Palantir Technologies

VAST 2009 Challenge
Challenge 2 - Social Network and Geospatial

Authors and Affiliations

Palantir Technologies – VAST09 Team
Brandon Wright, Palantir Technologies, bwright@palantirtech.com
Jason Payne, Palantir Technologies
Matt Steckman, Palantir Technologies

Tools

Overview: Palantir is a platform for collaborative, all-source analysis and operations, enabling geospatial, social-network, temporal, statistical, and structured and unstructured analysis. Palantir provides flexible tools to import and model data, intuitive constructs to search against this data, and powerful techniques to iteratively define and test hypotheses. Our platform is most highly valued for:

Background: Palantir is operational today at many of the most prestigious intelligence, defense, law enforcement, and regulation/oversight organizations in the world. Palantir was put together by the founders of PayPal, capitalizing on the lessons learned by their anti-fraud department. Faced with highly coordinated cyber attacks aimed at committing payment fraud and exploiting sensitive consumer information, the department needed an entirely new approach. Existing technology was poorly suited to dealing with sparse, cyber-specific data. To defeat the international fraud rings, high-level conceptual access to the data was required. The analyst-driven intelligence analysis tools that eventually became the Palantir platform were a direct outgrowth of this effort.

Company Web site:
http://www.palantirtech.com

Check out our Analysis Blog to see more analysis using Palantir: http://www.palantirtech.com/government/analysis-blog

Video

Palantir_MC2_Video.wmv

Answers

MC2.1: Which of the two social structures, A or B, most closely match the scenario you have identified in the data?

A

The scenario submitted matches structure A, with Flitter account Schaffter as the employee in the center of the network. We have also submitted two other networks, which match scenario B. These center on employees Bailey and Terekhov.

MC2.2: Provide the social network structure you have identified as a tab delimitated file. It should contain the employee, one or more handler, any middle folks, and the localized leader with their international contacts. What are the Flitter names of the persons involved? Please identify only key connections (not all single links for example) as well as any other nodes related to the scenario (if any) you may have discovered that were not described in the two scenarios A and B above.

Flitter.txt

Flitter_Bailey_Network.txt

Flitter_Terekhov_Network.txt

MC2.3: Characterize the difference between your social network and the closest social structure you selected (A or B). If you include extra nodes please explain how they fit in to your scenario or analysis.

The differences between the network discovered and the network as described in the challenge are few. In the class A network we found, the only significant difference was in the geospatial information (see below). The employee had 40 Flitter contacts (exact match), the handlers each had 30-40 contacts (exact match), and they did not contact one another (exact match). The middleman was connected to each handler and only two other people (exact match). The leader had well over 100 contacts, some of which were international (exact match). This analysis took only about two hours: about a half hour for the data import, and a little over one hour to complete the workflow.

To perform this analysis, the data first had to be imported into the Palantir Revisioning Database. This process is relatively simple, requiring only two imports using the dedicated Palantir Job server. First, the Flitter accounts were imported. This is done by simply dragging the Excel spreadsheet icon over the import button on the Palantir workspace. The import wizard pops up and allows you to select which columns in the spreadsheet refer to which properties in the object model. When finished, 6000 objects are created, each labeled with the Flitter name and having the Flitter ID number and city/country as properties. Next, the links are imported in a similar manner. In this case, we resolve the links to the Flitter accounts using a Palantir Entity Resolution Suite. Finally, the map of Flovania can be easily added to the Palantir map application as a tile map overlay. We mapped the cities on the Flovian map to the real-world geo-coordinates to enable geoanalysis in the Palantir Map.

Screenshot 1

The bulk of the social network analysis was performed in the Graph and Histogram, and networks were built with the Search Around tool, which allows the analyst to make queries such as, “Show me all individuals connected through Flitter that have X number of Flitter contacts themselves”.

The basic work flow was as follows:

  1. Using a Palantir filter, search for all Flitter accounts that have 38-42 Flitter contacts that are located in Flovania (23 return).

    Screenshot 2

  2. Using Search Around, determine which of these 23 have 3 or more contacts that have 30-40 contacts themselves (possible handlers). This narrowed down our 23 Flitter contacts to 5 suspects: Bailey, Campr, Lafouge, Schaffter, and Terekhov.

    Screenshot 3

  3. Starting with each of the 5 suspects, perform a Search Around to bring back all the potential handlers.
  4. Next, perform a Search Around on the handlers to bring back the potential middlemen. We searched for all contacts of the handlers that have fewer than 6 contacts (as we are informed that the middlemen do not have that many Flitter contacts). If the handlers are placed in the corners of the graph and there is one centralized middleman (Structure A), the middleman will appear in the middle of the graph workspace. If it is a Structure B network, you will simply see a circle of new contacts around the handlers.

    Screenshot 4

  5. Next, perform a Search Around on all the potential middlemen, looking for contacts of theirs that have more than 100 contacts. If it is structure A, you will see each handler communicating with only one other contact, who then communicates with a secondary contact (the fearless leader). If it is structure B, you will see three contacts in the circles around the handlers all connecting to only one matching contact (the fearless leader).
  6. Finally, to make sure that the leader is not connected to the handlers or employee, perform one final Search Around to bring back all of the leader's contacts. If you see a connection to a handler or the employee, then this is NOT the correct network.

    Screenshot 5
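
The six-step workflow above can also be written as a degree-filtered graph search. The following Python sketch is an added example, not Palantir code or part of the original submission; it covers Structure A only, also applies the "handlers do not contact one another" condition from the MC2.3 answer, and all function names, account names and the sample network are constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

def build_graph(edges):
    """Undirected adjacency sets from (a, b) contact pairs."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj

def find_structure_a(adj, country, home="Flovania"):
    """Return (employee, handlers, middleman, leader) tuples matching Structure A."""
    deg = {n: len(c) for n, c in adj.items()}
    hits = []
    for emp in adj:
        # Step 1: employee has 38-42 contacts and is located in the home country.
        if not (38 <= deg[emp] <= 42 and country.get(emp) == home):
            continue
        # Steps 2-3: possible handlers are the employee's contacts with 30-40 contacts.
        cands = sorted(h for h in adj[emp] if 30 <= deg[h] <= 40)
        for trio in combinations(cands, 3):
            # Handlers do not contact one another.
            if any(b in adj[a] for a, b in combinations(trio, 2)):
                continue
            # Step 4: a middleman has fewer than 6 contacts and is shared by all handlers.
            shared = adj[trio[0]] & adj[trio[1]] & adj[trio[2]]
            for mid in sorted(m for m in shared if m != emp and deg[m] < 6):
                # Step 5: the leader is a contact of the middleman with over 100 contacts.
                for lead in sorted(l for l in adj[mid] if deg[l] > 100):
                    # Step 6: reject if the leader touches the employee or any handler.
                    if adj[lead] & ({emp} | set(trio)):
                        continue
                    hits.append((emp, trio, mid, lead))
    return hits

def sample_edges():
    """Constructed data: one planted Structure A network (hypothetical names)."""
    e = [("emp", h) for h in ("h1", "h2", "h3")]
    e += [("emp", f"e{i}") for i in range(37)]        # employee: 40 contacts
    for h in ("h1", "h2", "h3"):
        e += [(h, f"{h}_c{i}") for i in range(33)]    # handler: 33 + emp + mid = 35
        e.append((h, "mid"))
    e += [("mid", "lead"), ("mid", "m_other")]        # middleman: 5 contacts
    e += [("lead", f"l{i}") for i in range(120)]      # leader: 121 contacts
    return e

SAMPLE_COUNTRY = {"emp": "Flovania"}                  # constructed location attribute
```

Calling find_structure_a(build_graph(sample_edges()), SAMPLE_COUNTRY) returns the single planted network; adding a direct leader-to-handler link to the sample makes step 6 reject it.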

We found three possible networks, one structure A, two structure B. We submitted the structure A network as this matched most closely with the challenge description. However, we have also included a modified Flitter.txt file with the two other possible networks in order to be comprehensive in our analysis.

The overall structure indicates that the embassy employee was using social networking to exfiltrate data outside the embassy network. The handlers would pass this information to the middleman, middleman to the leader. As the leader is located in a border city, they can possibly facilitate the transport of classified information across international borders.

MC2.4: How is your hypothesis about the social structure in Part 1 supported by the city locations of Flovania? What part(s), if any, did the role of geographical information play in the social network of part one?

The geographic analysis performed in the Palantir map application indicated that the employee and his handlers all lived in Prounov. This implies that the handlers were in direct contact with the employee for handoffs, financial exchanges, etc. This allows us to assume that in the video challenge, it is one of the handlers that makes an exchange with the employee. The middleman lives in Kannvic and the leader lives in a border city, Kouvnic. The leader’s location is interesting as a border city would allow him to exfiltrate data across the border into the neighboring country of Trium. In general, geographic analysis allowed us to provide greater context to our overall analysis.

Screenshot 6

MC2.5: In general, how are the Flitter users dispersed throughout the cities of this challenge? Which of the surrounding countries may have ties to this criminal operation? Why might some be of more significant concern than others?

Generally speaking, Flitter users are dispersed throughout the cities in proportion to the city’s population. Given the leader’s location, those in the country of Trium are of greater suspicion in our investigation.

Screenshot 7