Using graphs for intelligence analysis

The identification and monitoring of terrorist or criminal networks are crucial activities to detect threats and defeat attacks. In this article, we see how Linkurious Enterprise and graph visualizations can help identify and track potentially dangerous individuals and networks.

Challenges for intelligence analysis

Criminal or terrorist activities are rarely conducted by isolated individuals. Behind these activities, we find more or less centralized organizations or networks. Intelligence experts are in charge of identifying every actor of such groups, despite their strategies to hide their connections to the networks (encrypted communication services, numerous middlemen, fake identities, etc). Getting the whole picture of the network is essential to monitor suspect activities, prevent attacks or detected potential threats.

Countering crime and terrorism is also about gathering information, from various existing sources. The logic so far has been: the more data intelligence and security organizations are able to obtain, the more likely they are to gather a clue needed to identify criminal or terrorist activities. But this means analysts and investigators have to handle large sets of heterogeneous data.

While traditional methods fell short to making sense of heterogeneous and large datasets, graph-based intelligence analysis is particularly effective. Graph databases allow organizations to store and query in near real-time the relationships between billions of entities. Let’s see how these systems, combined with network visualization tools like Linkurious Enterprise, can help intelligence analysts identify and investigate threats.

Applying a graph approach to intelligence analysis

We will dive into the investigation of a potential terrorist threat and explore how Linkurious Enterprise can help identify and investigate suspicious networks.

For this purpose, we have created a dataset with fictitious data about people, including addresses, phone numbers and travel information. This data can easily be modeled as a graph:

Graph data model of our investigation data

The graph data model of our investigation data.

To keep our analysis understandable, we chose a very simple model with only a limited volume of data. A real-life situation will definitely involve larger volumes and a wider range of data types.

As depicted above, data entities, such as individual, email, phone, are modeled as nodes. Relationships between entities are symbolized with edges, labeled with the nature of the connection. The data then form a network.

Let’s start our investigation by trying to detect suspicious patterns in our data.

How to use graph patterns to detect potential threats

When dealing with large datasets, we need to find ways to focus the analysts’ attention on relevant information. Here, we want to detect potential terrorist cells. We are going to try to detect groups of at least three people who 1) visited an at-risk country (in our case Syria) and 2) are indirectly in contact (via their addresses or phone communications).

With a simple Cypher query, users can set up a monitoring activity for chosen patterns. Below is the script we will use to identify our pattern:

// Detecting threats:
MATCH (a:Person)-[s:HAS_CONTACTED|HAS_PHONE|HAS_ADDRESS*..10]-(b:Person)-[:HAS_BEEN_TO]->(d:Country {name:’Syria’})
WITH a, collect(s) as rels,collect(distinct b) as suspects,d,count(distinct b) as score
WHERE score > 2
RETURN a,suspects
ORDER BY score DESC

Linkurious Enterprise reported three individuals in the database with an activity matching the pattern: Jessica Wells, Bobby Murphy, and Ruth Warren. In a click, analysts can visualize the individuals and how they are interconnected. Jessica, Bobby and Ruth display a “has been to” relationship with Syria and appeared to be all connected to a unique phone number: Judy Lewis’.

Visualization of a suspicious network around Jessica, Bobby & Ruth

Visualization of a suspicious network around Jessica, Bobby & Ruth.

Several nodes intermediate between our three people and Judy’s phone number. Phone calls and address are the bridges enabling the connection between our individuals. For analysts, this particular pattern could be pointing toward a recruiting network, with numerous middlemen to avoid detection. Those results could lead to specific recommendations and further investigations.

A graph approach provides the opportunity to detect specific cross-data patterns. With Linkurious Enterprise, it is easy to visualize and understand both the network and the relationship between its members. Node-edges graph visualizations combine all the available information in a single representation.
Some of the nodes here seem to be connected to other entities. Linkurious Enterprise allows analysts to interactively explore the data and uncover new information.

Investigate complex networks with graph visualization

We identified a potential network with several people. Perhaps they have accomplices? We can try to investigate further, starting from one node of the network. Let’s pick Judy’s phone number for instance and extend the nodes around it.

Investigating Judy’s closest connections via her phone number

Investigating Judy’s closest connections via her phone number.

Judy is connected to a certain Robert Wells, via phone communications, and Robert is himself connected to Theresa Mills’ phone number. If we expand the nodes linked to Theresa’s phone, we get the following visualization.

Visualization of a sub-network around Theresa’s phone number

Visualization of a sub-network around Theresa’s phone number.

The sub-network around Theresa Mills is very specific. The nodes, all linked together, are phone numbers associated to seven individuals. Such pattern -a  small highly connected group with a unique bridge to other potential suspects – represents a sub-network within the larger network we are investigating.

From a single node, we went up to another group, gathering new information about the network. Interactive and scalable tools like Linkurious ease the exploration and analysis for experts.

Visualize and analyse intelligence and security data with Linkurious Enterprise

The graph approach is well suited for the investigation of criminal networks and terrorist groups. Linkurious Enterprise offers to intelligence agents a unique entry point to identify hidden insights in complex connected data. Analysts can determine specific patterns to monitor suspicious activities. The visualization interface allows them to navigate between the nodes to identify new key actors through hidden connections.

READ A CASE STUDY OF TERRORISM INTELLIGENCE ANALYSIS

Tags: , , , , , ,

No comments yet.

Leave a Reply

Subscribe to our newsletter

Receive monthly updates about Linkurious and graph related news.

Follow us