via processing by a "vector machine." Moreover, the links among the discrete states (nodes) form a directed graph, or "feature graph," which is processed by a "graph machine" for knowledge discovery – Hively.
(Fact Sheet)
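The pipeline that the ADNA, EEG Biometric and knowledge-discovery overviews above share (time-serial data to discrete states y(k), distribution functions of states and of y(k) → y(m) transitions, dissimilarity against a base case, forewarning after several consecutive threshold crossings, and the total true rate), as an added Python illustration that is not ORNL's patented code: the equal-width binning, the L1 distance as the dissimilarity measure, the threshold of 0.5 and the sine-plus-noise sample data are all assumptions made here.

```python
"""Simplified phase-space dissimilarity (PSD) forewarning.  Illustration only;
the binning, the L1 measure, the threshold and the sample data are assumptions,
not ORNL's patented method."""
import math
import random
from collections import Counter


def discrete_states(x, lo, hi, n_symbols=4, dim=3):
    """Quantize each sample into n_symbols equal-width bins over [lo, hi] and
    encode dim consecutive symbols as one integer state y(k) (base-n digits).
    Samples outside [lo, hi] are clamped to the edge bins."""
    width = (hi - lo) / n_symbols
    symbols = [min(n_symbols - 1, max(0, int((v - lo) / width))) for v in x]
    states = []
    for k in range(len(symbols) - dim + 1):
        code = 0
        for s in symbols[k:k + dim]:
            code = code * n_symbols + s
        states.append(code)
    return states


def distribution_functions(states):
    """Occurrence frequency of each state (the page's 'feature vector') and of
    each transition y(k) -> y(m) (edge weights of its 'feature graph')."""
    node_df = {s: c / len(states) for s, c in Counter(states).items()}
    edges = Counter(zip(states, states[1:]))
    edge_df = {e: c / (len(states) - 1) for e, c in edges.items()}
    return node_df, edge_df


def l1_distance(p, q):
    """L1 distance between two discrete distributions (assumed dissimilarity measure)."""
    return sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))


def dissimilarity(base_states, test_states):
    """Node-plus-edge dissimilarity between base-case and test-case dynamics."""
    bn, be = distribution_functions(base_states)
    tn, te = distribution_functions(test_states)
    return l1_distance(bn, tn) + l1_distance(be, te)


def forewarn(base, test, window=200, step=50, threshold=0.5, consecutive=3):
    """Slide a window over the test series, compare each window's dynamics with
    the whole base case, and issue a forewarning once `consecutive` successive
    windows exceed `threshold`.  Returns the start index of the window that
    completes the run, or None.  In practice the threshold is set from
    base-case variability; 0.5 is an assumed value for the sample data."""
    lo, hi = min(base), max(base)
    base_states = discrete_states(base, lo, hi)
    run = 0
    for start in range(0, len(test) - window + 1, step):
        test_states = discrete_states(test[start:start + window], lo, hi)
        if dissimilarity(base_states, test_states) > threshold:
            run += 1
            if run >= consecutive:
                return start
        else:
            run = 0
    return None


def total_true_rate(outcomes):
    """f_T = (true positives + true negatives) / cases, in the page's n/N form.
    outcomes: iterable of (forewarned, event_occurred) pairs."""
    correct = sum(1 for forewarned, event in outcomes if forewarned == event)
    return correct, len(outcomes)


def make_series(n, period, noise_sd, seed, phase=0.5):
    """Constructed sample data: a sine of the given period plus Gaussian noise."""
    rng = random.Random(seed)
    return [math.sin(2 * math.pi * (k + phase) / period) + rng.gauss(0, noise_sd)
            for k in range(n)]


# Constructed sample data: a periodic 'healthy' process (period 20), a second
# clean recording of it, and a recording whose dynamics change (period 7) at
# sample 300.
BASE = make_series(600, 20, 0.02, seed=1)
CLEAN_TEST = make_series(600, 20, 0.02, seed=2)
ANOMALOUS_TEST = (make_series(300, 20, 0.02, seed=3)
                  + make_series(300, 7, 0.02, seed=4, phase=0.0))

if __name__ == "__main__":
    print("clean test forewarning at:", forewarn(BASE, CLEAN_TEST))
    print("anomalous test forewarning at:", forewarn(BASE, ANOMALOUS_TEST))
    outcomes = [(forewarn(BASE, CLEAN_TEST) is not None, False),
                (forewarn(BASE, ANOMALOUS_TEST) is not None, True)]
    print("total true rate: %d/%d" % total_true_rate(outcomes))
```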

Portable Weigh-In-Motion (WIM) Source Data System for Weighing and Measuring Cargo – Background: The Department of Defense's (DoD) Armed Forces must maintain the capability to rapidly project massive combat power anywhere in the world with minimum preparation time. Currently, DoD units use portable individual-wheel-weight scales or fixed in-ground static scales, tape measures, and calculators to determine vehicle axle weights, total vehicle and cargo weight, and center of balance for vehicles and cargo to be transshipped via railcar or ship, or airlifted, in support of military and humanitarian operations. The process of manually weighing and measuring all vehicles and cargo subject to these transshipment operations is time-consuming, labor-intensive, and, most importantly, prone to human errors that can result in safety hazards and inaccurate data. The identification, weight, and center-of-balance information for each piece of cargo and each vehicle must be manually entered into logistics load planning systems, introducing a high likelihood of human keystroke error into the deployment preparation process. Incorrect information introduced into the Defense Transportation System (DTS) can negatively impact onward movement of cargo and vehicles in theater, needlessly delaying essential supplies and equipment to the soldier and, more importantly, creating a safety hazard. The importance of having correct, timely information in the DTS for use by all services cannot be overstated. In austere areas of operations, scales may not be available at all, and the vehicle and cargo weight and center of balance must be estimated. This process is even more susceptible to human error. The lack of a standardized airlift-weighing system for joint service use also creates redundant weighing and manual data entry requirements at the cost of scarce resources and time.

Program Initiative Basis and Objective: The WIM program leverages several complementary technology demonstration and development efforts underway in the U.S. Army, U.S. Air Force, and ORNL. WIM is automating the manual processes described above and is mitigating safety and operational concerns. This program is firmly rooted in guidance provided in the DoD Transformation Planning Guidance. The WIM program links together projects under an umbrella concept for coordinated development of hardware as well as interfaces with the appropriate command and control and logistics systems and databases. The synchronized, rapid, spiral development of these technologies is significantly improving the end-to-end flow of military unit equipment and cargo across transportation nodes; the processing and loading times of combat units; and the effectiveness and efficiency of existing automated tools and databases. The WIM system is considered to be a physical source data-gathering device for the Transportation Coordinators’ Automated Information for Movement System II (TC-AIMS II). The objectives of the WIM program are:
  • Objective 1: Develop a man-portable WIM scale that satisfies the requirement for obtaining accurate vehicular data for air transport at austerely equipped theater facilities. This portable WIM scale can also be used in unit staging areas to complement or replace the fixed scales at power projection platforms. It is capable of obtaining data in a static as well as a dynamic weighing mode. A concomitant effort includes upgrading the fixed-site scales at power projection platforms with this WIM technology to conduct dynamic as well as static weighing. 
  • Objective 2: Develop automatic linkages of vehicle/cargo identification data and weight/balance data with military logistics planning systems so that the process is fully automated as well as dynamic. 
  • Objective 3: Expand WIM capabilities to include determining vehicle/cargo dimensional data for input into TC-AIMS II, the Automated Air Load Planning System (AALPS), and/or the Integrated Computerized Deployment System (ICODES). 
  • Objective 4: Extend WIM with capabilities identified for specific homeland and commercial applications (e.g., virtual weigh and inspection station). 
The current WIM Generation II system:
  • Captures vehicle/cargo identification automatically. 
  • Determines (calculates and records) cargo weight, dimensions, and center of balance. 
  • Accepts cargo lists from TC-AIMS II, AALPS, and/or ICODES. 
  • Updates the real-world “actual” data electronically into AALPS for load planning and manifesting purposes; into TC-AIMS II; and into ICODES for operational planning, deployment, execution purposes and in-transit visibility. 
Field tested, evaluated, and currently sited at Ft. Lewis, WA; 842nd Trans BN, SDDC at Port of Beaumont, TX; Ft. Eustis, VA; Ft. Bragg, NC; Ft. Drum, NY; Ft. Sill, OK; Wheeler Army Air Field, HI; 20th Seabees Readiness Group (SRG), Gulfport, MS; 31st SRG, Port Hueneme, CA; and ORNL.

WIM Generation II Specifications:
  • Usage: Stand alone unit with interfaces to TC-AIMS II, AALPS, ICODES and ORNL Reachback server© 
  • Functionality: Measures Total/Axle Weight (Production Version: ±1% at 1σ; Current R&D Version: ±0.2% at 1σ), Axle Spacing, Center of Balance and Length, Width, Height Dimensions (±1.0˝ plus 1%). 
  • Mobility: Modular components (individual pad weight: 128 lbs.); total system: 4΄x4΄x3΄. Conforms to Ethernet and 802.11x wireless standards with WPA security; encryption available.  (Fact Sheet)
Rapid Human Assessment Information System (RHAIS) - Analysts and experts in the intelligence community are called upon to perform assessments of individuals, groups, and cultures with respect to specific problems in one or more contexts. Currently, assessment procedures, data, and knowledge vary widely, and in many cases assessments are performed manually. With such diversity in techniques and data, there is a high potential for duplication of effort, little or no sharing of analyses, and overall inefficiency. The Rapid Human Assessment Information System (RHAIS) was designed and built to fill this need, with additional features that help skilled experts automate some of the assessment processes and establish a common knowledge repository.

RHAIS is a software automation tool that helps analysts evaluate human behavior by automating some of the data entry and the conclusions drawn about relationships, motivations, cultural values and trends, and the subject of study. Intelligence experts use RHAIS to formulate and store questionnaires built on concepts concerning thinking, communication, and behavior, which can be answered in a secured, shared, on-line community. The questionnaire content, format, context-based help information, and the rules applied to analysis and conclusions are all stored in a common data format that can be saved to a relational database, to XML, and to specialized formats that include tools for data mining. The generic approach to questionnaire modeling and presentation allows RHAIS to present a variety of assessments dynamically and to collect multiple related assessments. As soon as a new questionnaire is created and saved in RHAIS, it is available to other users, who can begin using it for their analysis.

RHAIS is used by analysts to build assessment forms, perform assessments, obtain evaluation results and decision support, and participate in knowledge sharing and collaboration. The most immediate benefit of RHAIS is the support and assistance for early warning and sustained situation awareness against an adversary or potential adversary. The following are some of the other benefits.
  • Identifying, preventing, disrupting, deterring, defeating, and countering adversarial threats.
  • Understanding influencing mechanisms that can be applied towards positive outcomes against adversarial threats.
  • Understanding the impact of countermeasures on adversarial threats.
  • Identifying relevant data and/or knowledge to identify and narrow information gaps.
  • Identifying relevant analytical and behavioral models/tools to meet specific objectives or answer specific questions.
  • Identifying new technologies and capabilities that may be applied against an adversarial threat, or that may prove disruptive in the hands of an adversary. 
The first type of assessment chosen for automation in RHAIS was an application of Neuro-Linguistic Programming (NLP) concepts to the assessment of individuals or cultural groups. Selected Meta Program Communication Questionnaire samples and Cultural Patterns Worksheet items published by Robert Dilts were chosen to form the assessment. This use of RHAIS was designed for skilled analysts who may not be familiar with NLP concepts, ensuring that all analysts are guided to consider the same types of patterns in the strategies or thinking styles of the individual, group, or culture being assessed. RHAIS is also designed to be an automated knowledge elicitation tool for collecting, cross-referencing, fusing, and archiving knowledge from subject matter experts – Brown-VanHoozer/Fischer/ Schlicher/Warren

SNORT Plus is a Multi-Level Evidence-Based Intrusion Detection System Using a Bayesian Network to Detect Insider Threats. The insider threat is one of the most insidious and difficult threats for cyber security specialists and network defenders to catch. To facilitate early and accurate detection of the insider threat, a number of new methods and ideas should be explored. First, there must be a technique to understand the behavior of information system users and to determine when a user’s behavior is not normal. There must be ways to accurately model human behavior against stated security policies. Current intrusion detection systems (IDS) perform poorly in detecting new or previously unseen attacks. They are generally designed to detect (and possibly block) conventional, external, network-based threats, and would require extensive modification of their rule sets to detect the insider threat. Our insider threat detection model, built in Netica, will be plugged in to the Snort IDS as a preprocessor. Snort is a modern security application with three main functions: it can serve as a packet sniffer, a packet logger, or a network-based IDS. There are also many add-on programs for Snort that provide different ways of recording and managing Snort log files, fetching and maintaining current Snort rule sets, and alerting system administrators when potentially malicious traffic has been seen. – Sheldon/Yoo (UofAL)/Ferragut (Fact Sheet)

TARA (Threat Assessment Risk Analysis) Management - We postulate that a quantitative, formal approach is needed for modeling system security, and have proposed the outline of a refinement-based approach that integrates security with the related system dimensions of reliability, survivability, and dependability. We describe the significance of the cyber security gap in terms of three dimensions: (1) criticality, (2) threat, and (3) vulnerability. Criticality has increased because of the emerging economic dependence on the Internet; threat has increased as a consequence of emerging global tensions coupled with the increased sophistication of perpetrators; vulnerability has increased because of the growing pervasiveness of computing. Cyber security countermeasures, on the other hand, are primarily defensive, qualitative, and ad hoc. Therefore, it is necessary to bring discipline to security management by providing a logic for specifying security requirements and verifying secure systems against such requirements. There is a need to manage system security by quantifying costs, risks, measures, and countermeasures. TARA is based on a framework that:
  • Enables us to formulate security requirements (imposed by a system’s user), security goals (formulated by a system’s designer/architect), and security claims (formulated by a system’s V&V team) in a uniform, unambiguous, coherent manner. 
  • Allows us to validate security requirements (do they reflect user needs?), verify security goals (are they consistent with security requirements?) and certify security claims (are they borne out by the implementation?).
  • Allows us to dispatch security goals among various components of a system, and/or among various alternative methods (avoidance, detection, recovery, containment, etc.). 
  • Allows us to manage security measures in such a way as to maximize their impact (by checking for complementarity, minimizing redundancy, etc.).
  • Allows us to combine security claims in a unified framework that supports formal / automatable reasoning. 
The TARA tool comprises a security specification notation, which details how to capture the security requirements of a system in a way that focuses on observable, relevant effects rather than hypothetical causes; a security abstraction notation, which captures the security properties of a system; and a security certification formula, which formulates the condition under which a system (represented by its security abstraction) meets a given set of security requirements (represented by security specifications). – Sheldon/Neergaard/Mili (NJIT)/Richardson (Fact Sheet)
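As an added example (this is not TARA's own notation, which the page does not reproduce), the following Python treats a security requirement and a system's security abstraction as relations between observable inputs and outputs, and checks the standard relational refinement condition: the implementation is defined on every input the requirement constrains, and on those inputs produces only outputs the requirement allows. It also combines two requirements into one and detects when they conflict, which is the "validate requirements" step above. The three-level clearance lattice, the grant/deny outcomes and the two candidate policies are constructed for the illustration.

```python
from itertools import product

# Constructed state space: subject clearance and object level on a three-level
# lattice (0 = public, 1 = restricted, 2 = secret); the observable effect of
# an access request is "grant" or "deny".
LEVELS = (0, 1, 2)
INPUTS = list(product(LEVELS, LEVELS))          # (clearance, level) pairs


def relation(rule):
    """Build a relation {(input, output)} from a function input -> allowed outputs."""
    return {(i, o) for i in INPUTS for o in rule(i)}


def dom(rel):
    return {i for i, _ in rel}


def image(rel, i):
    return {o for j, o in rel if j == i}


def refines(impl, spec):
    """impl refines spec iff impl is defined wherever spec is, and on those
    inputs every behaviour of impl is one that spec allows."""
    return dom(spec) <= dom(impl) and all(
        image(impl, i) <= image(spec, i) for i in dom(spec))


def counterexamples(impl, spec):
    """Observable (input, output) pairs of impl that spec forbids."""
    return sorted((i, o) for i in dom(spec) for o in image(impl, i) - image(spec, i))


def conjoin(spec1, spec2):
    """One requirement satisfying both: on shared inputs only outputs both allow.
    An input left with no allowed output means the two requirements conflict."""
    out = set()
    for i in dom(spec1) | dom(spec2):
        if i in dom(spec1) and i in dom(spec2):
            allowed = image(spec1, i) & image(spec2, i)
        else:
            allowed = image(spec1, i) | image(spec2, i)
        if not allowed:
            raise ValueError(f"requirements conflict on input {i}")
        out |= {(i, o) for o in allowed}
    return out


# Security requirement stated as an observable effect, not a cause:
# no subject is ever granted an object above its clearance.
NO_READ_UP = relation(lambda io: {"deny"} if io[0] < io[1] else {"grant", "deny"})
# Availability requirement: a sufficiently cleared subject is never refused.
MUST_GRANT = relation(lambda io: {"grant"} if io[0] >= io[1] else {"grant", "deny"})

# Security abstractions of two candidate systems (what they actually do).
POLICY_OK = relation(lambda io: {"grant"} if io[0] >= io[1] else {"deny"})
POLICY_OFF_BY_ONE = relation(lambda io: {"grant"} if io[0] + 1 >= io[1] else {"deny"})


def certify(impl, spec):
    """The security claim 'impl meets spec' holds iff impl refines spec; the
    counterexamples are the evidence when it does not."""
    return refines(impl, spec), counterexamples(impl, spec)


if __name__ == "__main__":
    for name, impl in (("POLICY_OK", POLICY_OK), ("POLICY_OFF_BY_ONE", POLICY_OFF_BY_ONE)):
        ok, bad = certify(impl, NO_READ_UP)
        print(f"{name} meets NO_READ_UP: {ok} {bad}")
    both = conjoin(NO_READ_UP, MUST_GRANT)
    print("POLICY_OK meets both requirements:", refines(POLICY_OK, both))
```

Because requirements constrain only what is observable, an over-permissive implementation is caught by the pairs it adds, and the off-by-one policy fails on exactly the two inputs where a subject is one level short.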

TeGRM (Terrorist Group Radicalization Model) with Bayesian Networks - Many terrorist organizations have origins in nonviolent opposition groups or political parties. If a model could predict whether such splinter movements or radicalized groups are likely to engage in terrorism before the first attack, it would be a useful and lifesaving measure. This report presents the foundation for such a tool: a Bayesian network that incorporates environmental factors and terrorist group ‘trigger’ conditions to modify a prior estimate of risk. Both the graph structure and the conditional prior probabilities are derived from publicly available data sets, and each permits extension toward more sophisticated models. Although the node selection and data quality need improvement, this prototype has been successful in predicting current terrorist groups from their historical origins.

Bayesian networks are probabilistic graphical models extensible to a wide variety of diagnostic or predictive applications. The two components of a Bayesian network are a directed acyclic graph and a set of conditional probability distributions (CPDs). The CPDs represent each node in the graph as a discrete random variable whose distribution depends on the present state of its parent nodes. Although the nodes themselves may stand for formal random variables, they may also signify any statement of belief. Thus evidence that changes belief at one node propagates through the network, updating probabilities or beliefs at other nodes. For a general introduction to Bayesian networks, see.

Bayesian networks have continued to gain software support, including programs such as Netica and GeNIe, which are capable of learning graph structures and CPDs from data. Bayesian networks are powerful predictive tools and are relatively easy to create from data sets, but they have several limitations that reduce their suitability for modeling group radicalization. Acyclic graphs are an unrealistic restriction for the origins of terrorist violence, which may feed on past grievances or crises. Strict causality is often difficult to determine: while government crackdowns may radicalize an opposition group’s policies, it is also true that a radical policy shift may spur government crackdowns. Bayesian networks do not allow such ambiguity. And while there are dynamic Bayesian networks that model stochastic processes over time, the conventional networks that have found software support do not account for the passage of time, which would seem to have some relevance for group radicalization – J. Williams (UC)/Schryver/Warren
(Fact Sheet)
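Both SNORT Plus above and TeGRM here rest on the same mechanism: a directed acyclic graph with a conditional probability table per node, and evidence entered at some nodes changing the posterior at others. The following Python is an added example of that mechanism, not the Netica models of either project: a small exact-inference engine for binary variables, applied to a constructed insider-threat network whose nodes and probabilities are invented for the illustration. It also shows "explaining away", where an innocent cause (a deadline) lowers the insider posterior once it is observed, and maps the posterior onto the multi-level alert that the SNORT Plus description calls for. The same `BayesNet` class would hold TeGRM's environment and trigger nodes unchanged.

```python
from itertools import product


class BayesNet:
    """Bayesian network over binary variables. Each node records its parents and
    a table mapping a tuple of parent values (in parent order) to P(node=True)."""

    def __init__(self):
        self.parents = {}
        self.cpt = {}
        self.order = []          # nodes in the order added; parents always come first

    def add(self, name, parents, table):
        for p in parents:
            if p not in self.parents:
                raise ValueError(f"add parent {p} before {name}")   # keeps the graph acyclic
        self.parents[name] = list(parents)
        self.cpt[name] = table
        self.order.append(name)
        return self

    def _prob(self, name, assignment):
        key = tuple(assignment[p] for p in self.parents[name])
        p_true = self.cpt[name][key]
        return p_true if assignment[name] else 1.0 - p_true

    def joint(self, assignment):
        """P(full assignment) is the product of every node's conditional probability."""
        p = 1.0
        for n in self.order:
            p *= self._prob(n, assignment)
        return p

    def query(self, target, evidence):
        """Exact posterior P(target=True | evidence) by enumerating every
        assignment of the hidden variables (fine for networks of this size)."""
        hidden = [n for n in self.order if n != target and n not in evidence]
        p_true = p_false = 0.0
        for values in product((False, True), repeat=len(hidden)):
            a = dict(evidence, **dict(zip(hidden, values)))
            a[target] = True
            p_true += self.joint(a)
            a[target] = False
            p_false += self.joint(a)
        return p_true / (p_true + p_false)


def insider_net():
    """Constructed toy network (all probabilities invented): an insider tends to
    work after hours and pull bulk data; bulk pulls tend to end up on removable
    media; a deadline is an innocent explanation for after-hours activity."""
    net = BayesNet()
    net.add("Insider", [], {(): 0.02})
    net.add("Deadline", [], {(): 0.20})
    net.add("AfterHours", ["Insider", "Deadline"],
            {(False, False): 0.05, (False, True): 0.60,
             (True, False): 0.50, (True, True): 0.80})
    net.add("BulkDownload", ["Insider"], {(False,): 0.03, (True,): 0.70})
    net.add("RemovableMedia", ["BulkDownload"], {(False,): 0.05, (True,): 0.40})
    return net


def alert_level(posterior, warn=0.25, critical=0.50):
    """Multi-level alert derived from the posterior (thresholds are an assumption)."""
    if posterior >= critical:
        return "critical"
    if posterior >= warn:
        return "warn"
    return "info"


if __name__ == "__main__":
    net = insider_net()
    seen = {"AfterHours": True, "BulkDownload": True, "RemovableMedia": True}
    p = net.query("Insider", seen)
    print(f"P(Insider | after-hours, bulk download, removable media) = {p:.3f} -> {alert_level(p)}")
    # Learning of a deadline 'explains away' the after-hours activity.
    p2 = net.query("Insider", dict(seen, Deadline=True))
    print(f"... and a known deadline: {p2:.3f} -> {alert_level(p2)}")
```

With the three observations the posterior rises from the 2% prior to 0.625; adding the deadline as evidence drops it to about 0.39, because the deadline now accounts for the after-hours activity. Enumeration is exponential in the number of hidden nodes, which is why tools such as Netica use variable elimination or junction trees on larger networks; the result is the same.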

Trust-Based Agent Security Services - A sophisticated trust model has been defined to allow for the autonomous establishment and maintenance of meaningful, individual trust relationships among interacting agents, the monitoring of behavior, and the adaptation of behavior based on cognitive abilities and on changes in the trust relationships with other agents and the environment. A biologically inspired trust fabric is envisioned that captures the way humans establish and maintain trust relationships (i.e., through experience from repeated interaction and association with trusted entities). Mechanisms are required that counteract the concerns raised by mobile code and by the behavioral changes that come with the adaptability and flexibility of a mobile agent system. This project has developed the following fundamental components:
  • Identification of threats and trust factors, leveraging experience from previous and related work and focusing especially on the requirements and scenarios present in critical cyber infrastructures such as the national power grid (i.e., malicious agents and compromised hosting environments, coordinated attacks, and cascading/common-mode fault conditions). 
  • A hybrid, multi-level trust model that uses trust factors and threat levels to change the trust that agents place in each other. The model addresses how trust changes over time and enables adaptive, self-correcting behavior and a fine granularity of trust. The hybrid component reflects computational abilities of components that are not typically found in humans (e.g., using cryptographic hardware when trust is established or reevaluated due to recent events). 
  • An inter-agent trust communication fabric that lets agents and hosting environments exchange information about trust status separately from the functional communication between the agents (e.g., if agent A detects unusual behavior in agent B, it should be able to convey its subsequent loss of trust to other agents C and D that interact with B). Protocols for distributed agreement and voting, and for the exchange of typical behavioral patterns and other contextual information, are required. 
  • Dynamic reconfiguration, reactive mechanisms, and countermeasures: the survivability of the overall system depends heavily on the agents’ ability to adapt their behavior based on their current and evolving trust beliefs, as well as on elevated privileges that are bound to certain environmental conditions (e.g., increased threat levels, a state of emergency), in an effort to provide quick response and recovery from failures. Further, if trust in an agent is lost, that agent should not be assigned critical tasks or be trusted to provide reliable information (i.e., other agents may choose to ignore a rogue agent). 
  • Hardware-enhanced security mechanisms for highly trusted agents, exploring hardware-secured execution environments as well as semi-mobile agents that reside in the protected compute environments of smart cards, including the performance/security tradeoffs in different threat environments – Sheldon/Ferragut (Fact Sheet)
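As an added example, and not the project's own model (the page describes it only at the level above), the following Python puts numbers on the pieces listed: trust built slowly by direct experience and lost quickly, decay toward neutral when no interaction refreshes it, a trust report from A about B that C and D weigh by how much each trusts A, a threat-level-dependent threshold for handing a peer a critical task, and a majority vote to isolate a peer. The update rules, the thresholds and the four-agent scenario are assumptions made for the illustration; the cryptographic-hardware and smart-card aspects are out of scope here.

```python
from dataclasses import dataclass, field


@dataclass
class TrustAgent:
    """One agent's view of its peers. Trust is a value in [0, 1]; it grows slowly
    with good interactions and drops sharply with bad ones (an assumption of this
    example, mirroring how people rebuild trust more slowly than they lose it)."""
    name: str
    trust: dict = field(default_factory=dict)
    neutral: float = 0.5        # value assumed for a peer we have never met
    gain: float = 0.10
    loss: float = 0.50

    def value(self, peer):
        return self.trust.get(peer, self.neutral)

    def observe(self, peer, good):
        """Direct experience from an interaction with `peer`."""
        t = self.value(peer)
        self.trust[peer] = t + self.gain * (1.0 - t) if good else t * (1.0 - self.loss)
        return self.trust[peer]

    def decay(self, rate=0.05):
        """Without fresh interactions, trust drifts back toward neutral over time."""
        for peer, t in self.trust.items():
            self.trust[peer] = t + rate * (self.neutral - t)

    def receive_report(self, reporter, peer, reported):
        """Second-hand evidence over the trust fabric, weighted by how much we trust
        the reporter. Reports may only lower trust: letting peers raise each other's
        standing would invite collusion (a design choice of this example)."""
        t = self.value(peer)
        if reported < t:
            self.trust[peer] = t - self.value(reporter) * (t - reported)
        return self.trust[peer]


def required_trust(threat_level):
    """Trust needed before a peer is handed a critical task; rises with the
    environment's threat level 0..5 (the thresholds are an assumption)."""
    return min(1.0, 0.5 + 0.1 * threat_level)


def may_assign_critical(agent, peer, threat_level):
    return agent.value(peer) >= required_trust(threat_level)


def vote_to_isolate(agents, peer, threat_level):
    """Distributed agreement: a majority of agents must have lost trust in `peer`."""
    votes = sum(1 for a in agents if not may_assign_critical(a, peer, threat_level))
    return votes * 2 > len(agents)


def scenario(threat_level=2):
    """Constructed run: A catches B misbehaving twice and reports it; C trusts A,
    D does not, so the report moves C's view of B much more than D's."""
    a, c, d = TrustAgent("A"), TrustAgent("C"), TrustAgent("D")
    for agent in (a, c, d):
        agent.trust["B"] = 0.9              # B has a good history with everyone
    c.trust["A"], d.trust["A"] = 0.8, 0.2
    a.observe("B", good=False)
    a.observe("B", good=False)
    for agent in (c, d):
        agent.receive_report("A", "B", a.value("B"))
    return {
        "A_in_B": a.value("B"), "C_in_B": c.value("B"), "D_in_B": d.value("B"),
        "C_assigns_B": may_assign_critical(c, "B", threat_level),
        "D_assigns_B": may_assign_critical(d, "B", threat_level),
        "isolate_B": vote_to_isolate((a, c, d), "B", threat_level),
    }


if __name__ == "__main__":
    for key, val in scenario().items():
        print(f"{key}: {val:.3f}" if isinstance(val, float) else f"{key}: {val}")
```

In the run, A's trust in B falls from 0.9 to 0.225 after two bad interactions, C's to 0.36 and D's only to 0.765; at threat level 2 (threshold 0.7) C will no longer give B a critical task while D still would, and two of the three agents vote to isolate B. Weighting reports by trust in the reporter is what keeps a single rogue agent from talking the group out of trusting an honest peer.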

ViMaSS (Virtual Machines for Seamless Security) - Traditional computer security techniques find it difficult to protect user data. Cyber security technology has concentrated on guaranteeing the confidentiality, integrity, reliability, and availability of computer system functions. While this paradigm shows promise in protecting computer systems, networks, and applications, it has not been able to protect data. Unlike systems and applications, data cannot be surrounded by a fence of protection. By its nature, data must be freely accessible to users; if data were locked away from the users, it would cease to be useful data. This raises the possibility of exploitation of data by user-level processes that inveigle themselves into the system. Malware entering a user environment is commonplace. Microsoft Word macros, email worms, and Trojan horses are a few types of malicious programs that need only be processed to run on a target system. Once invoked, these programs can wreak havoc on the target system, collecting, exfiltrating, corrupting, and deleting valuable user data. Computer security specialists know that segregating sensitive data onto machines protected from the network, or using trusted multi-level systems, is more secure than using standard machines, but the inconvenience of multi-level systems and the burden of maintaining and using multiple machines tend to outweigh any security gains. Users don't like them and won't use them. Data ceases to be useful if it is segregated from the normal working environment. Virtual machines, however, promise to grant some of the isolation required by good data security practice without sacrificing the usability that makes data useful.

In this research project, multiple virtual machines are integrated into a production environment by creating a seamless desktop in which multiple virtual machines populate the screen real estate without interacting with each other. Security separation is achieved by creating a segregated machine to run the vulnerable Internet functions in an isolated environment. The email client and web browser, for example, will run on the “Internet” machine. If the user wants data to cross from the Internet machine into the processing core of the machine (where the important, sensitive data is held), the action will be virtually transparent to the user. When the user clicks “Save As”, for example, the Internet computer will transfer the data to a separate virtual machine for scanning. The separate virtual machine contains scanning software and nothing else. Once the data has been scanned for malicious content, it can be transferred to its destination machine. The destination machine puts up the “Save As” dialog that gives the user access to the sensitive file system. The “Save As” dialog (indeed, the entire secured environment) is not visible to the Internet machine. Similarly, URLs requested by the user physically sitting at the terminal can be passed out to the internet machine for network processing when necessary. There is a possibility that despite scanning, malware will be imported into the interior environment. By isolating the interior environment from the network, the VM manager can minimize the possibility that the illicit code will exfiltrate critical data from the interior environment. By integrating the visual output from multiple machines seamlessly on the desktop, the system can provide a familiar environment to the user while maintaining a strong separation between sensitive data and publishable data – Neergaard/Ferragut.
(Fact Sheet)
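The essential security property of the arrangement described above is that every movement between virtual machines passes through one mediator, and that the only paths it knows are Internet VM to scanning VM (a file), scanning VM to core (a file, after a clean verdict) and core to Internet VM (a URL string). The following Python is an added example of that mediation policy and not the ViMaSS implementation (the page names no hypervisor or code): the zone names, the signature checks standing in for the scanning VM's engine, the URL rule and the sample files are all constructed for the illustration.

```python
import re
from dataclasses import dataclass, field

INTERNET, SCANNER, CORE = "internet", "scanner", "core"

# Flows the VM manager mediates, as (source VM, destination VM, kind of object).
# Anything else is refused; in particular nothing leads from the core's file
# system back to the Internet VM, only a URL string may travel that way.
ALLOWED_FLOWS = {
    (INTERNET, SCANNER, "file"),
    (SCANNER, CORE, "file"),
    (CORE, INTERNET, "url"),
}

# Constructed stand-in for the scanning VM's engine: a few content checks.
SIGNATURES = (
    ("pe-executable", lambda data: data.startswith(b"MZ")),
    ("vba-autoexec", lambda data: b"AutoOpen" in data or b"Document_Open" in data),
    ("vba-shell", lambda data: b"Shell(" in data),
)
URL_RE = re.compile(r"^https?://[A-Za-z0-9.-]+(:\d+)?(/[^\s]*)?$")


class FlowDenied(Exception):
    pass


def permitted(src, dst, kind):
    return (src, dst, kind) in ALLOWED_FLOWS


def scan(data):
    """Name of the first matching signature, or None if the content looks clean."""
    for name, match in SIGNATURES:
        if match(data):
            return name
    return None


@dataclass
class VmManager:
    core_files: dict = field(default_factory=dict)   # the sensitive file system
    log: list = field(default_factory=list)

    def transfer(self, src, dst, kind, payload):
        """The single choke point every cross-VM movement goes through."""
        if not permitted(src, dst, kind):
            self.log.append(f"DENY {src}->{dst} ({kind})")
            raise FlowDenied(f"{src}->{dst} ({kind}) is not a permitted flow")
        self.log.append(f"ALLOW {src}->{dst} ({kind})")
        return payload

    def save_as(self, name, data):
        """'Save As' from the Internet VM: the file goes to the scanning VM and,
        only if clean, on to the core. Returns True if the file reached the core."""
        data = self.transfer(INTERNET, SCANNER, "file", data)
        verdict = scan(data)
        if verdict is not None:
            self.log.append(f"QUARANTINE {name}: {verdict}")
            return False
        self.core_files[name] = self.transfer(SCANNER, CORE, "file", data)
        return True

    def open_url(self, url):
        """A URL typed in the secured environment is handed to the Internet VM."""
        if not URL_RE.match(url):
            raise ValueError(f"refusing non-web URL {url!r}")
        return self.transfer(CORE, INTERNET, "url", url)


if __name__ == "__main__":
    vm = VmManager()
    print(vm.save_as("notes.txt", b"meeting notes, nothing special"))
    print(vm.save_as("invoice.doc", b"Sub AutoOpen()\n  Shell(\"cmd\")"))
    try:
        vm.transfer(CORE, INTERNET, "file", b"sensitive")    # the exfiltration path
    except FlowDenied as exc:
        print("blocked:", exc)
    print("\n".join(vm.log))
```

The scan can miss malware, as the paragraph above concedes; what still holds even then is that `ALLOWED_FLOWS` contains no file flow out of the core, so code that does reach the interior has no mediated route by which to exfiltrate what it finds there.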
Home | ORNL Public | CCS Directorate | CSE Division | Disclaimers | Comments

Website provided by the Cyberspace Sciences & Information Intelligence Research Group - Last Updated April 28, 2008
Oak Ridge National Laboratory is managed by UT-Battelle, LLC for the U.S. Department of Energy