Kneber Botnet - less fluxy but more stealthy

The recent news story about the Kneber botnet, based on the excellent work done by the NetWitness team and informative posts by Dancho Danchev and others, brought the ZeuS Trojan botnet into the limelight. In contrast to some misleading reports, the security community has been following this botnet, which infected more than 75,000 computer systems at nearly 2,500 companies, for quite a long time. We have been tracking ZeuS with our Fast Flux Monitor for some time as well. Given the recent interest in this botnet, we decided to analyze the reported ZeuS data using our Fast Flux Monitor database to provide some additional insight. Most of the domain, nameserver and IP entities associated with the attacking infrastructure reported in the NetWitness Kneber report have been in our FastFluxMonitor database. What is interesting is that most of the reported Kneber domains and nameservers do not exhibit fast flux behavior. For instance, all of the reported Kneber domains for the Trojan installers resolve to 1 to 4 IPs, which is not enough for a fast flux evasion scheme. The number of IPs each Kneber Trojan installer domain resolves to is shown in the table below.

[Figure: ZeuS Installer table]

Comparing the ZeuS network graph with the various botnets in our database reveals that the ZeuS botnet has a different network graph than others such as Avalanche, Conficker, Gumblar and Pushdo. The figure below shows the domain, nameserver and IP connectivity for the Avalanche botnet:


In this graph, the blue, red and green nodes denote IP addresses, domains and nameservers, respectively. Each cluster represents a set of entities in which any two nodes can be linked through domain, nameserver and IP connectivity. The Avalanche graph has one large cluster and six small clusters, making it easy to discover the various entities of this botnet. In contrast, the same graph for the ZeuS botnet, shown below, has one large cluster and over 200 small clusters, which makes it hard to discover the various entities of this botnet.

[Figure: FastFluxMonitor ZeuS network graph]

Referring to the data shown in the table above, the reported Kneber domains and nameservers belong to one of the small clusters on the right. These clusters consist of domains and nameservers that do not exhibit fast flux behavior. Whether the small clusters represent discreet probes of networks by large criminal organizations, or small operator hosting set-ups that downloaded free phishing kits, the ZeuS botnet is stealthier than the others because it relies on a large number of smaller clusters for its attack campaigns.

We will present our comparative analysis of the Avalanche, Conficker, Gumblar, Pushdo and ZeuS botnets at the NATO IST-091 Symposium on "Information Assurance and Cyber Defence", which will provide an explanation for the difference.

Operation Aurora - Searching for Stars, Finding Comets

When the ‘Operation Aurora, AKA trojan.hydraq’ controversy surfaced, we investigated the role, if any, of fast-flux botnets in the reputed exfiltration attacks by Chinese-supported actors against 33 US technology companies. Our preliminary results using FastFluxMonitor found no direct indication of fast-flux activity associated with the reported domain names. But just as astronomers may detect comets when observing stars, we did find associations between nameservers with a fast-flux history and some of the domains and IPs involved in the attacks. In the FastFluxMonitor table below, we see that three of the reported domains used in these attacks share the same nameserver, which is registered to the Chinese network operator CHINANET, ASN 4134, the leading ASN worldwide in terms of Conficker activity.

[Table: FastFluxMonitor results for the reported Aurora domains]

Building on this finding, we then used FastFluxMonitor to discover more than 600 bots with fast-flux behavior registered to this ASN. In the FastFluxMonitor table below, we see that a few of the nameservers associated with a known spamming IP from this ASN are classified as fast-flux. While the IP in question is not itself classified as fast-flux, its association with nameservers that are fast-flux is reason for suspicion.


By guilt-by-association, domain names or IPs associated with these nameservers are suspicious, irrespective of whether the individual IPs or domains are classified as fast-flux. Cyber-defenders can apply this intelligence as a proactive measure to filter access to or from these domains, IPs and nameservers. As exfiltration attacks are often complex attacks preceded by social engineering probes such as spear-phishing, proactive measures such as real-time filtering are essential. Perimeter and vulnerability-based defenses are necessary, but insufficient, measures against social engineering attacks.
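The two ideas above, clustering domain/nameserver/IP entities into connected components (as in the Avalanche and ZeuS graphs of the previous post) and flagging domains and IPs by association with a nameserver that has a fast-flux history, as an added Python illustration. This is not FastFluxMonitor code; the resolution records, hostnames and addresses are constructed placeholders, and the flagged nameserver set is assumed to come from a classifier like the one described.

```python
"""Cluster DNS infrastructure entities and propagate suspicion from
nameservers with a fast-flux history to the domains and IPs linked to them.

Added illustration, not FastFluxMonitor's implementation. All records below
are constructed sample data using reserved example names and addresses.
"""
from collections import defaultdict, deque

# Constructed resolution records: (domain, nameserver, resolved IP).
RECORDS = [
    # A small Kneber-like cluster: one nameserver, 1-2 IPs per domain.
    ("installer-a.example", "ns1.example.net", "192.0.2.10"),
    ("installer-a.example", "ns1.example.net", "192.0.2.11"),
    ("installer-b.example", "ns1.example.net", "192.0.2.12"),
    # A fluxier cluster: one domain cycling through five IPs, plus a second
    # domain that shares one of those IPs (and so lands in the same cluster).
    ("lure.example", "ns9.example.org", "198.51.100.5"),
    ("lure.example", "ns9.example.org", "198.51.100.6"),
    ("lure.example", "ns9.example.org", "198.51.100.7"),
    ("lure.example", "ns9.example.org", "198.51.100.8"),
    ("lure.example", "ns9.example.org", "198.51.100.9"),
    ("shop.example", "ns2.example.net", "198.51.100.5"),
    # An isolated, static site.
    ("static.example", "ns3.example.net", "203.0.113.1"),
]

# Nameservers an external classifier has labelled fast-flux (assumed input).
FAST_FLUX_NAMESERVERS = {"ns9.example.org"}


def build_graph(records):
    """Undirected graph over typed nodes ('domain', d), ('ns', n), ('ip', a).

    Edges follow the resolution path: a domain is linked to the nameserver
    that answers for it and to every IP it has resolved to.
    """
    graph = defaultdict(set)
    for domain, ns, ip in records:
        d, n, a = ("domain", domain), ("ns", ns), ("ip", ip)
        graph[d].add(n)
        graph[n].add(d)
        graph[d].add(a)
        graph[a].add(d)
    return graph


def clusters(graph):
    """Connected components, largest first: any two nodes in a component are
    linked through some chain of domain/nameserver/IP relationships."""
    seen, components = set(), []
    for start in graph:
        if start in seen:
            continue
        component, queue = set(), deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            component.add(node)
            for neighbour in graph[node]:
                if neighbour not in seen:
                    seen.add(neighbour)
                    queue.append(neighbour)
        components.append(component)
    return sorted(components, key=len, reverse=True)


def ips_per_domain(records):
    """Distinct IP count per domain; 1-4 IPs is too few for a flux scheme."""
    ips = defaultdict(set)
    for domain, _, ip in records:
        ips[domain].add(ip)
    return {domain: len(addresses) for domain, addresses in ips.items()}


def suspicious_by_association(graph, flagged_nameservers, depth=2):
    """Domains and IPs within `depth` hops of a flagged nameserver.

    With depth=2 this yields the domains served by the nameserver and the IPs
    those domains resolve to; a larger depth walks further out through shared
    IPs, trading precision for coverage.
    """
    found = set()
    for ns in flagged_nameservers:
        start = ("ns", ns)
        if start not in graph:
            continue
        distance, queue = {start: 0}, deque([start])
        while queue:
            node = queue.popleft()
            if distance[node] == depth:
                continue
            for neighbour in graph[node]:
                if neighbour not in distance:
                    distance[neighbour] = distance[node] + 1
                    queue.append(neighbour)
        found.update(node for node in distance if node[0] != "ns")
    return found


if __name__ == "__main__":
    graph = build_graph(RECORDS)
    print([len(c) for c in clusters(graph)])
    print(ips_per_domain(RECORDS))
    print(sorted(suspicious_by_association(graph, FAST_FLUX_NAMESERVERS)))
```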

News Scan – Cyber Security

  • “… unless Google had told us about the attack on it and other companies, we probably never would have seen it. When you think about that, it’s really scary.” – “In Digital Combat, U.S. Finds No Easy Deterrent”, NY Times, Jan 26, 2010
  • “Had this attack employed more sophisticated hosting or resolution techniques like fast flux, even the IP addresses would have been useless.” – “Finding Aurora (googlehack)”, NetWitness Blog, Jan 15, 2010

Concept Map vs. PowerPoint for Briefings

What has PowerPoint given the knowledge worker besides universality? PowerPoint features such as automatic generation of slides from outlines and structured knowledge constructs like tables, graphs and charts support knowledge organization and communication. Although most PowerPoint features have been available since the early days of Mac software such as MORE and Cricket Graph, it is the ubiquity of PowerPoint that created a backlash against the uniformity it imposes on thinking, organizing and sharing knowledge concepts. In his essay The Cognitive Style of PowerPoint: Pitching Out Corrupts Within, Edward Tufte analyzes the NASA briefings preceding the Columbia disaster and argues that PowerPoint templates weaken verbal and spatial reasoning and corrupt statistical analysis.

In the government space we serve, the situation is no different. As reported in the Wall Street Journal, PowerPoint has become an ingrained part of the defense culture. For instance, PowerPoint Ranger is now a derogatory term for a military professional who excels more in slidemaking than in warfighting. In fact, Margaret Hayes at the National Defense University posits that "You can't speak with the U.S. military without knowing PowerPoint." In the Armed Forces Journal essay Dumb-dumb Bullets, T. X. Hammes goes further and argues that PowerPoint is "actively hostile to thoughtful decision-making" and has "decreased the quality of the information provided to the decision-maker".

From a cognition perspective, would you ask a first grader to build a PowerPoint presentation to see their grasp of a concept? No. Luckily for us, thanks to the pioneering work of Joseph D. Novak at Cornell and others, there is something that educators are using for such assignments in K-12 and higher education: Concept Maps. A concept map is a graphical network diagram in which each node represents a concept and the labelled links depict the relationships between concepts. Here is a concept map that describes what a concept map is.

[Figure: Concept map of concept maps]

What is special about this representation? The teacher sees the limitation of the student's understanding, and multiple students can collaboratively build a concept map for shared understanding. Is that possible in PowerPoint? No. It is simply not possible to assess an author's level of understanding of the subject domain from a PowerPoint deck as lack of communication skills often masks the knowledge gaps in the underlying domain.

As articulated by Joseph D. Novak, meaningful learning involves the assimilation of new concepts and propositions into existing cognitive structures. What this means is that, for true learning, the viewer first needs to identify her or his known cognitive map of the presented concept and then detect the additions to this concept map. In other words, the viewer of a presentation always tries to find the answers to the following questions:

  • What do I already know in the presented topic?
  • What are the additional knowledge chunks that complement what I already know?
  • Can I trust the presented addition to my knowledge base?

In answering these questions, concept maps trump PowerPoint presentations, which explains their popularity in learning environments. Concept mapping is not a religion espoused by some education crusaders; the effectiveness of concept maps has been studied empirically. In an experiment conducted at the Naval Postgraduate School, Concept Maps were empirically demonstrated to be more effective than PowerPoint on key measures of knowledge transfer and rapidity of creation. In an anonymous survey at the American University in Cairo, a majority of students stated that doing concept maps required them to look at the assigned reading in more depth. A study conducted at a nursing school in Bangkok, Thailand showed that concept mapping is effective in assisting nursing students to summarize their own concepts and improve their nursing core competency in primary medical care.

There are other advantages of using Concept Maps in presentations. Jim Benson in his blog post makes the interesting point that concept maps create a continuous conversational flow with no breaks while noting that PowerPoint creates an unhealthy distraction of "What's coming next?". Steven Kaminski writes that most business PowerPoint presentations, with a little extra work, would be better—even much better—without it because the speaker becomes an audio aid for the PowerPoint slides instead of the presentation being a visual aid for the speaker, which is the case for concept maps.

In addition to several commercial software packages, there are several open source concept mapping tools. The Visual Understanding Environment (VUE) project at Tufts and CmapTools at the Institute for Human and Machine Cognition (IHMC) have large, active communities of users. We don't have to wait until Concept Maps become a part of the Microsoft Office suite to start using them. Do we?

Cyber-Terrorism/Warfare – The Emergent Threat: Strategies for Survival

Last night I attended a panel discussion entitled “Cyber-Terrorism/Warfare – The Emergent Threat: Strategies for Survival” at Boston University. While the cyber threat is not a new one, it is something that the intelligence community and the Department of Defense have more recently become invested in examining in some depth. One of the first questions raised to the panel involved defining the problem. What is the difference between cyber-crime, cyber-terrorism, and cyber-warfare? To give my own humble two cents, it would seem that the distinction is the same as in conventional operations. What distinguishes criminal acts from terrorist attacks is the end goal. In crime, the action, for example robbing somebody, is the end goal. The point is to get the money. In terrorism, the end goal is beyond the intended target. There is a political message inherent in the act that is targeted at an audience beyond the victims. Cyber-warfare would also have a political motive, and to quote Clausewitz, the action would simply be a continuation of politics by other means. To make the distinction between cyber-warfare and cyber-terrorism, it would matter what the intended target was. Terrorism is usually distinguished from war because it targets noncombatants, or individuals not in a "declared state of war". Therefore, the attacks against the Marine barracks in Lebanon in 1983 that killed more than 200 servicemembers were considered terrorism, because the barracks, while a military target, housed Marines that were part of a peacekeeping force in the country and therefore not in a declared state of war.


The tricky part comes in when one tries to attribute a cyber-attack to a particular actor. Dr. Leonid Reyzin, a cryptology expert, stated that our best defense against an attack is to harden our systems. Many government systems do not employ state-of-the-art cryptographic mechanisms (e.g., many sensitive systems currently use one password for numerous people). Additionally, he pointed out that life-critical systems, systems that if compromised could result in loss of life, should be completely disconnected from business networks altogether. He gave an example of a computer virus that spread through email systems and eventually infected the business system of a nuclear power plant. Because the power plant’s business system and critical systems were on the same network, the virus compromised and actually shut off the safety mechanisms of the plant.

Arthur Hulnick, a veteran of 30+ years in the intelligence community, stated that resources to address the cyber threat would best be spent on hiring the best and brightest people. He added that there were too many hurdles to hiring the right people in the intelligence community due to security concerns. Reliance on the polygraph and issues with traveling abroad or having foreign connections (despite the fact that you want bi-cultural or foreign language speakers that often have spent time in these places) prevent people from contributing to the effort.

Another question that was brought up to the panel involved the development of cyber-warfare doctrine. How can one reliably develop a strategy for engagement when there is the issue of attributing an attack to a particular state or actor? Is there a proportional response? Does one respond with offensive cyber capabilities against a country that may not have known their systems were breached? Is there a way to declare this policy for deterrence purposes? Joseph Wippl, another career CIA officer, stated that a robust international effort to share information and best practices would be the best preventive defense against cyber attacks. Dr. Robert Popp, a former DoD official in OSD and DARPA, stated that resources would best be allocated to develop offensive capabilities that could overwhelm our adversaries, hopefully providing some level of deterrence.

Overall, it was an interesting and informative evening; however, it seems that while there has been much discussion on the subject, there are many more questions than answers.

NAACSOS Annual Conference

Last week we presented work entitled “A Systems Dynamics Model of Counterinsurgency in Southern Afghanistan” at the North American Association for Computational Social and Organization Sciences at the Center for Social Dynamics and Complexity at ASU. NAACSOS (which will soon be changing its name to the much more digestible acronym CSSS – Computational Social Science Society) is a scholarly society seeking to advance social science through the application of computer simulation and other computer-based methods to the analysis of complex social systems and processes. In a break from our normal conference circuit, there were only a small number of presentations focusing on global security issues. The largest percentage of papers addressed developments in agent-based modeling. In particular, the most interesting advance from this perspective involved the integration of GIS technologies and 3-D agents for visualization in agent-based models. Capturing more realistic movement of humans as agents in a model will allow for greater complexity, with particular implications for evacuation and disaster management and planning.

Our paper focusing on Southern Afghanistan was well received and fostered a lively debate. Our presentation related to our work to build a campaign design tool for counterinsurgency and stability, security, reconstruction, and transition (SSTR) operations. In this project we are researching the root causes of insurgency and instability and fusing this knowledge to doctrinal components to find vulnerability points in the insurgent system, modeling the insurgent environment for use by operational commanders in answering what-if type strategic planning and resource allocation questions in the design of campaigns. Our approach supports analysts, planners, and practitioners involved in asymmetric operations by providing operationally relevant information on the relationships between factors driving the insurgency and leverage points identified through counterinsurgency measures, helping to build a more effective campaign design for complex operations.

[Figure: Integrated Feedback Loops of Insurgency in Southern Afghanistan]

The main questions that were raised during the presentation revolved around the utility of relying on the Counterinsurgency Field Manual, given its conceptual approach to operations. This is a familiar criticism we have heard regarding the Field Manual, which was released in 2006. Additionally, a major focus of the conference was on validation of models. Given that our model is more of a conceptual framework for critical thinking than a black box model, and that our project is based on qualitative rules from peer-reviewed and authoritative sources, we offered a different approach to traditional model validation requirements.

The most relevant presentation for our work in complex operations was from the U.S. Army TRADOC Analysis Center, “Cultural Geography Model Use in Support of Human in the Loop Experimentation”. This project involved developing an agent-based model of a civilian population to determine responses to government and stability force actions in a counterinsurgency environment. The population was based on data from the city of Amara in Iraq. This model was interesting in that the population was the center of gravity, to use Clausewitzian terms, rather than the more traditional insurgency-focused representation.

An additional paper of interest involved work out of George Mason University focusing on an agent-based model of kinship relationships in Pakistan. This presentation focused on developing a model based on qualitative rules from anthropological research that informs a template for the actual computer code. While this work is still in its early stages, the goal is to enable prediction of alliance formation.

A personal highlight of the conference was the presentation by Zachary Schaffer on “The Foundress’ Dilemma: An Agent-Based Model of Colony-Founding Strategy in Ants”. This research looked at the phenomenon whereby unrelated ant foundresses (essentially queen ants that found new colonies) can form seemingly altruistic cooperatives with other foundresses in establishing new colonies. In learning about cooperative colony foundation, I was able to tour the various species of ant colonies kept at the Center for research. Satisfying my itch for the ant farm I wanted growing up, it was a fascinating experience.

Phishing Websites Flux Their Way

The recent article "Tracking Devious Phishing Websites" in MIT Technology Review reports that 10 percent of phishing sites are using fast flux techniques to hide themselves. ICANN describes fast flux as ‘rapid and repeated changes to host and/or name server resource records, which result in rapidly changing the IP address to which the domain name of an Internet host or name server resolves’. Fast flux is used by botnets to conceal the Command and Control server to foil takedown. Such botnets are used in DDoS, spam, phishing, malware delivery and exfiltration. In particular, the use of fast flux increases the survival rate of a phishing botnet by about 27% as discussed in the Technology Review article.

Over the last 18 months, we have tracked over 280,000 fast flux domain, IP and nameserver entities, and witnessed fast flux infrastructures evolve from nascent to widespread use. Our ACM paper "Behavioral Analysis of Fast Flux Service Networks" compares the characteristics (e.g. size, lifespan, growth, etc.) of spam, phishing and malware botnets. The figure below shows the lifespan distribution of fast flux malware (blue), phishing (green) and spam (red) botnets in our current collection. Here the x-axis shows the lifespan of an inactive fast flux botnet in number of days, and the y-axis shows the number of inactive domains with that lifespan.


In comparison to botnets used for spam and malware, phishing botnets live less than a week. In contrast, spam botnets live up to 90 days, whereas malware botnets live up to 30 days. We suspect that phishing botnets receive the attention of brand protection takedown services because they target well-established brands. In contrast, malware delivery and spam botnets distribute their pain across the general population, thus avoiding retaliation.

Current domain and/or IP blacklist approaches may be useful against malware delivery and spam botnets, as those tend to stay around a while. In contrast, such blacklist approaches are clearly inadequate to cope with phishing botnets, given their short lifespan. As industry research by Cyveillance suggests that “the majority of the damage caused by phishing attacks is realized during the first 24 hours after an attack is launched”, a near real-time detection capability for phishing botnets is imperative.

Semantic Annotation for Knowledge Management

Do you remember your annotation home-works from literature courses? Researching the qualifications of an author, figuring out the topic, tone, rhetorical strategy, audience, and purpose of an essay, or thinking about the connections between what you just read and other work in the field ... Imagine everyone being able to put such facts and relations into a machine understandable form and having machines harvest those relations on our behalf. That is what semantic wikis enable.

Semantic annotation defines the domain concepts and the relations between concepts. Formally, an annotation is a tuple (subject, object, relation, context), as defined in "Annotation and Navigation in Semantic Wikis" by Eyal Oren et al. Our Semantic Wiki for Complex Operations uses Semantic MediaWiki, which allows annotations on a wiki page. For instance, the insurgency page has the following annotation:

* [[has characteristic::Popular Support]]

Here the subject of the annotation is the 'insurgency' concept represented by this wiki page, 'has characteristic' is the annotation relation, and 'popular support' is the object of the annotation. While Semantic MediaWiki only allows single level annotations of wiki pages and does not formally separate the page and the concept it represents, we think it still serves as the widely adopted standardized semantics syntax necessary for semantic wiki applications to take off.

Annotation clearly introduces an additional burden on the knowledge worker. So unless the return on investment in semantic annotation provides value to the community that the wiki serves, it would be hard to expect widespread adoption. Semantic MediaWiki extensions provide such value. Again referring back to our Semantic Wiki for Complex Operations, the wiki page for each social science data set (e.g. Minorities at Risk Project Dataset, CIRI Human Rights Data Project, etc.) is annotated using the built-in 'category' attribute:

[[Category:Dataset]]

That is, each social science dataset in our Complex Operations wiki is annotated as being of category Dataset. Clicking on the link Dataset above gives a table that lists the currently available social science datasets in our wiki:


In a traditional wiki, this table needs to be manually specified by:

[Figure: wiki table syntax for the manually specified dataset table]

In contrast, semantic annotation enables us to generate this table dynamically using only one statement in Semantic MediaWiki:

{{#ask: [[Category:Dataset]]
 | ?title
 | ?year
}}

As this example illustrates, semantic annotation provides a significant ROI to the knowledge worker in knowledge organization. Moreover, when a researcher adds another dataset to our wiki, this table will automatically include the new dataset, thus improving knowledge maintenance.
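To make the mechanics concrete, here is an added Python illustration (not Semantic MediaWiki's own implementation) that parses the two annotation forms used above, [[property::value]] and [[Category:Name]], into (subject, relation, object) triples and then emulates the #ask query by category with the ?title and ?year printouts. The page texts, the title values and the years are constructed sample data.

```python
"""Parse Semantic MediaWiki-style annotations and emulate an #ask query.

Added illustration, not Semantic MediaWiki's parser or query engine.
The wiki pages below are constructed sample data.
"""
import re

# [[property::value]] with an optional |display text; the property name
# stops at the first ':' so that [[Category:X]] is never read as a property.
PROPERTY_RE = re.compile(r"\[\[([^\[\]|:]+?)::([^\[\]|]+?)(?:\|[^\]]*)?\]\]")
CATEGORY_RE = re.compile(r"\[\[Category:([^\[\]|]+?)\]\]")

# Constructed wiki pages: page name -> wikitext.
PAGES = {
    "Insurgency": (
        "An insurgency is an organized movement aimed at overthrowing a "
        "constituted government.\n"
        "* [[has characteristic::Popular Support]]\n"
        "* [[has characteristic::Protracted Conflict]]\n"
    ),
    "Minorities at Risk Project Dataset": (
        "[[Category:Dataset]]\n"
        "[[title::Minorities at Risk]]\n"
        "[[year::2009]]\n"  # constructed value
    ),
    "CIRI Human Rights Data Project": (
        "[[Category:Dataset]]\n"
        "[[title::CIRI Human Rights]]\n"
        "[[year::2008|'08]]\n"  # constructed value, with display text
    ),
}


def parse_annotations(subject, text):
    """Return (subject, relation, object) triples found in one page.

    The page itself is the subject of every triple; category membership is
    represented with the relation "Category" so one query path serves both.
    """
    triples = [(subject, prop.strip(), value.strip())
               for prop, value in PROPERTY_RE.findall(text)]
    triples += [(subject, "Category", cat.strip())
                for cat in CATEGORY_RE.findall(text)]
    return triples


def ask(pages, category, props):
    """Emulate {{#ask: [[Category:<category>]] | ?prop ... }}.

    Returns one row per page in the category, in page-name order, with the
    requested properties (multiple values joined with ", ", missing -> "").
    """
    rows = []
    for name in sorted(pages):
        triples = parse_annotations(name, pages[name])
        if (name, "Category", category) not in triples:
            continue
        row = {"page": name}
        for prop in props:
            values = [obj for _, rel, obj in triples if rel == prop]
            row[prop] = ", ".join(values)
        rows.append(row)
    return rows


def render_wikitable(rows, props):
    """Render query rows as MediaWiki table syntax, as #ask would display."""
    lines = ['{| class="wikitable"', "! Page !! " + " !! ".join(props)]
    for row in rows:
        lines.append("|-")
        lines.append("| " + row["page"] + " || "
                     + " || ".join(row[p] for p in props))
    lines.append("|}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(parse_annotations("Insurgency", PAGES["Insurgency"]))
    print(render_wikitable(ask(PAGES, "Dataset", ["title", "year"]),
                           ["title", "year"]))
```

Adding a page carrying [[Category:Dataset]] to PAGES makes it appear in the next ask() result without touching the query, which is the maintenance benefit the post describes.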

Semantic Wikis for Communities of Practice

The term community of practice (CoP) was coined by Jean Lave, a social anthropologist. Its value in learning was popularized by Etienne Wenger, an educational theorist. CoP denotes a group of people who share a passion about a common topic, and deepen their knowledge and expertise in this domain by interacting with each other on an ongoing basis. According to Etienne Wenger, a community of practice defines itself along three dimensions and its characteristics can be captured by:

The domain. A community of practice is something more than a social network. "It has an identity defined by a shared domain of interest. Membership therefore implies a commitment to the domain, and therefore a shared competence that distinguishes members from other people".

The community. "In pursuing their interest in their domain, members engage in joint activities and discussions, help each other, and share information. They build relationships that enable them to learn from each other".

The practice. "Members of a community of practice are practitioners. They develop a shared repertoire of resources: experiences, stories, tools, ways of addressing recurring problems—in short a shared practice. This takes time and sustained interaction".

In developing and nurturing Communities of Practice, Etienne Wenger talks about the diverse and distributed internal leadership:
• The inspirational leadership provided by thought leaders and recognized experts
• The day-to-day leadership provided by those who organize activities
• The classificatory leadership provided by those who collect and organize information in order to document practices
• The interpersonal leadership provided by those who weave the community's social fabric
• The boundary leadership provided by those who connect the community to other communities
• The institutional leadership provided by those who maintain links with other organizational constituencies, in particular the official hierarchy
• The cutting-edge leadership provided by those who shepherd "out-of-the-box" initiatives.
McDermott goes further and states learning is in the relationships between people:

Learning traditionally gets measured as on the assumption that it is a possession of individuals that can be found inside their heads… Learning is in the relationships between people. Learning is in the conditions that bring people together and organize a point of contact that allows for particular pieces of information to take on a relevance; without the points of contact, without the system of relevancies, there is not learning, and there is little memory. Learning does not belong to individual persons, but to the various conversations of which they are a part.

In the book Seven Principles for Cultivating Communities of Practice, Etienne Wenger, Richard McDermott, and William M. Snyder argue that while communities of practice develop organically, a carefully crafted design can drive their evolution. Here are the seven principles:
1. Design for evolution
2. Open a dialogue between inside and outside perspectives
3. Invite different levels of participation
4. Develop both public and private community spaces
5. Focus on value
6. Combine familiarity and excitement
7. Create a rhythm for the community
There is additional research on what makes online CoPs flourish. Jennifer Preece posits that etiquette, empathy and trust in communities of practice can be developed by understanding people’s needs; representing the community’s purpose clearly; putting minimalist policies in place that can be changed as norms develop; supporting knowledge creation, exchange and storage; supporting communication and socialization online; encouraging empathy by enabling participants to recognize each other and their similarities; and supporting trust by ensuring that identity is revealed and past behavior is tracked.
In the paper Learning with Semantic Wikis, Sebastian Schaffert and his colleagues list the benefits of semantic wikis in the learning process. First, they argue that semantic annotations lead to reflection about knowledge. For instance, the student needs to reflect on the content while reorganizing the wiki material. In fact, the teacher can assess the student's progress by analyzing the change history. Second, semantic wikis enable the teacher and students to share formal models and build a common model collaboratively. Finally, the reasoning and inference capabilities of Semantic Web technologies can lead to discovery of knowledge without active user search. In the paper Using a Semantic Wiki in Communities of Practice, Adil El Ghali and his colleagues articulate the advantages of adding semantics to wikis, such as semantic search and navigation, a more intuitive interface, intelligent awareness, tagging, folksonomy management, linking CoP content to external resources, etc.

The development of Communities of Practice is the charter of Army Knowledge Online. Here is a paper and related presentation that articulate the thrust in DoD. We are in the process of putting these ideas into practice in our Semantic Wiki for Complex Operations project.

ECPR 5th General Conference

Last week we attended and presented a paper at the European Consortium for Political Research (ECPR) 5th General Conference in Potsdam, Germany. ECPR is a scholarly association focused on the training, research and cross-national co-operation of political scientists. From our viewpoint, the percentage of papers dealing with fragile states was significantly smaller than that of papers dealing with inward issues (i.e. the EU), in contrast to the situation we would normally see on our side of the Atlantic. In terms of exhibitors, the Bertelsmann Transformation Index (BTI) was of particular interest to our research on complex operations. BTI, which is published bi-annually, promotes democracy under the rule of law and a market economy with social safeguards. For instance, Uruguay joined the top 10 performers while Poland fell out of this group in the most recent edition. Another exhibitor, GIGA, which has a Focus Afrika publication, indicated that they will soon start publishing their data, which is great news for the research community. One of the interesting sessions addressed the question: Is a workable peace-building concept possible? Gilles Carbonnier's paper examined the role of non-state actors in resource-rich fragile states in the context of the Extractive Industries Transparency Initiative. The paper defined a set of criteria, such as proportionality, non-discrimination, neutrality and independence, to differentiate humanitarian assistance from development assistance. Although indicators for these metrics are sparse, the provincial distribution of economic aid can be effectively used as a proxy for measuring them. Thomas Biersteker's paper on peacekeeping in theory and practice gave a nice overview of the process of building the UN Peacebuilding Commission (UNPBC), which was created to address gaps in the global response to armed conflict and conflict recurrence.
The commission's charter is to support fragile societies recovering from the devastation of war within two years after the cessation of hostilities. Since its inception in 2005, the UNPBC has disbursed about $250M of funds, mostly in African countries.

Our paper on rumors, presented by Dr. Karen Guttieri, was well received and generated several questions. Rumor, information that is unsubstantiated yet widely shared, is rife during social conflict. In this paper, we analyzed rumors reported in The Baghdad Mosquito after the United States coalition invasion of Iraq in March 2003, and mapped rumor types against public opinion polling and a timeline of events that includes both insurgency and inter-sectarian conflict. Our paper shows that rumors have the potential to yield actionable cultural intelligence. The analysis of rumors can identify specific concerns and fears of a population that explain behavior and affect local cooperation with US counterinsurgency efforts. Furthermore, rumors can be used to assess foreign public opinion and measure the effectiveness of a hearts and minds campaign. While we have focused on Iraq, the concept of incorporating rumors as an intelligence source is applicable to virtually any country as long as the content analysis and rumor remedies are tailored to the culture in which they occur.

Peter Kotzian's paper on social norms analyzed the importance of macro- and micro-level variables that allow an individual to change his or her beliefs about whether a particular norm is still valid. The empirical findings, based on survey data from 24 countries, show that social trust has no effect on norm compliance. What makes people comply with norms is not blind trust but the belief, based on information, that the norm is still effective; hence, it is rational to comply. David Westlund's paper on rational belief changes for collective agents was an interesting formal model for studying the collective beliefs that emerge from the belief systems of individual agents. This model shows that the collective must believe exactly the same as at least one of its members. Dörte Dinger's paper analyzed partner perceptions in German-Italian bilateral relations by studying the press coverage of the incident created by Berlusconi's remarks.

- perennial incompetence

Over the last couple of years, we have used to submit proposals to civilian Federal agencies. Our experience has been uniformly dismal. After our recent experience, it is clear this system is getting worse. Let's start with the poor design that forces the applicant to use a rich client to cram each form and attachment into a single document. I guess it must have been designed when the majority of users were on dial-up. Initially this client was the PureEdge Viewer, which was a clunky application. The replacement of PureEdge was applauded in the research community. Recently, replaced the PureEdge form with an Adobe Reader form, which is - sad to report - even worse. If you update Adobe Reader, you lose all of the attached forms you filled in. The application generates a single PDF file for submission but insists that you submit the document through the Adobe application, which does not work.

Why can't the user upload the final document??? Why can't review the best practices in the government like DoD proposal submission systems and emulate it? Why can't develop a Web based system?

Such a poor design will generate a huge volume of customer support calls. It does. The support folks are not equipped to resolve these issues. You get canned responses like "try resetting your password". If you do, you are left hanging in the ether because of the heavy volume of use. If you want to speak with someone who is technical, good luck. Tier 2 support takes 2-5 days to respond.

If we were in the minority in such criticism, it would have been unfair to call incompetent. Alas, we are not. Just look at the posts at blog. Here are some recent posts. Here is another. Here are some academic workaround suggestions from Berkeley, Ohio State, Michigan Tech, Clemson, and the University of Michigan. The OMB Director is quoted as saying that is a casualty of increased usage. It is sad that agencies are using a system that is light years away from the state of the art to seek innovation.

The Inheritance

Perhaps now more than at any other time in our nation's history, the United States faces a multitude of strategic threats and challenges. Rogue regimes, militant Islamist networks, and changing power balances, from rising nations such as China to failing states such as Pakistan, threaten to upend the security and stability of the United States.

As a research assistant for The Inheritance: The World Obama Confronts and the Challenges to American Power, a book by David E. Sanger, Chief Washington Correspondent for The New York Times, I had the opportunity to dive deep into issues ranging from Chinese military modernization to cyber-security to the Iranian nuclear program. My research took me from the Pakistani nuclear establishment and the militant threat emanating from the tribal areas to the post-invasion environment in Afghanistan and the personalities shaping the debate on counterinsurgency in the post-9/11 world.

The democratization of technology involving nuclear materials, cyber-attacks, and biological agents has provided non-state actors access to weapons that were previously the purview of states. The multifaceted nature of these complex issues will require greater interagency cooperation and knowledge transfer, in particular in the civil-military field. Securing the homeland from the threat of radiological weapons will require a robust intelligence effort abroad to root out shadowy networks dealing in such materials, such as those of A.Q. Khan; an increased focus on securing at-risk facilities in Russia and the former Soviet states through initiatives like Cooperative Threat Reduction; and increasing collaboration between the scientific community and government entities such as the Domestic Nuclear Detection Office to bring cutting-edge research and technology to the detection of radioactive materials crossing our borders.

In the cyber-security realm, bolstering public-private partnerships between government entities such as the military and intelligence community, and corporations, financial institutions, and public utilities, often the targets of cyber-attacks, will be important in developing detection and response capabilities and formulating comprehensive rules of engagement. In addition to the military component of COIN operations, civilian teams specializing in security-sector reform, judicial and political affairs, economic development, and infrastructure will be operating in the battlespace to bolster host government legitimacy, the center of gravity in the campaign. Given the shared responsibilities in the civil-military field on these issues, fostering knowledge integration and cooperation between the various branches of government, military, and civilian stakeholders is of paramount importance to ensuring unity of effort.

The Inheritance is a research-backed analysis of the challenges we currently face, a legacy of the opportunities missed after 9/11. While I may be biased because of my involvement with the book, I strongly recommend it to anyone interested in understanding the challenges confronting Obama and the complexities of the geopolitical environment.

Military Logistics Summit

We attended IDGA's Military Logistics Summit held on June 8-10, 2009 in Vienna, VA. The focus of this year's summit was support for major deployment, re-deployment, and distribution operations. Milcord's presentation, entitled Risk-Based Route Planning for Sense and Respond Logistics, for the Military Logistics University covered the technology behind our Adaptive Risk-based Convoy Route Planning solution. Our presentation had a diverse audience ranging from logistics contractors in Pakistan to logisticians at large system integrators, from high-level US Army officers to academic researchers. A logistics contractor posed the question: "I love your risk-based route planning system. I wish we had a system like this. Most logistics material is carried by private subcontractors like us (under contract to a prime like Maersk) in Pakistan and Afghanistan. Even if the Army has this system, it won't do us any good." It was an interesting question that shone a light on the lack of information sharing between DoD and second- and third-tier military contractors in the supply chain, and it generated a nice discussion among attendees.

Another interesting question on our presentation concerned the predictability of a route. Minimal-distance routes are deterministic and pose a security risk because they can easily be determined by the adversary. In contrast, a minimal-risk route is not deterministic (it changes with events in the field), which gives better protection against prediction by the adversary. The risk surface (computed per road segment) changes with every incident, intel report, weather condition, traffic report, etc., which in turn changes the minimal-risk route.

Another question: "If a bridge is blown down the road, how long does it take the Urban Resolve data set to update itself?" This is an issue that even commercial COTS GPS tools struggle with for random events like road closures due to construction. Our current solution gives a manual workaround for such conditions by letting the user define an intermediate waypoint and dragging the route away from the bridge. Crowd-sourcing can also help address this issue by giving users the power to dynamically update road availability by adding road blocks on their GPS units. Crowd-sourcing also brings about data integrity issues, in that user-specified changes could not simply be put into the database, as every soldier would have a different viewpoint.

There were several other interesting presentations and exhibitions. Dr. Irene Petrick's talk on Digital Natives and 4th Generation Warfare generated active interaction with the audience. She presented survey results that compare the value systems of Traditionals, Baby Boomers, Gen X and Gen Y, articulated where Digital Natives can add value to warfighting, and outlined the challenges they pose to organizational management. On the gadget front, Safe Ports demoed an infrared-based eye scanner that even recognizes you through your sunglasses.

Milcord presents Risk-based Route Planning at the Military Logistics Summit

Milcord, LLC. - WALTHAM, MA – Milcord LLC presented and demonstrated its ‘Risk-Based Route Planning for Sense and Respond Logistics’ at the Military Logistics Summit in Vienna, VA, June 8 – 10. The presentation covered the technology behind Milcord’s Adaptive Risk-based Convoy Route Planning solution, an advanced technology demonstration developed in multiple SBIR contracts with the Army Geospatial Center and Office of Secretary of Defense. Milcord’s system is designed to address concerns about route safety and predictability. Approaches based on ‘minimal distance’ routes are deterministic and pose a security risk because they can easily be determined by the adversary. In contrast, ‘minimal risk’ route planning is not deterministic (it changes with events in the field), which gives better protection against prediction by the adversary. The risk surface (computed per road segment) changes with every incident, intelligence report, weather condition, traffic report, etc., which in turn changes the minimal-risk route. A demonstration is available at Milcord’s public wiki.

About Milcord: Since 2003 Milcord has been delivering knowledge management technologies and solutions for a range of applications including cyber defense, human and social modeling, geospatial intelligence, and information management. Milcord’s federal customers include Air Force Research Laboratory, Office of Naval Research, Army Research Labs, Army Geospatial Center, Office of Secretary of Defense, Department of Energy, and NASA. For more information see

Milcord awarded R&D contract under ONR HSCB program to develop Semantic Wiki for Complex Operations Community

Milcord, LLC. - WALTHAM, MA – Milcord LLC announced a multi-year award under DoD’s Human Social Culture Behavior (HSCB) Modeling Program to develop a semantic wiki for the Complex Operations community. The HYKNOCO (Hybrid Knowledge Management framework for Complex Operations) project is funded by the Office of Naval Research under the HSCB Modeling Program. Milcord is leading a team consisting of the Naval Postgraduate School, University of Maryland, University of California – Davis, and IAVO.

About Milcord: Since 2003 Milcord has been delivering knowledge management technologies and solutions for a range of applications including cyber defense, human and social modeling, geospatial intelligence, and information management. Milcord’s federal customers include Air Force Research Laboratory, Office of Naval Research, Army Research Labs, Army Geospatial Center, Office of Secretary of Defense, Department of Energy, and NASA. For more information see

Milcord awarded Phase II contract from Air Force Research Laboratory to develop Campaign Planning Tool

Milcord, LLC. - WALTHAM, MA – Milcord LLC began work on its ‘Predictive Societal Indicators of Radicalism’ project, a Phase II SBIR (Small Business Innovation Research) R&D contract to develop a Campaign Planning Decision Support Tool for COIN (Counterinsurgency) and Stability Operations. The project is funded by Air Force Research Laboratory. In this project Milcord will use its CKM (Course of Action Knowledge Management Framework) to build a data and knowledge management system, Human Terrain and Geospatial models, and advanced analytics that will allow COIN and Stability Operations teams to prepare the human and physical terrain, discover patterns, predict courses of action, and plan campaigns across logical lines of operation. Milcord is joined in this effort by Prof. David Cingranelli of the CIRI Human Rights Data Project and his team.

About Milcord: Since 2003 Milcord has been delivering knowledge management technologies and solutions for a range of applications including cyber defense, human and social modeling, geospatial intelligence, and information management. Milcord’s federal customers include Air Force Research Laboratory, Office of Naval Research, Army Research Laboratory, Army Geospatial Center, Office of Secretary of Defense, Department of Energy, and NASA. For more information see

Milcord awarded Phase II contract from Air Force Research Laboratory to develop software learning agent for AOC operations

Milcord, LLC. - WALTHAM, MA – Milcord LLC commenced work on its ‘Commander’s Learning Agent (CLearn)’ project, a Phase II SBIR (Small Business Innovation Research) R&D contract sponsored by Air Force Research Laboratory. In this project Milcord will use its CKM (Course of Action Knowledge Management Framework) to build a software learning agent for AOC operations. Traditional decision aid software requires the manual input of commander’s intent. There is a need to automatically capture the commander’s current mission, augment it with contextual knowledge, and assign priorities to resources supporting the commander’s mission.

About Milcord: Since 2003 Milcord has been delivering knowledge management technologies and solutions for a range of applications including cyber defense, human and social modeling, geospatial intelligence, and information management. Milcord’s federal customers include Air Force Research Laboratory, Office of Naval Research, Army Research Laboratory, Army Geospatial Center, Office of Secretary of Defense, Department of Energy, and NASA.

Notes from CSIIRW-09

We attended and presented at the Cyber Security and Information Intelligence Research Workshop, April 13-15, 2009 at Oak Ridge National Labs (ORNL). The audience numbered about 150 attendees, with academia and government representing the biggest segment and a few representatives from systems integrators and technology providers. In his keynote, Dr. Doug Maughan from DHS reviewed and assessed federal cyber initiatives from 2003 to the present. While noting that the amount of activity around cyber security is encouraging, Doug challenged the cyber security research community to be “bolder and riskier in their thinking”, to do a better job of capitalizing on the increased interest, and to come together on an agreement for a “National Cyber Security R&D Agenda”. In other featured presentations, Dr. Nabil Adam from DHS and Rutgers University introduced issues and programs at the intersection of Cyber and Physical Systems Security; SCADA and Smart Grid systems were highlighted. In his “Are we on the Right Road” presentation, George Hull from Northrop Grumman confronted basic challenges. With 5.4 million unique malware samples discovered in 2007, and companies like Symantec now doing up to 300 updates per day, signature-based systems don’t and can’t work. And as systems become ever more complex, the complexity works against security and reliability. Hull suggested that cyber security is not about the endpoints or the network; rather, the real focus needs to be defending the information. Dr. Robert Stratton from Symantec presented findings from Symantec’s Internet Security Threat Report (April 2009). Of particular interest to Milcord was the finding that “Symantec observed an average of 75,158 active bot-infected computers per day in 2008, an increase of 31 percent from the previous period.”

The panel discussions surfaced some points for pondering, including observations that as venture capitalists seem to be moving away from cyber security as an investment area the government needs to fill the void in R&D funding. Some questioned the effectiveness of some government cyber R&D programs like NSF, going so far as to refer to it as ‘welfare for scientists’, disconnected from real-world needs, and unlikely to produce innovation that results in deployable systems.

Milcord presented findings from its DHS-sponsored botnet research on the Behavioral Analysis of Fast Flux Service Networks. Specifically, we discussed the behavioral patterns of domains, name servers, and bots that our FastFlux Monitor revealed, grouped into the short-term, long-term, organizational, and operational behavior of botnets that use fast flux service networks.
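As an added illustration of the short-term behavioral features such an analysis relies on, the following Python is example code written for this post, not Milcord's FastFlux Monitor. It takes a handful of constructed DNS lookup snapshots (documentation-range addresses, not real infrastructure) and computes, per domain, the distinct address count, network diversity, the smallest TTL seen, and how often successive lookups introduce new addresses; the thresholds it then applies are assumptions for the example, chosen so that a domain resolving to only 1 to 4 addresses is never flagged.

```python
"""Added example (not Milcord's FastFlux Monitor code): short-term behavioral
features for spotting fast-flux-style DNS resolution, computed over a few
constructed resolution snapshots."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Snapshot:
    """One DNS lookup result: domain, time (seconds), TTL, and returned A records."""
    domain: str
    ts: int
    ttl: int
    a_records: tuple


# Constructed sample data: a flux-like domain rotating through many hosts with
# small TTLs, and an ordinary domain with a stable, small address set.
# Addresses are from RFC 5737 documentation ranges, not real infrastructure.
SNAPSHOTS = [
    Snapshot("flux.example", 0,   180, ("192.0.2.10", "198.51.100.7", "203.0.113.44")),
    Snapshot("flux.example", 200, 180, ("192.0.2.11", "198.51.100.8", "203.0.113.45")),
    Snapshot("flux.example", 400, 180, ("192.0.2.12", "198.51.100.9", "203.0.113.46")),
    Snapshot("flux.example", 600, 180, ("192.0.2.13", "198.51.100.7", "203.0.113.47")),
    Snapshot("stable.example", 0,   86400, ("192.0.2.200", "192.0.2.201")),
    Snapshot("stable.example", 200, 86400, ("192.0.2.200", "192.0.2.201")),
    Snapshot("stable.example", 400, 86400, ("192.0.2.201", "192.0.2.200")),
]


def short_term_features(snaps):
    """Per-domain features over a window of successive lookups."""
    by_domain = defaultdict(list)
    for s in snaps:
        by_domain[s.domain].append(s)
    feats = {}
    for domain, rows in by_domain.items():
        rows.sort(key=lambda r: r.ts)
        seen = set()
        new_per_lookup = []
        for r in rows:
            ips = set(r.a_records)
            new_per_lookup.append(len(ips - seen))
            seen |= ips
        # /16 prefixes stand in for network diversity (an assumption made for
        # this example; a real monitor would map addresses to ASNs).
        prefixes = {".".join(str(ip_address(ip)).split(".")[:2]) for ip in seen}
        # share of lookups after the first that introduced at least one new address
        churn = 0.0
        if len(rows) > 1:
            churn = sum(1 for n in new_per_lookup[1:] if n > 0) / (len(rows) - 1)
        feats[domain] = {
            "lookups": len(rows),
            "distinct_ips": len(seen),
            "distinct_prefixes": len(prefixes),
            "min_ttl": min(r.ttl for r in rows),
            "churn_rate": churn,
        }
    return feats


def is_flux_candidate(f, min_ips=5, max_ttl=600, min_prefixes=2, min_churn=0.5):
    """Heuristic thresholds (assumed for this example, not taken from the talk)."""
    return (f["distinct_ips"] >= min_ips and f["min_ttl"] <= max_ttl
            and f["distinct_prefixes"] >= min_prefixes and f["churn_rate"] >= min_churn)


def classify(snaps):
    """Map each domain in the snapshots to a fast-flux candidate verdict."""
    return {d: is_flux_candidate(f) for d, f in short_term_features(snaps).items()}


if __name__ == "__main__":
    for domain, verdict in classify(SNAPSHOTS).items():
        print(domain, "fast-flux candidate" if verdict else "normal")
```

Run it over your own resolver logs by building `Snapshot` rows from each lookup; the churn rate and prefix diversity are the features that separate a rotating bot pool from a legitimate site that simply uses a few load-balanced addresses.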

Milcord delivers ‘NextGen’ Web 2.0 version of ‘Information Bridge’ service for DOE

Milcord, LLC. - WALTHAM, MA – Milcord LLC delivered a ‘Next Generation’ concept prototype of DOE’s Information Bridge search service. The prototype was developed under an SBIR (Small Business Innovation Research) R&D project sponsored by DOE’s Office of Scientific and Technical Information (OSTI). The goal of the project is to develop search extensions to the Information Bridge service that support authoritative sources of Web 2.0 ‘rich media’ content types (videos, blogs, podcasts) relevant to the field of renewable energy. In the NextGen system, a user query returns not only text documents ranked by relevance but also relevant videos, blogs, and podcasts based on their authority score.

About Milcord: Since 2003 Milcord has been delivering knowledge management technologies and solutions for a range of applications including cyber defense, human and social modeling, geospatial intelligence, and information management. Milcord’s federal customers include Air Force Research Labs, Office of Naval Research, Army Research Labs, Army Geospatial Center, Office of Secretary of Defense, Department of Energy, and NASA. For more information see

The Efficiency of Security

Last week I visited a number of military and civilian Federal agencies in DC, MD, and VA. My experience in getting into these agencies was uniformly the same - long, cumbersome, and confusing. Now, we all agree that Federal agencies should control access to their facilities for security; after all, we are talking about national security. However, the question that begs to be answered is: Is this the most efficient and effective process to enforce security for access to our Federal government agencies? At every entrance, the visitor handwrites in a log her/his name, organization, citizenship status, name of the person to be visited, etc. Any re-transcription of this illegible content into a digital format would introduce typographical errors, thus defeating the very purpose of the data being collected. Most agencies also require the serial number of the laptop to be logged as well. I wonder how many visitors put down the serial numbers of their laptop battery or wireless card? This to me sounds more like an appearance of security than security itself.

So how can this process be improved? There are many effective online meeting solutions, such as Cisco WebEx, GoToMeeting, Office Live Meeting and so on, that could be emulated for physical access to a Federal government building. The common thread of these systems is that the person hosting the meeting (the official at the Federal government agency in our case) specifies the location (a physical instead of a virtual location in our case), date and time and invites attendees, which results in the generation of a unique event ID. Such a system can be easily extended to obtain the additional information required (e.g. citizenship, laptop serial number). In addition, such event management systems would issue a password to be able to attend the meeting.

Imagine visiting a Federal agency where you can generate the necessary paperwork at a kiosk by supplying the meeting ID and password. In such a world, security personnel would do what adds the greatest value: verifying the credentials of the visitor and authorizing access, similar to boarding an airplane. Once the system is IT-based, additional checks on the visitor's credentials can be performed using web services. If tracking a laptop is critical, then such a kiosk can automatically determine the MAC address of the laptop, ensuring additional safety. Imagine the millions of hours saved if every Federal agency adopted such a system.
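To make the proposed flow concrete, here is an added Python example (written for this post, not an existing agency or vendor system) of the two halves described above: the host schedules a visit, which yields an event ID and a per-visitor one-time code, and the lobby kiosk later verifies event, visitor, time window and code before issuing a badge. All names, time values and the credential format are assumptions for the example; the code stores only salted hashes of the visitor codes, so a leaked schedule database does not hand out working credentials.

```python
"""Added example (not an existing agency or vendor system): issuing a visit
credential (event ID + one-time code) when a host schedules a meeting, and
verifying it at a lobby kiosk. Names and formats are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Visit:
    event_id: str
    host: str
    location: str
    start: int            # visit window start, seconds since epoch (constructed values below)
    end: int
    # per-visitor (salt, sha256(salt || code)); the code itself is never stored
    visitors: dict = field(default_factory=dict)
    # codes are single-use: a visitor is recorded here once checked in
    redeemed: set = field(default_factory=set)


def _hash_code(code, salt):
    return hashlib.sha256(salt + code.encode()).hexdigest()


def schedule_visit(host, location, start, end, visitor_names):
    """Host creates the event; returns the Visit record plus the codes to send to visitors."""
    visit = Visit(event_id=secrets.token_hex(8), host=host, location=location,
                  start=start, end=end)
    codes = {}
    for name in visitor_names:
        code = secrets.token_urlsafe(9)          # ~72 bits of randomness per visitor
        salt = secrets.token_bytes(16)
        visit.visitors[name] = (salt, _hash_code(code, salt))
        codes[name] = code                       # delivered to the visitor out of band
    return visit, codes


def kiosk_checkin(registry, event_id, name, code, now):
    """Kiosk verification: known event, inside the window, invited visitor,
    code not yet used, and a constant-time hash comparison."""
    visit = registry.get(event_id)
    if visit is None:
        return False, "unknown event"
    if not (visit.start <= now <= visit.end):
        return False, "outside visit window"
    if name not in visit.visitors:
        return False, "visitor not on invite list"
    if name in visit.redeemed:
        return False, "code already used"
    salt, stored = visit.visitors[name]
    if not hmac.compare_digest(_hash_code(code, salt), stored):
        return False, "bad code"
    visit.redeemed.add(name)
    return True, f"badge issued for {name} to see {visit.host} at {visit.location}"


def demo():
    """Constructed walk-through; returns the sequence of check-in outcomes."""
    visit, codes = schedule_visit("J. Doe (agency host)", "Building 7, Room 210",
                                  start=1_000_000, end=1_003_600,
                                  visitor_names=["A. Visitor"])
    registry = {visit.event_id: visit}
    ok1, _ = kiosk_checkin(registry, visit.event_id, "A. Visitor", codes["A. Visitor"], now=1_000_600)
    ok2, why2 = kiosk_checkin(registry, visit.event_id, "A. Visitor", codes["A. Visitor"], now=1_000_700)
    ok3, why3 = kiosk_checkin(registry, visit.event_id, "B. Other", "whatever", now=1_000_700)
    ok4, why4 = kiosk_checkin(registry, visit.event_id, "A. Visitor", codes["A. Visitor"], now=2_000_000)
    return [ok1, ok2, why2, ok3, why3, ok4, why4]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The time-window and single-use checks are what turn a meeting invitation into an access credential: the same code presented twice, or a day late, is refused, and the guard's job reduces to matching the person to the badge the kiosk printed.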