Ted E. Senator

Enabling technology for knowledge sharing

Building new knowledge-based systems today usually entails constructing new knowledge bases from scratch. It could instead be done by assembling reusable components. System developers would then only need to worry about creating the specialized knowledge and reasoners new to the specific task of their system. This new system would interoperate with existing systems, using them to perform some of its reasoning. In this way, declarative knowledge, problem- solving techniques, and reasoning services could all be shared among systems. This approach would facilitate building bigger and better systems cheaply. The infrastructure to support such sharing and reuse would lead to greater ubiquity of these systems, potentially transforming the knowledge industry. This article presents a vision of the future in which knowledge-based system development and operation is facilitated by infrastructure and technology for knowledge sharing. It describes an initiative currently under way to develop these ideas and suggests steps that must be taken in the future to try to realize this vision.

Countering terrorism through information technology

Developing the information-analysis tools for an effective multi-agency information-sharing effort.

The Financial Crimes Enforcement Network AI System (FAIS) Identifying Potential Money Laundering from Reports of Large Cash Transactions.

The Financial Crimes Enforcement Network (FIN-CEN) AI system (FAIS) links and evaluates reports of large cash transactions to identify potential money laundering. The objective of FAIS is to discover previously unknown, potentially high-value leads for possible investigation. FAIS integrates intelligent human and software agents in a cooperative discovery task on a very large data space. It is a complex system incorporating several aspects of AI technology, including rule-based reasoning and a blackboard. FAIS consists of an underlying database (that functions as a black-board), a graphic user interface, and several preprocessing and analysis modules. FAIS has been in operation at FINCEN since March 1993; a dedicated group of analysts process approximately 200,000 transactions a week, during which time over 400 investigative support reports corresponding to over

Multi-stage classification

1 billion in potential laundered funds were developed. FAISs unique analytic power arises primarily from a change in view of the underlying data from a transaction-oriented perspective to a subject-oriented (that is, person or organization) perspective.

Link mining applications: progress and challenges

While much research has focused on methods for evaluating and maximizing the accuracy of classifiers either individually or in ensembles, little effort has been devoted to analyzing how classifiers are typically deployed in practice. In many domains, classifiers are used as part of a multi-stage process that increases accuracy at the expense of more data collection and/or more processing resources as the likelihood of a positive class label increases. This paper systematically explores the tradeoffs inherent in constructing these multi-stage classifiers from a series of increasingly accurate and expensive individual classifiers, considering a variety of metrics such as accuracy, cost/benefit ratio, and lift. It suggests architectures appropriate for both independent instances and for highly linked data.

Ongoing management and application of discovered knowledge in a large regulatory organization: a case study of the use and impact of NASD Regulation's Advanced Detection System (RADS)

This article reviews a decade of progress in the area of link mining, focusing on application requirements and how they have and have not yet been addressed, especially in the area of complex event detection. It discusses some ongoing challenges and suggests ideas that could be opportunities for solutions. The most important conclusion of this article is that while there are many link mining techniques that work well for individual link mining tasks, there is not yet a comprehensive framework that can support a combination of link mining tasks as needed for many real applications.

The NASD Regulation Advanced-Detection System (ADS)

This paper describes a case study of an ongoing, deployed, KDD application – NASD Regulation’s Advanced Detection System (ADS), which monitors activity on the Nasdaq Stock Market – from the perspective of how organizations and systems are impacted by the continuous long-term use of KDD in a dynamic domain. It discusses knowledge management techniques that have been developed for and applied to discovered knowledge. It points out special considerations resulting from the regulatory environment as well as general lessons applicable to all organizations that may come to rely on KDD as an integral part of their business operations. It describes our modifications to accepted KDD processes that are needed to account for the longterm use of KDD as part of a dynamic business environment.

Use of Domain Knowledge to Detect Insider Threats in Computer Activities

The NASD Regulation Advanced Detection System (ADS) monitors trades and quotations in the Nasdaq stock market to identify patterns and practices of behavior of potential regulatory interest. ADS has been in operational use at NASD Regulation since summer 1997 by several groups of analysts, processing approximately 2 million transactions per day, generating over 7000 breaks. More important, it has greatly expanded surveillance coverage to new areas of the market and to many new types of behavior of regulatory concern. ADS combines detection and discovery components in a single system which supports multiple regulatory domains and which share the same market data. ADS makes use of a variety of Al techniques, including visualization, pattern recognition, and data mining, in support of the activities of regulatory analysis, alert and pattern detection, and knowledge discovery.

On the efficacy of data mining for security applications

This paper reports the first set of results from a comprehensive set of experiments to detect realistic insider threat instances in a real corporate database of computer usage activity. It focuses on the application of domain knowledge to provide starting points for further analysis. Domain knowledge is applied (1) to select appropriate features for use by structural anomaly detection algorithms, (2) to identify features indicative of activity known to be associated with insider threat, and (3) to model known or suspected instances of insider threat scenarios. We also introduce a visual language for specifying anomalies across different types of data, entities, baseline populations, and temporal ranges. Preliminary results of our experiments on two months of live data suggest that these methods are promising, with several experiments providing area under the curve scores close to 1.0 and lifts ranging from ×20 to ×30 over random.

Insider Threat Detection in PRODIGAL

Data mining applications for security have been proposed, developed, used, and criticized frequently in the recent past. This paper examines several of the more common criticisms and analyzes some factors that bear on whether the criticisms are valid and/or can be overcome by appropriate design and use of the data mining application.