Rule+exception strategies for security information analysis

Broadly defined, intelligence and security informatics is "the study of the use and development of advanced information technologies, systems, algorithms, and databases for national- and homeland-security-related applications". Processing security-related information is a critical component of ISI research, which involves studying a wide range of technical and systems challenges related to the acquisition, collection, storage, retrieval, synthesis, analysis, visualization, presentation, and understanding of security-related information. Our research aims to develop a unified data description and understanding framework to enable discovery of useful knowledge and events from data sets related to international, homeland, or other types of security. In particular, this article focuses on a common security information analysis task: how to develop an efficient knowledge representation framework and related automated learning and mining mechanisms to describe and identify abnormal situations or behavior. We advocate the use of a specific knowledge representation and data mining framework based on rules and exceptions for analysis of security-related information. In this rule+exception framework, normal and abnormal situations or behaviors occur as pairs of dual entities: rules succinctly summarize normal situations, and exceptions characterize abnormal situations. The rule+exception approach -which closely resembles how humans understand, organize, and use knowledge -has the potential to evolve into a unified, multilevel data description and understanding framework applicable across many security informatics applications.