Comprehensive Intelligence Analysis and Alert System (CIAAS)

Information: data, details, messages
Knowledge: information plus "meaning" – relations between pieces of information

Characteristics
• Intelligence analysis is based on existing knowledge and gathered experience
• Continuously expanded and updated by a massive flow of diverse new information

Sources of Information
• Bank Transactions
• Public domain information
• Government data bases
• Intelligence data bases
• Internet
• Sigint
• Comint
• Humint

The Problems
• Too many holes in the cheese - needs powerful inferencing
• Event information comes in randomly
• Uncertainty imposes multiple scenarios
• Speed of analysis is critical

Human Analysts
They carry most of the burden
Limitations…
• Inflation of information
• Combining many disciplines
• Limited memory and attention span
• Long duration of analysis
• Experience goes with the person
How to support with a computerized system?

Requirements
• Effectively integrate knowledge and information from diverse sources
• Continuously accumulate knowledge
• Provide automatic alerts
• Provide answers to the analysts' queries
• Construct different threat scenarios

The Approach
• Take some of the burden off analysts…
• By emulating the analyst in an automated process –
• Use existing knowledge to analyze incoming information and update/augment the knowledge

Challenges
• Cannot know in advance which information will arrive, in what order, and what will be its meaning
• The entire existing knowledge should be brought to bear in the analysis
• The analysis may generate several different scenarios
• Requires coherent integration of diversified computing disciplines, typically implemented using different technologies

eCognition™ - Active Knowledge Network Technology
• New software paradigm
• The system handles complex tasks, by distributed cooperation among simple pieces of structure
Note: Actual GUI

eCognition™ - Emulating the Cognitive Model
The information is fed into the system
[Diagram labels: Active Knowledge System; React; Analyze; Support decision]

Extract Knowledge in Diversified Forms
[Diagram labels: Free text; Timing & frequency analysis; Unified Knowledge System; Qualitative, quantitative; Experiential; Databases; Tupai's Data Mining]

Use It For Diversified Purposes
[Diagram labels: Simulations, Forecasting, analysis; Intelligent Decision Support; Multi-purpose virtual reasoning machine; Intelligent Knowledge Discovery; Forensic accounting; Contact analysis]

Integrate Knowledge Domains
[Diagram labels: Infrastructure; Integrated, holistic; Finance; Operations]

Diversified Disciplines
[Diagram labels: Modeling; Network inferencing; Data miner; Analyzer; Simulator]
• Aggregates new pieces of information to existing knowledge
• Automatically draws inferences
• Integrates information from diverse sources and formats
• Performs Analysis (including temporal)
• Inherent simulation capabilities

Diversified Interfaces
• Queries
• Charts
• Reports
• Lists
• Linkages
• Alerts

Advantages
Unmatched -
• Complexity handling
• Responsiveness
• Usability
• Extensibility
• Flexibility/Maintainability

Events:
• Meeting (What, Who, Where, When, Frequency)
• Travel (Who, How, Where, When, Length)
• Phone call (Who, When, Length, Content, Frequency)
• Delivery (Who, When, How, Size, What, Frequent, Payment)
• Other (What, Who, When, Where)
• Crime (What, When, Where, Who, How)
[Diagram labels: Sources: Humint, Sigint, Visint, Bank Transactions, Government Database, Other; Events generator; Events Database; Feed, Ask, Check, Simulate, Linkages; Profiles, Organizations, Individuals]

The Scene
• Criminals – skills (bomb-maker, murderer, driver, etc.), membership and role in gangs (planner, driver, boss, muscle, etc.), home base, jail time
• Gangs – members, roles
• Potential targets – people/institutions/businesses, their locations
• Knowledge and experience – how all these interact – both explicit (people) and experiential (past events)
New pieces of Information are arriving…

New Information
• Palermo, 4/4/03: "Corradi arrested Don Marcello" (Public Information)

• Understand message [Text understanding / NLP]
• Corradi is chief detective of Palermo police [External data access]
• Don Marcello is the boss of the Marcello gang [External data access]
• The Marcello gang is vindictive [Data Mining / prior knowledge]
• Expect reprisal against Palermo police [Reasoning, alerts]

New Information
• Palermo, 4/4/03: "Corradi arrested Don Marcello" (Public Information)
• Palermo, 5/5/03: "Bolivar seen in Particino" (Police Intelligence)

• Understand message [Text understanding / NLP]
• Bolivar is a member of the Marcello gang [External data access]
• Bolivar is a Planner and a Negotiator [External data access]
• The Marcello territory is Palermo [External data access]
• Negotiators go outside territory to find skills gang members don't possess [Prior knowledge / data mining]
• Bomb-making is a skill the Marcello gang members don't possess, and Particino based criminals do [External data access]
• Perugia is a Particino based Bomb Maker [External data access]
• Criminals served time together are likely to work together [Prior knowledge / data mining]
• Perugia and Bolivar served time together [External data access]
• The Marcello gang reprisal to Don Marcello's arrest could be a bomb attack [Prior knowledge / data mining]
• Bolivar could be planning a bomb attack on Palermo Police [Reasoning, alerts]

Temporal Analysis, TSA (all analysis is time sensitive)
New Information
• Palermo, 4/4/03: "Corradi arrested Don Marcello" (Public Information)
• Palermo, 5/5/03: "Bolivar seen in Particino" (Police Intelligence)
• Roma, 5/5/03: "Fabrizzi is sentencing Don Marcello on 29th in Palermo courthouse" (Public Information)
• Palermo, 7/5/03: "Something will happen in Palermo this month" (Criminal Intelligence)

• …
• …
• Expect reprisal against Palermo police – possibly a bomb attack
• Expect reprisal against Judge Fabrizzi - possibly Assault, Murder or a Bomb attack

Reasoning, Simulation
New Information
• Palermo, 4/4/03: "Corradi arrested Don Marcello" (Public Information)
• Palermo, 5/5/03: "Bolivar seen in Particino" (Police Intelligence)
• Roma, 5/5/03: "Fabrizzi is sentencing Don Marcello on 29th in Palermo courthouse" (Public Information)
• Palermo, 7/5/03: "Something will happen in Palermo this month" (Police Intelligence)

• What if we detain Perugia?
• Threat of bomb attack reduced, but not gone – there are other bomb makers Marcello negotiators know, etc…
• What if we detain Perugia and Bolivar?

The Demo
• System contains prior knowledge
• Free-text messages are read in to create events
• Events are connected by logic, triggering reasoning, alerts, generation of additional events, etc.
• Combines
  • Free Text Understanding
  • Reasoning
  • Data Mining
  • Linkage to external resources

Searching In an Ocean of Information
The problem is dynamic in many dimensions - protagonists, communication channels, locations, types of threat… So is the active structure used to continuously track and analyze it…

Some Details
• Data Mining
• Information Extraction
• Risk Analysis

Data Mining Phone Records
The Data Miner, together with probable gang structure, is used on the records to generate call patterns
Administrator: The miner can be run manually or automatically, and several databases can be joined together during the mining.

Using Probabilities
We can use probability distributions and correlations on contacts - who instigated it, probable use from how long the call lasted
Administrator: Deriving call patterns over time allows us to detect changes in activity - trouble is, communication activity might increase or decrease when something is up and we need to have figured that out from previous incidents.

Time Series Analysis
Transaction records are turned into a time-based view of the business.
Administrator: Businesses aren't static, so it can be quite hard to see what is happening just from statements or spreadsheets, particularly when there may be several seasonal cycles - monthly, yearly - at work.

Reversing the Use
Time Series Analysis is usually used to find the normal operation of a cyclic business by eliminating the extraordinary events. Here we are using it to find the extraordinary events that may be hidden away in normal business operations.

How It Works
A smoothly operating business is extracted from the time-based view, leaving the extraordinary events
Administrator: Some idea of the sort of business is required - construction, tourism, retail
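
An added example (not part of the original slides) of the reversed time series analysis described above: the regular cycle is estimated per position in the period and subtracted, and the residuals that stand out are reported. The weekly period, the sample takings, the threshold and all function names are constructed assumptions; the `period` argument stands in for knowing the sort of business.

```python
from statistics import median

def extraordinary_events(series, period, threshold=5.0):
    """Remove the regular cycle from a time-based view and return what is
    left over: (index, value, residual) for every point whose residual lies
    more than `threshold` robust standard deviations from the centre."""
    # "Smoothly operating business": typical value at each position of the cycle.
    # A median keeps a single extraordinary event from shifting the baseline.
    baseline = [median(series[phase::period]) for phase in range(period)]
    residuals = [v - baseline[i % period] for i, v in enumerate(series)]
    # Robust spread of the residuals: median absolute deviation scaled to sigma.
    centre = median(residuals)
    mad = median(abs(r - centre) for r in residuals)
    scale = 1.4826 * mad or 1.0  # fallback for a perfectly regular series
    return [(i, series[i], r) for i, r in enumerate(residuals)
            if abs(r - centre) / scale > threshold]

def sample_daily_totals():
    """Constructed data: 8 weeks of daily takings with a weekly cycle."""
    week = [100, 120, 130, 125, 160, 220, 80]  # Mon..Sun pattern (constructed)
    jitter = [-2, 1, -1, 2, 0]                 # small day-to-day variation
    totals = [week[d % 7] + jitter[d % 5] for d in range(56)]
    totals[23] += 400  # unusually large deposit (constructed)
    totals[40] -= 150  # takings missing from the books (constructed)
    return totals

if __name__ == "__main__":
    for day, value, residual in extraordinary_events(sample_daily_totals(), period=7):
        print(f"day {day}: total {value}, {residual:+.1f} against the weekly baseline")
```

The sketch assumes a single cycle and no growth over the window; a business with several seasonal cycles needs the baseline estimated per cycle before the residuals are scored.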

Risk Analysis based on Coincidence of Real and Potential Events
• “Don Marcello arrested”
• “Bolivar seen in Teracino”

Risk Analysis Model
Real events spawn hypothetical events which spawn...
The logical and time interaction of these event chains determines the risk of a catastrophic event

Events Colliding
• Don Marcello arrested
• Don Marcello incarcerated
• Possible reprisals
• Bolivar sighted in Teracino
• Use database of possible Teracino contacts and skills to produce: Bomb may be under construction (hypothetical event connected to Marcello gang - alert effective for 3 months)
• Something (bad) in Palermo this month
• Fabrizzi will sentence Don Marcello on 29th
The red and blue indicate criminal and police events. Criminal humint says “something will happen”, so we assume something bad. The importance of handling time intervals such as “this month” or “next week” should be emphasised. The system handles alternatives for people, places, times, actions - so it can easily see where events may collide.
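
An added example (not part of the original slides, and not the product's own logic) of how events with time intervals can be checked for collisions: each event carries the span of days in which it may occur, and the function finds the window where the most real and hypothetical events coincide. It assumes the slide dates are day/month/2003, that the sentencing on the 29th falls in May, and that "3 months" is 90 days; all names are hypothetical.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Event:
    label: str
    start: date            # first day the event can occur
    end: date              # last day the event can occur
    hypothetical: bool = False

def on_day(label, day):
    return Event(label, day, day)

def this_month(label, reported):
    """'This month' means any day from the report to the end of that month."""
    last = calendar.monthrange(reported.year, reported.month)[1]
    return Event(label, reported, reported.replace(day=last))

def spawn(label, cause, days):
    """Hypothetical event spawned by a real one, in effect for `days` days."""
    return Event(label, cause.start, cause.start + timedelta(days=days), True)

def peak_collision(events):
    """Return (count, first_day, last_day, labels) for the window in which the
    most events coincide, counting only windows that mix real and hypothetical."""
    best = (0, None, None, [])
    for day in sorted({e.start for e in events}):  # overlap only grows at a start
        active = [e for e in events if e.start <= day <= e.end]
        kinds = {e.hypothetical for e in active}
        if kinds == {True, False} and len(active) > best[0]:
            best = (len(active), day, min(e.end for e in active),
                    [e.label for e in active])
    return best

def slide_events():
    # Dates read as day/month/2003 (assumption); "3 months" taken as 90 days.
    arrest = on_day("Don Marcello arrested", date(2003, 4, 4))
    sighting = on_day("Bolivar sighted in Teracino", date(2003, 5, 5))
    return [
        arrest,
        sighting,
        spawn("Bomb may be under construction", sighting, 90),
        this_month("Something (bad) in Palermo", date(2003, 5, 7)),
        on_day("Fabrizzi sentences Don Marcello", date(2003, 5, 29)),
    ]

if __name__ == "__main__":
    print(peak_collision(slide_events()))
```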