23RD ICCRTS: 23RD INTERNATIONAL COMMAND AND CONTROL RESEARCH AND TECHNOLOGY SYMPOSIUM
PROGRAM FOR THURSDAY, NOVEMBER 8TH

10:00-10:30 Coffee Break
12:00-13:00 Lunch
13:00-15:00 Session 12A
13:00
A Contextual Query and Analysis Framework for Heterogeneous Unstructured Text

ABSTRACT. The ability to collect and process numerous documents from various sources is essential to achieve information superiority. However, processing documents in large quantities is a time-consuming effort, requiring trained personnel. Additionally, data volumes are exploding; more data has been created in the last few years than in the entire previous history of the human race. As a result, exploiting the whole of the information becomes impossible. The problem moves from having enough people to process information to providing trained individuals tools to point them in the direction where they are the most likely to find information with the highest value. This paper proposes a text analytics framework to help users search, categorize, and get recommendations on documents that are the most likely to be relevant to them and their current problem space. This framework allows users to: perform complex keyword searches; execute vector-based queries; obtain recommendations based on user feedback and context; and perform topic modeling over a collection of heterogeneous unstructured documents. Applications of various approaches (e.g., TF-IDF, Vector Space Model, Latent Dirichlet allocation) are detailed. An implementation on a fast, scalable, big data technological framework is also described.

13:30
Reasoning with Vector-Based Knowledge Representations

ABSTRACT. Representing a knowledge graph by embedding it in a high-dimensional vector space where similar concepts are represented by similar vectors gives several advantages over traditional knowledge bases. It allows for generalization of vocabulary, where facts entered about one term can be extended to synonymous terms. It makes possible analogical reasoning and zero-shot learning. This research explores how such vector-based reasoning can be extended to be directly useful in the same way as a knowledge base. In order to assign vectors to terms, a distributional semantics approach is combined with information from a knowledge base. A neural network learns to assign properties to terms. Sets are represented by weighted sums of term vectors, which can be decomposed back into the original vectors using sparse decomposition techniques, allowing the system to find intersections, unions, and negations. Finding chains of deductive reasoning is accomplished through decomposition of a vector representing the head and tail of the chain. This paper also characterizes how the dimensionality and construction method of the vectors affects the accuracy and performance of the knowledge base.

14:00
Blending Software Agents with Human Network Defense Teams

ABSTRACT. This paper introduces some of the concepts, designs and testing platform for our work in developing software agents to augment network defense analysts. Human network defenders are overloaded with information provided by intrusion detection systems and other network event monitoring technologies. Our software agents are being developed to augment the overburdened human defenders. These software agents are designed with varying levels of autonomy and are capable of addressing low-level, suspicious network behaviors, freeing the human defenders to investigate other activities that require human intelligence.

Objectives of our software agent work include measuring the security posture of networks with and without software agent support as well as understanding how humans interact with the agents. As network behaviors and information objects are classified, appropriate machine learning techniques will be applied to train the software agents to expand their course of action selections. Issues of trust and coordination among multiple software agents will also be explored.

This work is currently focused on fundamental network security and information assurance for DoD enterprise networks, where policies are defined and topologies are well understood. A mature and stable networking environment is necessary to 1) support shared understanding of network activities and vulnerabilities, and 2) shared multi-modal information regarding hostile and friendly entities on the network. Our ultimate target for this work is mobile tactical military networks.

14:30
Integrating Human Knowledge in a Semi-Autonomous Prioritization System: An Approach for Improving Network Intrusion Detection Efficiency

ABSTRACT. One of the most challenging aspects of network security management for the human analyst is examining the massive volume of alerts generated by large-scale intrusion detection systems (IDS). Although these IDS alarms may identify unauthorized network traffic, they are also known to frequently misclassify normal and background traffic as malicious—these are called false-positive alarms. Complicating the situation, organizational policy and changing operational environments may also influence which alarms are actively reported on versus those that are ignored. In previous work, we proposed a modeling approach for IDS alert prioritization that uses supervised learning algorithms to incorporate knowledge from past incident reports generated by human analysts and apply that knowledge to new intrusion detection alerts from signature and anomaly based network intrusion detection tools. In this paper, we enhance the modeling approach for IDS alert prioritization by improving the meaningfulness of the IDS alert feature embedding methodology used in the best-performing ensemble learning algorithms. In addition, we further examine the impact of training data learning windows and online learning approaches on prediction performance. We show that these improvements enhance prediction accuracy by increasing the depth of knowledge the classification model maintains.

13:00-15:00 Session 12B
13:00
A Methodology for Managing Multiple, Complex, C2-Enabling, Cybersecurity Research and Development Efforts

ABSTRACT. Protecting information within stand-alone systems with well-defined and static cybersecurity requirements is a relatively straightforward task. Managing and satisfying cybersecurity requirements becomes increasingly difficult as environments become more complex such as Multi-Domain C2 environments operating with multiple inter-related and inter-dependent partners (Joint, Interagency, Multinational, and Public organizations). In these environments, C2 and C2-enabling system technical, operational and policy controls both affect, and are affected by the other systems. Moreover, the cybersecurity posture is continuously adapting to mitigate evolving threat vectors so change is a constant.

In addition to these Multi-Domain C2 operational environment considerations, researchers seeking to test, develop and accelerate insertion of positively disruptive C2-enabling capabilities must purposefully strike a balance between complying with current operational cybersecurity requirements and interoperability controls (constraints) and intentionally trying to incubate, align or integrate positively disruptive C2-enabling capabilities that, in turn, affect and change current system/integrated systems technical, operational and policy controls. With so many interrelated or unknown (or to be defined) requirements, alternatives to traditional research and development environments and management approaches (such as integration platform as a service (iPaaS) or a Capability Maturity Model Integration (CMMI) variant) are needed.

This paper describes how the “Alignment, Synchronization and Integration Framework” (ASIF) and methodology (1) optimally supported the development and supports the management of a "Multiple classification and releasability, Alignment, Synchronization and Integration, Platform as a Service" (MAPaaS) environment, and (2) supports multiple, ongoing (cybersecurity-specific) positively disruptive C2-enabling 'incubation through integration' efforts hosted by MAPaaS.

13:30
Options for persistence of cyberweapons

ABSTRACT. A cyberweapon is weaponized software code that exploits flaws in software. It is only effective while the flaw still exists. Because of this, there is usually only a small window of time when a particular cyberweapon can be used. Some have argued that cyberweapons can only be effectively used once, and that after first use the vulnerability will be patched. However, the target must first detect the attack, find the vulnerability that was exploited, reverse-engineer the cyberweapon to identify signatures, then create and implement a patch. This window of opportunity between attack detection and patch implementation allows an attacker to reuse the cyberweapon against different or even the same targets for a while. An attacker can increase the length of time the window remains open by obfuscating the cyberweapon’s signatures to make it harder to detect the attack, or making it harder to locate and remove the weapon. This can be accomplished by incorporating survivability ideas into the weapon’s design requirement. This paper explores the strategic implications of reusable cyberweapons by specifically looking at stealth as the critical attribute that allows a cyberweapon to go undetected and survive long enough to be effectively used more than once.

14:00
IT Asset Management for Cyber Defense

ABSTRACT. How can we defend what we don’t know we have? At first glance, gathering information about our IT assets might appear straightforward. However, in a complex enterprise with multiple mission components and possibly multiple sites, as well as large numbers of users, the situation is more complicated. As an enterprise evolves over time, knowledge about applications in inventory, how they are implemented, and how they interact becomes dispersed and disorganized. If organizations always exercised proper configuration management and maintained perfect registries of necessary information capturing all dependencies, then cyber defense would be easier. However, in the real world, entities evolve haphazardly and the required information is not maintained, particularly since applications can be very complex and distributed across many resources. In some cases, periodic data calls might temporarily alleviate the problem, but the information gathered quickly goes out of date. One key to a more comprehensive and effective inventory is to use application-aware tools that go beyond identifying low-level hardware and software; they recognize and characterize high-level enterprise applications and their complex dependencies. Another key is appropriate human investigation and analysis facilitated by the tools. This is required when users run complicated custom applications that are not well known to tool developers. For such cases, we describe methods including the examination of communication patterns between software modules, pattern matching, and name analysis. Applying such methods to several large enterprises successfully identified running applications and yielded previously unknown potential vulnerabilities to attack.

14:30
C2 of Cyberspace Operations: Is a New C2 Approach Required?

ABSTRACT. C2 Agility Theory tells us that there is no “one-size-fits-all” approach to C2 that is appropriate for all missions and circumstances. The evidence from case studies and experiments further indicates that inappropriate approaches to C2 can lead to serious adverse consequences and even mission failure. More importantly, C2 Agility Theory also provides a way to analyze and assess the efficacy of different approaches to C2 for a given mission and circumstances as well as the agility of a given approach to C2 for an Endeavor Space. Thus, C2 Agility Theory can be applied to answer the question “Are traditional approaches to C2 appropriate for cyberspace operations?” and the implied question “If not, what approach to C2 is more appropriate?” The concept paper discusses what we may reasonably conclude from the existing body of evidence and what additional evidence and analyses are needed to “design” an appropriate C2 approach for Cyberspace Operations.

13:00-15:00 Session 12C
13:00
Command and Control for the Global Network of Navies

ABSTRACT. One of the three pillars in the new National Defense Strategy is to, “Strengthen Alliances and Attract New Partners.” This pillar recognizes that mutually beneficial alliances and partnerships are crucial to United States security and provide a durable, asymmetric strategic advantage that no competitor or rival can match. This approach has served the United States well, in peace and war, for the past 75 years. Our allies and partners came to our aid after the terrorist attacks on 9/11, and have contributed to every major U.S.-led military engagement since.

In times of relative peace, this day-to-day manifestation of working with our allies and partners occurs in the naval context. Every day, our allies and partners join us in defending freedom, deterring war, and maintaining the rules which underwrite a free and open international order. These are the reasons that a former U.S. Chief of Naval Operations proposed the concept of a “Thousand-Ship Navy” well over a decade ago.

The Thousand-Ship Navy, subsequently renamed the Global Maritime Partnership and now called the Global Network of Navies (GNN) is based on the fact that no single navy is robust enough to enforce the rule of law in the global commons—or even adequately respond to a large-scale natural disaster. In order to build a successful GNN, coalition partners need an international C2 infrastructure that will allow them to seamlessly and rapidly share information in order to generate an accurate Common Operating Picture (COP) across asymmetric information sharing agreements and heterogeneous equipment architectures.

The range of existing technological capabilities and funding available to support such an ambitious undertaking by our potential operational partners, however, is exceedingly broad. Addressing this diversity requires web-based Service Oriented Architectures (SOAs) to deal with interoperability challenges. The difficulty lies in connecting multiple SOAs to generate an accurate COP. As the United States “Rebalances to the Asia-Pacific Region”—a maritime theater with many first-rate navies the United States needs as partners—the imperative to work from the same COP and seamlessly exchange information has never been more important. Developing this international C2 compatibility is crucial to ensuring the security and prosperity of the United States, its allies, and partners.

13:30
Efficient and Secure Multi-domain Information Sharing in Tactical Networks

ABSTRACT. Tactical Networks (TNs) are challenging communication environments at the base of modern network-centric warfare, characterized by limited resources, frequent link disruption, and partitioning. TNs typically involve a multitude of units belonging to different domains that need to share information securely over shared and constrained links to enable cooperation. Federation Services offer a model for policy-based information sharing between multiple domains, which permit individual forces and organizations to match mission requirements by allowing a fine-grained selection of the data to exchange. However, while the Federation model alone is not enough to ensure confidentiality and integrity of data transmissions over shared network resources, traditional end-to-end cryptography solutions might not suit low-resource, bandwidth-constrained networking environments. This paper discusses three solutions to enable secure and efficient information sharing in multi-domain TNs using Federation Services. The first solution relies on a centralized group key management service (GkMS) that defines a single group for secure communications. The GkMS also authenticates the federates and assigns them a unique symmetric key for the group that they can use to encrypt/decrypt transmissions; with this approach, information sharing is entirely controlled by Federation policies. The second solution enables the definition of multiple groups of authenticated federates and provides information access control to information senders. This approach leverages attribute-based encryption (ABE) techniques to encrypt federated messages and define, on a per-message basis, a subset of groups that can access the data. Finally, the third solution addresses link disruption and network partitioning in TNs by introducing a distributed GkMS architecture.

14:00
Thou shalt not fail - Targeting Lifecycle-Long Robustness while being vigilant for the Black Swans

ABSTRACT. Software products used in the critical infrastructure (CI) and command and control (C2) realms have very long lifecycles and have many interfaces that are crucial for secure interoperability and networked use. When exposed to the shorter lifecycles of the commercial off-the-shelf (COTS) software used within, new approaches are needed to keep these products secure.

Many of the commonly used software components have shorter lifecycles than the CI products using them. An inherent security debt develops if vendors creating the CI/C2 systems do not keep up with updating underlying components. It is also possible that newer security testing methods might find new security issues in old software which is no longer under constant development and therefore not under quality assurance (QA) scrutiny.

Another source of security debt is changes in the environment in which the system is operated, and in the assumptions about the typical usage of the product: adding new network links, bringing in new data streams and new ways of using the system may seem simple and straightforward changes but may bring the security of the whole system under serious threat.

This paper suggests a sustainable long-term approach to address new sources of security debt of critical long-lifecycle software. Firstly, a highly automated robustness testing setup is proposed to constantly go through the most critical interfaces of the system. Secondly, a periodical threat analysis is applied to the product in order to detect the subtle but important changes in the environment the product is used in.

14:30
A Framework for Advanced Decision Support in Multi-domain and Coalition Operations

ABSTRACT. This paper examines the challenges of supporting command and control (C2) in multi-domain operations with modelling and simulation (M&S) and illustrates a potential framework that addresses this and the opportunities for experimentation. Although M&S has been an important enabler to support training across all domains, its application to support decision making, including war gaming, on military operations even in a single domain has been limited with the exception of some focused operational analysis tools. Operations since the 1990s have increased in complexity and are not only multi-domain, including both military and civil elements, but are multi-national. The challenges in using M&S are much greater as a result of this contemporary operational paradigm. The technical aspects, including the application of standards that enable interoperability, are only one element of providing the tools and techniques required to support advanced decision-making in either a centralised or decentralised multi-domain C2 environment. Another is the human aspect, which is critical to the acceptance, adoption, utilisation and understanding the utility of M&S in supporting decision making on military operations. In all cases there has been a reliance on external, highly-skilled technical support and future application of M&S needs to be used by non-specialist personnel.

15:00-15:30 Coffee Break
15:30-17:30 Session 13A
15:30
Artificial Intelligence for Decision Support in Command and Control Systems

ABSTRACT. Artificial intelligence (AI) is the intelligent behavior displayed by machines. In everyday terms, the term AI is used when machines mimic the cognitive functions that people associate with learning and problem solving. The key issues within AI include reasoning, planning, and learning. In military applications, AI becomes increasingly important in systems used at different military levels, from the combat level to tactical and operational levels. This development has led to decision support systems being used at the battalion and brigade levels. Based on empirical data gathered through structured user-centered activities involving military personnel, this study investigates how AI may be used in command and control systems. We study its use in the intelligence and operations processes. We discuss how AI methods can be used for decision support for processes that provide a common operational picture, use threat analysis to predict enemy actions, and analyze own forces’ alternative actions before execution. We conclude that the benefit of AI for the armed forces is that it can deliver critical system support when time is limited or when the number of choices is too large for people to be able to analyze all alternatives. We believe that the side that successfully implements AI in its command and control system can become the best and fastest at analyzing information and as a result can make quicker decisions and gain an operational advantage over its opponent.

16:00
Framework for C2 Concept Development: Exploring Design Logic and Systems Engineering

ABSTRACT. The conditions for military operations have changed due to, e.g., globalization, climate change, and nations’ ambitions and actions. This has resulted in new demands on command and control (C2) capability. Further, the rapid evolution of information technology has provided vigorous opportunities to enhance the C2 capability, e.g., through advanced communication, information management, and decision support. However, the need to rely on modern technology also causes increased vulnerabilities. The sociotechnical nature of C2 systems means that the development of C2 systems is complex and challenging. Developing C2 concepts requires collaboration between people from different knowledge disciplines, traditions, and perspectives. Therefore, there is a need for elaborated concept development approaches and structures that promote collaborative efforts. The objective of this paper is a framework for the development of C2 concepts that enhance the collaboration of people from different traditions. The study was carried out as a case study performed in two steps: theoretical development and formative evaluation. The case study targets the development of C2 concepts for future military operations of the Swedish Armed Forces. The framework includes terminology models, a development process, and system representations. The case study shows that in diverse teams, it is essential to agree upon terminology, development process, and systems representations used for the development to avoid misunderstandings and unnecessary rework. The framework explored in this paper is only in its first version. However, the development and the application of the framework was found to facilitate and focus the work of the multi-disciplinary team.

16:30
C2 and the Primacy of Information

ABSTRACT. No abstract for Concept Paper

17:00
Data centric information provision: an outline

ABSTRACT. Military organizations want to increase the effectiveness of their actions with 'intelligence'. There is a need for intelligence that enables the military user to take the right actions earlier and faster. To improve decision-making, the collection, processing, integration and use of real-time intelligence needs to be strengthened. Currently, this process is organized reactively, with the military user mostly looking for the information himself. The amount of information that is becoming available is constantly increasing. In the future, the search for information itself will be replaced by intelligence modules that push information in which the military user is automatically provided with tailor-made information, depending on the situation he is currently in. This raises the following question: how can you integrate big data and AI developments for military decision-making? And, more specifically: how do you determine which information is relevant for which user? Artificial Intelligence (AI) generates the most benefit when data is freely available and can be combined across multiple domains. However, data is often collected for a specific purpose and only accessible to the limited set of applications that support that purpose. Therefore, in order for AI to flourish, the first necessary step is to free up data from its application stovepipes. We therefore propose that a data centric approach for the enabling infrastructure may provide a better and future-proof basis than a traditional application centric architecture, which has been a major focal point for IT-design and development over the last decades. The outline of this data centric approach is described in this concept paper, to ultimately enable proactive intelligence provision for the military user.

15:30-17:30 Session 13B
15:30
The Mission Value Pyramid: A Framework for Basic Research Supporting C2, with Examples

ABSTRACT. We present a conceptual framework, the “Mission Value Pyramid,” for success in command, control and communications of complex missions, and use it to identify some example areas for basic research supporting the fundamentals of mission success. In the framework, mission success depends on adopting appropriate approaches to Command and Control, which depends in turn on effective management and use of complex, composite, multi-genre sociotechnical networks. These depend on effective and agile component networks, buttressed by assured communications capability. At lower levels of the Mission Value Pyramid, concerned with assured communications, some of the areas we identify include information theory for general, multi-hop, wireless mobile networks; mathematical treatment of multiple heterogeneous networks and their interconnection protocols; sub-Turing languages for cyber security; and new mathematics with applicability to encryption. At higher levels of the Pyramid, important areas include achieving a fundamental understanding of the behavior of composite networks, including trust dynamics. The understanding of systemic risk, and phenomena such as the normalization of deviance, are also important. The topics presented here do not constitute an exhaustive set, and many more are possible and desirable. We do not touch on some important areas such as data analytics, for example. The topics are also not prioritized. The main goal of this paper is to present a conceptual framework and begin to identify some important basic research topics and how they fit together.

16:00
Assessing the quantitative and qualitative effects of using mixed reality for operational decision making

ABSTRACT. The emergence of next generation VR and AR devices like the Oculus Rift and Microsoft HoloLens has increased interest in using mixed reality (MxR) for simulated training, enhancing command and control, and augmenting operator effectiveness at the tactical edge. It is thought that virtualizing mission relevant battlefield data, such as satellite imagery or body-worn sensor information, will allow commanders and analysts to retrieve, collaborate, and make decisions about such information more effectively than traditional methods, which may have cognitive and spatial constraints. However, there is currently little evidence in the scientific literature that using modern MxR equipment provides any qualitative benefits or quantitative benefits, such as increased task engagement or improved decision accuracy. There are also no validated metrics in the field for comparing across display devices and tasks. In this paper, we surveyed potential metrics for assessing the usefulness of MxR technologies and discuss how these data might be acquired in experimental and tactical scenarios. We also introduce the Mixed Reality Tactical Analysis Kit (MRTAK), which functions as an experimental platform to perform these assessments during collaborative mission planning and execution.

16:30
Knowledge Inquiry for Information Foraging

ABSTRACT. Human analysts have a vital role in the task of sensemaking, the process of extracting information to reach conclusions and make decisions. Question-Answering (QA) is an existing natural language processing application that would appear to be relevant to the analyst’s task, given information needs to address in a structured knowledge source. Standard QA systems, however, assume an input question can be interpreted in isolation, meaning that there is a single translation of language to a structured query, and that there is a unique correct answer. We assume that a more appropriate tool for an analyst would support open-ended exploration for relevant information from structured data sources, and would not commit too early to a single interpretation of the analyst’s question. We provide the capability to pose natural language questions to knowledge graphs in RDF format where information that is relevant to the question can be visualized, making the knowledge source more transparent to the user. This paper presents InK, an inquiry system for knowledge graphs where the input is a natural language (NL) question and the output consists of knowledge assumed to be relevant to a general information need that motivates the question.

17:00
Mapping Distributional Semantics to Formal Concept Lattice-based Property Norms

ABSTRACT. Distributional models characterize the meaning of a word by its observed contexts. They have shown great success in many natural language processing tasks; however, they are unable to differentiate clearly between different semantic relations. In cognitive psychology, a word is represented by its relations with properties. In this work, we propose that the mathematical structure of formal concept lattice (FCL) can be attached to property-based concepts in the property norm space to model the conceptual hierarchies. The k-nearest neighbors (KNN) method is then used to build a mapping from a distributional semantic space onto an FCL-based property space automatically for predicting property norms of unknown concepts. We evaluate our method on word embeddings learned with different types of contexts and demonstrate the potential of learning large-scale property-based concept representations from modest-sized human-annotated perceptual data.

15:30-17:30 Session 13C
15:30
Training Operational Military Organizations in a Cyber-active Environment Using C2-Simulation Interoperation

ABSTRACT. Critical needs in a cyber-active environment include both training cybersecurity technical personnel to provide for defense of operational systems and preparing operational military organizations to continue to function in such an environment. The latter is mostly unmet today, for two reasons: (1) a real cyber-attack on the information systems supporting an exercise would be so disruptive as to preclude any other training; and (2) modifying those supporting information systems to emulate an attack would be expensive, especially so in coalitions where every system would have to be modified.

The authors have reported in previous ICCRTS on the Command and Control - Simulation Interoperation (C2SIM) capability which enables a coalition to interoperate their C2 and simulation systems for training, course of action evaluation, and mission rehearsal. Typically, C2SIM information is exchanged via interface to a server. Reviewing capabilities introduced for single systems such as the Network Effects Emulation System (NE2S) simulation, we recognize the C2SIM server as an ideal place to emulate a wide range of cyberattack effects by modifying or deleting information as would happen from compromised software or networks and electronic warfare attacks. This requires the operational military organization to function while under cyberattack. While this approach does not provide training under all possible cyberattacks, it does allow a broad range that mitigates the previously identified concerns. The paper will provide an expanded version of the above rationale for adding cyberattack effects to C2SIM, explain what attacks and actions are possible and how we have imposed them.

16:00
A Hybrid Push/pull C4IS Information Exchange Architecture Concept

ABSTRACT. Leveraging consumer technology as terminals for soldier systems is becoming more and more common. Typically, information exchange is implemented as classic request/response services, as these are easy to secure when concerned with users with different credentials and access levels. Conversely, publish/subscribe may be a more efficient approach to disseminate information to many users simultaneously, but this communication paradigm is harder to leverage in a secure manner. In this paper we propose a hybrid architecture for information exchange based on operational needs and different message types.