What refers to the degree to which information flows freely within an organization?

Information Flow: Processing Stages

In an information flow model, we distinguish discrete processing stages. Although the following list is by no means complete, we can characterize each information flow stage as one of these classes.

Supply, representing external data suppliers provide

Acquisition, representing the point at which existing data instances are acquired

Transformation, representing the point where a data instance is modified to conform to another processing stage’s expected representative format

Creation, the point at which new data instances are created

Process, representing points at which system state is modified as a result of input data

Store, in which a data instance is stored in a persistent system

Packaging, in which data is collated, aggregated, and/or summarized

Switch/route, where a set of rules is used to determine where and how to route data instances

Decision point, which is a point at which a data consumer (real or automated) is solicited for a decision

Deliver, the delivery point for data that is meant to be consumed

Consume, the presentation point for information presented by the system

Information Flow: Directed Channels

Data moves between stages through directed information channels. A directed information channel is a pipeline indicating the flow of information from one processing stage to another, indicating the direction in which data flows. Our model is represented by the combination of the processing stages connected by directed information channels. Once we have constructed the flow model, we assign names to each of the stages and the channels.

Data Payload Characteristics

The last aspect of an information flow model is the description of the data items that are propagated between any pair of processing stages. The characteristics include the description of the information structure (i.e., columnar attribution), the size of the data instances, and the cardinality of the data set (i.e., the number of records communicated). More sophisticated models may be attributed with business rules governing aspects such as directional flow, validation, and enhancement as well as processing directives.

Definition 9.23 Information flow in HAL

ij,…,ik⊢jiffdegree ⊕ci⊂cj>δ

In our discussion here, information is computed from just one term. So ⊕ c1 = c1.11

Definition 9.24 Degrees of inclusion

degreeci⊂cj=∑P1∈QPδci∧QPcj∑Pk∈QPδci

9.8.1 The Raynaud-Fish Oil Abduction

In the 1980s a librarian named Don Swanson made a chance discovery by linking together two different on-line medical sites, one having to do with Raynaud’s disease and the other dealing with fish oil. As Swanson subsequently observed, “the two literatures are mutually isolated in that authors and readers of one literature are not acquainted with the other, and vice versa” [Swanson and Smalheiser, 1997, p. 184]. Swanson’s discovery turned on what we might call intermediate terms or B-terms. If we take A to represent “fish oil” and C to represent “Raynaud”, then the implicit link between them was indicated by groups of explicit links A-B and B-C [Weeber et al., 2001]. The B-terms used were “blood viscosity”, “platelet aggression” and “vascular reactivity”. (See again Table 9.1.) While A-B and B-C links were reported in the two disparate literatures, there is in neither any explicit link A → C. A → C Swanson characterizes as “undiscovered public knowledge” [Swanson, 1986].

Swanson downloaded 111,603 MEDLINE journal articles published between 1980 and 1985. He confined his attention to the titles of the papers collected. Swanson constructed a HAL semantic space from a vocabulary containing all words in these titles, save for those excluded by a stop but in the ARROSMITH system. The resulting vocabulary contained 28,834, which is the dimensionality of the semantic space.

Swanson’s experiments manipulated the size l of the window and the threshold δ, which fixes the properties comprehended by the source concept which would be involved in the information flow computations. The importance of window size lay in the likelihood that the bigger the window (i.e., the larger the context), the greater the number of B-terms spotted. The importance of heavily weighting the threshold parameter lay in the likelihood that the Raynaud representations would have desirable degrees of relevance if heavily weighted.

Using the Raynaud representation as the source concept in Definition 8.26, the 1500 most heavily weighted terms were computed. Although 1500 is arbitrary, it reflects the fact that computational costs vary proportionally with vocabulary size. Implicit information inferences were ranked according to information flows — the greater the flow the higher the ranking. Swanson wanted to compare his information flow computations with other kinds of outcome computed on the Raynaud representation. One such is cosine, which, when used in semantic spaces, measures the angle between representations, where the strength of the association varies inversely with the size of the angle. In HAL’s space, the cosine can be got by multiplying respective representations and ranking them in descending order of cosine. This is possible since in the HAL space representations are given a remit length normalization.

Using the Minkowski distance metric; it is possible to measure the distance between concepts x and y in the n-dimensional HAL space. Accordingly

Table 9.2. Implicit information inference and semantic association strengths based on the Raynaud representation

where d(x, y) is the distance between representations of x and y.

When x corresponds to a Raynaud representation, both Euclidean distance (r = 2) and city-block distance (r = 1) can be computed, and the y-terms are rankable on increasing order of distance, where terms closer to x are taken as having higher levels of semantic connection. In Swanson’s experiment the top 1500 y-terms were singled out for consideration.

Cosine and Minkowski distance metrics measure the semantic strength of the association of x and y in the HAL space. Information flow computation is different. It measures the level of information overlap in the target term relative to the source term.

For ease of exposition, we report only the results achieved in the best runs. Degree of information flow and strength of semantic association are represented by the numbers in the table’s cells, with the requisite ranking in parentheses. Bolded values indicate terms occurring in the top 1500. City-block metrics produced unsatisfactory runs, and don’t appear in the table.

What stands out is that, for three of the four tested terms, information flow through a semantic space managed to register their implicit association with “Raynaud”. Also of significance is the comparative lowness of these rankings. It bears on this that the best results were achieved when above average weightings were given to the Raynaud representation. Even so, in that situation only one B-term had an above average weighting (“platelet”: 0.15), and the other B-terms occurring in the representation had below average weightings. This means that they failed to part of the information flow. It is also interesting that relevant information flow was restricted to the same one B-term, “platelet”. However, when the weights of the B-terms were increased manually and the Raynaud vector was set at unity, the runs are more encouraging. All four target terms receive information flow, and three of the four now place quite in the ranking.

Regardless, semantic space calculations provide an account of how implicit connections can be computed from a semantic space and interpreted from an abductive perspective. In an automatic setting, information flow computation through a high dimensional space is able to suggest the majority of terms needed to simulate Swanson’s Raynaud-fish oil discovery, though the strength of suggestion is relatively small.

It is interesting to note that in HAL-based semantic space models there is no express capacity for seeking out or responding to considerations of relevance and plausibility. Likewise, there is no express role here for analogy. In the HAL model, semantic weight is dominantly a matter of the physical distance between and among co-occurring terms. Not only is this a not especially notion of semanticity, intuitively speaking, but the HAL runs also show that comparatively light semantic weightedness is all that is required for comparatively successful hypothesis-generations, in the manner of Swanson.

This is a highly admonitory turn of events. It suggests confirms what we have repeatedly claimed, namely, that hypothesis selection does not require the abducer to make judgements about what is relevant, plausible and analogous. But it also suggests that hypotheses that are selected need not satisfy conditions on relevance, plausibility or analogousness. In particular, it calls into question our claim that a wining hypothesis will always turn out to have a determinate place in a filtration-structure. But if that claim should fail, it may be that the best to be said for our intuitions about the relevant, the plausible and the analogous is that they issue forth in judgements made (albeit tacitly, for the most part) after the fact of hypothesis-selection. Part of the importance of research in mechanized abduction is the further light that it might throw on these suggestions. We also see in this a considerable rehabilitation of what we (not HAL) call topical relevance.

In the Swanson case, the implicit links between Raynaud’s disease and fish oil, were carried by connecting terms of the form A – B and B – C, where A terms are from the Raynaud lexicon and C terms are from the fish oil lexicon. Implicit inferential flow thus passes between A– and C– terms by way of intermediate B– terms. The basic structure of this flow resembles consequence relations that admit of an Interpolation Theorem. It also reflects the presence of the Anderson-Belnap conception of topical relevance, viz., term overlap. All this is food for thought. A semantic space approach to computerized abduction employs a weak notion of semanticity. The implicit inferential flows that drive the task of hypotheses-generation and hypothesis-engagement are semantically modest. The theory’s tacit responsiveness to relevance constraints is one that involves the crudest conception of topical relevance to be found in the entire relevance canon. Yet HAL produced the right answer for Swanson’s abduction problem. The semantic essence of the HAL model is given jointly by a pair of factors which our intuitions would lead us to think of as syntactic. Semantic insight is lexical co-occurrence under a distance relation. Inferential flow is driven by term-sharing. We see in this an approach to semantics that philosophically-trained readers might well associate with Paul Ziff’s Semantic Analysis of over forty years ago [Ziff, I960].

HAL’s computational abduction successes were transacted in semantically austere computational environments.12 It is clear that such semantic austerities possess economic advantages. In what we have so far said about the logic of down below, we have postulated structures with capacities to economize with complexity. In our discussions of Peirce, we have remarked upon the emphasis he gives to the human instinct for guessing right. The two points come together in a suggestion that is highly conjectural, but far from unattractive. It is that in real-life cases, especially in cut-to-the-chase abductions, beings like us might well be running something like the abductive logic of HAL-semantic spaces. It is a suggestion that we pass on to the ongoing research programme in cognitive science, with a special nod to neurocomputation and neurobiology.

6.1 Formal security analyses

The formal modeling and verification approach is one of the most effective tools for network security analysis with maximal precision [43]. It serves the common goals of network security analysis, which are to improve the quality of the system specification and to check for the existence of security deficiencies. Moreover, it may enable a more systematic understanding of security issues and facilitate systematic testing of network-related implementations.

A security model is a formal description of security related aspects and mechanisms of a system using formal methodology. A model is formal if it is specified using a formal language, which is defined as a language with well-defined syntax and semantics such as finite state automata (FSM) and predicate logic [43]. That model includes a base system component and a security component related with a satisfaction requirement as shown in Figure 30.9. The former defines what the system does while the security component is an abstraction of security requirements. The satisfaction relation ensures that these security requirements are met and typically verified via formal methods. Therefore, security analysis is carried out based on correspondence between system description and security properties adopted in the formal modeling.

According to [43], there are four classes of practically relevant formal security models:

Automata Models: A model checking specification consists of two parts [45]. One part is the model: a state machine defined in terms of variables, initial values for the variables, and a description of the conditions under which variables may change value. The second part is temporal logic constraints defined over states and execution paths. Conceptually, a model checker visits all reachable states and verifies that the temporal logic properties are satisfied over each possible path, that is, the model checker determines if the state machine is a model for the temporal logic formula via exploration of the state space temporal logic constraints over states and execution paths. For the analysis to be performed, the constituent elements of the model such as vulnerability description, connectivity and required function need to be developed. In [46], Mao et al. describe a new approach, namely logical exploitation graphs, to represent and analyze network vulnerability. Their logical exploitation graph generation tool illustrates logical dependencies among exploitation goals and network configuration. Their approach reasons all exploitation paths using bottom-up and top-down evaluation algorithms in the Prolog logic programming engine.

Access Control Models: Classical access control models, like the traditional Bell-LaPadula model [43], relying on access control rules with security labels on objects and clearances for users, lack the modeling capabilities for current practical systems. Role-based access control (RBAC) models mapping subjects to roles in a hierarchical structure and then relating roles to access rights to subjects are proposed to address this shortcoming. In [47], a formal model of the computer network is constructed using graph-theoretic tools with packet filter functions classifying the message flow thus constraining the reachability of the entities on the network. Access control lists and routing policies are reflected into the model by means of packet filtering functions that are associated with edges of the graph.

Information Flow Models: These models describe how information may flow between which domains in a very abstract way such that they can capture also indirect and partial flow of information [48,49]. An example is the confidentiality of data output from a system. The critical issue is not whether any output contains confidential data but rather depends on it [44]. The concept of noninterference is a fundamental information flow property in that regard. Basically, if there is no information flow from one group of processes to another, the first group is said to be noninterfering with the other. This means that the processes in the first group cannot reveal any secret information such as passwords or encryption keys to the entities in the second group. In return, the processes in the second group cannot be corrupted by the ones in the first group. This expressive capability provides the basis for modeling confidentiality and integrity requirements between processes.

Cryptoprotocol models: Probably the most successful class of security models are cryptoprotocol models describing the message traffic of security protocols. The formal and mathematical design of cryptographic schemes is suitable for formal verification. Virtually all formal methods have been employed for cryptoprotocol verification [50] extending to industrial size protocols. Mostly secrecy and authentication goals can be specified and then verified automatically using model-checkers tailored for this application.

Formal methods can only address certain aspects of security, those related to computer networks and system design. Some aspects of security do not lend themselves to formal methods (e.g., computer hacking, tampering, and social engineering) [51]. Since current ICT systems are very complex, it is also nontrivial to have methods scaling with network size and security flaws and vulnerabilities are hard to find using formal analysis. In Figure 30.10, a cost-benefit analysis for formal methods is shown. The benefit is a function of number of users and their importance level, i.e., as the number of users and their relative importance increase, the investment on formal analysis is more reasonable. On the difficulty aspect, the cost increases with increasing system and property complexity. The operation domain of the system renders formal analysis feasible or infeasible due to complexity. Event it is feasible, it may unreasonable due to small return-on-investment for the analysis efforts. Therefore, security analysis based on formal methods typically focuses on specific aspects of system in operation. However, these analyses are precise and can be automated.

6.2 Automated security analyses

For general network monitoring and analysis, there are various tools utilizing Internet Control Message Protocol (ICMP) and the Simple Network Management Protocol (SNMP), such as HP OpenView, NetXMS, and OpenNMS. Although they support network discovery and monitoring tasks in a remote and automated setting, they are not designed and purpose-built for security analysis or evaluations.

For automated security analysis, network security tools are crucial since they allow offline and online analysis of computer networks in an automated and scalable manner. These tools are generally grouped into two classes [3] as shown in Figure 30.11.

6.3 Soft security analysis

Traditionally, formal methods and on the shelf automated tools have been used to analyze security of computer networks and systems. With the increasing proliferation and complexity of computer networks and systems, uncertainty has become an unavoidable fact for these systems; that situation has changed the game regarding security analysis. Specifically, formal methods have been inappropriate to analyze all security properties of computer networks and systems. Moreover, automated tools have provided limited analysis options for such systems. Recently, soft security modeling and analysis methods have been widely used to complement formal analysis methods and traditional security analysis tools.

Soft security analyses and modeling methods aim to mitigate uncertainty and subjectivity. Most of the time, trust, risk, and reputation methods are used to cope with uncertainty and subjectivity so they are considered as soft security analyses and modeling methods in literature. In contemporary computer networks and systems, soft security analyses methods are used with traditional security analyses methods to have more precise analyses results. Since trust, risk, and reputation deal with uncertainty, they are interdependent as shown in Figure 30.12. Detailed explanations of soft security analysis methods are as follows:

Trust. Trust is an interdisciplinary subject studied in many fields of science. It has different meanings and many properties. For instance, trust is highly context dependent and subjective. Therefore, the definition of trust is significant to construct an analysis method of security for computer networks and systems. Moreover, some properties of trust may contradict properties of security [54].

Trust-based security analyses of computer networks and systems have two steps. First, a trust model of a security system is constructed. Following the construction, the model is analyzed with both context specific analysis approaches and conventional analysis approaches. For instance, trust information may be extracted from the security system of a service for security analysis purposes, where the service may be a network service [55].

Trust based modeling and analysis approaches have been widely used in computer networks and systems. These trust approaches may be designed for different contexts and purposes, but they may be applied to analyze security of computer networks and systems. For instance, the Eigen-Trust algorithm is used to decrease the number of downloads of inauthentic files in a peer-to-peer file-sharing network [56]. PeerTrust is another research related to peer-to-peer networks [57]. Actually, there are many other trust models related to trust modeling and analyses for computer networks and systems [58,59]. These models can be applied for security analysis of computer networks and systems with conventional analysis models to have better accuracy of analyses.

Risk. Risk is probably the best known and most commonly used soft security analysis method of computer networks and systems. Moreover, risk is used to construct trust and reputation models for analyzing security of systems [60].

The goal of risk-based analyses is to provide information necessary for security management to make reasonable decisions related to resources of computer networks and systems. Actually, there are many security risk methods defined in various standards, such as ISO/IEC 31010:2009 [61], and different risk classification methods. In this chapter, we follow the classification of risk approaches in [16] for analysis purposes of computer networks and systems as follows:

Baseline: Implement a basic level of security control to analyze and control security of systems, such as industry best practice.

Informal: Conduct semiformal risk analysis, such as individuals performing quick analyses of computer networks and systems.

Detailed: Use formal structures to analyze systems and it provides the greatest degree of assurance.

Combined: Combine baseline, informal, and detailed approaches to provide reasonable levels of protection and analysis as quickly as possible.

In the literature, there are many risk models and analysis approaches. For instance, trust and risk analysis is formalized for security architecture of systems to ensure that the systems are protected according to their stated requirements and identified risk threshold [62]. In another research work, trust and risk are used in role-based access control policies [63]. Trust mechanisms based on risk are used for evaluation of peer-to-peer networks [64]. Some other researches related to trust and risk for computer networks and systems are included in [65–69].

Reputation. Most of the time reputation is used to analyze security computer networks and systems. Reputation is defined according to the context it is applied to, and perceptions of people. Since perceptions of people vary, there are different definitions of reputation related to computer networks and systems. For example, a reputation definition for online systems is “Reputation is what is generally said or believed about a person’s or thing’s character or standing.” [70]. There are also many similar definitions for network systems in literature [71]. Although reputation has many different definitions in literature, it is about general belief of entities in computer networks and systems.

Reputation systems make some types of abstractions to decrease the amount of data to make analyses easier, which has some advantages. For instance, it decreases the need for space to store data. However, abstract representations cause loss of information. Therefore, it is impossible to verify properties of past behavior given only the reputation information [72]. Specifically, these analysis methods generally aggregate ratings via computer networks to have information about social networks [73]. Google’s Page Rank algorithm uses a reputation mechanism to analyze web page popularity on the Internet [74].

Soft analysis methods are complementary solutions to formal analysis methods and automated security analysis tools. Recently, these solutions have become primary analysis methods for computer networks and systems. With the proliferation of complex and dynamic computer networks and systems, it seems that soft analysis methods are essential to properly analyze security of computer networks and systems.