Teresa F. Lunt

Identifying terrorist activity with AI plan recognition technology

We describe the application of plan recognition techniques to support human intelligence analysts in processing national security alert sets by automatically identifying the hostile intent behind them. Identifying the intent enables us to both prioritize and explain the alert sets for succinct user presentation. Our empirical evaluation demonstrates that the approach can handle alert sets of as many as 20 elements and can readily distinguish between false and true alarms. We discuss the important opportunities, for future work, that will increase the cardinality of the alert sets supported by the system to the level demanded by a deployable application. In particular, we outline opportunities to bring the analysts into the process and the opportunities for heuristic improvements to the plan recognition algorithm.

Panel: foundations for intrusion detection

Intrusion detection technologies have well-known shortcomings, such as a very high false alarm rate and the ability to detect only a limited class of attacks on a limited set of system components. Specialized attack types on unique system components cannot be detected, and neither can application-specific attacks. Even generic attacks on operating systems and networks cannot be reliably detected. Moreover, todays technology does only poorly at detecting new attack types, whereas much effort goes into developing signatures indicative of known attacks.