2005 | Book

Intelligence and Security Informatics

IEEE International Conference on Intelligence and Security Informatics, ISI 2005, Atlanta, GA, USA, May 19-20, 2005. Proceedings

Edited by: Paul Kantor, Gheorghe Muresan, Fred Roberts, Daniel D. Zeng, Fei-Yue Wang, Hsinchun Chen, Ralph C. Merkle

Publisher: Springer Berlin Heidelberg

Book series: Lecture Notes in Computer Science

About this book

Intelligence and security informatics (ISI) can be broadly defined as the study of the development and use of advanced information technologies and systems for national and international security-related applications, through an integrated technological, organizational, and policy-based approach. In the past few years, ISI research has experienced tremendous growth and attracted substantial interest from academic researchers in related fields as well as practitioners from both government agencies and industry. The first two meetings (ISI 2003 and ISI 2004) in the ISI symposium and conference series were held in Tucson, Arizona, in 2003 and 2004, respectively. They provided a stimulating intellectual forum for discussion among previously disparate communities: academic researchers in information technologies, computer science, public policy, and social studies; local, state, and federal law enforcement and intelligence experts; and information technology industry consultants and practitioners. Building on the momentum of these ISI meetings and with sponsorship by the IEEE, we held the IEEE International Conference on Intelligence and Security Informatics (ISI 2005) in May 2005 in Atlanta, Georgia. In addition to the established and emerging ISI research topics covered at past ISI meetings, ISI 2005 included a new track on Terrorism Informatics, which is a new stream of terrorism research leveraging the latest advances in social science methodologies, and information technologies and tools. ISI 2005 was jointly hosted by Rutgers, the State University of New Jersey; the University of Arizona (UA); and the Georgia Institute of Technology (GATECH).

Table of contents

Frontmatter

Long Papers

Data and Text Mining

Collusion Set Detection Through Outlier Discovery

The ability to identify collusive malicious behavior is critical in today’s security environment. We pose the general problem of Collusion Set Detection (CSD): identifying sets of behavior that together satisfy some notion of “interesting behavior”. For this paper, we focus on a subset of the problem (called CSD′), by restricting our attention only to outliers. In the process of proposing the solution, we make the following novel research contributions: First, we propose a suitable distance metric, called the collusion distance metric, and formally prove that it indeed is a distance metric. We propose a collusion distance based outlier detection (CDB) algorithm that is capable of identifying the causal dimensions (n) responsible for the outlierness, and demonstrate that it improves both precision and recall, when compared to the Euclidean based outlier detection. Second, we propose a solution to the CSD′ problem, which relies on the semantic relationships among the causal dimensions.

Vandana P. Janeja, Vijayalakshmi Atluri, Jaideep Vaidya, Nabil R. Adam
Digging in the Details: A Case Study in Network Data Mining

Network Data Mining builds network linkages (network models) between myriads of individual data items and utilizes special algorithms that aid visualization of ‘emergent’ patterns and trends in the linkage. It complements conventional and statistically based data mining methods. Statistical approaches typically flag, alert or alarm instances or events that could represent anomalous behavior or irregularities because of a match with pre-defined patterns or rules. They serve as ‘exception detection’ methods where the rules or definitions of what might constitute an exception are able to be known and specified ahead of time. Many problems are suited to this approach. Many problems however, especially those of a more complex nature, are not well suited. The rules or definitions simply cannot be specified; there are no known suspicious transactions. This paper presents a human-centered network data mining methodology. A case study from the area of security illustrates the application of the methodology and corresponding data mining techniques. The paper argues that for many problems, a ‘discovery’ phase in the investigative process based on visualization and human cognition is a logical precedent to, and complement of, more automated ‘exception detection’ phases.

John Galloway, Simeon J. Simoff
Efficient Identification of Overlapping Communities

In this paper, we present an efficient algorithm for finding overlapping communities in social networks. Our algorithm does not rely on the contents of the messages and uses the communication graph only. The knowledge of the structure of the communities is important for the analysis of social behavior and evolution of the society as a whole, as well as its individual members. This knowledge can be helpful in discovering groups of actors that hide their communications, possibly for malicious reasons. Although the idea of using communication graphs for identifying clusters of actors is not new, most of the traditional approaches, with the exception of the work by Baumes et al, produce disjoint clusters of actors, de facto postulating that an actor is allowed to belong to at most one cluster. Our algorithm is significantly more efficient than the previous algorithm by Baumes et al; it also produces clusters of a comparable or better quality.

Jeffrey Baumes, Mark Goldberg, Malik Magdon-Ismail
Event-Driven Document Selection for Terrorism Information Extraction

In this paper, we examine the task of extracting information about terrorism related events hidden in a large document collection. The task assumes that a terrorism related event can be described by a set of entity and relation instances. To reduce the amount of time and efforts in extracting these event related instances, one should ideally perform the task on the relevant documents only. We have therefore proposed some document selection strategies based on information extraction (IE) patterns. Each strategy attempts to select one document at a time such that the gain of event related instance information is maximized. Our IE-based document selection strategies assume that some IE patterns are given to extract event instances. We conducted some experiments for one terrorism related event. Experiments have shown that our proposed IE based document selection strategies work well in the extraction task for news collections of various size.

Zhen Sun, Ee-Peng Lim, Kuiyu Chang, Teng-Kwee Ong, Rohan Kumar Gunaratna
Link Analysis Tools for Intelligence and Counterterrorism

Association rule mining is an important data analysis tool that can be applied with success to a variety of domains. However, most association rule mining algorithms seek to discover statistically significant patterns (i.e. those with considerable support). We argue that, in law-enforcement, intelligence and counterterrorism work, sometimes it is necessary to look for patterns which do not have large support but are otherwise significant. Here we present some ideas on how to detect potentially interesting links that do not have strong support in a dataset. While deciding what is of interest must ultimately be done by a human analyst, our approach allows filtering some events with interesting characteristics among the many events with low support that may appear in a dataset.

Antonio Badia, Mehmed Kantardzic
Mining Candidate Viruses as Potential Bio-terrorism Weapons from Biomedical Literature

In this paper we present a semantic-based data mining approach to identify candidate viruses as potential bio-terrorism weapons from biomedical literature. We first identify all the possible properties of viruses as search key words based on Geissler’s 13 criteria; the identified properties are then defined using MeSH terms. Then, we assign each property an importance weight based on domain experts’ judgment. After generating all the possible valid combinations of the properties, we search the biomedical literature, retrieving all the relevant documents. Next our method extracts virus names from the downloaded documents for each search keyword and identifies the novel connection of the virus according to these 4 properties. If a virus is found in the different document sets obtained by several search keywords, the virus should be considered as suspicious and treated as candidate viruses for bio-terrorism. Our findings are intended as a guide to the virus literature to support further studies that might then lead to appropriate defense and public health measures.

Xiaohua Hu, Illhoi Yoo, Peter Rumm, Michael Atwood
Private Mining of Association Rules

This paper introduces a new approach to a problem of data sharing among multiple parties, without disclosing the data between the parties. Our focus is data sharing among two parties involved in a data mining task. We study how to share private or confidential data in the following scenario: two parties, each having a private data set, want to collaboratively conduct association rule mining without disclosing their private data to each other or any other parties. To tackle this demanding problem, we develop a secure protocol for two parties to conduct the desired computation. The solution is distributed, i.e., there is no central, trusted party having access to all the data. Instead, we define a protocol using homomorphic encryption techniques to exchange the data while keeping it private. All the parties are treated symmetrically: they all participate in the encryption and in the computation involved in learning the association rules.

Justin Zhan, Stan Matwin, LiWu Chang

Infrastructure Protection and Emergency Response

Design Principles of Coordinated Multi-incident Emergency Response Systems

Emergency response systems play an important role in homeland security nowadays. Despite this, research in the design of emergency response systems is lacking. An effective design of emergency response system involves multi-disciplinary design considerations. On the basis of emergency response system requirement analysis, in this paper, we develop a set of supporting design concepts and strategic principles for an architecture for a coordinated multi-incident emergency response system.

Rui Chen, Raj Sharman, H. Raghav Rao, Shambhu Upadhyaya
Multi-modal Biometrics with PKI Technologies for Border Control Applications

It is widely recognized that multi-modal biometrics has the potential to strengthen border protection by reducing the risk of passport fraud. However, it may take high costs to issue smart-card enabled passports over the world and to process a huge amount of biometric information (on-line). A public key cryptography is another useful tool for verifying a person’s identity in a stringent way, but a key management is one of critical problems arising from the use of cryptographic schemes. For example, a passport-holder should keep a private key in a smart-card-level device while an inspecting officer accesses a corresponding public key in an authentic manner. In this paper, we present a low-cost but highly-scalable method that uses multi-modal biometrics based on face and fingerprints, and public key infrastructures (PKIs) for border control applications. A digital signature in PKIs and multi-modal biometrics are carefully applied in our scheme, in order to reduce the possibility of undesirable factors significantly at nation’s borders without requiring any hardware device in passports. We could print a (publicly readable) barcodes on the passport instead of requiring the smart-card-level devices.

Taekyoung Kwon, Hyeonjoon Moon
Risk Management Using Behavior Based Bayesian Networks

Security administration is an uphill task to implement in an enterprise network providing secured corporate services. With the slew of patches being released by Microsoft, HP and other vendors, system administrators require a barrage of tools for analyzing the risk due to these vulnerabilities. In addition to this, criticalities in patching some end hosts (e.g., in hospitals) raise serious security issues about the network to which the end hosts are connected. In this context, it would be imperative to know the risk level of all critical resources (e.g., Oracle Server in HR department) keeping in view the everyday emerging new vulnerabilities. We hypothesize that sequence of network actions by an attacker depends on the social behavior (e.g., skill level, tenacity, financial ability). We extended this and formulated a mechanism to estimate the risk level of critical resources that may be compromised based on attacker behavior. This estimation is accomplished using behavior based attack graphs. These graphs represent all the possible attack paths to all the critical resources. Based on these graphs, we calculate the risk level of a critical resource using Bayesian methodology and periodically update the subjective beliefs about the occurrence of an attack. Such a calculated risk level would be a measure of the vulnerability of the resource and it forms an effective basis for a system administrator to perform suitable changes to network configuration. Thus suitable vulnerability analysis and risk management strategies can be formulated to efficiently curtail the risk from different types of attackers (script kiddies, hackers, criminals and insiders).

Ram Dantu, Prakash Kolan
Sensitivity Analysis of an Attack Containment Model

A feedback control model has been previously proposed to regulate the number of connections at different levels of a network. This regulation is applied in the presence of a worm attack resulting in a slow down of the spreading worm allowing time to human reaction to properly eliminate the worm in the infected hosts. The feedback model constitutes of two queues, one for safe connections and another for suspected connections. The behavior of the proposed model is based on three input parameters to the model. These parameters are: (i) the portion of new connection requests to be sent to the suspect queue, (ii) the number of requests to be transferred from the suspect to the safe queue, and (iii) the time out value of the requests waiting in the suspect queue. The more we understand the effects of these parameters on the model, the better we can calibrate the model. Based on this necessity, a sensitivity analysis of the model is presented here. The analysis allows for the computation of the effects of changing parameters in the output of the model. In addition, the use of a sensitivity matrix permits the computations of not only changes in one parameter but also combined changes of these parameters. From the sensitivity analysis we have verified our assumption that the changes in the input parameters have no effect on the overall system stability. However, there will be a short period of instability before reaching a stable state.

Ram Dantu, João W. Cangussu, Janos Turi
Toward a Target-Specific Method of Threat Assessment

The threat assessment model used here has been used by researchers at ICT to estimate the “attractiveness” of specific facilities to terrorist organizations. The model uses on-site evaluations of vulnerabilities to build a portfolio of possible attack scenarios. These scenarios are then analyzed using known or estimated sensitivities and target-assessment criteria for the different organizations. The result is a means of rating the different scenarios according to their attractiveness to different types of organization. This enables decision-makers to concentrate resources on most probable scenarios, rather than on worst-case scenarios. The model has provided credible results for actual venues.

Yael Shahar

Information Management

Incident and Casualty Databases as a Tool for Understanding Low-Intensity Conflicts

Today’s “low-intensity” conflicts do not involve victory or defeat in the conventional sense; instead, each side attempts to achieve a psycho-political victory by influencing people’s thoughts and feelings about the issues in dispute. Casualty statistics are an important element in forming these thoughts and feelings; in turn, a robust incident and casualty database can be an important tool in coming to an accurate understanding of complex conflicts with multiple actors and incident types. For a casualty database to produce meaningful, informative, and accurate results, it must have a rich array of well-defined categories to which to assign incidents and casualty data. It must also be conceived, designed, and administered with a strict adherence to accuracy rather than advocacy as a primary goal.

Don Radlauer
Integrating Private Databases for Data Analysis

In today’s globally networked society, there is a dual demand on both information sharing and information protection. A typical scenario is that two parties wish to integrate their private databases to achieve a common goal beneficial to both, provided that their privacy requirements are satisfied. In this paper, we consider the goal of building a classifier over the integrated data while satisfying the k-anonymity privacy requirement. The k-anonymity requirement states that domain values are generalized so that each value of some specified attributes identifies at least k records. The generalization process must not leak more specific information other than the final integrated data. We present a practical and efficient solution to this problem.

Ke Wang, Benjamin C. M. Fung, Guozhu Dong

Deception Detection and Authorship Analysis

Applying Authorship Analysis to Arabic Web Content

The advent and rapid proliferation of internet communication has allowed the realization of numerous security issues. The anonymous nature of online mediums such as email, web sites, and forums provides an attractive communication method for criminal activity. Increased globalization and the boundless nature of the internet have further amplified these concerns due to the addition of a multilingual dimension. The world’s social and political climate has caused Arabic to draw a great deal of attention. In this study we apply authorship identification techniques to Arabic web forum messages. Our research uses lexical, syntactic, structural, and content-specific writing style features for authorship identification. We address some of the problematic characteristics of Arabic in route to the development of an Arabic language model that provides a respectable level of classification accuracy for authorship discrimination. We also run experiments to evaluate the effectiveness of different feature types and classification techniques on our dataset.

Ahmed Abbasi, Hsinchun Chen
Automatic Extraction of Deceptive Behavioral Cues from Video

This research initiative is an initial investigation into a novel approach for deriving indicators of deception from video-taped interaction. The team utilized two-dimensional spatial inputs extracted from video to construct a set of discrete and inter-relational features. The features for thirty-eight video interactions were then analyzed using discriminant analysis. Additionally, features were used to build a multivariate regression model. Through this exploratory study, the team established the validity of the approach, and identified a number of promising features, opening the door for further investigation.

Thomas O. Meservy, Matthew L. Jensen, John Kruse, Judee K. Burgoon, Jay F. Nunamaker
Automatically Determining an Anonymous Author’s Native Language

Text authored by an unidentified assailant can offer valuable clues to the assailant’s identity. In this paper, we show that stylistic text features can be exploited to determine an anonymous author’s native language with high accuracy.

Moshe Koppel, Jonathan Schler, Kfir Zigdon

Monitoring and Surveillance

A Cognitive Model for Alert Correlation in a Distributed Environment

The area of alert fusion for strengthening information assurance in systems is a promising research area that has recently begun to attract attention. Increased demands for “more trustworthy” systems and the fact that a single sensor cannot detect all types of misuse/anomalies have prompted most modern information systems deployed in distributed environments to employ multiple, diverse sensors. Therefore, the outputs of the sensors must be fused in an effective and intelligent manner in order to provide an overall view of the status of such systems. A unified architecture for intelligent alert fusion will essentially combine alert prioritization, alert clustering and alert correlation. In this paper, we address the alert correlation aspect of sensor data fusion in distributed environments. A causal knowledge based inference technique with fuzzy cognitive modeling is used to correlate alerts by discovering causal relationships in alert data.

Ambareen Siraj, Rayford B. Vaughn
Beyond Keyword Filtering for Message and Conversation Detection

Keyword filtering is a commonly used way to select, from a set of intercepted messages, those that need further scrutiny. An obvious countermeasure is to replace words that might be on a keyword list by others. We show that this strategy itself creates a signature in the altered messages that makes them readily detectable using several forms of matrix decomposition. Not only can unusual messages be detected, but sets of related messages can be detected as conversations, even when their endpoints have been obscured (by using transient email addresses, stolen cell phones and so on).

D. B. Skillicorn
Content-Based Detection of Terrorists Browsing the Web Using an Advanced Terror Detection System (ATDS)

The Terrorist Detection System (TDS) is aimed at tracking down suspected terrorists by analyzing the content of information they access. TDS operates in two modes: a training mode and a detection mode. During the training mode TDS is provided with Web pages accessed by a normal group of users and computes their typical interests. During the detection mode TDS performs real-time monitoring of the traffic emanating from the monitored group of users, analyzes the content of the Web pages accessed, and issues an alarm if the access information is not within the typical interests of the group. In this paper we present an advanced version of TDS (ATDS), where the detection algorithm was enhanced to improve the performance of the basic TDS system. ATDS was implemented and evaluated in a network environment of 38 users comparing it to the performance of the basic TDS. Behavior of suspected terrorists was simulated by accessing terror related sites. The evaluation included also sensitivity analysis aimed at calibrating the settings of ATDS parameters to maximize its performance. Results are encouraging. ATDS outperformed TDS significantly and was able to reach very high detection rates when optimally tuned.

Yuval Elovici, Bracha Shapira, Mark Last, Omer Zaafrany, Menahem Friedman, Moti Schneider, Abraham Kandel
Modeling and Multiway Analysis of Chatroom Tensors

This work identifies the limitations of n-way data analysis techniques in multidimensional stream data, such as Internet chatroom communications data, and establishes a link between data collection and performance of these techniques. Its contributions are twofold. First, it extends data analysis to multiple dimensions by constructing n-way data arrays known as high order tensors. Chatroom tensors are generated by a simulator which collects and models actual communication data. The accuracy of the model is determined by the Kolmogorov-Smirnov goodness-of-fit test which compares the simulation data with the observed (real) data. Second, a detailed computational comparison is performed to test several data analysis techniques including svd [1], and multiway techniques including Tucker1, Tucker3 [2], and Parafac [3].

Evrim Acar, Seyit A. Çamtepe, Mukkai S. Krishnamoorthy, Bülent Yener
Selective Fusion for Speaker Verification in Surveillance

This paper presents an improved speaker verification technique that is especially appropriate for surveillance scenarios. The main idea is a meta-learning scheme aimed at improving fusion of low- and high-level speech information. While some existing systems fuse several classifier outputs, the proposed method uses a selective fusion scheme that takes into account conveying channel, speaking style and speaker stress as estimated on the test utterance. Moreover, we show that simultaneously employing multi-resolution versions of regular classifiers boosts fusion performance. The proposed selective fusion method aided by multi-resolution classifiers decreases error rate by 30% over ordinary fusion.

Yosef A. Solewicz, Moshe Koppel

Terrorism Informatics

A New Conceptual Framework to Resolve Terrorism’s Root Causes

To effectively resolve the violent challenges presented by terrorist groups to the security and well-being of their state adversaries, it is crucial to develop an appropriate understanding of all the root causes underlying such conflicts because terrorist insurgencies do not emerge in a political, socio-economic, religious or even psychological vacuum. It could be argued, in fact, that the root causes underlying an insurgency are the initial components driving the terrorist life cycle (TLC) and the terrorist attack cycle (TAC). The TLC refers to why and how terrorist groups are formed, led and organized, the nature of their grievances, motivations, strategies and demands vis-a-vis their adversaries, and the linkages that terrorist groups form with their supporting constituency. These components of the TLC, in turn, affect the TAC—a group’s modus operandi, how they conduct the spectrum of operations, ranging from non-violent to violent activities, and their choice of weaponry and targeting.

Joshua Sinai
Analyzing Terrorist Networks: A Case Study of the Global Salafi Jihad Network

It is very important for us to understand the functions and structures of terrorist networks to win the battle against terror. However, previous studies of terrorist network structure have generated little actionable results. This is mainly due to the difficulty in collecting and accessing reliable data and the lack of advanced network analysis methodologies in the field. To address these problems, we employed several advanced network analysis techniques ranging from social network analysis to Web structural mining on a Global Salafi Jihad network dataset collected through a large scale empirical study. Our study demonstrated the effectiveness and usefulness of advanced network techniques in terrorist network analysis domain. We also introduced the Web structural mining technique into the terrorist network analysis field which, to the best of our knowledge, has never been used in this domain. More importantly, the results from our analysis provide not only insights for terrorism research community but also empirical implications that may help law enforcement, intelligence, and security communities to make our nation safer.

Jialun Qin, Jennifer J. Xu, Daning Hu, Marc Sageman, Hsinchun Chen
A Conceptual Model of Counterterrorist Operations

This paper describes the development of the Conceptual Model of Counter Terrorist Operations or the CMCTO. The CMCTO is a top down decomposition of the functions that are performed in the Counter Terrorist Domain. The model first decomposes the domain into Functions directed toward terrorists; Functions directed toward victims; and, Functions of support. Each of these functions is further decomposed to varying levels. The paper also includes a comprehensive review of the literature and of the process used.

David Davis, Allison Frendak-Blume, Jennifer Wheeler, Alexander E. R. Woodcock, Clarence Worrell III
Measuring Success in Countering Terrorism: Problems and Pitfalls

One of the major problems in Intelligence analysis and counter-terrorism research is the use or, more precisely, misuse of metrics as a means to measure success. Such quantification may be admirable and necessary when dealing with rocket motors or physical phenomena but can be self-defeating and unrealistic when dealing with people and human events which, after all, are the ultimate underpinnings of terrorism, insurgency and political instability. Human behavior is notoriously hard to predict and outcomes without historical perspective difficult to assess. Measures of success that are touted as useful and accurate so often in the real world prove to be little more than intellectual snake oil. Hard quantifiable data that is meaningful is hard to come by, and so we often willingly settle for data that are easily accessible and quantifiable, hoping that our extrapolations are sufficiently accurate to guide or assess a course of action or the conduct of a conflict.

Peter S. Probst
Mapping the Contemporary Terrorism Research Domain: Researchers, Publications, and Institutions Analysis

The ability to map the contemporary terrorism research domain involves mining, analyzing, charting, and visualizing a research area according to experts, institutions, topics, publications, and social networks. As the increasing flood of new, diverse, and disorganized digital terrorism studies continues, the application of domain visualization techniques is increasingly critical for understanding the growth of scientific research, tracking the dynamics of the field, discovering potential new areas of research, and creating a big picture of the field’s intellectual structure as well as challenges. In this paper, we present an overview of contemporary terrorism research by applying domain visualization techniques to the literature and author citation data from the years 1965 to 2003. The data were gathered from ten databases such as the ISI Web of Science then analyzed using an integrated knowledge mapping framework that includes selected techniques such as self-organizing map (SOM), content map analysis, and co-citation analysis. The analysis revealed (1) 42 key terrorism researchers and their institutional affiliations; (2) their influential publications; (3) a shift from focusing on terrorism as a low-intensity conflict to an emphasis on it as a strategic threat to world powers with increased focus on Osama Bin Laden; and (4) clusters of terrorism researchers who work in similar research areas as identified by co-citation and block-modeling maps.

Edna Reid, Hsinchun Chen
Testing a Rational Choice Model of Airline Hijackings

Using data that combines information from the Federal Aviation Administration, the RAND Corporation, and a newly developed database on global terrorist activity, we are able to examine trends in 1,101 attempted aerial hijackings that occurred around the world from 1931 to 2003. We have especially complete information for 828 hijackings that occurred before 1986. Using a rational choice theoretical framework, we employ econometric time-series methods to estimate the impact of several major counter hijacking interventions on the likelihood of differently motivated hijacking events and to model the predictors of successful hijackings. Some of the interventions examined use certainty-based strategies of target hardening to reduce the perceived likelihood of success while others focus on raising the perceived costs of hijacking by increasing the severity of punishment. We also assess which specific intervention strategies were most effective for deterring hijackers whose major purpose was terrorism related. We found support for the conclusion that new hijacking attempts were less likely to be undertaken when the certainty of apprehension was increased through metal detectors and law enforcement at passenger checkpoints. We also found that fewer hijackers attempted to divert airliners to Cuba once that country made it a crime to hijack flights. Our results support the contagion view that hijacking rates significantly increase after a series of hijackings closely-clustered in time. Finally, we found that policy interventions only significantly decrease the likelihood of non-terrorist-related hijackings.

Laura Dugan, Gary LaFree, Alex R. Piquero

Short Papers

Data and Text Mining

Analysis of Three Intrusion Detection System Benchmark Datasets Using Machine Learning Algorithms

In this paper, we employed two machine learning algorithms – namely, a clustering and a neural network algorithm – to analyze the network traffic recorded from three sources. Of the three sources, two of the traffic sources were synthetic, which means the traffic was generated in a controlled environment for intrusion detection benchmarking. The main objective of the analysis is to determine the differences between synthetic and real-world traffic; however, the analysis methodology detailed in this paper can be employed for general network analysis purposes. Moreover, the framework, which we employed to generate one of the two synthetic traffic sources, is briefly discussed.

H. Güneş Kayacık, Nur Zincir-Heywood

Discovering Identity Problems: A Case Study

Identity resolution is central to fighting against crime and terrorist activities in various ways. Current information systems and technologies deployed in law enforcement agencies are neither adequate nor effective for identity resolution. In this research we conducted a case study in a local police department on problems that produce difficulties in retrieving identity information. We found that more than half (55.5%) of the suspects had either a deceptive or an erroneous counterpart existing in the police system. About 30% of the suspects had used a false identity (i.e., intentional deception), while 42% had records alike due to various types of unintentional errors. We built a taxonomy of identity problems based on our findings.

Alan G. Wang, Homa Atabakhsh, Tim Petersen, Hsinchun Chen

Efficient Discovery of New Information in Large Text Databases

Intelligence analysts are often faced with large data collections within which information relevant to their interests may be very sparse. Existing mechanisms for searching such data collections present difficulties even when the specific nature of the information being sought is known. Finding unknown information using these mechanisms is very inefficient. This paper presents an approach to this problem, based on iterative application of the technique of latent semantic indexing. In this approach, the body of existing knowledge on the analytic topic of interest is itself used as a query in discovering new relevant information. Performance of the approach is demonstrated on a collection of one million documents. The approach is shown to be highly efficient at discovering new information.

R. B. Bradford

Leveraging One-Class SVM and Semantic Analysis to Detect Anomalous Content

Experiments were conducted to test several hypotheses on methods for improving document classification for the malicious insider threat problem within the Intelligence Community. Bag-of-words (BOW) representations of documents were compared to Natural Language Processing (NLP) based representations in both the typical and one-class classification problems using the Support Vector Machine algorithm. Results show that the NLP features significantly improved classifier performance over the BOW approach both in terms of precision and recall, while using many fewer features. The one-class algorithm using NLP features demonstrated robustness when tested on new domains.

Ozgur Yilmazel, Svetlana Symonenko, Niranjan Balasubramanian, Elizabeth D. Liddy

LSI-Based Taxonomy Generation: The Taxonomist System

The following presents a method for constructing taxonomies by utilizing the Latent Semantic Indexing (LSI) technique. The LSI technique enables representation of textual data in a vector space, facilitates access to all documents and terms by contextual queries, and allows for text comparisons. A taxonomy generator downloads a collection of documents, creates document clusters, assigns titles to clusters, and organizes the clusters in a hierarchy. The nodes in the hierarchy are ordered from general to specific in the depth of the hierarchy, and from most similar to least similar in the breadth of the hierarchy. This method is capable of producing meaningful classifications in a short time.

Janusz Wnek

Some Marginal Learning Algorithms for Unsupervised Problems

In this paper, we investigate one-class and clustering problems by using statistical learning theory. To establish a universal framework, an unsupervised learning problem with predefined threshold η is formally described and the intuitive margin is introduced. Then, one-class and clustering problems are formulated as two specific η-unsupervised problems. By defining a specific hypothesis space in η-one-class problems, the crucial minimal sphere algorithm for regular one-class problems is proved to be a maximum margin algorithm. Furthermore, some new one-class and clustering marginal algorithms can be achieved in terms of different hypothesis spaces. Since the nature in SVMs is employed successfully, the proposed algorithms have robustness, flexibility and high performance. Since the parameters in SVMs are interpretable, our unsupervised learning framework is clear and natural. To verify the reasonability of our formulation, some synthetic and real experiments are conducted. They demonstrate that the proposed framework is not only of theoretical interest, but also has a legitimate place in the family of practical unsupervised learning techniques.

Qing Tao, Gao-Wei Wu, Fei-Yue Wang, Jue Wang

Information Management and Sharing

Collecting and Analyzing the Presence of Terrorists on the Web: A Case Study of Jihad Websites

The Internet which has enabled global businesses to flourish has become the very same channel for mushrooming ‘terrorist news networks.’ Terrorist organizations and their sympathizers have found a cost-effective resource to advance their courses by posting high-impact Websites with short shelf-lives. Because of their evanescent nature, terrorism research communities require unrestrained access to digitally archived Websites to mine their contents and pursue various types of analyses. However, organizations that specialize in capturing, archiving, and analyzing Jihad terrorist Websites employ different, manual-based analysis techniques that are inefficient and not scalable. This study proposes the development of automated or semi-automated procedures and systematic methodologies for capturing Jihad terrorist Website data and its subsequent analyses. By analyzing the content of hyperlinked terrorist Websites and constructing visual social network maps, our study is able to generate an integrated approach to the study of Jihad terrorism, their network structure, component clusters, and cluster affinity.

Edna Reid, Jialun Qin, Yilu Zhou, Guanpi Lai, Marc Sageman, Gabriel Weimann, Hsinchun Chen

Evaluating an Infectious Disease Information Sharing and Analysis System

Infectious disease informatics is a subfield of security informatics that focuses on information analysis and management issues critical to the prevention, detection, and management of naturally occurring or terrorist-engineered infectious disease outbreaks. We have developed a research prototype called BioPortal which provides an integrated environment to support cross-jurisdictional and cross-species infectious disease information sharing, integration, analysis, and reporting. This paper reports a pilot study evaluating BioPortal’s usability, user satisfaction, and potential impact on practice.

Paul Jen-Hwa Hu, Daniel Zeng, Hsinchun Chen, Catherine Larson, Wei Chang, Chunju Tseng

How Question Answering Technology Helps to Locate Malevolent Online Content

The inherent lack of control over the Internet content resulted in proliferation of online material that can be potentially detrimental. For example, the infamous “Anarchist Cookbook” teaching how to make weapons, home made bombs, and poisons, keeps re-appearing in various places. Some websites teach how to break into computer networks to steal passwords and credit card information. Law enforcement, security experts, and public watchdogs started to locate, monitor, and act when such malevolent content surfaces on the Internet. Since the resources of law enforcement are limited, it may take some time before potentially malevolent content is located, enough for it to disseminate and cause harm. The only practical way for searching the content of the Internet, available for law enforcement, security experts, and public watchdogs is by using a search engine, such as Google, AOL, MSN, etc. We have suggested and empirically evaluated an alternative technology (automated question answering or QA) capable of locating potentially malevolent online content. We have implemented a proof-of-concept prototype that is capable of finding web pages that provide the answers to given questions (e.g. “How to build a pipe bomb?”). Using students as subjects in a controlled experiment, we have empirically established that our QA prototype finds web pages that are more likely to provide answers to given questions than simple keyword search using Google. This suggests that QA technology can be a good replacement or an addition to the traditional keyword searching for the task of locating malevolent online content and, possibly, for a more general task of interactive online information exploration.

Dmitri Roussinov, Jose Antonio Robles-Flores

Information Supply Chain: A Unified Framework for Information-Sharing

To balance demand and supply of information, we propose a framework called “information supply chain” (ISC). This framework is based on supply chain management (SCM), which has been used in business management science. Both ISC and SCM aim to satisfy demand with high responsiveness and efficiency. ISC uses an information requirement planning (IRP) algorithm to reason, plan, and satisfy needers with useful information. We believe that ISC can not only unify existing information-sharing methods, but also produce new solutions that enable the right information to be delivered to the right recipients in the right way and at the right time.

Shuang Sun, John Yen

Map-Mediated GeoCollaborative Crisis Management

Managing crises requires collecting geographical intelligence and making spatial decisions through collaborative efforts among multiple, distributed agencies and task groups. Crisis management also requires close coordination among individuals and groups of individuals who need to collaboratively derive information from geospatial data and use that information in coordinated ways. However, geospatial information systems do not currently support group work and cannot meet the information needs of crisis managers. This paper describes a group interface for geographical information systems, featuring multimodal human input, conversational dialogues, and same-time, different-place communications among teams.

Guoray Cai, Alan M. MacEachren, Isaac Brewer, Mike McNeese, Rajeev Sharma, Sven Fuhrmann

Thematic Indicators Derived from World News Reports

A method for deriving statistical indicators from the Europe Media Monitor (EMM) is described. EMM monitors world news in real time from the Internet and various News Agencies. The new method measures the intensity of news reporting for any country concerning a particular theme. Two normalised indicators are defined for each theme (j) and for each country (c). The first (I_cj) is a measure of the relative importance for a given theme to that country. The second (I_jc) is a measure of the relative importance placed on that country with respect to the given theme by the world’s media. The method has then been applied to news articles processed by EMM for each day during August 2003. This month was characterized by a number of serious terrorist bomb attacks visible both in the EMM data and in the derived indicators. The calculated indicators for a selection of countries are presented. Their interpretation and possible biases in the data are discussed. The data are then applied to identify candidate countries for “forgotten conflicts”. These are countries with high levels of conflict but poorly reported in the world’s media.

Clive Best, Erik Van der Goot, Monica de Paola

Copyright and Privacy Protection

A Novel Watermarking Algorithm Based on SVD and Zernike Moments

A robust image watermarking technique is proposed in this paper. The watermarked image is obtained by modifying the maximum singular value in each image block. The robustness of the proposed algorithm is achieved from two aspects: the stability of the maximum singular values and preprocessing before watermark extraction. Zernike moments are used to estimate the rotation angle, and the translation and scaling distortions are corrected by geometric moment methods. Experimental results show that this algorithm makes a trade-off among the imperceptibility, robustness and capacity.

Haifeng Li, Shuxun Wang, Weiwei Song, Quan Wen

A Survey of Software Watermarking

In the Internet age, software is one of the core components for the operation of networks and it penetrates almost all aspects of industry, commerce, and daily life. Since digital documents and objects can be duplicated and distributed easily and cheaply, and software is also a type of digital object, software security and piracy have become an increasingly important issue. In order to protect software from piracy and unauthorized modification, various techniques have been developed. Among them is software watermarking, which protects software by embedding some secret information into it as an identifier of the ownership of copyright for this software. This paper gives a brief overview of software watermarking. It describes the taxonomy, attack models, and algorithms of software watermarking.

William Zhu, Clark Thomborson, Fei-Yue Wang

Data Distortion for Privacy Protection in a Terrorist Analysis System

Data distortion is a critical component to preserve privacy in security-related data mining applications, such as in data mining-based terrorist analysis systems. We propose a sparsified Singular Value Decomposition (SVD) method for data distortion. We also put forth a few metrics to measure the difference between the distorted dataset and the original dataset. Our experimental results using synthetic and real world datasets show that the sparsified SVD method works well in preserving privacy as well as maintaining utility of the datasets.

Shuting Xu, Jun Zhang, Dianwei Han, Jie Wang

Deception Detection

Deception Across Cultures: Bottom-Up and Top-Down Approaches

This paper examines various approaches to analyzing differences in patterns of deception and how deception is evaluated across cultures. The approaches are divided into bottom-up approaches, which examine the foundations of culture and how they affect deception, and top-down approaches, which refer to models of deception and how their dynamics change across cultures. Considerations of the various approaches have led to a conclusion that the most comprehensive method for modeling deception across cultures would be to synthesize the two approaches, rather than consider them as opposing schools of thought.

Lina Zhou, Simon Lutterbie

Detecting Deception in Synchronous Computer-Mediated Communication Using Speech Act Profiling

Detecting deception is a complicated endeavor. Previous attempts at deception detection in computer-mediated communication have met with some success. This study shows how speech act profiling [1] can be used to aid deception detection in synchronous computer-mediated communication (S-CMC). Chat logs from an online group game where deception was introduced were subjected to speech act profiling analysis. The results provide some support to previous research showing greater uncertainty in deceptive S-CMC. Also shown is that deceivers in the specific task tend to engage in less strategizing than non-deceivers.

Douglas P. Twitchell, Nicole Forsgren, Karl Wiers, Judee K. Burgoon, Jay F. Nunmaker

Information Security and Intrusion Detection

Active Automation of the DITSCAP

The Defense Information Infrastructure (DII) connects Department of Defense (DoD) mission support, command and control, and intelligence computers and users through voice, data, imagery, video, and multimedia services, and provides information processing and value-added services. For such a critical infrastructure to effectively mitigate risk, optimize its security posture and evaluate its information assurance practices, we identify the need for a structured and comprehensive certification and accreditation (C&A) framework with appropriate tool support. In this paper, we present an active approach to provide effective tool support that automates the DoD Information Technology Security C&A Process (DITSCAP) for information networks in the DII.

Seok Won Lee, Robin A. Gandhi, Gail-Joon Ahn, Deepak S. Yavagal

An Ontological Approach to the Document Access Problem of Insider Threat

Verification of legitimate access of documents, which is one aspect of the umbrella of problems in the Insider Threat category, is a challenging problem. This paper describes the research and prototyping of a system that takes an ontological approach, and is primarily targeted for use by the intelligence community. Our approach utilizes the notion of semantic associations and their discovery among a collection of heterogeneous documents. We highlight our contributions in (graphically) capturing the scope of the investigation assignment of an intelligence analyst by referring to classes and relationships of an ontology; in computing a measure of the relevance of documents accessed by an analyst with respect to his/her assignment; and by describing the components of our system that have provided early yet promising results, and which will be further evaluated more extensively based on domain experts and sponsor inputs.

Boanerges Aleman-Meza, Phillip Burns, Matthew Eavenson, Devanand Palaniswami, Amit Sheth

Filtering, Fusion and Dynamic Information Presentation: Towards a General Information Firewall

Intelligence analysts are flooded with massive amounts of data from a multitude of sources and in many formats. From this raw data they attempt to gain insight that will provide decision makers with the right information at the right time. Data quality varies from very high quality data generated by reputable sources to misleading and very low quality data generated by malicious entities. Disparate organizations and databases, global collection networks and international language differences further hamper the analyst’s job. We present a web based information firewall to help counter these problems. It allows analysts to collaboratively customize web content by the creation and sharing of dynamic knowledge-based user interfaces that greatly improve data quality, and hence analyst effectiveness, through filtering, fusion and dynamic transformation techniques. Our results indicate that this approach is not only effective, but will scale to support large entities within the Intelligence Community.

Gregory Conti, Mustaque Ahamad, Robert Norback

Intrusion Detection System Using Sequence and Set Preserving Metric

Intrusion detection systems rely on a wide variety of observable data to distinguish between legitimate and illegitimate activities. In this paper we investigate the use of sequences of system calls for classifying intrusions and faults induced by privileged processes in the Unix operating system. In our work we applied a sequence-data mining approach in the context of an intrusion detection system (IDS). This paper introduces a new similarity measure that considers both sequence as well as set similarity among sessions. Considering both the order of occurrences and the content of a session enhances the capabilities of the kNN classifier significantly, especially in the context of intrusion detection. From our experiments on the DARPA 1998 IDS dataset we infer that the order of occurrences plays a major role in determining the nature of the session. The objective of this work is to construct concise and accurate classifiers to detect anomalies based on sequence as well as set similarity.

Pradeep Kumar, M. Venkateswara Rao, P. Radha Krishna, Raju S. Bapi, Arijit Laha

The Multi-fractal Nature of Worm and Normal Traffic at Individual Source Level

Worms have become a serious threat in the web age because they can cause huge losses due to their fast-spreading property. To detect worms effectively, it is important to investigate the characteristics of worm traffic at the individual source level. We model worm traffic with the multi-fractal process, and compare the multi-fractal property of worm and normal traffic at the individual source level. The results show that the worm traffic possesses less multi-fractal property.

Yufeng Chen, Yabo Dong, Dongming Lu, Yunhe Pan

Learning Classifiers for Misuse Detection Using a Bag of System Calls Representation

In this paper, we propose a “bag of system calls” representation for intrusion detection of system call sequences and describe misuse detection results with widely used machine learning techniques on University of New Mexico (UNM) and MIT Lincoln Lab (MIT LL) system call sequences with the proposed representation. With the feature representation as input, we compare the performance of several machine learning techniques and show experimental results. The results show that the machine learning techniques on the simple “bag of system calls” representation of system call sequences are effective and often perform better than those approaches that use foreign contiguous subsequences for detecting intrusive behaviors of compromised processes.

Dae-Ki Kang, Doug Fuller, Vasant Honavar

Infrastructure Protection and Emergency Response

A Jackson Network-Based Model for Quantitative Analysis of Network Security

It is important for trusted intranets to focus on network security as a whole with dynamic and formalized analysis. The qualitative and current quantitative methods have difficulty meeting these requirements. After analyzing the attacking process, a Jackson network-based model with absorbing states is proposed, where the absorbing states mean the attacks succeed or fail. We compute the steady-state joint probability distribution of network nodes, the mean time attack data spends in the network, and the probabilities from the network entry node to absorbing states. According to the analysis of the above measures, we analyze the relationship between network security and performance.

Zhengtao Xiang, Yufeng Chen, Wei Jian, Fei Yan

Biomonitoring, Phylogenetics and Anomaly Aggregation Systems

While some researchers have exploited the similarity between cyber attacks and epidemics we believe there is also potential to leverage considerable experience gained in other biological domains: phylogenetics, ecological niche modeling, and biomonitoring. Here we describe some new ideas for threat detection from biomonitoring, and approximate graph searching and matching for cross network aggregation. Generic anomaly aggregation systems using these methods could detect and model the inheritance and evolution of vulnerability and threats across multiple domains and time scales.

David R. B. Stockwell, Jason T. L. Wang

CODESSEAL: Compiler/FPGA Approach to Secure Applications

The science of security informatics has become a rapidly growing field involving different branches of computer science and information technologies. Software protection, particularly for security applications, has become an important area in computer security. This paper proposes a joint compiler/hardware infrastructure – CODESSEAL – for software protection for fully encrypted execution in which both program and data are in encrypted form in memory. The processor is supplemented with an FPGA-based secure hardware component that is capable of fast encryption and decryption, and performs code integrity verification, authentication, and provides protection of the execution control flow. This paper outlines the CODESSEAL approach, the architecture, and presents preliminary performance results.

Olga Gelbart, Paul Ott, Bhagirath Narahari, Rahul Simha, Alok Choudhary, Joseph Zambreno

Computational Tool in Infrastructure Emergency Total Evacuation Analysis

Investigation has been made in the total evacuation of high profile infrastructures like airport terminals, super-highrise buildings, racecourses and tunnels. With the recent advancement of computer technologies, a number of evacuation modelling techniques have been developed to visualize the evacuation pattern and optimize the evacuation provisions. Computer simulations enable the integration of individual human factors like age, gender, percentage of crowd, mobility impairment, walking speed and patience level into the evacuation model. Other behavioural factors like shortest distance, quickest time, adjacent movement and personal space can also be computed. The simulation results can be more realistic and reliable than the traditional hand calculations or code compliance design, which cannot consider the actual performance and human factors. The simulation results can be used to characterize the efficiency of total evacuation and to maximize the life safety protection, which is a major concern of the general public and authorities for high-profile infrastructures.

Kelvin H. L. Wong, Mingchun Luo

Performance Study of a Compiler/Hardware Approach to Embedded Systems Security

Trusted software execution, prevention of code and data tampering, authentication, and providing a secure environment for software are some of the most important security challenges in the design of embedded systems. This short paper evaluates the performance of a hardware/software co-design methodology for embedded software protection. Secure software is created using a secure compiler that inserts hidden codes into the executable code which are then validated dynamically during execution by a reconfigurable hardware component constructed from Field Programmable Gate Array (FPGA) technology. While the overall approach has been described in other papers, this paper focuses on security-performance tradeoffs and the effect of using compiler optimizations in such an approach. Our results show that the approach provides software protection with modest performance penalty and hardware overhead.

Kripashankar Mohan, Bhagirath Narahari, Rahul Simha, Paul Ott, Alok Choudhary, Joseph Zambreno

A Secured Mobile Phone Based on Embedded Fingerprint Recognition Systems

This paper presents a prototype design and implementation of secured mobile phones based on embedded fingerprint recognition systems. One is a front-end fingerprint capture sub-system and the other is a back-end fingerprint recognition system based on smart phones. The fingerprint capture sub-system is an external module which contains two parts: an ARM-Core processor LPC2106 and an Atmel Finger Sensor AT77C101B. The LPC2106 processor controls the AT77C101B sensor to capture the fingerprint image. In the fingerprint recognition system, a new fingerprint verification algorithm was implemented on internal hardware. The performance of the proposed system, with 4.16% equal error rate (EER), was examined on the Atmel fingerprints database. The average computation time on a 13 MHz CPU S1C33 (by Epson) is about 5.0 sec.

Xinjian Chen, Jie Tian, Qi Su, Xin Yang, Fei Yue Wang

Terrorism Informatics

Connections in the World of International Terrorism

This paper gives an introduction to an ambitious database project currently running at the International Policy Institute for Counter-Terrorism. The project builds on an extensive database of terrorist incidents dating back to 1968 and adds both content and functionality to make these databases more accessible to researchers. The information on terrorist incidents has been supplemented with information on the organizations responsible, the individual perpetrators, front companies, and monetary sources. The content now being added to the database includes raw historical data from interviews and court documents. This information can provide valuable sociological data for researchers, including how perpetrators were recruited for each attack; their stated motivation; their socio-economic background; what influenced them to join the terrorist organization; etc.

Yael Shahar

Forecasting Terrorism: Indicators and Proven Analytic Techniques

This forecasting methodology identifies 68 indicators of terrorism and employs proven analytic techniques in a systematic process that safeguards against 36 of the 42 common warning pitfalls that experts have identified throughout history. The complete version of this research provides: 1) a step-by-step explanation of how to forecast terrorism, 2) an evaluation of the forecasting system against the 42 common warning pitfalls that have caused warning failures in the past, and 3) recommendations for implementation. The associated CD has the website interface to this methodology to forecast terrorist attacks. This methodology could be applied to any intelligence topic (not just terrorism) by simply changing the list of indicators. The complete version of this research is available in Forecasting Terrorism: Indicators and Proven Analytic Techniques, Scarecrow Press, Inc., ISBN 0-8108-5017-6.

Sundri K. Khalsa

Forecasting Terrorist Groups’ Warfare: ‘Conventional’ to CBRN

To assess the type or spectrum of warfare that a terrorist group is likely to conduct in its operations, this paper proposes an indications and warning (I&W) methodology to comprehensively and systematically map all the significant indicators (as well as sub-indicators and observables) that need to be examined.

Joshua Sinai

The Qualitative Challenge of Insurgency Informatics

Terrorism and insurgency analysis depends critically on qualitative understanding, to ensure that quantitative work is on target. Key concerns include: qualitative analysis distorted by policy expectation, obstructed by compartmentalization and classification, and mistaken when drawing from the wrong history and experience. Open presentation of analytic processes allows more effective judgment of the credibility of analysis and interpretations. Data itself will not be the problem, but rather the constructs and methodologies used to assemble the data into conclusions. These challenges are at the heart of terrorist informatics.

Scott Tousley

The Application of PROACT® RCA to Terrorism/Counter Terrorism Related Events

Field-proven Root Cause Analysis (RCA) from the industrial sector can assist the terrorism community in decompiling terrorist acts to further understand the mentalities that trigger such events to escalate. RCA is a disciplined thought process that is not specific to any industry or given situation, but specific to the human being. We will focus on how to logically break down a seemingly complex event into its more manageable sub-components.

Robert J. Latino

Extended Abstracts for Posters and Demos

Data and Text Mining

A Group Decision-Support Method for Search and Rescue Based on Markov Chain

After perils at sea such as shipwrecks and tsunamis, airplane disasters or terrorist raids, the rescue departments receive omnifarious alarms, calls for help, orders and requests. One of the most important tasks of the work is extending the search for the lost people and rescuing them. Because conditions are limited, the rescue departments cannot respond to every request, and cannot search and rescue across all the districts at the same time. Thus the decision-makers should choose among several kinds of search and rescue action schemes, which forms the group decision-making problem of search and rescue schemes that we discuss in this paper.

Huizhang Shen, Jidi Zhao, Ying Peng

A New Relationship Form in Data Mining

In this paper we study the problems pertaining to rules mined from data that do not always hold in the real world. We argue that cause-effect relationships are more complicated in the real world than those that can be represented by the rules mined using current data mining techniques. Inspired by the concept of cause-effect relationships, the characteristic of the catalyst in Chemistry, and the theory of Net Force in Physics, we propose a new form of representation of rules by introducing complex cause-effect relationships, the importance of the factors, and the force unit. This form of relationship among attributes consists of all of the related attributes, the number of force units of each attribute, and the degree of importance, which is like a weight of each attribute with respect to the target attribute. The target attribute of interest results from both the direction of change and the number of force units of the change. We have to consider the net force calculated from all of the related attributes, including their degree of importance and their number of force units on the target attribute.

Suwimon Kooptiwoot, Muhammad Abdus Salam
A Study of “Root Causes of Conflict” Using Latent Semantic Analysis

This paper describes a method for the measurement of root causes of conflicts, as defined in a checklist drawn up by the European Commission’s External Relations Directorate General (DG RELEX) and used for monitoring and early warning. Our approach uses Latent Semantic Analysis (LSA) to measure these conflict indicators on a corpus composed of news articles extracted from the Europe Media Monitor (EMM) archive.

Mihaela Bobeica, Jean-Paul Jéral, Teofilo Garcia, Clive Best
An Empirical Study on Dynamic Effects on Deception Detection

A threat to accurate deception detection is the dynamic nature of deceptive behavior. Deceivers tend to adapt their communication style over time by continuously monitoring their targets for signs of suspiciousness. As a result, deceivers manage to tell lies that sound more and more like truth. Such trends imply that deception detection in later phases of an interaction would be more difficult and thus less accurate than detection in earlier phases. This paper studies dynamic effects that influence deception detection and provides empirical evidence supporting the prediction.

Tiantian Qin, Judee K. Burgoon
Anti Money Laundering Reporting and Investigation – Sorting the Wheat from the Chaff

The collection and analysis of financial data, referred to as financial intelligence, is gaining recognition as a key tool in the war on crime in general and terrorism in particular. Money in electronic form leaves a trail which means that individuals cannot easily disappear. There is a burgeoning industry providing sophisticated computer technology and complex mathematical models to mine financial data and single out unusual patterns of transactions. The use of automated monitoring systems is often seen as a powerful ally in the fight against money laundering and terrorist financing, justified by the increase in size of the typical transactional database, and by a desire to keep compliance costs under control. However, the power of automated profiling can result in negative outcomes such as over-reporting and increased expenditure on manual compliance checking.

Ana Isabel Canhoto, James Backhouse
Application of Latent Semantic Indexing to Processing of Noisy Text

Latent semantic indexing (LSI) is a robust dimensionality-reduction technique for the processing of textual data. The technique can be applied to collections of documents independent of subject matter or language. Given a collection of documents, LSI indexing can be employed to create a vector space in which both the documents and their constituent terms can be represented. In practice, spaces of several hundred dimensions typically are employed. The resulting spaces possess some unique properties that make them well suited to a range of information-processing problems. Of particular interest for this conference is the fact that the technique is highly resistant to noise. Many sources of classified text are still in hardcopy. Conversion of degraded documents to electronic form through optical character recognition (OCR) processing results in noisy text and poor retrieval performance when indexed by conventional information retrieval (IR) systems. The most salient feature of an LSI space is that proximity of document vectors in that space is a remarkably good surrogate for proximity of the respective documents in a conceptual sense. This fact has been demonstrated in a large number of tests involving a wide variety of subject matter, complexity, and languages. This feature enables the implementation of high-volume, high-accuracy automatic document categorization systems. In fact, the largest existing government and commercial applications of LSI are for automated document categorization. Previous work [1] has demonstrated the high performance of LSI on the Reuters-21578 [2] test set in comparison to other techniques. In more recent work, we have examined the ability of LSI to categorize documents that contain corrupted text. Testing using the Reuters-21578 test set demonstrated the robustness of LSI in conditions of increasing document degradation.
We wrote a Java class that degraded text in the test documents by inserting, deleting, and substituting characters randomly at specified error rates. Although true OCR errors are not random, the intent here was simply to show to what extent the text of the documents could be degraded and still retain useful categorization results. Moreover, the nature of comparisons in the LSI space is such that random errors and systematic errors will have essentially the same effects. These results are extremely encouraging. They indicate that the categorization accuracy of LSI falls off very slowly, even at high levels of text errors. Thus, the categorization performance of LSI can be used to compensate for weaknesses in optical character recognition accuracy. In this poster session we present results of applying this process to the much newer (and larger) Reuters RCV1-v2 categorization test set [3]. Initial results indicate that the technique provides robust noise immunity in large collections.

Robert J. Price, Anthony E. Zukas
Detecting Misuse of Information Retrieval Systems Using Data Mining Techniques

Misuse detection is often based on file permissions. That is, each authorized user can only access certain files. Predetermining the mapping of documents to allowable users, however, is highly difficult in large document collections. Initially, we utilized information retrieval techniques to warn of potential misuse. Here, we describe some data mining extensions used in our detection approach.

Nazli Goharian, Ling Ma, Chris Meyers
Mining Schemas in Semistructured Data Using Fuzzy Decision Trees

As WWW has become a huge information resource, it is very important for us to utilize this kind of information effectively. However, the information on WWW can’t be queried and manipulated in a general way.

Wei Sun, Da-xin Liu
More Than a Summary: Stance-Shift Analysis

Our corpus-based, multivariate approach to the analysis of text is keyed to the interaction of two dozen language features that have shown potential for assessing affect, agency, evaluation and intention. They include public and private or perceptual verbs; several categories of adverbs, modals, pronouns and discourse markers. The language features, which we use as variables, make up what text and corpus linguists define as stance. Stance is how people use their words to signal confidence or doubt, appraisal or judgment [1] about topics, values, audiences, situations, or viewpoints. Speakers construct different personae out of the ways they use language features that signal modality, evidentiality, hedging, attribution, concession, or consequentiality.

Boyd Davis, Vivian Lord, Peyton Mason
Principal Component Analysis (PCA) for Data Fusion and Navigation of Mobile Robots

A mobile robot system usually has multiple sensors of various types. In a dynamic and unstructured environment, information processing and decision making using the data acquired by these sensors pose a significant challenge. Kalman filter-based methods have been developed for fusing data from various sensors for mobile robots. However, the Kalman filter methods are computationally intensive. Markov and Monte Carlo methods are even less efficient than Kalman filter methods. In this paper, we present an alternative method based on principal component analysis (PCA) for processing the data acquired with multiple sensors.

Zeng-Guang Hou

Information Management and Sharing

BioPortal: Sharing and Analyzing Infectious Disease Information

Infectious disease informatics (IDI) is an emerging field of study that systematically examines information management and analysis issues related to infectious disease prevention, detection, and management. IDI research is inherently interdisciplinary, drawing expertise from a number of fields including but not limited to various branches of information technologies such as data integration, data security, GIS, digital library, data mining and visualization, and other fields such as biostatistics and bioinformatics. Funded by the NSF through its Digital Government and Information Technology Research programs with support from the Intelligence Technology Innovation Center, we have been developing scalable technologies and related standards and protocols, implemented in the BioPortal system, to deal with various data sharing and analysis challenges arising in the field of IDI. BioPortal provides distributed, cross-jurisdictional access to datasets concerning several major infectious diseases (of both humans and animals): West Nile Virus (WNV), Botulism, Foot-and-Mouth Disease (FMD), and Chronic Wasting Disease (CWD). It also provides access to test data collected from the BioWatch system, an air pathogen sensing system developed to detect airborne hazards. In addition to data access, BioPortal provides advanced spatial-temporal data visualization and analysis capabilities, which are critically needed for infectious disease outbreak detection and can provide valuable information to facilitate disease outbreak management and response. The intended users of BioPortal include public health researchers and practitioners at all levels of the government including international partners, analysts and policy makers; the general public and students in public health or related fields; and law enforcement and national security personnel involved in counter bioterrorism efforts and emergency preparedness and response.

Daniel Zeng, Hsinchun Chen, Chunju Tseng, Catherine Larson, Wei Chang, Millicent Eidson, Ivan Gotham, Cecil Lynch, Michael Ascher
DIANE: Revolutionizing the Way We Collect, Analyze, and Share Information

The international intelligence community is in urgent need of specialized knowledge, tools, models, and strategies to track knowledge of terrorist-related individuals, groups, and activities that could make a significant difference in being able to anticipate, detect, prevent, respond, and recover from major threats and terrorist events. At this demo, we feature a specific suite of tools—The Digital Analysis Environment (DIANE)—and show how this powerful collection and analysis tool set provides intelligence analysts, researchers, and industry consultants and practitioners with the ability to extract open source information, conduct information and data analysis, and identify linkages and relationships between current events and potential future events. This suite of tools falls into what is now considered Terrorism Informatics, a relatively new stream of research using the latest advances in social science methodologies, technologies, and tools.

Jin Zhu
Processing High-Speed Intelligence Feeds in Real-Time

Intelligence organizations face the daunting task of collecting all relevant pieces of information and drawing conclusions about potential threats in a timely manner. Typical information sources range from news tickers, financial transaction logs and message logs to satellite images and speech recordings. This wealth of data is continuously updated and arrives in high-speed data streams; it needs to be analyzed both in real-time (e.g., to estimate the importance of the information and to generate early threat alerts) and offline by sophisticated data mining tools. This work focuses on the real-time aspects of processing these massive streams of intelligence data. We also show how real-time and data mining components can interact effectively.

Alan Demers, Johannes Gehrke, Mingsheng Hong, Mirek Riedewald
Question Answer TARA: A Terrorism Activity Resource Application

Terrorism research has lately become a national priority. Researchers and citizens alike are coming to grips with obtaining relevant and pertinent information from vast storehouses of information gateways, dictionaries, self-authoritative websites, and sometimes obscure government information. Specific queries need to be manually sought after, or left to the mercy of search engines that are generally scoped.

Rob Schumaker, Hsinchun Chen
Template Based Semantic Similarity for Security Applications

Today’s search technology delivers impressive results in finding relevant documents for given keywords. However, many applications in various fields including genetics, pharmacy, social networks, etc., as well as national security, need more than what traditional search can provide. Users need to query a very large knowledge base (KB) using semantic similarity, to discover its relevant subsets. One approach is to use templates that support semantic similarity-based discovery of suspicious activities, that can be exploited to support applications such as money laundering, insider threat and terrorist activities. Such discovery that relies on a semantic similarity notion will tolerate syntactic differences between templates and KB using ontologies. We address the problem of identifying known scenarios using a notion of template-based similarity performed as part of the SemDIS project [1, 3]. This approach is prototyped in a system named TRAKS (Terrorism Related Assessment using Knowledge Similarity) and tested using scenarios involving potential money laundering.

Boanerges Aleman-Meza, Christian Halaschek-Wiener, Satya Sanket Sahoo, Amit Sheth, I. Budak Arpinar
The Dark Web Portal Project: Collecting and Analyzing the Presence of Terrorist Groups on the Web

While the Web has evolved to be a global information platform for anyone to use, terrorists are also using the Web to their own advantage. Many terrorist organizations and their sympathizers are using Web sites and online bulletin boards for propaganda, recruitment and communication purposes. This alternative side of the Web, which we call the Dark Web, could be analyzed to enable better understanding and analysis of the terrorism phenomena. However, due to problems such as information overload and language barriers, there has been no general methodology developed for collecting and analyzing Dark Web information. To address these problems, we developed a Web-based knowledge portal, called the Dark Web Portal, to support the discovery and analysis of Dark Web information. Specifically, the Dark Web Portal integrates terrorist-generated multilingual datasets on the Web and uses them to study advanced and new methodologies for predictive modeling, terrorist (social) network analysis, and visualization of terrorists’ activities, linkages, and relationships.

Jialun Qin, Yilu Zhou, Guanpi Lai, Edna Reid, Marc Sageman, Hsinchun Chen
Toward an ITS Specific Knowledge Engine

New technologies and research are being developed every day for Intelligent Transportation Systems. How to recognize and maximize the potential of ITS technologies becomes a big challenge for ITS researchers. Usually people would rely on general search engines like Yahoo! and Google to retrieve related information. The direct problem of these search engines is information overload [1]. Another issue with the search engines is that it’s difficult to keep the web pages up-to-date.

Guanpi Lai, Fei-Yue Wang

Information Security and Intrusion Detection

A Blind Image Watermarking Using for Copyright Protection and Tracing

With the development and maturing of the Internet and wireless communication techniques, the copying and distribution of digital productions becomes easier and faster. Copyright protection is an urgent problem to be resolved. The watermark is a digital code unremovably, robustly, and imperceptibly embedded in the host data and typically contains information about origin, status, and/or destination of the data. Most present watermarking algorithms embed only one watermark; however, one watermark is not sufficient under some circumstances. One of the reasons for piracy is that we cannot trace the responsibility of the pirates. This would become possible by embedding different exclusive watermarks belonging to the issuer. As different watermarks are needed at different times, a multiple-watermark algorithm is required. Reports on multiple-watermark schemes are rather few. Cox et al. extend the single watermark algorithm to embed multiple orthogonal watermarks. The disadvantage is that the original image is needed at the watermark detector, and the watermark capacity is small. Stankovic et al. proposed a scheme utilizing the two-dimensional Radon–Wigner distribution. The drawback is that the watermark capacity is small and we cannot judge the validity of the extracted watermark directly. Tao et al. present a multiple watermark algorithm in the DWT (Discrete Wavelet Transform) domain. The binary image is used for the watermark, and is embedded into all frequencies of DWT. The shortcoming is that the algorithm is not blind.

Haifeng Li, Shuxun Wang, Weiwei Song, Quan Wen
Towards an Effective Wireless Security Policy for Sensitive Organizations

Wireless networks are becoming increasingly popular with organizations and corporations around the world. With the prospect of increased productivity and convenience at a reduced cost through the use of wireless, many organizations have introduced wireless networks into their infrastructures in the hope of reaping their benefits. However, the adoption of wireless technologies brings with it new security concerns. The possibility of signals from a wireless local area network (WLAN) being transmitted beyond the physical boundaries of an office makes it easier for cyber criminals to monitor network traffic, disrupt data flows, and break into networks. The prospect of a breach of security becomes even more dangerous given that 70 percent of the data transmitted through wireless access points is unencrypted. These risks have elevated the importance of wireless security. With this increased concern for wireless security issues, a well thought-out and implemented wireless security policy is paramount. The goal of this work is to make the reader aware of the weakness in current wireless security models and to lay a framework of a reliable wireless security policy for sensitive organizations. We also examine a case study, the Department of Defense, of real world implementation of wireless security policies, analyzing their deficiencies based on our proposed framework.

Michael Manley, Cheri McEntee, Anthony Molet, Joon S. Park
A Taxonomy of Cyber Attacks on 3G Networks

Early first and second generation (1G and 2G, respectively) wireless telecommunication networks were isolated in the sense that their signaling and control infrastructure was not directly accessible to end subscribers. The vision of the next generation 3G wireless telecommunication network is to use IP technologies for control and transport. The introduction of IP technologies has opened up a new generation of IP-based services that must interwork with traditional 3G wireless telecommunication networks. Cross Network Services will use a combination of Internet-based data and data from the wireless telecommunication network to provide services to the wireless subscriber. They will be multi-vendor, multi-domain, and will cater to a wide variety of needs. An example of such a Cross Network Service is the Email Based Call Forwarding Service (CFS), where the status of the subscriber’s email inbox is used to trigger call forwarding in the wireless telecommunication network.

Kameswari Kotapati, Peng Liu, Yan Sun, Thomas F. LaPorta
An Adaptive Approach to Handle DoS Attack for Web Services

Recently, web services have become an important business tool in e-commerce. The emergence of intelligent, sophisticated attack techniques makes web services more vulnerable than ever. One of the most common attacks against web services is a denial of service attack.

Eul Gyu Im, Yong Ho Song
An Architecture for Network Security Using Feedback Control

In the past, active worms have taken hours if not days to spread effectively. This gives sufficient time for humans to recognize the threat and limit the potential damage. This is not the case anymore. Modern viruses spread very quickly. Damage caused by modern computer viruses (for example, Code Red, Sapphire and Nimda) is greatly enhanced by the rate at which they spread. Most of these viruses have an exponential spreading pattern. Future worms will exploit vulnerabilities in software systems that are not known prior to the attack. Neither the worm nor the vulnerabilities they exploit will be known before the attack and thus we cannot prevent the spread of these viruses by software patches or antiviral signatures. Hence there is a need to control fast spreading viruses automatically since they cannot be curtailed only by human initiated control. Some of the automatic approaches like quarantining the systems and shutting down the systems reduce the performance of the network. False positives are one more area of concern. Feedback control strategy is desirable in such systems because well-established techniques exist to handle and control such systems. Our technique is based on the fact that an infected machine tries to make connections at a faster rate than a machine that is not infected. The idea is to implement a filter, which restricts the rate at which a computer makes connections to other machines. The delay introduced by such an approach for normal traffic is very low (0.5-1 Hz). This rate can severely restrict the spread of high-speed worms spreading at rates of at least 200 Hz. As a first step, we apply feedback control to the first level of hierarchy (i.e., host). We will then expand the model to further levels (e.g., firewalls, IDS) as shown next in the description of the system architecture.

Ram Dantu, João W. Cangussu
Defending a Web Browser Against Spying with Browser Helper Objects

Microsoft’s Internet Explorer (IE) is the most widely used web browser, and IE’s global usage is reported as 93.9% share in May 2004 according to OneStat.com. The dominant web browser supports an extensible framework with a Browser Helper Object (BHO), which is a small program that runs automatically every time IE starts. However, malicious BHOs abuse this feature to manipulate the browser events and gather private information, which are also known as adwares or spywares.
Beomsoo Park, Sungjin Hong, Jaewook Oh, Heejo Lee
Dynamic Security Service Negotiation to Ensure Security for Information Sharing on the Internet

The term “quality of security service” is first presented by Cynthia Irvine [4]. The original definition is: “quality of security service refers to the use of security as a quality of service dimension and has the potential to provide administrators and users with more flexibility and potentially better service, without compromise of network and system security policies.” The original definition is focused on the quality of security service from the point of view of system administrators and users. We refine and define the term “quality of security service” in relation to security service negotiation among senders and receivers in a network, i.e. we focus on the quality of security service in the network.

ZhengYou Xia, YiChuan Jiang, Jian Wang
Enhancing Spatial Database Access Control by Eliminating the Covert Topology Channel

This paper presents a method to preserve security in GIS databases and describes a polyinstantiation approach to prevent a covert channel in a multilevel secure spatial database. Usually, security is handled by giving users permissions/privileges and database objects security levels. In the case of GIS objects, the complex relationships among them (spatial, topological, temporal, etc.) mean that extra care must be taken when giving levels; otherwise users may see something they are not authorized to see or may be denied access to needed information. Currently, database security is combined with the spatial database system in the fields of facility management, air-traffic control and military area. Although much research in the field of database security has been done, there has been no study in the field of secure spatial databases [1,2].

Young-Hwan Oh, Hae-Young Bae
Gathering Digital Evidence in Response to Information Security Incidents

To effectively fight computer crime, it is necessary to locate criminal evidence from within the computer and the network; this necessitates forensic enquiry so that the evidence will be secured in an appropriate manner, and will be acceptable in a court of law as proof of criminal behavior. Digital evidence is data in computer storage that can be used to prove criminal behavior [1]. Digital evidence, however, is easily copied and modified, is not easy to prove in source and integrity, and cannot be well perceived by human senses in the presentation of digital information.

Shiuh-Jeng Wang, Cheng-Hsing Yang
On the QP Algorithm in Software Watermarking

Software security is a key issue in an Internet-enabled economy. In order to prevent software from piracy and unauthorized modification, many techniques have been developed. Software watermarking [1,2] is such a technique, which can be used to protect software by embedding some secret information into the software to identify its copyright owner. In this paper, we discuss algorithms of software watermarking through register allocation.

William Zhu, Clark Thomborson
On the Use of Opaque Predicates in Mobile Agent Code Obfuscation

Mobile agent technology is an evolving paradigm that combines the inherent characteristics of intelligent agents, namely, adaptability, reactivity and autonomy with mobility. These characteristics of mobile agents provide an excellent means of meeting the distributed and heterogeneous requirements of many military applications that involve low bandwidth and intermittently connected networks. In typical military applications, mobile agents can be used to perform information push, information pull, and sentinel monitoring [1].

Anirban Majumdar, Clark Thomborson
Secure Contents Distribution Using Flash Memory Technology

The use of flash memories, built upon EEPROM technology, is increasing at an explosive rate due to their high capacity, low cost, and non-volatility. Many battery-powered mobile devices such as digital cameras, cell phones, and MP3 players use flash memories to implement cost-effective solid-state storage.

Yong Ho Song, Eul Gyu Im

Infrastructure Protection and Emergency Response

Background Use of Sensitive Information to Aid in Analysis of Non-sensitive Data on Threats and Vulnerabilities

One of the 9-11 commission’s recommendations on a different way of organizing intelligence activities of the United States was to unify the effort in information sharing across the Intelligence Community. Challenges include the need to deal with information that is geographically distributed and held in compartmented repositories having restricted access. A demonstrated ‘need to know’ is required before the data can be shared, and that assumes that one knows it exists and where to ask for it. Each intelligence agency has its own data security practices that restrict out-right sharing of the data within the Intelligence Community at large. Commercial off-the-shelf solutions exist for securely sharing highly sensitive ‘need to know’ data between cooperating agencies via digitally cosigned contracts, even using the Internet. Once data has been exchanged it still needs to be protected with the same ‘need to know’ restrictions by the receiving agency. In the post 9-11 world the question is how do we securely share information in a manner that protects the data but enables its value to be discovered by others having a ‘need to know’. This poster session proposes a demonstration of a secure data sharing technique that allows sharing of sensitive documents to influence collections of documents available to first responders and others; without exposing the contents of the sensitive documents. The underlying technology that makes this demonstration possible is latent semantic indexing (LSI). LSI is a robust dimensionality-reduction technique for the processing of textual data. The technique can be applied to collections of documents independent of subject matter or language. Given a collection of documents, LSI indexing can be employed to create a vector space in which both the documents and their constituent terms can be represented. Sensitive documents are employed as part of the training data. 
The relationship information implicit in the sensitive documents is smoothly blended with the relationship information implicit in the non-sensitive documents. This has the effect of slightly perturbing the representation vectors for tens to hundreds of thousands of term vectors in the resulting LSI space. The sensitive documents can be completely protected in this process – there is no way, even in principle, for the text of sensitive documents to be reconstructed. However, the subtle changes in the term representation vectors can yield dramatic improvements in analysis activities carried out using the non-sensitive documents. Non-sensitive documents are made available to first responders and others who need to be made aware of threats and vulnerabilities. The influence of sensitive documents on the non-sensitive documents will produce a re-ordering of non-sensitive documents as the result of a first responder query. For example, first responder queries of similar semantic context to the sensitive training documents will return non-sensitive documents highly influenced by the sensitive training documents. In a real implementation of the system, first responders would be able to infer the implications of the sensitive training documents through the non-sensitive searchable documents. The richness of both document sets (sensitive and non-sensitive) has implications for performance of the system. This technique directly addresses the recent GAO report on recommendations for improving the sharing of information between the federal government and the private sector on incidents, threats, and vulnerabilities.

Richard A. Smith
Securing Grid-Based Critical Infrastructures

The emerging Grid Computing Technologies are enabling the conception of heavily ICT-based critical infrastructures (CIs). The nature, volume and sensitivity of information that may be exchanged across the computing resources will be expanded substantially. As a result of increasing processing power, data storage capacity and interconnectivity, these Grid-based CIs will be exposed to a much larger number and a wider variety of threats and vulnerabilities. This raises new security issues for the CIs. In this paper, we have discussed the new paradigm of Grid-based CIs; the inevitability of their adoption in the near future; the risks associated with them; and a global framework to tackle the security related issues to gain the confidence of an already skeptical public.

Syed Naqvi, Michel Riguidel
The Safety Alliance of Cushing – A Model Example of Cooperation as an Effective Counterterrorism Tool

Oklahoma, known for its oil, is home to the Cushing Pipeline Junction (CPJ), one of the nation’s most critical infrastructure assets. In the wake of the modern terrorism threat that has specifically identified the petroleum industry as a target, CPJ stakeholders have implemented the most basic of tools – cooperation – to counter this threat; in doing so, they have sharpened this tool to a degree that their cooperation has become a model for the nation.

David Zimmermann

Surveillance, Border Protection, and Transportation Systems

A Framework for Global Monitoring and Security Assistance Based on IPv6 and Multimedia Data Mining Techniques

Nowadays people often find themselves lost in the ocean of textual data. However, with the development and application of the Next Generation Network (NGN) based on IPv6, people will find themselves in the ocean of multimedia data. With a large number of IP address resources and wide bandwidth available, NGN based on IPv6 makes online multimedia data transmission possible.

Xiaoyan Gong, Haijun Gao
An Agent-Based Framework for a Traffic Security Management System

In the first 11 months of 2003, China had an increase of more than 35 percent in the number of vehicles [1]. If an incident lasted one more minute, traffic delay time would amount to 4~5 min at a non-rush hour [2]. Statistical analysis also shows that traffic delay caused by a minor primary incident can be avoided if unprepared approaching drivers could be warned in time [3].

Shuming Tang, Haijun Gao
Application of a Decomposed Support Vector Machine Algorithm in Pedestrian Detection from a Moving Vehicle

For a shape-based pedestrian detection system [1], the critical requirement for pedestrian detection from a moving vehicle is to both quickly and reliably determine if a moving figure is a pedestrian. This can be achieved by comparing the candidate pedestrian figure with the given pedestrian templates. However, due to the vast number of templates stored, it is difficult to make the matching process fast and reliable. Therefore many pedestrian detection systems [2, 3, 4] are developed to help the matching process. In this paper, we apply a decomposed SVM algorithm in the matching process which can fulfill the recognition task efficiently.

Hong Qiao, Fei-Yue Wang, Xianbin Cao
Application of Cooperative Co-evolution in Pedestrian Detection Systems

In general, a shape-based [1] pedestrian detection system includes the following two steps:

(a) finding out and tracking a possible pedestrian figure, and

(b) determining if the candidate pedestrian figure is really a pedestrian figure by checking if it matches with any of the pedestrian templates.

Since there are a large number of templates, it is necessary to build up a search tree for the Match process [2,3]. Each node in the tree is one feature of the corresponding templates that can be used for classification, and each branch is one pedestrian template. Usually, the search tree is not adjustable during the matching process.

Xianbin Cao, Hong Qiao, Fei-Yue Wang, Xinzheng Zhang
Biometric Fingerprints Based Radio Frequency Identification

In recent years, Radio Frequency Identification procedures have become very popular in various aspects of life. Radio frequency identification, or RFID, is a generic term for technologies that use radio waves to automatically identify people or objects. There are several methods of identification, but the most common is to store a serial number that identifies a person or object. In most cases the serial number is the roll number of the person or the serial number of the associated object. The most notable disadvantage of such automated identification systems is their inability to prevent the misuse of RFID tags.

Sundaram Jayakumar, Chandramohan Senthilkumar
BorderSafe: Cross-Jurisdictional Information Sharing, Analysis, and Visualization

The BorderSafe project, funded by the Department of Homeland Security (DHS) and the Corporation for National Research Initiatives (CNRI), aims to develop, foster, and leverage information sharing between law enforcement agencies for border safety and national security. The partners in the project include the Artificial Intelligence (AI) Lab at the University of Arizona, Tucson Police Department (TPD), Pima County Sheriff’s Department (PCSD), Tucson Customs and Border Protection (CBP), San Diego Automated Regional Justice Information System (ARJIS), and the San Diego Supercomputer Center (SDSC). We describe the three major areas of research in the BorderSafe project at the AI Lab, University of Arizona.

Siddharth Kaza, Byron Marshall, Jennifer Xu, Alan G. Wang, Hemanth Gowda, Homa Atabakhsh, Tim Petersen, Chuck Violette, Hsinchun Chen
Backmatter
Metadata
Title
Intelligence and Security Informatics
Edited by
Paul Kantor
Gheorghe Muresan
Fred Roberts
Daniel D. Zeng
Fei-Yue Wang
Hsinchun Chen
Ralph C. Merkle
Copyright Year
2005
Publisher
Springer Berlin Heidelberg
Electronic ISBN
978-3-540-32063-0
Print ISBN
978-3-540-25999-2
DOI
https://doi.org/10.1007/b136511