Anti-Crime and Anti-Terror Presentation


Comprehensive Intelligence Analysis and Alert System (CIAAS)
Characteristics
• Intelligence analysis is based on existing knowledge and gathered experience
• Continuously expanded and updated by a massive flow of diverse new information
Information: data, details, messages
Knowledge: information plus "meaning" – relations between pieces of information
Sources of Information
• Internet
• Bank Transactions
• Humint
• Public domain information
• Sigint
• Government data bases
• Intelligence data bases
• Comint
The Problems
• Too many holes in the cheese - needs powerful inferencing
• Event information comes in randomly
• Uncertainty imposes multiple scenarios
• Speed of analysis is critical
Human Analysts
They carry most of the burden
Limitations…
• Inflation of information
• Combining many disciplines
• Limited memory and attention span
• Long duration of analysis
• Experience goes with the person
How to support with a computerized system?
Requirements
• Effectively integrate knowledge and information from diverse sources
• Continuously accumulate knowledge
• Provide automatic alerts
• Provide answers to the analysts' queries
• Construct different threat scenarios
The Approach
• Take some of the burden off analysts…
• By emulating the analyst in an automated process –
• Use existing knowledge to analyze incoming information and update/augment the knowledge
Challenges
• Cannot know in advance which information will arrive, in what order, and what will be its meaning
• The entire existing knowledge should be brought to bear in the analysis
• The analysis may generate several different scenarios
• Requires coherent integration of diversified computing disciplines, typically implemented using different technologies
eCognition™ Active Knowledge Network Technology
• New software paradigm
• The system handles complex tasks by distributed cooperation among simple pieces of structure
Note: Actual GUI
eCognition™ - Emulating the Cognitive Model
The information is fed into the system
• React
• Analyze
• Support decision
Active Knowledge System
Extract Knowledge in Diversified Forms
• Free text
• Timing & frequency analysis
• Unified Knowledge System
• Qualitative, quantitative
• Experiential
• Tupai's
• Data Mining
• Databases
Use It For Diversified Purposes
• Simulations, Forecasting, analysis
• Intelligent Decision Support
• Multi-purpose virtual reasoning machine
• Intelligent Knowledge Discovery
• Forensic accounting
• Contact analysis
Integrate Knowledge Domains
• Infrastructure
• Integrated, holistic
• Finance
• Operations
Diversified Disciplines
• Modeling: Aggregates new pieces of information to existing knowledge
• Network inferencing: Automatically draws inferences
• Data miner: Integrates information from diverse sources and formats
• Analyzer: Performs Analysis (including temporal)
• Simulator: Inherent simulation capabilities
Diversified Interfaces
• Queries
• Charts
• Reports
• Lists
• Linkages
• Alerts
Advantages
Unmatched -
• Complexity handling
• Responsiveness
• Usability
• Extensibility
• Flexibility/Maintainability
Solution – The Concept
Sources: Humint, Sigint, Visint, Bank Transactions, Government Database, Other
Events generator
Events Database
Events:
• Meeting (What, Who, Where, When, Frequency)
• Travel (Who, How, Where, When, Length)
• Phone call (Who, When, Length, Content, Frequency)
• Delivery (Who, When, How, Size, What, Frequent, Payment)
• Crime (What, When, Where, Who, How)
• Other (What, Who, When, Where)
• Feed
• Ask
• Check
• Simulate
• Linkages
Profiles
• Organizations
• Individuals
Example – Crime Analysis Automation
The Scene
Criminals – skills (bomb-maker, murderer, driver, etc.), membership and role in gangs (planner, driver, boss, muscle, etc.), home base, jail time
Gangs – members, roles
Potential targets – people/institutions/businesses, their locations
Knowledge and experience – how all these interact – both explicit (people) and experiential (past events)
New pieces of Information are arriving…
New Information
- Palermo, 4/4/03: "Corradi arrested Don Marcello" (Public Information)
• Understand message [Text understanding / NLP]
• Corradi is chief detective of Palermo police [External data access]
• Don Marcello is the boss of the Marcello gang [External data access]
• The Marcello gang is vindictive [Data Mining / prior knowledge]
• Expect reprisal against Palermo police [Reasoning, alerts]
New Information
- Palermo, 4/4/03: "Corradi arrested Don Marcello" (Public Information)
- Palermo, 5/5/03: "Bolivar seen in Particino" (Police Intelligence)
• Understand message [Text understanding / NLP]
• Bolivar is a member of the Marcello gang [External data access]
• Bolivar is a Planner and a Negotiator [External data access]
• The Marcello territory is Palermo [External data access]
• Negotiators go outside territory to find skills gang members don't possess [Prior knowledge / data mining]
• Bomb-making is a skill the Marcello gang members don't possess, and Particino based criminals do [External data access]
• Perugia is a Particino based Bomb Maker [External data access]
• Criminals served time together are likely to work together [Prior knowledge / data mining]
• Perugia and Bolivar served time together [External data access]
• The Marcello gang reprisal to Don Marcello's arrest could be a bomb attack [Prior knowledge / data mining]
• Bolivar could be planning a bomb attack on Palermo Police [Reasoning, alerts]
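
The chain of inferences on this slide, written out as an added example (not code from the presented system): a small forward-chaining engine over constructed fact tuples. The predicate names and the rule encoding are assumptions, and the outside-territory condition is simplified to matching where the negotiator was seen against where the skilled contact is based.

```python
# Constructed facts from the slide's bullets; predicate names are assumptions.
FACTS = {
    ("boss_of", "Don Marcello", "Marcello gang"), ("vindictive", "Marcello gang"),
    ("arrested_in", "Don Marcello", "Palermo"),
    ("member_of", "Bolivar", "Marcello gang"), ("role", "Bolivar", "negotiator"),
    ("seen_in", "Bolivar", "Particino"),
    ("lacks_skill", "Marcello gang", "bomb-making"),
    ("skill", "Perugia", "bomb-making"), ("based_in", "Perugia", "Particino"),
    ("served_time_with", "Perugia", "Bolivar"),
}
# Rules as (premises, conclusion); terms starting with "?" are variables.
RULES = [
    ([("boss_of", "?b", "?g"), ("arrested_in", "?b", "?c"), ("vindictive", "?g")],
     ("reprisal_expected", "?g", "?c")),
    ([("member_of", "?n", "?g"), ("role", "?n", "negotiator"), ("seen_in", "?n", "?p"),
      ("lacks_skill", "?g", "?s"), ("skill", "?m", "?s"), ("based_in", "?m", "?p"),
      ("served_time_with", "?m", "?n")],
     ("likely_working_with", "?n", "?m", "?s")),
    ([("reprisal_expected", "?g", "?c"), ("member_of", "?n", "?g"),
      ("likely_working_with", "?n", "?m", "?s")],
     ("alert", "?n", "?s", "?c")),
]

def solve(premises, facts, env):
    """Yield each variable binding that satisfies all premises against facts."""
    if not premises:
        yield env
        return
    first, rest = premises[0], premises[1:]
    for fact in facts:
        if len(fact) != len(first):
            continue
        new = dict(env)  # bindings tried for this fact only
        if all(new.setdefault(p, f) == f if p.startswith("?") else p == f
               for p, f in zip(first, fact)):
            yield from solve(rest, facts, new)

def forward_chain(facts, rules):
    """Apply the rules to a fixpoint; return only the newly derived facts."""
    known = set(facts)
    while True:
        new = {tuple(env.get(t, t) for t in concl)
               for prem, concl in rules for env in solve(prem, known, {})} - known
        if not new:
            return known - set(facts)
        known |= new

if __name__ == "__main__":
    print(sorted(forward_chain(FACTS, RULES)))
```

Re-running `forward_chain` on the fact set with every Perugia tuple removed keeps the reprisal expectation but no longer derives the alert, because no other bomb maker is in these constructed facts.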
New Information
- Palermo, 4/4/03: "Corradi arrested Don Marcello" (Public Information)
- Palermo, 5/5/03: "Bolivar seen in Particino" (Police Intelligence)
- Roma, 5/5/03: "Fabrizzi is sentencing Don Marcello on 29th in Palermo courthouse" (Public Information)
- Palermo, 7/5/03: "Something will happen in Palermo this month" (Criminal Intelligence)
• …
• …
• Expect reprisal against Palermo police – possibly a bomb attack
• Expect reprisal against Judge Fabrizzi - possibly Assault, Murder or a Bomb attack
Temporal Analysis, TSA (all analysis is time sensitive)
New Information
- Palermo, 4/4/03: "Corradi arrested Don Marcello" (Public Information)
- Palermo, 5/5/03: "Bolivar seen in Particino" (Police Intelligence)
- Roma, 5/5/03: "Fabrizzi is sentencing Don Marcello on 29th in Palermo courthouse" (Public Information)
- Palermo, 7/5/03: "Something will happen in Palermo this month" (Police Intelligence)
• What if we detain Perugia? [Reasoning, Simulation]
• Threat of bomb attack reduced, but not gone – there are other bomb makers Marcello negotiators know, etc…
• What if we detain Perugia and Bolivar? [Reasoning, Simulation]
The Demo
• System contains prior knowledge
• Free-text messages are read in to create events
• Events are connected by logic, triggering reasoning, alerts, generation of additional events, etc.
• Combines
  • Free Text Understanding
  • Reasoning
  • Data Mining
  • Linkage to external resources
Searching In an Ocean of Information
The problem is dynamic in many dimensions - protagonists, communication channels, locations, types of threat...
So is the active structure used to continuously track and analyze it...
Some Details
• Data Mining
• Information Extraction
• Risk Analysis
Administrator: The miner can be run manually or automatically, and several databases can be joined together during the mining.
Data Mining
Phone Records
The Data Miner, together with probable gang structure, is used on the records to generate call patterns
Administrator: Deriving call patterns over time allows us to detect changes in activity - trouble is, communication activity might increase or decrease when something is up and we need to have figured that out from previous incidents.
Using Probabilities
We can use probability distributions and correlations on contacts - who instigated it, probable use from how long the call lasted
Administrator: Businesses aren’t static, so it can be quite hard to see what is happening just from statements or spreadsheets, particularly when there may be several seasonal cycles - monthly, yearly - at work
Time Series Analysis
Transaction records are turned into a time-based view of the business.
Reversing the Use
Time Series Analysis is usually used to find the normal operation of a cyclic business by eliminating the extraordinary events.
Here we are using it to find the extraordinary events that may be hidden away in normal business operations.
Administrator: Some idea of the sort of business is required - construction, tourism, retail
How It Works
A smoothly operating business is extracted from the time-based view, leaving the extraordinary events
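
The "reversed" use of time series analysis described above, as an added example (not code from the presented system): transactions are summed into daily totals, a regular monthly cycle is subtracted, and only the days that stand out from what remains are reported. Modelling the cycle as the median total per day-of-month, the threshold `k`, and the constructed ledger are all assumptions.

```python
from collections import defaultdict
from datetime import date
from statistics import median

def extraordinary_events(transactions, k=6.0):
    """Return [(day, residual)] for days whose total departs from the monthly cycle.

    transactions: iterable of (date, amount). The "smoothly operating business"
    is modelled as the median total for each day-of-month (an assumption; the
    page does not say which decomposition its system uses).
    """
    daily = defaultdict(float)
    for day, amount in transactions:            # time-based view: one total per day
        daily[day] += amount
    by_dom = defaultdict(list)
    for day, total in daily.items():
        by_dom[day.day].append(total)
    profile = {dom: median(v) for dom, v in by_dom.items()}    # the regular cycle
    resid = {day: total - profile[day.day] for day, total in daily.items()}
    centre = median(resid.values())
    mad = median(abs(r - centre) for r in resid.values()) or 1.0   # robust spread
    return sorted((d, r) for d, r in resid.items() if abs(r - centre) > k * mad)

def constructed_ledger():
    """Constructed sample: 12 months of daily takings with two regular payments."""
    rows = []
    for month in range(1, 13):
        for dom in range(1, 29):
            noise = ((7 * month + 13 * dom) % 11 - 5) * 10     # deterministic jitter
            rows.append((date(2003, month, dom), 1000 + noise))
            if dom == 1:
                rows.append((date(2003, month, dom), 5000))    # regular monthly payment
            if dom == 15:
                rows.append((date(2003, month, dom), 3000))    # regular mid-month payment
    rows.append((date(2003, 7, 19), 4000))                     # the hidden one-off
    return rows

if __name__ == "__main__":
    for day, residual in extraordinary_events(constructed_ledger()):
        print(day, round(residual))
```

The large payments on the 1st and 15th are not reported because they recur every month and are absorbed into the cycle; only the single 19 July transfer survives the subtraction.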
Risk Analysis based on Coincidence of Real and Potential Events
“Don Marcello arrested”
“Bolivar seen in Teracino”
Risk Analysis Model
Real events spawn hypothetical events which spawn...
The logical and time interaction of these event chains determines the risk of a catastrophic event
The red and blue indicate criminal and police events.
Events Colliding
Criminal humint says “something will happen”, so we assume something bad.
The importance of handling time intervals such as “this month” or “next week” should be emphasised.
The system handles alternatives for people, places, times, actions so it can easily see where events may collide.
Events in the diagram:
• Don Marcello arrested
• Don Marcello incarcerated
• Possible reprisals
• Bolivar sighted in Teracino
• Use database of possible Teracino contacts and skills to produce: Bomb may be under construction (hypothetical event connected to Marcello gang - alert effective for 3 months)
• Something (bad) in Palermo this month
• Fabrizzi will sentence Don Marcello on 29th