MARCIM Semantic Wiki News – May 1, 2012

May 14th, 2012

The following is the second installment of our MARCIM Semantic Wiki Newsletter, sent May 1, 2012 to those involved in the MARCIM technology demonstration. If you are interested in being added to the mailing list for these newsletters, please email Lmooney@milcord.com.

 

Semantic Wiki News – May 1, 2012

Hello,

Our participation in Balikatan 2012 exercises within Palawan, Philippines reinforced many lessons learned during Cobra Gold 2012, as well as elucidated fresh insights that have inspired our team’s evolution of the Semantic Wiki.  We look forward to keeping the team updated on the exciting progress being made through this MARCIM Semantic Wiki Newsletter. We kept the distribution of the newsletter to individuals directly involved in the project; please let us know if there are others we should include in the mailing list!

The following features have been implemented in the Semantic Wiki since our participation in Balikatan 2012:

Event Calendar

In response to user feedback, we have taken our semantic Event Calendar (detailed in our last newsletter installment) a step further by allowing users to populate this calendar themselves via their mobile devices. Using the “Event” form within the mobile app, users may now enter the time, date, and details about a particular event. This data is automatically ingested into the Wiki, and placed upon a monthly calendar.

As you can see above, Balikatan users added information to these calendars about events such as barangay meetings, CMO operations meetings, VETCAP and MDVCAP outreach, and site dedication ceremonies. For users that choose to populate the calendar with events that are relevant only to their teams, we have created “Team Calendars” (such as the BK12 North Calendar, which lists all activities being conducted by CA Team North). For operations personnel that desire an aggregate view of events, we’ve created calendars that contain all events (such as the BK12 Joint Medical Task Force Calendar, which lists all MEDCAP and VETCAP related activities, irrespective of which teams are involved in the activity). The dynamic nature of this calendar serves to increase the quality of collaboration among the operational planning team and units in the field.


Tabbed Site Pages

In the Philippines we observed that users found it difficult to search for site-specific information. This led us to recognize a distinct need to address ontological distinctions in the Wiki; that is, the need to draw sharper distinctions between Site pages, the schools that sites are associated with, ENCAP and MEDCAP activity that occurs at these sites, etc. As you can see from the screenshot for Buena Vista Elementary School, below, we have implemented tabbed site pages which address this issue. By having tabs for relevant data about the site (i.e. ENCAP Progress, ENCAP Description, School Information, and Village/Subdistrict Information), all the information that relates to a single site exists within the same page, so that accessing site-specific information is made increasingly intuitive for users.

Geolocated Photographs

Since Cobra Gold 2012, we’ve introduced an enhanced tagging scheme for all photographs ingested from the mobile device. Included in this enhanced tagging scheme are coordinates, which allow us to geolocate photographs on a map, as can be seen on the Balikatan 2012 photographs page. This allows users to zoom into an area of interest within the map and view images that have been submitted.


Internal Timer

During Balikatan exercises we identified a way to place content (such as charts, tables, pictures, or text) on an internal timer within the Wiki so that the content doesn’t appear until a defined date. This keeps pages from being cluttered with information that either is not relevant, or doesn’t exist, until a particular point in time. For example, the tables on the MDVCAP site pages aggregate and analyze the demographic data collected from MDVCAP patient registration (i.e. see the Cabayugan National High School Patient Registration Data). These tables, which don’t have any information until the registration process begins, are now placed on timers so that they appear when registration commences.

We are excited about this solution as it increases the practicality and sustainability of the Wiki, and allows us to feed users semantic reports and other content when we know they’ll need them. These timers can be customized down to the very second that the user needs the designated content to appear.


Multidimensional Dynamic Graphs

Before discussing the innovation in our enhanced dynamic graphs, we’ll first delve into some Semantic Query 101. The semantic reports (i.e. tables, charts, calendars, etc.) that you see within the Wiki go beyond simple analysis that can be completed in Excel; they’re unique because every time you visit, the reports are created anew for you. They refresh every time you visit the page in which they are embedded. The reports can be automated in this way because every page within the Wiki (i.e. every assessment, every school site, every village) is tagged using a “subject, property, object” semantic annotation format. For example, Bangkok (Subject) has a Population (Property) of 8,300,000 (Value). Because of the way the data is structured, we are able to explore relationships between and among Wiki pages. This allows us to ask the database questions and receive answers (such as, what is the population of Bangkok?).

In constructing more complex reports, we need to conduct searches for properties that are semantic queries in and of themselves. In such reports, the information we need is not tagged within the pages, but by nesting a semantic query as a property value, we can infer knowledge from the other semantic relationships that exist. We used this logic to create the ENCAP progress graph (below) which you can view on the BK12 Engineering Civic Action (ENCAP) Activity page. Behind this graph is a semantic query that is asking the Wiki to deliver the most recent Percent Completion rate entered within the SITREPs for all ENCAP sites. This is a query within a query, as we are delving into the multidimensional semantic relationships that exist, rather than the tags within the page, to deliver this information.

This is a galvanizing development as it demonstrates that our visualizations and reports can be enhanced to drill down into multiple dimensions of the data, querying for relationships nested among other relationships, to derive insight and produce refined visualizations that provide value in operations.
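The query-within-a-query described above, sketched as an added example (not the Wiki's own code): a small in-memory triple store in which the outer query selects ENCAP sites and the inner query finds each site's most recent SITREP that has a Percent Completion entered. All page names, property names and values are constructed for illustration.

```python
from datetime import date

# Constructed sample annotations as (subject, property, value) triples.
# Page names and property names are hypothetical, not the Wiki's own.
TRIPLES = [
    ("Site A", "Site type", "ENCAP"),
    ("Site B", "Site type", "ENCAP"),
    ("Site C", "Site type", "MDVCAP"),
    ("Site D", "Site type", "ENCAP"),  # no SITREP filed yet
    ("SITREP 1", "Reports on", "Site A"),
    ("SITREP 1", "Report date", date(2012, 4, 10)),
    ("SITREP 1", "Percent completion", 40),
    ("SITREP 2", "Reports on", "Site A"),
    ("SITREP 2", "Report date", date(2012, 4, 20)),
    ("SITREP 2", "Percent completion", 75),
    ("SITREP 3", "Reports on", "Site B"),
    ("SITREP 3", "Report date", date(2012, 4, 15)),
    ("SITREP 3", "Percent completion", 20),
    ("SITREP 4", "Reports on", "Site B"),
    ("SITREP 4", "Report date", date(2012, 4, 25)),  # newer, but no percentage entered
    ("SITREP 5", "Reports on", "Site C"),
    ("SITREP 5", "Report date", date(2012, 4, 18)),
    ("SITREP 5", "Percent completion", 90),
]


def ask(triples, prop, value):
    """Simple query: every subject annotated with prop == value."""
    return [s for s, p, v in triples if p == prop and v == value]


def values(triples, subject, prop):
    """All values of one property on one page."""
    return [v for s, p, v in triples if s == subject and p == prop]


def latest_completion(triples, site):
    """Inner query: the most recent Percent completion entered in any SITREP about site."""
    entries = []
    for sitrep in ask(triples, "Reports on", site):
        dates = values(triples, sitrep, "Report date")
        percents = values(triples, sitrep, "Percent completion")
        if dates and percents:  # skip SITREPs that carry no percentage
            entries.append((dates[0], percents[0]))
    if not entries:
        return None  # the site page has no such tag, and no SITREP supplies one
    return max(entries, key=lambda entry: entry[0])[1]


def encap_progress(triples):
    """Outer query: all ENCAP sites, each with the result of the nested query as its value."""
    sites = sorted(ask(triples, "Site type", "ENCAP"))
    return {site: latest_completion(triples, site) for site in sites}


if __name__ == "__main__":
    for site, percent in encap_progress(TRIPLES).items():
        print(site, percent)
```

The percentage is never tagged on the site page itself; it is inferred by following the SITREP-to-site relationship, which is why the result changes as soon as a new SITREP is ingested.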


Usage Statistics

To track usage of the Wiki over time, we have created a MARCIM Semantic Wiki Statistics page. This page dynamically tracks aggregate statistics (i.e. number of views, edits, and assessments), as well as statistics by operation (i.e. how many new user accounts were created for Cobra Gold v. Balikatan? How many photographs were ingested? How many assessments were ingested; and how many of these were medical assessments in either exercise?). The page also contains a dynamic bar chart that tracks user account creation over time, and dynamic pie graphs which detail the number of assessments completed by operation.

Below are some interesting statistics as of May 1, 2012:



We hope you found the second installment of our Semantic Wiki Newsletter useful, interesting, and relevant. We value your feedback on how we can improve our updates.

Sincerely,
The Milcord team


MARCIM Semantic Wiki Newsletter – March 9, 2012

May 14th, 2012

The following is our first MARCIM Semantic Wiki Newsletter, sent March 9, 2012 to those involved in the MARCIM technology demonstration. If you are interested in being added to the mailing list for these newsletters, please email Lmooney@milcord.com.

 

Semantic Wiki News – March 9, 2012

Hello,

Annotated content for 946 Thai and Philippine NGOs, dynamic calendars for Balikatan, and automated BMI calculations: these are a few of the changes that have been made to MARCIM Semantic Wiki this week! The Milcord team has been working to address user requirements observed during Cobra Gold 2012 and implement innovative solutions, so that the second deployment of our MARCIM Semantic Wiki within the Philippines will be met with increased success. In order to keep the MARCIM team apprised of solutions as they’re employed, we hope to begin communicating new updates through this bimonthly newsletter. We kept the distribution of the newsletter to individuals directly involved in the project; please let us know if there are others we should include in the mailing list!

The following updates have been implemented within the Wiki in the past week:

Balikatan Calendar

In an attempt to address reporting requirements identified by users in Thailand, we have created a dynamic calendar labeled with important events for Balikatan 2012. The monthly calendar view is one of many export formats enabled by the Semantic Search capability. The calendar can be accessed here.

As you can see, the calendar posts we’ve created include dates for deployment and redeployment, opening and closing ceremonies, as well as Medical/Veterinary Outreach, among other events. To add an event to the calendar, a user may click “Add page using form” in the left sidebar, type the name of the event he/she desires to post within the text box that appears, and within the dropdown menu choose the category “Event.” The event the user creates will automatically populate to the calendar.

It is our hope that this calendar will support staff reporting functions in Balikatan, and serve to increase the frequency and quality of collaboration among the operational planning team.

What Links Here Template

As part of an ongoing effort to enable automatic associations between annotated non-page entities in the Wiki, we have created a template that allows users to generate a bulleted list of pages that link to any given tag. Let’s take an example that was presented to us by a user in Thailand. Many teams working at the MDVCAP sites consistently mentioned “diabetes” as an issue within their SITREPs. Any tags to diabetes created red hyperlinks; however, even if the user created a page for “Diabetes” the page itself would not generate an easily viewable list of pages with mentions to Diabetes. We’ve addressed this issue by allowing users to embed a template within the free text area of the page in question. By typing {{What Links Here}} within the text of a Wiki page, a list of pages with tags to diabetes will be generated. For further exploration, navigate to the Diabetes page.

After a single user inputs {{What Links Here}} within the free text area of the page, every user thereafter will be able to view a list of pages that link to the tag in question.

BMI Calculations

We have codified a process for dynamically calculating Body Mass Index statistics for every patient that passes through Medical Registration at a MEDCAP Site, in response to feedback from the Environmental Health Officer for III MEF. Aggregate BMI statistics now automatically feed into our dynamic tables located within MEDCAP Site pages. To view the new dynamic tables, follow the Cobra Gold Site 1 link.

New Sociocultural Content

In preparation for Balikatan we completed data ingest of all major geographic divisions for the Philippines (to include regions, cities, and municipalities). We have also imported 422 Philippine NGOs, and 524 Thai NGOs to satisfy user requirements. Sociocultural content may be accessed from both the Philippines and Thailand country pages.

In addition, all site information for Balikatan currently resides on the Semantic Wiki. You may view this content within the Balikatan 2012 operation page. Below is a screenshot of the Site page for the Tagbarungis Elementary School, an ENCAP Site in Palawan.

 

Main Page Restructuring

We have integrated feedback from users and MARCIM team members to restructure our Wiki Main Page. We now have content divided by Operation/Exercise, and by Area of Operation – the latter of which is particularly designated for ongoing operations not associated with a specific exercise. Let us know what you think of our new Main Page.


We hope you found our first Semantic Wiki Newsletter contained useful, relevant information. We value your feedback on how we can improve our updates.

Sincerely,
The Milcord team

Milcord Participates in Cobra Gold 12 Military Exercises in Thailand

April 25th, 2012

From January-February 2012 Milcord participated in Cobra Gold military exercises in Thailand, demonstrating our MARCIM (US Marine Corps Civil Information Management) Semantic Wiki. This is the second year we have participated in the exercises; last year, Laura Cassani represented Milcord by presenting our sociocultural knowledge base. You can read Laura’s post here for background on the exercises, and details about our participation in Cobra Gold 2011. Since then, we’ve developed another knowledge base built upon a Semantic Wiki platform, tailored to support the Civil Information Management needs identified in Thailand.

Conducting a training on the Semantic Wiki at the CJCMOTF in Korat, Thailand

The MARCIM Semantic Wiki supports real time data collection, visualization, and analysis by automatically ingesting assessments and surveys conducted by Civil Military Operations (CMO) teams submitted via mobile devices, and semantically tagging and generating relationships with the field collected data. During Cobra Gold 2012, the MARCIM Semantic Wiki was placed in the hands of the exercise’s planning and operations team. This team, stationed at the CJCMOTF (Combined Joint Civil Military Operations Task Force) in Korat, Thailand, is responsible for overseeing all CMO activity within the country. I spent three weeks observing, interacting with, and supporting the users, and, based on their feedback, we customized the Wiki so that it could best assist and advance the efforts of CMO personnel. It was incredible to see how the Wiki evolved throughout the exercises from being something that was built on a conceptual level by Milcord to being a living, breathing tool that took shape around user feedback as we worked continuously to tailor the Wiki so that it could confer the utmost benefit to the troops. On a daily basis within the CJCMOTF, the staff used the Wiki to submit their daily reports, analyze demographic information within the area of operations, monitor team activity, and visualize responses to surveys and assessments.

Dynamic pie chart analyzing the primary medical issues of patients at a flood relief medical event

During my time in Thailand, I gained an appreciation for the nature of the data collected during CMO missions; information is collected about the local infrastructure, medical needs of the population, progress being made at engineering sites, as well as sentiments of the Thai people toward the troops. Instead of placing this data onto inaccessible hard drives where it is unlikely to be utilized, the Wiki structures the data and places it into an analyzable form for users, thus presenting the value of the aggregated data to the troops. In addition to helping the troops understand the impact they’re making on the ground, the aggregation and analysis of this data also prevents duplication of effort by CMO teams by alerting them to what has already been achieved within the area of operation, and what activities and projects should be prioritized in the future.

Automated tables and charts analyzing the progress being made at an engineering site

Although our work within the CJCMOTF kept me busy, I was still able to sneak in some sightseeing. I visited the Weekend Market in Bangkok (the largest market in Thailand), toured the Royal Palace and Wat Pho, and visited Khmer ruins within Korat. The entire trip was a culinary escapade, and I quickly developed an appetite for som tam (spicy papaya salad with shrimp) and chai yen (Thai iced tea).

Since our participation in Cobra Gold 2012, we have been invited to participate in a number of other exercises, including Balikatan 2012 exercise in the Philippines, Pacific Partnership 2012 exercise in Southeast Asia and Oceania, and Black Sea Rotational Force 2012 operation in Eastern Europe. We look forward to posting further updates on the evolution of the MARCIM Semantic Wiki as we progressively gain insights from these operations and exercises!

Countries with Increased Political Violence Forecast: 2011 – 2015

December 31st, 2011

In our companion Domestic Political Violence Model blog, we published yesterday the list of countries predicted to have increases in political violence for 2011 to 2015. The map below shows the countries with expected increase in political violence grouped by Very High Risk, High Risk, and Medium Risk. Our forecast is based on four different models. In the Very High Risk category, all four models predicted an increase. In the High Risk category, three models predicted an increase. In the Medium Risk category, half of the models predict an increase in violence. The countries in each category are sorted based on the size of the mean residual, so the states with the most pent-up demand for violence are listed at the top. The residuals imply that these are states that we expect to observe increases in violence although not necessarily high levels of violence. So United Kingdom and Israel are not expected to have the same level of violence but are expected to have the same magnitude increase in political violence.

201112311034.jpg

United Kingdom, Israel, Sri Lanka, Iran, Colombia, Zimbabwe, South Africa, Haiti, Egypt, Philippines, Guinea-Bissau, Venezuela, Chile, Syria, Chad, Belarus, Guinea, Kyrgyzstan, Greece make up the very high risk list. Israel, Sri Lanka, Iran, Colombia, South Africa, Egypt, Chile, Syria, Chad, Belarus, and Kyrgyzstan are returning countries from our 2010-2014 forecast. Of our 2010-2014 forecast, Syria, Egypt, and Libya saw the most violent protest in the Arab Spring of 2011. United Kingdom, Zimbabwe, Haiti, Philippines, Guinea-Bissau, Venezuela, Guinea, and Greece are the new additions to our very high risk list. United Kingdom tops the list as the pent-up demand for increased violence was certainly evident in the London Riots over the Summer of 2011. Greece saw substantial increase in political violence due to the measures introduced by the Greek government to address the debt crisis.

It is worth noting that our 2011-2015 forecast model is based on an events dataset that captures both the frequency and the intensity of political violence from 1990 to 2010. Similarly, our 2010-2014 forecast model is based on an events dataset that captures both the frequency and the intensity of political violence from 1990 to 2009. We publish our forecast based on our acquisition date of the event dataset. As the event dataset is available on a real-time basis, albeit at a higher cost, we can publish our forecast in real time if needed.

Using a regression model applied to a large number of drivers of conflict variables spanning numerous open source social science datasets, our model uses a novel Negative Residuals technique. Negative Residuals result from the model predicting higher levels of violence than actually experienced, indicating nation states that are pre-disposed to increasing levels of violence based on the presence of environmental conditions and drivers of conflict with demonstrated correlation with measured political violence. In our model, the magnitude of future political violence directed towards the state is heightened by coercion, often thought of as violations of physical integrity rights, and by coordination, or the tools by which groups can associate and organize against the state. Conversely, the magnitude of political violence is lessened by capacity, defined as the ability of the state to project itself throughout its territory.
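The tiering described in this post, as an added example (not Milcord's model code): given each state's observed violence level and the predictions of four models, it computes residuals as observed minus predicted, counts how many models have a negative residual, assigns the risk tier, and sorts each tier by mean residual with the most negative first. State names and all numbers are constructed, and the regressions that would produce the predictions are assumed to have been run already.

```python
from statistics import mean

# Number of models (out of four) with a negative residual -> risk tier, as described in the post.
TIERS = {4: "Very High Risk", 3: "High Risk", 2: "Medium Risk"}

# Constructed sample data: observed level and four model predictions per state.
OBSERVED = {"State A": 2.0, "State B": 5.0, "State C": 3.0, "State D": 4.0, "State E": 1.0}
PREDICTED = {
    "State A": [3.0, 3.5, 2.5, 4.0],
    "State B": [6.0, 7.0, 5.5, 7.5],
    "State C": [3.5, 4.0, 3.2, 2.8],
    "State D": [4.5, 5.0, 3.5, 3.0],
    "State E": [0.5, 1.5, 0.8, 0.9],
    "State F": [2.0, 2.0, 2.0, 2.0],  # no observation available, so it cannot be scored
}


def residuals(observed, predictions):
    """Residual per model: negative when the model predicted more violence than was observed."""
    return [observed - predicted for predicted in predictions]


def forecast(observed, predicted):
    """Group states into risk tiers and order each tier by mean residual, most negative first."""
    tiers = {name: [] for name in TIERS.values()}
    for state, predictions in predicted.items():
        if state not in observed:
            continue  # nothing to compare the prediction against
        if len(predictions) != 4:
            raise ValueError(f"{state}: expected predictions from four models")
        res = residuals(observed[state], predictions)
        votes = sum(1 for r in res if r < 0)
        tier = TIERS.get(votes)  # fewer than two negative residuals: not listed
        if tier is not None:
            tiers[tier].append((mean(res), state))
    return {tier: [state for _, state in sorted(rows)] for tier, rows in tiers.items()}


if __name__ == "__main__":
    for tier, states in forecast(OBSERVED, PREDICTED).items():
        print(tier, states)
```

State A and State B land in the same tier despite different observed levels, which is the post's point that the residual signals an expected increase rather than a level.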

For the event dataset, we use the Integrated Data for Event Analysis (IDEA) framework. The IDEA event dataset is based on the Reuters Global News Service, and organized in a “who” did “what” to “whom” manner for each particular event. This framework allows researchers to isolate events of interest for their particular project. Using this framework allows us to capture and isolate domestic anti-government violence. For the dependent variable, our model uses the Goldstein scores that capture the overall level and intensity of domestic antigovernment violence within a state in a given year.

Wiki Surveys for Social Science Research

June 10th, 2011

Surveys and interviews form the central methodology for analyzing and discovering attitudes and opinions in social science research. With the advent of the Web, online surveys have become an efficient way for researchers to collect and analyze large amounts of data. The popularity of online survey tools like SurveyMonkey, Zoomerang, SurveyGizmo, etc. is testament to the productivity enabled by surveys. However, surveys represent a rigid, top-down methodology, forcing the survey designer to account for all possible answers up front, which is an impossible feat. In contrast, interviews allow unanticipated information to bubble up from the respondents. For instance, the primary data for Integrity Watch Afghanistan (IWA), Afghan Perceptions and Experiences with Corruption: A National Survey 2010, involves interviewing 6,500 randomly selected respondents in 32 provinces on over 100 questions that deal with sectors where people experienced corruption; levels of bribes people paid to obtain services; what type of access people had to essential services; who people trusted to combat corruption; and experiences with corruption in the judiciary, police, and land management. However, the interview methodology is expensive and time-consuming as it requires implementation by research companies with expertise in effective research design, and precise management of data collection over several months.

Is there an alternative to surveys and interviews in social science research? Prof. Salganik’s team at Princeton came up with a hybrid approach, “wiki surveys”, that combines the structure of a survey with the open-endedness of an interview. To date, various organizations have created more than 1000 wiki surveys on the project Web site – All Our Ideas, generating 45,000 ideas with 2 million votes. Wiki surveys range from the New York City Mayor’s Office’s engagement with citizens in shaping the city’s long term sustainability plan to the Catholic Relief Services surveying their 4000 employees to find out what makes an ideal relief worker. The figure below shows how the third question in Tactical Conflict Assessment Planning Framework (TCAPF) would be implemented as a wiki survey:

tcapf wiki survey.jpg

Inspired by extending the kittenwar concept to ideas, the user interface guides the respondent to choose between two random alternatives, while encouraging the respondents to add their ideas into the mix of alternative responses. The additional ideas are added into the survey’s marketplace and voted up or down by the other survey-takers. Prof. Salganik says that “One of the patterns we see consistently is that ideas that are uploaded by users sometimes score better than the best ideas that started it off. Because no matter how hard you try, there are just ideas out there that you don’t know.”

All Our Ideas has some basic visualization features to make sense of the wiki survey responses. Here is the visualization for the responses – “What do you think the Digital Public Library of America (DPLA) should be like?”:

DPLA Survey Reponse.jpg

It is worth noting that the top scoring 15 ideas, starting with DPLA interoperability with Government Printing Office (GPO), Defense Technical Information Center (DTIC), and National Records Archive Administration (NARA), are all uploaded ideas not in the original set of alternatives. A powerful argument for crowd sourcing!

Admittedly, we still need boots on the ground to collect TCAPF data in Afghanistan given the demographics of the people we want to reach. On the other hand, wiki surveys hold great potential in reaching the younger generation fueling the Arab spring and the like.

Bin Laden Hideout vs. Al Qaeda Training Manual

May 8th, 2011

In our Building Intent project, we developed a geoprofiling algorithm that predicts the location of facilities that support adversary operations in the urban environment. Geoprofiling is a technique that is widely used in serial crime investigations. In our project, we researched and developed a building intent inference system based on terrorist preferences, building characteristics, and social network behavior. Our approach learns the utility function that the adversaries are using, and classifies and predicts the potential utility of a facility to the adversaries based on the derived metadata of each facility using influence networks.

For terrorist preferences, we have studied Military Studies in the Jihad Against the Tyrants: The Al-Qaeda Training Manual in order to find building use tactics in which the adversary is training its recruits, and found a significant number of building use related tactics and procedures embodied in these manuals. In collaboration with the Terrorism Research Center in Fulbright College, University of Arkansas, we then studied the international terrorism cases in the American Terrorism Study, and found empirical evidence that shows the practice of terrorism manual tactics in the observed data. Based on these findings, we developed a baseline set of indicators for modeling building intent, and researched the likely causal connections among these variables. We then built extractors to derive a set of metadata for these indicators, and used machine learning algorithms to find the causal connections between the incidents or events and building attributes, and model parameters, and build classifiers based on terrorist process preferences, building characteristics, and guilt by association data.

As shown in the figure below, our geoprofiling algorithm does a nice job in predicting the Japanese Red Army terrorist Yu Kikumura’s residence in New York based on the American Terrorism Study. Here the blue markers signify police stations and white arrows signify the egress points. As shown in the figure, Yu Kikumura’s residence at 327 East 34th Street, NY is in the red hotspot area predicted by our algorithm. Avoiding police stations and ease of egress were two of the primary factors in Kikumura’s choice of housing. Not only is his apartment equidistant from the nearest police departments – all of which are over one kilometer away – its back-alley access road to the underground Queens Memorial Tunnel provides a quick get-away by car. In addition, the examination of the residence floor plan reveals that the apartment building had numerous staircases (one of which is private to the unit) to the basement level with a rear exit.

Japanese Red Army.png

The Al Qaeda Training Manual gives several instructions for renting a residence as shown in the table below. For instance, it is preferable to rent apartments on the first floor for ease of egress, avoid apartments near police stations and government buildings, and in isolated or deserted locations, rent in newly developed areas, and the like. In particular, the Al Qaeda Training Manual calls for the use of the following tactics in renting an apartment:

Al Qaeda Tactics.jpg

So how does the location of Bin Laden’s secret hideout in Abbottabad follow the advice of the Al Qaeda Training Manual? Not that closely. Bin Laden clearly did not follow the tactics for selecting a ground floor location by living on the third floor, for avoiding police stations and government buildings by selecting a location near the Pakistan Military Academy, for finding an apartment in newly developed areas where people do not know each other by choosing a neighborhood with retired Army Generals, and for preparing ways of vacating the premises in case of a surprise attack by not building exit stairs. The only tactic that Bin Laden has used from the list above is avoiding an isolated location. One wonders if Bin Laden made a concerted effort to avoid his own tactical advice in order to thwart geoprofiling techniques. Perhaps another consideration that will need to be taken into account in future geoprofiling is the assistance from outside forces, given the possible connection to a support network that included elements of the Pakistani military or intelligence services in the Abbottabad area.

Milcord Participates in Cobra Gold 11 Military Exercises in Thailand

March 9th, 2011

This past month Milcord participated in the Cobra Gold military exercises in Thailand, demonstrating our Office of the Secretary of Defense Human Social Cultural Behavior (HSCB) Modeling Program project, a Socio-Cultural Knowledgebase using a Semantic Wiki. Cobra Gold is an annual joint training exercise held in Thailand and sponsored by the U.S. Pacific Command and the Royal Supreme Thai Command. One of the world’s largest multinational exercises, it draws participants from 24 nations, including the armed forces of Thailand, Republic of Singapore, Japan, Republic of Indonesia, Republic of Korea and the United States. Nearly 13,000 military personnel, approximately 7,300 of them American troops, participated in Cobra Gold 2011. The event improves participating nations’ ability to conduct relevant and dynamic training while strengthening relationships between the militaries and local communities.

Participating in the exercises was a fantastic experience, as we traveled across the country speaking with Soldiers and Marines at various bases gaining valuable feedback regarding how our tool can support socio-cultural data management for complex operations with the ultimate objective of transitioning our ONR supported R&D into operational use in the field.

In one of the highlights of the trip, a meeting with a group that had recently deployed to Afghanistan, we used the Socio-Cultural Knowledgebase to look up the exact area of their deployment and view information about the tribal dynamics, provincial and district contextual knowledge, and data on political figures and powerbrokers relevant for their area. For the Afghanistan and Pakistan area, the Semantic Wiki covers more than 3,000 tribes and ethnic groups, documenting their traditional alliances, disputes, human terrain map, and other information pertinent to operations. The wiki also has articles for almost 700 individuals of significance for the region.

Our use of a semantic wiki platform enables the representation of the human terrain knowledge as facts and relationships. The representation of this knowledge in a semantic wiki has the additional advantage of supporting faceted browsing and answer-engine queries. For instance, the semantic wiki can answer questions like “What are the tribes in Kandahar Province and their traditional disputes?” as a table which is dynamically generated every time a new fact is added that fits this question. Getting firsthand feedback from the very people you want your research to support is a rewarding experience. We hope to be able to return next year and participate in the field exercises, showing how our tool can directly support socio-cultural knowledge management for civil affairs and humanitarian operations. The picture above is from the opening ceremony of the exercise in Chiang Mai as I present our Socio-Cultural Knowledgebase using a Semantic Wiki to the dignitaries in attendance while the picture below is from our travelling road show.

Additionally, while it was quite the busy schedule for the two and a half weeks I was there, we were still able to find time for sightseeing, taking in historic temples, a Muay Thai boxing match, and even a visit to a fish spa. And of course, sampling the incredible array of Thai street food was amazing; I still dream of the delicious steamed pork buns I had in Bangkok and Chiang Mai.

Increased political violence in store for Italy and Czech Republic?

November 29th, 2010

In collaboration with our academic partners Prof. Cingranelli at the Political Science Department, SUNY Binghamton University and Profs. Sam Bell and Amanda Murdie at the Department of Political Science, Kansas State University, we developed a Domestic Political Violence Model that forecasts political violence levels five years into the future. The model enables policymakers, particularly in the COCOMs, to proactively plan for instances of increased domestic political violence, with implications for resource allocation and intelligence asset assignment. Our model uses the IDEA dataset for political event coding, plus numerous indicators from the CIRI Human Rights Dataset, Polity IV Dataset, World Bank, OECD, Correlates of War project, and Fearon and Laitin datasets. Here is our model’s forecast for 2010 – 2014 as a ranked list:

  1. Iran
  2. Sri Lanka
  3. Russia
  4. Georgia
  5. Israel
  6. Turkey
  7. Burundi
  8. Chad
  9. Honduras
  10. Czech Republic
  11. China
  12. Italy
  13. Colombia
  14. Ukraine
  15. Indonesia
  16. Malaysia
  17. Jordan
  18. Mexico
  19. Kenya
  20. South Africa
  21. Ireland
  22. Peru
  23. Chile
  24. Armenia
  25. Tunisia
  26. Democratic Republic of the Congo
  27. Belarus
  28. Argentina
  29. Albania
  30. Ecuador
  31. Sudan
  32. Austria
  33. Nigeria
  34. Syria
  35. Kyrgyz Republic
  36. Egypt
  37. Belgium

Using a regression model applied to a large number of drivers of conflict variables spanning numerous open source social science datasets, our model uses a novel Negative Residuals technique. Negative Residuals result from the model predicting higher levels of violence than actually experienced, indicating nation states that are predisposed to increasing levels of violence based on the presence of environmental conditions and drivers of conflict with demonstrated correlation with measured political violence. The residuals imply that these are states in which we expect to observe increases in violence, although not necessarily high levels of violence. So Iran and Sri Lanka are not expected to have the same level of violence but are expected to have the same magnitude of increase in violence.

There are some unexpected countries on our list, like Czech Republic and Italy. Time will tell the accuracy of our model’s predictions, although recent political violence in Ecuador is an early indicator of the model’s effective performance. The model uses nuanced measures of repression and captures variables that can be manipulated by policy makers. Our project page has further details on the model.

Mobile App for Risk Based Route Planning

November 2nd, 2010

Mobile devices such as the iPod Touch and iPhone have spurred the “every soldier a sensor” vision into reality. Inspired by the rapid-transition success of TIGR, we built an Android App – RouteRisk – for risk-based route planning to investigate the design issues involved in supporting server infrastructure, Web services and soldier-sourced tactical data input requirements.

Current path planning systems such as the US Army’s Battlespace Terrain Reasoning and Awareness – Battle Command (BTRA-BC) involve time intensive terrain analysis computations, and require an expert user with GIS experience and knowledge of terrain analysis. These systems do not provide an easy-to-use, web-accessible interface for the boots on the ground. As a planning and re-planning system, RouteRisk calculates risk and recommends routes based on soldier-sourced data provided through tactical intelligence and route planning systems like TIGR (Tactical Ground Reporting), DCGS-A (Distributed Common Ground System – Army), and BFT (Blue Force Tracker). And when new intelligence is discovered, like a previously unreported poppy field found by a soldier on patrol or an S2, that intelligence gets pushed out to all units, because the servers and smartphones are connected through the cloud.

RouteRisk leverages our Risk Based Route Planning web service solution developed in earlier projects. Risk-based Route Planning is a Google Maps web service application allowing the user to plan safe routes in Baghdad, Iraq by avoiding known hotspots and predicted hotspots learned from patterns of past incidents. The web service application generates a risk surface from the incident reports using a Bayesian spatial similarity approach. Our Bayesian model learns the causal relationship between attack characteristics (such as attack type, the intended target, emplacement method, explosive device characteristics, etc.) and spatial attributes (distance to proximal features such as overpasses, government facilities, police checkpoints, etc.). For a given region, we use spatial attributes (distance to nearest overpass, major religion, within 300m of district border, neighborhood) as evidence in the model and we perform inference on the data.

By selecting the “Route” tab on the main navigation, the user can easily create a new route plan. The map is launched and the user is instructed to tap points on the map to define waypoints for the route (starting, intermediate and ending locations). To drag waypoints the user would Press-and-Hold. Optionally, the user can also bookmark locations or search for locations by placename (e.g. “Camp Helmand” or “Paktika District”) or grid reference. By pressing and holding down on waypoints, the user can choose among several actions to perform, such as “move waypoint” or “define time window”. Once a pair of waypoints is defined or a new one is added, a route plan is automatically computed and shown using the current routing preferences and selected factors. The user can change the routing preferences by clicking a button that animates the corner of the map to curl up and reveal the routing preferences. The user can select preferences such as “fastest route” or “shortest distance” or “safest route”.

We are currently researching the software architecture design alternatives for adding voice control capabilities to our RouteRisk app.

GFIRST 2010: social malware, insider threat, fast flux botnets ….

September 8th, 2010

I attended the 6th Annual GFIRST National Conference organized by US-CERT. GFIRST stands for Government Forum of Incident Response and Security Teams. This year’s theme was: Building Today, Shaping Tomorrow – Ensuring an Effective Response Capability to Manage Risks in Cyberspace. The conference was well attended with some talks standing room only in a 300-person conference room. Most commercial information security vendors interested in this space were participating exhibitors in the accompanying expo. I will not be able to cover some of the really interesting presentations in this public forum due to the sensitivity of the topics, but here are a couple of tidbits for general consumption.

“Emerging Threats in 2010” by Dave Marcus, Director of Security Research and Communications, McAfee Labs was one of my favorite presentations of the conference. Dave Marcus, who blogs at Reclaim Hacking, posited that he can make anyone click on malicious malware by mining personal information from the social media aggregated by several services. Dave uses Twitscoop to find the trending topics for messaging that the recipient will be interested in, uses Bing to figure out what OS the user is using and what the user is yapping about so that he can send targeted malware on the right platform like Android, MacOS, etc., mines pic tags using PicFog (alert: potential offensive material), uses Twittermap to deliver malware to folks attending an event, mines Twitter trends using Trendistic, uses hashtags.org to track trends, uses Openbook that mines Facebook, and designs URLs by appending keywords to tinyURL. Openbook exposes the awful default privacy settings in Facebook as lots of users don’t know how to set their preferences. After listening to this presentation, I have no doubt a determined adversary can figure out anyone’s hot button to push to deliver targeted malware. So what can you do? Check the privacy settings of your social media accounts, start using URL expanders, install safe browsing plug-ins …

Dawn Cappelli and Adam Cummings of CERT gave a nice talk on insider threat by presenting their empirical analysis of the MERIT database, which covers 157 fraud, 116 sabotage, 77 theft, 120 espionage, and 44 miscellaneous cases, and the SpyDR (Spy Data Repository) espionage database, which covers 120 cases. Their findings show that sabotage is perpetrated by former employees who insert malicious code before leaving, while fraud is typically carried out by a help desk person recruited from outside. Their recommendations: enable message tracking on your mail server, use Splunk to track mail flow to competitors, foreign entities, etc., look for email over a certain size, do continuous logging, targeted monitoring, real time alerting. You can find more detailed information on this research here.

Aaron Shelmire and Ed Stoner of CERT presented their Dynamic DNS and Fast Flux analysis. They started their analysis with a malicious software catalog and augmented the malware domains list with ISC-SIE A, MX, and NS records. They define a fast flux domain as one that resolves to at least 25 different IPs on 20 ASNs. It was a good chance to validate each other’s results. For instance, Shelmire and Stoner see 1.5%-2% fast flux in malware. Our FastFluxMonitor detects about 1.4% – 4% flux in malware domain feeds. Their high level findings were similar to the trends we observed in our Botnet Threat Intelligence database.
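The threshold definition quoted above can be applied directly to passive DNS observations. The following is an added example, not code from CERT or from FastFluxMonitor: the function names and the sample records are constructed, IP-to-ASN mapping is assumed to have been done upstream, and "20 ASNs" is read as a minimum.

```python
from collections import defaultdict

# Thresholds quoted in the talk summary: at least 25 distinct IPs on 20 ASNs.
# Treating 20 ASNs as a minimum is an assumption of this example.
MIN_IPS = 25
MIN_ASNS = 20


def summarize(observations):
    """Group (domain, ip, asn) A-record observations into per-domain sets."""
    seen = defaultdict(lambda: {"ips": set(), "asns": set()})
    for domain, ip, asn in observations:
        # Normalize case and the trailing root dot so duplicates collapse.
        entry = seen[domain.lower().rstrip(".")]
        entry["ips"].add(ip)
        entry["asns"].add(asn)
    return seen


def fast_flux_domains(observations, min_ips=MIN_IPS, min_asns=MIN_ASNS):
    """Return {domain: (ip_count, asn_count)} for domains meeting both thresholds."""
    flagged = {}
    for domain, entry in summarize(observations).items():
        counts = (len(entry["ips"]), len(entry["asns"]))
        if counts[0] >= min_ips and counts[1] >= min_asns:
            flagged[domain] = counts
    return flagged


def build_sample():
    """Constructed observations: documentation IP ranges, private-use ASNs."""
    obs = []
    # flux.example: 30 IPs spread over 22 ASNs, meets both thresholds.
    for i in range(30):
        obs.append(("flux.example.", f"198.51.100.{i + 1}", 64512 + i % 22))
    # cdn.example: 40 IPs but only 2 ASNs, so the ASN test rejects it.
    for i in range(40):
        obs.append(("cdn.example", f"203.0.113.{i + 1}", 64600 + i % 2))
    # static.example: the same answer seen five times, 1 IP on 1 ASN.
    obs += [("static.example", "192.0.2.10", 64700)] * 5
    # Mixed-case repeat of an existing record must not inflate the counts.
    obs.append(("FLUX.example", "198.51.100.1", 64512))
    return obs


if __name__ == "__main__":
    for name, (ips, asns) in fast_flux_domains(build_sample()).items():
        print(f"{name}: {ips} IPs across {asns} ASNs")
```

The ASN condition is what separates flux from a large hosting or CDN footprint: `cdn.example` has more IPs than `flux.example` but is not flagged because they sit on two networks.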

Our presentation in the Event Detection via DNS and Route Monitoring session was received well. Daniel Massey discussed how to detect network route prefix hijacking via BGP monitoring. Our presentation focused on the use of the botnet social networks in detection and mitigation. In summary, our Botnet Threat Intelligence solution provides two levels of evidence as shown in the table below. Our guilt by association score is based upon a domain’s, nameserver’s, or IP’s relationship to other malicious entities through the historical social network knowledge. In contrast, our fast flux score is based on the domain’s or nameserver’s real-time behavior. Guilt by association scores provide pre-zero day intelligence while fast flux scores provide near-real time situation assessment.

[Table image: guilt by association (GBA) vs. fast flux (FF) scores]