DEVELOPING AN INTELLIGENCE ANALYSIS PROCESS THROUGH SOCIAL NETWORK ANALYSIS

Todd Waskiewicz and Peter LaMonica
Air Force Research Laboratory, Information and Intelligence Exploitation Division
{Todd.Waskiewicz, Peter.LaMonica}@rl.af.mil

Abstract

Intelligence analysts are tasked with making sense of enormous amounts of data and gaining an awareness of a situation that can be acted upon. This process can be extremely difficult and time consuming. Trying to differentiate between important pieces of information and extraneous data only complicates the problem. When dealing with data containing entities and relationships, social network analysis (SNA) techniques can be employed to make this job easier. Applying network measures to social network graphs can identify the most significant nodes (entities) and edges (relationships) and help the analyst focus on key areas of concern. Strange developed a model that identifies high value targets such as centers of gravity and critical vulnerabilities [1]. SNA lends itself to the discovery of these high value targets, and the Air Force Research Laboratory (AFRL) has investigated several network measures such as centrality, betweenness, and grouping to identify centers of gravity and critical vulnerabilities. Using these network measures, a process has been developed to aid intelligence analysts in identifying points of tactical emphasis. Organizational Risk Analyzer (ORA) and Terrorist Modus Operandi Discovery System (TMODS) are the two applications used to compute the network measures and identify the points to be acted upon. Leveraging social network analysis techniques and applications therefore provides the analyst and the intelligence community with more focused and concentrated analysis results, allowing them to more easily exploit key attributes of a network and thus saving time, money, and manpower.

Keywords: Social Network Analysis, Center of Gravity, Intelligence Analysis, Knowledge Discovery

Introduction

The concept of social networks was developed to provide a new method for analyzing the social structure of entities and the relationships between them within a network [2]. Social network analysis consists of a set of metrics and algorithms that analyze network characteristics, such as nodes, edges, and attributes. These techniques can be applied not only to social networks, but also to multi-modal domains.

Evolutionary and Bio-Inspired Computation: Theory and Applications II, edited by Misty Blowers, Alex F. Sisti, Proc. of SPIE Vol. 6964, 69640B (2008). 0277-786X/08/$18. doi: 10.1117/12.776990. 2008 SPIE Digital Library, Subscriber Archive Copy. Proc. of SPIE Vol. 6964 69640B-1

One particular focus of this research is to apply social network analysis techniques to derive high value targets that are especially critical to the intelligence community. Analysts within the intelligence community are interested in exploiting targets of interest by learning network characteristics such as centers of gravity and their critical vulnerabilities. In determining these attributes, analysts can gain a deeper understanding of the situation, which allows for greater impact of military action. These network attributes can be derived from the Strange Model of Critical Vulnerabilities. Dr. Joe Strange claims that extensive knowledge of the enemy's network is required to determine physical and psychological strengths and weaknesses, and ultimately to identify centers of gravity and critical vulnerabilities [1]. For example, the Strange Model states that the first task in planning is to identify centers of gravity and strategically understand the network that encompasses these centers.

Strange Model

In an edition of the Marine Corps University's Perspectives on Warfighting, Strange's "Centers of Gravity and Critical Vulnerabilities: Building on the Clausewitzian Foundation So That We Can All Speak the Same Language" is featured. In this paper, Strange presents a unique perspective on warfighting. For the purposes of this paper, that perspective is adopted for the analysis of criminal and terrorist networks. Strange presents a model for the adversary that includes four different roles: center of gravity, critical capability, critical requirement, and critical vulnerability [1]. Strange defines a center of gravity as a primary source of moral or physical strength, power, and resistance. A critical capability is a primary ability which merits a center of gravity being identified as such in the context of a given scenario or situation. The essential conditions, resources, and means for a critical capability to be fully operative are critical requirements. Critical vulnerabilities are critical requirements, or components thereof, which are deficient or vulnerable to neutralization, interdiction, or attack in a manner achieving decisive results.

These four roles can be applied to an adversary in an effort to minimize risk when planning action against them. When an adversary is modeled as a network, these roles can be filled through careful analysis of the network. One idea that Strange stresses is that the answer to who and what fills these roles is completely contextual [1]. In the case of warfighting, the answers may depend on the mission. The same holds for the analysis of criminal and terrorist networks: such a network is analyzed for some purpose, whether that is to identify someone who holds a lot of information or to remove a critical node from the network. For example, if a terrorist network is being analyzed, the objective may be to cripple the network's ability to obtain bomb-making materials. The results of this analysis may differ from those of an analysis concerned with cutting off the flow of money through the network. Consequently, when conducting network analysis, the results must take context into account. The highest-ranking node on some measure may not be the most significant according to the purpose of the analysis.

Organizational Risk Analyzer (ORA)

ORA is a network analysis tool that detects risks or vulnerabilities in an organization's design structure [3]. For example, ORA can help determine whether the removal of a certain person from a network will cripple the network's capabilities, or who the best person is to start the spread of ideas through a network. Relational data collected by an individual can be represented by a collection of networks called a Meta-Matrix and analyzed by ORA. The relational data can encompass associations between people, knowledge, resources, and tasks. ORA can both read and write a Meta-Matrix in multiple formats, making it interoperable with other network analysis software [3]. The network analysis can be applied to a variety of fields such as sociology, intelligence analysis, and operations research. This paper focuses on the use of ORA for the analysis of criminal and terrorist networks.

ORA provides three main ways to analyze networks: through its Reports, View Charts, and Visualize features. Each feature provides its own value to the analysis of networks. Reports provides a means of analyzing networks from a higher level than individual network measures such as eigenvector centrality and betweenness centrality. The Reports feature gives a high level name to a measure or collection of measures so that network measures may easily be selected for the appropriate purpose. For example, the Key Entities report allows the user to see who, what, and how key entities are important. For the "who" portion, the report identifies the person entities that are leaders, in the know, and connect groups, along with several other reasons for importance. The Key Entities report also indicates what measures were used in the calculations. The Report capability provides an easy and quick way to analyze a network without spending the time to seek out and calculate the appropriate measures.

The View Charts feature offers a more specialized means of analysis. It provides a large list of measures between the types of entities contained in the network. For example, betweenness centrality can be calculated between person entities, or out-degree centrality can be calculated between person and knowledge entity types. Once a measure is selected, a bar graph, scatter plot, or histogram can be used to display the results. The user can select the number of top results to display; for example, the user can choose to display the top 5 scores for centrality. View Charts provides the user with a more customized and specialized way of analyzing a network while quickly calculating and displaying the results in a number of ways.

The Visualization feature gives another way to view the data and conceptualize the analysis of the network. It provides a number of ways to customize how the data is presented. For example, only certain types of nodes can be displayed, or edges below a specific weight can be omitted. Customizing the way the network is displayed is the true value of this feature. Viewing only a subgraph of the network and altering the way it is displayed allows a user to see the graph beyond simple metrics. Significant entities and features of the network may be discovered that ordinarily would not have been found through calculating measures. Visualization can also motivate more analysis through Reports and View Charts.

Terrorist Modus Operandi Discovery System (TMODS)

Terrorist Modus Operandi Discovery System (TMODS) is an application with many utilities that include social network and pattern matching algorithms and techniques. This application was developed by 21st Century Technologies, Inc. and is very effective at assisting analysts in determining areas of importance in a network graph. One such algorithm within TMODS is known as the Best Friends Group Detection algorithm. This algorithm is very effective at taking network data and determining the groups of entities that exist within the network based on the relationships and attributes of the network. All nodes, edges, and attributes are analyzed and evaluated in discovering these groups. Thus, no prior domain knowledge is needed to determine the particular groups that exist within a network. The Best Friends Group Detection algorithm uses various social network analysis metrics, such as closeness and betweenness centrality. These two metrics define the connectedness value of each node to the other nodes within the network. From this attribute, groups can be defined within the network. Figure 1 demonstrates how the Best Friends Group Detection algorithm can discover groups from the network data. By gaining this knowledge, analysts can now determine relationships that exist within the network. Not only can this algorithm determine explicit relationships (e.g. A-B), but it can also derive implicit relationships. For example, Node A is connected to Node C through its relationship with Node B.

Figure 1: TMODS Best Friends Group Detection Algorithm

The Best Friends Group Detection algorithm allows analysts to reason about actors and their relationships, groups, and entire networks in a quantifiable and rigorous manner [4]. Thus, even with limited observability and knowledge of these large networks, analysts can detect groups and relationships that they previously had no knowledge of.

Process

In an attempt to fulfill the roles described in the Strange model, ORA and TMODS were applied. The network that was analyzed concerns trafficking of illicit goods via civil aircraft outside the United States. When using network analysis along with the Strange model, one should start by finding the center of gravity in the network. This is because the critical capabilities, vulnerabilities, and requirements will all be in the context of the center(s) of gravity that exist within the network; they will all be the attributes that enable the center of gravity. Finding the center of gravity in a network lends itself to the use of the eigenvector centrality metric, because the metric finds the nodes that are not only highly connected, but also connected to other nodes that are highly connected. A node with a high eigenvector centrality would certainly exhibit the properties of a center of gravity in a network. To find the center of gravity using eigenvector centrality, ORA and its View Charts feature were used, selecting Centrality, Eigenvector: agent x agent. The result is pictured in Figure 2. Notice that two distinct nodes score higher than the rest of the nodes. These two nodes are the most likely centers of gravity. Due to the relative closeness of their values, both could be considered centers of gravity, or one could be better suited than the other. To find out which is the case, further investigation is required, and for that TMODS was used.

Figure 2. Eigenvector Centrality Results (chart of Centrality, Eigenvector: agent x agent)

Analysis with TMODS

The same dataset that was processed in ORA was then processed in TMODS with the Best Friends Group Detection algorithm. As noted, the Best Friends Group Detection algorithm can take the network data and determine what groups exist within that data. An image of the data in TMODS can be seen in Figure 3.

Figure 3. Dataset in TMODS

Once the data is loaded, the user can execute the group detection algorithm and view the results. In one of the group results, the algorithm found that the same top two individuals from the eigenvector centrality analysis were in the same group. There was also a third individual found who was ranked fourth highest in eigenvector centrality, which led the analysis to focus more on this person. This person was also a known trafficker of illicit goods and connects the two top individuals with many other known traffickers. In the Strange model, boundaries are prime candidates for critical vulnerabilities to the network [1]. Further, since this individual acts as a boundary between these two groups, it can be inferred that the top two individuals are also associated with the trafficking of illicit goods [5]. Figure 4 demonstrates how this group was derived from the data, and how explicit and implicit relationships can be discovered.

Figure 4. Group Detection Result

Results and Application

Comparing the manual analysis of relational data to the process described in this paper, not only is there a significant decrease in the amount of time required for analysis, but greater capabilities such as visualization and report generation are provided. The end state is that the analyst is provided with a capability to go beyond a trivial analysis, and can delve into the underlying relationships and discover the hotspots of the dataset much faster. This gives the analyst the potential to gain a deeper understanding of the specific scenario, resulting in a greater overall awareness. Further, when an analyst has relational data, the process described offers a means of maintaining the data. Nodes and connections can be easily added and removed using ORA and TMODS. In addition, maintaining this repository of network data in a network analysis tool allows for fast analysis of the data. Possessing the ability to manipulate the visualization of a network and calculate network metrics at a moment's notice is invaluable to analysts while they carry out their mission.

Factoring in the current capabilities of text extraction, a completely automatic process could be developed to save the analyst even more time. Converting open source documents to relational data is a viable option today and would generate far more relational data than a human could manually process in the same amount of time. This would further enhance the process described in this research. Taking advantage of these analysis tools achieves the goal of this research, which is to provide analysts with the ability to perform their job more effectively and efficiently. In addition, Strange states that centers of gravity are dynamic agents of action and influence, which need to be closely monitored and tracked [1].
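The two steps of the process described above, eigenvector centrality to pick center-of-gravity candidates followed by a check of whether a lower-ranked actor is a boundary between groups, as an added worked example in Python (not code from the paper, ORA, or TMODS). The network is a constructed agent x agent graph, and the boundary check stands in for TMODS group detection by simply testing whether removing the actor splits the network.

```python
from collections import deque

# Constructed sample (not the paper's dataset): two dense clusters whose only
# link is the single actor "X". Undirected agent x agent edges.
EDGES = [
    ("A", "B"), ("A", "C"), ("A", "D"), ("A", "E"),  # A and B lead cluster 1
    ("B", "C"), ("B", "D"), ("B", "E"),
    ("A", "X"), ("B", "X"), ("X", "F"),              # X joins the leaders to cluster 2
    ("F", "G"), ("F", "H"), ("F", "I"),              # cluster 2
    ("G", "H"), ("G", "I"), ("H", "I"),
]


def adjacency(edges):
    """Undirected adjacency map: node -> set of neighbours."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def eigenvector_centrality(adj, iterations=500, tol=1e-10):
    """Power iteration on (A + I). The identity shift keeps the same leading
    eigenvector but prevents oscillation on bipartite graphs. Max-normalised."""
    nodes = sorted(adj)
    score = {n: 1.0 for n in nodes}
    for _ in range(iterations):
        new = {n: score[n] + sum(score[m] for m in adj[n]) for n in nodes}
        top = max(new.values())
        new = {n: s / top for n, s in new.items()}
        delta = max(abs(new[n] - score[n]) for n in nodes)
        score = new
        if delta < tol:
            break
    return score


def ranked(score):
    """Nodes from highest to lowest score; near-ties broken by name."""
    return [n for n, _ in sorted(score.items(), key=lambda kv: (-round(kv[1], 9), kv[0]))]


def components(adj, removed=()):
    """Connected components after deleting the nodes in `removed` (BFS)."""
    seen, comps = set(removed), []
    for start in adj:
        if start in seen:
            continue
        comp, queue = {start}, deque([start])
        seen.add(start)
        while queue:
            for m in adj[queue.popleft()]:
                if m not in seen:
                    seen.add(m)
                    comp.add(m)
                    queue.append(m)
        comps.append(comp)
    return comps


def boundary_nodes(adj, candidates):
    """Candidates whose removal splits the network: boundary actors, which the
    Strange model treats as prime critical-vulnerability candidates."""
    base = len(components(adj))
    return [n for n in candidates if len(components(adj, removed={n})) > base]


if __name__ == "__main__":
    adj = adjacency(EDGES)
    order = ranked(eigenvector_centrality(adj))
    print("center-of-gravity candidates (top 2):", order[:2])
    print("boundary actors among the next three:", boundary_nodes(adj, order[2:5]))
```

On the constructed graph A and B share the top score, X ranks third, and X is the only one of the next three actors whose removal splits the network, mirroring the paper's finding of a lower-ranked actor that bridges the top individuals to the rest of the group.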
The process outlined in this research can also be applied temporally, as it can trace entities and their relationships through time. The analyst can then learn and understand how networks evolve and decay, as well as identify trends and patterns, giving them greater insight into their research domain.

Summary

According to Strange, a critical vulnerability is something that makes a center of gravity vulnerable [1]. Intelligence analysts are routinely tasked with exploiting these centers of gravity and determining the weaknesses of the adversary. However, analysts are faced with numerous databases that are all enormous in size, which further justifies the need to apply this process to their problem. When applying the process, the analyst can easily maintain and alter network data while having the ability to execute algorithms against the data. As a result, they will be able to process data more efficiently and gain a greater understanding of it.

References

[1] Strange, J. (1996). Perspectives on Warfighting: Centers of Gravity and Critical Vulnerabilities. Quantico, VA: Marine Corps University.
[2] Nadel, S. F. (1957). The Theory of Social Structure. New York, NY: Free Press.
[3] Carley, K., and Reminga, J. (2004). ORA: Organization Risk Analyzer. Carnegie Mellon University, School of Computer Science, Institute for Software Research International, Technical Report CMU-ISRI-04-106.
[4] Coffman, T. R., and Marcus, S. E. (2004). Pattern classification in social network analysis: A case study. Proceedings of the 2004 IEEE Aerospace Conference, March 6-13, 2004.
[5] Macskassy, S., and Provost, F. (2005). Suspicion scoring based on guilt by association, collective inference, and focused data access. International Conference on Intelligence Analysis.