Estimating Vulnerabilities in Large Covert NetworksOrgAhead – multi-agent network model of...
Transcript of Estimating Vulnerabilities in Large Covert NetworksOrgAhead – multi-agent network model of...
June 2004
Estimating Vulnerabilities in Large Covert Networks
Kathleen M. [email protected]
412 268 6016
June 2004 © Kathleen M. Carley – CMU ISRI CASOS
Overview
Network profiles of terrorist organizationsAl-Quaeda HamasData derived both qualitatively and quantitatively
Computational simulation of large-scale dynamic social networks
Meta-Matrix modelORA AnalysisDyNet simulation system
Performance of simulation tools on covert networks
June 2004 © Kathleen M. Carley – CMU ISRI CASOS
DyNetML
ORAStatistical analysis
of dynamic networks
AutoMapAutomated
extraction of network from texts
DyNetSimulation of
dynamic networks
Extended Meta-Matrix Ontology
TEXT:
Thesaurus
Delete List
Capability and interoperability of suite of tools.
Network-Vis Network-VisNetwork-Vis
TEXT:TEXT:TEXT:
Report on comparison and analysis of networks
described in texts
Sub-group andtopology
identification
Vulnerabilityanalysis
Key actor, roleact identification
Impact assessmentof change tactic
or evolution
Unified Database
June 2004 © Kathleen M. Carley – CMU ISRI CASOS
Text Analysis Approach
al QaedaSeveral thousand articles, web pages, etc.BooksData collected automatically and by hand
HamasSeveral hundred articlesData collected automatically and by hand
June 2004 © Kathleen M. Carley – CMU ISRI CASOS
Profile: Al-Qaeda
Built to maximize secrecy and securityInformation partitioning between cellsNode and link redundancyCellular structures
Small, densely connected cellsLittle interconnect between cells
Inter-cell connections are often dormant and only activated on the as-needed basis
Cells are expendable – minimizing the impact of a cell removalCell leaders are more knowledgeable then other membersCell members have distributed knowledgeCells are largely self-sufficient
Absorbs local insurgencies as operational cellsCentral command structure is a 2-level hierarchy (Bin Laden and a group of top officers)Regional structures differ; most prevalent are cellular organizations
June 2004 © Kathleen M. Carley – CMU ISRI CASOS
Profile: Hamas
Hierarchical Command and Control structureDivided into functional “services”, regionally distributed
“Political Wing” (based in Syria)Infrastructure (local and international)
Social Support Infrastructure (Schools, hospitals, etc)Fundraising, financeWeapons procurementReligious activities
“Military Wing”Popular Uprising (organizes protests and local resistance)Internal Security (Jihad Amman)Suicide BombersAzzeddin Al-Quassam
Professional military wingTrains and supplies suicide bombers
June 2004 © Kathleen M. Carley – CMU ISRI CASOS
Profiles of Terrorist Networks
Reasonably high Infrastructure - legitimate businessesOperational - infiltrated into police, etc.
Moderate to lowHidden
Integration with community
Functional and Regional LeadersCell LeadersExecutives
By function and region, also hierarchical
Similarity (historical)Connection among cell leaders
Planned by function; executed by local cells; funded regionally
Cell-orientedMultiple cells cooperate for large missions
Mission Structure
Function-OrientedSame skills in cells, need external support
Mission-orientedDistributed skills in cell, somewhat self-sufficient
Cells
Matrix – by region and functionTop-level structure is a hierarchyUnderlying cellular structureAbsorbs structures of subsidiary groups
Organizational Structure
HamasAl-QaedaFeature
June 2004 © Kathleen M. Carley – CMU ISRI CASOS
Al Qaeda 2001
June 2004 © Kathleen M. Carley – CMU ISRI CASOS
Al Qaeda 2004
June 2004 © Kathleen M. Carley – CMU ISRI CASOS
al Qaeda
June 2004 © Kathleen M. Carley – CMU ISRI CASOS
Membership
Members that Joined
32
62
1825 25
21
40
19
8
21
36
1723
15
1 3 00
10
20
30
40
50
60
70
pre19
8919
8919
9019
9119
9219
9319
9419
9519
9619
9719
9819
9920
0020
0120
0220
0320
04
Year
Num
ber
Members that Left
212
2314
2
21 1711
71
52
79
30
102030405060708090
1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004
Year
Num
ber
Live Members
0
50
100
150
200
250
300
pre19
8919
9019
9219
9419
9619
9820
0020
0220
04
Live MembersLive Married MembersLive Members w/Children
June 2004 © Kathleen M. Carley – CMU ISRI CASOS
Internal Structure
Avg Live Member Total Degree Centrality
-0.03
-0.02-0.01
00.01
0.02
0.030.04
0.050.06
0.07
pre19
89
1990
1992
1994
1996
1998
2000
2002
2004
Year
Avg
Tot
Deg
ree
Cen
tralit
y
Avg-StdAvgAvg+Std
Avg Live Member Cognitive Demand
0
0.02
0.04
0.06
0.08
0.1
0.12
0.14
pre19
89
1990
1992
1994
1996
1998
2000
2002
2004
Year
Avg
Cog
Dem
and
Avg-StdAvgAvg+Std
0
0.005
0.01
0.015
0.02
0.025
0.03
Time
Density
Average Live Member Betweenness Centrality
-0.02
-0.01
0
0.01
0.02
0.03
0.04
pre19
89
1990
1992
1994
1996
1998
2000
2002
2004
Year
Avg
Bet
w C
entra
lity
Avg-StdAvgAvg+Std
June 2004 © Kathleen M. Carley – CMU ISRI CASOS
al-QaedaBin Ladin
Religiousrecruitment finance media
consultative council
Militarytraining
operational cell
supportcell
support operation
support
support
operation
operation
operation
operation
support
June 2004 © Kathleen M. Carley – CMU ISRI CASOS
Hamas under Yassin
MeshaalDamscus
Infrastructure
Egypt
Gaza (HQ)
h
West Bank
Otherregions
OtherRegions
}Damascus
regional organization
functional cells
Lebanon
Judea Samaria
YassinGazaHead
RantissiGaza
Operations
June 2004 © Kathleen M. Carley – CMU ISRI CASOS
Hamas with Yassin
June 2004 © Kathleen M. Carley – CMU ISRI CASOS
Characteristics of Key Actors
Rantissi.087
Bin Ladin.015
Individual most likely to be an emergent leader, isolation of this person will be moderately crippling for a medium time
Highest in cognitive demand
Yassin.011
Bin Ladin.028
Individual most likely to diffuse new information, isolation of this person will be slightly crippling for a short time.
Highest in degree centrality
slightly less complex .053
Overall –very low density
slightly more complex .096
Overall –very low density
Very low then probably major amounts of missing data, possibly cells are self directed. Very high then system is tightly coupled and possibly prone to group think.
ComplexityHamasal-Qa’idaMeaningCharacteristics
June 2004 © Kathleen M. Carley – CMU ISRI CASOS
Expected Performance
Performance Over Time
64
65
66
67
68
69
70
71
1 14 27 40 53 66 79 92 105 118 131 144 157 170 183 196
Time
Per
form
ance
al-Qa'idaHamas
June 2004 © Kathleen M. Carley – CMU ISRI CASOS
Hamas Before and After Yassin
Before After
June 2004 © Kathleen M. Carley – CMU ISRI CASOS
Expected Performance After Removal of Top Leader
Performance impact of removing top leader
64.5
65
65.5
66
66.5
67
67.5
68
68.5
69
1 18 35 52 69 86 103 120 137 154 171 188
Time
Perf
orm
ance
al-Qa'ida without leaderHamas without leader
June 2004 © Kathleen M. Carley – CMU ISRI CASOS
Range in Estimates
Hamas Density
.03/.05 CD Yassin - .05/.04Degree - 2
Al-QaedaDensity
. 02/.096 (.01 to .03)CD bin Ladin - .05/.028Degree 2
Typical social networkDensity
.3Degree 7
But – since the structure is apx consistent –the results hold
June 2004 © Kathleen M. Carley – CMU ISRI CASOS
Key Ideas of Dynamic Network Analysis
Meta-Matrix
Combine
Emergent leaders – cognitive demand
People Knowledge Tasks
People Relation
Social Network Who knows who
Knowledge Network Who knows what
Assignment Network Who does what
KnowledgeRelation
Information Network What informs what
Needs Network What knowledge is needed to do that task
Tasks Relation
Precedence Network Which tasks must be done before which
Networks + multi-agentSocial science + computer science
Conceptual + network data
June 2004 © Kathleen M. Carley – CMU ISRI CASOS
Where Next
Dynamic measures Visualizing dynamicsSocial “zooming” on the visualsSimulations – linking actions (beyond communication) and networksExplore personality additionsExplore power added by using graph based pattern detection – like proximity
June 2004 © Kathleen M. Carley – CMU ISRI CASOS
Related Work
AutoMap – semi-auto extraction of network data from textsORA –DyNet – evaluation of network dynamics and destabilization policiesNetWatch – impact of data integration, sharing and control on ability to detect evolving networkBioWar – city scale multi-agent network model of weaponized biological attacksOrgAhead – multi-agent network model of evolving organizational formsConstruct – co-evolution of agent mental models and social networksThreatFinder – social/knowledge management system for locating IP security risksVista – estimating the evolving likelihood and impact of unanticipated events in urban settings