Tag: threat assessment

  • Diving into real-time geospatial threat intelligence

    “Crime is common. Logic is rare. Therefore, it is upon the logic rather than upon the crime that you should dwell.”

    “Data! Data! Data!” He cried impatiently. “I can’t make bricks without clay.”

    — Sherlock Holmes, “The Adventure of the Copper Beeches,” Sir Arthur Conan Doyle


    Watson is to Holmes what information is to intelligence. Watson could listen to the client story, observe the situation, and recite to Holmes all the relevant facts, but he lacked the ability to string together the seemingly random pieces of information into a coherent chain of events leading to the correct hypothesis. A computer can become a Watson, but it takes a human to be Sherlock; however, a human misguided by cognitive biases will end up as Inspector Lestrade, always coming to the wrong conclusion.

    When it comes to data, the analogy of drinking from a fire hose is an understatement. Consider that a digital image can be terabytes in size and every day millions of images are taken. Facebook generates 4 petabytes of data daily, and each day there are 500 million tweets and 306 billion emails. Additionally, there are 20 billion connected devices. Combined, the world creates 2.5 quintillion bytes of data every day. If a grain of sand represents a byte of data, then every three days more data is created than there are grains of sand on the Earth, and it is only increasing.

    Somewhere in all that data are signals. Real-time threat intelligence systems are looking for those signals before the next huge event occurs. It is a high-stakes hunt for Leviathan, except that Leviathan is only a packet of sand traveling at lightspeed through a cloud obscured by dust.

    Nellis Air Force Base takes part in Red Flag 15-2 at its Combined Operations Center in 2015. (Photo: Senior Airman Thomas Spangler/U.S. Air Force.)

    Interpreting a Signal

    The massive volume, variety and velocity of continuously flowing data far surpasses the ability of humans to process. It exceeds the bandwidth most systems can handle. And it quickly overwhelms the capacity to store, manage and act on the information in a timely and cost-effective manner. Resources are not infinite. The best model to handle an overwhelming amount of data is the human brain. Humans are biological sensors. Every moment of every second of our lives, our bodies are receiving an endless stream of stimuli from internal and external sources. Most of these stimuli register at an unconscious level, and as long as they are normal and expected, they go unnoticed by the conscious mind. If, however, any discomfort is experienced, the conscious mind is notified. Then that becomes the focus until normalized. Externally, the same applies to computer data systems. Normal conditions are ignored, but if there is something unusual, such as a loud constant noise, or a colder than normal temperature, it draws all the processing attention.

    In the realm of intelligence that is basically how things function. Algorithms are written to learn the normal patterns of life and to identify specific events, words, names, etc. As long as data is within normal parameters, it gets little attention, but as soon as an anomaly exceeds a threshold or something triggers the algorithm, it will immediately be brought to the attention of the intel center. An example can be viewed on the Global Incident Map dashboard. I encourage you to sign up for a free 72-hour membership. If you want to see what real news looks like, this would be a sampling. The number of real incidents that happen across the country and around the world that you never hear about, many of them hair-raising and all of them open source, add to the few stories the media has been able to tell about cyber attacks. Scroll down the page. There are many filters, but I recommend turning them all off to see the full extent of information. Clicking on an incident will drill down into the actual source so you can read about it more thoroughly.

    Below is the U.S. Army’s real-time critical incident dashboard called the Joint Analytic Real-Time Virtual Information Sharing System (JARVISS). It tracks and monitors activity near U.S. Army installations and standalone assets of interest around the world.

    Another dashboard for cyberattacks is Check Point, which shows just how aggressive cyberthreats are throughout the world. Here, you can see the patterns of coordinated attacks. A war is underway. The soldiers are cyberwarriors. No country is safe. View the Live Cyber Threat Map.

    JARVISS is designed to target criminal activity and provide natural disaster information in and around Army installations and stand-alone facilities, as well as COVID-19 threats. (Image: Steve Gardner/U.S. Army)

    Fast Analysis in Real Time

    Monitoring this information, analysts look for connections. If a plane veers off its flight path, the local operations center is notified. An automatic query shows if any critical-infrastructure assets or other important structures and facilities are in the area. The analyst can immediately find out the type of aircraft, the call sign, who the plane is registered to and who filed the flight plan. Weather radar can be overlaid to see if that is a possible reason for the deviation. Incident reports can be displayed in real time within the area of interest, along with social media feeds and other sources of communication. Traffic patterns can be displayed.

    The important question that needs to be answered is whether this is a potential threat. Is there a connection to anything going on anywhere else? A dossier is developed on the person who filed the flight plan, the one who is assumed to be the pilot and the person or organization to which the plane is registered. All of this is being done in a matter of minutes, while the airplane either returns to its flight path or continues its diversion. The air traffic control tower is contacted to share information on the aircraft and its deviation. If the tower does not have an answer, it will radio the pilot for an answer. The passenger and crew manifest also are analyzed. All the data that can be pulled together — including the remaining fuel burn and the aircraft performance limitations — are analyzed.

    Patterns emerge from the data. These patterns lead backwards to a cause and forward toward the end result. Finding those clues in the data requires a team of specialists from six primary intelligence disciplines.

    • An imagery intelligence analyst brings in the live-streams and remote sensing.
    • A human intelligence analyst seeks motivating factors and ways to deescalate the situation.
    • A measurements and signatures intelligence specialist defines the operating limitations and the mechanics and science particular to the scenario.
    • An open-source intelligence analyst accesses and queries open-source data sets to provide clues.
    • A signals intelligence specialist focuses on the communications and electronic signatures.
    • A geospatial intelligence analyst brings it all together and provides spatial context through the map the team uses that shows the events unfold in real time.

    These analysts and sometimes many others will collect all these pieces of information and turn them into intelligence that decision-makers can use to take action. That is the purpose of intelligence; as CIA veteran Richard Heuer stated, “Intelligence seeks to illuminate the unknown.”

    Fortunately, most alerts turn out to be false positives, but every one of them is treated as if it were “the one.” These false positives turn out to be excellent, real-world exercises that hone the skills of the team and wire the brain for speed. These events can last mere minutes or several hours. It’s an adrenaline rush.

    To explore live streaming data feeds, Esri has a growing volume of data in its ArcGIS Living Atlas.


    “My mind rebels at stagnation. Give me problems, give me work, give me the most abstruse cryptogram, or the most intricate analysis, and I am in my own proper atmosphere…”
    — Sherlock Holmes, “The Sign of the Four,” Sir Arthur Conan Doyle

     


    William Tewelow works for the Federal Aviation Administration. He is a graduate of a management fellowship program. While on special assignment to the U.S. Department of Transportation, William led the project to crowdsource the National Address Database for the White House Open Data Partnership. He is a Geographic Information Systems Professional (GISP) and a Maryland Scholar STEMnet Speaker. He has a degree in Geographic Information Technology and Intelligence Studies from American Military University and is currently earning a degree in Organizational Leadership. William retired from the U.S. Navy after serving 23 years as a Geospatial and Imagery Intelligence Specialist, a Naval Aviator, a Meteorologist, and a Tactical Oceanographer. He was among the first in the nation to earn a Geospatial Specialist Certification from the U.S. Department of Labor while working at NASA Stennis Space Center in Mississippi. He is married, enjoys traveling, solving problems, and playing with data, and is fascinated by new technology and historical context. His favorite quote is, “A man’s mind changed by a new idea can never go back to its original dimension.” ~ Oliver Wendell Holmes

  • Space threat report catalogs China, Russia, jamming and GPS


    America’s space assets are in danger from an array of kinetic, non-kinetic, electronic and cyber threats. These are wielded by nation states, primarily China, Russia, Iran and North Korea, though there are other countries as well as non-state actors.

    On March 30, the Center for Strategic and International Studies (CSIS) released Space Threat Assessment 2020, a catalog that highlights the ways essential space-based services Americans rely upon can be degraded or eliminated. But it doesn’t do much to “assess threats.”

    That said, it is still an impressive, useful and informative document. Some of what it doesn’t say can be inferred, and it provides a clear conclusion for policy makers and others.

    Threat assessments are typically undertaken to:

    • Identify potential dangers,
    • Evaluate their credibility,
    • Weigh potential impact, and
    • Estimate the probability of the threat turning into an incident

    This CSIS report generally stops after accomplishing the first two tasks.

    Nonetheless, it is very instructive in several ways.

    Interference with Space Systems

    First, it is packed with examples of how America’s adversaries have armed themselves, and stories about interference with space-based systems. Whether it is information about China training troops to use direct-ascent weapons, or reports about Russia’s mass GPS spoofing, the report’s matrix of threat categories is well supported by examples of real-world events.

    Second, while the report doesn’t overtly rank threats and adversaries, it is possible to infer some generalities by the attention the report devotes to each. Among potential adversaries, China was mentioned the most by far — 429 times. It was followed by Russia (275), Iran (206), India (141), and North Korea (132).

    This word cloud from CSIS Space Threat Assessment 2020 shows that China received by far the most mentions, followed by Russia. (Image: RNT Foundation)

    Jamming and spoofing

    Jamming and spoofing seem to be the most credible threats and were mentioned 188 times, with ASAT and direct-ascent closely following with 179 mentions. This particular word count might not be reflective, though, as the report contains many more examples of real-world jamming and spoofing than ASAT and direct-ascent.

    And of all the types of satellites that could be threatened, GPS/GNSS was the clear leader at 98 mentions, with communications and surveillance coming in at 42 and three, respectively.

    In all fairness, at only 80 pages, it’s not possible for Space Threat Assessment 2020 to be an exhaustive analysis. And doing more would likely require making it classified. Then this exceptionally educational reference would not be nearly as available for the policy making audience that sorely needs it.

    And it does provide an excellent bottom line for those making macro-level decisions about space policy and budgets going forward. From the report’s “What to Watch” section:

    Electronic counterspace weapons continue to proliferate at a rapid pace in both how they are used and who is using them. Satellite jamming and spoofing devices are becoming part of the every-day arsenal for countries that want to operate in the gray zone — i.e., below the threshold of overt conflict. The jamming and spoofing of satellites has become somewhat common, and without strong repercussions these adverse activities could gradually become normalized…

    One should expect that the rate of satellite jamming and spoofing incidents will only increase as these capabilities continue to proliferate and become more sophisticated in the coming years.


    Dana A. Goward is president of the non-profit Resilient Navigation and Timing Foundation.

  • Systems Engineering Group to demonstrate UAV tech at naval event

    Telephonics Corporation’s subsidiary, Systems Engineering Group (SEG), will demonstrate autonomous UAV control and PULSEbox this month during the Annual Naval Technology Exercise (ANTX), Dahlgren (Virginia) Division event.

    ANTX-Dahlgren, being held Sept. 13-14, is a two-day event providing a low-risk environment to evaluate technological innovations at the research and development level before technologies become militarized and integrated at the operational level.

    The autonomous UAV control demonstration will include a system manager in a UAV control ConOps scenario. System Manager is a model-based expert system of systems, which can plan, schedule and initiate ConOps processes to provide round the clock automation in the Flight Dynamics Operations Area (FDOA) on NASA’s Magnetospheric Multiscale (MMS) mission. This enables NASA to minimize human involvement in controlling satellite maneuvers along with optimizing data downloads.

    PULSEbox offers a high fidelity, real-time, RF threat scene generator that integrates SEG’s threat models with optimized hardware. The system will create advanced test ecosystems by providing real-world target simulated threat states and related radar representations in laboratory settings, leading to improved testing of interoperable elements before live-sea testing events of air-breathing and ballistic missile threats, the company said.

    “Both the autonomous UAV control and PULSEbox technologies align with the U.S. Navy’s requirements for more autonomous systems with limited human control requirements and more realistic training, simulation and modeling environments,” said Michael Anderson, Telephonics vice president and SEG general manager.

  • Automatic Threat Assessment: Tracking System Tells Friend from Foe

    INTRUSION SENSORS strive to have a high detection rate and low false alarm rate.

    By Eric Olson and Steven Pisciotta

    Ongoing threats from terrorist activities at critical facilities require early detection before the threats can reach their target and complete their mission. This has produced the need for advanced security systems to effectively detect terrorist activity, while reducing alarms caused by normal friendly activity. Automatic Threat Assessment, also referred to as Identify Friend or Foe (IFF), is the ability to automatically acknowledge alarms created by friendly assets. It can be achieved with a security system that uses GPS and geospatial data to go beyond the typical intrusion-sensor-only configuration.

    The addition of a tracking system associated with friendly vehicles and personnel can provide the missing information necessary to tighten security, reduce the need to take action on alarms caused by friendly targets, and reduce the material and personnel cost of threat assessment. Tracking systems and intrusion sensors can work together to automatically classify an actual intruder with high confidence and without operator intervention.

    The Verification Problem

    Typical intrusion sensors include intelligent fences, ground proximity sensors, radar, LIDAR, and video analytics. The role of the intrusion sensor is to identify a breach and notify security personnel so they may perform verification. Table 1 shows the formal alarm types received from intrusion sensors, which strive for a high detection rate and a low false-alarm rate. For this reason, the nuisance alarm can be problematic as it reflects a real event for the intrusion sensor, but often a non-event for the security operator.

    These typical sensors only provide a “suspected intruder” list. The follow-on task is to decide whether or not to reclassify a suspected intruder as an actual intruder. This process is typically a manual task and can be difficult, confusing, and time-consuming.

    For instance, a landscape crew will trigger alarms. Even for very accurate systems that can uniquely track the object over a long period, it is highly likely that over the period of time the landscapers are in the area, the track will be lost, causing the system to re-alarm on the same person or vehicle, as it represents a potential intrusion.

    If the landscaping crew needs to open a gate, and that gate is integrated into the facility’s access control system via a dry contact or beam breaker device, it may continuously alarm while left open, or at a minimum, in the case of the beam, each time one of the workers or the vehicle passes through the entrance. In these situations, security will either need to validate each alarm by verifying it on a camera or having an officer follow the landscaping crew throughout their route.

    The existence of a friendly alarm event that needs continual validation can lead to complacency among security personnel, who may either not verify it or not verify it in a timely manner.

    Table 1. Alarm types.

    Combined Detection, Location

    A GPS tracking system combined with the intrusion sensors can help identify friends. Tracking systems consist of two main types of locating devices: GPS-enabled devices and wireless transponders.

    Modern, low-cost GPS receivers can achieve an accuracy rating of less than 3 meters, provide an update once per second, and do not require visibility to the open sky. Wireless communication transmits the GPS data to the C2 system. A typical data set includes time, date, latitude, longitude, altitude, heading, speed, and quality of GPS signal.

    The combination of intrusion sensors and tracking systems can produce automatic threat assessment. Routine situations requiring significant security involvement, such as the landscaping scenario, can be automatically managed by the system. The command and control system has the ability to know friendly targets and their location.

    Further, the system can perform a check before actually alarming. In the case of a perimeter alarm, it now has the intelligence to understand, within a level of confidence, that the object detected by the intrusion sensors is the same friendly item being tracked by the tracking system. If the system determines the targets to be the same object, the alarm can be suppressed, eliminating the need for security to verify the event.

    THE COMBINATION of intrusion sensors and a tracking system allows for Automatic Threat Detection.

    Common Operating Picture

    The integration of these types of systems is not complex in terms of how to coordinate data. Interface documents exist for these types of integration and are done on a regular basis. Typical position and target information is communicated over XML in a standard format. However, to gain these benefits, the tracking systems and intrusion sensors must all work within a common geospatial operating picture.

    Advantages of geospatial or geo-referenced systems include the ability to easily display and control data in a map-based format, allowing tracking systems and intrusion sensors to synergistically perform automatic verification. This combined knowledge of the target’s track also allows the fusing of the GPS data and the intrusion sensor data into a single object and path, aiding security by reducing target and track clutter on the operator’s command and control or PSIM (perimeter security information system) display.

    Take for example a guard enabled with a tracking device, performing a tour around a fence protected by video analytics enabled cameras. On a typical PSIM, a normal guard tour would result in two icons on the display, one friendly from the tracking system and one unknown from the video analytics. This scenario would also result in two similar object tracks. Security would need to review the situation and understand that this symbology represents a single target and a single track.

    Integrating the tracking system with the video analytics system allows for a fusing of this data, and the resulting command-and-control symbology is a single target and a single track.

    Other considerations when combining a tracking system with intrusion sensors include update rate, time and location accuracies, and overlapping coverage.

    Ideally, all sensors would be synchronized when it comes to timing aspects, but this is typically not the case. Different timing between data updates and time inaccuracies can result in the inability for the systems to confidently conclude that two tracks were created by the same target. Transport delay, the transmission of the GPS data through the satellite, can also be an issue. For tracking devices, it’s vital for the data to be received by the C2 system with a repeatable transport delay. Variability in the transport delay also decreases the ability to automatically verify the threat.

    Geographic accuracy of both the GPS tracker and the intrusion sensor is another important factor in data fusion. Typical GPS trackers have an accuracy rating of 3–10 meters. Actual accuracy varies with the visible GPS satellites, nearby tall buildings, whether the tracker is body worn, and RF interference. Intrusion sensors also possess an inherent accuracy. Radar surveillance may have a resolution of 1 x 1 meter at close range, but it expands at far range to 1 x 20 meters.

    Intelligent fence sensors and video analytic systems can have resolutions that vary from 1 to 25 meters, based on the type of sensor and the terrain. These geographic inaccuracies can be handled to some degree by considering other factors, including heading, speed, and previous track, but it’s important to understand where these inaccuracies can occur.

    Overlapping coverage of surveillance sensors also affects data fusion. In the case of track fusion, this ability is only available in areas where both a geospatial intrusion sensor exists and a tracking system is operational. If there are gaps in overlapping coverage, or areas that do not include geospatial-based intrusion sensors, then fusion is not possible in those regions.
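
The pre-alarm check and the fusion constraints described above (timing gaps, position accuracy, overlapping coverage) can be sketched as a single gating function. This is an added example, not code from the article or from either vendor: the class and function names, the gate formula, the `max_age_s` and `max_gate_m` thresholds and the sample coordinates are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6371000.0

@dataclass
class Fix:
    """One report from a friendly GPS tracker, timestamped on the C2 clock."""
    tracker_id: str
    t: float           # seconds
    lat: float
    lon: float
    speed: float       # metres per second
    accuracy_m: float  # tracker accuracy rating

@dataclass
class Detection:
    """One suspected-intruder report from an intrusion sensor."""
    sensor_id: str
    t: float
    lat: float
    lon: float
    resolution_m: float  # sensor resolution at the detection's range

def distance_m(lat1, lon1, lat2, lon2):
    """Equirectangular distance; adequate over the extent of one facility."""
    x = math.radians(lon2 - lon1) * math.cos(math.radians((lat1 + lat2) / 2))
    y = math.radians(lat2 - lat1)
    return EARTH_RADIUS_M * math.hypot(x, y)

def assess(det, fixes, fused_sensors, max_age_s=5.0, max_gate_m=15.0):
    """Return ("SUPPRESS", tracker_id) or ("ALARM", None). Fails closed."""
    # No overlapping tracker coverage for this sensor: fusion is not possible.
    if det.sensor_id not in fused_sensors:
        return ("ALARM", None)
    best = None
    for fix in fixes:
        dt = abs(det.t - fix.t)
        if dt > max_age_s:   # stale or badly delayed fix: cannot vouch for it
            continue
        # Gate = both position uncertainties plus how far the friendly
        # could have moved during the timing gap between the two reports.
        gate = fix.accuracy_m + det.resolution_m + fix.speed * dt
        if gate > max_gate_m:  # too coarse to say "same object" with confidence
            continue
        d = distance_m(det.lat, det.lon, fix.lat, fix.lon)
        if d <= gate and (best is None or d < best[0]):
            best = (d, fix.tracker_id)
    return ("SUPPRESS", best[1]) if best else ("ALARM", None)

# Constructed sample data (not from the article).
FIXES = [Fix("guard-1", 100.0, 33.00000, -112.00000, 1.5, 3.0)]
FUSED = {"cam-north", "radar-1"}
DETECTIONS = {
    "guard on tour":   Detection("cam-north", 101.0, 33.00004, -112.0, 2.0),
    "unknown walker":  Detection("cam-north", 101.0, 33.00030, -112.0, 2.0),
    "no coverage":     Detection("fence-east", 101.0, 33.00000, -112.0, 2.0),
    "stale fix":       Detection("cam-north", 120.0, 33.00000, -112.0, 2.0),
    "far-range radar": Detection("radar-1", 101.0, 33.00010, -112.0, 20.0),
}

def run_samples():
    return {name: assess(d, FIXES, FUSED) for name, d in DETECTIONS.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:16s} {verdict}")
```

Only the first sample is suppressed; every case where coverage, timing or resolution prevents a confident match still raises the alarm, so a degraded tracking feed cannot silence the intrusion sensors.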


    Eric Olson is vice president of Marketing at PureTech Systems.

    Steven Pisciotta is president of Remote Tracking Systems.