

Concepts for Next Generation Threat Assessment and Knowledge Management for Intelligence, Defense, and Homeland Security (Feb 11)
Dave Lush, SME Aha! Analytics
Aha! Analytics, 2278 Baldwin Drive, Phone: (937) 477-2983, FAX: (866) 450-3812
This Briefing is: UNCLASSIFIED

Contents
- Purpose
- Scope
- Current Problems
- Statement of the Need
- A Vision of Next Generation Threat Assessment and KM
- Implications & Features of Next Gen Threat Assessment and KM
- Key Concepts for Model Driven Threat Assessment
- Semantic Apps/Technologies Primer
- Notional Top Level System Diagram
- The Key Features/Technologies Revisited
- Summary/Conclusions

Purpose(s)
To Communicate Some Ideas/Concepts Regarding Next Generation Threat Assessment and Threat Knowledge Representation/Applications for Intelligence, Defense, and Homeland Security

Current Threat Assessment and KM Problems
- Lack of Automatic Extraction/Staging of Structured Knowledge From INT Sources
  - INT Source Exploitation Results Not Optimally Expressed for Immediate Incorporation of Relevant Knowledge Into the Threat Assessment Process
  - Useful Automatic Extraction Capabilities Exist But Are Not Being Systematically Leveraged
- Threat Analysis/Assessment Ideas/Concepts Not Sufficiently Externalized and Shared During the Threat Assessment Process
  - Collaboration and Peer Review Hampered by Lack of Externalized Conceptual Model(s) of the Threat to Facilitate Focus of the Group
  - Collaborative Assessment and Peer Review Is Hampered by Lack of Linked Annotation Capability Which Enables Linking of Annotations and Comments to Designated or Highlighted Excerpts in Sources, Work Products and to Other Annotations/Comments
  - End Product Is Usually the First Focus of Collaborative Review
  - Final Assessments Not Benefitting from Positive Impacts of Creating and Vetting Conceptual Models and Other Supporting Artifacts (e.g. key assumptions, key arguments, key references, etc) Throughout the Assessment Process

Current Threat Assessment and KM Problems (cont)
- Externalized Threat Knowledge Not Optimally Expressed
  - Current Intel Tend to Consist of Text with Embedded Structured Info (e.g. tables)
  - Quite Sub-Optimal for Discovery and Extraction of Specific Relevant Knowledge Regarding the Threat
  - Not Sufficiently “Operationalized”; Must Be Read by Humans and Then Reconstituted in Digital Form
  - Wiki-based Capabilities Good for Collaboration But Not Good for Capture/Management/Repurposing of Knowledge of the Threat
- Currency and Consistency of Threat Knowledge Are Still Issues
  - “One-Off” Intel Products Represent Serious Risks in Terms of Consistency and Currency
  - Updating Assessments and Derived Products Remains a Problem

Statement of Core Need Regarding Threat Data, Info, Knowledge
- National Security Players (including machines) Need Specific, Relevant, Current, Complete, Accurate, and Timely Intelligence That Is Immediately Applicable or Actionable at the Point of Receipt
- In Order To Enable This, We Must Solve The Problems Cited Previously In This Briefing

A Vision for the Next Gen Threat Assessment and KM Paradigm
- A team of analysts is working in a collaborative thinking environment (CTE) that is prepped/seeded with relevant INT source knowledge expressed in machine readable semantic form. These artifacts are stored/managed in a knowledge base construct for the threat assessment project at hand.
- The team members review the INT source knowledge objects and highlight, annotate, and link relevant pieces of knowledge in those objects. The members also review the linked annotations and make commentary accordingly. As a result the environment has externalized/captured the relevant knowledge in the source objects and the relevant knowledge in the heads of the team members in context of the threat assessment problem at hand. Again, this knowledge is captured/managed in the threat assessment project’s knowledge base.
- The team employs structured analysis techniques (a la Structured Analysis Techniques, Heuer and Pherson).
- Then, much like a systems engineering team would do, the team, using the appropriate tools, collectively produces standard intermediate artifacts that are in part distilled out of the collaborative knowledge “soup” (the linked annotations) from the collaborative thinking environment. These artifacts go into the project’s knowledge base.
- The core artifact is the conceptual threat system model (threat system ontology) which provides focus of the threat assessment effort and the framework for structured expression of the threat. This implies the use of a new kind of authoring tool for the expression of highly structured threat knowledge as detailed conceptual models and instantiations of the threat.
- The team members use the collaborative thinking environment and its linked annotation capability cited above to review and annotate the intermediate artifacts with emphasis on the core threat model in order to facilitate collaboration and vetting.
- The project knowledgebase captures all of the artifacts generated.

Vision (continued)
- Ultimately the team creates a model based threat characterization which is basically an instantiation of the threat model with the data and analysis results that have ensued. In other words, the team “hangs” the INT data and analysis results “onto” the model and imparts it to the knowledgebase.
- Using the new authoring tool cited above, the team finalizes the other parts of the overall threat assessment (which is not limited to the instantiated model) in accordance with a standard framework or conceptual model for a threat assessment. The other components of the overall threat assessment include: summary of intelligence requirement(s), key assumptions, INT source descriptions, major findings, justifications of findings, etc.
- As the threat assessment ensues and even after it is “published”, relevant facts that become available are captured by the authoring tool cited above and included in the knowledge base for the assessment.
- At this juncture all relevant threat assessment knowledge is contained in the threat assessment knowledge base and expressed via machine readable semantics and includes:
  - Relevant INT source objects and extracted knowledge;
  - The entire audit trail of linked annotations/comments from the threat assessment process;
  - The threat model and its instantiation via data and analysis results;
  - The threat assessment and its components;
  - Relevant facts that have become known.
- Now, intelligence clients who have differing requirements access the intelligence portal and constituent portlets/services that query/search, reason, and/or manipulate/compute across the knowledge bases, and extract/package the threat knowledge that is relevant to their needs and in fact as immediately applicable to client needs as is possible.

Implications in Terms of Major Knowledge Process, Management, and Sharing Requirements:
- Relevant INT Source Knowledge Must Either Be Expressed In A More Suitable Form For Consumption By The Threat Assessment Process And/Or Be Automatically Extracted And Inserted Into The Threat Assessment Environment In a More Structured Form.
- Collaborating Analysts Must Be Able to Highlight and Annotate Source and Intermediate Work Artifacts and Capture/Manage Annotations and Linkages to the Highlighted Excerpts
- Intelligence, DoD, and DHS Elements Must Create, Capture, and Manage Complete Digital Characterizations of Simple and Complex Threat Objects, Situations, and Associated Objects/Concepts (e.g. weapon systems, terrorist threats, country military capabilities, etc)

Implications (cont):
- Must Create/Capture These Characterizations With Requisite Structure, Detail, and Data Types to Readily Support All Client Missions
- Must Capture and Manage the Threat Knowledge In Product Neutral Form So It Can Serve As the Single Source and Be Readily Repurposed (Single Source, Multi-channel)
- Must Provide for Optimal Query/Search and Reasoning Across the Threat Knowledge Captured
- Must Provide for Portal Based or Service Based Applications Which Query/Search, Reason, and/or Manipulate the Product Neutral Threat Knowledge to Derive/Deliver the Required Intelligence Products

Key Features of Next Generation Threat Assessment and Knowledge Management
- Threat Assessment Is Supported Via Up-Front Automated Knowledge Extraction from INT Sources
- Threat Assessment & Production Is Supported by a Collaborative Thinking Environment
  - Rich Collaborative Linked Annotation Capability (e.g. HyLighter)
- More Structured, Productive, Focused, Manageable, and Expressive Assessment Process
  - Application of Structured Analysis Techniques (a la Structured Analytic Techniques, Heuer and Pherson)
  - Intermediate Assessment Artifacts and Work Products
  - Externalized Conceptual Models of the Threat Having Requisite Detail and Structure
  - Rich Set of Linked Annotations/Comments
- Threat Models Are the Core Assessment Artifact and Drive Highly Structured, Single, Digital Instantiation of the Core Threat Assessment
  - Instantiated Threat Model Is Packaged in the Structured Digital Threat Assessment Having Supporting Info/Knowledge
  - Related Intelligence “Facts” Captured on a Continuous Basis and Included in the Threat Assessment Structure

Key Features (continued)
- Each Threat Assessment Project Has a Knowledge Base Which Captures All Intermediate and Final Artifacts of the Assessment
- New Threat Knowledge Representation/Expression Tools
  - Conceptual Modeling and Structured Semantics Authoring Tools
  - Structured Threat Model Expression i.e. text is inserted into overall threat model structure vs traditional approach of inserting structure into text
- Single Source, Multi-Channel Publishing Paradigm
  - Tailored Products “Spun” from the Single Source of Structured Digital Threat Knowledge Included in the Threat Assessment, Threat System Instantiation, and Associated Facts
- Application of Semantic Technologies
  - Threat Knowledge Expressed Via Standard Semantic Languages i.e. RDF(S) and OWL
  - Semantic Expression of the Threat Knowledge Enables Semantic Query and Inferencing

Collaborative Model Driven Assessment
- Driven by INT Derived Knowledge, Collaborative Discourse, and Capture of Linked Annotations and Commentary In Order to Develop, Evolve, and Refine an Emerging Conceptual Model of the Threat
- Overall Threat Assessment Employs Structured Analysis Techniques and Is Assembled IAW Its Own Conceptual Model or Template and Includes Instantiated Threat Model and Other Supporting Artifacts
- The Instantiated Threat Model and Threat Assessment Templates Facilitate Structured Threat Representations (e.g. via semantic languages) Which in Turn Facilitate Provisioning of Operationalized Intelligence at the Point of Need/Use
- These Threat Representations Enable the Single Source, Multiple Channel Product Paradigm.

Artifacts of a Threat Assessment
- Statement of Client Requirements and/or Purposes/Objectives of the Assessment
- Related Key Intelligence Questions
- Basic Assumptions and Constraints
- Citation of Sources, Linked Annotations, and Comments
- Key Findings
- Key Arguments
- The Instantiated Threat Model
- Highly Relevant Intelligence Facts (since posting last assessment or assessment update)

Concept Map for Next Generation Threat Assessment and KM
[Figure: concept map, not reproduced in this transcript]

Knowledge Creation and Conversion (Nonaka & Takeuchi 1995)
Nonaka and Takeuchi cite 2 states of knowledge and 5 knowledge processes.
Knowledge has 2 states:
- Internal
- External
There are 5 knowledge processes:
- Creation
- Externalization (int to ext)
- Internalization (ext to int)
- Socialization (int to int)
- Combination (ext to ext)
[Diagram labels: Externalized Knowledge; Automated Process; creation; socialization; externalization; internalization; combination]

Our Generic Problem (involves all core knowledge creation and transfer processes)
[Diagram labels: Externalized Source Knowledge; Linked Annotations; Externalized Target Knowledge; creation; internalization; externalization; socialization]

Traditional Problems
- This Is Not a New Problem
- But, Current Tools Do Not Have Requisite Features to Properly Facilitate the Knowledge Processes Involved e.g.
  - Way Too Cumbersome!
  - Don’t Support Multiple Object Types (MS Office, Images, Diagrams, RDF/OWL)
  - Don’t Support Fragment Level Highlighting and Annotation
  - Don’t Support Annotation Level Commentary and Commentary Level Commentary
  - Don’t Persist Linked Annotations So That They Readily Support Browsing, Organizing, Search, Re-use (e.g. as references), etc
  - Don’t Have Requisite Scalability

Basic Solution Concepts for the Generic Problem
- Source Knowledge Objects
  - A Source of Knowledge to Be Captured
  - Consist of Multiple Knowledge Fragments/Nuggets/Excerpts
- Humans
  - Also a Source of Knowledge to Be Captured
  - Detect, Designate, Highlight Fragments of Interest in Source Objects
  - Provide Annotation About Fragments and Commentary About Annotations and Other Commentary; These Are Called Linked Annotations or Linked Comments
- Linked Annotation or Commentary
  - ID of Source Object, Annotation, or Comment
  - ID of the Reviewer/Annotator
  - Designated (Highlighted) Object Fragment, Annotation, or Comment
  - The Annotation or Comment
  - URL for the Preceding Composite

Basic Concepts: Linked Annotation
[Figure: not reproduced in this transcript]

The Basic CONOPS
Collaborative Linked Annotation Platform:
- Collaborative Concurrent Review, Highlighting, and Annotation
- Linked Commentary on Existing Annotations and Comments
- Tagging of Linked Annotations and Comments With URLs
- Capture, Browse, Search, Share, Re-use Linked Annotation Knowledge
- Insertion of Selected Annotation URLs into the Final Work Product
[Diagram labels: Knowledge Worker; Source Knowledge Objects and Highlighted Excerpts; Linked Annotations and Comments; Knowledge Worker; Target Knowledge Objects With URLs to Annotations and Excerpts; Target Object (e.g. a conceptual model)]

Ontology Based Intel Analysis & Threat Characterization: Externalizing Conceptual Models
A Major Challenge of the New Intel Analyst Tradecraft Is to Externalize and Formalize The Analysts’ Conceptual Models to Become Machine Readable Ontologies or Information Models Which Can “Drive” Intel Knowledge Mgt and Virtual Production
Figure 6: Externalizing Conceptual Models
[Diagram labels: ANALYST; Incoming Observations and Data; Cognitive and Ontology Development Processes; CONCEPTUAL MODEL; ONTOLOGY DEVELOPMENT METHODOLOGIES AND TOOL(S); EXTERNALIZED MACHINE READABLE INFORMATION MODELS OR ONTOLOGIES]

Some Definitions/Observations
- What’s an Ontology?: In general, an ontology is a “specification of a conceptualization”. More specifically, an ontology is an externalized conceptual model of a piece of reality of interest expressed in terms of concepts, relationships between concepts, and associated properties of concepts.
- Ontologies and Associated Semantic Artifacts Expressed in the Appropriate Machine Readable Language Enable Computer Applications to Leverage Semantics e.g.
  - Semantically Enriched Query
  - Data Integration at the Semantic Level
  - Operationalized Intelligence Via Ontologies of the Threat and Application of Customer Specific Rules

Ontology Concepts
[Figure: not reproduced in this transcript]

Structured Threat Assessment
- Assessment (Characterization) of the Threat Using Structured Analysis Techniques and Thus Systematically Externalizing Key Thoughts and Concepts Throughout the Process to Include a Continuously Evolving and Refined Conceptual Model of the Threat Viewed As a System.
- The Conceptual Model Is Expressed As a Detailed Concept Map Which Ultimately Results in Creation of a Threat Ontology
- The Threat Ontology Enables Capture of the Threat Assessment in Structured Machine Readable Form Enabling Semantic Query and Reasoning

Structured Threat Assessment
[Diagram labels: Structured Threat Assessment; Key Intelligence Questions; Conceptual Model; Key Findings; Key Assumptions; Source Citations, Excerpts, & Annotations; Instantiated Conceptual Model; Hypotheses Considered & Arguments]


Conceptual Model of the Threat (the SysML Template)
[Diagram labels: Conceptual Model of the Threat; Purposes; Capabilities; Vulnerabilities; Structure (structural models); Parametrics (physics/math); Behavior (behavioral models); Signatures]

The Threat Model and Its Instantiation
Figure 2: Instantiation of the Conceptual Model
[Diagram labels:
- Conceptual Model of the Threat: Purposes; Capabilities; Vulnerabilities; Structure; Parametrics; Signatures; Behavior
- Threat Model Instantiation: Source Data & Engineering Models & Other Tools; Assumptions & Constraints; Arguments & Rationales
- Instantiated Model of the Threat: Structure; Key Findings (Purposes, Capabilities, Vulnerabilities); Parametrics; Behavior; Signatures]

SysML consistent generic concept map for a threat system
SysML is OMG system modeling language built upon UML
Figure 1a: C-map of a Conceptual Model of the Threat
[Figure: concept map, not reproduced in this transcript]

Model Driven Analysis & Knowledge Capture
A core element of a threat assessment is the conceptual model of the threat. The model is “instantiated” with data and metadata derived from the source INT data and results of analysis of that data. The instantiated model is used to ascertain key facts and assertions regarding the nature of the threat.
A Major Challenge of the New Intel Analyst Tradecraft Is to Externalize and Formalize The Analysts’ Conceptual Models to Become Machine Readable Ontologies or Information Models Which Can “Drive” Intel Knowledge Mgt and Virtual Production
[Diagram labels: ANALYST; Collaboration and Peer Review; ANALYST; INTERNALIZED CONCEPTUAL MODEL; Cognitive and Conceptual Model Development Processes; Incoming Observations and Data; ANALYST; CONCEPTUAL MODEL DEV METHODOLOGIES AND TOOL(S); ANALYSIS AND CONCEPTUAL MODEL INSTANTIATION METHODS/TOOL(S); Linked Annotations and Commentary; Threat Knowledge Base
- Conceptual Model (Ontology) & Instantiation: Structure; Behavior; Parametrics; Capabilities; Signatures
- Structured Threat Assessment: Key Intelligence Questions; Key Assumptions; Sources, Annotations, Links to Excerpts; Conceptual Model; Instantiated Conceptual Model; Arguments/Rationales]

Ever Increasing Structure
[Diagram labels, from less structure to more structure: Data Exploitation & Knowledge Extraction; Exploited Data & Extracted Knowledge; Analysis & Assessment; Analysis Results; Conceptual Modeling & Knowledge Capture; Structured Labeled Threat Knowledge; Digital Production & Dissemination; Dynamic Products & Portlets]
Key Observations:
- The knowledge extraction processes extract structured knowledge from unstructured input streams.
- The knowledge capture processes capture structured knowledge that results from analysis/assessment.
- The more our knowledge of the threat is captured and managed in highly structured and labeled form the more flexibility and nimbleness we have when it comes to getting the knowledge to the right customer at the right time and in the right form.
- So, it would behoove us to cause our knowledge of the threat to become more and more structured as we move from exploitation and knowledge extraction, through analysis/assessment, to knowledge capture and management.
- Unstructured textual information must be accommodated in the resultant threat knowledge but it should be present within the context of an appropriately conceived and structured information model.

Semantic Applications
- Semantic Applications Leverage/Apply Machine Readable Semantics and Semantic Technologies to Satisfy Their Requirements
- The Core Constructs for Semantic Technologies/Applications Are the Semantic Triple, Relationship Graph, Taxonomy, and Ontology
- Semantic Applications Use Machine Readable Relationship Graphs, Taxonomies, and Ontologies to Express and Leverage Relevant Semantics
- Semantics Are Expressed As Subject-Predicate-Property (Object) Triples Using RDF or As Classes/Instances and Associated Relationships and Attributes Using OWL which is an expansion of RDF.
- RDF and OWL Are Ultimately XML-based Languages
- RDF Triples (Facts or Assertions) and OWL Ontologies Are Captured and Managed Via RDF Triple Store Capability (e.g. Oracle 11g Spatial)
- RDF and OWL Databases Are Queried Via SPARQL Protocol and RDF Query Language (SPARQL)

The Core Semantic Technologies
- Collaborative Thinking Environment & Semantic Annotation Tools
- Concept Modeling Tools (e.g. IHMC C-Map)
- Graphs/Taxonomy/Ontology Constructs
- RDF Language for Expressing Machine Readable Graphs/Taxonomies
- OWL Language for Expressing Machine Readable Ontologies
- Authoring/Editing Tools for RDF/OWL (e.g. Top Braid Composer)
- RDF Triple Store (e.g. Oracle 11g Spatial, AllegroGraph)
- Semantic Query (SPARQL)
- Rules and Inferencing e.g. SPARQL Inferencing Notation (SPIN)
- Semantic Applications Frameworks, Platforms e.g. Java Jena, the Top Braid suite
- RDF (Entity/Relationship) Extraction

Threat Ontology, Intel Facts, and the SPIN Stack
- This Is About Application of Semantic Technologies to Threat Assessment, Capture, and Application (Query and Inferencing)
  - RDF, RDF Triple Extraction/Management, Web Ontology Language (OWL), SPARQL Protocol and RDF Query Language (SPARQL), and SPARQL Inferencing Notation (SPIN)
- The Basic Process
  - Capture Threat Assessments Via Ontologies Expressed in OWL
  - Facilitate Ontology Population Via RDF Extraction from Traditional Intel Documents and Export From RDBMS Data Bases
  - Capture/Store/Manage Simple Intelligence Facts Via RDF and RDF Triple Store
  - Deploy and Apply the SPARQL Inferencing Notation (SPIN) Technology Stack
  - Execute SPARQL Queries and Inferences Against the Threat Ontology and the Related Intelligence Facts Using the SPIN Stack
- The Basic Benefits
  - Threat Is Precisely Defined in Machine Readable Form Via Open Standards
  - Threat Knowledge Easily Queried and Navigated to Acquire Specific Threat Knowledge
  - Threat Characterization Combined with Intelligence Facts When Processed by SPIN Can Yield Implicit or Intrinsic Knowledge Not Readily Apparent
  - Ontology Based Threat Assessments, SPARQL, and SPIN Enable Machine to Machine Intel Support to Ops
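
The basic process on this slide, reduced to a runnable sketch (an added example, not part of the briefing): a small ontology and a few facts held as subject-predicate-object triples, a conjunctive pattern query standing in for SPARQL, and forward-chained rules standing in for SPIN. It is plain Python rather than an RDF library, and every `ex:` name, the sample facts and the client rule are constructed for illustration.

```python
"""Triples, pattern query and rule inferencing over a toy threat knowledge base.

Plain-Python stand-in for an RDF triple store, SPARQL and SPIN rules.
All ex: names, facts and rules below are constructed for illustration.
"""

ONTOLOGY = {  # class hierarchy of the threat model (constructed)
    ("ex:MobileRadar", "rdfs:subClassOf", "ex:SensorSystem"),
    ("ex:SensorSystem", "rdfs:subClassOf", "ex:ThreatSystem"),
}
FACTS = {  # simple intelligence facts (constructed)
    ("ex:unit7", "rdf:type", "ex:MobileRadar"),
    ("ex:unit7", "ex:hasCapability", "ex:lowAltitudeDetection"),
    ("ex:unit7", "ex:locatedIn", "ex:sectorB"),
    ("ex:lowAltitudeDetection", "ex:counters", "ex:LowFlyingAircraft"),
}
RULES = [  # (body patterns, head template); terms starting with "?" are variables
    # Subclass relation is transitive.
    ([("?a", "rdfs:subClassOf", "?b"), ("?b", "rdfs:subClassOf", "?c")],
     ("?a", "rdfs:subClassOf", "?c")),
    # An instance of a class is an instance of its superclasses.
    ([("?x", "rdf:type", "?c"), ("?c", "rdfs:subClassOf", "?d")],
     ("?x", "rdf:type", "?d")),
    # Hypothetical client-specific rule: where a threat system sits, the
    # assets its capabilities counter are at risk.
    ([("?s", "rdf:type", "ex:ThreatSystem"), ("?s", "ex:hasCapability", "?cap"),
      ("?cap", "ex:counters", "?asset"), ("?s", "ex:locatedIn", "?area")],
     ("?area", "ex:hazardousFor", "?asset")),
]


def is_var(term):
    return term.startswith("?")


def match(pattern, triple, binding):
    """Unify one pattern with one triple; return extended bindings or None."""
    new = dict(binding)
    for p_term, t_term in zip(pattern, triple):
        if is_var(p_term):
            if new.setdefault(p_term, t_term) != t_term:
                return None  # variable already bound to something else
        elif p_term != t_term:
            return None
    return new


def query(store, patterns):
    """Conjunctive query (a basic graph pattern): list of variable bindings."""
    bindings = [{}]
    for pattern in patterns:
        bindings = [b2 for b in bindings for t in store
                    if (b2 := match(pattern, t, b)) is not None]
    return bindings


def infer(store, rules):
    """Apply the rules repeatedly until no new triple is produced."""
    closed = set(store)
    changed = True
    while changed:
        changed = False
        for body, head in rules:
            for b in query(closed, body):
                triple = tuple(b.get(term, term) for term in head)
                if triple not in closed:
                    closed.add(triple)
                    changed = True
    return closed


def threat_systems(store):
    """Who is known to be a threat system in this store?"""
    return sorted(b["?s"] for b in query(store, [("?s", "rdf:type", "ex:ThreatSystem")]))


if __name__ == "__main__":
    asserted = ONTOLOGY | FACTS
    kb = infer(asserted, RULES)
    print("asserted only:", threat_systems(asserted))
    print("after rules:  ", threat_systems(kb))
    for triple in sorted(kb - asserted):
        print("inferred:", triple)
```

The asserted triples never say that `ex:unit7` is a threat system or that `ex:sectorB` is hazardous for anything; both appear only after the rules run, which is the "implicit knowledge" benefit the slide lists.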


Next Generation Threat Assessment and KM
Figure 3: SPINing Threat Ontologies
These stores collectively constitute operationalized intelligence
[Diagram labels: machine to machine; Intel Application In Operational Context; Acquire & Mediate Threat Knowledge (SPARQL, XSLT); Policy Maker Client; Ops Client; SAVANT KB Sources; Threat Ontology KB (RDF/OWL); Intel Fact KB (RDF); SPIN Stack (RDF), SPARQL Inferencing Notation (SPIN) Rules for Inferencing; Conduct Collaborative Threat Assessment; Develop Threat Ontology; Capture Intelligence Facts; Modify & Extend SPIN Stack; Collaborative Threat Assessment Environment; Linked Annotation Capability; Threat Assessment KB; SAVANT Assessment Artifacts KB (e.g. Linked Annotations, Conceptual Model(s)); Analysts; Knowledge Engineer]

Key Features Revisited
- Collaborative Thinking Environment
  - Collaborative Annotation, Linking, and Sharing Environment (e.g. HyLighter (www.hylighter.com))
  - Structured Analysis Techniques (Heuer and Pherson)
- Ontology Driven Threat Assessment (ODTA)
  - Formulation and Constant Refinement of Conceptual Model of the Threat Under Study Is at Center of the Assessment
  - Conceptual Models Expressed Graphically and Also in Appropriate Semantic Language (e.g. IHMC’s CMap COE suite http://coe.ihmc.us/groups/coe/)
  - Perhaps Based on Top Level System Model (SysML) Proposed by OMG (http://www.omgsysml.org/)
- Ontology Based Threat Representation
  - Threat Entity Is Specified With an Ontology Expressed in OWL
  - Ontology Authored Via Graphical Ontology Authoring/Editing Tool (e.g. Top Braid Composer http://www.topquadrant.com/)
- Capture/Management of Threat Assessment and Simple Intelligence Facts
  - Threat Assessment Captured As an Ontology (expressed in OWL)
  - Facts Captured As RDF Triples (Subject-Predicate-Object)
  - Managed Via RDF Triple Store (e.g. Oracle Semantic Technologies for Data Management http://www.oracle.com/technetwork/database/options/semantic-tech/semtech11gr2-featover-131765.pdf)
- Semantic Query and Inferencing
  - Application of SPARQL and SPARQL Inferencing Notation (SPIN) (http://spinrdf.org/) Enables Powerful Query and Inferencing Against the Threat Ontologies and Intelligence Facts Via Semantic Applications (e.g. see Top Quadrant Semantic Suite www.topquadrant.com)

The Key Technologies Revisited
- Collaborative Linked Annotation
- Concept Mapping, System Modeling, Ontology Development Tools
- XML, RDF/RDFS, OWL
- RDF Triple Store
- SPARQL Protocol and RDF Query Language (SPARQL)
- SPARQL Inferencing Notation (SPIN)
- Semantic Application Development Platform (e.g. Top Braid)

Summary of Next Gen Threat Assessment
- Threat Assessment Using Structured Analysis Techniques Is Accomplished in a Collaborative Thinking Environment That Provides for Collaborative Linked Annotation; This Environment Is Initialized with Linked Annotations Automatically Extracted from INT Sources/Products
- Externalized Conceptual Models of the Threat Are at the Core of the Threat Assessment. This Becomes Core Principle of Analyst Tradecraft
- Threat Concepts Are Ultimately Expressed As Ontologies and Supporting Assertions/Facts Using RDF and OWL and Appropriate Authoring/Editing Tools
- Single Source, Multiple Channel Intelligence Acquisition/Delivery Is the Rule
- Semantic Technologies Are Applied To Semantic Threat Expression, Development Of Client And Intel Domain Specific Rules, And Semantic Query And Inferencing.
- Requires a Paradigm Shift and Development of New Analyst Competencies/Skills in Conceptual Modeling and Ontology Development
- Several Very Important Benefits
  - Threat Knowledge Creation, Capture, Sharing Is Greatly Facilitated Via Collaborative Thinking and Linked Annotation
  - Development/Refinement of Externalized Conceptual Model of the Threat Throughout the Assessment Facilitates Communication, Collaboration, Vetting, Completeness, Accuracy, Clarity, etc.
  - Threat Is Represented Via Highly Structured, Standards Based, Product Neutral, Machine Readable Semantic Languages Which Can Be Readily Queried and Which Can Drive Inferencing; Enables the Rapid Acquisition of Specific Knowledge Chunks/Facts
  - Expression Of The Threat As Ontologies Via Semantic Languages Enables The Immediate Linking Of New Facts/Knowledge Or Even Entire Threat Ontologies So As To Enable Query And Inferencing Across Larger And Larger Knowledge Sets.

Conclusions
- The Time Has Come to Execute Threat Assessment in a Collaborative Thinking Environment Which Enables Collaborative Linked Annotation:
  - Annotation of Designated Excerpts of Source Artifacts
  - Sharing and Capture of the Annotations and Associated Excerpts
- The Time Has Come to Standardize Threat Analysis/Assessment Around the Creation and Refinement of Externalized Conceptual Models of the Threat Under Study
- The Time Has Come to Apply Semantic Technologies to Threat Assessment, Threat Knowledge Representation, and Associated Applications
  - Threat Knowledge Can Be Represented in Machine Readable Form Enabling Powerful Query, Inferencing, and Mediation Capabilities and Basically Operationalizing Intelligence
  - The Same Technologies Can Also Be Used in AFISRC2 Applications Using Threat and ISRC2 Ontologies
