4
Opportunities for Data Fusion

With an understanding of the potential capabilities provided by data fusion, it is now possible to describe the opportunities for data fusion within transportation security. Of particular interest are approaches that yield the most improvements quickly and inexpensively.

The Department of Defense (DOD) is experienced in networked operations. All local, state, and federal responders need to be on the same level of situational awareness. Situational awareness improves efficiency by determining where and when to apply critical resources. Information sharing has application at both the local level and the



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 43
Fusion of Security System Data to Improve Airport Security 4 Opportunities for Data Fusion With an understanding of the potential capabilities provided by data fusion, it is now possible to describe the opportunities for data fusion within transportation security. Of particular interest are approaches that yield the most improvements quickly and inexpensively. The Department of Defense (DOD) is experienced in networked operations. All local, state, and federal responders need to be on the same level of situational awareness. Situational awareness improves efficiency by determining where and when to apply critical resources. Information sharing has application at both the local level and the

OCR for page 43
Fusion of Security System Data to Improve Airport Security national level. At the local level (taking an airport as an example), information sharing between local police, safety, and transportation security authorities might provide a more comprehensive view of the expanse of a threat, combining actions as they are occurring in varying regions of the airport. The ability to fuse the “combined” local data at the national level may reveal patterns of threats not otherwise seen when the events are viewed only in isolation. Multiple events planned in combination serve to confuse and paralyze those reacting to an attack. For the Transportation Security Administration (TSA) to move from the recognition of data fusion as a key technology for transportation security to having an effective plan for implementing data fusion solutions requires a systems approach. This approach would provide the programmatic basis for integrating security systems for checkpoints, checked-baggage screening, and access control. Key outputs from this systems approach that will enable the successful implementation of data fusion are the following: A set of data standards (e.g., Extensible Markup Language [XML]) for the integration of data from security systems and security personnel; A path for the growth and migration of passenger pre-screening as an input to data fusion; Reference frames for exchanging locational data at all levels from within bags to within airports; Standards for the identification of explosives, hazardous materials, and items that appear as hazardous but are not; Common measures of uncertainty for all data inputs and validated error rates from security systems; Data structures for radio-frequency (RF) tagging and other object identification and marking; Ontologies for potential threat objects, systems, subsystems, and scenarios in baggage screening, checkpoints, and airports that enable the linking of alerts, observations, and historical data and provide for dynamic threat assessment; Data structures for airport and airport perimeter kinematics with a particular focus on trajectories; Visualization methods that enable distributed situational awareness and assessment; Standardized data structures for access control, including biometrics; and Standardized data interfaces for access control with facility security. Every year many hundreds of research papers that explore new developments and approaches in data fusion are published. While most of these do not directly address issues in transportation security, it is important for the TSA to be aware of these research results. Where appropriate, it may be possible to apply these research results to fuse data in transportation security settings. Recommendation 2: The TSA should establish a means to ensure that the following tasks and functions are carried out:

OCR for page 43
Fusion of Security System Data to Improve Airport Security Creation of a set of system-level data fusion requirements for the checked-baggage screening, checkpoint, and access-control systems; Performance of a systems engineering analysis of these areas; Validation of these requirements against threat projections, current and projected security systems, and facility idiosyncrasies; and The monitoring of fundamental research in the field and adjustment of requirements where appropriate. Data fusion offers the potential for improvements in baggage screening, checkpoint operations, and access control. In baggage screening, data fusion provides a cost-effective approach to using existing technologies to reduce false alarms (false positives) while maintaining or possibly improving the probabilities of detection. Data fusion for checkpoint operations can also improve the detection of suspicious activities and objects while not increasing waiting or processing times. For airport access control, data fusion can provide an effective approach for integrating biometrics to allow entry only to authorized personnel. It also offers a promising method for effectively employing existing sensors, such as radar and video surveillance cameras, to protect the perimeters of airports. All of these processes are described in greater detail in the sections that follow. Experimental work done at the Phoenix Sky Harbor International Airport in Arizona illustrates how data fusion can impact security screening. At this airport, magnetometers, computed tomography (CT) scans, trace-explosives detection, and video surveillance were linked; their outputs were viewable at a central security station. At the time of the committee’s visit, this design was implemented for one set of security checkpoints in one terminal. Rather than simply displaying the data from these devices, their results could be routed through a data fusion system. In doing so, an alert from a magnetometer could be fused with data from a CT scan to provide a more rapid assessment of the potential threat. These data could also be combined with human assessments of passengers provided by the screeners. The fusion of these assessments with the results obtained from the inspection devices could increase the detection probabilities and/or reduce false alarms. OPPORTUNITIES IN BAGGAGE SCREENING Data fusion may have a direct positive impact in baggage screening through the combination of results from different screening systems. Each system is designed to identify explosive materials. Candidates for fusion include x-rays, pulsed fast neutron analysis (PFNA), and nuclear quadrupole resonance (NQR) (see Figure 4-1 for their locations on the electromagnetic spectrum). X-ray interactions with matter at the energies used for the detection of explosives (50 to 1,000 kiloelectronvolts [keV]) occur by photoelectric absorption and scatter.

OCR for page 43
Fusion of Security System Data to Improve Airport Security Sources of Data X-ray diffraction technologies with energies in the 30 keV to 80 keV range have the interactions with matter that are mainly diffraction plus photoelectric absorption. Diffraction measures the atomic lattice spacing of crystalline materials or the local arrangement of atoms in a chemical compound that can be used as a specific measure of a range of compounds. Neutron interactions with matter include inelastic scattering and generate gamma rays that are related to the elemental makeup of the material. Quadrupole resonance, however, measures the interaction of electromagnetic radiation effects that are related to the local environment of the nuclear spin. Thus, all of these technologies measure radiation or particles, and by their interactions with matter, they are used to infer, to identify, or to specify the actual materials present within luggage. Advantages Fusing data from the technologies described above has advantages over using data from just one technology. Some vendors are currently exploring a two-level bag-screening process that involves a high-throughput projection x-ray system that screens all bags and directs any bag with objects matching a broad threat profile to a more sensitive CT-based system. There are other possible combinations; the committee explores some of them in the subsection below, entitled “Notional Model.” FIGURE 4-1 Notional diagram showing the various radiation and particle interactions with matter that are used for the detection of explosives material. NOTE: NQR, nuclear quadrupole resonance; CT, computerized tomography. For the pulsed fast neutron analysis to which the committee is referring, the gamma rays are detected. Coupling x-ray CT explosive detection system (EDS) technology with other technologies most likely will provide the biggest reduction in the false-alarm rate in the near term. However, this reduction may come at a substantial penalty in system cost,

OCR for page 43
Fusion of Security System Data to Improve Airport Security throughput rate, and airport footprint. For example, coupling an x-ray CT EDS machine with an alarm resolution system based on NQR1 and pulsed fast neutron analysis would assist in resolving false alarms, but it would also increase the space needed. A sample baggage-flow diagram for the coupling of these technologies is shown in Figure 4-2. FIGURE 4-2 Notional flow diagram illustrating one way in which an explosive detection system (EDS) could be coupled to two existing alarm-resolving systems, nuclear quadrupole resonance (NQR), and pulsed fast neutron analysis (PFNA). The percentages by the various logic flow paths represent nominal “notional” probabilities that may be encountered in operational scenarios. NOTE: LEO, law enforcement officer; CT, computerized tomography. Several technologies could be selected to help reduce machine false alarms in the x-ray CT EDSs. In Figure 4-2, the committee has depicted NQR and PFNA, since they both have some good performance parameters validated by testing conducted at the TSL.2 Other possible data fusion candidates include coherent x-ray scattering (CXRS) and pulsed fast neutron transmission spectroscopy (PFNTS). One issue with CXRS is that there are little to no reported TSA performance data. Good TSA-conducted test data exist for PFNTS, but the current status and/or availability of the PFNTS prototypes is not clear. 1 This has also been referred to as quadrupole resonance. 2 T.J. Rayner. 1995. Nuclear Quadrupole Resonance System for Explosive Detection, Phase 1 Final Report, DOT/FAA/CT-FR95, U.S. Department of Transportation, Washington, D.C.; Air Cargo PFNA Test and Status Report. 2001. Ancore Corporation, South Melbourne, Victoria, Australia, January; Curtis Bell and Derry Green. 2001. Pulsed Fast Neutron Analysis (PFNA) October 2000 Test Overview, Presentation to NRC Panel on Assessment of the Practicality of Pulsed Fast Neutron Analysis for Aviation Security, January 29.

OCR for page 43
Fusion of Security System Data to Improve Airport Security Directed trace-explosive detection may not be the best candidate for alarm resolution. Even if one uses directed trace sampling on an alarmed item, there is no quantified metric for the probability that one may miss collecting any explosive contamination on the outside of the item or for the probability that there is a lack of contamination on the outside of the item when an explosive is present inside. In either case, one could conceivably clear the item that contains an improvised explosive device or a bomb. While directed trace-explosive detection is a good technology to raise an alarm, it has significant risks if used to clear an alarm raised earlier in the inspection process. Furthermore, there is evidence that the manual inspection process is not always accurate, and it has had difficulty in identifying an alarmed item within a bag, a prerequisite for a successful directed trace alarm resolution. Notional Model In implementing the process depicted in Figure 4-2, every step up to opening the bag can be automated. First, a bag is scanned by one of the x-ray CT explosive detection systems, and it either signals an alarm or does not. Since x-ray CT is the only current technology that meets the EDS detection criterion and has reasonable throughput, it is clearly the only potential technology for first-stage alarm detection at this time. The committee has selected a notional probability of alarms for airport baggage as 30 percent, based on field-test data.3 Any non-alarmed bag is cleared to go onto the airplane, while an alarmed bag is held for further investigation. The diagram in Figure 4-2 includes three causes for alarm—shield alarms, sheet alarms, and bulk explosive alarms. Each is treated separately. For shield alarms, the only solution at this time is to open the bag. This is because one cannot clearly preclude the potential of a sheet explosive, and an x-ray shield alarm will result in a shield alarm for many potential sheet alarm technologies (NQR or CXRS). For sheet alarms, NQR is a likely candidate alarm-resolution technology for further inspection—it has a high probability of detection for the explosive materials present in explosive sheet materials and a low probability of false alarm. If subsequent scanning by NQR produces a shield alarm, it has been shown that a simple reorientation of the bag within the system may eliminate the shield alarm. If this is not the case, the bag must be opened. Bulk explosive alarms could be resolved using the PFNA technology. Since PFNA was initially developed for the detection of explosives in cargo containers, it can inspect several bags at a time. The scenario shown in Figure 4-2 assumes that the bulk explosive CT EDS alarms are packed into an LD-34 container for inspection by PFNA. If PFNA results in a shield alarm or “opaque volume,” the LD-3 should be repacked in a less dense configuration and rescanned. In this scenario, all unresolved alarmed bags must eventually be opened. Opening a bag and finding the alarmed item, whether a real bomb or not, has been found to be surprisingly difficult. For example, when an image of a potential threat (the alarm) is 3 EDS Reporter: A Monthly Report on a Sample of Explosive Detection Systems. 2002. Security Technology Deployment Office, Washington, D.C., August. 4 The LD-3 is the most common type of unit load device for transporting cargo by air; it measures 79"W × 60.4"D × 64"H.

OCR for page 43
Fusion of Security System Data to Improve Airport Security shown on the EDS screen, the ability of the screener to follow through and actually find that same threat and remove it is low. Individual protocols may vary depending on the needs and resources of each airport. In the protocol established by the committee, however, once a bag gets to the “open bag” stage, it is wise to have a law enforcement officer present. Furthermore, opening a bag would be hazardous if a bomb inside the bag has been set to detonate when the bag is opened. A fusion system that reduced false alarms would ensure that the person opening the bag would have a higher proportion of bags to search that did contain true threats, as increasing the probability that an item contains a true signal will likely increase the probability that an operator will detect that signal. OPPORTUNITIES FOR PRE-SCREENING OF PASSENGERS The integration of the many public and federal agency databases into the passenger security screening system is critical in inhibiting the terrorist from entry onto the aircraft. This “pre-screening” of passengers allows the remaining security system components to focus the necessary resources downstream in the screening process. For instance, if the passenger pre-screening system were capable of assigning a threat “score” to an individual at the point of initial screening, the system could, at that point, deny further airport access (high score) or recommend further screening (elevated score) with a variety of screening methods next in the process. Sources of Data Many attempts have been made to pre-screen passengers on the basis of criteria other than random selection. These various schemes have had limited success owing, for example, to concerns over the privacy rights of the passengers. The lack of depth in the passenger pre-screening system, however, can put tremendous strain on the remaining components of the security system. At these junctures, the system still depends on the “human in the loop” to discover a threat, although few TSA efforts have been made to link observed behavior patterns through the entry of such behavior patterns into a centralized database. Also of note is the use of so-called psychological screening of passengers through simple questioning by police, ticket agents, security agents, and others, as practiced by El Al Israel Airlines. At least one company is already offering the technology necessary to fuse check-in data to EDS sensitivity,5 and the Israeli government is said to have used it and collected data on its performance. The TSL has identified this approach as a promising one in its strategic plan. At least two of the computed tomography systems (GE/InVision and L3) in place today can be commanded in real time to dynamically increase or decrease the sensitivity of the scan. By encoding the results of the Secure Flight passenger pre-screening (see below) onto checked-baggage tags, the bags of passengers with high threat scores could 5 See Y. Margalit. 2007. Fusion Frenzy. Available at http://www.secprodonline.com/articles/41853/. Accessed March 8, 2007.

OCR for page 43
Fusion of Security System Data to Improve Airport Security automatically be subjected to a higher sensitivity screening, while those with low scores could go through a streamlined process. Since the number of passengers selected for additional screening is expected to be low, the increased false-alarm rate associated with this higher sensitivity should not be a great hindrance to system throughput. Alternatively, several approaches have been attempted in order to identify passengers who are unlikely to present a threat to the aircraft. Two recent examples of which the committee is aware are the Registered Traveler program and Secure Flight. Registered Traveler allows a limited set of frequent fliers to provide specific data to the TSA. Secure Flight employs information already extant in the air carriers’ databases to rapidly identify passengers who are unlikely to present a threat. Privacy Issues While senior officials in the Department of Homeland Security and the TSA remain committed to the concept of using existing database information to pre-screen passengers, political considerations and operational issues have stymied even operational testing, much less implementation of expanded passenger pre-screening. The TSA does hope to test the consolidated TSA-operated “watch list” portion of the successor to the computer-assisted passenger pre-screening system, Secure Flight, this year. The “right to privacy” was not recognized in U.S. courts until 1890, following an article in the Harvard Law Review by Samuel D. Warren and Louis Brandeis that reviewed previous tort claims based on the public disclosure of private facts.6 New York State enacted a statute7 that codified this implied right. A separate aspect of this general right to privacy is the intrusion on seclusion or solitude through such means as wiretapping or high-powered binoculars. However, in all cases, it has been recognized that an individual’s expectation of privacy must be reasonable and that the right can be surrendered. In the realm of airline security, most legal scholars regard an individual’s choice to fly as tacit consent to the screening procedures used, provided that adequate notice of the screening is provided. Any individual airport security system collects and analyzes data about passengers (baggage screening, behavioral observations, passengers passing through metal detectors, and so on), which may present a trivial invasion of privacy. However, the aggregation of these data within a single system may provide more detail than most passengers would be comfortable with and may raise questions about the trade-off between personal freedoms and security. In Whalen v. Roe (1977), the Supreme Court addresses this issue as follows: We are not unaware of the threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks or other massive government files. The collection of taxes, the distribution of welfare and social security benefits, the supervision of public health, the direction of our armed forces and the enforcement of criminal laws, all require the orderly preservation of great quantities of information, much of which is personal in character and 6 John Wade, Victor Schwartz, Kathryn Kelly, and David F. Partlett. 1994. Prosser Wade and Schwartz’s Cases and Materials on Torts (9th ed.). Foundation Press, Westbury, New York. 7 New York Civil Rights Law, §§ 50-51.

OCR for page 43
Fusion of Security System Data to Improve Airport Security potentially embarrassing or harmful if disclosed. The right to collect and use such data for public purposes is typically accompanied by a concomitant statutory or regulatory duty to avoid unwarranted disclosures. We therefore need not, and do not, decide any question which might be presented by the unwarranted disclosure of accumulated private data—whether intentional or unintentional—or by a system that did not contain comparable security provisions. We simply hold that this [electronic] record does not establish an invasion of any right or liberty protected by the Fourteenth Amendment. 8 These issues have been raised in previous reports of the National Research Council—most notably, Airline Passenger Security Screening: New Technologies and Implementation Issues, which noted: “Limitations on the [deployment of new] technology will … be imposed as a result of passenger intolerance for invasion of privacy, delays, or discomfort.”9 OPPORTUNITIES IN CHECKPOINT SCREENING Checkpoints at the majority of airports today consist of stand-alone systems that have no reporting capability, either among other systems in the airport or to higher levels. Thus, there is no capability to combine or fuse the data obtained through checkpoint screening to gain the advantages of orthogonal measurements or warnings in determining whether security concern exists. Generally, the screening done at airport checkpoints occurs in two ways: through the screening of people and the screening of carry-on objects. Sources of Data Technologies currently being tested and piloted for deployment into the checkpoint environment have greater detection capabilities than those of earlier technologies. However, even these newer technologies are independent systems that neither interact with one another nor report to higher levels for data analysis. Making any connection of alarms or threats between items in carry-on baggage or items on the person is done by the human operator and requires the operator to independently match the person and the hand-carried object. Screening of Carry-on Objects and Passengers (Technology Deployed Today) The following technologies are those used to screen carry-on baggage in U.S. airports today: 8 Whalen v. Roe, 429 U.S. 589 (1977). 9 National Research Council. 1996. Airline Passenger Security Screening: New Technologies and Implementation Issues. National Academy Press, Washington, D.C.

OCR for page 43
Fusion of Security System Data to Improve Airport Security X-ray: X-ray radiography systems continue to be the primary method for detecting objects of concern in carry-on baggage. These systems provide the operator with a projected image of the bag and of objects inside, which he or she must independently interpret. With the exception of CXRS, there is no elemental analysis for explosives. Shielding (metal blocking the view of items behind the shields) can be an issue. X-ray radiography systems as currently deployed are most useful for the detection of weapons. Trace-explosives detection: Ion mobility spectrum systems are used for trace-explosive detection either randomly or if the x-ray examination has led checkpoint personnel to question an item that might be inside a carry-on bag. Trace detection is typically accomplished by collecting a sample from the surface of the carry-on bag and placing the sample in a trace-detection machine that analyzes the sample for any explosive residue. These systems are good for identifying most explosives. Visual inspection: Operators visually inspect bags and search them for potential threat objects. The following technology is used to screen passengers boarding planes in U.S. airports today: Metal detectors: The primary screening of passengers is accomplished by requiring the passenger to walk through a metal detector. The variable-sensitivity system provides an audible alarm and visible red light if metal objects are detected. If a portal’s metal detector signals an alarm, the person is normally taken to an adjoining area for further screening with a handheld metal-detection wand. None of the preceding carry-on baggage or passenger screening systems are linked in any way. Further, information regarding the results of the screening is not communicated to a higher level. Alarm responses are discrete events and are not integrated with other security information. Screening of Carry-on Objects and Passengers (New Technologies) New technologies, including differing levels of test and pilot programs in the United States, are being introduced into aviation checkpoints around the world. Highlights of the new technologies include the following: CT-based hand-carried systems: X-ray CT machines traditionally used in the checked-baggage areas at airports have been downsized for use at checkpoints. These systems provide attenuation-specific analysis, along with the capability by means of imaging, for analysis by security personnel after a machine alarm has occurred. The systems can also be operated remotely, allowing for higher throughput and reduced operating costs. These systems have potential computer capabilities for performing pattern recognition, and they have the capability to communicate with higher-level systems.

OCR for page 43
Fusion of Security System Data to Improve Airport Security Advanced technology: X-ray systems that acquire multiple views, dual energy, and/or x-ray backscatter images. Among the technologies being tested for screening passengers are the following: Trace portals: Similar in concept to trace-explosive detection systems, the trace portal system works by having the passenger walk into a portal where air jets blow onto the passenger to try to dislodge any explosive residue. Any residue is then analyzed for chemical specificity. These systems can be operated remotely. Whole-body imaging systems: Three basic kinds of technologies are used in imaging the human body: active millimeter wave, passive millimeter wave, and backscatter x-ray. All of these systems create some type of image of the person through their clothing to display threat images or information to an operator for analysis. These systems can be operated remotely and also have extensive computer capability for integration. Biometrics: Biometric systems of all types should be useful in the future, assuming that trusted-traveler programs are approved; in such programs, identity verification is important in determining the amount of screening that the person will receive. Current Systems Newer screening systems for airports are designed as system building blocks, providing the potential to integrate security systems. For example, metal detectors are being integrated with an optical imaging system—as with a zone metal detector scanning the area from the knee to the floor and being fused with the whole-body photograph system. Although much more computer-based and capable of communicating large amounts of data, these systems are not being integrated into a system hierarchy but rather are being integrated piecemeal to replace or add capability to existing methods of operation. Pilot programs, such as the General Electric Checkpoint of the Future at San Francisco International Airport, are being developed in an effort to integrate multiple technologies into a single “checkpoint system.” Other changes that could have profound impact on checkpoint operations are also worth discussion. One is the concept of the privatization of the checkpoint operation, whereby commercial companies would be responsible for equipment selection and information sharing. The second is a rebirth of trusted-traveler programs, with private companies providing memberships to people who agree to various levels of pre-screening, including background checks and biometrics or other types of recognition programs. While these “trusted” travelers have the potential to be threats, the likelihood is reduced, and such programs are currently the only method of verifying people in these areas. Private companies are moving rapidly to prepare these new technologies for deployment to checkpoints, but there appears to be little guidance regarding what will be approved for operations, who will regulate them, or how they will be regulated.

OCR for page 43
Fusion of Security System Data to Improve Airport Security OPPORTUNITIES FOR FUSION OF AIRPORT PERIMETER SURVEILLANCE SYSTEMS Airport security includes perimeter surveillance systems designed to detect intruders at a distance, such as ground surveillance radars. It also includes access-control systems designed to prevent unauthorized entry into buildings (see the following section). All of these aspects of airport security may benefit from data fusion. Data fusion for perimeter surveillance would combine the multiple detection systems designed to provide early warning and alerts regarding unauthorized access. OPPORTUNITIES FOR FUSION OF AIRPORT ACCESS-CONTROL SYSTEMS As with other technologies, access control might also be improved with the deployment of data fusion of multiple biometric devices. The airport security application of biometrics for access control requires a level of technical performance that is difficult to obtain with a single biometric device. Much research has been conducted over the past two decades regarding the uniqueness of body features, and as a result, the methods of employing biometric algorithms have matured. The use of multiple biometric measurements from independent biometric sensors typically improves technical performance and reduces risk—including an improved level of performance where not all biometric measurements are available, so that decisions can be made from any number of biometric measurements within an overall policy on accept/reject thresholds.10 Sources of Data From a theoretical point of view, biometric processes can be combined to give a guaranteed improvement in performance over that of individual biometric devices. Any number of suitably characterized biometric processes can have their decision scores combined in such a way that the multibiometric combination is guaranteed (on average) to be no worse than the best of the individual biometric devices. The key is to correctly identify the method that will combine these matching scores reliably and maximize the improvement in performance.11 Current Systems The TSA is well aware of efforts to promote the standardization of biometric data fusion. Efforts are under way to publish a technical report from the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) considering all levels of fusion, including the following: decision level (every biometric 10 International Organization for Standards. 2007. Text of Working Draft Technical Report 24722 on Multi-Modal and Other Multi-Biometric Fusion, ISO/IEC JTC 1/SC 37 N1271, p. v. 11 International Organization for Standards. 2007. Text of Working Draft Technical Report 24722 on Multi-Modal and Other Multi-Biometric Fusion, ISO/IEC JTC 1/SC 37 N1271, p. 11.

OCR for page 43
Fusion of Security System Data to Improve Airport Security process generates a Boolean result), score level (every biometric process generates either a match score or multiple scores that are fused into a single score), feature level (every biometric process generates features that are then fused into a single set or vector), and sample level (every biometric process results in a collection of samples that are fused into a single sample). The ISO/IEC report also considers multibiometric systems for different scenarios, including verification, positive identification, and negative identification.12 If the airport access control biometric data fusion projects planned by the TSA follow the guidelines as outlined in the ISO/IEC biometric fusion technical report, the Transportation Security Laboratory (TSL) would benefit from this formal systems engineering approach and could serve as a good example to other TSA programs. The committee’s review of the opportunities for employing data fusion for current airport operations led to the following finding and recommendation: Finding: Most of the detection systems now fielded in U.S. airports were built without regard for the need for data fusion or data integration among systems. Many manufacturers are attempting to create systems that not only fuse data, but also link information about passengers and baggage. However, there is little direction from the TSA with respect to the establishment of standards or requirements. Recommendation 3: The TSA should work (that is, contract) with the leading integrators and manufacturers to form a representative working body and require it to develop initial strategies and standards for the integration of airport security, checkpoints, checked-baggage screening, and access control, including legacy systems. HUMAN SENSORS Not all data used in data fusion need to come from instruments. In the DOD applications, data also come from human intelligence and may be fused successfully with instrumentation data. An example of the use of human intelligence is the apprehension of Ahmed Ressam in a car carrying explosives to bomb Los Angeles International Airport for the so-called millennium plot. He was stopped by a border guard at Port Angeles, Washington: Upon noticing that he appeared nervous, customs officers inspected him more closely and asked for further identification. Ressam panicked and attempted to flee. Customs officials then found nitroglycerin and four timing devices concealed in a spare tire well of his automobile.13 Another example is the methods reportedly used by Israeli security forces and now widely used to train Western law enforcement agencies. These methods attempt to stop terrorists before they can act by targeting “the bomber not the bomb.” 12 International Organization for Standards. 2007. Text of Working Draft Technical Report 24722 on Multi-Modal and Other Multi-Biometric Fusion, ISO/IEC JTC 1/SC 37 N1271. 13 “Ahmed Ressam.” Available at http://en.wikipedia.org/wiki/Ahmed_Ressam. Accessed March 12, 2007.

OCR for page 43
Fusion of Security System Data to Improve Airport Security For both of the above approaches there are well-documented reports of success in individual incidents, but sparse data exist on the traditional measures of probability of detection and probability of false alarm. However, a data source such as a human observer can contribute to overall systems effectiveness if the source is (1) better than a chance level of hits and false alarms and (2) correctly fused with other data from independent, preferably orthogonal, sources. Human observation could be fused with instrument data by, for example, providing a number of observers, even security personnel performing other tasks, with the ability to raise concerns about a passenger by entering a code into the system where it could be processed for fusion. For example, the checkpoint person assisting passengers through the metal detector (or its replacement) might observe unusual behavior (such as holding one’s hands over a body part) or abnormal nervousness about the security process. Entering these observed data into a fusion system might not itself trigger an alarm, but it could do so if combined with other subcritical data. The passenger might have been “almost” selected by the Secure Flight system or his or her checked bag might have alarmed but then been cleared. None of these events alone would cause an alarm, but a suitable fusion system would be able to combine the data leading to a fusion alarm without a high penalty in false alarms. In terms of the allocation of function, humans are much better than automated systems at detecting hard-to-specify but salient events. Computer-based systems without human oversight are better at detecting easy-to-specify events, such as the presence of a substance with a particular density or an atomic number in a particular shape. The advantage of providing human intelligence inputs into a data fusion system is that both humans and instruments play to their respective and complementary strengths so as to allow greater potential for the detection of terrorist events. Adding data input tasks to the existing tasks of security personnel must be done carefully. As with all changes involving human operators, careful task analysis and human-computer interaction design are required to ensure that performance on all tasks, old and new, is achieved at the highest level. A human-based fusion system would need to consider how to display to the human decision maker the importance of each source of data: a machine-based fusion system would need to parse text input to allow fusion. As with any other input into a data fusion system, human inputs need to meet data registration and data integrity requirements. Chapter 2 defines these further as spatial and temporal registration, plus confidence intervals to indicate data uncertainty. The design of either human or machine-based fusion systems is not simple, but any such fusion system will perform better given valid input from human sensors. Finding: Data fusion would enhance security system effectiveness if it were to combine inputs from security personnel with data from detection systems into a unified situational awareness system. Recommendation 4: The TSA should develop formal data-entry mechanisms for security personnel that will enable the combination of human observational data with security system data. These mechanisms should be designed so as to maintain performance on existing tasks.

OCR for page 43
Fusion of Security System Data to Improve Airport Security AIRPORT-WIDE DATA FUSION MODELS In addition to the fusion of data within each airport security system, data fusion can occur on an airport-wide level, as illustrated in Figure 4-3. In this model of data fusion, each piece of data is fed to the next level of screening in order to ensure that security personnel have the best idea of an individual’s or an item’s threat potential for the entire time that the individual or item is present at the airport and, in some cases, even prior to arrival on airport grounds. FIGURE 4-3 Data can be fed to later checkpoints to achieve an airport-wide model of data fusion. IMPLEMENTATION CONSIDERATIONS As discussed in Chapter 2, poorly implemented data fusion will provide no significant improvements. For example, a simple decision-data fusion system using OR logic actually performed worse than the individual security systems. As discussed in Chapter 3, there are many examples of failed attempts at data fusion. Many of these failures resulted from an attempt to directly export systems from laboratory testing into

OCR for page 43
Fusion of Security System Data to Improve Airport Security field use. To alleviate these problems, the committee recommends the use of a systems engineering approach to implement data fusion projects more effectively. Finding: The implementation of data fusion based only on laboratory testing is a high-risk strategy. Operational testing conducted as a subset of certification testing is required to ensure data fusion system effectiveness. In addition to a systems engineering approach to data fusion, the successful use of this technology in transportation security will require a modular approach. An approach to maximizing the probability of success from data fusion implementations is to use a staged deployment strategy. The TSA has not yet been required by Congress to formally establish an operational testing program analogous to that required of the DOD and the military departments. This approach would implement fusion through a series of staged fusion modules. For example, the opportunities in checked-baggage screening could be modularized through the combination of data from an x-ray CT EDS with an alarm-resolution system based on nuclear quadrupole resonance and pulsed fast neutron analysis, discussed in detail earlier in this chapter. This could be implemented through a series of staged deployments in an operational testbed as designated by the TSA and/or at selected airports and tested, calibrated, and improved before broader deployment is attempted. In the same fashion, checkpoint systems fusing trace, magnetometer, video, and human observations could be implemented, tested, calibrated, and improved in single airports before broader deployments. Recommendation 5: The TSA should implement any data fusion systems through a series of staged deployments at an operational testbed as designated by the TSA and/or at selected airports. The experience from these early staging events can then be incorporated and used in the data fusion systems rolled out in later implementations.