Not Applicable
Not Applicable
Not Applicable
Not Applicable
1. Field of the Invention
The field of the invention generally relates to security systems for inspecting passengers, luggage, and/or cargo, and more particularly to certain new and useful advances in data fusion protocols for such security systems, of which the following is a specification, reference being had to the drawings accompanying and forming a part of the same.
2. Description of Related Art
Detecting contraband, such as explosives, on passengers, in luggage, and/or in cargo has become increasingly important. Advanced Explosive Detection Systems (EDSs) have been developed that can not only see the shapes of the articles being carried in the luggage but can also determine whether or not the articles contain explosive materials. EDSs include x-ray based machines that operate using computed tomography (CT) or x-ray diffraction (XRD). Explosive Detection Devices (EDDs) have also been developed and differ from EDSs in that EDDs scan for a subset of a range of explosives as specified by the Transportation Security Administration (TSA). EDDs are machines that operate using metal detection, quadrapole resonance (QR), and other types of non-invasive scanning.
A problem of interoperability arises because each EDD and EDS computes and outputs results in a language and/or form that are specific to each system's manufacturer. This problem is addressed, in part, by U.S. Pat. No. 7,366,281, assigned to GE Homeland Protection, Inc, of Newark, Calif. This patent describes a detection systems data fusion protocol (DSFP) that allows different types of security devices and systems to work together. A first security system assesses risk based on probability theory and outputs risk values, which a second security system uses to output final risk values indicative of the presence of a respective type of contraband on a passenger, in luggage, or in cargo.
Development of suitable languages has mostly occurred in two general technology areas. (a) Representation and discovery of meaning on the world wide web for both content and services; and (b) interoperability of sensor networks in military applications, such as tracking and surveillance. The Web Ontology Language (OWL) is a language for defining and instantiating Web-based ontologies. The DARPA Agent Markup Language (DAML) is an agent markup language developed by the Defense Advanced Research Projects Agency (DARPA) for the semantic web. Much of the work in DAML has now been incorporated into OWL. Both OWL and DAML are XML-based.
An extension of the data fusion protocol referenced above into a common language that allows interoperability among different types of EDDs and/or EDSs is needed to deal with (a) how to manage risk values at divestiture (e.g., when luggage is given to transportation and/or security personnel prior to boarding); and (b) how to deal with aggregating risk values over a grouped entity (e.g., a single passenger and all of his or her items).
Embodiments of the invention address at least the need to provide an interoperability standard for security systems by providing a common language that not only brings forth interoperability, and may further address one or more of the following challenges:
enhancing operational performance by increasing detection and throughput rates and lowering false alarm rates;
ensuring security devices and systems can work together without sharing sensitive and proprietary performance data; and/or
allowing regulators to manage security device and/or system configuration and sensitivity of detection.
The common language provided by embodiments of the invention is more than just a standard data format and communication protocol. In addition to these, it is an ontology, or data model, that represents (a) a set of concepts within a domain and (b) a set of relationships among those concepts, and which is used to reason about one or more objects (e.g., persons and/or items) within the domain.
Compared with OWL and DAML, embodiments of the present security interoperability ontology appear simpler and more structured. For example, embodiments of a security system constructed in accordance with principles of the invention may operate on passengers and the luggage in a serialized fashion without having to detect and discover which objects to scan. This suggests creating embodiments of the present security interoperability ontology that are XML-based. Alternatively, embodiments of the present security interoperability ontology may be OWL-based, which permits greater flexibility for the ontology to evolve over time.
Other features and advantages of the disclosure will become apparent by reference to the following description taken in connection with the accompanying drawings.
Reference is now made briefly to the accompanying drawings, in which:
Like reference characters designate identical or corresponding components and units throughout the several views, which are not to scale unless otherwise indicated.
As used herein, an element or function recited in the singular and proceeded with the word “a” or “an” should be understood as not excluding plural said elements or functions, unless such exclusion is explicitly recited. Furthermore, references to “one embodiment” of the claimed invention should not be interpreted as excluding the existence of additional embodiments that also incorporate the recited features.
As required from the ontology definition above, embodiments of the invention define a data model that represents a set of concepts (e.g., objects) within the security domain and the relationships among those concepts. For example, in the aviation security domain, the concepts are: passengers, luggage, shoes, and various kinds of sensors. The scope of the invention, however, should not be limited merely to aviation security. Other types of domains in which embodiments of the invention may be deployed include mass transit security (e.g., trains, buses, cabs, subways, and the like), military security (e.g., main gate and/or checkpoints), city and government security (e.g., city and government buildings and grounds); corporate security (e.g., corporate campuses); private security (e.g., theaters, sports venues, hospitals, etc.), and so forth.
Embodiments of the invention also provide a risk representation, which has its own structure, and relates to—or resides in—the passengers and their items. For example, in the aviation security domain, exemplary risk representations include, but are not limited to:
ownership between luggage and passengers;
between sensors and the type of objects it can scan (capability);
between sensors and what type of threats it can detect (capability); and
between risk values and the corresponding physical objects.
Embodiments of the interoperability standard also provide a calculus for updating risk values. This calculus may include one or more of the following:
initialization of risk values;
transformation of existing sensor data to a set of likelihoods;
updating risk values based on new data (sensor or non-sensor data);
aggregation—or rollup—of multiple risk values, which corresponds to threat categories, for an object to a single risk value for that object;
flow down of risk values for “children objects” at divestitures (e.g. a passenger (“parent object” divests his/her checked luggage (“children objects”)); and
aggregation—or rollup—of risk values from several objects into an aggregated value (e.g. a passenger and all his/her belongings, or an entire trip or visit).
Each of objects 101, 102, 103, 104, 105, and 106 represents a series of computer-executable instructions, that when executed by a computer processor, cause the processor to perform one or more actions. For example, the risk agent object 101 functions to receive and update one or more risk values associated with one or more types of threats in one or more kinds of threat vectors. The aggregator object 102 functions to determine whether and what type of aggregation method (if any) will be used. The aggregator object 102 also functions to sum risk values for sub-categories (if any) of an object (e.g., a person or their item(s)). In a similar fashion, the divester object 103 determines whether an item has been divested from a passenger and what risk value(s) are to be assigned to the divested item(s). Examples of divested items include, but are not limited to: a piece of checked luggage (e.g., a “bag”), a laptop computer, a cell phone, a personal digital assistant (PDA), a music player, a camera, a shoe, a personal effect, and so forth. The threat vector generator object 105 functions to create, build, output, and/or display a threat matrix (see
An example of a Boolean value for a threat category is “1” for True and “0” for False. The Boolean value “1” indicates that a sensor performed its screen. The Boolean value “0” may indicate that a screen was not performed.
“Sensor” designates any device that can screen any of the threat vectors listed in the threat matrix 300 (see description of
The sensor is any type of device configured to directly detect a desired threat and/or to provide indirect data (such as biometric data) that can be used to verify an identity of a passenger. Examples of sensor include, but are not limited to: an x-ray detector, a chemical detector, a biological agent detector, a density detector, a biometric detector, and so forth.
The table 200 includes columns 201, 202, 203, and 204; a first category row 205 having sub-category rows 210; and a second category row 206 having sub-category rows 207, 208, and 209. Column 201 lists threat categories, such as explosives (on row 205) and weapons (on row 206). Column 202 lists sub-categories. For row 205 (explosives), the sub-categories listed on rows 210 are E1, E2 . . . En, and E0 (no explosives). For row 206 (weapons), the sub-categories listed are: Wg (Guns) on row 207; Wb (Blades (Metallic)) on row 208; and W0 (None) on row 209. Column 203 lists prior risk values (0.5/n for rows 210, except for E0 (no explosives), which has a prior risk value of 0.5). Column 203 also lists prior risk values (0.5/2) for rows 207 and 208; and lists a prior risk value of 0.5 for row 209. These risk values are probabilities that are updated as more information is extracted by sensors and/or from non-sensor data. Column 204 lists a total probability value of 1 for each of rows 205 and 206.
Separation of the threat categories 205 (explosives) and 206 (weapons) into subcategories optimizes data fusion. The benefits of this subdivision become apparent when considering the detection problem inversely: If sensor A eliminates categories 1, 2, 3, while sensor B eliminates categories 4, . . . , n, then—put together—they eliminate all categories 1 to n. This would not have been possible without incorporating the “threat space” and the subcategories into the interoperability language.
In aviation security, the threat vehicle focuses around the passenger. Potentially, each passenger can be treated differently, based either on passenger data that was available prior to arrival or on data that was gathered at the airport. Associated with each passenger, then, is a risk value, which is an instantiation of the threat space as defined in
Other threat vectors of interest are:
Checked luggage
Checkpoint items:
A simplifying constraint arises from the fact that not all threat types (e.g., explosives, guns, blades, etc.) can be contained in all threat vectors. For example, small personal effects are considered not to contain explosives, but could conceal a blade. Similarly, a shoe is assumed not to contain guns, but may conceal explosives and blades. These constraints are summarized below the threat matrix 300 of
The threat matrix 300 comprises columns 301, 302, 303, 304, 305, 306, 307, and 308, and rows 205, 207, and 208; all of which can be used to indicate scenarios that need to be screened for and/or to indicate scenarios that do not need to be screened for. For example, column 301 represents a piece of luggage; column 302 represents a laptop; column 303 represents a coat; column 304 represents a shoe; column 305 represents personal effects; column 306 represents a liquid container; column 307 represents a passenger; and column 308 represents a checked bag. Row 205 represents an explosive; row 207 represents a gun; and row 208 represents a blade. Boolean values (“1” for a valid threat scenario and “0” for an unlikely/invalid threat scenario) appear in the intersection of each row and column. For example, a Boolean value of “1” appears at the intersection of row 205 (explosive) and columns 301 (bag), 302 (laptop), 303 (coat), 304 (shoes), 306 (liquid container), 307 (passenger), and 308 (checked bag), indicating that an explosive may be concealed in a bag, a laptop, a coat, a shoe, a liquid container, on a passenger, or in a checked bag. The Boolean value of “0” appears at the intersection of row 205 (explosive) and column 305 (personal effects), indicating that concealment of an explosive in a person's personal effects is unlikely.
The risk values, or threat status, are measured in probability values, more specifically using Bayesian statistics. In addition, as previously mentioned, there is a Boolean value associated with each threat category, which specifies whether this threat type has been screened for yet—or serviced. This value may start out as False, (e.g., “0”).
“Priors” or “prior risk values) are initial values of the threat status, as stated in column 203 of the table depicted in
The two exemplary threat types of FIG. 2—explosives (row 205) and weapons (row 206)—are accounted for separately. The sum of P(E0), P(E1), . . . (En) equals a likelihood of 1. And the sum of the weapons risk values, P(W0)+P(Wg)+P(Wb) also equals a likelihood of 1.
The method 400 may begin by (a sensor) accepting 401 a prior threat status as an input. Thus each sensor in a security system must be able to accept an input threat status along with the physical scan item (person, bag, etc.). This prior threat status might be the initial threat status as described above, or it might have been modified by another sensor and/or based on non-sensor data before arriving at said sensor.
The method 400 may further comprise translating 402 sensor data into likelihoods. In one embodiment, this entails two sub-steps. A first sub-step 406 may comprise mapping sensor specific threat categories to common threat categories. This was described above with respect to the table shown in
The likelihoods can be written mathematically as P(X|Wi,Ej), where X is the measurement or output of the sensor. For the simplest case, when the sensor outputs Alarm or Clear, the likelihood matrix is simply the detection rates and false alarm rates, as shown below.
Better data fusion results may be obtained when determining the likelihoods from continuous feature(s) rather than a discrete output (Alarm/Clear). In such a case, the likelihoods can be computed from probability density functions, which in turn can be based on the histograms of training data. [SS1]
The method 400 may further comprise checking off 403 common threat categories that have been serviced by a sensor. In one embodiment, this may entail one or more substeps. For example, a first sub-step may be determining 408 whether a sensor has been able to screen for a threat category that it is capable of detecting. If so, a second sub-step may comprise setting a Boolean value for this category to True—irrespective of the category's prior Boolean value. Otherwise, if the sensor was unable to perform its usual inspection/screening due to limitations such as shield alarm (CT and X-ray) or electrical interference, the second sub-step may comprise leaving 410 the Boolean value unchanged. If a common threat category contains sub-categories, the Boolean values extend down to subcategories as well. In such a case, a third sub-step may comprise compiling (or rolling up) all Boolean values with the logical “AND” operation.
The method 400 may further comprise fusing 404 old and new data. This may be accomplished by configuring each sensor to combine its likelihood values with the input threat status (e.g., priors) using Bayes' rule:
Bayes' rule is used to compute the posterior risk values, P(Ei|X), from the priors, P(Ei), and the likelihoods provided by the sensors, P(X|Ei).
The method 400 may further comprise outputting 405 a threat status. This may involve two sub-steps. A first sub-step may comprise outputting 406 fused risk values. A second sub-step may comprise outputting updated Boolean values.
A critical part of the security ontology is the passing of threat status between threat vectors that “emerges” with time. For example, at the time a passenger registers at an airport, his identity is captured and a threat status can be instantiated and initialized. Later on, the same passenger divests of various belongings, which will travel their own path through security sensors.
The interoperability requirements of sensors and meta-sensors were described above. Such sensors have the role of propagating the risk values; meaning they receive pre-existing risk values as input, update them based on measurements, and output the result.
This section describes the governing rules for creation, divestiture, and re-aggregation of threat status. As
divestiture;
aggregation (risk rollup);
initialization; and
decision rules (alarm/clear, re-direction rules, etc.)
Accordingly, architectural choices of the interoperability standard address the following:
(1) What rules guide a handoff of a threat status to divested items? Moreover, how does divestiture affect the threat status of the divestor—if at all—and vice versa?
(2) How is threat status computed for an aggregation of items? Examples are a) a passenger and all her items, or b) all passengers and items that are headed on a particular trip.
Details on these architectural choices are presented below.
Thus, each divested object inherits the threat status, i.e. the risk values, from the parent object. Only if the threat matrix in
The justification for this requirement is that, for security purposes, one cannot allow divestitures to dilute the risk values. For example, a passenger who checks two bags should not receive lower risk values for each bag than a passenger that checks only one bag. This would become a security hole: bringing multiple bags would lower the risk value for each bag and thus potentially relax the screening.
The disadvantage of this requirement is loss of consistency in the risk values before and after divestiture: If a passenger is deemed 50% likely of carrying a bomb, one could argue that the total risk after divestiture—the combined risk of the person and the two checked bags—also should be 50%. This loss of consistency is acceptable to avert a security hole. Consistency on aggregated items will be regained by a risk roll-up mechanism (described below).
To get the combined risk of the two main threat categories, E and W, basic probability calculus is used:
P=P(E∪W)=1−(1−P(E))(1−P(W))
Thus, step 602 may comprise several sub-steps 604, 605, and 606. Sub-step 604 may comprise determining a prior risk value for the combined risk. In the present example, the prior risk value for the combined risk will not be 0.5, but 0.75. Sub-step 605 may comprise setting the determined prior risk value for the combined risk as a neutral point. In this example, the neutral state of the risk value 0.75—before any real information has been introduced—is “off balance” compared to the initial choice of 50/50. For a visual display of the risk value in a risk meter, it is therefore natural to make the neutral point on the gage (transition from green risk to red risk) at 0.75. Accordingly, sub-step 606 may comprise outputting and/or displaying a risk meter having the neutral point and/or the single risk value.
Moving forward from either step 602 or 603, the method 600 may comprise outputting 607 the risk of the object as a single risk value.
From a technical standpoint, there are several possible aggregation mechanisms. For example, the probability values could simply be summed, or averaged. Or, one could assume independence between items, or assume only one threat of each type for the whole aggregation. Because, each of the methods has its pros and cons, it embodiments of the interoperability standard support more than one aggregation method.
Assuming that each item in the aggregation is independent, there is no limitation on the total number of threats within the aggregation. The independence assumption also makes the aggregation trivial. For example, let k denote the item number, with K being the total number of items in the aggregation. Double indices for the threat category are then used: the first index for the sub-category, and the second index for the item. This yields the following calculus:
Illustratively, this methodology can be used when aggregating truly independent items, such as different passengers.
This method is analogous to the one used for the sub-categories of a single item that were described above with reference to
In other situations other aggregation methodologies may be better suited. Therefore, the architecture of the interoperability standard may be kept open with respect to overriding the two aggregation methodologies proposed above.
In an embodiment, a purpose of aggregation may be to utilize the risk values in a Command and Control (C&C) context. In such a scenario, risk values provided by an embodiment of the interoperability standard feed into a C&C context where agents—electronic or human—are combing for big-picture trends. Such efforts might foil plots where a passenger is putting small amounts of explosives in different bags, or across the bags of multiple passengers. It could also reveal coordinated attacks across several venues. It also can be used to assign a global risk to a person based on all the screening results.
An aggregation over multiple objects may be defined as a hierarchical structure such as a passenger and the belonging items, or a flight including its passengers. This means there must be some “container” objects such as a flight, which contains a link to all the passengers. An alternative implementation uses a database to look up all the passengers and items for a given flight number.
Requirement 803 is that the aggregated risk value should preserve the severity of high-risk items in the aggregation. This means that high-risk items are not masked or diluted by a large number of innocuous items. This is a plus for the independence aggregation method 702, and a minus for the one-threat aggregation method 703.
Requirement 804 is that the aggregation mechanism should operate over threat sub-categories in such a way that it can pick up an actual threat being spread between multiple items. This is a minus for the independence aggregation method 702, and a plus for the one-threat aggregation method 703.
Requirement 805 is that two items with high-risk values should combine constructively to yield an even higher risk value for the aggregation. This is a plus for the independence aggregation method 702, and a minus for the one-threat aggregation method 703.
Requirement 806 is the suitability in aggregating a person with all belongings. This is a minus for the independence aggregation method 702, and a plus for the one-threat aggregation method 703.
Requirement 807 is the suitability when aggregating over “independent” passengers. This is a plus for the independence aggregation method 702, and a minus for the one-threat aggregation method 703.
In an embodiment of the interoperability standard, the risk engine (DSFP) also supports receiving and using information from sources other than sensors. For example, a passenger profiling system may be integrated with the interoperability standard. There are no additional requirements for such non-sensor data nodes—but for clarity, the following example is provided.
Suppose that a passenger classification system categorizes passengers into two categories: normal and selectee. This classification system is characterized by its performance, more specifically by the two error classification rates:
(a) The false positives is the rate that innocent passengers are placed in the selectee category. This rate is easily measurable as the rate that “normal” passengers at an airport are classified as selectee. For our example, let's assume the rate is 5%.
(b) The false negatives rate is the percentage of real terrorists that are placed in the normal category. In this case, since there is no data available, we would have to use an expert's best guess to come up with a value. For this example we will assume there is a 50% chance that the terrorist will not be detected and thus ends up being classified as normal.
In an embodiment, the % of false positives and the % of false negatives are received from the profiling system that calculated them. To comply with the requirements above, the passenger-profiling node needs to determine the likelihoods:
P(Selectee|Ei) and P(Normal|Ei)
For brevity, we only consider the explosive categories here; the weapons categories behave the same way. Now note that E1, . . . , En means there are real threats on the person or his belongings, i.e. he is a terrorist on a mission. Based on the error rates above then,
By using these likelihoods with Bayes' rule, a passenger categorized as normal would have his risk value change from 50% to 35%. A passenger designated a selectee would have his risk value change to 91%. Each risk value is the sum of P(E1),P(E2,) . . . , P(En). The reduction of risk value from 50% to 35% was obtained by simply applying Bayes' rule with the likelihoods stated above.
A profiling method with higher misclassification rates would reduce leverage on the risk values. If for example, the false negatives rate, i.e. the rate of classifying terrorists on a mission as normal, is 75%, the resulting risk values would be 44% for normal and 83% for selectee.
Sensors with Indirect Data
This section builds upon the example in the last section and further describes how to transform data from biometric sensors and other types of sensors that output indirect data. “Indirect data” is a measurement result obtained from a sensor that does not directly indicate whether a threat (e.g., a weapon, an explosive, or other type of contraband) is present. Non-limiting examples of “indirect data” include a fingerprint, a voiceprint, a picture of a face, and the like. None of these measurements directly indicate whether a threat is present, but only whether the measurement matches or does not match similar items in a database. On the other hand, non-limiting examples of “direct data” are: an x-ray measurement that clearly defines the outline of a gun, a spectroscopic analysis that clearly identifies explosive residue, etc. In particular, this section describes how to convert the identity verification modality of biometric sensors to a risk metric that can be used in an embodiment of the interoperability ontology described above.
Converting an identity verification result into overall risk assessment quantifies the risk associated with the biometric measurement result. This is an advantage over prior biometric-based security systems in which biometric identity verification is usually used purely in a green light/red light mode.
Biometric sensors present another challenge because, in addition to utilizing the inherent likelihood functions that characterize a biometric sensor's capability, (a) the likelihood that a terrorist is using a false identity and (b) the likelihood that an “innocent” passenger (non-terrorist) is using false identity need to be determined.
Note that these two likelihoods are completely independent of the underlying biometric technology, i.e. these likelihood values would be identical for all biometric sensors.
That said, in an embodiment of the invention, biometric sensors are configured to compute likelihoods that a biometric sample is a match or a non-match. These likelihoods may be compounded with the two basic identity verification likelihoods described above, to produce an overall identity verification likelihood that can be used with an embodiment of the interoperability standard.
In another embodiment, immediately following step 901, the method 900 may further comprise compounding 902 a plurality of likelihoods to produce a compounded likelihood. In one embodiment, this step 902 may comprise compounding a likelihood of identity match defined above with a pre-established likelihood that a terrorist would use a false identity and/or with a likelihood that a non-terrorist (e.g., passenger) would use a false identity. The method may further comprise determining 903 new risk values by applying Bayes' rule to the prior risk value and the compounded likelihood. The method 900 may further comprise outputting 904 a new risk value. The method 900 may further comprise replacing 905 the prior risk value with the determined new risk value.
A full example how to update a risk value using indirect data from a sensor is given below.
The section titled “Sensors With Indirect Data” described two likelihoods that need to be determined: (a) the likelihood that a terrorist is using a false identity and (b) the likelihood that an “innocent” passenger (non-terrorist) is using false identity. In this example, both likelihoods are assigned values for purposes of illustration only. Assume it is 2% likely that a normal passenger would use a false identity and 20% likely that a terrorist on a mission would do so.
We then have:
Also assume for this example only that a fingerprint (e.g., one type of biometric) sensor produces a matching score that indicates that the likelihood of a match is three (3) times the likelihood of a non-match. We then have:
P(Score|FalseIdentity)=k
P(Score|TrueIdentity)=3k
These likelihoods [P(FalseIdentity/Ei); P(TrueIdentity/Ei); P(Score/False Identity); and P(Score/True Identity)] need to be compounded to produce a compounded likelihood P(Score|Ei), which can be written as:
Finally, the risk values are updated by applying Bayes' rule. This calculation shows that a passenger with the matching score from this example would have her risk value reduced from 50% to 47%. Thus, the high matching score of the biometric sensor reduced the perceived risk of the passenger.
In another example, the biometric sensor produced a matching score such that the likelihood of non-match was twice as great as the likelihood of a match. This means that there is doubt about the true identity of the passenger and the risk value increases to 57%.
This written description uses examples to disclose embodiments of the invention, including the best mode, and also to enable a person of ordinary skill in the art to make and use embodiments of the invention. The patentable scope of the invention is defined by the claims, and may include other examples that occur to those skilled in the art. Such other examples are intended to be within the scope of the claims if they have structural elements that do not differ from the literal language of the claims, or if they include equivalent structural elements with insubstantial differences from the literal languages of the claims.
Although specific features of the invention are shown in some drawings and not in others, this is for convenience only as each feature may be combined with any or all of the other features in accordance with the invention. The words “including”, “comprising”, “having”, and “with” as used herein are to be interpreted broadly and comprehensively and are not limited to any physical interconnection.
Moreover, any embodiments disclosed in the subject application are not to be taken as the only possible embodiments. Other embodiments will occur to those skilled in the art and are within the scope of the following claims.