PROACTIVE EMERGING THREAT DETECTION (PREVENT)

In today’s world, terrorist and other hostile threats to both domestic and international peace can appear almost anywhere. When acts of aggression or harmful events occur, post-event forensic analyses are conducted to determine cause, methods and associated patterns, which are then used to avoid similar events in the future.

Adversaries are creative, however, improvising and creating new tactics every day. Consequently, there is a need for a proactive and predictive capability to detect threat activities before harmful events occur. In many cases, anomalous behaviors can be indicators or predictors of hostile activities, and if detected, they can generate alerts in real time, helping to thwart an action before it occurs and providing an opportunity to save lives. Raytheon has developed such a capability in an analytical tool, PRoactiVE emergiNg Threat detection (PREVENT), based on a dynamic stochastic network, to assess unusual patterns or behaviors as they happen.

PREVENT detects an emergent threat behavior in real time by computing an instability metric of the stochastic network. Based on this detection, it provides early warning to operators, who then conduct further analysis on the participants identified in the anomalous behavior. PREVENT is a general behavior analysis capability and has been applied to detect emerging threats in many environments, such as cyber/computer networks, oil rig operations, air traffic and littoral activities. This article presents an overview of the tool’s functionality along with its performance in example cases.

A functional block diagram of PREVENT is shown in Figure 1. It operates by the collection, correlation and categorization of events, forming a dynamic stochastic network depicted in the figure as a network graph diagram. Events are collected from multiple data sources, each corresponding to an agent (“who”), event type (“what”) and event time (“when”). As they are received and processed, the network is formed, or learned, consisting of sparse super nodes shown as large ellipses with dense local nodes contained therein. Events in the network are represented by lines or connections (called edges) between the nodes. The nodes are represented by the agents associated with the events. As agents interact over time, connections are made or broken. These connections increase or decrease in strength with the number of events the agents have in common, shown by the thickness (or weight) of the edges between the two nodes. Sets of densely connected nodes in the network are modeled as a super node, which represents events and agents associated with one type of data source. The sparse connectivity between super nodes reflects the relationship of events/agents between the different data sources.

Figure 1 : PREVENT functional block diagram

For example, if one data source provides computer network activities and another telephone network activities, then one super node corresponds to computer network events and the other to telephone network events. The nodes within each super node correspond to agents (people) using the computer and telephone network, respectively. When several computers are exchanging data, the IP address (and associated user) of each computer is represented by a node within that super node, and connections (edges) are made between them reflecting the specific data exchanges. Similarly, in the telephone network super node, each phone device (and associated person) is a node, and any calls among these phones are reflected in the edges between them. If a node in the computer network calls a phone in the telephone network, for example via a voice over IP (VoIP) call or a text message, then a connection between these two super nodes is made.

In this fashion, PREVENT learns the network structure as different data sources and events become available. Periodically, PREVENT estimates the stability of the network’s current state. For this, it summarizes key statistics about each active agent, such as its configuration (the number and type of events in which it is participating), the duration of its events and its connections both within the super node and to other super nodes. The difference between the current and previous empirical distributions of network activity is computed, and if the magnitude of this difference is above a specified threshold, PREVENT generates the associated alert(s) to the operator or analyst. With this information, further specific monitoring can be started, additional data sources or sensors activated, or an appropriate course of action initiated to stop further threats or harmful activity. The period for the network stability calculation and the alert thresholds are configured based on the specific environment and events being monitored.
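The stability check just described, as an added toy implementation written for this article (it is not PREVENT's or Raytheon's code). Everything concrete in it is an assumption of the example rather than something the article specifies: the event schema (time, source, kind, agents), an agent's super node being the data source it was first seen in, the per-agent "configuration" summary (dominant event kind plus bucketed intra- and inter-super-node degree), total-variation distance as the instability metric, a 100-second period, a 0.3 threshold, a two-period warm-up during which detections are ignored, and the constructed radar/AIS boat stream used as input.

```python
"""Toy dynamic stochastic network with a period-to-period instability metric.

Added illustration, not PREVENT's code. All schema, metric and parameter
choices below are assumptions of this example, not the article's.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Event:
    time: float    # "when"
    source: str    # data source the event came from (defines the super node)
    kind: str      # "what"
    agents: tuple  # "who": every participant in the event


def bucket(degree: int) -> str:
    """Coarse degree bucket so the empirical distribution has few categories."""
    return "0" if degree == 0 else "1-2" if degree <= 2 else "3+"


def period_distribution(events, super_node_of: dict) -> Counter:
    """Empirical distribution of agent configurations within one period.

    `super_node_of` persists across periods: the first source an agent is
    seen in becomes its super node (assumption of this example).
    """
    edges = Counter()             # frozenset({a, b}) -> events a and b share
    kinds = defaultdict(Counter)  # agent -> histogram of event kinds
    for ev in events:
        for a in ev.agents:
            super_node_of.setdefault(a, ev.source)
            kinds[a][ev.kind] += 1
        for a, b in combinations(ev.agents, 2):
            edges[frozenset((a, b))] += 1
    intra, inter = Counter(), Counter()
    for edge, weight in edges.items():
        a, b = tuple(edge)
        same = super_node_of[a] == super_node_of[b]
        for x in (a, b):
            (intra if same else inter)[x] += weight
    config = Counter()
    for a, hist in kinds.items():
        dominant = max(hist.items(), key=lambda kv: (kv[1], kv[0]))[0]
        config[(dominant, bucket(intra[a]), bucket(inter[a]))] += 1
    total = sum(config.values())
    return Counter({k: v / total for k, v in config.items()}) if total else Counter()


def total_variation(p: Counter, q: Counter) -> float:
    """Distance between two discrete distributions, in [0, 1]."""
    return 0.5 * sum(abs(p[k] - q[k]) for k in set(p) | set(q))


def run_detector(events, period=100.0, threshold=0.3, warmup_periods=2):
    """Return [(period_index, instability, alerted)] for the event stream."""
    super_node_of = {}
    by_period = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.time):
        by_period[int(ev.time // period)].append(ev)
    previous, results = None, []
    for idx in range(max(by_period) + 1):
        current = period_distribution(by_period[idx], super_node_of)
        score = total_variation(previous, current) if previous is not None else 0.0
        # Detections during warm-up are ignored while the network is still forming.
        alerted = idx >= warmup_periods and score > threshold
        results.append((idx, round(score, 3), alerted))
        previous = current
    return results


def constructed_stream():
    """Constructed event stream (not real data): four fishing boats F1-F4, a
    cargo ship C1, a military vessel M1 reported by AIS, and three fast boats
    B1-B3 that mingle with the fishing boats in period 4 and converge on M1
    in period 5. Period 0 is deliberately sparse (tracks still being acquired)."""
    events = []

    def stable(t, partial=False):
        events.append(Event(t + 0, "radar", "proximity", ("F1", "F2")))
        events.append(Event(t + 1, "radar", "proximity", ("F2", "F3")))
        if partial:
            return
        events.append(Event(t + 2, "radar", "proximity", ("F3", "F4")))
        events.append(Event(t + 3, "radar", "transit", ("C1",)))
        events.append(Event(t + 4, "ais", "transit", ("M1",)))

    stable(0.0, partial=True)
    for idx in range(1, 6):
        stable(100.0 * idx)
    fast = ("B1", "B2", "B3")
    for t in (400.0, 500.0):  # fast boats travelling together above speed limit
        events.append(Event(t + 5, "radar", "speed_above", fast))
        events.append(Event(t + 6, "radar", "speed_above", fast))
    for i, b in enumerate(fast):  # period 4: each fast boat stops beside a fishing boat
        events.append(Event(407.0 + i, "radar", "proximity", (b, f"F{i + 1}")))
    for i, b in enumerate(fast):  # period 5: all three close on the military vessel
        events.append(Event(507.0 + i, "radar", "proximity", (b, "M1")))
    return events


if __name__ == "__main__":
    for idx, score, alerted in run_detector(constructed_stream()):
        print(f"period {idx}: instability={score:.3f} alert={alerted}")
```

Running it shows the shape of Figure 3 in miniature: the sparse first period makes the metric jump at period 1, but the warm-up suppresses that detection, the three stable periods score zero, and the metric crosses the threshold in period 4 (fast boats joining the fishing clusters, a new configuration class inside the radar super node) and again in period 5 (the first edges between the radar and AIS super nodes). Comparing consecutive periods, as the article describes, is sensitive to change rather than to absolute abnormality; a deployment that wanted to flag a persistent anomalous state would also compare against a longer-running baseline distribution.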

A SWARMING BOAT USE CASE

The capabilities of PREVENT are readily demonstrated in the swarming boats scenario shown in Figure 2. The scene involves a strait with both fishing areas and shipping lanes populated by different types of vessels such as cargo ships, fishing boats, pleasure craft and military vessels. As shown in the figure, activities include cargo ships navigating through the strait via one of two shipping lanes; fishing by four groups of fishing boats (green circular formations); military vessels in the shipping lane moving faster than the cargo ships; and twelve small fast boats disguised as pleasure craft, manned by persons (agents) ultimately planning to take aggressive action against the military vessels. As the scenario plays out, groups of the fast boats enter each fishing area and stop among the fishing boats. Then after some time, they set an intercept course for the military vessel(s).

Figure 2 : Swarming boat scenario

The data source for PREVENT in this scenario was events created from vehicle tracks received from multiple radar sensors. Raytheon’s Intersect Sentry™ product generated events from the tracks using different analytics, such as proximity, heading changes, speeds above and below limits, acceleration and deceleration. PREVENT then processed the events and the agents (vessels) associated with the events to dynamically form the stochastic network used to detect anomalous behavior. Figure 3 is a plot of the network stability metric computed by PREVENT throughout the scenario. The instability can be seen to rise above the threshold whenever there is anomalous behavior of fast-moving craft, such as traveling between fishing clusters, an initial swarming toward the shipping lane and finally, converging on a target. Although the instability is above the threshold early in the scenario (before 1000 seconds have elapsed), PREVENT ignores these detections because the network is still being formed. After the network matures, PREVENT acts on all detections by generating alerts to the operator.

Figure 3 : Anomalous behavior detection in the case of swarming boats

OIL DRILLING USE CASE

PREVENT has been demonstrated to work on real-world data associated with oil drilling activities. Figure 4 shows an Intersect Sentry operator screen monitoring an offshore area of interest with ongoing oil drilling operations. As in the swarming boats case above, Intersect Sentry extracts event analytics from the real-time track data, such as loitering, immediate proximity and immediate proximity exit. In this longer scenario, PREVENT uses the events and the associated agents (or actors) to learn the network and then computes the instability metric over a period of days, detecting and reporting anomalous behavior(s). The number of alerts per day reported by PREVENT is shown in Figure 5. The typical activities correspond to oil drilling and the associated craft’s movement. The anomalous behavior corresponds to an adversary’s craft steaming to join the drilling activity. The increase in reported alerts shown in Figure 5 is associated with the identified ship (ID 33499), which drove the network instability as it steamed to join the drilling activity and was flagged in five separate alerts. This matches the ground truth for that time period, shown in the zoomed scenario area in the center of the operator’s screen in Figure 4.

Figure 4 : Intersect Sentry operator screen monitoring activities near area of interest. Center screen is the zoomed area of anomalous ship activity.

PREVENT’s architecture is designed to scale. PREVENT has been integrated with Docker™¹ and Raytheon Space and Airborne Systems’ (SAS) Adaptive Technique Manager (ATM), which enables distribution of PREVENT across multiple systems and computational parallelization of event processing and stochastic network learning. SAS ATM is an event-driven workflow manager for performing both man-in-the-loop and fully automated missions. It consists of a web interface, sensor adapters, event processors and a technique manager. Sensor adapters receive data from different sensors or data sources and convert the data into streaming events. The event processor receives these events from the sensor adapter and generates event analytics, which are used by PREVENT to learn the stochastic model previously described. Docker is a lightweight, open, scalable and secure commercial tool. It can accelerate software development, eliminate environmental inconsistencies and easily distribute content or applications to many platforms. By integrating PREVENT with ATM and Docker, it can be scaled to environments with millions of events and tens of thousands of actors.

Figure 5 : Alerts per day reported by PREVENT

In addition to scalability, PREVENT is architected to be a real-time proactive analytics tool. For example, in the oil drilling scenario depicted in Figure 4 with 840 actors and 60,000 events, PREVENT was able to process the data and arrive at the anomalous event in less than a minute on a laptop computer. PREVENT can ingest data from multiple disparate sources simultaneously and can learn relationships among those sources and actors. Future work includes integrating PREVENT as part of Raytheon SAS’s Cyber Electro Magnetic Battle Management (CEMBM) product for predictive analytics and to detect anomalous spectrum behaviors of adversaries. Based on how the spectrum is denied and used by the adversaries, Electronic Warfare Officers can maneuver and counter adversarial attempts to deny spectrum to U.S. military forces.

In summary, PREVENT is a novel approach for detecting emergent threat behavior through the modeling of events and actors as a dynamic stochastic network. It utilizes an unsupervised learning approach for real-time proactive analytics and can easily model new domains simply by defining a new set of associated actors and events. PREVENT’s forensic capability allows learned configurations to be stored as a sequence with associated time stamps and then later analyzed to determine associations between actors, events and activities. PREVENT is an important analytic tool for Raytheon and its customers — providing a capability to thwart harmful events and save lives.

– Dr. Shubha Kadambe

¹ An open-source container-based platform for effective application development and deployment (https://opensource.com/resources/what-docker)