Peter Jarvis, Teresa Lunt, Karen Myers, NASA/PARC/SRI
Outline
- Intelligence Analysis Problem
- Computer aided plan recognition approach
- Research priorities
Overview
Alert Overload
- US security agencies had the information necessary to prevent 9/11, but drowned in a sea of information and the pieces were not put together
Intelligence Analyst's Desktop: analysts have to piece together information from a variety of sources, within a sea of information.
CAPRe Presentation
Group intelligence by evidence of goal:
- reduces cognitive load on analysts
- prioritizes
- crisp presentation of intent, rather than trying to assemble observations
- earlier recognition of hostile behavior
CAPRe Complements and Exploits Other Approaches
- Data mining: complements broad-shallow analysis with CAPRe's narrow-deep causal approach
- Alert correlation: CAPRe relies on the focused grouping of alerts produced by correlation techniques.
Technique
Two-phased reasoning generates open hypotheses and scores them. Based on the hypotheses, the system tries to issue further information requests.
Representation
Hierarchical Task Network
Templates (e.g. Bribe) consist of tasks, conditions, and effects. Partial template instantiation is allowed; information-gathering requests can be issued to try to fill in the missing information.
Two-phased Reasoning
Seedling generation: generate explanations for each observation in isolation, working upward toward a higher-level goal. Not the computational bottleneck (a fraction of a second).
Seedling composition:
- try to combine seedlings consistently and score the combinations. Examine each element of the powerset of seedlings.
- hostile domain: assume the enemy may be trying to game the system.
- search through the elements in order of increasing cardinality.
- this is the computational bottleneck.
- An element is a hypothesis if:
  - the template paths are consistent
  - the bindings are consistent
  - all conditions are satisfied
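The seedling composition search just described, as an added example (not code from the CAPRe system). The seedlings, template paths, bindings, conditions and effects are constructed for illustration, and scoring a hypothesis by the number of observations it explains is an assumption, since the talk did not detail its scoring.

```python
from itertools import combinations

# Constructed sample seedlings (not from the talk). Each explains one observation as
# a path from a root template goal down to one task step, with the variable bindings
# it implies, the task's preconditions, and the effects it produces.
SEEDLINGS = [
    {"obs": "large cash withdrawal", "path": ("Bribe", "GetFunds"),
     "bind": {"actor": "A"}, "cond": set(), "effects": {"has_funds(A)"}},
    {"obs": "meeting with official", "path": ("Bribe", "Contact"),
     "bind": {"actor": "A", "official": "O1"}, "cond": set(), "effects": {"contact(A,O1)"}},
    {"obs": "payment to official O1", "path": ("Bribe", "Pay"),
     "bind": {"actor": "A", "official": "O1"},
     "cond": {"has_funds(A)", "contact(A,O1)"}, "effects": set()},
    {"obs": "payment to official O2", "path": ("Bribe", "Pay"),
     "bind": {"actor": "A", "official": "O2"},
     "cond": {"has_funds(A)", "contact(A,O2)"}, "effects": set()},
    {"obs": "flight booking", "path": ("Travel", "Book"),
     "bind": {"actor": "A"}, "cond": set(), "effects": set()},
]

def paths_consistent(group):
    # Every seedling must climb to the same root template, and no two may
    # claim the same task step of that template.
    steps = [s["path"] for s in group]
    return len({p[0] for p in steps}) == 1 and len(steps) == len(set(steps))

def bindings_consistent(group):
    # A template variable may not be bound to two different values.
    merged = {}
    return all(merged.setdefault(v, val) == val
               for s in group for v, val in s["bind"].items())

def conditions_satisfied(group, facts):
    # Preconditions must follow from known facts or from the effects of
    # other tasks in the same hypothesis.
    known = set(facts).union(*(s["effects"] for s in group))
    return all(s["cond"] <= known for s in group)

def compose(seedlings, facts=frozenset()):
    """Walk the powerset of seedlings in order of increasing cardinality and return
    each consistent subset as (indices, score). The 2**n subsets are the bottleneck."""
    hyps = []
    for k in range(1, len(seedlings) + 1):
        for idx in combinations(range(len(seedlings)), k):
            group = [seedlings[i] for i in idx]
            if (paths_consistent(group) and bindings_consistent(group)
                    and conditions_satisfied(group, facts)):
                hyps.append((idx, len(group)))  # score = observations explained
    return hyps
```

With no prior facts, the payment to O1 is only explained once the withdrawal and the meeting are in the same hypothesis, while the payment to O2 is never explained because no seedling or fact supplies contact(A,O2).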
Experiments
Varied the signal-to-noise ratio, the number of attack steps, and the noise coherence, with a fixed attack plan.
Broke down at 25 events.
Research goals
- two orders of magnitude increase in alert cluster size (25 -> 2500)
- probabilistic reasoning
- integrated information gathering planning
- try experimenting with tripwire events rather than brute-forcing all events
Applications
- NASA: recognize an astronaut's or pilot's intent; proactive assistance; capture slips (instrument mode errors, a frequent action trumping a similar infrequent action).
Q and A
- test data synthesized by subject matter experts (confidentiality issue)
- terrorists do stand out. If everyone of suspicious background were to visit nuclear power plants, the problem would be much harder.
- want analysts to focus on the mental exercise of dreaming up plans
- hasn't seen anything that looked at alert streams on analysts' desks to see if anything could have been detected.