Noblis Team - Multiviz

VAST 2010 Challenge
Text Records - Investigations into Arms Dealing

Authors and Affiliations:

Katharine Jennings, PhD, Noblis, Team Lead, Katharine.Jennings@noblis.org
Daniel Whitford, Noblis, Team Lead, Daniel.Whitford@noblis.org
Seth Blanchard, Noblis, Seth.Blanchard@noblis.org
Shin Chin, PhD, Noblis, Shin.Chin@noblis.org
Casey Henderson, Centrifuge Systems, chenderson@centrifugesystems.com
Mitchell Holland, Noblis, Mitchell.Holland@noblis.org
Matthew McCoy, Noblis, Matthew.McCoy@noblis.org
Jill McCracken, PhD, Noblis, Jill.McCracken@noblis.org
Benjamin Pecheux, Noblis, Benjamin.Pecheux@noblis.org
Mark Sanders, Future Point Systems, msanders@futurepointystems.com
Karen Taylor, Noblis, Karen.Taylor@noblis.org
Harry Cummins, Noblis, graphic artist, hcummins@noblis.org
Richard P. DiMassimo, Noblis, video producer, rdimassimo@noblis.org
Austin Blanton, Noblis Intern, austin.blanton@noblis.org
Catherine Campbell, PhD, Noblis, Catherine.Campbell@noblis.org [PRIMARY contact]

Noblis VAST Webpage: http://www.noblis.org/VAST

Tool(s):

1) Copernic Desktop Search by Copernic Inc. (http://www.copernic.com), allowed for indexed searching of files, e-mails (and attachments) stored anywhere on the analyst’s drive.
2) IN-SPIRE from Pacific Northwest National Laboratory, (http://in-spire.pnl.gov/) was used to integrate information visualization with query to analyze unstructured text documents.
3) Centrifuge, a partner in this challenge (http://www.centrifugesystems.com/), was used with Internet Explorer on Windows to perform “Interactive Analytics,” analyzing data using visuals such as relationship graphs, timelines and charts.
4) The free application Protovis (http://vis.stanford.edu/protovis/), a Javascript API, was used for custom visualization. Datasets were organized into natural hierarchies for performing graph visualizations and statistical data analysis.
5) Sentinal Visualizer from FMS Advanced Systems Group (http://www.fmsasg.com/), is an automated link analysis software for visualizing, analyzing and managing complex data.
6) Google Earth (http://earth.google.com/), was used to render user data onto  maps and satellite imagery, and to explore geographical content.
7) Starlight from Future Point Systems (http://www.futurepointsystems.com/), another partner in this project, was used as a comprehensive visual analytics platform. It performed social network analysis, hierarchical organizations, geospatial and temporal relationships, category memberships and link charting.
8) Starlight’s XML Engineering Environment (XEE) simplified the process of retrieving and restructuring information prior to visualization.

Video:
 
Noblis_Multiviz_MC1.mp4


ANSWERS:

MC1.1: Summarize the activities that happened in each country with respect to illegal arms deals based on a synthesis of the information from the different report types and sources. State the situation in each country at the end of the period (i.e. the end of the information you have been given) with respect to illegal arms deals being pursued.  Present a hypothesis about the next activities you expect to take place, with respect to the people, groups, and countries.  

In this challenge we investigated a series of intelligence reports (phone and wire intercepts; email and message board intercepts; news reports; US Government intelligence reports; and blog postings) spanning January 2008 to May 2009. Through this process, we discovered a Ukrainian-centered global arms network.

Our overall analytical approach involved data pre-processing followed by parallel analysis using manual techniques and visual analytics (Figure 1.1.1). The dataset was converted to a standard text format and subsequently to XML. Using automated and manual extraction processes, we developed entity lists for people, events, dates, places, transactions, aliases and objects. These lists were ingested into Starlight and Centrifuge, resulting in visualizations that drove hypothesis development and further analysis.

flowdiagram
Figure 1.1.1. Analytical Process.

Country summary
During the initial analysis, we created a Master View of all the networks in Starlight. From this we identified 17 countries (or country nationals) involved in this global arms network: Bosnia, Burma, Columbia, Iran, Kenya, Nigeria, North Korea, Pakistan, Palestine, Saudi Arabia, Sudan, Syria, Thailand, Turkey, Ukraine, Venezuela, and Yemen. Using Starlight’s Geographic View and Temporal Filter, we mapped the activities occurring in the dataset (Figure 1.1.2). This visualization helped us identify key events in each country and required approximately 4 hours to complete.

summary_map
Figure 1.1.2. Interactive Map of International Networks

We used the Starlight networks to create a summary graphic using Microsoft Visio (Figure 1.1.3) to better view the links among countries. From this illustration we can see three core roles: arms sellers (Kenya, North Korea, and Ukraine), intermediaries—financiers, and brokers—(Bosnia, Columbia, Kenya, Thailand, Ukraine, and Yemen), and buyers (Burma, Iran, Nigeria, Pakistan, Palestine, Saudi Arabia, Sudan, Syria, Turkey, Venezuela, and Yemen). Some countries such as the Ukraine, Kenya, and Yemen play multiple roles. At the core of this network, the Ukrainians act as both direct sellers of arms and brokers for other deals (such as the North Korean sale of arms to Iran). The Kenyans try to sell arms directly to Sudan, and try to broker a deal between the Ukrainians and Sudan. The Yemenis buy arms from the Ukrainians, and broker the sale of arms to Saudi Arabia. This network analysis was completed in approximately 4 hours.

Network
Figure 1.1.3. Summary of Arms Deals by Country (dotted lines represent unverified links).

Our analyses led us to conclude that most of the countries in this network are discussing future arms deals and are moving money and payments within their networks during this reporting period, often brokered by the Ukrainians (blue lines). The Ukrainian network (initially led by Leonid Minsky, who was murdered in February 2009) is led by Mikhail Dombrovski and Nicolai Kuryakin. Also during this period, Iran, Kenya, Pakistan, Palestine, Saudi Arabia, Venezuela, and Yemen have key stores of weapons seized or stolen. They need to replace these caches and are in contact with the Ukrainians to do so (either directly or through intermediaries). Additionally, the intelligence suggests that one separate key shipment was completed before the end of the reporting period. In October 2008, a ship is seized by Somali pirates carrying Soviet weapons thought to be intended for Sudan. This deal is brokered by the Kenyans, connecting the Ukrainians to Sudan.

Spring 2009 Events
Most of the identified deals and discussions culminated in a meeting in Dubai from April 15-23, 2009 to finalize payments and key arms deals. We used Starlight to investigate known Dubai attendees, starting with the Master View and including entities up to two relationships away. This allowed us to observe the main Ukrainian dealer network and three “orphan networks” (Turkey-Syria, Gaza, and Pakistan not directly connected to the Ukrainians) going to Dubai . We looked for integration points among the networks, focusing on Pakistan because it had links to international banking transactions.

We used Centrifuge (Figure 1.1.4) to view transactions linking Pakistan to a Saudi bank account (yellow circles). We then iteratively used Copernic keyword searches (e.g. “Saudi”) and linked both Turkey-Syria and Gaza to a Saudi bank account. There is only one Saudi arms dealer, Saleh Ahmed, in the dataset (associated with Dombrovski and Minsky) closing the link between the networks. This process required approximately 6 hours for analysis and less than 1 hour for visualization.

centrifuge_banking
Figure 1.1.4. Banking Transactions in Centrifuge

We next visualized these Dubai attendee network assumptions in Starlight by drawing dotted links between Ahmed, the Saudi account, and individuals in the orphan networks (Figure 1.1.5, yellow circles). Significantly, this created an integrated network connecting the buyers going to Dubai to the Ukrainian arms network. Analysis and visualization of the integrated network required approximately 5 hours.
From this network analysis we concluded that all of the deals were closed in Dubai, and that subsequently arms moved to the purchasing countries (Burma, Iran, Nigeria, Pakistan, Palestine, Saudi Arabia, Sudan, Syria, Turkey, Venezuela, and Yemen). Additionally in March, the ransom was paid to the pirates and Sudan received arms in April (according to a Kenyan blog). Finally, there were reports that three of the arms dealers (Owiti and Otieno of Kenya;Ahmed of Yemen) died or were near death in early May.

Asuumptions
Figure 1.1.5. Assumptions-linked Network of Arms Deals with Assumed Saudi Links (dashed red lines).

Future Activities - Hypotheses
At the conclusion of our analysis, we hypothesized the following future events based on information synthesized from the intelligence records. It is surmised that all of the buyers will receive their weapons and this will lead to the following:

1) MFJ in Palestine launches a revenge attack in May 2009.
2) LeJ attacks a public place on a religious holiday in Pakistan.
3) Aden-as-Sallal becomes the new Saudi link between Yemen and the Ukrainian network following Ahmed’s death.
4) The Burmese Shan State Army-South rebels launch local uprisings with their weapons.
5) The Yemenis stage Al-Houthi uprisings.

The intentions of the other countries who received arms (Iran, Nigeria, Sudan, Syria, Turkey, and Venezuela) are not apparent from the intelligence documents and would warrant future targeting efforts.

MC1.2:  Illustrate the associations among the players in the arms dealing through a social network.  If there are linkages among countries, please highlight these as well in the social network.  Our analysts are interested in seeing different views of the social network that might help them in counterintelligence activities (people, places, activities, communication patterns that are key to the network).

The Ukrainian centered arms network involves 17 countries, several rebel groups and over three dozen individuals associated through communications networks, financial transactions and personal contact. To create a Master View of all possible relationships in our dataset and to identify the key entities in the network for counterintelligence targeting, we utilized customized entity lists imported into Starlight. Figure 1.2.1 shows this Master View which is very large and cumbersome to analyze.

Master
Figure 1.2.1. Starlight Master View

To begin identifying key individuals - and to simplify the visualization - a sub-network was created for each major group identified in the data, requiring approximately 3 hours of analysis and visualization. User-selected icons helped to navigate this complex data (e.g., “bad guy” icons represent arms dealers). Figure 1.2.2 illustrates the Thai sub-network as an example. This same analytic process was used for the other sub-networks, visible in tabs across the Knowledge Manager workspace in Figure 1.2.1. Almost all sub-networks included more than one country, as can be seen in the Thai network. From these detailed views we identified Leonid Minsky as a principal for a large Ukrainian criminal organization selling arms from former Soviet stockpiles. We can also see that Ukrainians Nicolai Kuryakin, Mikhail Dombrovski, Arkadi Borodinski, and likely the Yemeni, Saleh Ahmed, are key players in this international arms network. During the reporting period Minsky is killed and Dombrovski and Kuryakin take over his business deals. These views and networks allowed us to generate hypotheses about key individuals, and in this particular view we identified a possible relationship between Minsky’s network (Borodinski) and North Korea as an arms supplier.

Thai
Figure 1.2.2. Thai Sub-Network

The various sub-networks were further analyzed for communications patterns, people movements, arms movements, and payments. We created a novel diagram using Protovis (Figure 1.2.3) to display the magnitude of communications between individuals and their relative centrality. Larger bubbles represent more communications from an individual, while thicker lines indicate frequent communications between individuals. This visualization helped identify key people and confirmed the sub-networks identified in our Starlight network diagrams. Approximately 5 hours were used to script and conduct the visual analysis. Future analyses would be faster since scripts and formatting are established and future plots could be animated to show communications over time.

Protovis
Figure 1.2.3. Protovis View of Communications

The Starlight Geographic View and Temporal Filter maps complement the Starlight network and Protovis views by displaying communications over space and time; however they lack the detailed interactions shown in the other two views. We used these interactive maps to visualize arms movements, people movements, and financial transactions. People movements, shown in Figure 1.2.4, illustrate that key players converged in Dubai in April 2009.

people_movements
Figure 1.2.4. People Movements, April 2009

This observation led us to analyze the social networks of ONLY Dubai meeting attendees. We created a new view of Dubai meeting attendees and all their associations up to 2 “hops” (relationships) away (Figure 1.2.5) Using this network diagram we could see that Kuryakin, Dombrovski, and Ahmed (yellow circles) form a “backbone” of purchases involving buyers in eleven countries: Burma, Iran, Nigeria, Pakistan, Palestine, Saudi Arabia, Sudan, Syria, Turkey, Venezuela, and Yemen. The backbone is obvious in this integrated view, but was not apparent when we were looking at the sub-networks individually. Analysis took approximately 4 hours.

Overall_networks
Figure 1.2.5. Dubai Meeting Social Networks

From these views we established the following associations between key individuals which could be exploited for future counterintelligence targeting efforts:

1) Africa: Kenyans Nahid Owiti, his wife Thabiti Otieno, and Wanohi Onyango are working with Minsky to broker the sale of arms to Sudan. Owiti and Otieno meet with Kuryakin in Dubai and subsequently die. Onyango could be targeted for intelligence gathering. Additionally, Dr. George Ngoki of Nigeria has purchased arms from Dombrovski and he, his email accounts, or bank accounts are potential targets for the Ukranian-Nigerian connection.
2) Burma: Lim Chanarong is connected through Boonmee Khemkhaengare to the Ukranian dealers. He or his financial transactions could be exploited. The Shan State Army South could be another access point to Chanarong.
3) Columbia/ Venezuela: In this network true names are unknown. The aliases Jhon, Pillo and Hombre are identified in message boards which could be monitored. Additionally, known bank accounts in this network could also be monitored for large transactions.
4) Iran: Someone, likely Sattari Khurshid arranges to purchase arms from North Korea through the Ukrainian network. After they are seized in Bangkok he agrees to meet Kuryakin in Dubai. Khurshid, through phone records, would be a likely target for this Iranian-Ukrainian-North Korean connection.
5) Pakistan: The Lashkar-e-Jhangvi terrorist group and key individuals Azeem Bhutani, Akram Basra, Mohammed Mengal, and Mudassar Mausherwani (Bhutani’s driver) could be exploited for their dealings with the Ukrainians. Maulana Haq Bukhari may be the financier. He and his known accounts are also potential targets.
6) Palestine: Muhammed Kasem, Abdullah Khouri, and Mohammed Anka are known members of the Martyrs Front of Judea. Their telephone numbers could be targeted for intercepts.
7) Saudi Arabia/Yemen: Saleh Ahmed likely dies at the end of the reporting period, leaving, Aden-as-Sallal as a potential target for the Yemeni and Saudi-Ukrainian connection. Ahmed’s Saudi account is another target, but could change following his death. Georgiy Giunter, who moves diamonds between the groups, is another potential asset.
8) Syria/Turkey: Syria and Turkey (Baltasar, Celik and Hakan) connect to the Ukrainian network through an unknown Bosnian by telephone records. These communications could also be targeted for future intelligence efforts.
9) Ukraine/Thailand: Khemkhaengare, Dombrovski, Kuryakin, and Borodinski are the keys to this entire network. They could be targeted directly through email, phone, or banking transactions, or indirectly through their interactions with most other individuals in this network.

Our combination of visual analytics and manual analysis is scalable for future counterintelligence activities involving increasingly large datasets. Automated text processing tools can be added or removed as needed. The most labor-intensive aspects are inherently human activities: characterizing the nature of network relationships created by the visualization tools, and developing hypotheses.