AntiCrime AntiTerror

1
Comprehensive Intelligence Analysis and Alert
System (CIAAS)
2
Characteristics

• Intelligence analysis is based on existing
  knowledge and gathered experience

• Continuously expanded and updated by a massive
  flow of diverse new information

3
Sources of Information
Sigint
Comint
Humint
4
The Problems

• Too many holes in the cheese - needs powerful
  inferencing
• Event information comes in randomly
• Uncertainty imposes multiple scenarios
• Speed of analysis is critical

5
Human Analysts
They carry most of the burden
Limitations

• Inflation of information
• Combining many disciplines
• Limited memory and attention span
• Long duration of analysis
• Experience goes with the person

How to support with a computerized system ?
6
Human Analysts
They carry most of the burden
Limitations
7
Requirements

• Effectively integrate knowledge and information
  from diverse sources
• Continuously accumulate knowledge
• Provide automatic alerts
• Provide answers to the analysts' queries
• Construct different threat scenarios

8
The Approach

• Take some of the burden off analysts
• By emulating the analyst in an automated process
  
• Use existing knowledge to analyze incoming
  information and update/augment the knowledge

9
Challenges

• Cannot know in advance which information will
  arrive, in what order, and what will be its
  meaning
• The entire existing knowledge should be brought
  to bear in the analysis
• The analysis may generate several different
  scenarios
• Requires coherent integration of diversified
  computing disciplines, typically implemented
  using different technologies

10
eCognition - Active Knowledge Network Technology

• New software paradigm
• The system handles complex tasks, by distributed
  cooperation among simple pieces of structure

Note Actual GUI
11
eCognition - Emulating the Cognitive Model
The information is fed into the system
12
Extract Knowledge in Diversified Forms
Free text
Timing frequency analysis
Unified Knowledge System
Qualitative, quantitative
Experiential
Databases
Tupai's Data Mining
13
Use It For Diversified Purposes
Simulations, Forecasting, analysis
Intelligent Decision Support
Multi-purpose virtual reasoning machine
Intelligent Knowledge Discovery
Forensic accounting Contact analysis
14
Integrate Knowledge Domains
Infrastructure
Integrated, holistic
Finance
Operations
15
Diversified Disciplines
Aggregates new pieces of information to existing
knowledge
Automatically draws inferences
Integrates information from diverse sources and
formats
Performs Analysis (including temporal)
Inherent simulation capabilities
16
Diversified Interfaces

• Queries
• Charts
• Reports
• Lists
• Linkages
• Alerts

17
Advantages

• Unmatched -
• Complexity handling
• Responsiveness
• Usability
• Extensibility
• Flexibility/Maintainability

18
Solution The Concept
19
Humint
Humint
Events Database
Sigint
Events generator
Sources
Visint
Bank Transactions
Government Database

Other

• Profiles
• Organizations
• Individuals

20
Example Crime Analysis Automation
21
The Scene
Criminals skills (bomb-maker, murderer, driver,
etc.), membership and role in gangs (planner,
driver, boss, muscle, etc.), home base, jail
time Gangs members, roles Potential targets
people/institutions/businesses, their
locations Knowledge and experience how all
these interact both explicit (people) and
experiential (past events) New pieces of
Information are arriving
22
New Information
- Palermo, 4/4/03 "Corradi arrested Don
Marcello" (Public Information)
Text understanding / NLP

• Understand message
• Corradi is chief detective of Palermo police
• Don Marcello is the boss of the Marcello gang
• The Marcello gang is vindictive
• Expect reprisal against Palermo police

External data access
External data access
Data Mining / prior knowledge
Reasoning, alerts
23
New Information

• Palermo, 4/4/03 "Corradi arrested Don Marcello"
  (Public Information)
• Palermo, 5/5/03 "Bolivar seen in Particino"
  (Police Intelligence)

• Understand message
• Bolivar is a member of the Marcello gang
• Bolivar is a Planner and a Negotiator
• The Marcello territory is Palermo
• Negotiators go outside territory to find skills
  gang members don't possess
• Bomb-making is a skill the Marcello gang members
  don't possess, and Particino based criminals do
• Perugia is a Particino based Bomb Maker
• Criminals served time together are likely to work
  together
• Perugia and Bolivar served time together
• The Marcello gang reprisal to Don Marcello's
  arrest could be a bomb attack
• Bolivar could be planning a bomb attack on
  Palermo Police

24
New Information

• Palermo, 4/4/03 "Corradi arrested Don Marcello"
  (Public Information)
• Palermo, 5/5/03 "Bolivar seen in Particino"
  (Police Intelligence)
• Roma, 5/5/03 "Fabrizzi is sentencing Don
  Marcello on 29th in Palermo courthouse" (Public
  Information)
• Palermo, 7/5/03 "Something will happen in
  Palermo this month" (Criminal Intelligence)

• Expect reprisal against Palermo police possibly
  a bomb attack
• Expect reprisal against Judge Fabrizzi - possibly
  Assault, Murder or a Bomb attack

25
New Information

• Palermo, 4/4/03 "Corradi arrested Don Marcello"
  (Public Information)
• Palermo, 5/5/03 "Bolivar seen in Particino"
  (Police Intelligence)
• Roma, 5/5/03 "Fabrizzi is sentencing Don
  Marcello on 29th in Palermo courthouse" (Public
  Information)
• Palermo, 7/5/03 "Something will happen in
  Palermo this month" (Police Intelligence)

• What if we detain Perugia?
• Threat of bomb attack reduced, but not gone
  there are other bomb makers Marcello negotiators
  know, etc
• What if we detain Perugia and Bolivar?

26
The Demo

• System contains prior knowledge
• Free-text messages are read in to create events
• Events are connected by logic, triggering
  reasoning, alerts, generation of additional
  events, etc.
• Combines
• Free Text Understanding
• Reasoning
• Data Mining
• Linkage to external resources

27
Searching In an Ocean of Information
The problem is dynamic in many dimensions -
protagonists, communication channels, locations,
types of threat.... So is the active structure
used to continuously track and analyze it......
28
Some Details

• Data Mining
• Information Extraction
• Risk Analysis

29
Data Mining
Administrator The miner can be run manually or
automatically, and several databases can be
joined together during the mining.
Phone Records
The Data Miner, together with probable gang
structure, is used on the records to generate
call patterns
30
Using Probabilities
Administrator Deriving call patterns over time
allows us to detect changes in activity - trouble
is, communication activity might increase or
decrease when something is up and we need to have
figured that out from previous incidents.
We can use probability distributions and
correlations on contacts - who instigated it,
probable use from how long the call lasted
31
Administrator Businesses arent static, so it
can be quite hard to see what is happening just
from statements or spreadsheets, particularly
when there may be several seasonal cycles
-monthly, yearly -at work
Time Series Analysis
Transaction records are turned into a time-based
view of the business.
32
Reversing the Use
Time Series Analysis is usually used to find the
normal operation of a cyclic business by
eliminating the extraordinary events. Here we
are using it to find the extraordinary events
that may be hidden away in normal business
operations.
33
Administrator Some idea of the sort of business
is required - construction, tourism, retail
How It Works
A smoothly operating business is extracted from
the time-based view, leaving the extraordinary
events
34
Risk Analysis based on Coincidence of Real and
Potential Events
Don Marcello arrested Bolivar seen in Teracino
35
Risk Analysis Model
Real events spawn hypothetical events which
spawn... The logical and time interaction of
these event chains determines the risk of a
catastrophic event
36
Events Colliding
The red and blue indicate criminal and police
events. Criminal humint says something will
happen, so we assume something bad. The
importance of handling time intervals such as
this month or next week should be emphasised.
The system handles alternatives for people,
places, times, actions - so it can easily see
where events may collide.