5 research outputs found

    Nation-Building Modeling and Resource Allocation Via Dynamic Programming

    Dynamic programming is used in many military and industrial applications to solve sequential decision making problems. This research proposes the development of a model and approach to address the application of dynamic programming in nation-building modeling. Through the creation of component indices to capture the state of operational variables: Political, Military, Economic, Social, Infrastructure, and Information (PMESII), a functional form of a system of differential equations is developed to account for the interactions between the state indices and instruments of national power: Diplomatic, Informational, Military, and Economic (DIME). Solving this problem with dynamic programming provides an improved sequence which describes the application of DIME in a manner that minimizes an objective (i.e. cost, time) and allows the model to account for external factors such as an insurgent reaction to US policy. An application of the model is derived for Iraq to demonstrate the utility of the model and explore various aspects of the solution space. This modeling approach offers a potentially significant capability when analyzing and planning for nation-building operations.

    Understanding the Instruments of National Power through a System of Differential Equations in a Counterinsurgency

    Models that account for the progression of nation-building and the impacts of the instruments of national power -- Diplomacy, Informational, Military, and Economic effects -- are rare. This research proposes the development of such a model. Through the derivation of state indices for the operational variables of Political, Military, Economic, Social, Infrastructure, and Information, a functional form of a system of differential equations is developed to account for the interactions between the state indices and instruments of national power. This methodology is a mean-field inverse problem which solves for the coefficients of the differential equations in a data-driven manner. Publicly available data are used to develop the indices and describe the instruments of national power. Applying mean-field theory allows the differential equations to be solved through a nonlinear program that derives minimum error-producing coefficients. An application of the model is derived for Operation Iraqi Freedom to demonstrate the utility as well as the effects of various alternate strategies, using the dynamics captured in the model. This modeling approach offers a potentially significant capability for analyzing and planning future Stabilization, Security, Transition, and Reconstruction Operations (SSTRO).

    Cyber Anomaly Detection: Using Tabulated Vectors and Embedded Analytics for Efficient Data Mining

    Firewalls, especially at large organizations, process high velocity internet traffic and flag suspicious events and activities. Flagged events can be benign, such as misconfigured routers, or malignant, such as a hacker trying to gain access to a specific computer. Confounding this is that flagged events are not always obvious in their danger and the high velocity nature of the problem. Current work in firewall log analysis is manually intensive and involves manpower hours to find events to investigate. This is predominantly achieved by manually sorting firewall and intrusion detection/prevention system log data. This work aims to improve the ability of analysts to find events for cyber forensics analysis. A tabulated vector approach is proposed to create meaningful state vectors from time-oriented blocks. Multivariate and graphical analysis is then used to analyze state vectors in a human–machine collaborative interface. Statistical tools, such as the Mahalanobis distance, factor analysis, and histogram matrices, are employed for outlier detection. This research also introduces the breakdown distance heuristic as a decomposition of the Mahalanobis distance, by indicating which variables contributed most to its value. This work further explores the application of the tabulated vector approach methodology on collected firewall logs. Lastly, the analytic methodologies employed are integrated into embedded analytic tools so that cyber analysts on the front-line can efficiently deploy the anomaly detection capabilities.

    anomalyDetection: Implementation of Augmented Network Log Anomaly Detection Procedures

    As the number of cyber-attacks continues to grow on a daily basis, so does the delay in threat detection. For instance, in 2015, the Office of Personnel Management discovered that approximately 21.5 million individual records of Federal employees and contractors had been stolen. On average, the time between an attack and its discovery is more than 200 days. In the case of the OPM breach, the attack had been going on for almost a year. Currently, cyber analysts inspect numerous potential incidents on a daily basis, but have neither the time nor the resources available to perform such a task. anomalyDetection aims to curtail the time frame in which anomalous cyber activities go unnoticed and to aid in the efficient discovery of these anomalous transactions among the millions of daily logged events by i) providing an efficient means for pre-processing and aggregating cyber data for analysis by employing a tabular vector transformation and handling multicollinearity concerns; ii) offering numerous built-in multivariate statistical functions such as Mahalanobis distance, factor analysis, and principal components analysis to identify anomalous activity; and iii) incorporating the pipe operator (%>%) to allow it to work well in the tidyverse workflow. Combined, anomalyDetection offers cyber analysts an efficient and simplified approach to break up network events into time-segment blocks and identify periods associated with suspected anomalies for further evaluation.