TerrAlert

System for Tracking and Disrupting Terrorist Operations


Metron is developing a system for the Intelligence Community called TerrAlert for tracking the progress of suspected terrorist operations and optimizing courses of action to delay or disrupt them. The approach uses Monte Carlo sampling and Bayesian, nonlinear filtering to estimate the state (schedule) of a terrorist operation. The operation is specified by a project management model (such as a Program Evaluation and Review Technique (PERT) or Gantt chart) with uncertain task durations. The goal of TerrAlert is to free the counterterrorism analyst to generate more hypotheses of potential threats and consider more options to counter those threats.

The analyst specifies an operation in terms of a set of tasks, precedence relations between the tasks (the order in which the tasks are performed, some in sequence and some in parallel), and a probability distribution for each task's duration. TerrAlert's particle filtering approach generates thousands of potential schedules for that operation via Monte Carlo simulation of the task durations. In the absence of evidence, all schedules have equal influence in the analysis.

As evidence comes in regarding the state of a task on a given date (e.g., task 5 has been observed in the "Ongoing" state as of 3 July 2005 with confidence 70%), TerrAlert uses Bayesian likelihood theory to adjust the weights on each schedule based on the evidence. Consequently, schedules that are more consistent with the observed evidence will tend to have more influence on the analysis than schedules that are less consistent.

This Bayesian approach allows all available intelligence information to be processed, even if incomplete, possibly false or contradictory. By taking weighted averages across all schedules, TerrAlert presents the user with aggregate estimates of the state of each task as of a specified date. For example, the rainbow chart estimates the probability of task 3 being "Not Started", "Ongoing" or "Finished" as of 3 July 2005 to be 10%, 50% and 40%, respectively.

In addition to estimating the progress of a suspect terrorist operation, TerrAlert can also provide the analyst with the following capabilities: (1) course of action analysis to delay or disrupt the operation, (2) what-if analysis based on different assumptions about the operation, and (3) collection management to guide the search for additional evidence.

Course of Action Analysis

TerrAlert can help estimate the impact of actions taken against different tasks and at different times designed to delay the completion of the operation. For example, bombing a factory where the manufacturing task is suspected to be performed is most effective when the manufacturing task is "Ongoing", less effective when the task is "Not Started" (the raw materials can be rerouted to a different facility), and ineffective when the task is "Finished" (the final product has already been produced and distributed). TerrAlert can assess the state-dependent impact of a given course of action over all of the weighted schedules.

In addition to estimating the impact, TerrAlert can help identify which tasks and times in the operation are most sensitive to disruption. For example, delays in completing some tasks will lead to delays in completing the operation. Delays on other tasks containing slack time do not hold up the completion of the operation. Planners can use TerrAlert to analyze the value of taking action now versus taking action at a later time after getting people or resources in place. TerrAlert can also estimate the impact of delaying action in order to obtain additional evidence.

What-If Analysis

Analysts can use TerrAlert to predict how the estimated progress of an operation would change if a particular task state was known or a particular type of evidence was found. For example, how does the probability of terrorists detonating a sarin bomb by December 2005 change if we assume that the sarin production task is finished as of July 2005?

Analysts can also consider different variations for carrying out an operation (e.g., adding or removing tasks, tasks in a different order, etc.). TerrAlert uses likelihood theory to discriminate which variant is most likely to be the one selected by the terrorists given the available evidence.

Collection Management

TerrAlert can guide the analyst through the process of searching for evidence that will be most effective at reducing the uncertainty of the progress estimate, using an information-theoretic entropy metric. For example, suppose on 12 July 2005, TerrAlert identifies that the state of the mass sarin production task has greater uncertainty than the state of any other task. TerrAlert would ask the analyst to estimate that task state as of that date, along with a confidence estimate for that state. If the analyst cannot find appropriate evidence to answer that question, then TerrAlert recommends the second-best task in terms of clarifying the operational state estimate.
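The schedule sampling, evidence reweighting and entropy-based collection ranking described above can be sketched as follows. This is an added example, not Metron's code: the four-task network, the triangular duration distributions and the likelihood model (the stated confidence for a matching state, the remainder split evenly over the other two states) are all assumptions made for illustration.

```python
import math
import random

# Constructed network: task -> (predecessors, (low, mode, high) duration in days)
TASKS = {
    1: ((), (5, 10, 20)),
    2: ((1,), (10, 20, 40)),
    3: ((1,), (5, 15, 30)),
    4: ((2, 3), (3, 5, 10)),
}
STATES = ("Not Started", "Ongoing", "Finished")

def sample_schedule(rng):
    """One particle: {task: (start, finish)} in days; TASKS is in topological order."""
    sched = {}
    for t, (preds, (lo, mode, hi)) in TASKS.items():
        start = max((sched[p][1] for p in preds), default=0.0)
        sched[t] = (start, start + rng.triangular(lo, hi, mode))
    return sched

def state_at(sched, task, day):
    start, finish = sched[task]
    return STATES[0] if day < start else STATES[1] if day < finish else STATES[2]

def update(particles, weights, task, day, observed, confidence):
    # Assumed likelihood: `confidence` if the schedule agrees with the report,
    # otherwise (1 - confidence) shared equally by the two other states.
    miss = (1.0 - confidence) / (len(STATES) - 1)
    new = [w * (confidence if state_at(p, task, day) == observed else miss)
           for p, w in zip(particles, weights)]
    total = sum(new)
    return [w / total for w in new]

def state_probs(particles, weights, task, day):
    probs = dict.fromkeys(STATES, 0.0)
    for p, w in zip(particles, weights):
        probs[state_at(p, task, day)] += w  # weighted average over schedules
    return probs

def entropy(probs):
    return -sum(q * math.log2(q) for q in probs.values() if q > 0)

def most_uncertain_task(particles, weights, day):
    return max(TASKS, key=lambda t: entropy(state_probs(particles, weights, t, day)))

def run(n=5000, seed=1):
    rng = random.Random(seed)
    particles = [sample_schedule(rng) for _ in range(n)]
    weights = [1.0 / n] * n  # no evidence yet: equal influence
    prior = state_probs(particles, weights, 2, 25)
    weights = update(particles, weights, 2, 25, "Ongoing", 0.7)
    return prior, state_probs(particles, weights, 2, 25), most_uncertain_task(particles, weights, 25)
```

`run()` returns the prior and posterior state probabilities for task 2 on day 25 and the task whose state is most uncertain on that day, which is the one a collection request would target first.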