TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

? M 1 h e

SKYNET: Applying Advanced ,bfl mm

i i i^BM • p *

U0' a . .

by S2I, R6, T12, T14, I

• . .V • ivv •

* : wm :

- pres M̂MMIMWai»11

flHSMP IV

Presenters:

I" • " •.

Zi ' • v*r • ' •

• - . - . :

, S2I51 , R66F

• T: J.f-fc V..- .

•• DA ff/if^

. ' QeWttfftorii: NSA/CSSM 1-52 1 » — M l . Dated: 20070108 W h \Z

Declassify Oh: 20370401 / TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

UNCLASSIFIED//FOUO

Outline

What is SKYNET?

DEMONSPIT Data Flow

Automated Bulk Cloud Analytics

Analytic Triage

UNCLASSIFI:EÖ//F.OÜO •

Collaborative cloud research effort between 5 different organizations crossing 3 NSA Directorates: - Signals Intelligence: S2I, S22, SSG - Research: R6

- Technology: T12, T14

Partnerships - TMAC/FASTSCOPE

- MIT Lincoln Labs & Harvard

SKYNET applies complex combinations of geospatial, geotemporal, pattern-of-life, and travel analytics to bulk DNR data to identify patterns of suspect activity

Peshawar

Probably Faisalabad

CTMMC T0PSEdî

N S A/CSS Counterterrorism Mission Management Center

Bag hi in

'——Mtfiaud-E Etacfl P¿ -van C hank or

I.twJ.i Sh ata O

>

\ Kabu l f.V»h|nr Lam

Asad ¿bad

Tuesday/Friday

: Gardez

Waziristan

s Courier/

Rough outline of courier path as described by the targets

Snn ag ar

Id am it> ad» Rawalpindi

Sunday

F a sa l a b a d Lahore

U Sunday/Monday

C i m i

TOP SECRET//COMINT//REL TO USA/AUS, CAN, GBR, NZL

TOP SECRET//COMINT//ORCON/REL- TO USA, AUS, CAN, GBR. NZl.

SKYNET Analytic Questions Who has traveled from Peshawar to Faisalabad or Lahore (and back) in the past month? • Who does the traveler call when he arrives? • Who else is seen in the area when the traveler arrives, and

who seen leaving the area shortly afterward?

Who travels to/from Peshawar every other Sunday and "somewhere else" on a weekly basis? Who visits Akora Khattak periodically and also travels between Peshawar and Lahore? Who fits the above travel profiles and also possesses unusual behavior: • One or two hops from other suspects or known tasked

selectors • Frequent handset swapping or powering down

TOP SECRET//COMINT//REL TO USA. A4JS. CAN. GBR. ISJZll • •

' «s U DEMONSPIT DEMONSPIT is a new dataflow for bulk Call Data Records (CDRs) from Pakistan

- CDRs are being acquired from major PK Telecom providers Data is normalized through TUSKATTIRE, like all other Call Data Records DEMONSPIT data is forwarded by TUSKATTIRE to several Clouds:

- GMHalo/DPS • Promotes records to FASCIA and feeds the SEDB Tower QFD

- GMPIace& Cloud 14 • Ingests DEMONSPIT into Sortinglead summaries to support SKYNET

Analytics

• Ingests DEMONSPIT into a Perishable QFD which will be available to analysts via JEMA and CINEPLEX

- Bulldozer/MDR2

All of the clouds receiving DEMONSPIT data also receive all FASCIA data

TOP SECRET//COMINT//REL TO USA, AUS, ;CAN, GBR,,N.Z,L

SECRET//C0M1NT//REL TO USA, AUS, CAN, GBR; NZL

Analysts' View of DEMONSPIT TUSKATTIRE

MAINWAY/SIGNAV

TOWER QFD

CINEPLEX JEMA

ROLLERCOASTER

SMARTTRACKER SO RUN G LEAD

FASCIA ASSOCIATION BANYAN

SECRET//COMINT//REL TO USA, AUS,:CÄN, GBR; NZU

Original wCDRs Access to ALL DEMONSPIT Data

Original fcCDRs

Access to CDRs, Analyst Queries, & Results of SKYNET Analytics

CDR Summaries

Analyst Promoted CDRs Access to DEMONSPIT FASCIA Promoted Data

SKYNET & Analyst Promoted CDRs

UNCLASSIFIED//FOUO

Outline

What is SKYNET?

DEMONSPIT Data Flow

Automated Bulk Cloud Analytics

Analytic Triage

UNCLASSIFI:EÖ//F.OÜO •

TOP SECRET//SI//REL TO USA, FVEY

Cloud Analytic Building Blocks

TOP SECRET//SI//REL TO USA; FVEY

Travel Patterns - Travel phrases (Locations visited in given timeframe) - Regular/repeated visits to locations of interest

Behavior-Based Analytics - Low use, incoming calls only - Excessive SIM or Handset swapping - Frequent Detach/Power-down - Courier machine learning models

Other Enrichments • Travel on particular days of the week • Co-travelers • Similar travel patterns • Common contacts • Visits to airports • Other countries • Overnight trips • Permanent move

TOP SECRET//SI//REL TO USA, FVEY

Sample Travel Report: Haqqani Network tasked- selector^ contact- swapping associated^ other_

seed-contacts count _num selectors visits_regularly countries phrase

3 lashkargah_city

helmand

kandaharAF PK

nowbahar IR

fa rah AF

bala_bulk farah

masow farah

masow

nowbahar

masow

3 BA

ghazni AF

sharan urgon

AE

AF

khost_airport

kajir_kalay

• •

- m J F TOP SECRET//SI//REL TO USA; FVEY

TOP SECRET//SI//REL TO USA, FYEY •. • • • • * * . • * '

What Suspicious Selectors Were Seen Traveling Between Peshawar and Lahore? J

SoecifmBehavioral Cloud Analytics Peshawar-Lahore Travel 1 - 4 NOV 2011

V J ì J TASKED NUM_SELECTOR ASSOCIATED, ACTIVITY, TRAVEL PHRASE DOW MSISDN IMSI CONTACTS .SWAPPING SELECTORS CATEGORIES

torkham AF PK peshawar lahore FRI | 2

PK peshawar lahore THU • behsud AF jalalabad jalal_abad jalalabad behsud rodat bati_kot mohmand_darah peshawar PK WED 4 7

gtrd PK nowshera gulbahar peshawar sanda kalan lahore THU jamrud PK peshawar lahore TUE 10

PK peshawar lahore THU

5-or-f ewer-contacts, sms-and-zero-duration-calls-only, low-use

•TOP SECRET//SI//REL J O USA; FVEY . • \ ; •

UNCLASSIFIED//FOUO

Outline

What isSKYNET?

DEMONSPIT Data Flow

Automated Bulk Cloud Analytics

Analytic triage -SMARTTRACKER

- RT-RG

- J E M A

UNCLASSIFIED//F.OÜO •

M'HAäS

TOP SECRET//SI//REL TO USA, FVEY

Selectors of Interest from Cloud Travel Analytic

(tasked)

IMSIs:

• .• • I V .

Handsets

TOP SECRET//SI//REL TO USA: FVEY

TOP SECRET//SI//REL TO USA, FVEY .

SMARTTRACKER Travel View 31 October - 23 November

« f t A KHATTAk SUSPECT TERRORIST FACILITY 001

31 '292.7713" N. 75*13'45.1982* E

* Location: UCell JDl

(11/14/2011 04:27:47)

* Location: UCefl ID

1/70/7011 17:59:04)

(11/20/201112:59:04)

* Location: UCell ID]

Location: UCellJD 410.006.00403.20393 (11/14/201102:19:16)

(11/23/201114:23:55)

(11/21/201114:55:37)

Location: UCell

'11/20 2011 18:34:15)

(11/20/2011 19:34:15)

TOP SECRET//SI//REL TO USA, FVEY .

Examine travel patterns for common routes and meeting locations - Run cell soaks on all common meeting locations

during meeting timeframe

Analyze selectors for common contacts

Analyze selectors for handset sharing behavior

Repeat procedure with resulting selectors Correlate with other known and suspected selectors

• r TOP SECRET//SI//REL TO USA; FVEY:

TOP SECRET//SI//REL TO USA, FVEY .

SMARTTRACKER Coincidence Report

Si

Sets with 2 targets

Select

Select

Select

Select

Select

31 at 12 locations

24 at 11 locations

1 at 1 location

1 at 1 location

1 at 1 location

W+

• • ' ' ' '* i

• • •Af.ft.r. t

u

TOP SECRET//SI//REL TO USA, FVEY

RT-RG Analytics

TOP SECRET//SI//REL TO USA; FVEY

£̂¿¿£77

mm m ̂ awiwffà am Meetings - who is at the same ucellid at the

same time as the potential courier at the destination city?...Multiple times.

Sidekicks - is there a pair traveling together to the destination city?

sfcÇug/Tp TOP SECRET//SI//REL TO USA, F VE Y '' : • /•

JEM A: Pulling It All Together

Movement Irregularity

Destination Cities

Meetings Evaluate, add value, prioritize

Start/end points

Dates

Are selectors seen meeting at destination consistently?

Travel Reports Human in the loop to analyze travel reports.

Sidekicks

Does Sidekick selector have call events?

10