Oculus Info Inc. - nSpace2® – MC3

VAST 2011 Challenge
MC3: Investigation into Terrorist Activity

Authors and Affiliations:

Casey M. Canfield, Oculus Info Inc., ccanfield@oculusinfo.com

Tool(s):

nSpace2®: nSpace2 is an open-source and multi-source application designed to support multiple analytical tasks, styles, and workflows within a web browser-based system. By combining human information interaction, computational services, and innovative visualization techniques, nSpace2 enhances the analyst's ability to retrieve, comprehend, and organize large amounts of data. The nSpace2 environment has two main components: nSpace2 TRIST®, for information triage, and the nSpace2 Sandbox®, for evidence marshaling and analytical sense-making. nSpace2’s ability to facilitate the comprehension and analysis of a large data corpus was an ideal fit for the analytical tasks associated with this mini-challenge.

[See W. Wright, D. Schroh, P. Proulx, A. Skaburskis and B. Cort, The Sandbox for Analysis - Concepts and Methods, paper accepted for ACM CHI 2006.]

Video

MC3 - Investigation Into Terrorist Activity Video

ANSWERS:


MC3: Potential Threats: Identify any imminent terrorist threats in the Vastopolis metropolitan area. Provide detailed information on the threat or threats (e.g. who, what, where, when, and how) so that officials can conduct counterintelligence activities. Also, provide a list of the evidential documents supporting your answer.

Detailed Answer:

Analytical Process

The analytical process was iterative, beginning with broad concepts, then focusing on specifics. Figure 1 describes the analytical process.

 


Figure 1: The nSpace2® analysis process

To begin, I created several Sandboxes and a Sandbox template to provide a consistent framework for my analysis.

I added the corpus to nSpace2 as a data collection in less than five minutes by using the TRIST query dialog. I then executed an initial TRIST query using the term “vastopolis AND (‘*terror*’ OR threat)”. This search term was designed to capture a large number of relevant articles during the first query.

To facilitate scanning of the results, I enhanced the standard TRIST dimension set with a customized dimension containing terrorism-related terms of interest. This required two minutes of effort. I used a new feature of nSpace2 that allowed me to create multi-word terms, combining similar concepts in one dimension bucket. For example, I placed “threat” and “warning” on the same line so TRIST would treat the terms as identical for counting and document identification.

Figure 2 illustrates how TRIST dimensions quickly identify documents of interest.


Figure 2: Using TRIST Dimensions to characterize data

I quickly noticed consistency problems with the data collection, especially incorrect or omitted places, names, and genders. To adapt, I changed my triage approach to favor the custom dimensions over the standard dimensions.

I used the nSpace2 Viewer to examine the identified documents and the Pasteboard to place key information from those documents into Sandboxes. nSpace2 automatically records source information for evidence captured with the Pasteboard. After four hours, I completed a fully-sourced master timeline (Figure 3). This timeline used a new feature of nSpace2 – the ability to display multiple parallel timelines.


Figure 3: Master Multi-Timeline Sandbox

Over time, I created a series of detailed Sandboxes to visually focus on subsets of information. I used Assertions to evaluate my hypotheses. Assertions allow analysts to visually weigh evidence against a hypothesis. I assigned a weight to each piece of evidence according to its relative influence. Figure 4 illustrates the Sandbox for the Paramurderers of Chaos group.


Figure 4: PMC evidence in the nSpace2® Sandbox

Finally, I created a summary Sandbox to organize my findings. I exported the Sandbox (Figure 5) to a Word document, including Endnote citations.


Figure 5: Exporting the Conclusions Sandbox

My total effort was 14 hours.

Conclusions

It is my conclusion that the most imminent threat to Vastopolis is a biological attack from the Paramurderers of Chaos.

Paramurderers of Chaos (PMC): On April 25, terrorism expert Jose Thom warned Vastopolis city officials of potential attacks. He specifically mentioned the PMC. (4080.txt) Two recent events directly implicate the PMC in a bioterror plot:

· May 13: authorities arrested three people suspected of PMC involvement. The suspects were in a homemade laboratory, and most of the laboratory was destroyed prior to the raid. The suspects had warning, indicating possible law-enforcement connections. (3435.txt)

· May 15: authorities arrested a trespasser wearing PMC colors at a Vastopolis food-processing plant. (1878.txt)

Searches for corroborating evidence revealed other suspicious events. Placing all relevant events into a timeline revealed the following sequence:

· April 1: Suspicious livestock deaths reported. Soil and feed tested for contamination. (2385.txt)

· April 11: Biologist Edward Patino spoke about bioterrorism. He said it is now easier to generate genetically modified microbes with proper equipment. (3212.txt)

· April 14: Police investigated trespassing where livestock deaths occurred. (3740.txt)

· April 18: CDC published bioterrorism report about threats to the food supply. (3040.txt)

· April 20: Department of Agriculture concluded that animal deaths were caused by a microbe. The variant was not a threat to humans. (4085.txt)

· April 20: An inspector described widespread health violations at food preparation plants. (3662.txt)

· April 26: Expensive equipment stolen from Patino’s laboratory. (1785.txt)

· May 13: PMC laboratory arrest (3435.txt)

· May 15: PMC trespassing arrest (1878.txt)

· May 19: Dead fish reported in river (1038.txt)

· May 19: Report of unusually swift increase in influenza within Vastopolis. (3295.txt)

Figure 4 illustrates the presentation of this evidence in the PMC Sandbox.

Based on the gathered information and timeline, it is possible that the PMC:

· stole samples of the livestock-killing microbe.

· stole expensive bio-genetic equipment.

· genetically engineered a human-affecting microbe variant.

· inserted the microbe into the food and water supply.

The influenza outbreak and fish deaths on May 19 may indicate that a biological attack has already occurred. Authorities should determine if an attack has already occurred and react accordingly. It is also possible that the PMC was simply testing their plans and the efficacy of the microbe. Authorities should consider all food-handling and/or water supply locations to be potential imminent targets of the PMC. The PMC may have law-enforcement connections, so authorities should attempt to neutralize that advantage.

Other Possible Threats

There was insufficient evidence to link many of the events reported in the data collection to broader threats against Vastopolis. However, some activity was more significant. While not as compelling as the PMC narrative, these events may signal potential threats to Vastopolis.

Network of Hate (NOH): The NOH is likely responsible for the theft of 20 military rifles and ammunition, along with three shoulder-fired missiles (2287.txt). Subsequent reports confirm that an NOH member, Samuel Stansbury, was arrested with the missiles (2395.txt), while 20 military rifles were discovered at Vastopolis airport (0499.txt). Since Stansbury was arrested and the weapons recovered, the potential threat from the NOH appears to be reduced.

Network of Dread (NOD): The Network of Dread is an overseas terrorist group that has made vague threats against the press (0129.txt) and the nation (0383.txt). Recently, radioactive material was discovered in the Port of Vastopolis (1671.txt). One week later, the Department of Homeland Security arrested Bruno Eggleston, a “former” member of the NOD, for a dirty bomb plot (3231.txt). The target for this attack was Washington, not Vastopolis. There is no other evidence linking the NOD to an emerging threat scenario. Therefore, I considered the threat legitimate, but not imminent.