Risk Metrics for Cyber Inference Assessment

Date post: 18-Aug-2020
Copyright © 2014 Raytheon Company. All rights reserved. Customer Success Is Our Mission is a registered trademark of Raytheon Company. Risk Metrics for Cyber Inference Assessment Dr. Kenric P. Nelson Raytheon Company Sr. Principal Systems Engineer November 12, 2014
Transcript

Page 2

What is the average uncertainty?

[Figure: Probability of Attack Phases (vertical axis, 0.00 to 0.30) versus Attack Phases (horizontal axis, 1 to 10)]

Given measurements regarding the phases of an attack, what is the average probability of the attack’s progression?

Attack phases might include scanning, enumeration, access, pilfering, etc.

11/12/2014 2 KPN Cyber Metrics

Page 3

Outline

Average Uncertainty: Making info metrics intuitive

Assessing threat models: Problems with Scoring Rules
– Lack of clarity regarding which rules are appropriate
– Information theoretic rule – logarithmic rule – is very sensitive
– Results are unintuitive – what is entropy? How does it relate to uncertainty?

The Risk Profile
– Spectrum of algorithm performance relative to degree of risk tolerance
– Originates from and encapsulates Tsallis entropy – information for nonlinear systems
– Example analysis for classification systems

Conclusion & Suggested Applications

Page 4

What is the average uncertainty?

Arithmetic mean: seems intuitive but incorrect

[Figure: Probability of Attack Phase (vertical axis, 0.00 to 0.30) versus Attack Phases (horizontal axis, 1 to 10)]

Not the arithmetic mean, $\sum_i \frac{1}{N} p_i = \frac{1}{N}$;

Nor the weighted mean, $\sum_i p_i \, p_i = \sum_i p_i^2$

Page 5

What is the average uncertainty of threats?

Information theory: accurate but unintuitive

[Figure: vertical axis "Entropy" (0.00 to 10.00) versus phases 1 to 10; label $-\ln p_i$]

$-\sum_i p_i \ln p_i$

Often interpreted as a length in natural bits (nats), but how does this relate to the original probabilities?

Page 6

The average uncertainty: An intuitive approach to information theory

Translation to probability scale is $e^{-\text{Entropy Function}}$

Info-Metric | Entropy Scale | Probability Scale
Entropy | $-\sum_i p_i \ln p_i$ | $\prod_i p_i^{p_i}$
Divergence | $-\sum_i p_i \ln \frac{q_i}{p_i}$ | $\prod_i \left(\frac{q_i}{p_i}\right)^{p_i}$
Cross-Entropy | $-\sum_i p_i \ln q_i$ | $\prod_i q_i^{p_i}$

All information theoretic analysis can be translated from entropy to an average probability

Page 7

Information metrics as Probabilities

Info-Metric | Entropy Scale | Probability Scale
Entropy | $-\sum_i p_i \ln p_i$ | $\prod_i p_i^{p_i}$
Divergence | $-\sum_i p_i \ln \frac{q_i}{p_i}$ | $\prod_i \left(\frac{q_i}{p_i}\right)^{p_i}$
Cross-Entropy | $-\sum_i p_i \ln q_i$ | $\prod_i q_i^{p_i}$

Information gain = reduction in Shannon entropy

Equivalently Shannon teaches the average probability

Information gain = increase in average probability

Page 8

What is the average uncertainty of threats?

The Weighted Geometric Mean !!

$\prod_i p_i^{p_i}$

[Figure: Probability of Attack Phase (vertical axis, 0.00 to 0.30) versus Attack Phase (horizontal axis, 1 to 10)]

Power and accuracy of information theory

Simplicity & intuition of average probability

Page 9

Interpreting $\prod_i p_i^{p_i}$

[Figure: values for phases 1 to 10 on a vertical axis from 0.00 to 1.00; annotations: 0.15, 0.10, Min, Max]

$p_i^{p_i}$: Represents probability of each event $p_i$ occurring $p_i$ times

$\prod_i p_i^{p_i}$: Product is all events occurring a total of once; i.e. average
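The translation from the entropy scale to the probability scale on the preceding slides, as an added Python example that is not part of the original presentation. The phase probabilities and the uniform model are constructed sample values, not read from the slide's chart, and the function names are illustrative.

```python
import math

def entropy(p):
    """Entropy scale: -sum_i p_i ln p_i, in nats (p_i = 0 contributes 0)."""
    return -sum(pi * math.log(pi) for pi in p if pi > 0)

def cross_entropy(p, q):
    """Entropy scale: -sum_i p_i ln q_i; infinite if q rules out a possible event."""
    total = 0.0
    for pi, qi in zip(p, q):
        if pi == 0:
            continue
        if qi == 0:
            return math.inf
        total -= pi * math.log(qi)
    return total

def divergence(p, q):
    """Entropy scale: -sum_i p_i ln(q_i / p_i) = cross-entropy minus entropy."""
    return cross_entropy(p, q) - entropy(p)

def to_probability(info_metric):
    """Probability scale: e^(-info metric)."""
    return math.exp(-info_metric)

def weighted_geometric_mean(weights, values):
    """prod_i values_i ** weights_i, computed directly as a cross-check."""
    return math.prod(v ** w for w, v in zip(weights, values))

def summarize(p, q):
    """Candidate 'averages' of source p, and the score of model q against p."""
    return {
        "arithmetic_mean": sum(p) / len(p),          # always 1/N
        "weighted_mean": sum(pi * pi for pi in p),   # sum_i p_i^2
        "avg_prob_source": to_probability(entropy(p)),
        "avg_prob_model": to_probability(cross_entropy(p, q)),
        "divergence_ratio": to_probability(divergence(p, q)),
    }

# Constructed sample: probabilities of ten attack phases (sums to 1),
# scored against a model that knows nothing (uniform over the phases).
PHASES = [0.25, 0.20, 0.15, 0.10, 0.10, 0.05, 0.05, 0.04, 0.03, 0.03]
UNIFORM_MODEL = [0.1] * 10

if __name__ == "__main__":
    for name, value in summarize(PHASES, UNIFORM_MODEL).items():
        print(f"{name:18s} {value:.4f}")
```

The average probability of the source lies between the arithmetic mean 1/N and the weighted mean, and a model that assigns zero to an event that can occur scores an average probability of exactly 0.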

Page 10

Accuracy of threat Assessment?

Purpose is to assess the accuracy of probabilistic forecasts

Comparison between two distributions:
– Distribution of forecasts produced by algorithms, models, & analysts
– Distribution of test data used to evaluate the performance of analysts

Well established performance metrics based on decision boundaries
– Confusion Matrix – percent correct classification & percent of decision errors
– Receiver Operator Curve – how does decision boundary affect confusion matrix

Accuracy of probabilistic forecasts much harder to assess
– Again, arithmetic mean of true event probabilities is not correct
– Instead a scoring rule is needed which weights the value of a probability; this value can be averaged
– Information theory: value of probability is negative logarithm, but oversensitive
– Most popular alternative: Mean-square average of the reported probabilities
– Countless alternatives: starting with any concave utility function, can derive a “Proper Scoring Rule” which encourages honesty in the mean, but modifies the risk associated with variation in the forecast

Demonstrate approach which uses a risk-biased info metric

Page 11

Coupled surprisal modifies info metric

Properties of coupled surprisal
– Defined by deformation from additive metric
– Related to the degree of risk tolerance

11ln lnmult

add

pp

p

Nonlinear metric:

Coupled Entropy:

lni ii

p p

This is the dual

Tsallis entropy

* 2

*

q q

1

0

If 1

Then ln 1

multadd

mult

p

Graph shows

ln 1

add mult

ddp p

[Figure: k-Surprisal, -log k(p), (vertical axis, 0 to 10) versus Probability (horizontal axis, 0 to 1); legend "k Value": 1.0, 0.5, 0.0, -0.5, -1.0; curve labels: "Robust metric - increased risk", "Decisive metric - lower risk", "Shannon Surprisal, Neutral to risk"]

0

0

0

Coupled-Surprisal

Robust – Lower risk tolerance

Shannon Accuracy

Neutral to risk

Decisive – Higher risk tolerance

Page 12

Coupled-Surprisal Gen. Mean

[Figure: k-Surprisal, -log k(p), (vertical axis, 0 to 10) versus Probability (horizontal axis, 0 to 1); legend "k Value": 1.0, 0.5, 0.0, -0.5, -1.0; curve labels: "Robust metric - increased risk", "Decisive metric - lower risk", "Shannon Surprisal, Neutral to risk"]

Coupled-Surprisal | Coupled Cross-Entropy | Generalized Mean

Arithmetic Average | Coupled Exp

1

1,

1

( , | )

N

avg truth i truthN

i

P qp q x

(κ > 0) Decisive – finite cost

(κ < 0) Robust – infinite cost

Shannon Entropy (κ = 0): Log average → Geometric Mean

Generalized mean can also be derived from Renyi Entropy

• Utilize just the coupled-surprisal to form Risk Profile

• Average coupled-surprisal is biased, local score


Page 13

Illustration of bounds using generalized mean

[Figure: Probability of Threat Phase (vertical axis, 0.00 to 0.30) versus Threat Phase (horizontal axis, 1 to 10)]

= 0, p = 0.15 = 1, p = 0.17

= −2 3 , 𝑝 = 0.13

1/101

1i

i

p

2

2decisive

robust

decisive

Page 14

The Risk Profile: A scoring rule based on the degree of risk tolerance

Input is the histogram of true state probabilities

Output is spectrum of performance versus risk tolerance

Provides insight into forecasts:
– Decisiveness
– Accuracy
– Robustness

Example: Fusion of Image Features

[Figure: Histogram of True Class Probabilities; Counts of Probabilities - Log Scale (10^0 to 10^3) versus Probability Bins (0 to 1)]

[Figure: Risk Profile for Fusion Methods; Generalized Mean of True Class Probabilities (0 to 1) versus Confidence - Kappa Value (-2 to 2); legend "Fusion Method": Average, Log-Average, Naive Bayes; labels: Decisive Metric, Robust Metric, Shannon Surprisal]
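A risk profile computed for two forecasters, as an added Python example that is not part of the original presentation. It uses the power-mean exponent r directly (r = 1 arithmetic mean, r = 0 geometric mean, r < 0 the robust side) rather than the slides' kappa parameter, whose mapping to the exponent is not legible in this transcript; the forecast values and function names are constructed for illustration.

```python
import math

def generalized_mean(probs, r):
    """Power mean ((1/N) * sum_i p_i**r) ** (1/r) of true-state probabilities.

    r = 1 is the arithmetic mean, r -> 0 the geometric mean (Shannon case),
    r = -1 the harmonic mean. r is an assumed parameterization, not the
    slides' kappa.
    """
    if not probs or any(p < 0.0 or p > 1.0 for p in probs):
        raise ValueError("need a non-empty list of probabilities in [0, 1]")
    n = len(probs)
    if r <= 0 and min(probs) == 0.0:
        return 0.0  # a zero on the true state is an infinite cost for r <= 0
    if r == 0:
        return math.exp(sum(math.log(p) for p in probs) / n)
    return (sum(p ** r for p in probs) / n) ** (1.0 / r)

def risk_profile(probs, exponents=(-2, -1, 0, 1, 2)):
    """Spectrum of performance: generalized mean at each risk exponent."""
    return [(r, generalized_mean(probs, r)) for r in exponents]

def decision_accuracy(probs, threshold=0.5):
    """Fraction of events where the true state got more than `threshold`."""
    return sum(p > threshold for p in probs) / len(probs)

# Constructed sample: probability each forecaster gave to what actually
# happened, for the same ten events. Both get 8 of 10 decisions right.
CALIBRATED = [0.80] * 8 + [0.40] * 2
OVERCONFIDENT = [0.99] * 8 + [0.01] * 2

if __name__ == "__main__":
    for name, probs in (("calibrated", CALIBRATED), ("overconfident", OVERCONFIDENT)):
        print(name, f"decisions correct: {decision_accuracy(probs):.0%}")
        for r, mean in risk_profile(probs):
            print(f"  r = {r:+d}  generalized mean = {mean:.3f}")
```

Both forecasters make the same decisions, and the arithmetic mean even favours the overconfident one; the geometric and harmonic means expose the two events it rated at 0.01.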

Page 15

Fusion & Info-Metric use Generalized Mean

Using risk bias for bounds rather than variance

Examples: High risk sample, Low risk sample

100 samples of each numeral

Fusion with Generalized Mean of 6 image features

Correct Classification 98%

Distribution of Probabilities Modified by Risk Bias

[Figure: Risk Profile; Generalized Mean of True Probabilities (0.2 to 1) versus Risk Bias (-2 to 2); legend "Fusion Coupling": Decisive = 0.0, Accurate = -0.2, Robust = -0.4; label "Metric"]

US Patent # US8595177 B1

Page 16

Overfitting high-dimensional models

Truth & Model

Data generated from 10-D Independent Gaussian

Training data estimates &

Model is Gaussian

Model has 2-10 Dim.

Results

Decision Accuracy plateaus at 6 features

Probability Accuracy degrades from
– 0.63 with 6 features
– to 0.47 with 10 features

[Figure: "Truth - 10 Feature Gaussian, Model 2-10 Feature Gaussian"; Generalized Mean of true state probabilities (0 to 1) versus Risk Bias (-5 to 5); legend "Training Features & Prob Correct Class": 2 - 0.74, 4 - 0.81, 6 - 0.84, 8 - 0.84, 10 - 0.84; annotations: "= 2.8", "= 1.5", "= 1.1", "P0 = 0.63", "P0 = 0.58", "P0 = 0.47"]

Page 17

Robust Heavy-tail Model

Truth & Model

Data generated from 10-D Independent Gaussian

Training data estimates &

Model is Heavy-Tail – robust against outliers

Model has 2-10 Dim.

Results

Decision Accuracy improves to 0.86 at Dim = 10

Probability Accuracy – stable at 0.86 for dim > 6

[Figure: "Truth - 10 Feature Gaussian, Model 2-10 -0.15 Gaussian"; Generalized Mean of true state Probabilities (0 to 1) versus Risk Bias (-5 to 5); legend "Training Features & Prob Correct Class.": 2 - 0.76, 4 - 0.82, 6 - 0.85, 8 - 0.85, 10 - 0.86; annotations: "P0 0.60", "P0 0.69", "P0 0.69", "= 1.4", "= 2.0", "= 3.6"]

Page 18

Conclusion

Average uncertainty is the Geometric Mean of probabilities

Risk assessment of forecasting algorithms requires …
– Decisiveness: is there enough certainty to make good decisions?
– Accuracy: are the probabilistic forecasts honest about the uncertainty?
– Robustness: how sensitive is the algorithm to the testing data?

Average risk-biased uncertainty is the Generalized Mean

Resulting analytical tool is the Risk Profile
– Information theoretic measure of algorithm performance versus risk
– Uses the familiar probability scale so results are intuitive
– Spectrum of performance provides rich insight into characteristics of algorithms

Application to Cyber Metrics
– Evaluation of tools used to forecast threats
– Provides insight about how well an algorithm is balancing forecasting risks

