UNCC-ParallelTopics-GC
VAST 2011 Challenge
Grand Challenge - Cause and Effect
Authors and Affiliations:
Xiaoyu Wang, University of North Carolina at Charlotte, xwang25@uncc.edu [PRIMARY contact]
Wenwen Dou, University of North Carolina at Charlotte, wdou1@uncc.edu
Lane Harrison, University of North Carolina at Charlotte, ltharri1@uncc.edu
Li Yu, University of North Carolina at Charlotte, lyu8@uncc.edu
William Ribarsky, University of North Carolina at Charlotte, Ribarsky@uncc.edu
Tool(s):
We used two tools to investigate possible epidemic spread. We used ParallelTopics to focus on analyzing the microblogs. This is a visual analytics system that supports analysis of large text corpora by integrating a state-of-the-art probabilistic topic model. ParallelTopics employs coordinated multiple views to support exploration of text corpora. Since each microblog message contains only a limited amount of information, we aggregated the data over different time intervals (e.g. every four hours) to achieve better topic modeling results.
Specifically, we utilized three views in this investigation, namely Topic Cloud (a summary of major topics in the news corpus), Document Distribution (how each news item is distributed across the topics), and ThemeRiver (how topics evolve over time). The three views are coordinated: operations performed in one view are immediately shown in the other views, so that information regarding topics, time and microblog messages can be quickly synthesized by users.
We have also developed a geospatial-temporal tool for analyzing the origin of the spread. By plotting geo-referenced messages onto the map of Vastopolis, we can easily spot the development of microblogs over time.
Three tools were used for network analysis. The log visualizations were prototyped by one member of the team using Processing (processing.org) over the course of a month. The SQL queries were handled through Navicat Lite (navicat.com). Finally, an overview of the Snort logs was obtained by using SnortSnarf (sourceforge.net/projects/snortsnarf/). All data was converted to a database-importable format using Perl scripts, which took two weeks to implement.
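As an added illustration of the conversion step (not the team's Perl scripts, and written in Python rather than Perl), the code below parses alerts in Snort's one-line "fast" alert layout into CSV rows ready for database import, keeping track of lines it could not parse. The sample lines, the addresses and the choice of the fast layout are assumptions; the page does not say which Snort output format the challenge data used.

```python
import csv
import io
import re

# Constructed sample in Snort's "fast" alert layout (assumed format, not challenge data).
SAMPLE = """\
04/13-11:42:07.123456  [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.2.175:4431 -> 192.168.1.6:161
04/13-11:42:09.000100  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.2.175 -> 192.168.1.6
this line is not an alert
04/14-08:00:01.500000  [**] [1:2000:1] Example rule without classification [**] [Priority: 3] {UDP} 10.0.0.5:53 -> 192.168.1.14:53
"""

# The classification block is optional; timestamps carry no year in this layout.
ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

FIELDS = ["ts", "gid", "sid", "rev", "msg", "cls", "prio", "proto",
          "src_ip", "src_port", "dst_ip", "dst_port"]

def split_endpoint(ep):
    """Split an IPv4 'ip:port' endpoint; ICMP endpoints have no port."""
    ip, sep, port = ep.rpartition(":")
    return (ip, port) if sep else (ep, "")

def parse_alerts(text):
    """Return (rows, rejected_line_numbers) so dropped input stays visible."""
    rows, rejected = [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = ALERT.match(line)
        if not m:
            rejected.append(n)
            continue
        d = m.groupdict()
        d["cls"] = d["cls"] or ""
        d["src_ip"], d["src_port"] = split_endpoint(d.pop("src"))
        d["dst_ip"], d["dst_port"] = split_endpoint(d.pop("dst"))
        rows.append(d)
    return rows, rejected

def to_csv(rows):
    """Serialize parsed alerts as CSV with a header row, one alert per line."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()
```

Calling `parse_alerts(SAMPLE)` and passing the rows to `to_csv` yields text that a database import tool can load; the rejected line numbers show how much of the log the parser failed to cover.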
Video:
Additional GC
Video: Index_GC_files\Connecting Mini2 and Mini3.mp4
ANSWERS:
In Mini-Challenge 1, you
used microblog data to characterize an epidemic spread. In Mini-Challenge 2,
you conducted cyber security analysis for situational awareness of a corporate
network infrastructure. In Mini-Challenge 3, you investigated terrorist
activity in the region.
For the Grand Challenge,
you are charged with investigating the cause of the epidemic.
In particular, you need
to address the following:
Are any terrorist
activities related to the current epidemic?
On April 11, 2011, Professor Edward
Patino gave a talk about the threat of bioterrorism. He raised the fact that it
is much easier than before to engineer dangerous microbes with the right
equipment.
On April 26, 2011, Vast University in Uptown reported that a large amount of Professor Edward’s equipment was stolen from his lab. The equipment could potentially be used to manufacture microbes.
On May 13, 2011, police authorities apprehended three people suspected to be part of a terrorist group – Paramurderers of Chaos. A source revealed that the suspects were in the middle of constructing some type of laboratory in a basement. Before escaping, the suspects destroyed most of the equipment and evidence. But what was left looked like expensive high-end workbenches along with stacks of Petri dishes. The description of the remaining evidence and the timing lead one to suspect that the equipment is what was stolen from Professor Patino’s lab, and that the terrorist group members were manufacturing microbes before being apprehended.
Following up on the lead of the terrorist group “Paramurderers of Chaos”, on May 15, 2011, a suspected member of the group was arrested for trespassing near the loading docks at a food preparation plant in Vastopolis shortly after midnight. Although further investigation on “food preparation plant” did not yield more related information, we suspect, based on the provided evidence, that the individual was deploying the microbes manufactured by the same group to the food preparation plant, especially given that the CDC (Center for Disease Control) believes the food supply has the highest probability of being a bioterrorism target due to ease of dissemination. The CDC also said that targeting the food supply allows for widespread consumption by the populace that can be difficult to identify until it is too late.
Shortly after May 15, when a former terrorist group member was arrested for trespassing in the food preparation plant, the epidemic spread started within the metropolitan area.
It is therefore suspected that the spread may have been caused by microbes in food/water that eventually mutated into an airborne virus. In light of the suspect's apprehension for trespassing at a food plant, it is highly alarming that a certain food source could be contaminated by microbes.
Describe the series of
events, planned or otherwise, that led to the current epidemic.
We constructed a timeline (below) to illustrate the series of events that might be related to the current epidemic. Events in a red frame are likely the cause of the epidemic, while the others are potential terrorist threats. Further explanations are embedded in the debrief.
Debrief
The debrief covers the evidence that supports potential terrorist threats, how the threats might be related to the current epidemic spread, and how the security breach at All Freight Corporation’s network might be related to the terrorist threats.
A hypothesis of a potential bio-terror threat is supported by evidence from the news corpus.
On April 11, 2011, Professor Edward
Patino, a molecular professor, gave a talk at Vast University in Uptown about
the threat of bioterrorism. He raised the fact that it is much easier than
before to engineer dangerous microbes with the right equipment.
On April 26, 2011, Vast University in Uptown reported that a large amount of Professor Edward’s equipment was stolen from his lab. The equipment could potentially be used to manufacture microbes.
On May 13, 2011, police authorities apprehended three people suspected to be part of a terrorist group – Paramurderers of Chaos. A source revealed that the suspects were in the middle of constructing some type of laboratory in a basement whose location authorities refuse to disclose. Before escaping, the suspects destroyed most of the equipment and evidence. But what was left looked like expensive high-end workbenches along with stacks of Petri dishes. The description of the remaining evidence and the timing lead one to suspect that the equipment is what was stolen from Professor Patino’s lab, and that the terrorist group members were manufacturing microbes before being apprehended.
Following up on the lead of the terrorist group “Paramurderers of Chaos”, on May 15, 2011, a suspected member of the group was arrested for trespassing near the loading docks at a food preparation plant in Vastopolis shortly after midnight. Although further investigation on “food preparation plant” did not yield more related information, we suspect, based on the provided evidence, that the individual was deploying the microbes manufactured by the same group to the food preparation plant, especially given that the CDC (Center for Disease Control) believes the food supply has the highest probability of being a bioterrorism target due to ease of dissemination. The CDC also said that targeting the food supply allows for widespread consumption by the populace that can be difficult to identify until it is too late.
List of the evidential documents:

| Document | Date |
| CDC Publication on Bioterrorism | April 18, 2011 |
| Manufacturing Dangerous Microbes | April 11, 2011 |
| Robbery at Vast University | April 27, 2011 |
| Suspects Apprehended | May 13, 2011 |
| Dangerous Suspect Arrested at Local Plant | May 15, 2011 |
Shortly after May 15, when a former terrorist group member was arrested for trespassing in the food preparation plant, the epidemic spread started within the metropolitan area.
The evidence leads one to believe that the epidemic happened from May 18th to May 20th. The epidemic showed a significantly high-velocity spreading pattern, with a substantial number of patients each day (8731, 8808, and 8731, respectively). Reported patient information revealed evolving symptoms, indicating a pattern of deteriorating health as the symptoms developed over a short amount of time.
| Date | Symptom | Example Message |
| May 18th | Cold (some sweats) | I live such a dreadful life need to sleep this cold makes me want soup (ID 43: RowID 204) |
| May 19th | Chills, accompanied by vomiting | these chills makes me wish I wasn't here right now night tweeps (ID 188: RowID 1030) |
| May 20th | Chills, Pneumonia, Chest Pain | James has caught a pneumonia being sick sucks (ID 507 : RowID 2821) |
Given the high population density in these areas and the weather situation, one is led to believe that the disease is transmitted on a person-to-person basis (through touch or airborne). During the daytime, most people report their sickness in the downtown and east side areas; at night, reports are collected mostly from the adjacent city area.
The potential terrorist threat might also be related to
the computer network breach at All Freight Corporation. The relationship is
indirectly supported by evidence from the news corpus and computer network
analysis.
Since the attacks on the computer network were launched with standard hacking tools, the suspicion is that the attackers are amateurs rather than experts. Incidentally, on April 19th, a news article reported that several teen computer hackers had been arrested. The group acts under the name F-Alliance. And on April 10th, a robbery was reported in which a room full of computers was found missing at the Vastopolis Library in Uptown. The letter “F” was written all over the walls of the room that contained the computers.
Based on the timeline, one can infer that the teen hackers had stolen the computers from the library and launched the attack on the computer networks at All Freight Corporation.
Since the attack was amateurish, the networks may have been made vulnerable to other attacks, and the terrorist groups might be able to access shipping information stored on the compromised servers.
Conclusion and Recommendation:
It is therefore suspected that the spread may have been caused by microbes in food/water that eventually mutated into an airborne virus. In light of the suspect's apprehension for trespassing at a food plant, it is highly alarming that a certain food source could be contaminated by microbes. There is some uncertainty, though, about the origin of the source. To confirm this hypothesis, further information on the locations of food preparation plants and processing centers is necessary.