Comprehensive Intelligence Analysis and Alert System (CIAAS)

Intelligence analysis is based on existing knowledge and gathered experience. Characteristics: Continuously expanded and updated by a massive flow of diverse new information. Information: data, details, messages. Knowledge: information plus "meaning" (relations between pieces of information).

Sources of Information: Bank transactions; Intelligence databases; Public domain information; Government databases; Internet; Comint; Sigint; Humint

The Problems: Too many holes in the cheese - needs powerful inferencing; Event information comes in randomly; Uncertainty imposes multiple scenarios; Speed of analysis is critical

Human Analysts: They carry most of the burden. Limitations: Inflation of information; Combining many disciplines; Limited memory and attention span; Long duration of analysis; Experience goes with the person. How to support with a computerized system?

Requirements: Effectively integrate knowledge and information from diverse sources; Continuously accumulate knowledge; Provide automatic alerts; Provide answers to the analysts' queries; Construct different threat scenarios

The Approach: Take some of the burden off analysts by emulating the analyst in an automated process: use existing knowledge to analyze incoming information and update/augment the knowledge

Challenges: Cannot know in advance which information will arrive, in what order, and what its meaning will be; The entire existing knowledge should be brought to bear in the analysis; The analysis may generate several different scenarios; Requires coherent integration of diversified computing disciplines, typically implemented using different technologies

eCognition™ - Active Knowledge Network Technology: New software paradigm. The system handles complex tasks by distributed cooperation among simple pieces of structure. (Note: Actual GUI)

eCognition™ - Emulating the Cognitive Model: The information is fed into the system (Active Knowledge System): React; Analyze; Support decision

Extract Knowledge in Diversified Forms (Tupai's Data Mining): Qualitative, quantitative; Timing & frequency analysis; Databases; Experiential; Free text. Unified Knowledge System

Use It For Diversified Purposes: Multi-purpose virtual reasoning machine. Intelligent Decision Support; Intelligent Knowledge Discovery; Forensic accounting; Contact analysis; Simulations, Forecasting, analysis

Integrate Knowledge Domains: Infrastructure; Finance; Operations. Integrated, holistic

Diversified Disciplines: Modeling; Data miner; Analyzer; Simulator; Network inferencing. Inherent simulation capabilities. Aggregates new pieces of information to existing knowledge; Automatically draws inferences; Integrates information from diverse sources and formats; Performs analysis (including temporal)

Diversified Interfaces: Queries; Charts; Reports; Lists; Linkages; Alerts

Advantages: Unmatched - Complexity handling; Responsiveness; Usability; Extensibility; Flexibility/Maintainability

Solution – The Concept

Diagram labels: Profiles (Organizations, Individuals); Events Database; Events generator; Linkages; sources: Humint, Sigint, Visint, Bank Transactions, Government Database, Other Sources; operations: Feed, Ask, Check, Simulate. Events: Meeting (What, Who, Where, When, Frequency); Travel (Who, How, Where, When, Length); Phone call (Who, When, Length, Content, Frequency); Delivery (Who, When, How, Size, What, Frequent, Payment); Crime (What, When, Where, Who, How); Other (What, Who, When, Where)

Example – Crime Analysis Automation

The Scene: Criminals - skills (bomb-maker, murderer, driver, etc.), membership and role in gangs (planner, driver, boss, muscle, etc.), home base, jail time; Gangs - members, roles; Potential targets - people/institutions/businesses, their locations; Knowledge and experience - how all these interact - both explicit (people) and experiential (past events). New pieces of information are arriving …

New Information - Palermo, 4/4/03: "Corradi arrested Don Marcello" (Public Information). Inference chain: Understand message; Corradi is chief detective of Palermo police; Don Marcello is the boss of the Marcello gang; The Marcello gang is vindictive; Expect reprisal against Palermo police. Disciplines used: Text understanding / NLP; External data access; Data Mining / prior knowledge; Reasoning, alerts

New Information - Palermo, 4/4/03: "Corradi arrested Don Marcello" (Public Information) - Palermo, 5/5/03: "Bolivar seen in Particino" (Police Intelligence). Inference chain: Understand message; Bolivar is a member of the Marcello gang; Bolivar is a Planner and a Negotiator; The Marcello territory is Palermo; Negotiators go outside territory to find skills gang members don't possess; Bomb-making is a skill the Marcello gang members don't possess, and Particino based criminals do; Perugia is a Particino based Bomb Maker; Criminals who served time together are likely to work together; Perugia and Bolivar served time together; The Marcello gang reprisal to Don Marcello's arrest could be a bomb attack; Bolivar could be planning a bomb attack on Palermo Police. Disciplines used: Text understanding / NLP; External data access; Prior knowledge / data mining; Reasoning, alerts

New Information - Palermo, 4/4/03: "Corradi arrested Don Marcello" (Public Information) - Palermo, 5/5/03: "Bolivar seen in Particino" (Police Intelligence) - Roma, 5/5/03: "Fabrizzi is sentencing Don Marcello on 29th in Palermo courthouse" (Public Information) - Palermo, 7/5/03: "Something will happen in Palermo this month" (Criminal Intelligence) … … Alerts: Expect reprisal against Palermo police - possibly a bomb attack; Expect reprisal against Judge Fabrizzi - possibly Assault, Murder or a Bomb attack. Temporal Analysis, TSA (all analysis is time sensitive)

New Information - Palermo, 4/4/03: "Corradi arrested Don Marcello" (Public Information) - Palermo, 5/5/03: "Bolivar seen in Particino" (Police Intelligence) - Roma, 5/5/03: "Fabrizzi is sentencing Don Marcello on 29th in Palermo courthouse" (Public Information) - Palermo, 7/5/03: "Something will happen in Palermo this month" (Police Intelligence). What if we detain Perugia? Threat of bomb attack reduced, but not gone - there are other bomb makers Marcello negotiators know, etc… What if we detain Perugia and Bolivar? Reasoning, Simulation

The Demo: System contains prior knowledge; Free-text messages are read in to create events; Events are connected by logic, triggering reasoning, alerts, generation of additional events, etc. Combines: Free Text Understanding; Reasoning; Data Mining; Linkage to external resources

Searching In an Ocean of Information: The problem is dynamic in many dimensions - protagonists, communication channels, locations, types of threat.... So is the active structure used to continuously track and analyze it

Some Details: Data Mining; Information Extraction; Risk Analysis

Data Mining Phone Records: The Data Miner, together with probable gang structure, is used on the records to generate call patterns. Administrator: The miner can be run manually or automatically, and several databases can be joined together during the mining.

Using Probabilities: We can use probability distributions and correlations on contacts - who instigated it, probable use from how long the call lasted. Administrator: Deriving call patterns over time allows us to detect changes in activity - trouble is, communication activity might increase or decrease when something is up and we need to have figured that out from previous incidents.

Time Series Analysis: Transaction records are turned into a time-based view of the business. Administrator: Businesses aren't static, so it can be quite hard to see what is happening just from statements or spreadsheets, particularly when there may be several seasonal cycles - monthly, yearly - at work.

Reversing the Use: Time Series Analysis is usually used to find the normal operation of a cyclic business by eliminating the extraordinary events. Here we are using it to find the extraordinary events that may be hidden away in normal business operations.

How It Works: A smoothly operating business is extracted from the time-based view, leaving the extraordinary events. Administrator: Some idea of the sort of business is required - construction, tourism, retail.
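
A sketch of the reversed time series analysis described above, added here as an illustration and not taken from the presentation or from eCognition. It assumes a single known cycle length; the monthly totals, the function name and the threshold are constructed for the example.

```python
from statistics import median

def extraordinary_events(series, period, k=5.0):
    """Flag points the cyclic 'smooth business' baseline cannot explain.

    Returns a list of (index, value, residual) tuples.
    """
    if period < 1 or len(series) < 2 * period:
        raise ValueError("need at least two full cycles to learn the baseline")
    # Baseline: median of all observations at the same phase of the cycle
    # (for monthly data with period 12, every February together, and so on).
    # A median is used so one unusual year does not distort the baseline.
    baseline = [median(series[p::period]) for p in range(period)]
    # What is left after the smooth business is taken out.
    residuals = [v - baseline[i % period] for i, v in enumerate(series)]
    # Robust spread of the residuals: median absolute deviation, scaled so
    # it is comparable to a standard deviation for normal noise.
    centre = median(residuals)
    scale = 1.4826 * median(abs(r - centre) for r in residuals)
    return [
        (i, series[i], r)
        for i, r in enumerate(residuals)
        if abs(r - centre) > k * scale
    ]

# Constructed sample: four years of monthly totals for a seasonal business
# (summer peak), with small deterministic noise.
BASE = [100, 90, 95, 110, 130, 160, 200, 210, 150, 120, 105, 140]
SERIES = [BASE[m] + (7 * y + 3 * m) % 5 - 2 for y in range(4) for m in range(12)]
# One extra payment of 70 in February of the third year. The total (160)
# stays well below the normal summer peak, so a plain "largest values"
# check would not surface it.
SERIES[25] += 70

if __name__ == "__main__":
    for index, value, residual in extraordinary_events(SERIES, period=12):
        print(f"month {index}: total {value}, {residual:+.1f} against baseline")
```

The per-phase median needs some idea of the cycle length up front, which matches the note that the sort of business has to be known.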

Risk Analysis based on Coincidence of Real and Potential Events: "Don Marcello arrested"; "Bolivar seen in Teracino"

Risk Analysis Model: Real events spawn hypothetical events which spawn... The logical and time interaction of these event chains determines the risk of a catastrophic event

Events Colliding: Something (bad) in Palermo this month; Fabrizzi will sentence Don Marcello on 29th; Bolivar sighted in Teracino; Don Marcello arrested; Don Marcello incarcerated; Possible reprisals. Use database of possible Teracino contacts and skills to produce: Bomb may be under construction (hypothetical event connected to Marcello gang - alert effective for 3 months). The red and blue indicate criminal and police events. Criminal humint says "something will happen", so we assume something bad. The importance of handling time intervals such as "this month" or "next week" should be emphasised. The system handles alternatives for people, places, times, actions - so it can easily see where events may collide.
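
The time-interval handling described on this slide, as an added example that is not part of the presentation or of the system it describes. It covers only the time dimension; the function names are hypothetical, and the report dates are read as day/month/year, which is an assumption.

```python
import calendar
import re
from datetime import date, timedelta
from itertools import combinations

def add_months(d, n):
    """Shift a date by n months, clamping the day to the target month's length."""
    y, m = divmod(d.month - 1 + n, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

def window(expr, reported):
    """Resolve a vague time expression to an inclusive (start, end) pair of
    dates, relative to the date the message was reported."""
    expr = expr.lower().strip()
    if expr == "this month":
        last = calendar.monthrange(reported.year, reported.month)[1]
        return reported.replace(day=1), reported.replace(day=last)
    if expr == "next week":  # Monday to Sunday of the following week
        monday = reported + timedelta(days=7 - reported.weekday())
        return monday, monday + timedelta(days=6)
    m = re.fullmatch(r"on (\d{1,2})(?:st|nd|rd|th)", expr)
    if m:  # a day of the reporting month
        day = reported.replace(day=int(m.group(1)))
        return day, day
    m = re.fullmatch(r"for (\d+) months", expr)
    if m:  # validity period of an alert
        return reported, add_months(reported, int(m.group(1)))
    raise ValueError(f"unsupported time expression: {expr!r}")

def collisions(events):
    """Return (label_a, label_b, start, end) for every pair of events whose
    time windows overlap; start..end is the shared interval."""
    hits = []
    for (la, (sa, ea)), (lb, (sb, eb)) in combinations(events, 2):
        start, end = max(sa, sb), min(ea, eb)
        if start <= end:
            hits.append((la, lb, start, end))
    return hits

# Constructed from the slide text; dates read as day/month/year (assumption).
EVENTS = [
    ("something bad in Palermo", window("this month", date(2003, 5, 7))),
    ("Don Marcello sentenced", window("on 29th", date(2003, 5, 5))),
    ("bomb may be under construction", window("for 3 months", date(2003, 5, 5))),
]
```

All three windows share 29 May 2003, the day the real and hypothetical event chains coincide.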