Paladin

[Figure: Link Analysis Diagram]

Link Analysis Background

Today's terrorist enemy is fundamentally poor with respect to traditional military assets. They are not localized to a particular country or region, and most of their tangible assets are commercially available. The main asset that a terrorist or insurgent organization possesses is their network of terrorists or insurgents. The network enables terrorists to plan and to communicate covertly, to recruit new members, to acquire assets and expertise, to move money and assets where needed, and to carry out attacks. Executing these tasks leaves signatures in data - structures of interrelated transactions and associations. Yet, terrorists tend to use the same media and infrastructure that are used by the general public, so these signatures are often buried in an immense sea of background noise - transactions and associations that arise from legitimate activities and are not relevant to detecting threats.

Signatures constitute more than a simple trail of evidence to be followed. The structure of the network of data - how interrelated pieces of evidence fit together - contains much of the exploitable information. This differs dramatically from classical data fusion applications that process sensor reports or signals sequentially and assume conditional independence when fusing. In the structured, linked data environment of counterterrorism, signal processing requires connecting interrelated pieces of data and distinguishing threat signatures from noise. This process is often referred to as link analysis.

[Figure: Paladin Technology Diagram]

Paladin Technology Overview

Paladin is designed to detect threat activities and network anomalies by efficiently searching massive, noisy data that may be unreliable, incomplete and inconsistent. To manage uncertainty and reduce false alarms, Paladin technologies utilize a theory of detection on transactional and network data that was formulated by researchers at Metron. Paladin integrates four main functional components: an anomaly detector, a partial pattern matcher, a hypothesis evaluator and a hypothesis merger.

The anomaly detector is a pattern-free technology that offers a suite of statistical analyses, network metrics and algorithms to discover networks with deviant or abnormal properties.

The goal of the partial pattern matcher is to search for threat signatures that are believed (by domain experts) to reflect the execution of threat tasks, and to connect related signatures to hypothesize organized threat activities. The search strategy is optimized by analyzing threat patterns in the context of noise and clutter models. The goal is to reduce the data immediately by searching first for signatures or sub-patterns that are likely to be observed when a threat is present but unlikely to arise from noise and clutter.

The hypothesis evaluator utilizes Metron's detection theory results together with the transactional signal, noise and clutter models to compute a likelihood ratio statistic for each hypothesis. The likelihood ratio is an optimal detection statistic (Neyman-Pearson Lemma) for discriminating between threat and non-threat hypotheses.
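The two paragraphs above describe a search order driven by how discriminating each signature is, and a likelihood-ratio score per hypothesis with a Neyman-Pearson decision threshold. The following is an added illustration, not Paladin's code or Metron's models: it assumes a deliberately simple signal/noise model in which the transaction count on each link of a candidate sub-network is Poisson with one rate under the threat hypothesis H1 and a lower rate under the background-noise hypothesis H0. The signature types, rates and candidate hypotheses are constructed for the example.

```python
import math
from itertools import product

# Constructed signal/noise models (not Metron's): each signature type is a
# kind of transaction on a link, with an expected count per observation window
# under the threat hypothesis H1 and under the background-noise hypothesis H0.
SIGNATURE_RATES = {
    #  type             (lambda_threat, lambda_noise)
    "wire_transfer": (2.0, 0.1),
    "phone_call":    (4.0, 2.0),
    "same_address":  (1.0, 0.5),
}

# Constructed candidate hypotheses as a pattern matcher might emit them:
# name -> list of (signature_type, observed count) on the hypothesis's links.
HYPOTHESES = {
    "cell-A":       [("wire_transfer", 3), ("phone_call", 6), ("same_address", 2)],
    "background-1": [("wire_transfer", 0), ("phone_call", 2), ("same_address", 0)],
    "background-2": [("phone_call", 3), ("same_address", 1), ("same_address", 0)],
}


def link_log_lr(sig_type, count, rates=SIGNATURE_RATES):
    """log P(count | H1) / P(count | H0) for one link whose count is
    Poisson(lambda_threat) under H1 and Poisson(lambda_noise) under H0.
    The k! terms of the two Poisson pmfs cancel."""
    lam1, lam0 = rates[sig_type]
    return count * math.log(lam1 / lam0) - (lam1 - lam0)


def hypothesis_log_lr(observations, rates=SIGNATURE_RATES):
    """Log likelihood ratio of a whole hypothesis; its links are assumed
    conditionally independent given the hypothesis."""
    return sum(link_log_lr(t, k, rates) for t, k in observations)


def search_order(rates=SIGNATURE_RATES):
    """Signature types ordered by their expected log-LR contribution when a
    threat is present (a KL-divergence-style score). Types that are likely
    under threat and unlikely under noise come first, so searching for them
    first prunes the data set early."""
    def expected_log_lr(lam1, lam0):
        return lam1 * math.log(lam1 / lam0) - (lam1 - lam0)
    return sorted(rates, key=lambda t: expected_log_lr(*rates[t]), reverse=True)


def poisson_pmf(k, lam):
    return math.exp(k * math.log(lam) - lam - math.lgamma(k + 1))


def neyman_pearson_threshold(link_types, alpha, rates=SIGNATURE_RATES, max_count=40):
    """Smallest attainable log-LR value t with P(log LR > t | H0) <= alpha:
    the Neyman-Pearson threshold for false-alarm rate alpha. Computed exactly
    by enumerating the joint noise distribution over the hypothesis's links
    (counts truncated at max_count). Fine for small hypotheses; a large one
    would need Monte Carlo instead (assumption, not the page's method)."""
    mass = {}
    for counts in product(range(max_count + 1), repeat=len(link_types)):
        p = 1.0
        for t, k in zip(link_types, counts):
            p *= poisson_pmf(k, rates[t][1])
        # Round so that equal log-LR values reached by different count
        # combinations collapse into one bin despite floating-point noise.
        llr = round(hypothesis_log_lr(list(zip(link_types, counts)), rates), 9)
        mass[llr] = mass.get(llr, 0.0) + p
    cdf = 0.0
    for llr in sorted(mass):
        cdf += mass[llr]
        if 1.0 - cdf <= alpha:
            return llr
    return math.inf


def rank_hypotheses(hypotheses, rates=SIGNATURE_RATES):
    """(name, log LR) pairs from most to least indicative of threat."""
    scored = [(n, hypothesis_log_lr(obs, rates)) for n, obs in hypotheses.items()]
    return sorted(scored, key=lambda x: x[1], reverse=True)


if __name__ == "__main__":
    print("search order:", search_order())
    t = neyman_pearson_threshold(["wire_transfer", "phone_call", "same_address"], 0.01)
    print(f"NP threshold at alpha=0.01: {t:.3f}")
    for name, llr in rank_hypotheses(HYPOTHESES):
        print(f"{name:14s} log LR = {llr:7.3f}  {'THREAT' if llr > t else 'noise'}")
```

Because the likelihood ratio is monotone in the evidence, thresholding it at the value returned by `neyman_pearson_threshold` gives the most powerful test for the chosen false-alarm rate (the Neyman-Pearson lemma cited above); ranking hypotheses by the same statistic is what puts the analyst's list in "most to least indicative of threat" order.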

The ranked threat hypotheses are sent to the hypothesis merger, which clusters hypotheses that are likely to pertain to the same organized activity or network and merges each cluster into a representative hypothesis. Thus, an analyst is presented with a list of hypotheses about distinct organized activities that are ranked from most indicative of threat to least.

To enable users to apply Paladin to new data sources and solve problems in new domains, Paladin has straightforward input mechanisms - a data model and a database interface specification - that enable the extraction of entities, links and attributes from new data sources. A network visualization tool, complete with numerous automated network layout algorithms, enables users to explore discovered networks and hypothesized threat activities.

Paladin has demonstrated impressive threat activity detection on extremely noisy datasets with tens of thousands of entities and millions of transactions, in runtimes of less than five minutes. During two separate evaluations of threat event detection capabilities held by an independent contractor, Paladin outperformed all other efforts, achieving average recall and precision scores greater than 0.7 and 0.8, respectively.
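The hypothesis merger described earlier clusters ranked hypotheses that refer to the same activity and collapses each cluster into one representative, and the evaluation paragraph above scores the resulting list by recall and precision. The following is an added example of both steps, not Paladin's code: it assumes a hypothesis is represented by its set of entities plus the log likelihood ratio from the evaluator, that two hypotheses belong together when their entity sets overlap by Jaccard similarity of at least 0.5 (transitively), and that a reported hypothesis counts as a hit when it overlaps a ground-truth threat group by the same measure. The hypotheses, scores and ground truth are constructed.

```python
from itertools import combinations

# Constructed ranked hypotheses from the evaluator: name -> (entities, log LR).
RANKED = {
    "h1": ({"ali", "bob", "cara"}, 10.1),
    "h2": ({"bob", "cara", "dan"}, 8.4),
    "h3": ({"eve", "fay"}, 5.2),
    "h4": ({"ali", "cara", "dan"}, 4.9),
    "h5": ({"gus"}, 0.9),
}

# Constructed ground truth for scoring: the real organized groups in the data.
TRUTH = [{"ali", "bob", "cara", "dan"}, {"eve", "fay", "hal"}, {"ivy", "jon"}]


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def merge_hypotheses(hyps, min_overlap=0.5):
    """Union-find clustering of hypotheses whose entity sets overlap
    (Jaccard >= min_overlap), applied transitively. Each cluster becomes one
    representative hypothesis: the union of its entities, scored by the best
    member's log LR. Returned sorted from most to least indicative of threat."""
    names = list(hyps)
    parent = {n: n for n in names}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b in combinations(names, 2):
        if jaccard(hyps[a][0], hyps[b][0]) >= min_overlap:
            parent[find(a)] = find(b)

    clusters = {}
    for n in names:
        clusters.setdefault(find(n), []).append(n)

    merged = []
    for members in clusters.values():
        entities = set().union(*(hyps[m][0] for m in members))
        best = max(members, key=lambda m: hyps[m][1])
        merged.append({"members": sorted(members),
                       "entities": entities,
                       "score": hyps[best][1]})
    return sorted(merged, key=lambda h: h["score"], reverse=True)


def report(merged, threshold):
    """Entity sets the analyst is shown: merged hypotheses above the threshold."""
    return [h["entities"] for h in merged if h["score"] > threshold]


def precision_recall(reports, truth, min_overlap=0.5):
    """A report is a hit if it overlaps some truth group (Jaccard >= min_overlap);
    precision = hits / reports, recall = truth groups found / truth groups."""
    hits = [r for r in reports if any(jaccard(r, t) >= min_overlap for t in truth)]
    found = [t for t in truth if any(jaccard(r, t) >= min_overlap for r in reports)]
    precision = len(hits) / len(reports) if reports else 0.0
    recall = len(found) / len(truth) if truth else 0.0
    return precision, recall


if __name__ == "__main__":
    merged = merge_hypotheses(RANKED)
    for h in merged:
        print(f"{h['score']:5.1f}  {sorted(h['entities'])}  <- {h['members']}")
    p, r = precision_recall(report(merged, 0.0), TRUTH)
    print(f"precision={p:.2f} recall={r:.2f}")
```

On the constructed input, h1, h2 and h4 all describe the same four-person group and collapse into one line for the analyst instead of three, which is the false-alarm and clutter reduction the merger is for; the lone "gus" hypothesis survives the threshold and costs precision, and the "ivy"/"jon" group was never hypothesized and costs recall.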
