1 Spatial Temporal Surveillance. 2 3 Geographic Surveillance and Hotspot Detection for Homeland Security: Cyber Security and Computer Network Diagnostics.


1 1 Spatial Temporal Surveillance

2 2

3 3 Geographic Surveillance and Hotspot Detection for Homeland Security: Cyber Security and Computer Network Diagnostics
Securing the nation's computer networks from cyber attack is an important aspect of Homeland Security. Project develops diagnostic tools for detecting security attacks, infrastructure failures, and other operational aberrations of computer networks.

Geographic Surveillance and Hotspot Detection for Homeland Security: Tasking of Self-Organizing Surveillance Mobile Sensor Networks
Many critical applications of surveillance sensor networks involve finding hotspots. The upper level set scan statistic is used to guide the search by estimating the location of hotspots based on the data previously taken by the surveillance network.

Geographic Surveillance and Hotspot Detection for Homeland Security: Drinking Water Quality and Water Utility Vulnerability
New York City has installed 892 drinking water sampling stations. Currently, about 47,000 water samples are analyzed annually. The ULS scan statistic will provide a real-time surveillance system for evaluating water quality across the distribution system.

Geographic Surveillance and Hotspot Detection for Homeland Security: Surveillance Network and Early Warning
Emerging hotspots for disease or biological agents are identified by modeling events at local hospitals. A time-dependent crisis index is determined for each hospital in a network. The crisis index is used for hotspot detection by scan statistic methods.

Geographic Surveillance and Hotspot Detection for Homeland Security: West Nile Virus: An Illustration of the Early Warning Capability of the Scan Statistic
West Nile virus is a serious mosquito-borne disease. The mosquito vector bites both humans and birds. Scan statistical detection of dead bird clusters provides an early crisis warning and allows targeted public education and increased mosquito control.

Geographic Surveillance and Hotspot Detection for Homeland Security: Crop Pathogens and Bioterrorism
Disruption of American agriculture and our food system could be catastrophic to the nation's stability. This project has the specific aim of developing novel remote sensing methods and statistical tools for the early detection of crop bioterrorism.

Geographic Surveillance and Hotspot Detection for Homeland Security: Disaster Management: Oil Spill Detection, Monitoring, and Prioritization
The scan statistic hotspot delineation and poset prioritization tools will be used in combination with our oil spill detection algorithm to provide for early warning and spatial-temporal monitoring of marine oil spills and their consequences.

Geographic Surveillance and Hotspot Detection for Homeland Security: Network Analysis of Biological Integrity in Freshwater Streams
This study employs the network version of the upper level set scan statistic to characterize biological impairment along the rivers and streams of Pennsylvania and to identify subnetworks that are badly impaired.

Center for Statistical Ecology and Environmental Statistics, G. P. Patil, Director

4 4 Network-Based Surveillance
Subway system surveillance
Drinking water distribution system surveillance
Stream and river system surveillance
Postal system surveillance
Road transport surveillance
Syndromic surveillance

5 5 Target Tracking in Distributed Sensor Networks

6 6 Video Surveillance and Data Streams Turning Video into Information Measuring Behavior by Segments Customer Intelligence Enterprise Intelligence Entrance Intelligence Media Intelligence Video Mining Service

7 7 Deterministic Finite Automata (DFA)
[Diagram: example DFA with a start state and transitions labeled a, b, c]
Directed graph (loops and multiple edges permitted) such that:
Nodes are called States
Edges are called Transitions
Distinguished initial (or starting) state
Transitions are labeled by symbols from a given finite alphabet, Σ = {a, b, c, ...}
The same symbol can label several transitions
A given symbol can label at most one transition from a given state (deterministic)

8 8 Deterministic Finite Automata (DFA) Formal Definition
[Diagram: example DFA with a start state and transitions labeled a, b, c]
Quadruple (Q, q0, Σ, δ) such that:
Q is a finite set of states
Σ is a finite set of symbols, called the alphabet
q0 ∈ Q is the initial state
δ : Q × Σ → Q ∪ {Blocked} is the transition function:
δ(q, a) = Blocked if there is no transition from q labeled by a
δ(q, a) = q' if a is a transition from q to q'

9 9 DFA and Strings
[Diagram: example DFA with a start state and transitions labeled a, b, c; one path is drawn blue and dashed]
Any path through the graph starting from the initial state determines a string from the alphabet.
Example: The blue dashed path determines the string abca.
Conversely, any string from the alphabet is either blocked or determines a path through the graph.
Example: The following strings are blocked: c, aa, ac, abb, etc.
Example: The following strings are not blocked: a, b, ab, bb, etc.
The collection of all unblocked strings is called the language accepted or determined by the DFA (all states are “final” in our approach).

10 10 Strings and Languages
Σ = (finite) alphabet
Σ* = set of all (finite) strings from Σ
A language is any subset of Σ*.
Not all languages can be determined by a DFA.
Different DFAs can accept the same language.

11 11 Probabilistic Finite Automata (PFA)
A PFA is a DFA (Q, q0, Σ, δ) with a probability attached to each transition such that the sum of the probabilities across all transitions from a given node is unity.
Formally, p: Q × Σ → [0, 1] such that p(q, a) = 0 if and only if δ(q, a) = Blocked.
Multiplying branch probabilities lets us assign a probability value  (q0, s) to each string s in Σ*. E.g.,  (q0, abca) = (.8)(1)(.6)(.4) = .192
[Diagram: PFA with start state q0 and transitions labeled a,.4; b,.2; b,1; b,.5; c,.6; c,.5; a,.8]

12 12 Properties of  (q 0, s) For fixed q 0,  (q 0, s) is a measure on  * Support of  is the language accepted by the DFA For fixed q 0,  (q 0, s) is a probability measure on  i (  i = strings of length i ) This probability measure is written as  (i). Given a probability distribution w(i) across string lengths i, defines a probability measure across  *, called the w-weighted probability measure of the PFA. If all w(i) are positive, then the support of  is also the language accepted by the underlying DFA.

13 13 Distance Between Two PFA Let A and B be two PFAs on the same alphabet  Let w(i) be a probability distribution across string lengths i Let  A and  B be the w-weighted probability measures of A and B Define the distance between A and B as the variational distance between the probability measures  A and  B : d( A, B) = ||  A   B ||
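The PFA string probability and the distance between two PFAs from slides 11 to 13, as an added Python example that is not part of the original presentation. Assumptions: the two automata are constructed here (the slide's diagram is not recoverable, so the topology is chosen only so that abca reproduces the slide's product .192), the length distribution w is truncated to lengths 1 and 2, and "variational distance" is taken as the plain sum of absolute differences.

```python
from itertools import product

class PFA:
    """trans[state][symbol] = (next_state, probability); a missing entry is Blocked."""
    def __init__(self, start, trans):
        self.start, self.trans = start, trans
        for q, out in trans.items():  # probabilities leaving each state must sum to 1
            total = sum(p for _, p in out.values())
            if abs(total - 1.0) > 1e-9:
                raise ValueError(f"state {q!r}: outgoing probabilities sum to {total}")

    def string_prob(self, s):
        """Product of branch probabilities along s from the start state; 0.0 if blocked."""
        q, prob = self.start, 1.0
        for sym in s:
            step = self.trans.get(q, {}).get(sym)
            if step is None:          # no transition labeled sym: the string is blocked
                return 0.0
            q, p = step
            prob *= p
        return prob

def weighted_measure(pfa, alphabet, w):
    """w maps string length i -> weight w(i); returns {string: w(i) * probability}."""
    return {"".join(t): wi * pfa.string_prob(t)
            for i, wi in w.items() for t in product(alphabet, repeat=i)}

def distance(a, b, alphabet, w):
    """Sum of absolute differences between the two w-weighted measures."""
    ma, mb = weighted_measure(a, alphabet, w), weighted_measure(b, alphabet, w)
    return sum(abs(ma[s] - mb[s]) for s in ma)

# Constructed automata: B differs from A only in the probabilities leaving q0.
A = PFA("q0", {"q0": {"a": ("q1", 0.8), "b": ("q3", 0.2)},
               "q1": {"b": ("q2", 1.0)},
               "q2": {"c": ("q2", 0.6), "a": ("q3", 0.4)},
               "q3": {"b": ("q0", 0.5), "c": ("q0", 0.5)}})
B = PFA("q0", {**A.trans, "q0": {"a": ("q1", 0.5), "b": ("q3", 0.5)}})
W = {1: 0.5, 2: 0.5}  # assumed distribution over string lengths

if __name__ == "__main__":
    print(A.string_prob("abca"), A.string_prob("aa"), distance(A, B, "abc", W))
```

Because every state has outgoing probabilities summing to one, the weighted measure of each automaton sums to one over the enumerated strings, which is a quick sanity check before comparing two models.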

14 14 Using  -complexity for Network Behavior Analysis David Friedlander (dsf10@psu.edu) Shashi Phoha (spx26@psu.edu) Richard Brooks (rrb5@psu.edu) Penn State / ARL

15 15 Tools for Recognizing Target Behavior From Network Measurements Symbolization Conversion Behavior Recognition Network Measurements (streams of numbers) Stream of symbols Higher level representation Representations of Known Behaviors Target Behavior

16 16 Natural Language Definition (Merriam-Webster’s Collegiate Dictionary)
Behavior: 1b : anything that an organism does involving action and response to stimulation c : the response of an individual, group, or species to its
Technical Definitions
Behavior → Pattern of observations and actions
Pattern → Formal language
Observations → Uncontrollable events
Actions → Controllable events

17 17 Symbolization: Network Sensor Readings to Symbolic Dynamics
[Figure: readings from Sensor 1, Sensor 2, Sensor 3 → Phase-Space Trajectory → String of Symbols]

18 18 Conversion Tools: Stream of Symbols to FSA
[Figure: stream of symbols converted to a finite state automaton]
Which defines a formal language of the target behavior

19 19 Conversion via topological complexity method
1. Language Sample: ……abaaabaaababababaaabab….
2. Tree of all substrings of length l.
3. Merge topologically similar subtrees

20 20 Conversion via  -complexity method
1. Language Sample: ……abaaabaaababababaaabab….
2. Tree of all substrings of length l with transition probabilities
3. Merged subtrees must be topologically similar and have similar probability structures
[Diagram: tree with nodes 0 to 9 and edges labeled with symbol and transition probability: a, P(a|0); b, P(b|0); a, P(a|2); b, P(b|2); a, P(a|3); b, P(b|3)]

21 21 Behavior Classification Tool using Finite State Automata
[Figure: stream of symbols fed to the automata for Behavior 1 and Behavior 2, giving String Rejections (1) / Sec and String Rejections (2) / Sec]
Analyze Rejection Rates to find most likely known behavior for the sample (if any are close enough)
Sample taken over “short” time scale
Dynamic Target Behavior Changes over “long” time scale
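Rejection-rate classification of a symbol stream against known behaviors, as an added Python example that is not part of the original presentation. Assumptions: each behavior's language is approximated by the set of length-l substrings of its sample (step 2 of the conversion on slide 19, without the subtree merging), the rate is the fraction of rejected windows rather than rejections per second, and the second behavior, the test streams and the threshold are constructed.

```python
def learn_language(sample, l):
    """Set of all length-l substrings seen in a known-behavior sample."""
    return {sample[i:i + l] for i in range(len(sample) - l + 1)}

def rejection_rate(stream, language, l):
    """Fraction of length-l windows of the stream that the language rejects."""
    windows = [stream[i:i + l] for i in range(len(stream) - l + 1)]
    if not windows:
        raise ValueError("stream is shorter than the window length")
    return sum(w not in language for w in windows) / len(windows)

def classify(stream, known, l, threshold):
    """Return (best_behavior or None, rates); None means no behavior is close enough."""
    rates = {name: rejection_rate(stream, lang, l) for name, lang in known.items()}
    best = min(rates, key=rates.get)
    return (best if rates[best] <= threshold else None), rates

L = 3
KNOWN = {
    # language sample shown on the conversion slides
    "slide_sample": learn_language("abaaabaaababababaaabab", L),
    # constructed second behavior for contrast
    "b_heavy": learn_language("abbbabbbabbb", L),
}

if __name__ == "__main__":
    for stream in ("aabaaaba", "bbabbbab", "abcabc"):  # constructed test streams
        print(stream, classify(stream, KNOWN, L, threshold=0.25))
```

The third stream contains a symbol neither behavior has seen, so every window is rejected by both languages and the sample is reported as matching no known behavior.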

22 22 Conversion Tools: Formal Languages to Infinite Dimensional Vector Space For example: …..abababaaababaaaba….. Measures are defined on the vector space that satisfy: The space contains a vector for all possible languages of a given alphabet:

23 23 Weighted Counting Measure for Formal Languages Various measures can be defined on the formal language vectors, such as: where n i (L) is the number of strings of length i in language L, and where k is the number of symbols in the alphabet. The distance between two languages is defined as:

24 24 Behavior Classification Tool using a Formal Language Measure
[Figure: stream of symbols → Convert to Vector → compared with Vectors of known behaviors]
Sample taken over “short” time scale
Dynamic Target Behavior Changes over “long” time scale

25 25 Future Work – Recognizing the Behavior of Multiple Targets Recognizing the behaviors of multiple targets Stages Finding stationary targets Finding moving targets Recognizing behaviors of multiple targets Methods Sensor energy surface Sensor cross-correlation

26 26 Future Work – Recognizing multiple targets – Method 1 Sensor energy surface

27 27 Future Work – Recognizing multiple targets – Method 2 Sensor cross-correlation

28 28 Future Work – Behavior Recognition of Multiple, Coordinated Enemy Assets Can we extend the model recognition techniques to hierarchical control systems?

29 29 Experimental Validation
Pressure sensitive floor
Formal Language Events:
a – green to red or red to green
b – green to tan or tan to green
c – green to blue or blue to green
d – red to tan or tan to red
e – blue to red or red to blue
f – blue to tan or tan to blue
Target Behavior: Wall following, Random walk
Analyze String Rejections

