command and control forensics - dodccrp.org · command and control forensics kirk dunkelberger,...

10th International Command and Control Research and Technology Symposium

Command and Control Forensics

Kirk Dunkelberger, Northrop GrummanMajor Ryan Paterson, USMC, DARPA/IXO

Mark Akey, Northrop Grumman


Outline

• The Command Post of the Future (CPOF)– Concept and technology

• Development, deployment, and data– CPOF in the field

• The Vision– Supports collaboration, presents knowledge pro-

actively, adapts and learns• Preliminary data analysis• Plans for the future• The Challenge


CPOF Capabilities

• Analysts and staffers dynamically add a variety of planning, task, resource, etc. info to their “view of the world”

• Views (“thought visualizations”) are automatically shared leading to “topsight”

• Team members can instantly see what other members are doing• People collaborate automatically and almost without thought by preparing

information for others• Commander can see all views and can gather the “big picture” at

any time• “What are my people thinking about?” “Where are they?” “What’s

changed?” “Who is active?” etc.• CDR can synthesize his own custom views from briefings

“Where are you?”

“What are you doing?”

Dramatically Reduced!


Data Layer Eye

Abstraction

New Abstraction

Expertise

Understanding

Brain

Polymorphic

Focus

Knowledge

Reality

Eye

Data

E1

E2

E3

K1

K2

K3U

Eye

Collaboration – More than info sharing


CPOF Use by 1st Cavalry Div

Deployed Users at DIV MAIN CPDeployed Users at DIV MAIN CP

BDE CP UsersBDE CP UsersCDRCDR S3S3

MSE Conn

11stst Cav Div CPCav Div CP

ForwardForwardOperatingOperating

BaseBase


MSE Conn


MSE Conn


MSE Conn

Corp LiaisonCorp Liaison

MSE Conn

1 GB LAN1 GB LAN

CGCG COSCOS

CACAMIMIACEACESustainSustain(4)(4)

PlansPlans(4)(4)

ECC(4)ECC(4)CIC (4)CIC (4)

ADCMADCM

= Tactical Com Links


MSE Conn


MSE Conn


MSE Conn


MSE Conn


Data from Theater

• CPOF repository is checkpointed and archived every hour– Each archive is a snapshot of the state of the system at

that point• A “delta” file captures the changes between

archives• Recorded daily Battle Update Briefs (BUBs) and

Command Update Briefs (CUBS) using CPOF are also captured

Never before in the history of war has this kind of data been captured


Vision• Applying New Learning Techniques to Enhance Command Environment

– Capture, share and reason on knowledge– Relevant, critical knowledge mapped to current problem– Better understanding of the battlespace environment– Learning the evolving command process

• Build Adaptive Tools for Dynamic Command Process– Introduce adaptive awareness into C2 systems– Rapid access to essential domain expertise (subj ID), anywhere in the world– Dynamic ad-hoc team formation– System adapts to situation– Proactive retrieval (new domain-centric algorithms & knowledge representation)

• Develop Metrics for “C2 as a Science”– Measure success, align with NCO paradigm, produce superior effects– Improve commander expertise by orders of magnitude in time & effectiveness

• Lay Foundation for BattleZone– Superior decision making through knowledge and information superiority– Complete immersion in virtual combat environment (personalized)

Integrate new learning techniques and adaptive capabilities to revolutionize the way commanders discover and share resources and knowledge


Jan 06 Jan 08 Jan 09 Jan 10Jan 07

Phase 0: Adaptive Command

Phase 1: BattleNet

Phase 4: BattlePlex II

Phase 3: BattlePlex I

Phase 2: BattleSchool

Capture Live Combat

Extreme Scenarios

Designer’s Workbench(New Technologies/Systems/

Concepts)

Strategic SyllabusFor Life Long LearningCommander’s

Reference Library Interactive EncyclopediaOf All Battles

Career Progression

Reconstruction of Operations

Families of Decision Exercises

Cultural Immersion

Interactive History

Initial Learning & Skill Acquisition

Practice

Rehearse

Execute in the Real World

Observe & Understand

Learning TechniquesAdaptive Tools

What If? Capability

C2 as a Science

Amplifying IntuitiveKnowledge

BattleZone Concept


Preliminary Data Analysis

?

21 134 34 34 18 6 23 10 35 5 7

1085204401265 1085205721265 1085217941437 1085241600000 1085252400000 1085256000000 1085259600000 1085263200000 1085266800000 1085270400000C M M A D D A A A A

22 336 7 16 10 16 5 12 33 6 6

1085195441187 1085234400000 1085238000000 1085252400000 1085256000000 1085259600000 1085263200000 1085270400000 1085277600000 1085281200000C A A D D D D D D D

23 330 30 7 18 9 7 7

1085225641515 1085230301515 1085263200000 1085266800000 1085274000000 1085277600000 1085281200000C M A A A D D

24 119 19 7 7 23 37 27 9 7 7

1085166061875 1085166161093 1085202000000 1085212800000 1085223600000 1085227200000 1085234400000 1085241600000 1085245200000 1085248800000C M A A D A A A A D

25 339 39 5 40 35 35

1085229181515 1085231981875 1085266800000 1085270400000 1085277600000 1085281200000C M A A D D

26 119 29 29 29

1085207061296 1085245200000 1085277600000 1085281200000C A D D

27 131 41 40 16 6 14 4 3 16 5

1085169681093 1085205600000 1085209200000 1085227200000 1085230800000 1085234400000 1085238000000 1085252400000 1085256000000 1085259600000C A A D A A A D D D

28 12 2 3 2 2

1085177481140 1085216400000 1085252400000 1085277600000 1085281200000C A D D D

Social Network Analysis

•Clustering (spectral, graph, conceptual, hierarchical)

•Temporal Modeling (markov models, reinforcement learning, dynamic bayes nets, probabilistic automata, recurrent neural nets)

•Probabilistic Metadata

•Integration of learning and social network analysis

Now we need to leverage best of breed data mining tools to learn

and reason about the battlespaceenvironment

Correlation Analysis

Fourier Series Analysis

Knowledge Sharing Analysis

Discrete Sequence Analysis

Type Density Analysis

Today: We have a few

tools to acquire a

basic understanding

of combat data

Potential Approaches:


Correlation Analyses• Approach: cross correlate activity across workspaces• Objectives:

– Discover inter-workspace work flow• learn and cue team formation• anticipatory retrieval via inferred use patterns

– Infer intra-workspace procedure• learn and anticipate event effects• shorten timelines through global team optimization

• Discovery: global organization drives activity, but local SOP drives the details…

matching activity patterns across workspace pairs


Fourier Series Analyses• Approach: Feature extraction and filtering of workspace activity in

frequency domain• Objectives:

– Real time filtering for aperiodic event identification and isolation • team formation recognition and intuitive knowledge adaptation

– Continuous inference of informal periodic activities • anticipatory retrieval automation

– Manage bandwidth • proactive search and anticipatory retrieval efficiency

• Discovery: foundation patterns exist, but outliers represent tactically significant activity…

determining periodicity within a single workspace


Knowledge Sharing Analyses

• Approach: pattern recognition and anomaly detection in workspace knowledge overlap

• Objectives:– Generalize inter-workspace content patterns

• learn consistent collaboration• optimize storage and bandwidth via anticipatory retrieval

– Infer and recognize new sharing patterns• learn / reason on anomalous collaboration events• anticipate team formation

• Discovery: dynamic team formation is the key to emergent problem solving…

?!,

, , …

, …

overlap of UUIDs between workspaces over time


• Approach: track sequence of knowledge through workspaces over time

• Objectives:– Learn and generalize knowledge propagation

• infer team formation from “next step”indicators• optimize anticipatory retrieval from generalizations

– Build predictors for knowledge flow • learn collaborative workflow and informal organization• provide cognitive pre-fetch i.e. smart anticipatory retrieval

• Discovery: organization implies workflow but circumstances drivead-hoc organization…

Discrete Sequence Analyses

21 134 34 34 18 6 23 10 35 5 7

1085204401265 1085205721265 1085217941437 1085241600000 1085252400000 1085256000000 1085259600000 1085263200000 1085266800000 1085270400000C M M A D D A A A A

22 336 7 16 10 16 5 12 33 6 6

1085195441187 1085234400000 1085238000000 1085252400000 1085256000000 1085259600000 1085263200000 1085270400000 1085277600000 1085281200000C A A D D D D D D D

23 330 30 7 18 9 7 7

1085225641515 1085230301515 1085263200000 1085266800000 1085274000000 1085277600000 1085281200000C M A A A D D

24 119 19 7 7 23 37 27 9 7 7

1085166061875 1085166161093 1085202000000 1085212800000 1085223600000 1085227200000 1085234400000 1085241600000 1085245200000 1085248800000C M A A D A A A A D

25 339 39 5 40 35 35

1085229181515 1085231981875 1085266800000 1085270400000 1085277600000 1085281200000C M A A D D

26 119 29 29 29

1085207061296 1085245200000 1085277600000 1085281200000C A D D

27 131 41 40 16 6 14 4 3 16 5

1085169681093 1085205600000 1085209200000 1085227200000 1085230800000 1085234400000 1085238000000 1085252400000 1085256000000 1085259600000C A A D A A A D D D

28 12 2 3 2 2

1085177481140 1085216400000 1085252400000 1085277600000 1085281200000C A D D D

Markov models of uformtraffic through workspaces


• Approach: recognize temporal knowledge type density patterns• Objectives:

– Infer type/time clusters • dynamically adapt anticipatory retrieval (space and time)

– Characterize movement of clusters through workspaces • learn knowledge requirements• cue team formation• provide local, context-aware proactive search / retrieval

• Discovery: (temporal) interest falls into distinct classes…

Type Density Analyses

life cycle model of uformtypes over all workspaces


• Approach: apply graph theory to model social organization of andcoalitions among workspaces

• Objectives:– Identify gate keepers, bottlenecks, gurus, …

• aid team formation through problem / solver matching• tune proactive search to increase situational awareness

– Characterize (time-variant) informal organization• learn coalition formation and dissolution (cue team formation)• focus local anticipatory retrieval on rate limiters• learn future optimal, context-sensitive formal organization doctrine

• Discovery: IO vulnerabilities exist in the form of critical nodes…

Social Network Analyses

societal activity and relations as a model for C2


Plans for the Future

Facilitate fully integrated TOC workstations and assess the value of current and potential future data bridges.

Determine the statistical relevance (MOPs & MOEs) of potential analytic tool integration using the CPOF data, e.g., can the tool maximally extract value from the data?

Integrate Analysis Tools

Discover cues for efficient, effective team formation and elicit requirements for adaptive networking.

Identify “critical path” and “critical path people” in the operational flow

Identify Critical Resources

Discover approaches for recognizing inferred areas of interest, activities of interest, patterns of interest, etc. and for enabling knowledge-based compression.

Detect and identify C2 environmental (sensed data) boundary conditions

Take Cues from Anomalies

Uncover user profiles, default views, templates, etc. to move focus from tool to decisions and provide database design cues.

Identify common knowledge, forms and use

Capitalize on Data Overlap

Discover tripwires for system adaptation and knowledge push.

Detect and identify C2 decision boundary conditions

Leverage Activity Surges

Data Analysis ObjectiveDerived Analytical HypothesisWarfighter Requirement


Plans for the Future (cont.)

Discover informal organizational cues, emerging doctrine and (system, information, network, etc.) architectural cues.

Detect and identify causal and behavioral dependencies

Model the Architectures

Identify methods for improving team formation and prioritizing additional data bridges.

Determine the increase in team formation efficacy using additional, external databases

Exploit Outside Knowledge Sources

Validate semantics to expedite situation awareness and enable efficient representation and distribution.

Determine the efficiency of the emerging user-defined ontology; identify optimization/reduction of the semantics

Tune Knowledge Management

Discover opportunities for workload reduction, decision timeline reduction, dialogue pattern recognition, and query language improvement.

Detect and identify knowledge search “miscues” and “near hits” by the user

Improve Knowledge Interfaces

Data Analysis ObjectiveDerived Analytical HypothesisWarfighter Requirement


The Challenge

• Future command technologies must be able to learn and adapt to the user, his collaborative partners and the operational environment.

• The primary goal must always be to enable the human to adapt more quickly than his enemy and practice his art in a way that leaves him never surprised, not replace him or make him a mere weapons system.

• The challenge is to develop technologies that will transform the way we think about command and control and produce technologies that amplify intuitive knowledge.

• This challenge can be met only by a multi-disciplinary team of technologists, cognitive psychologists and military operators that is directed by the principle of Recognition Primed Decision Making, and enabled by the Capture of Live Combat.

command and control forensics - dodccrp.org · command and control forensics kirk dunkelberger,...

Documents