Comprehensive Intelligence Analysis and Alert System (CIAAS)

Upload: david-rowland

Post on 01-Jan-2016

Transcript of a PowerPoint presentation

Characteristics

• Intelligence analysis is based on existing knowledge and gathered experience

• Continuously expanded and updated by a massive flow of diverse new information

Information: Data, details, messages

Knowledge: Information plus "meaning" – relations between pieces of information

Sources of Information

Bank Transactions

Intelligence data bases

Public domain information

Government data bases

Internet

Comint, Sigint, Humint

The Problems

• Too many holes in the cheese - needs powerful inferencing

• Event information comes in randomly

• Uncertainty imposes multiple scenarios

• Speed of analysis is critical

Human Analysts

They carry most of the burden

Limitations…

• Inflation of information

• Combining many disciplines

• Limited memory and attention span

• Long duration of analysis

• Experience goes with the person

How to support with a computerized system?

Requirements

• Effectively integrate knowledge and information from diverse sources

• Continuously accumulate knowledge

• Provide automatic alerts

• Provide answers to the analysts' queries

• Construct different threat scenarios

The Approach

• Take some of the burden off analysts…

• By emulating the analyst in an automated process –

• Use existing knowledge to analyze incoming information and update/augment the knowledge

Challenges

• Cannot know in advance which information will arrive, in what order, and what will be its meaning

• The entire existing knowledge should be brought to bear in the analysis

• The analysis may generate several different scenarios

• Requires coherent integration of diversified computing disciplines, typically implemented using different technologies

eCognition™ - Active Knowledge Network Technology

Note: Actual GUI

• New software paradigm

• The system handles complex tasks, by distributed cooperation among simple pieces of structure

The information is fed into the system

React

Analyze

Support decision

Active Knowledge System

eCognition™ - Emulating the Cognitive Model

Qualitative, quantitative

Timing & frequency analysis

Databases

Experiential

Free text

Unified Knowledge System

Extract Knowledge in Diversified Forms

Tupai's Data Mining

Intelligent Decision Support

Intelligent Knowledge Discovery

Forensic accounting

Contact analysis

Simulations, Forecasting, analysis

Multi-purpose virtual reasoning machine

Use It For Diversified Purposes

Infrastructure

Finance

Operations

Integrated, holistic

Integrate Knowledge Domains

Diversified Disciplines

Inherent simulation capabilities

Modeling

Data miner

Analyzer

Simulator

Network inferencing

Aggregates new pieces of information to existing knowledge

Automatically draws inferences

Integrates information from diverse sources and formats

Performs Analysis (including temporal)

Queries

Charts

Reports

Lists

Linkages

Alerts

Diversified Interfaces

Advantages

Unmatched -

• Complexity handling

• Responsiveness

• Usability

• Extensibility

• Flexibility/Maintainability

Solution – The Concept

Profiles

• Organizations

• Individuals

Humint

Events Database

Bank Transactions

Other

Sources

Government Database

Sigint

Visint

• Feed

Humint

• Ask

• Check

• Simulate

• Linkages

Events generator

Events:

• Meeting (What, Who, Where, When, Frequency)

• Travel (Who, How, Where, When, Length)

• Phone call (Who, When, Length, Content, Frequency)

• Delivery (Who, When, How, Size, What, Frequent, Payment)

• Other (What, Who, When, Where)

• Crime (What, When, Where, Who, How)

Example – Crime Analysis Automation

The Scene

Criminals – skills (bomb-maker, murderer, driver, etc.), membership and role in gangs (planner, driver, boss, muscle, etc.), home base, jail time

Gangs – members, roles

Potential targets – people/institutions/businesses, their locations

Knowledge and experience – how all these interact – both explicit (people) and experiential (past events)

New pieces of Information are arriving…

New Information

- Palermo, 4/4/03 : "Corradi arrested Don Marcello" (Public Information)

• Understand message [Text understanding / NLP]

• Corradi is chief detective of Palermo police [External data access]

• Don Marcello is the boss of the Marcello gang [External data access]

• The Marcello gang is vindictive [Data Mining / prior knowledge]

• Expect reprisal against Palermo police [Reasoning, alerts]

New Information

- Palermo, 4/4/03 : "Corradi arrested Don Marcello" (Public Information)

- Palermo, 5/5/03 : "Bolivar seen in Particino" (Police Intelligence)

• Understand message

• Bolivar is a member of the Marcello gang

• Bolivar is a Planner and a Negotiator

• The Marcello territory is Palermo

• Negotiators go outside territory to find skills gang members don't possess

• Bomb-making is a skill the Marcello gang members don't possess, and Particino based criminals do

• Perugia is a Particino based Bomb Maker

• Criminals who served time together are likely to work together

• Perugia and Bolivar served time together

• The Marcello gang reprisal to Don Marcello's arrest could be a bomb attack

• Bolivar could be planning a bomb attack on Palermo Police

Text understanding / NLP

External data access

External data access

External data access

Prior knowledge / data mining

External data access

External data access

Prior knowledge / data mining

Prior knowledge / data mining

Reasoning, alerts

External data access

New Information

- Palermo, 4/4/03 : "Corradi arrested Don Marcello" (Public Information)

- Palermo, 5/5/03 : "Bolivar seen in Particino" (Police Intelligence)

- Roma, 5/5/03 : "Fabrizzi is sentencing Don Marcello on 29th in Palermo courthouse" (Public Information)

- Palermo, 7/5/03 : "Something will happen in Palermo this month" (Criminal Intelligence)

• …

• …

• Expect reprisal against Palermo police – possibly a bomb attack

• Expect reprisal against Judge Fabrizzi - possibly Assault, Murder or a Bomb attack

Temporal Analysis, TSA (all analysis is time sensitive)

New Information

- Palermo, 4/4/03 : "Corradi arrested Don Marcello" (Public Information)

- Palermo, 5/5/03 : "Bolivar seen in Particino" (Police Intelligence)

- Roma, 5/5/03 : "Fabrizzi is sentencing Don Marcello on 29th in Palermo courthouse" (Public Information)

- Palermo, 7/5/03 : "Something will happen in Palermo this month" (Police Intelligence)

• What if we detain Perugia?

• Threat of bomb attack reduced, but not gone – there are other bomb makers Marcello negotiators know, etc…

• What if we detain Perugia and Bolivar?

Reasoning, Simulation

Reasoning, Simulation

The Demo

• System contains prior knowledge

• Free-text messages are read in to create events

• Events are connected by logic, triggering reasoning, alerts, generation of additional events, etc.

• Combines

  • Free Text Understanding

  • Reasoning

  • Data Mining

  • Linkage to external resources

The problem is dynamic in many dimensions - protagonists, communication channels, locations, types of threat....

So is the active structure used to continuously track and analyze it......

Searching In an Ocean of Information

Some Details

• Data Mining

• Information Extraction

• Risk Analysis

Data Mining

Phone Records

The Data Miner, together with probable gang structure, is used on the records to generate call patterns

Administrator:

The miner can be run manually or automatically, and several databases can be joined together during the mining.

Using Probabilities

We can use probability distributions and correlations on contacts - who instigated it, probable use from how long the call lasted

Administrator:

Deriving call patterns over time allows us to detect changes in activity - trouble is, communication activity might increase or decrease when something is up and we need to have figured that out from previous incidents.

Time Series Analysis

Transaction records are turned into a time-based view of the business.

Administrator:

Businesses aren’t static, so it can be quite hard to see what is happening just from statements or spreadsheets, particularly when there may be several seasonal cycles - monthly, yearly - at work.

Reversing the Use

Time Series Analysis is usually used to find the normal operation of a cyclic business by eliminating the extraordinary events.

Here we are using it to find the extraordinary events that may be hidden away in normal business operations.

How It Works

A smoothly operating business is extracted from the time-based view, leaving the extraordinary events

Administrator:

Some idea of the sort of business is required - construction, tourism, retail
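An added example (not code from the presentation or the product it describes) of the reversed use described above: a per-phase median stands in for the smoothly operating business, and whatever it cannot explain is ranked with a robust z-score. The `period` argument, the assumption that the series has no long-term trend, and the deposit figures are constructed for illustration.

```python
from statistics import median

def extraordinary_events(series, period, z_cut=3.5):
    """Return [(index, residual)] for values the seasonal baseline cannot explain.

    series: equally spaced values, e.g. monthly net deposits
    period: samples per business cycle (12 = yearly cycle on monthly data);
            this is the "sort of business" knowledge the analyst supplies
    """
    if len(series) < 3 * period:
        raise ValueError("need at least three full cycles to learn a baseline")
    # The "smoothly operating business": median of each phase of the cycle.
    # A median is not dragged upward by a single spike in that phase.
    baseline = [median(series[p::period]) for p in range(period)]
    residuals = [v - baseline[i % period] for i, v in enumerate(series)]
    # Robust spread (median absolute deviation), so the outliers being
    # hunted do not inflate the threshold used to find them.
    centre = median(residuals)
    mad = median(abs(r - centre) for r in residuals)
    if mad == 0:
        # Perfectly regular history: any deviation at all is extraordinary.
        return [(i, r) for i, r in enumerate(residuals) if r != centre]
    return [(i, r) for i, r in enumerate(residuals)
            if 0.6745 * abs(r - centre) / mad > z_cut]

def constructed_deposits():
    """Three years of monthly deposits (thousands) for a made-up tourism
    business: summer peak, small deterministic noise, one injected event."""
    pattern = [20, 22, 25, 40, 60, 90, 120, 125, 80, 45, 25, 30]
    series = [pattern[i % 12] + (i * 7) % 5 - 2 for i in range(36)]
    series[13] += 60   # constructed off-season deposit, February of year 2
    return series

if __name__ == "__main__":
    for index, residual in extraordinary_events(constructed_deposits(), 12):
        print(f"month {index}: {residual:+} against the seasonal baseline")
```

A series with several overlapping cycles or a strong trend needs those removed first; this sketch handles one cycle length only.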

Risk Analysis based on Coincidence of Real and Potential Events

“Don Marcello arrested”

“Bolivar seen in Teracino”

Risk Analysis Model

Real events spawn hypothetical events which spawn...

The logical and time interaction of these event chains determines the risk of a catastrophic event

Events Colliding

Something (bad) in Palermo this month

Fabrizzi will sentence Don Marcello on 29th

Bolivar sighted in Teracino

Use database of possible Teracino contacts and skills to produce: Bomb may be under construction

(hypothetical event connected to Marcello gang - alert effective for 3 months)

The red and blue indicate criminal and police events.

Criminal humint says “something will happen”, so we assume something bad.

The importance of handling time intervals such as “this month” or “next week” should be emphasised.

The system handles alternatives for people, places, times, actions - so it can easily see where events may collide.

Possible reprisals

Don Marcello incarcerated

Don Marcello arrested
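An added sketch of the "Events Colliding" idea (not the system's own code): each event carries a time window and a set of alternative places, and two events collide when their windows overlap and they share a place. The `Event` fields, reading "this month" as report date to month end, and placing the hypothetical bomb event in Palermo are assumptions made for this example.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from itertools import combinations

@dataclass(frozen=True)
class Event:
    label: str
    hypothetical: bool      # spawned by reasoning rather than reported
    start: date
    end: date               # inclusive
    places: frozenset       # alternative locations

def rest_of_month(reported):
    """'this month' in a report dated `reported`: report date to month end."""
    last = calendar.monthrange(reported.year, reported.month)[1]
    return reported, reported.replace(day=last)

def months_from(reported, n):
    """Alert window: report date to the same day n months later (clamped)."""
    m = reported.month - 1 + n
    year, month = reported.year + m // 12, m % 12 + 1
    day = min(reported.day, calendar.monthrange(year, month)[1])
    return reported, date(year, month, day)

def collisions(events):
    """Pairs whose time windows overlap and that share at least one place."""
    hits = []
    for a, b in combinations(events, 2):
        start, end = max(a.start, b.start), min(a.end, b.end)
        shared = a.places & b.places
        if start <= end and shared:
            hits.append((a.label, b.label, start, end, sorted(shared)))
    return hits

# Constructed from the slide messages; dates read as day/month/2003.
PALERMO = frozenset({"Palermo"})   # assumed target area for the bomb event
EVENTS = [
    Event("Fabrizzi sentences Don Marcello", False,
          date(2003, 5, 29), date(2003, 5, 29), PALERMO),
    Event("Something will happen", False,
          *rest_of_month(date(2003, 5, 7)), PALERMO),
    Event("Bomb may be under construction", True,
          *months_from(date(2003, 5, 5), 3), PALERMO),
    Event("Bolivar sighted", False,
          date(2003, 5, 5), date(2003, 5, 5), frozenset({"Teracino"})),
]

if __name__ == "__main__":
    for a, b, start, end, where in collisions(EVENTS):
        print(f"{start}..{end} {where}: {a} <-> {b}")
```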