JDMS

Original article

Journal of Defense Modeling and

Simulation: Applications,
A Cyber-based Behavioral Model Methodology, Technology
9(3) 195–203
Ó 2012 The Society for Modeling
and Simulation International
DOI: 10.1177/1548512911425808
dms.sagepub.com

David Robinson1 and George Cybenko2

Abstract
While long considered an important aspect of strategic and theater planning, situational awareness (SA) is the linchpin to
both cyber planning and execution. As stated in Joint doctrine, before military activities in the information environment
can be accurately and effectively planned, the ‘‘state’’ of the environment must be understood. At its core, cyber situa-
tional awareness requires understanding the environment in terms of how information, events, and actions will impact
goals and objectives, both now and in the near future. Joint Information Operations (IO) doctrine defines three layers of
information inherent to this; physical, informational, and cognitive. While a fair amount of time and effort has been
focused on the physical and informational aspects of cyber situational awareness, very little emphasis has been placed on
the cognitive layer as it relates to cyber space and how best to model and analyze it. This research examines aspects of
the cognitive level by defining a cyber-based behavioral model contingent on the activities a user performs while on the
Internet. We believe this is foundational to completely defining a cyber situational awareness model, thus providing com-
manders and decision makers a more comprehensive and real time view of the environment in which they are operating.

Keywords
cognition, Department of Defense, Internet, World Wide Web

1. Introduction
While long considered an important aspect of strategic and
theater planning, situational awareness (SA) is the linchpin
to both cyber planning and execution. As stated in Joint
doctrine, before military activities in the information envi-
ronment can be accurately and effectively planned, the
‘‘state’’ of the environment must be understood. Joint
Information Operations (IO) doctrine defines three layers
of information inherent to this; physical, informational,
and cognitive.24 While a fair amount of time and effort has
been focused on the physical and informational aspects of
cyber situational awareness, very little emphasis has been
placed on the cognitive layer as it relates to cyber space
and how best to model and analyze it.* The Army recog-
nized this shortfall and in 2006 stood up the Army’s
Human Terrain System (HTS).1 The HTS provides
*
We use the Joint Information Operations [24] definition of ‘‘cognitive’’
which is ‘‘Where human decision making takes place; Dimension of intan-
gibles such as morale, unit cohesion, public opinion, situational aware-
ness; Key characteristics: perceptions, emotions, awareness, and
understanding.’’
commanders and staff with information for a given popula-
tion determined from observations and analysis by social
scientists in the field. This information is used by com-
manders to aid in the interpretation of cultural and regional
behaviors and to determine the effect of military actions
on them. While fairly successful for the Army, little to no
effort has been made to extend this approach into the cyber
arena.
At its core, cyber situational awareness requires under-
standing the environment in terms of how information,
events, and actions will impact goals and objectives, both
now and in the near future. E-commerce companies rea-
lized the importance of this type of understanding and
1
Air Force Institute of Technology, Wright Patterson AFB, OH, USA
2
Thayer School of Engineering, Hanover, NH, USA
Corresponding author:
David Robinson, Air Force Institute of Technology, 2950 Hobson Way,
Wright Patterson AFB, OH 45433, USA.
Email: david.robinson@afit.edu
196 Journal of Defense Modeling and Simulation: Applications, Methodology, Technology 9(3)

have invested a significant amount of time and effort into
modeling behaviors based on users’ cyber observables.
Online retail and marketing firms have done a great deal
of research2,3,4,5 based on profiling user’s cyber behaviors.
While the focus of their research lies in better targeted
advertising campaigns, personalization, and recommender
systems, many of the techniques developed are extremely
effective in modeling users shopping behaviors and pre-
dicting interests from collected historical data. Although
this analysis seems to work well in the e-commerce
domain, a significant limitation is its inability to scale as
additional (non-shopping) behaviors are introduced.
While aspects of behavioral models have been
researched and implemented in various domains, little to
no work has been done to create a model capable of captur-
ing the depth and breadth of human behavior in the cyber
realm. This research presents a mechanism to address this
shortfall by translating users’ cyber observables into beha-
viors using the concept of topic modeling. While tradition-
ally applied to document collections, we show how this
same approach may be used to extract and represent beha-
vioral information in a quantitative manner. The remainder
of this paper describes what cyber behaviors are, how they
may be modeled, extracted, and analyzed in a methodical
and repeatable manner, and provides an example of how
this approach may be utilized on actual data.
2. Cyber Behaviors
Leveraging previous work in this area,6 we define cyber
behavior as a set of activities together with a statistical
characterization of those activities. While this may seem
fairly straight forward and concise, trying to instantiate
and model an individual’s cyber behavior based on this
concept is a non trivial matter.
Activities in a cyber context can range from the broad
(i.e., surfing the web) to fairly specific (i.e., querying
‘‘human behavior’’). A user may take part in a number of
fairly complex activities, which when combined under cer-
tain conditions, describe one or more distinct behaviors.
For example, a user browsing web sites on cars, financing,
and car dealerships could be characterized by the activity
‘‘web browsing’’. This ‘‘top level’’ activity however, does
nothing to capture the underlying cyber behavior associ-
ated with buying a car.
From our definition, activities are obviously a key com-
ponent in the characterization of one’s behavior, but as just
demonstrated, activities themselves can often be expressed
in varying levels of abstraction. In order to describe activi-
ties in this manner, we make use of a hierarchical activity
tree. The root node represents the most basic instantiation
of the activity, while the leaf nodes provide further detail
and delineation into the specific act. Figure 1 is a graphical

Figure 1. Hierarchical activity tree for Shopping. Sibling nodes in the diagram are not in and of themselves independent activities, but
rather a more detailed description of the root activity (i.e. Automobilesis not an activity, but Shopping/Vehicles/Automobiles is).
Robinson and Cybenko
depiction of a portion of the shopping activity tree for
a user.
Each sibling leaf node is not in and of itself an indepen-
dent activity, but rather a more detailed description of its
root activity (i.e. Automobiles is not an activity, but
Shopping/Vehicles/Automobiles is). In this figure, Shopping
may be an adequate description of the activity given the
context of the analysis. However, for other research (i.e.,
e-commerce), a more detailed differentiation as to the spe-
cifics of what the user is shopping for is of critical impor-
tance. Using this hierarchical activity tree approach, we
allow for varying levels of activity representation.
We use the methodology outlined in our previous work7
to identify and extract activities from browser-based data.
This work provides a methodology to transform individual
URLs into hierarchical labels in a standardized and repea-
table manner. We currently utilize the Open Directory
Project (ODP)8 category structure as the basis for these
labels.
3. Behavioral Model
From a purely representational standpoint, we see cyber-
based behavioral models most similar to that of topic
Figure 2. Mapping of the topics model concept of documents being a mixture of topics to our behavioral model of behaviors being
a mixture of sessions.
Figure 3. Graphical depiction of the generative process (left) and that of statistical inference (right) as it relates to the generation
and extraction of cyber behaviors.
197
models.9,10,11,12 Topic models are generative models
allowing sets of observations to be explained by unob-
served groups which describe why some parts of the data
are similar. Typically applied to document collections
(abstracts, e-mails, etc.), topic models are based on the
idea that documents are mixtures of a small number of
topics and each word is attributable to one of the docu-
ment’s topics.
In contrast to generative models, statistical inference is
a technique used to invert the process just described by
inferring the set of topics responsible for generating a col-
lection of documents. We use the same approach in our
domain, but map documents, words, and topics to sessions,
activities, and behaviors. We define a session as a time
ordered sequence of page views by a single user occurring
during a period of activity by the user as defined in.13 The
table in Figure 2 summarizes this correspondence.
Using this terminology, behavioral models are based on
the idea that sessions are mixtures of a small number of
behaviors and each activity is attributable to one of the ses-
sion’s behaviors, where a cyber behavior is a probability
distribution over activities.
Borrowing from the example presented in,12 Figure 3 is
a graphical comparison of a generative process (left)
198 Journal of Defense Modeling and Simulation: Applications, Methodology, Technology 9(3)
versus statistical inference (right) of a topic model in a
behavioral context.
On the left, the generative process depicts two beha-
viors (Behavior 1 and Behavior 2) and the sessions (S1,
S2, and S3) generated by each. Both behaviors have a
common relationship to News but are focused on
Computers (Behavior 1) and Sports (Behavior 2) related
activities. These behaviors are represented as ‘‘bags-of-
activities’’ containing different distributions over activi-
ties from which sessions can be generated. In this case,
Session 1 (S1) is generated by Behavior 1, Session 3
(S3) by Behavior 2, and Session 2 (S2) is generated by
an equal mixture of both behaviors (edge labels in the
diagram indicate which behavior was used to sample
each activity).
Although implied by our common News activity, we
emphasize there is no notion of mutual exclusivity restrict-
ing activities to a single behavior. This is an important
aspect of the model allowing for a single activity to be
represented in multiple behavioral contexts. For example,
in Behavior 1, News is related to computer related news
and events whereas in Behavior 2, it is restricted to sport-
ing news.
The right portion of Figure 3 illustrates statistical infer-
ence. Given the observed activities in a collection of ses-
sions, we wish to know the behavioral model responsible
for generating the data. This involves inferring the prob-
ability distribution over activities associated with each
behavior, the distribution over behaviors for each session,
and the behavior responsible for generating each activity.
Figure 4 is a generic session/activity matrix used to store
our bag-of-activities data.
Figure 4. Session/activity matrix representation of
individual’s cyber activities.
Figure 5. The matrix factorization of a session/activity matrix
into a behaviors/activity matrix and a sessions/behavior matrix.
Here the Si are sessions, Aj the individual activities, aij
the activity counts per session, n the number of sessions,
and k the number of activities we are looking to model.
Our goal of storing information in this matrix is to then
perform a factorization of the sessions/activity matrix into
a sessions/behavior matrix and a behaviors/activity matrix
and (see Figure 5).
Our bag-of-activities representation tracks activity
counts only, not the order of activities within a session. We
understand activity-order may provide additional beha-
vioral insights. Griffiths et al14 present an extension of the
topic model which takes into account word order. We
believe this to be a viable approach to further define beha-
viors, but leave it as an area for future research.
While various instantiations of probabilistic topic models
exist,9,12,15,16 our model remains fundamentally the same no
matter which we use; sessions are a mixture of behaviors
and behaviors are a probability distribution over activities.
Each activity in a session is seen as a sample from a mixture
model where mixture components are multinomial P(ai |
z=Zj) and the mixing proportions are P(z=Zj | ss) (where z is
a latent behavior and Zj is one of 1,.,Z behavioral values).
Before going any further, we formalize our definitions of
activity, session, user, and behavior as follows:
• Activity – basic unit of discrete data, a, defined to
be an item from a vocabulary V where the vth activ-
ity in the vocabulary is represented as av
• Session – a sequence of Ns activities denoted by
s = a1 , a2 , . . . , aNS where an is the nth activity in
the session
PN – the total number of activity tokens (N =
Nd );
• User – collection of S sessions denoted by U = s1,
s2,., sS
• Behavior – each behavior z (where Z is the total
number of behaviors) is represented as a multino-
mial distribution over activities
an Borrowing notation from,12 P(z) is the distribution over
behaviors z in a session and P(a | z) is the probability
Robinson and Cybenko
Figure 6. Plate notation depicting our cyber-based behavioral model.
distribution over activities a given behavior z. P(zi = j) is
the probability the jth behavior was sampled for the ith
activity token and P(ai | zi = j) is probability of activity ai
under behavior j. The distribution over activities within a
session can now be represented as follows, where Z is the
total number of behaviors:
X
Z
P(ai ) = P(ai j zi = j)P(zi = j)
i=1
To simplify notation, we let ’(j) = P(a j z = j) refer to
the multinomial distribution over activities for behavior j
and θ(s)=P(z) refer to the multinomial distribution over
behaviors for session s. Parameter ’ indicates which activ-
ities are ‘‘important’’ for which behavior and parameter θ
represents the mixture weights to identify ‘‘important’’
behaviors for a session.
Typically a Dirichlet17 prior on θ is used in order to
estimate the mixture weights. The parameters of the distri-
bution are specified as α1.αZ where each hyperparameter
αj is interpreted as a prior observation count for the num-
ber of times behavior j is sampled in a session before hav-
ing observed any actual activities in the session. Normally
a symmetric Dirichlet distribution with single α parameter
is used to create a smoothed behavioral distribution (the
amount of smoothing is determined by α). A symmetric
Dirichlet(β) prior is also used on ’ and represents the prior
observation count on the number of times activities are
sampled from a behavior before any activity is observed.
Depending on the implementation used, various techniques
exist to estimate each parameter just described.
In order to capture the dependencies among the para-
meters, we represent our model in Figure 6 using a
199
behavior-based version of the plate notation originally pre-
sented in.12
The arrows in the model indicate conditional dependen-
cies between variables while plates (boxes) represent repe-
titions of sampling steps (variables in the lower right
corner refer to the number of samples). The activities a
(shaded), are the only observable variables in this model
while all others (non-shaded), are latent variables. Using
this notation, the inner plate over z and a illustrates the
repeated sampling of behaviors and activities until Ns
activities have been generated for session s. The plate sur-
rounding θ(s) shows the sampling of a distribution over
behaviors for each session s for a total of S sessions, while
the plate surrounding ’(z) illustrates the repeated sampling
of activity distributions for each behavior z until Z beha-
viors have been generated.
4. Behavioral Extraction
Given a session/activity matrix such as in Figure 4, the
goal of behavioral extraction is to use the concepts just
described to factor the matrix as shown in Figure 5 to iden-
tify the behaviors represented and the distribution of activ-
ities which created them. While a number of algorithm
exist to achieve this,9,12 we make use of a sampling based
version of Latent Dirichlet Allocation (LDA) described
in12 and implemented in the Java package Mallet.18
LDA9 is a probabilistic generative model used to
estimate the multinomial observations by unsupervised
learning. Estimating parameters for LDA by directly and
exactly maximizing the likelihood of the whole data
collection is intractable and therefore requires approximate
200 Journal of Defense Modeling and Simulation: Applications, Methodology, Technology 9(3)

estimation methods such as variational inference,
Expectation Propagation, and Gibbs Sampling. We make
use of the Gibbs Sampling approach in this work.
Gibbs sampling is a specific form of Markov Chain
Monte Carlo (MCMC) and simulates a high-dimensional
distribution by sampling on lower-dimensional subsets of
variables where each subset is conditioned on the value of
all others. Sampling is done sequentially and proceeds until
the sampled values approximate the target distribution.
Using this approach, activities are first randomly assigned
to behaviors. Repeated iteration over every activity is then
performed, choosing a new behavior for the activity based
on the current assignments of every other activity within a
session and the activities assigned to each behavior. The
probability of assigning an activity a in session s to beha-
vior z is given by
These values correspond to the predictive distributions
of sampling a new token of activity i from behavior j, and
a new (unobserved) token in session l from behavior j.
These values also represent the posterior means of these
quantities conditioned on a particular sample z.
The choice of the number of behaviors is an important
factor in our approach as too small a choice will result in
very broad behaviors and too large a choice will lead to
un-interpretable results. A large corpus of research19,20,10
exists on methods to select the most appropriate number
of behaviors, and is beyond the scope of this research. We
currently use a combination of Hierarchical Latent
Dirichlet Allocation4 based on nonparametric Bayesian
statistics and manual inspection to best determine the
appropriate behavior count.

αz + Nst βa + Nza 5. Experimental Results

p(z j s, a) /
X
0
0
X
0
0 In order to test the effectiveness of our model, we col-
(α0z + NSz ) (β0a + Nza )
z a
lected twelve browser history files from consenting users
ranging in duration from one to four months. These history
where Nsz is the number of times behavior z appears in ses- files contain the majority (users would sometimes use
sion s and Nza is the number of times activities of type a other computers or browsers during the period in question)
have been assigned to behavior z. Using LDA, the hyper- of the user’s web browsing activity for those periods of
parameters αz and βa are generally constants, reflecting time. Because the information was collected from known
symmetric, uninformative priors. and consenting users, ‘‘ground truth’’ information is avail-
During the initial stage of the sampling process (also able for verification of all analysis and testing with this
known as the burn-in period), the Gibbs samples are dis- data set. Due to the diversity of behaviors within our sam-
carded because they are poor estimates of the posterior. ple, we present initial findings on a single user from the
After the burn-in period, the successive Gibbs samples begin group. Our user (whom we will refer to as ‘‘User 1’’ for
to approximate the target distribution, which in our case, is the remainder of this section) is a graduate student con-
the posterior distribution over behavior assignments. ducting research in the areas of finance and computer engi-
Estimates for ’0 (activity-behavior distribution) and θ0 neering. Browsing history data for this individual was
(behavior-session distribution) can now be directly collected from 28 October 2009 to 7 January 2010 and
extracted as follows: consists of 10,907 click links, 623 sessions, and sixteen
top level categories.
Nzaj i + β Nzsjl + α Using behavioral extraction (see Section 4), we are able
’0(j)
i = θ0(l)
j = to identify and label seven dominant behaviors for this
X
A X
Z
Nzaj k + Aβ NZslk + Zα user. Figure 7 is a breakout of the distribution of activities
k=1 k=1 associated with each identified behavior.

Figure 7. User 1 personal (top) and work (bottom) behaviors extracted using LDA.
Robinson and Cybenko
Figure 8. Frequency of URL accesses by a user during a particularly stressful period in the workplace for work related (top) and
leisure related (bottom) activities.
The labels are defined in a qualitative manner by sim-
ply choosing a central theme based on manual browsing of
the activities for each behavior. Once labeled, it became
apparent two distinct types of behaviors were exhibited;
work and personal. Although this distinction is again qua-
litative in nature, given the context of the analysis per-
formed combined with the background information we
have on the individual, this division seems sound. We note
that, while not impossible, attempting to conduct beha-
vioral modeling and analysis with no contextual informa-
tion what so ever is a very difficult task.
We make the assumption that some background infor-
mation either on the individual or the point of collection
(i.e. collected from a university, bank, military installation,
etc.) will be made available. Behaviors related to personal
activities are represented on the top half of Figure 7 while
those having to do with work are depicted on the bottom.
Other than behavior B4 (e-mail and general interests),
manual inspection of the activities within each behavior
reveals a high correlation to individual areas of focus.
Although the average accuracy reported back by individu-
als modeled was 92%, additional research is needed to
determine a more quantitative method to measure accu-
racy. Figure 8 illustrates a cumulative sum (CUMSUM)
201
analysis21 of the deviation in frequency of URL accesses
by a user during a particularly stressful period in the
workplace.
These plots clearly demonstrate the utility of a beha-
vioral analysis based on cyber-observables in inferring the
psychological state of the user. In these figures, the verti-
cal bar at day 35 indicates the deadline for submitting writ-
ten materials for a milestone review and the vertical bar at
day 50 corresponds to the user’s defense of the findings.
The broader region spanning days 27-29 corresponds to a
holiday period. Analysis of the profiles reveals a sequence
of behavioral modalities that map to the following meta-
process:
Days 22-26: Start of intense preparation.
27-29: Holiday (work moves out of band).
30-35: Peak collection of research material.
35: Submission of written material.
36-50: Shift to consolidation of materials for
presentation.
50: Defense of findings.
51-end: Shift to relaxation period. Personal
(non-work related) browsing patterns.
202 Journal of Defense Modeling and Simulation: Applications, Methodology, Technology 9(3)
Within a military context, this same type of analysis
may be employed from an intelligence standpoint in identi-
fying certain ‘‘types’’ of individuals of interest (i.e. system
administrators, chemists, biologists, etc.) within a network.
Adding in temporal aspects (as in Figure 8) also provides a
mechanism to determine increases or decreases in cyber
activities of individuals or groups and the context of those
changes (i.e. increase in programming activities may be an
indicator of a new project starting).
6. Contribution of Work
We have implemented a novel approach to the modeling
and analysis of behaviors given a user’s cyber characteris-
tics. By formalizing and instantiating our behavioral model
as defined in Section 4 on user data, we have in place a
mechanism to characterize and profile both individuals
and groups at varying levels of fidelity. We are currently
unaware of any such mechanism in existence in the cyber
realm at this time.
Within the Department of Defense, this work provides
the foundation to accurately and effectively represent and
analyze the behavioral layers of the cyber situational
awareness environment, which in turn will provide plan-
ners and decision makers critical information to achieve
their mission. This research provides new insights and
analysis methods as of yet unimagined in the planning of
offensive and defensive cyber missions. Analysts will no
longer be constrained to functional characterization of
computer systems using terms such as ‘‘client’’, ‘‘web ser-
ver’’, and ‘‘database server’’. The capacity to ‘‘see’’ the
user at the keyboard will allow for advanced courses of
action to be developed and the full power of cyber effects
to be achieved.
We have focused on how this research is best utilized
within the Department of Defense, however, this work
offers great potential in other domains as well. The ability
to characterize, predict, and detect change in user behaviors
based on their cyber activities is something sought after for
a number of reasons. The financial sector may leverage this
work for fraud prevention and credit scoring while human
resources can track employees by monitoring their beha-
viors for malicious activity (insider threat) and for classify-
ing and ranking user’s skills. This work also offers a means
for e-commerce to expand the scope of its current profiling
techniques to better characterize and predict purchase pat-
terns for individuals and groups of online shoppers.
While this research provides the basis of a cyber-based
behavioral model, additional research in a number of areas
is needed to further develop this work making it a practical
and widely accepted framework. Our approach, while
quantitatively sound, lacks a mechanism for labeling the
behaviors extracted in an automated fashion. A common,
major challenge in applying a topic model based approach
to any text mining problem is to automatically label topics
both accurately and intuitively allowing a user to interpret
the discovered topic, or in our case, behavior. We consider
some recent work (see for example22,23 and others) as
offering viable approaches to resolve this problem, but
believe further research beneficial in discovering how this
would relate to the behavioral domain. While the initial
results provide examples demonstrating the effectiveness
of our behavioral model, additional data sources are
needed in which behaviors and activities can be verified
and validated in a scientific manner. Because our research
extends far beyond the engineering domain, work with
behavioral scientists and psychologists is vital to ascertain
the most beneficial methods and means to capture speci-
fied behavioral characteristics.
References
1. Army. ‘Army Human Terrain System’, http://humanterrain-
system.army.mil/ (December 2008).
2. Agrawal R and Imielinski T. Mining association rules
between sets of items in large databases. 1993, pp.207–216.
3. Lin W, Alvarez S and Ruiz C. ‘Efficient Adaptive-Support
Association Rule Mining for Recommender Systems’, http://
citeseer.ist.psu.edu/483133.html (2002).
4. Schafer JB, Konstan J and Riedi J. Recommender systems in
e-commerce. In: Proceedings of the 1st ACM Conference on
Electronic Commerce (EC ’99), ACM, New York, 1999, pp.
158–166.
5. Rayport JF and Jaworski BJ. Introduction to e-commerce.
New York: McGraw-Hill, Inc., 2004.
6. Sandell NF, Savell R, Twardowski D and Cybenko G. Hbml:
a language for quantitative behavioral modeling in the
human terrain. 2009, pp.1–10.
7. Robinson DJ, Berk VH and Cybenko GV. Online behavioral
analysis and modeling methodology (obamm). In Liu H,
Salerno JJ and Young MJ (eds) Social computing, behavioral
modeling, and prediction. New York, NY: Springer, 2008
pp. 100–109.
8. DMOZ. ‘Open Directory Project’, http://www.dmoz.org/
(2008).
9. Blei DM, Ng AY and Jordan MI. Latent Dirichlet
Allocation. J Mach Learn Res 2003; 3: 993–1022.
10. Rosen-Zvi M, Griffiths T, Steyvers M and Smyth P. The
author-topic model for authors and documents. In:
Proceedings of the 20th Conference on Uncertainty in
Artificial Intelligence, AUAI Press, Arlington, VA, 2004,
pp.487–494.
11. Mccallum A, Corrada-Emmanuel A and Wang X. Topic and
role discovery in social networks. 2005, pp.786–791.
12. Steyvers M and Griffiths T. Probabilistic topic models.
Mahwah, NJ: Lawrence Erlbaum Associates, 2007.
13. He D and Gker A. Detecting session boundaries from web
user logs. In: Proceedings of the BCS-IRSG 22nd Annual
Colloquium on Information Retrieval Research, 2000, pp.
57–66.
Robinson and Cybenko
14. Griffiths TL, Steyvers M, Blei DM and Tenenbaum JB.
Integrating topics and syntax. In: Advances in neural
information processing systems 17. Cambridge, MA: MIT
Press, 2005, pp.537–544.
15. Blei D and Lafferty J. Correlated topic models. Adv Neural
Inf Process Syst 2006; 18: 147.
16. Blei DM and Lafferty JD. Dynamic topic models. In:
Proceedings of the 23rd International Conference on
Machine Learning (ICML ’06), ACM, New York, 2006,
pp.113–120.
17. Bolstad WM. Introduction to Bayesian statistics. 1st ed. New
York, NY Wiley-Interscience, April 2004.
18. bMcCallum A. ‘MALLET: A Machine Learning for Language
Toolkit’, http://mallet.cs.umass.edu (January 2002).
19. Blei DM, Griffiths TL, Jordan MI and Tenenbaum JB.
Hierarchical topic models and the nested Chinese restaurant
process. In: Advances in neural information processing sys-
tems. Cambridge, MA: MIT Press, 2004, p.2003.
20. Teh YW, Jordan MI, Beal MJ and Blei DM. Sharing clusters
among related groups: hierarchical Dirichlet processes. In:
Advances in neural information processing systems. 2004.
21. Robinson D. Cyber-based behavioral modeling. PhD Thesis,
Dartmouth College, Hanover, NH, 2010.
22. Mei Q, Shen X and Zhai C. Automatic labeling of multino-
mial topic models. In: Proceedings of the 13th ACM
SIGKDD International Conference on Knowledge Discovery
and Data Mining (KDD ’07), ACM, New York, 2007,
pp.490–499.
203
23. Treeratpituk P and Callan J. Automatically labeling hierarch-
ical clusters. In: Proceedings of the 2006 International
Conference on Digital Government Research, ACM, New
York, 2006, pp.167–176.
24. Information Operations, U.S. Department of Defense Joint
Publication 3-13, 13 February 2006.
Author Biographies
David Robinson is an assistant professor of computer
science at the Air Force Institute of Technology and an
active duty Lieutenant Colonel in the United States Air
Force, Wright Patterson AFB, Ohio, USA. His research
interests include cyber-based behavioral modeling and
analysis, defining a science of cyber space, and cyber
physical systems (CPS) security.
George Cybenko is the Dorothy and Walter Gramm
Professor of Engineering at Dartmouth. He has made
seminal research contributions in information security,
signal processing, neural computing, parallel processing
and computational behavioral analysis and was the
Founding Editor-in-Chief of IEEE/AIP Computing in
Science and Engineering and IEEE Security & Privacy.
Cybenko is a Fellow of the IEEE and received his BS
(Toronto) and PhD (Princeton) degrees in Mathematics.