An Advanced Reasoning System for Enhanced Decision Making
What if you could predict someone's malicious intentions...and take proactive action to mitigate or prevent an attack? Pacific Northwest National Laboratory is performing research on advanced reasoning technologies to facilitate information fusion and sensemaking processes and enhance analytic decision making. A current focus is combating the insider threat.
Insider Threat: Current State of Research and Practice
- Today's approaches to insider threat are forensic based and limited in data types/sources for analysis
- Insider threat is a "wicked" problem that requires a comprehensive solution—combining information from diverse sources to analyze MOTIVATION as well as CAPABILITY and OPPORTUNITY
- PNNL has developed a comprehensive analytic approach that is unique in the ability to integrate multiple data types and sources, including PSYCHOSOCIAL data and network/IT monitoring logs
- PNNL's semantic graph based DOMAIN INDEPENDENT reasoning system ("CHAMPION") is modeled after human pattern recognition/decision processes
- CHAMPION has several innovative architecture/design features that foster scalability—pursuing a patent for this technology
Adaptive Cyber-defense using an Auto-associative Memory Paradigm (ACAMP)
This internally funded Laboratory-Directed R&D project funded by the Pacific Northwest National Laboratory's Information and Infrastructure Integrity Initiative seeks to develop advanced methods of pattern recognition in cyber data streams, enabling more secure systems. The research is visionary in its employment of a conceptual model informed by a functional mimicry of the neocortex—the ultimate pattern recognition system—that seeks to develop an unprecedented dynamic, adaptive cyber defense system with potential applications to diverse problem domains. As implemented, the system being developed performs Columnar Hierarchical Auto-associative Memory Processing In Ontological Networks—hence we refer to the system as CHAMPION.
CHAMPION is a hierarchical structure of modified Case-Based Reasoning (CBR) components. The classical approach to CBR is to retrieve similar cases to the current problem from a case library. Then each case is reviewed to see if it is a viable solution to the problem. If it is, apply the solution, and on to the next problem. If there are no viable solutions in the library, the most similar case is revised to be a viable solution. If the new solution works, the case is retained in the library for future use. The CBR component of the CHAMPION architecture is the Associative Memory Column, or AMC. The CBR cycle is implemented in each AMC. There are several innovative twists in the particular CBR implementation we have adopted; among the most important is the process of checking the current problem against rules that define why each case is in the case library, instead of the classical CBR approach of comparing the current problem against all cases. In following this "memory prediction framework" design, the CHAMPION system reflects the design philosophy espoused by Jeff Hawkins in On Intelligence and it is consistent with the naturalistic decision making framework described by Gary Klein's Recognition Primed Decision Making model.
The ACAMP project has developed the CHAMPION system to be domain agnostic, i.e., independent of the application domain. This is done by carefully maintaining a domain-independent reasoning system, but an application-specific knowledge representation that has been developed using a formal ontological language specification. The selected application domain of focus is the problem of recognizing and anticipating malicious behaviors such as malware or insider threat exploits. The functional requirements of the reasoner are to create and store sequences of behavioral patterns; to recall sequences of patterns auto-associatively to produce dynamic detection capability within a "memory-prediction" framework; to store the sequences of patterns in invariant forms, enabling adaptation and generalization; and to conduct reasoning in a hierarchy of reasoners to facilitate growth and "learning" functions of the reasoning system.
Distinctive Features of this Innovative Reasoning System
- Approach integrates social and technical systems data
- Approach is proactive rather than forensic
- Reasoning process addresses behavioral level (semantics) as well as syntax (signatures)
- Unique "memory prediction framework" functionally modeled after neocortex processing. Functional design is consistent with naturalistic decision making models.
- Reasoning system is domain-independent (knowledge representation is tailored to application with formal ontological language specification).
- Therefore the system is applicable to diverse problems:
- Insider Threat
- Malware detection
- Threat analysis/prediction
- Nonproliferation analysis/ prediction
For further information:
Dr. Frank L. Greitzer,
Pacific Northwest National Laboratory
Pacific Northwest National Laboratory