An Ontological Approach to the Document Access Problem of Insider Threat ISI 2005, (May 20) Boanerges Aleman-Meza 1 Phillip Burns 2 Matthew Eavenson 1 Devanand Palaniswami 1 Amit P. Sheth 1 (1) LSDIS Lab, Computer Science Dept., University of Georgia, USA (2) CTA – Computer Technology Associates USA

6/21/ Objective & Approach Determine if (classified) documents reviewed an IC analyst satisfy his/her “need to know”  Characterization of “need to know” w.r.t. ontology  Characterizing document content in terms of ontology  Discovering weighted semantic relationships between document content and “need to know”

6/21/ Characterizing “Need to Know” using an a Semantic Approach (using Ontology) Requires domain ontology  models important concepts & relationships of domain (schema), captures factual knowledge (instances) Relate analyst’s need to know to concepts & relationships in ontology  e.g. terrorist organization, funding sources, facilitators, members, methods

6/21/ “Need to know” = context of investigation 26,489 entities 34,513 (explicit) relationships Add relationship to context

6/21/ Characterizing document content in terms of ontology “Semantic Annotation” Correlate words/phrases from document with entities/relationships in ontology Entity identification Meta-data added to document (from associated ontological knowledge) Active area of research but practically useful technology now available Constrained to content of ontology

6/21/2004 6

7 Semantic Relationships between Document & “Need to Know” Semantic associations: relationships between document concepts & “need to know” concepts are discovered and ranked Ranking based on multiple factors  no. of links, types of links, location in ontology, … Ranking indicates degree of semantic “closeness”  and therefore, how related document is to “need to know”

6/21/ Highly relevant Closely related Ambiguous Not relevant Undeterminable Documents Ranking

6/21/ Research Content Discovery & Ranking of semantic semantic associations Characterizing “need to know” in terms of ontological concepts & relationships Meta-data annotation of data and (semi- structured & unstructured) documents  correlation of document content & concepts in ontology

6/21/ In this project we are addressing: Discovery of Semantic Associations per entity per document Input/Visualization/Management of Context of Investigation Scalability on number of documents & ontology size  Performs well with thousand documents Ranking of documents Research Challenges

6/21/ “Closely related entities are more relevant than distant entities” E = {e | e  Document } E k = {f | distance(f, e  E) = k } Ranking of Documents Relevance

6/21/ Components of Document Relevance (specific entities) Abu Abdallah Turkmenistan Konduz Province … Context of Investigation Entities belong to classes in the Context type(entity)  Context 1. Relationships constrains Relationship  [Class] 2. Entities match a list of entities of interest (in the Context) entity  Entities-List 3.

6/21/ Schematic of Ontological Approach to the Legitimate Access Problem Semagix Freedom

6/21/ Conclusions New Semantic Approach to the challenging problem Viability demonstrated on a small scale Significant new research that builds upon the latest Semantic Platform Many applications of this approach: vendor vetting, knowledge discovery, ….

6/21/ Acknowledgements Semagix provided technology to populate ontology using knowledge extraction, and (semi-)automatic metadata extraction from documents (Freedom toolkit). NSF-funded projects provided core research: " Semantic Association Identification and Knowledge Discovery for National Security Applications " (Grant No. IIS ) and " Semantic Discovery: Discovering Complex Relationships in Semantic Web " (Grant No. IIS )

6/21/ References 1. B. Aleman-Meza, C. Halaschek, I.B. Arpinar, A. Sheth, Context-Aware Semantic Association Ranking. Proceedings of Semantic Web and Databases Workshop, Berlin, September , pp B. Aleman-Meza, C. Halaschek, A. Sheth, I.B. Arpinar, and G. Sannapareddy. SWETO: Large-Scale Semantic Web Test-bed. Proceedings of the 16th International Conference on Software Engineering and Knowledge Engineering (SEKE2004): Workshop on Ontology in Action, Banff, Canada, June 21-24, 2004, pp R. Anderson and R. Brackney. Understanding the Insider Threat. Proceedings of a March 2004 Workshop. Prepared for the Advanced Research and Development Activity (ARDA) K. Anyanwu and A. Sheth ρ-Queries: Enabling Querying for Semantic Associations on the Semantic Web The Twelfth International World Wide Web Conference, Budapest, Hungary, 2003, pp K. Anyanwu, A. Maduko, A. Sheth, SemRank: Ranking Complex Relationship Search Results on the Semantic Web, In Proceedings of the 14th International World Wide Web Conference, Japan 2005 (accepted, to appear) 6. K. Anyanwu, A. Maduko, A. Sheth, J. Miller. Top-k Path Query Evaluation in Semantic Web Databases. (submitted for publication), C. Halaschek, B. Aleman-Meza, I.B. Arpinar, A. Sheth Discovering and Ranking Semantic Associations over a Large RDF Metabase Demonstration Paper, VLDB 2004, 30th International Conference on Very Large Data Bases, Toronto, Canada, 30 August - 3 September, B. Hammond, A. Sheth, and K. Kochut, Semantic Enhancement Engine: A Modular Document Enhancement Platform for Semantic Applications over Heterogeneous Content, in Real World Semantic Web Applications, V. Kashyap and L. Shklar, Eds., IOS Press, December 2002, pp

6/21/ References (cont) 9. M. Rectenwald, K. Lee, Y. Seo, J.A. Giampapa, and K. Sycara. Proof of Concept System for Automatically Determining Need-to-Know Access Privileges: Installation Notes and User Guide. Technical Report CMU-RI-TR-04-56, Robotics Institute, Carnegie Mellon University, October, _3.pdf 10. C. Rocha, D. Schwabe, M.P. Aragao. A Hybrid Approach for Searching in the Semantic Web, In Proceedings of the 13th International World Wide Web, Conference, New York, May 2004, pp M.A. Rodriguez, M.J. Egenhofer, Determining Semantic Similarity Among Entity Classes from Different Ontologies, IEEE Transactions on Knowledge and Data Engineering (2): A. Sheth, C. Bertram, D. Avant, B. Hammond, K. Kochut, and Y. Warke. Managing Semantic Content for the Web. IEEE Internet Computing, (4): A. Sheth, B. Aleman-Meza, I.B. Arpinar, C. Halaschek, C. Ramakrishnan, C. Bertram, Y. Warke, D. Avant, F.S. Arpinar, K. Anyanwu, and K. Kochut. Semantic Association Identification and Knowledge Discovery for National Security Applications. Journal of Database Management, Jan-Mar 2005, 16 (1): Boanerges Aleman-Meza, Phillip Burns, Matthew Eavenson,Devanand Palaniswami, Amit Sheth. An Ontological Approach to the Document Access Problem of Insider Threat

6/21/ Security and Terrorism Part of SWETO Ontology

6/21/ Semantic Annotation Document searched for entity names (or synonyms) contained in ontology Then document entities are annotated with additional information from corresponding entities in ontology including named relationships to other entities Following chart is example  Highlighted text are entities found corresponding to concepts in ontology  XML is corresponding meta-data annotation

6/21/ Relevance Measures for Documents (relating document content to IA “need to know” Relevance engine input  the set of semantically annotated documents  the context of investigation for the assignment  the ontology schema represented in RDFS, and the ontology instances represented in RDF Relevance measure function used to verify whether the entity annotations in the annotated document can be fit into the entity classes, entity instances, and/or keywords specified in the context of investigation.

6/21/ The Big Picture

SWETO – Ontology Schema Visualization See SemDis project of LSDIS Lab, University of Georgia

6/21/ Relevance Measures for Documents (relating document content to IA “need to know” (cont) Documents classified as:  Highly relevant Document entities directly related  Closely related Document entities related through strong semantic associations  Ambiguous Document entities related through weak semantic associations  Not relevant Document entities not related to “need to know”  Undeterminable Document entities not found in ontology

6/21/ IA Context of Investigation (characterization of “Need to Know”) We define the context of investigation as a combination of the following: A set of entity classes and relationships, and/or a negation of a set of entity classes and relationships A set of entity instance names, and/or a negation of a set of entity instance names A set of keyword values that might appear at any attribute of the populated instance data, and/or a negation of a set of keyword values

6/21/ Context of Investigation (cont) Goal is to capture, at a high level, the types of entities, (or relationships), that are considered important. Relationships can be constrained to be associated with specified class types  E.G. It can be specified that a relation ‘affiliated with’ is part of the context only when it is connected with an entity that belongs to a specific class, say, ‘Terror Organization’

6/21/ Ranking of Documents Relevance Four groups of document-ranking: -Not Related Documents -unable to determine relation to context -Ambiguously Related Documents -some relationship exists to the context -Somehow Related Documents -Entities are closely related to the context -Highly Related Documents -Entities are a direct match to the context Cut-off values determine grouping of documents w.r.t. relevance -These are customizable cut-off values (more control and more meaningful parameters compared to say automatic classification or statistical approaches) “Inspection” of a document is possible via (a) original document or (b) original document with highlighted entities