Automating Intelligence Creation & Analysis

30 Jan 2020

Ashish Sonal CEO Orkash Services Pvt Ltd

Orkash is an international management-consultinggg and high-technology services com pan y operating in the following areas: ― Investment & Transaction Advisory Support ― Operational Risk and Security Risk Management ― Strategic Business & Market Intelligence ― SaaS-based Technology Solutions

Cutting edge technology expertise across AI systems, very large data mining, BI, cyber forensics, and parallel computing clusters & cloud computing.

Orkash is dedicated to turn knowledge and information into intelligence as a value driver for rapppid response to new o pp,ppportunities, competitive forces and risks. The greater the uncertaint y, complexity and risk in an operating environment, the greater is the potential of the value that Orkash delivers.

The company prides itself in measuring the value that it creates for its clients on strategic business metrics such as efficienciesefficiencies in execution, time-to-market, and returns.

Automating Intelligence Creation

Semantics & GIS Integration - Bridggging Technical Intelligence & Human Intelligence

Investigative Intelligence - Cyber Forensics

Decision Support - Granularity & Visualization

Backend Technologies - HPC Clusters and Clouds,,py,g AI Expert Systems, Large Scale and Real Time Data Mining

13 September 2008 27 September 2008 13 May 2008 New Delhi New Delhi Jaipur, Rajasthan (Six devices) (One device) (Eight devices) 30 October 2008 01January 2008 Guwahati, Assam 29 September 2008 Rampur, U. P (()18 devices) Modasa, Gujarat (Two devices) (One device) 21 October 2008 Imphal, Manipur 26 July 2008 (One device) Ahmedabad, Gujarat (21 devices) 29-30 July 2008 01 October 2008 Surat, Gujarat Tripura, Agartala (18 dev ices ) (Five devices)

29 September 2008 Malegaon, Maharashtra Date of attack (Two devices) Location 25 Ju ly 2008 (Scope of the attack) Bengaluru, Karnataka 26-29 November 2008 (Eight Devices) Mumbai, Maharashtra (()Multiple Attacks & Blasts) LEGEND KEY

Naxalites attack in last five years 140

118 120

100 No. of attacks 80 71 No. of people killed 60 mber 60 uu N

20 887 8 2 1 3 0 2005 2006 2007 2008 2009 Year

• From the organized 26/11 Mumbai attacks, it is clear that the attack was planned long ago • Terrorist groups used the internet and the mobile networks, for communicating messages, collecting information, money transactions and other

[email protected] [email protected] [email protected] Banking and Card Usage Internet account Location Account: Hazi Al Password: IP address Hazi_123 MAC address Multiple Sims Metadata Email tracing

Telephone Multiple Handsets Historical data analyygpsis can train artificial intelligence expert- engines to raise triggers and red flags. Real time data mining of mobile traffic generate trends and patterns in the usage

Intelligence Consumption Intelligence Creation

Strategic Tactical Intelligence Intelligence

Operational Intelligence

Strategic Intelligence Tactical Intelligence

Technical Intelligence + Human Intelligence

Predictive and Investigative Intelligence

GlitGranularity - DtData CbCubes

WHEN

WHO

WHERE

WHAT

WHY

Data Miiining & Information Forensics Extraction and Monitoring Geospatial Data Mining on •Extraction of data Analysis real time basis from various Semantic sources including Analysis of trends Analysis in websites, blogs, AliAnalysis and patterns of geospatial context mobile phone, activities to have better Emails and couriers Use of semantics data visualization Internet & Cyber to decipher the • Banking Forensics content Geospatial transactions, credit intelligence for card usage, travel Target Centric Using domain effective decision records specific ontologies making SilNtkSocial Network • Monitoring of web Analysis Network analysis Location for any unusual Tools and intelligence for communication and Pattern Tracing and analytics better interpretation red flags Tracking of network

Where is the Intelligence Gap • access andififid extraction of information • language interpretation for the context, and removal of NOISE • search vs scan . • pattern tracking , granularity & visualization

Leverage ‘collective int’

Geospatial analysis

Data mining Semantic analysis

Information generation/extraction

Global Internet Audience (()in ,000's)

282,651 Increased Email Communications 416,281

100000 90000 T e xt Me ssa g e s S e n t Total number 1600 1480 80000 of emails (in billions) 1400 74,906 60000 Spam emails 1200 ns)

72900 (in billions) oo 1000 185,109 40000 48,783 800 772 SM S sent Asia Middle North 20000 147 600 (billions Pacific East & America 210 Africa 0 400 2008 2009 Latin Amer- Europe 200 ica e s s a g e s s e n t ( in b illi M 0 2008 2009 Year Internet users in India Internet Users Active users: 1.3 mn 70000000 DilDaily TtTweets: 27.3 mn 60000000 50000000 Tweets per hour: 1.8 40000000 mn 30000000 “80 tweets per second 20000000 were posted during 26/11 10000000 0 Mumbai attacks” 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009

• Requirement for massive high-performance parallel-processing clusters/cloud computing - consisting of hundreds of servers • GPU processors - 1000 cores and above • Massive data streams - very specialized database architecture

[email protected] [email protected] [email protected] Banking and Card Usage Internet account Location Account: Hazi Al Password: IP address Hazi_123 MAC address Multiple Sims Metadata Email tracing

Telephone Multiple Handsets Historical data analysis would train expert engines to raise triggers and red flags. Real time data mining will generate trends and patterns in the usage …ensuring Assurance in complexity and uncertainty 12 © 2010 - Orkash Services Pvt. Ltd. A Key Intelligence Challenge

• A key challenge for intelligence purposes is Deciphering the Intent of a target individual

• Behavior profiling

• Internet footprint - creation of filters over the internet traffic so that the keywords can be picked up and can be used as triggers

• Search patterns and kind of websites visited

• RSS feeds subscribed, social networking sites, search engine, alerts set, discussion board and blog postings

• Travel and movement of a person

• Email and communication patterns and linkages

• The pppresent platforms either do not tackle the issue of semantics fully or take into account a simple semantic structure. The burden of 'meaning construction' is left entirely to the user

• Interpreting the geographical or the spatial context of text and technical metadata

• Conversion of unstructured to structured data

• Integration with geographic data.

AtAutomated Contextualize info collection of & events real time events

Organize and identify relationships

Identify abstract 'Output' is the input for qualifiers - e.g the ne xt le vel of info opinions gathering

About 80% of all data and human decisions has a geographical component making the geo-spatial context more relevant in intelligence creation

Semantic enrichment is the process of creating or associating semantic tags in unstructured data or text, usually involving concepts, entities, relationships, events and properties described in an ontology or rule based Benefits : Adding semantic metadata tags to the original unstructured data enables advanced correlation and data fusion capabilities. Enables concept , event and relationship extraction and automated metadata tagging. Commonsense Concepts Engine Engine D1 D2 Classification D3 Document Semantically Results . Class ificati on EihdEnriched . Concepts Tagged Documents Dn Documents + Documents (XML) Entities Semantic Enrichment

QQyuery : Where does the woman who lives at 75-C, Sector 18 work??

dog is a

is a mammal is a Pali ownedbd by is a person is a pet Krishna

is a owned by lives in married to

house Ruhi worktks at located at 75-C, Orkash Sector-18

Query: What is the key reason behind the frequency of attacks and the transition of terrorism India?

Contextualize through NLPA + B + C

Query Result: Operational sophistication and adoption of modern technologies has led to the transition of terrorism in India

• Visualization of the meta-data and the contttent – Ctif'Vil'lCreation of 'Visual' layers

• Role of contextual scan -semantic and geospatial

• User created content and collective intelligence

…ensuring Assurance in complexity and uncertainty 22 © 2010 - Orkash Services Pvt. Ltd. Role of Cyber Forensics in Preemptive Intelligence • E-mail system of the Indian Prime Minister's Office (PMO) remained affected by a computer virus for 3 months dur ing 2008. Spyware in fec tion a ffec te d aroun d 600 compu ters o f the Mini st ry of Ext ernal Affa irs in February in 2009. • There have been several serious attacks by international hacking communities on Indian government IT networks. Many Indian ministries, embassies, the NIC and other organizations have faced disruptions arising from such threats • In 2006, investigations into the Mumbai train bombings highlighted that tech professionals in a leading technology firm in Bangalore were operating sleeper cells, using advanced techniques to mask identities of IP addresses and resorted to steganography for disguised communications and fund transfers

Cyber Forensics

Pre-event Post-event 1. Driven by intelligence gathering 1. Driven by Evidence Chain 2. Is predictive in nature Management System 3. Data Mining can produce trends 2. Is investigative in nature and patterns 3. Evidence that can be produced 4. Track back analysis in the court …ensuring Assurance in complexity and uncertainty 23 © 2010 - Orkash Services Pvt. Ltd. Packet Level Forensics

DimBackTra DimPort ck(Sk (System (VictimPort Detail Key) i.e.IP,MAC,D Audit NS,Node) (UpdateAu dit) DimPort (Int rud erP o rtKey)

Audit (Internal Package and TRACK-BACK table execution FORENSICS - Internet DimTime auditing) Packets (Time series Analysis)

DimIssues (Threats) DimEvidenceSu mmary (EvidenceLog e.g Protocol Info, DimSecurit DimRespo Total time, yLevel (4 nseLevel Packet) categories (Analytics of of severity Security) Calculation

Internet Pharmacy

I N V E S T I G A T I O N C H A N N E L S

Payment Physical Online selling gateway Supply

• Results from data mining can • Every physical packet of goods • Emails headers and firewall logs are critical in investigations through help in tracking payment leaves a footprint during its packtket lllevel fiforensics and tktrack transactions transportation backs • Derive the correlation between • It is possible to track the • Employ data mining tools like payment gateways and assess international movement of goods clustering, classification and the business architecture of the and narrow-down on the source. association sales channel Especially in case of medicines as • Mining of data in a relationship these are classified as ‘poisons’ database • Track the network of courier • Narrow down on suspicious IP services and/or other individuals addresses through pattern detection involved in the transit

Manual approach Graphic based approach Structured analysis approach4

(1) Manually creation of (1) Graphically representation (1)Advanced analytical capabilities association matrix by of terrorists networks using to assist investigation identifying the relations tools such as Analyst through raw data Notebook (i2) (2) It can help in identifying networks to mining of large volumes (2) Helpful in crime (2) Helpful in visualization of of data to discover useful investigation, becomes large amount of relationship knowledge and create intelligence ineffective where datasets data but without analytical about the structure and organization are very large functionality. of criminal networks - Data Mining - Social Network Analysis - Pattern Tracing and interactions

Convergence of Humint and Techint Government Private Agencies - Processing Enterprises - Databases Raw Data Databases itinto Usable form Human Tech Intelligence Intelligence Internet based information collection Datamining and investigation Better Information (()Track Back) Collection Identifying Automated analysis of Triggers & structured & unstructured dtdata Patterns

Orkash Services Pvt Ltd 75 C, Sector 18 Gurgaon 122 015 Haryana, India

Phone: +91 124 4033773 +91 98102 36020

[email protected] www.orkash.com