DEVELOPING AN INTELLIGENCE ANALYSIS PROCESS THROUGH SOCIAL NETWORK ANALYSIS

Transcription

1 DEVELOPING AN INTELLIGENCE ANALYSIS PROCESS THROUGH SOCIAL NETWORK ANALYSIS Todd Waskiewicz and Peter LaMonica Air Force Research Laboratory Information and Intelligence Exploitation Division {Todd.Waskiewicz, Abstract Intelligence analysts are tasked with making sense of enormous amounts of data and gaining an awareness of a situation that can be acted upon. This process can be extremely difficult and time consuming. Trying to differentiate between important pieces of information and extraneous data only complicates the problem. When dealing with data containing entities and relationships, social network analysis (SNA) techniques can be employed to make this job easier. Applying network measures to social network graphs can identify the most significant nodes (entities) and edges (relationships) and help the analyst further focus on key areas of concern. Strange developed a model that identifies high value targets such as centers of gravity and critical vulnerabilities 1. SNA lends itself to the discovery of these high value targets and the Air Force Research Laboratory (AFRL) has investigated several network measures such as centrality, betweenness, and grouping to identify centers of gravity and critical vulnerabilities. Using these network measures, a process for the intelligence analyst has been developed to aid analysts in identifying points of tactical emphasis. Organizational Risk Analyzer (ORA) and Terrorist Modus Operandi Discovery System (TMODS) are the two applications used to compute the network measures and identify the points to be acted upon. Therefore, the result of leveraging social network analysis techniques and applications will provide the analyst and the intelligence community with more focused and concentrated analysis results allowing them to more easily exploit key attributes of a network, thus saving time, money, and manpower. Keywords: Social Network Analysis, Center of Gravity, Intelligence Analysis, and Knowledge Discovery Introduction The concept of social networks was developed to provide a new method for analyzing the social structure and concept of entities and relationships within a network 2. Social network analysis consists of a set of metrics and algorithms that analyze network characteristics, such as nodes, edges, and attributes. These techniques can be applied not only to social networks, but they can also be applied to multi-modal domains. Evolutionary and Bio-Inspired Computation: Theory and Applications II edited by Misty Blowers, Alex F. Sisti, Proc. of SPIE Vol. 6964, 69640B, (2008) X/08/$18 doi: / SPIE Digital Library -- Subscriber Archive Copy Proc. of SPIE Vol B-1

2 One particular focus of this research is to apply social network analysis techniques to derive high value targets that are especially critical to the intelligence community. Analysts within the intelligence community are interested in exploiting targets of interest by learning network characteristics such as centers of gravity and their critical vulnerabilities. In determining these attributes, analysts can gain a deeper understanding of the situation, which allows for greater impact of military action. These network attributes can be derived from the Strange Model of Critical Vulnerabilities. Dr. Joe Strange claims that extensive knowledge of the enemy s network is required to determine physical and psychological strengths and weaknesses, and ultimately to identify centers of gravity and critical vulnerabilities 1. For example, the Strange Model states that the first task in planning is to identify centers of gravity, and strategically understand the network that encompasses these centers. Strange Model In an edition of the Marine Corps University s Perspectives on Warfighting, Strange s Centers of Gravity and Critical Vulnerabilities: Building on the Clausewitzian Foundation So That We Can All Speak the Same Language is featured. In this paper, Strange presents a unique perspective on warfighting. For the purposes of this paper, that perspective is adopted for the analysis of criminal and terrorist networks. Strange presents a model for the adversary that includes four different roles. These roles are center of gravity, critical capability, critical requirement, and critical vulnerability 1. Strange defines a center of gravity as a primary source of moral or physical strength, power, and resistance. A critical capability is a primary ability which merits a center of gravity to be identified as such in the context of a given scenario or situation. The essential conditions, resources, and means for a critical capability to be fully operative are critical requirements. Critical vulnerabilities are critical requirements or components thereof, which are deficient or vulnerable to neutralization, interdictions or attack in a manner achieving decisive results. These four roles can be applied to an adversary in an effort to minimize risk when planning action against them. When an adversary is modeled as a network, these roles can be filled through careful analysis of the network. One idea that Strange stresses is that the answer to whom and what fills these roles is completely contextual 1. In the case of warfighting, the answers may depend on the mission. For the analysis of criminal and terrorist networks, it is the same case. When analyzing a criminal or terrorist network, it is for some purpose; whether it is to identify someone who holds a lot of information or the removal of a critical node from the network. For example, if a terrorist network is being analyzed, the objective may be to cripple the network s ability to obtain bomb-making materials. The results of this analysis may be different from analysis concerned with cutting off the flow of money through the network. Consequently, when conducting network analysis, the results must take context. The highest-ranking node of some measurement may not be the most Proc. of SPIE Vol B-2

3 significant according to the purpose of the analysis. Organizational Risk Analyzer (ORA) Organizational Risk Assessment (ORA) is a network analysis tool that detects risks or vulnerabilities of an organization s design structure 3. For example, ORA can help determine if the removal of a certain person from a network will cripple the network s capabilities or who the best person to start the spread of ideas through a network is. Relational data collected by an individual can be represented by a collection of networks called a Meta- Matrix and analyzed by ORA. The relational data can encompass associations between people, knowledge, resources, and tasks. ORA can both read and write a Meta-Matrix in multiple formats making it interoperable with other network analysis software 3. The network analysis can be applied to a variety of fields such as sociology, intelligence analysis, and operations research. This paper will focus on the use of ORA for the analysis of criminal and terrorist networks. ORA provides three main ways to analyze networks; through its Reports, View Charts, and Visualize features. Each feature provides its own value to the analysis of networks. Reports provides a means of analyzing networks from a higher level than simply network measures such as eigenvector centrality and betweenness centrality. The Reports feature gives a high level name to a measure or collection of measures so network measures may easily be selected for the appropriate purpose. For example, the Key Entities report generates a report that allows the user to see who, what, and how key entities are important. For the who portion, the report will identify the person entities that are leaders, in the know, and connect groups along with several other reasons for importance. The Key Entities report also indicates what measures were used to achieve the calculations. The Report capability provides an easy and quick way to analyze a network without spending the time of seeking out and calculating the appropriate measures. The View Charts feature offers a more specialized means of analysis. It provides a large list of measures between the types of entities contained in the network. For example, betweeness centrality can be calculated between person entities or out-degree centrality can be calculated between person and knowledge entity types. Once a measure is selected, a bar graph, scatter plot graph, or histogram can be used to display the results. The user can select the top number of results. For example, the user can select to display the top 5 scores for centrality. View Charts provides the user with a more customized and specialized way of analyzing a network while quickly calculating and displaying the results in a number of ways. The Visualization feature gives another way to view the data and conceptualize the analysis of the network. It provides a number of ways to customize how the data is presented. For example, only certain types of nodes can be displayed or edges below a specific weight can be omitted. Customizing the way the network is displayed is the true value of this feature. By only viewing a subgraph of the network and altering the way it is Proc. of SPIE Vol B-3

4 displayed allows a user to see the graph beyond simple metrics. Significant entities and features of the network may be discovered that ordinarily may not have been found through calculating measures. Visualization can also motivate more analysis through Reports and View Charts. Terrorist Modus Operandi Discovery System (TMODS) Terrorist Modus Operandi Discovery System (TMODS) is an application that has many utilities that include social network and pattern matching algorithms and techniques. This application was developed by 21 st Century Technologies, Inc. and is very effective at assisting analysts to determine areas of importance in a network graph. One such algorithm within the TMODS application is known as the Best Friends Group Detection algorithm. This algorithm is very effective at taking network data and determining the groups of entities that exist within the network based on the relationships and attributes of the network. All nodes, edges, and attributes are analyzed and evaluated in discovering these groups. Thus, no prior domain knowledge is needed to determine the particular groups that exist within a network. The Best Friends Group Detection algorithm uses various social network analysis metrics, such as closeness and betweenness centrality. These two metrics define the connectedness value of each node to the other nodes within the network. From this attribute, groups can be defined within the network. Figure 1 demonstrates how the Best Friends Group Detection algorithm can discover groups from the network data. By gaining this knowledge, analysts can now determine relationships that exist within the network. Not only can this algorithm determine explicit relationships (e.g. A B), but it also can derive implicit relationships. For example, Node A is connected to Node C through its relationship with Node B. Figure 1: TMODS Best Friends Group Detection Algorithm The Best Friends Group Detection algorithm allows analysts to reason about actors and their relationships, groups, and entire networks in a quantifiable and rigorous manner 4. Thus, with limited observability and knowledge of these large networks, analysts can detect groups and relationships that exist that they previously had no knowledge of. Process In an attempt to fulfill the roles described in the Strange model, ORA and TMODS were applied. The network that was analyzed includes trafficking of illicit goods via civil aircraft outside the United States. When using network Proc. of SPIE Vol B-4

5 analysis along with the Strange model, one should start by finding the center of gravity in the network. This is because the critical capabilities, vulnerabilities, and requirements will all be in the context of the center(s) of gravity that exist within the network. They will all be the attributes that enable the center of gravity. Finding the center of gravity in a network lends itself to the use of the eigenvector centrality metric. This is because the metric finds the nodes that are not only highly connected, but also connected to other nodes that are highly connected. A node with a high eigenvector centrality would certainly exhibit the properties of a center of gravity in a network. To find the center of gravity using eigenvector centrality, ORA and its View Charts feature were used selecting Centrality, Eigenvector: agent x agent. The result is pictured in Figure 2. Notice there are two distinct nodes that score higher than the rest of the nodes. These two nodes are most likely to be centers of gravity. Due to the relative closeness of their values, they both could be considered centers of gravity or one could be better suited than the other. To find out which is the case, further investigation is required. To do that, TMODS was used. Centrality, Eigenvector: agent x agent Figure 2. Eigenvector Centrality Results Analysis with TMODS The same dataset that was processed in ORA was then processed in TMODS, with the Best Friends Group Detection algorithm. As noted, the Best Friends Group Detection algorithm can take the network data and determine what groups exist within that data. An image of the data in TMODS can be seen in Figure 3. Figure 3. Dataset in TMODS Once the data is loaded, the user can execute the group detection algorithm and view the results. In one of the group results, the algorithm found that the same first two individuals from the eigenvector centrality analysis were found in the same group. There was also a third individual found that was ranked fourth highest in the eigenvector centrality, which led the analysis to focus more on this person. This person was also a known trafficker of illicit goods, and connects the two top individuals with many other known traffickers. In the Strange model, boundaries are prime candidates for critical vulnerabilities to the network 1. Further, since this individual acts as a boundary between these two groups, it can be inferred that these top two individuals are also associated with the trafficking of illicit goods 5. Figure 4 Proc. of SPIE Vol B-5

6 demonstrates how this group was derived from the data, and how explicit and implicit relationships can be discovered. Figure 4. Group Detection Result Results and Application Comparing the manual analysis of relational data to the process described in this paper, not only is there a significant decrease in the amount of time required for analysis, but greater capabilities such as visualization and report generation are provided. The endstate is that the analyst is provided with a capability to go beyond a trivial analysis, and can delve into the underlying relationships and discover the hotspots of the dataset much faster. This gives the analyst the potential to gain a deeper understanding of the specific scenario resulting in a greater overall awareness. Further, when an analyst has relational data, the process described offers a means for maintenance of the data. Nodes and connections can be easily added and removed using ORA and TMODS. In addition, maintaining this repository of network data in a network analysis tool allows for fast analysis of the data. Possessing the ability to manipulate the visualization of a network and calculate network metrics at a moment s notice is invaluable to the analyst while they carry out their mission. Factoring in the current capabilities of text extraction, a completely automatic process could be developed to save the analyst even more time. Converting open source documents to relational data is a viable option today and would generate far more relational data than a human could manually process in the same amount of time. This would further enhance the process described in this research. The result of taking advantage of these analysis tools achieves the goal of this research and that is to provide the analyst with the ability to perform their job more effectively and efficiently. In addition, Strange states that centers of gravity are dynamic agents of action and influence, which need to be closely monitored and tracked 1. The process outlined in this research can also apply temporally, as it can trace entities and their relationships through time. The analyst can then learn and understand how networks evolve and decay, as well as identify trends and patterns, giving them greater insight and knowledge into their research domain. Summary According to Strange, a critical vulnerability is something that makes a center of gravity vulnerable 1. Intelligence analysts are routinely tasked with exploiting these centers of gravity and determining the weaknesses of the adversary. However, analysts are faced with numerous databases that are all Proc. of SPIE Vol B-6

7 enormous in size, which further justifies the need to apply this process to their problem. When applying the process, the analyst can easily maintain and alter network data while having the ability to execute algorithms against the data. As a result, they will be able to process data more efficiently and gain a greater understanding of the data. Reference [1] Strange, J. (1996). Perspectives on warfighting: Centers of gravity and critical vulnerabilities. Quantico, VA: Marine Corps University. [2] Nadel, S.F. (1957). The Theory of Social Structure. New York, NY: Free Press. [3] Carley, Kathleen & Reminga, Jeffrey. (2004). ORA: Organization Risk Analyzer. Carnegie Mellon University, School of Computer Science, Institute for Software Research International, Technical Report CMU-ISRI [4] Coffman, T.R., and Marcus, S.E. (2004). Pattern classification in social network analysis: A case study, Proceedings of the 2004 IEEE Aerospace Conference, March 6-13, [5] Macskassy, S., and Provost, F. (2005). Suspicion scoring based on guilt by association, collective inference, and focused data access. International Conference on Intelligence Analysis. Proc. of SPIE Vol B-7