Rand proposes analysis method

Rand study: "Out of the Ordinary: Finding Hidden Threats by Analyzing Unusual Behavior"

Connecting disparate pieces of information to prevent terrorist attacks has taken on greater importance for the intelligence and homeland security communities since the Sept. 11, 2001, terrorist attacks. But the going since then hasn't been easy.

For example, privacy advocates roundly criticized the Defense Advanced Research Projects Agency for the now-defunct Terrorism Information Awareness (also called Total Information Awareness) program that was supposed to mine mountains of personal information about individuals to find terrorists.

But Rand researchers have published -- in a recent study titled "Out of the Ordinary: Finding Hidden Threats by Analyzing Unusual Behavior" -- what they characterize as a better process for sifting through relevant information to provide more useful results for intelligence and homeland security agencies.

Through a multilayered approach, Rand's Atypical Signal Analysis and Processing (ASAP) network and database gathers out-of-the-ordinary or atypical information, relates it to other pieces of data and develops working assumptions that can be modified as more information becomes available.

John Hollywood, the study's lead author, said a standard automated collection and analysis approach, such as TIA, gathers people's personal data and essentially uses a single data-mining tool to uncover terrorists or terror plots.

But such a system would contain so much information that it would have overwhelmed intelligence analysts, Hollywood said. Information, he argues, must be limited at first, then complemented with more valuable and relevant data -- essentially a "richer ore to work with," he said.

For example, if the government obtains information that a particular individual is involved in a terror plot to blow up a government office building, officials don't just automatically maintain that belief; they also test it over time. As more information is collected and related to that individual, it could strengthen or change the hypothesis, Hollywood said.

"What we're trying to do is get at this more complicated, multiple-step approach by first doing smart filtering of the incoming information to see if it meets profiles out of the ordinary," he said. "Then trying to do a better job of putting that information into context, related to things that you know are of interest, and third, actually maintaining and testing hypothesis about the information. So that way you don't jump to conclusions too quickly."

ASAP would also alert officials at two government groups, one that focuses on terrorism and another on organized crime, so they can collaborate if they're looking at the same individual in different ways. The system could also tag data to indicate that the individual is no longer of interest.

The ASAP database would include information already known about people, places, events and financial transactions suspected to be relevant to terrorist activities, other intelligence and government databases as well as publicly available data, information about critical infrastructures and industries vital to national security and economy, among other restricted data sets.

Hollywood said some agencies are moving along these lines. Officials at the Terrorist Threat Integration Center -- a multiagency entity that provides analysts with direct access to domestic and overseas intelligence from more than two-dozen federal networks -- are doing pieces of this type of intelligence analysis, he said.

"I think the value of what we're proposing is that it takes these various good tools and ideas that people have and puts them together into a single, unified hull as opposed to the different agencies all having their own suite of tools or tools that do a piece of the overall picture," he said. "This is sort of a concept to link everything together."

Rand officials developed this concept of operations about two years ago and it has garnered interest from several clients. In terms of feasibility it would be a complex and long-term process to develop ASAP, but the greatest challenge would be the integration, Hollywood said. Most of the technical algorithm pieces that perform the data-mining activities are out there within government agencies and commercial software.

"For example, there are tools that will take plain text information coming and break it down to meaningful information chunks like names, addresses, phone numbers, things like that," he said. "There is software that's very good in taking pieces of information and finding ways to link them to a network of other information elements."

The study makes short-term recommendations. Homeland security officials should create and disseminate standardized profiles of common threats and status quo conditions of possible industries that would be targeted by terrorists as a way to educate analysts and others, the report says. Rand officials also believe intelligence officials should report suspicious behavior on electronic bulletin boards and organize those online postings according to categories of threats. Another recommendation is to create Google-like search engines for the postings that match the results of search queries.