SKYNET: Applying Advanced Cloud-based Behavior Analytics

May. 8 2015 — 10:26a.m.


TOP SECRETHCOMINTHHEL TO USE. HUS, CAN, GER, NZL ifi'fiBeh-avior Analytics {ff 3:

- Outline I What is DEMONSPIT Data Flow Automated Bulk Cloud Analytics Analytic Triage

. . . trill". A fun"- "frn'VIn" .11. I . r-Collaborative cloud research effort between 5 different organizations crossing 3 NSA Directorates: Signals Intelligence: 52L 522, 556 Research: R6 Technology: T12, T14 - Partnerships MIT Lincoln Labs 8: Harvard - SKYNET applies complex combinations of geospatial, geotemporal, pattern-of?life, and travel analytics to bulk DNR data to identify patterns of suspect activity

TOP SE - . MMC Counterterrerism Missile-n Managemem Center Update Rough outiine of ceurier path as described by the targets Tu esdaw' rider,?r Sunday Wazirist an . i I I: . Sundaw'MDndav TOP SECRETHCOMINTHREL TO USA, AUG, CAN, GER, NZL Probany Faisalabad

- . . itinWho has traeled from Peshawar toFaialabad or Lahore (and back) in the past month? - Who does the traveler call when he arrives? - Who else is seen in the area when the traveler arrives, and . who seen leaving the area shortly afterward? Who travels to/from Peshawar every other Sunday and "somewhere else" on a weekly basis? Who visits Akora Khattak periodically and also travels between Peshawar and Lahore? Who fits the above travel profiles and also possesses unusual behavior: - One or two hops from other suspects or known tasked selectors - Frequent handset swapping or powering down

DEMONSPIT is a new dataflow for bulk Call Data Records Pakistan CDRs are being acquired from major PK Telecom providers Data is normalized through TUSKATTIRE, like all other Call Data Records DEMONSPIT data is forwarded by TUSKATTIRE to several Clouds: - Promotes records to FASCIA and feeds the SEDB Tower QFD Cloud 14 - Ingests DEMONSPIT into Sortinglead summaries to support SKYN ET Analvtics - Ingests DEMONSPIT into a Perishable QFD which will be available to via JEMA and CINEPLEX Bulldozer/MDRZ I o??e ciouds receiving DEMONSPIT date dist} receive FASCIA data

Original Original Access to cure, Analyst-Queries. Results of Analytics Summaries Analyst Prams-ted 8 SKYNET Sr. Analyst Pramntad EDRs Access to ALL DEMONSPIT Data is?? Access to DEMONSPIT FASCIA Promoted Data

- Outline I What is SKYN DEMONSPIT Data Flow Automated Bulk Cloud Analytics Analytic Triage .

TOP SECRETHSIHREL TO I. Cloud Building?. . I a- 5 Travel Pattern Travel phrases (Locations visited in given timeframe) Regular/repeated visits to locations of interest - Behavior-Based Analytics Low use, incoming calls onlv Excessive SIM or Handset swapping Frequent Detach/Power-down Courier machine learning models Other Enrichments Travel on particular days of the week Co-travelers Similar travel patterns Common contacts Visits to airports Other countries Overnight trips Permanent move TOP 1 .

Sample Travel. Report: Haqqani Network ta sked- selectnr_ centect- swapping assesiated_ ceu nt num selectors _seed-centacts lash ka rgahjitv newbahar IR uisits_regularly countries phrase helmend kendeher AF PK farah AF farah masew farah masew newbahar masew BA ghazni AF sharan urgen AF khest_airpert kajir_kaiay

What Suspicious Selectors Were Seen Traveling Between Peshawar and Lahore? Ehnvfaru! Cloud Ana! tics Peshawar-Lahore Travel 1 - 4 NOV 2011 TASKED TRAVEL PHRASE MSISDN IMSI CONTACT 5 SELECT 0R5 CATEBDRIES terkham AF PK Ipeshawar Iahnre FRI 2 IPK peshawar lahere THU behsud AF jalalabad jalal_abad jalalabad behsud redat bati_kot mnhmand?arah .peshawarw ww 4 PK nowshera gulhahar peshawar sanda_kalan lahore THU jamrud PK peshawar Ilahere TUE Ber-fewer- centaets; sms- and?zero? duration-calls- peshawar lahore THU only, low-use

- Outline f" . What iS SKYN DEMONSPIT Data Flow Automated Bulk Cloud Analytics Analytic triage SMARTTRACKER .

Selectors of Interest from Cloud Travel Analytic (tasked) Handsets:

an?mn: UC ell ID 2 Lin??m?'?h?uj? 1* 1 1 59:13? 14 1- I 11-9011 03:19:16] ?it?ltai-?rIEil-CEIIJ?I?] 112112011 13:3t1'5} 13:34:15] 7 TOP SECRETHSIHREL TO USA, EVE-Y5- Lat; in! I: LIIZEIIDID 410305.01] 03.20 393 30 [1133-3911 7411:3355} 104 TASHEU ME 21201114553}? 31 191171? N. 75? 315.193?

TOP To use, Ever"- AnaIYtic Tradecra? Examine travel patterns for common routes and meeting locations Run cell soaks on all common meeting locations during meeting timeframe - Analyze selectors for common contacts - Analyze selectors for handset sharing behavior Repeat procedure with resulting selectors Correlate with other known and suspected selectors TOP Use,

SMARTTRACKER Coincidence Report Era-:3 mm 3 rams-m. . 1 at 1 location Sets- 1th tars-315 31 at l?locannE- 9! at locations 3 at 13'. IDCEDDHE 33 at 12 locahons SE at 12 locations 2.: at 11 IDCEUDHS 1 at 1 location 1 at 1 1 at 1 location


. .infMeetings who is at the same ucellid at the same time as the potential courier at the destination times. - - . Sidekicks - is there a pair traveling together to the destination city?

TOP To USA, Pulling It Start/nd points il Human in the loop to analvze travel Destination Cities reports. Evaluate, add value, prioritize Are selectors seen meeting at Does Sidekick selector have destination consistently? call events?


Fetching more

Filters SVG