Scoring Hypotheses from Threat Detection Technologies

Robert C. Schrag, Masami Takikawa

We describe efficient methods to score structured hypotheses from threat detection technologies that fuse evidence from massive data streams to detect threat phenomena. The strongly object-oriented threat case representation summarizes only key object attributes. Pairing of hypothesized and reference cases exploits a directed acyclic case type graph to minimize case comparisons. Because case pairing is expensive, we expediently avoid it where possible. One global pairing operation suffices to develop: (1) Count-based metrics (precision, recall, F-value) that generalize the traditional versions to object-oriented versions that accommodate inexact matching over structured hypotheses with weighted attributes; (2) Area under the object-oriented precision-recall curve; (3) Cost-based metrics that address timely incremental evidence processing; (4) Statistical significance of computed scores. Many software parameters support customized experimentation.
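As an added illustration of the count-based metrics the abstract describes (not code from the paper, and not its actual pairing algorithm), the block below scores a small set of constructed hypothesised threat cases against constructed reference cases. Each case carries a type and a few attributes; attributes have weights, a hypothesised case earns partial credit equal to the weighted fraction of attributes on which it agrees with its paired reference case, and only cases of the same type are ever compared. The flat type lookup stands in for the paper's directed acyclic type graph, and the greedy one-to-one pairing with a similarity threshold is an assumption chosen for clarity; the attribute weights and case data are constructed.

```python
"""Object-oriented precision, recall and F with weighted, inexact matching.

Added example: the cases, attribute weights, the same-type restriction, the
greedy pairing rule and the partial-credit rule are all constructed here and
are simplifications, not the paper's own method.
"""
from itertools import product

# Constructed attribute weights per case type: how much each attribute counts
# when a hypothesised case is compared with a reference case of that type.
WEIGHTS = {
    "intrusion": {"source": 0.4, "target": 0.4, "technique": 0.2},
    "exfiltration": {"actor": 0.5, "destination": 0.3, "volume_mb": 0.2},
}

# Constructed reference (ground-truth) cases.
REFS = [
    {"type": "intrusion", "source": "hostA", "target": "db1", "technique": "sqli"},
    {"type": "exfiltration", "actor": "hostA", "destination": "ext1", "volume_mb": 500},
    {"type": "intrusion", "source": "hostC", "target": "web2", "technique": "xss"},
]

# Constructed hypothesised cases, as a detector might emit them.
HYPS = [
    {"type": "intrusion", "source": "hostA", "target": "db1", "technique": "bruteforce"},
    {"type": "exfiltration", "actor": "hostB", "destination": "ext1", "volume_mb": 500},
    {"type": "intrusion", "source": "hostZ", "target": "web9", "technique": "xss"},
]


def attribute_similarity(hyp, ref, weights):
    """Weighted fraction (0..1) of the reference attributes the hypothesis reproduces."""
    total = sum(weights.values())
    matched = sum(w for a, w in weights.items() if a in ref and hyp.get(a) == ref[a])
    return matched / total


def pair_cases(hyps, refs, weights_by_type, threshold=0.5):
    """Greedy one-to-one pairing of hypothesised and reference cases.

    Only same-type cases are compared (a flat stand-in for a type graph), and a
    candidate pair is kept only if its similarity reaches `threshold`.
    Returns a list of (hyp_index, ref_index, similarity), best pairs first.
    """
    candidates = []
    for (i, h), (j, r) in product(enumerate(hyps), enumerate(refs)):
        if h["type"] != r["type"]:
            continue  # cross-type comparisons are skipped entirely
        s = attribute_similarity(h, r, weights_by_type[h["type"]])
        if s >= threshold:
            candidates.append((s, i, j))
    candidates.sort(reverse=True)
    used_h, used_r, pairs = set(), set(), []
    for s, i, j in candidates:
        if i in used_h or j in used_r:
            continue  # each case may be paired at most once
        used_h.add(i)
        used_r.add(j)
        pairs.append((i, j, s))
    return pairs


def oo_scores(hyps, refs, pairs):
    """Object-oriented precision, recall and F: pair similarity is partial credit."""
    credit = sum(s for _, _, s in pairs)
    precision = credit / len(hyps) if hyps else 0.0
    recall = credit / len(refs) if refs else 0.0
    f = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f


def score_example():
    """Run the constructed data end to end and return (pairs, precision, recall, F)."""
    pairs = pair_cases(HYPS, REFS, WEIGHTS)
    return (pairs, *oo_scores(HYPS, REFS, pairs))


if __name__ == "__main__":
    pairs, p, r, f = score_example()
    for i, j, s in pairs:
        print(f"hyp[{i}] <-> ref[{j}]  similarity={s:.2f}")
    print(f"precision={p:.3f} recall={r:.3f} F={f:.3f}")
```

With these inputs the first hypothesis pairs with the first reference at similarity 0.8 (source and target match, technique does not), the exfiltration hypothesis pairs at exactly the 0.5 threshold, and the third hypothesis is left unpaired because it shares only the technique with any same-type reference. Three hypotheses and three references then yield precision, recall and F of 1.3/3; with exact matching the same data would score 0 on all three, which is the difference the weighted, inexact metrics are meant to capture.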

Subjects: 1. Applications; 2. Architectures


This page is copyrighted by AAAI. All rights reserved. Your use of this site constitutes acceptance of all of AAAI's terms and conditions and privacy policy.