Acquiring & Exploiting Knowledge for Predicting Acts of Terrorism
Rocky Termanini. PhD, CISSP
Software Process Improvement Network (SPIN)
Northrop Grumman, E2 Conference, Redondo Beach, CA
April 6; 9:00 – 12:00 AM
Copyright 2010, Rocky M. Termanini
1
The US Government is learning it the
hard way:
Predictive Models do not work
unless you have been deeply
involved in the fabric of the culture
and religion of the country…
Copyright 2010, Rocky M. Termanini
2
The US Government Did not pay much attention to the History of Egypt
Copyright 2010, Rocky M. Termanini
3
Step one: dump everything we know about a
country like Iraq, and “create systems that mirror
the actual communities.”
Step two: in the CEWPS plan: to realistically represent the social,
cultural, and behavioral theories” about why people act the way they
do”.
Step three: let commanders run mock battle plans against these
modeled Iraqis, to see how they might react.
Copyright 2010, Rocky M. Termanini
4
A noble mission to explain the anatomy of Al Quada
Copyright 2010, Rocky M. Termanini
5
Event E(t)
Prior Attack
Copyright 2010, Rocky M. Termanini
Attack
Post Attack
Objective
We’re building an is artificially intelligent
reasoning machine that extract knowledge from
historical bombing episodes and offer solid
prediction and combat upcoming attacks...
Event E(t)
Prior Attack
Copyright 2010, Rocky M. Termanini
Attack
Post Attack
Objective
Specifically speaking,
1. creating a Knowledge database of past
attacks;
2. identifying trends in the attacks;
3. determining the correlation between attacks
4. using analysis to calculate the probabilities
of future attacks and their location.
Copyright 2010, Rocky M. Termanini
8
CEWPS Holistic vision
CEWPS™ offers four robust advantages:
• Early Warning Prediction of incoming attack.
• Early Warning Detection
• Evidential Reasoning to improve degree of certainty
• Memorizing attacks for future similar attacks
Copyright 2010, Rocky M. Termanini
9
Early Warning Rationale
Early-warning is not about predicting the
future …
It is about preventing specific events (terror
attacks) from happening at the right time
Copyright 2010, Rocky M. Termanini
10
Terrorism
What is It?
Why do we worry about it
What can we do to circumvent it
Copyright 2010, Rocky M. Termanini
11
Let’s define some term
Jihadism: ‫ الجهاد‬Originally had a significant
meaning to represent Islam expansion…Now, it has
a twisted meaning to represent Islamic terrorism
Mujahedeen: ‫ المجاهدين‬Radical warriors who
practice Islamic terrorism under the name of Jihad.
They are dedicated to destroying anything that is
not Islamic. They believe their action will win them
the Paradise.
Copyright 2010, Rocky M. Termanini
12
Dedication to a cause
Copyright 2010, Rocky M. Termanini
13
Even a Camel is part of Jihad
Copyright 2010, Rocky M. Termanini
Suicide Bombing can take any form
Copyright 2010, Rocky M. Termanini
15
Another Kind of Mujahedeen:
Copyright 2010, Rocky M. Termanini
16
Another mission to to call for Holy War
Copyright 2010, Rocky M. Termanini
17
U.S. RECOGNIZED TERRORIST ORGANIZATIONS
Lashkar I Jhangvi (LJ)
Abu Nidal organization (ANO)
WORLDWIDE
Liberation Tigers of Tamil Eelam (LTTE)
Abu Sayyaf Group (ASG)
Al-Aqsa Martyrs Brigade
Ansar al-Islam (AI)
Armed Islamic Group (GIA)
‘Asbat al-Ansar
Aum Supreme Truth (Aum) Aum Shinrikyo
Basque Fatherland and Liberty (ETA)
Communist Party of Philippines/
New People’s Army (CPP/NPA)
Al-Gama’a al-Islamiyya (Islamic Group, IG)
HAMAS (Islamic Resistance Movement)
Harakat ul Mujahidin (HUM)
Hizballah (Party of God)
Islamic Movement of Uzbekistan (IMU)
Jaish-e-Mohammed (JEM)
Jemaah Islamiya (JI)
Al-Jihad (Egyptian Islamic Jihad, EIJ)
Kahane Chai (Kach)
Kongra-Gel (KGK, formerly Kurdistan
Workers’ Party, PKK, KADEK)
Lashkar-e-Tayyiba (LT)
Copyright 2010, Rocky M. Termanini
Mujahedin-e Khalq Organization (MEK)
National Liberation Army (ELN)—
Colombia
Palestine Islamic Jihad (PIJ)
Palestine Liberation Front (PLF)
Popular Front for the Liberation of
Palestine (PFLP)
Popular Front for the Liberation of
Palestine–General Command (PFLP-GC)
Al-Qaida
Real IRA (RIRA)
Revolutionary Armed Forces of Colombia
(FARC)
Revolutionary Nuclei (RN)
Revolutionary Organization 17 November
(17 November)
Revolutionary People’s Liberation
Party/Front (DHKP/C) 135
Salafi st Group for Call and Combat-GSPC
Sendero Luminoso (Shining Path or SL)
United Self-Defense Forces/Group of
Colombia (AUC)
60% Shi’a
30% Sunni
10% Misc.
Copyright 2010, Rocky M. Termanini
19
890 /year
3200/year
1200 /year
Copyright 2010, Rocky M. Termanini
20
http://www.youtube.com/watch?v=bel7Trt49hE
http://www.youtube.com/watch?v=KOTH_xv6O4o&feature=related
Copyright 2010, Rocky M. Termanini
21
The History of Islam and its relation to Jihad
Copyright 2010, Rocky M. Termanini
22
Let’s go back and review the chemistry of
the four Terrorists
Copyright 2010, Rocky M. Termanini
23
Abdul Rahman Ghazi
Nationality: Iraqi, Kurd
Sect: Sunni, Married two kids; engineer; Joined AlQuada 2005; explosive knowledge- High
Training in Pakistan.
Jihadist
Frequent visitor to UAE…brother works accountant
Plan: Killing Shi’a Policemen
Suicide in 2009 Baghdad…
Copyright 2010, Rocky M. Termanini
24
Mustapha Hamwai Jalali
Nationality: Yemeni,
Sect: Sunni, Single; Accountant; Joined Al-Quada
2006; explosive knowledge- High
Training in Yemen, Accountant in Iraq
Jihadist
Brother works in Dubai…HSBC bank
Plan: Killing US troops
Suicide in 2009 Basra, Iraq
Copyright 2010, Rocky M. Termanini
25
Faysal Hasan
Nationality: Iraqi, from Baghdad
Sect: Shi’a, Single; Architect; Joined Muqtada alSadr 2006; explosive knowledge- High
Training in Lebanon’s Hezbollah.
Jihadist
Plan: Killing US tourists
Suicide in 2009 Mosel, Iraq
Copyright 2010, Rocky M. Termanini
26
Mohammed Abdul Salam
Nationality: Egyptian, Cairo
Sect: Sunni, Single; Journalist; Married to a
Palestinian girl Najwa, Joined Muslim Brotherhood
2004; Army officer, explosive knowledge- High
Training in Mauritania.
Jihadist, Radical
Plan: Killing US troops in an Humvee
Copyright 2010, Rocky M. Termanini
27
The Jihad War
•
•
•
•
•
•
•
•
•
•
Believe 9/11 is an inside job
Very savvy politically
Highly educated
Islamic war against enemies of God
Not afraid to die
Driven by radical Islamism
Residual anger and vengeance
Desire to go to Heaven
They only can do it “once”
They prefer to attack Americans outside the US
Copyright 2010, Rocky M. Termanini
28
We can improve our Homeland
security against suicide bombing, by
learning from previous attacks, in the
world...
Copyright 2010, Rocky M. Termanini
So, What can we learn from previous
Suicide Bombing Episodes?
Copyright 2010, Rocky M. Termanini
30
Experience & knowledge Relationship
Experience
Event
Outcome
Knowledge
Store
&
Predict
Created by external
sensation or internal
reflection
Neurological image of the
experience in the brain
Copyright 2010, Rocky M. Termanini
31
If we inject the human knowledge and
experience into the machine, we will be able
to build an intelligent system that employs
expert judgment and extensible reasoning
capability
Copyright 2010, Rocky M. Termanini
32
There are many registries and data repositories
on terrorism....but, they are disparate , nonnormalized, non-correlative
Copyright 2010, Rocky M. Termanini
GTD from the University of Maryland
Copyright 2010, Rocky M. Termanini
Rand DB on Terrorism Incidents
Copyright 2010, Rocky M. Termanini
Copyright 2010, Rocky M. Termanini
36
FBI Terrorist Screening Center
Copyright 2010, Rocky M. Termanini
Institute of Terrorism Research and Response
Copyright 2010, Rocky M. Termanini
Most Episodes partially documented,
incomplete and follow no standards
Copyright 2010, Rocky M. Termanini
Analyzing a suicide Bombing Episode
Copyright 2010, Rocky M. Termanini
40
Episode
attack
Episode
Episode
attack
Episode
attack
Episode
Episode
attack
attack
Episode
Episode
attack
Attack Episodes have lots in common
Copyright 2010, Rocky M. Termanini
attack
attack
They all have common features
Episode
Tstart
Tend
Each episode is a stochastic Process
Copyright 2010, Rocky M. Termanini
Episode
•
•
•
•
•
•
A Plan
Actors
Target
Time
Location
Damage
A suicide Episode has 6 basic attributes
Copyright 2010, Rocky M. Termanini
•
•
•
•
Casualties
Destruction
Disruption
Social Trauma
Forecast Zone
Emergency Response
Planning
Planning
Φ1
attack
Φ2
Recovery
Φ3
Tstart
Tend
Each episode has three Phases
Copyright 2010, Rocky M. Termanini
Bombing where Prediction Failed
SB-1
SB-3
SB-2
M(t)1
M(t)2
M(t)3
P(t)1
P(t)2
P(t)3
Prediction Period
M(t)0 P(t)0
SB-T
A(t)0
The Process of Credible Prediction
Copyright 2010, Rocky M. Termanini
Bombing where Prediction Failed
SB-1
M(t)1
M(t)2
SB-T
SB-3
SB-2
M(t)3
M(t)0 P(t)0
A(t)0
When prediction shorter,
prevention gets better
P(t)1
P(t)2
P(t)3
The Process of Credible Prediction
Copyright 2010, Rocky M. Termanini
The Major Building Blocks
Copyright 2010, Rocky M. Termanini
47
Bayesian Refinement Recursion
By indicators
Build
Collecting grids
Collect
Bombing
Episodes
Normalize &
Characterize
Create
Semantic
Knowledge
Build
Bombing
Patterns
Build
Reasoning
Model
Match
Rules
Analyze &
Validate
Dispatch &
Alert
Ontology Components&
Semantic Rules
Save Episode Analysis
48
Graph-G
The Global
Cyber Malware
Data Collection Grid
Global
Terror
Episode
Collection
Grid
Copyright 2010, Rocky M. Termanini
Global Terror
Steady Updates
The Intelligence
Data Grid
Steady Updates
The Activity
Monitoring
Grid
Steady Updates
The Demographic
Grid
Steady Updates
Copyright 2010, Rocky M. Termanini
The Cognitive Early Warning Prediction System (CEWPS™)
Collected Raw attributes on the attacker
Copyright 2010, Rocky M. Termanini
51
Knowledge Base
Ontological and Semantic
Transformation
Semantic attack Patterns
US/Global
Intelligence
Grids
Local Law
Enforcement
Monitoring
Sources
Attack Collectors
Disparate
Unstructured
Attacks
Unstructured Attack Episodes Are Collected, Filtered
And Transformed Into A Patterns
Copyright 2010, Rocky M. Termanini
Jihad
Faith
Suicide
Sacrifice
Terrorism
Heaven
is the domain
Ontology is used to represent a suicide attack as a knowledge model
Copyright 2010, Rocky M. Termanini
53
•
•
•
•
Fighting for Islam
Dedication to Islam
Showing Courage
Heaven is the award
Suicide
•
•
•
•
Go to Heaven
Destroy Enemy of God
Be an example to others
Koran teaches us to kill enemies of Allah
Sacrifice
•
•
•
•
I am not afraid of dying
I am enlisted in Mohammed’s Army
Sacrifice is the best way to die for Islam
Paradise is the desired place
Jihad
Semantic is to derive significant knowledge from words
Copyright 2010, Rocky M. Termanini
54
Bombing
History
Bomber
Profile
Potential
Occasions
Potential
Locations
Explosives
Knowledge
Suspect
Vehicles
Semantic Bombing Episodes Knowledge Base
Knowledge
Collector
Improvements
Match
Alerts
Attack Clues
incoming
Scenario Builder
Human Experience
Bombing Predictor
Bayesian and Heuristic
Processing
Dispatch
Predicted
Scenario
Dispatch Early
Warning
Pre-emptive Alerts
The Architecture of The Cognitive Early Warning Predictor System (CEWPS)
Copyright 2010, Rocky M. Termanini
Attack Knowledge
Database
Broadcast Alert to
Agencies
The Reasoner
Select Optimal
Predictive Attack
Apprehend
Terrorists
Urgent Response Mode
Attack Models with
Higher Degree of
Certainty
Incoming Attack Clues
Attack
knowledge
Models
Data include
Semantic Rules
Ontological and
Semantic
Transformation
CEWPS™ extracts credible forecasts and prediction about Bombing Attack
Copyright 2010, Rocky M. Termanini
56
US/Global
Intelligence
Sources
All the attributes are
semantically connected
Monitoring
Sources
Demographic
Sources
Each Attack Episode is Transformed into a Distinct Pattern
Copyright 2010, Rocky M. Termanini
Library of Attack Patterns
Reasoning Engine
Dynamic Prediction
Queries
Attack
Pattern
Selected Pattern
CEWPS Semantic Knowledge Base


As a finding is entered, the propagation algorithm updates the beliefs
attached to each relevant node in the network
A query produces the information to propagate through the network
and the belief functions of several nodes are updated
Copyright 2010, Rocky M. Termanini
Small Illustration of Bayes Modeling
Copyright 2010, Rocky M. Termanini
59
What Is it?
It is a network-based model involving uncertainty
What is it used for?
Intelligent decision aids, data fusion, feature
recognition, intelligent diagnostic aids, automated
free text understanding, data mining
Where did it come from?
Cross fertilization between the artificial
intelligence, Operations Research,, and statistic…
Copyright 2010, Rocky M. Termanini
Example from Medical Diagnostics
Visit to Asia
Smoking
Patient Information
Tuberculosis
Lung Cancer
Bronchitis
Medical Difficulties
Tuberculosis
or Cancer
XRay Result
Dyspnea
Diagnostic Tests
Network represents a knowledge structure that models the relationship
between medical difficulties, their causes and effects, patient
information and diagnostic tests
Copyright 2010, Rocky M. Termanini
Example from Medical Diagnostics
Tuber
Lung Can
Tub or Can
Visit to Asia
Present
Present
True
Present
Absent
True
Absent
Present
True
Absent
Absent
False
Tuberculosis
Patient Information
Lung Cancer
Tuberculosis
or Cancer
XRay Result
Smoking
Bronchitis
Dyspnea
Medical Absent
Difficulties
Present
Tub or Can
Bronchitis
True
Present
0.90
0.l0
True
Absent
0.70
0.30
False
Present
0.80
0.20
False
Absent
0.10
0.90
Dyspnea
Diagnostic
Tests
Relationship knowledge is modeled by deterministic functions, logic and
conditional probability distributions
Copyright 2010, Rocky M. Termanini
Example from Medical Diagnostics
V isit To Asia
Visit
1.00
N o Visit 99.0
Tuberculosis
Present 1.04
A bsent 99.0
Smoking
Smoker
50.0
N onSmoker 50.0
Lung Cancer
Present 5.50
A bsent 94.5
Patient Information
Bronchitis
Present 45.0
A bsent 55.0
Tuberculosis or Cancer
True
6.48
False
93.5
XRay Result
A bnormal 11.0
N ormal
89.0
D yspnea
Present 43.6
A bsent 56.4
Propagation algorithm processes relationship information to provide
an unconditional or marginal probability distribution for each node
Which is called the belief function of that node
Copyright 2010, Rocky M. Termanini
Example from Medical Diagnostics
V isit To Asia
Visit
100
N o Visit
0
Tuberculosis
Present 5.00
A bsent 95.0
Smoking
Smoker
50.0
N onSmoker 50.0
Lung Cancer
Present 5.50
A bsent 94.5
Bronchitis
Present 45.0
A bsent 55.0
Tuberculosis or Cancer
True
10.2
False
89.8
XRay Result
A bnormal 14.5
N ormal
85.5
D yspnea
Present 45.0
A bsent 55.0
Interviewing the patient produces more information the “Visit”
As this data is entered, the propagation algorithm updates the beliefs
attached to each relevant node in the network
Copyright 2010, Rocky M. Termanini
Example from Medical Diagnostics
V isit To Asia
Visit
100
N o Visit
0
Tuberculosis
Present 5.00
A bsent 95.0
Smoking
Smoker
100
N onSmoker
0
Lung Cancer
Present 10.0
A bsent 90.0
Bronchitis
Present 60.0
A bsent 40.0
Tuberculosis or Cancer
True
14.5
False
85.5
XRay Result
A bnormal 18.5
N ormal
81.5
D yspnea
Present 56.4
A bsent 43.6
Further interviewing of the patient produces the finding “Smoking” is
“Smoker”…This information propagates through the network
Copyright 2010, Rocky M. Termanini
Example from Medical Diagnostics
V isit To Asia
Visit
100
N o Visit
0
Tuberculosis
Present 0.12
A bsent 99.9
Smoking
Smoker
100
N onSmoker
0
Lung Cancer
Present 0.25
A bsent 99.8
Bronchitis
Present 60.0
A bsent 40.0
Tuberculosis or Cancer
True
0.36
False
99.6
XRay Result
A bnormal
0
N ormal
100
D yspnea
Present 52.1
A bsent 47.9
Finished with interviewing the patient, the physician begins the examination, and
he now moves to specific diagnostic tests such as an X-Ray, which results in a
“Normal” finding which propagates through the network…
information from this finding propagates backward and forward
Copyright 2010, Rocky M. Termanini
Example from Medical Diagnostics
Visit To Asia
Visit
100
No Visit
0
Tuberculosis
Present 0.19
Absent 99.8
Smoking
Smoker
100
NonSmoker
0
Lung Cancer
Present 0.39
Absent 99.6
Bronchitis
Present 92.2
Absent 7.84
Tuberculosis or Cancer
True
0.56
False
99.4
XRay Result
Abnormal
0
Normal
100
Dyspnea
Present 100
Absent
0
The physician also determines that the patient is having difficulty breathing, so
“Present” is entered for “Dyspnea” which propagated through the network.
The doctor might now conclude that the patient has bronchitis and does not have
tuberculosis or lung cancer
Copyright 2010, Rocky M. Termanini
•
•
•
•
•
•
•
•
•
•
Behavior prediction of serial killers patient
Prediction of Plagiarism in Academia
speech and speaker recognition....
Military Surprise Attacks
Cancer diagnosis
Google search
SPAM Filtering
FBI Face recognition (Biometrics)
Site profiler for Military against terrorism
Modeling Oil drilling
Bayesian Nets Modeling
Copyright 2010, Rocky M. Termanini
Arrive to
airport
Airport
Biometric
Picture
Picked up
by friend
Arrive to
Friend’s
Home
Rented car
from HERTZ
Raise
Flag-1
Phone
Call-1
Overseas
Call-2
Meeting-1
Restaurant
Given
Instructions
Restaurant
Under
Surveillance
Check
owner
records
Check
e-mail
Call
Main Cell
Overseas
Check
INS
Records
Meeting-2
Restaurant
Phone
Company
Plan to visit
location-1
E-mail
Forensics
Rendez-vous
time set
FBI
Check
State
Department
Track ISP
Pattern
Check-1
Track
Itinerary
Target
not
identified
Raise
Flag-3
Plan to visit
location-2
Check Local
Universities
3 visas from
3 countries
Raise
Flag-2
Registered
But did not
attend
Two locations
identified
Target
Somewhat
identified
Query
Knowledge
Base
Bayes Acyclic Attack Network (Part-1)
Bayes is a scientific approach to quantify our degree of certainty on the basis of incomplete
information
Diagram
– EM.Unstructured
Sequence Diagram Of The Attack Before Becoming A Pattern (Part-1)
Copyright
2010, Rocky
Termanini
Phone
calls to
headquarters
Terrorist
rehearse
attack
E-mails
sent to
headquarters
Visit-1 to
Penn
Station
Take
Pictures
Visit-1 to
WTC
CEWPS
predict 87%
Attack
CEWPS is
processing
data
CEWPS
predict 65%
Attack
July3d
Attack date
Get
go-ahead
with attack
E-mail
intercepted
Grids sent
more data
on Jamal
Caught On
CCTV
Camera
FBI
Notified
FBI at
Penn
Station
Amtrak
Notified
Query
Knowledge
Base
Thursday
2:45 PM
Surprise
Arrest
Document
and send
to KB
Bayes Acyclic Attack Network (Part-2)
Bayes is a scientific approach to quantify our degree of certainty on the basis of incomplete
information
Copyright 2010, Rocky M. Termanini
Complete Attack Network
Copyright 2010, Rocky M. Termanini
71
Copyright 2010, Rocky M. Termanini
72
Copyright 2010, Rocky M. Termanini
73
Copyright 2010, Rocky M. Termanini
74
Copyright 2010, Rocky M. Termanini
75
CEWPS can live on the cloud
Copyright 2010, Rocky M. Termanini
76
Terrorism Service Providers
Spying Services
White Slavery Services
Terror as a Service
Trafficking Services
Hacking Services
Suicide Services
Drug Traffiking Services
Cyberterrorism is big time on the cloud
Copyright 2010, Rocky M. Termanini
77
Data Collection Services
VPN Gateway
Early Warning Services
Secure VPN
Connection
Attack Prediction Services
The CEWPS™ Cloud Services
Subscriber Network
Copyright 2010, Rocky M. Termanini
78
The Newark Bombing Scenario
Copyright 2010, Rocky M. Termanini
79
Thank you
For Further Questions or inquires
Dr. Rocky Termanini
Email: rocky@termanini.com
Copyright 2010, Rocky M. Termanini
80