Entry Name: giCentre-Wood-MC2

VAST Challenge 2014
Mini challenge 2

Team members:

Jo Wood, giCentre, City University London, j.d.wood@city.ac.uk    PRIMARY

Student Team: NO

Analytic Tools Used:

Bespoke software designed and built using Processing and libraries giCentre Utils and geoMap both written by the giCentre at City University London. Map design carried out with the use of LandSerf written by the author 1997-2009. Some additional minor file processing using Microsoft Excel.

Approximately how many hours were spent working on this submission in total?

Approximately 5 person-days to design and develop the software. Approximately 1 person-day of analysis. Analysis and software development were completed in several iterative cycles, where analytical conclusions from earlier iterations were used to inform development of the software and further analysis.

May we post your submission in the Visual Analytics Benchmark Repository after VAST Challenge 2014 is complete?

YES

Video:

Online video

Download


Questions:

 

MC2.1

Figure 1 Modal behaviour of registered car-owning GAStech employees. Each row represents 24 hours, coloured by the most common location type of employees at any given time. Vertical width represents the entropy of the behaviour - the narrower the bar, the greater the diversity of employee location type.

Weekend activity tends to involve similar midday and mid-evening visits to food outlets (yellow). No one appears to visit GAStech HQ during the weekend.

Other behaviour includes shopping (purple), typically in the evening, weekends or during midday lunch break (e.g. Figure 2). Weekend activity includes Saturday visits to the Capitol Building / Abila Park; Sunday golf and museum visits.

Figure 2 Calendar view for Vira Frente (car 19) showing typical employee behaviour. Bar colours as Figure 1. Grey ellipses represent credit card purchases.

GAStech trucks, driven by a pool of truck-driving employees, show a more limited range of locations (Figure 3). They are not used at weekends or outside 8:30-19:00. Working locations tend to be industrial supply/processing units or Abila airport.

Figure 3 Modal location of GAStech trucks.

MC2.2

·  What is the pattern or event you observe?

·  Who is involved?

·  What locations are involved?

·  When does the pattern or event take place?

·  Why is this pattern or event significant?

·  What is your level of confidence about this pattern or event? Why?

  1. Five unknown locations visited by four security employees. Locations where any vehicle has stopped for at least 5 minutes were identified for all vehicles. Credit card transactions and nighttime patterns of vehicle movement allowed all these places to be identified with the exception of five unknown locations (red/purple stars in Figure 4). These locations were exclusively and repeatedly visited by four employees - Inga Ferro, Loreto Bodrogi, Hennie Osvaldo and Minke Mies. Visits typically occurred in late morning, spanning midday and lasting between 10 minutes and two hours (e.g. Ferro's calendar view, Figure 4). Visits were most commonly made during weekdays between travel from GAStech HQ and lunchtime visits to food outlets. All except Minke Mies visited at least one of these locations on a Saturday around midday. The co-location view shows all except location 5 included meetings between more than one of the four employees.

    Significance of pattern: High. All four individuals are employed as 'security' under 'site control' (Ferro and Bodrogi) or 'perimeter control' (Osvaldo and Mies). It is not obvious that their jobs require visits to such locations, remote from GAStech facilities. Many of the stops at these locations involve apparent meetings between various combinations of Ferro, Bodrogi and Osvaldo, yet on every occasion they arrived and left at staggered times. Is one or more of these locations, especially location 5, being used as a dead drop?

    Confidence: High that these five locations were visited by the four employees. Medium that these were the only employees to do so (others may have shared car journeys or visited without a tracked car/truck).

Figure 4 Overview of Ferro's activities (top-left calendar view). Suspicious locations shown in reds/purples and as star symbols in map view.

  1. Osvaldo's nighttime house calls. Hennie Osvaldo (under suspicion, see above) shows an unusual pattern of evening/night visits to others' residences (dark blue bars, Figure 5). This includes repeated visits to Home 14/18 (Dedos/Birgitta Frente), Home 35 (Vasco-Pais) and Home 4 (Barranco). Visits to Home 14/18 occur after work every day, yet nighttime stops are more commonly at Home 13/15/16/21.

    Significance of pattern: Medium. The behaviour is unusual compared with all other employees. It may be significant that two of the three other houses visited belong to GAStech executives (Barranco and Vasco-Pais) and that Osvaldo is also under suspicion for visiting suspect locations (see above).

    Confidence: High confidence that this is unusual behaviour. Medium confidence that this is suspicious (e.g. cannot rule out social or work-based motivation for behaviour).

Figure 5 Calendar, place and map view of Hennie Osvaldo's travel behaviour. Calendar view (top-left) shows frequent visits to others' homes during the evening and night (darker blue bars).

  1. Isia Vann's two nighttime trips. On Monday 6th at 11:00pm Isia Vann visits Home 10 (Campo-Corrente) and appears to stay there until 7:00am the following morning. She makes a similar nighttime trip at 11:00pm on Friday 10th to Home 35 (Vasco-Pais), returning at around 3:30am on Saturday (see darker blue bars in Figure 6). In this second trip she swaps locations with Osvaldo, who makes the reverse journey at around the same time. On both occasions she visits a shop earlier in the evening (Shoppers' Delight and Roberts and Sons), spending between €240-300.

    Significance of pattern: High. Both visited homes belong to executives. The second trip occurs while most employees are at the Friday night party (see below). Vann is employed as perimeter security along with Osvaldo, already under suspicion (see above).

    Confidence: Medium. This behaviour is unusual, although it only occurs on two occasions.

Figure 6 Isia Vann's movements. Map view shows animation snapshot of her travel (red circle) between two home locations. Lower portion shows co-location view with respect to her home location (blue bars in highlighted row).

  1. No vehicle movements recorded at weekends before midday. Time view (see Figure 7) suggests no vehicle movements at weekends before midday, which seems rather unusual. The only exceptions are Vann (car 16) and Osvaldo (car 21) who travel between Home 17/24/33 (Flecha, M. Mies, Tempestad) and Home 35 (Vasco-Pais) at 3:30am on Saturday 11th.

    Significance of pattern: Lack of general movement: Low; movement of Vann and Osvaldo: High, especially as they are already both under suspicion (see above).

    Confidence: High. Direct observation from GPS trackers, no inferences or assumptions required.

Figure 7 Movements (red) of all tracked vehicles (rows). Weekend mornings highlighted in orange. Only Sat 11th shows morning movement for vehicles 16 and 21.

  1. Gathering at Capitol building. Five employee vehicles visit the Capitol building on the afternoon of Saturday 18th. Three vehicles arrive (Bodrogi, Nubarron and Vann) as two others leave (Harrero and Orilla) - see Figure 8. Time of maximum co-location around 1:20pm.

    Significance of pattern: Medium. That two vehicles leave when the other three arrive suggests this is not a social gathering, especially since Bodrogi and Vann are under suspicion. It is unusual in that no other such co-location occurs on any other weekend day.

    Confidence: Medium. There may be an event at the Capitol building or in the park attracting employees, and the gathering is therefore not suspicious. Harrero and Orilla go on to visit the Museum and Hippokampos together before both returning to Harrero's house, so probably not directly suspicious. Presence of Bodrogi at the initial meeting with Vann and Nubarron is more suspicious.

Figure 8 Co-location at the Capitol building / Abila Park (green bars).

  1. Lars Azada hosts a Friday night party. Most car-owning employees visit Lars Azada's house on the evening of Friday 10th, presumably for a social event / party. Lars himself leaves GAStech early (5:05pm). The majority of others arrive between 7:00-7:15pm and stay typically until around 11:00pm.

    Significance of pattern: Low. This appears to be a normal Friday night social event, but it is notable that none of the five employees under main suspicion were present, so the event may have been a prompt for other suspicious activity by those employees.

    Confidence: High that there was some social event. Low confidence that this is directly suspicious or warrants further investigation.

Figure 9 Co-location at Lars Azada's house showing 16 vehicles present at 8:40pm on Friday 10th.

  1. Borrasca and Tempestad's daytime hotel visits. Isande Borrasca and Brand Tempestad meet regularly at the Chostus hotel between around 11:00am and 1:30pm on Wed 8th, Friday 10th, Tuesday 14th and Friday 17th, as revealed by the co-location view (see Figure 10).

    Significance of pattern: Low. While GAStech may allow legitimate business to be conducted at the hotel, the behaviour is suspicious in that both leave GAStech, typically separated by an interval of 10-15 minutes, and spend 2 hours there twice a week on work time. Returns from the hotel are also usually staggered. Should check that, if they are having an affair, they are not vulnerable to blackmail.

    Confidence: High that there is co-location at the hotel. Medium that they are conducting a covert affair.

Figure 10 Co-location view (bottom) at Hotel Chostus. Solid pink bar is car 31 (Sanjorge Jr) and not suspicious. Regular shorter bars represent repeated midday visits by Borrasca and Tempestad. Calendar view (top-left) shows Borrasca's locations including the hotel in pink.

  1. Bertrand Ovan's late night round trip. Car 29, registered to Bertrand Ovan, shows unusual behaviour in taking a late night trip starting from his home at 10:10pm, then visiting Guy's Giros (10:15pm), Ouzen Elian (10:29pm), Kalami Kafenion (10:40pm), Hippokampos (10:55pm) and U-Pump (11:25pm), where he stays for 30 minutes before returning home at midnight (see Figure 11). The whole trip takes less than two hours but visits 5 locations. Should investigate further to see, at the very least, if Bertrand has any drinking / drink-driving issues. There may be other reasons for this trip.
    Significance of pattern: Low. But it is notable in being unusual and not exhibited by any other employees. On the surface there is no evidence of any criminal activity, but some concern over possible alcohol / drink-driving issues.
    Confidence: The pattern of movement: High; inference in behaviour: Low (we do not know what he did at the visited locations as there were no CC purchases to support inferences).

Figure 11 Bertrand Ovan (car 29) tracks showing late night round trip on Sat 11th / Sun 12th visiting a variety of bars. Red circle is his vehicle at currently selected time (10:58pm).

  1. Systematic visits to Nationwide Refinery. Trucks 107, 105, 101 and 106 regularly visit Nationwide Refinery. This in itself is not suspicious, except that the co-location view (Figure 12) shows that they do this in the same sequence on Tuesdays, Wednesdays and Thursdays, including co-location. CC purchases suggest the same four drivers are responsible: Ceculia Morluniau, Valeria Morlun, Benito Hawelon and Dylan Scozzese.

    Significance of pattern: Low; probably benign, but check against work rosters for confirmation as regularity of the pattern is unusual.

    Confidence: High confidence in pattern of visits; Low confidence that we are observing suspicious behaviour.

Figure 12 Co-location view of trucks at Nationwide Refinery. Green bars show presence of trucks over time at Nationwide Refinery.

MC2.3

Figure 13 Gross GPS errors in Vehicle 28 (red) compared to all other vehicle tracks (black).

Car 9 and Truck 107 showed gaps in the GPS records where consecutive points were far apart in space and time. These gaps were automatically indicated by dashed lines in the map view (e.g. Figure 14) and dashed rectangles in the calendar view (e.g. Figure 15).

Figure 14 Interpolated GPS tracks for Vehicle 9 (red, dashed line).

Figure 15 Gaps in GPS record of Truck 107 indicated by desaturated dashed rectangles.
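
The two track-processing rules described in this entry, stops of at least 5 minutes (MC2.2, item 1) and gaps where consecutive points are far apart in space and time (above), can be sketched together. This is an added example, not the submission's software; the gap thresholds, the assumption that the tracker logs only while moving, and the sample track are all constructed for illustration.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MIN_STOP = timedelta(minutes=5)    # dwell threshold stated in the text
GAP_TIME = timedelta(minutes=5)    # assumed: silence long enough to be a gap
GAP_DIST_M = 500.0                 # assumed: jump too large to be a parked car

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371000 * asin(sqrt(h))

def classify_intervals(track):
    """Return (stops, gaps) found between consecutive fixes of one vehicle.

    Assumes the tracker logs only while the vehicle moves: a long silence
    with almost no displacement is a stop, while a long silence with a
    large displacement means fixes are missing and the path is unknown."""
    stops, gaps = [], []
    for (t0, p0), (t1, p1) in zip(track, track[1:]):
        silence, dist = t1 - t0, haversine_m(p0, p1)
        if silence >= GAP_TIME and dist >= GAP_DIST_M:
            gaps.append((t0, t1, round(dist)))      # draw dashed, trust less
        elif silence >= MIN_STOP:
            stops.append((t0, t1, p0))              # candidate visited place
    return stops, gaps

def at(hms):
    return datetime.strptime("2014-01-06 " + hms, "%Y-%m-%d %H:%M:%S")

# Constructed track, not taken from the challenge data.
TRACK = [
    (at("07:30:00"), (36.0500, 24.8700)),
    (at("07:30:05"), (36.0505, 24.8705)),
    (at("07:30:10"), (36.0510, 24.8710)),   # parks
    (at("11:45:00"), (36.0510, 24.8711)),   # same spot hours later: stop
    (at("11:45:05"), (36.0515, 24.8716)),
    (at("12:20:00"), (36.0800, 24.9000)),   # 35 min silence, ~4 km jump: gap
    (at("12:20:05"), (36.0805, 24.9005)),
    (at("12:23:00"), (36.0805, 24.9005)),   # under 5 minutes: ignored
]

if __name__ == "__main__":
    stops, gaps = classify_intervals(TRACK)
    print("stops:", stops)
    print("gaps:", gaps)
```

Keeping gaps separate from stops matters for the analysis: a gap interval says nothing about where the vehicle was, so it should not count as evidence of presence or absence at any location.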

Credit Card Transaction Record Errors

Some credit card records registered transactions at exactly midday on day of purchase, especially coffee shops. These erroneous times were edited by dragging the transaction symbol (ellipse) to match the time at which the registered vehicle owner was present. Such edits resulted in automatic outline symbolisation (see Figure 16) to encourage caution when making inferences.

Where a correctly timed credit card transaction occurred at a different location to the employee's vehicle, the transaction was automatically symbolised in red (see Figure 16).

Figure 16 Credit card transactions (ellipses) in calendar view. Edited times shown as outlines and mismatches with vehicle location shown as red and visible as a tooltip.

Spatial contradictions were indicated by showing location of all vehicles of employees who made a credit card transaction at the time. This was used initially to identify place locations and subsequently to identify possible errors (see Figure 17) or online (remote) purchases.

Figure 17 Vehicle locations when credit card purchases were made at Kalami Kafenion.
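
The credit card checks described under "Credit Card Transaction Record Errors" can be expressed as a small reconciliation routine. This is an added example, not the submission's software: the entry describes correcting midday times by hand, whereas this sketch goes one step further and proposes a candidate visit automatically. The function name, record layout, "Coffee shop A" and the sample records are constructed for illustration.

```python
from datetime import datetime, time

def dt(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def reconcile(tx, stops):
    """Classify one card transaction against its owner's vehicle stops.

    tx    = (when, place)
    stops = [(arrive, leave, place), ...] for the same employee
    Returns (status, stop), where status is one of:
      'ok'           vehicle was at the place when the card was used
      'default-time' stamped exactly 12:00 and the vehicle was at the place
                     at another time that day; stop is the candidate visit
      'mismatch'     vehicle was elsewhere (error, shared ride or remote buy)
    """
    when, place = tx
    for stop in stops:
        if stop[2] == place and stop[0] <= when <= stop[1]:
            return "ok", stop
    if when.time() == time(12, 0):
        same_day = [s for s in stops
                    if s[2] == place and s[0].date() == when.date()]
        if same_day:
            # Suggest the visit closest to midday; an analyst still confirms it.
            return "default-time", min(same_day, key=lambda s: abs(s[0] - when))
    return "mismatch", None

# Constructed records, not taken from the challenge data.
STOPS = [
    (dt("2014-01-08 07:40"), dt("2014-01-08 07:55"), "Coffee shop A"),
    (dt("2014-01-08 08:00"), dt("2014-01-08 12:05"), "GAStech HQ"),
    (dt("2014-01-08 12:15"), dt("2014-01-08 13:10"), "Kalami Kafenion"),
    (dt("2014-01-08 13:20"), dt("2014-01-08 17:30"), "GAStech HQ"),
]
TXS = [
    (dt("2014-01-08 12:00"), "Coffee shop A"),      # midday placeholder time
    (dt("2014-01-08 12:40"), "Kalami Kafenion"),    # consistent with vehicle
    (dt("2014-01-08 15:00"), "Shoppers' Delight"),  # vehicle at GAStech HQ
]

if __name__ == "__main__":
    for tx in TXS:
        print(tx[1], reconcile(tx, STOPS))
```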