SKYNET: Applying Advanced - Electronic Frontier Foundation ...

Post on 16-Jun-2019


TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

SKYNET: Applying Advanced

by S2I, R6, T12, T14, I


Presenters:


, S2I51 , R66F

Derived From: NSA/CSSM 1-52 Dated: 20070108

Declassify On: 20370401

UNCLASSIFIED//FOUO

Outline

What is SKYNET?

DEMONSPIT Data Flow

Automated Bulk Cloud Analytics

Analytic Triage


Collaborative cloud research effort between 5 different organizations crossing 3 NSA Directorates:
- Signals Intelligence: S2I, S22, SSG
- Research: R6
- Technology: T12, T14

Partnerships
- TMAC/FASTSCOPE
- MIT Lincoln Labs & Harvard

SKYNET applies complex combinations of geospatial, geotemporal, pattern-of-life, and travel analytics to bulk DNR data to identify patterns of suspect activity

[Map: "Rough outline of courier path as described by the targets", NSA/CSS Counterterrorism Mission Management Center (CTMMC). Legible place labels: Peshawar, Probably Faisalabad, Kabul, Asadabad, Gardez, Waziristan, Srinagar, Islamabad, Rawalpindi, Faisalabad, Lahore. Legible day labels: Tuesday/Friday, Sunday, Sunday/Monday.]

TOP SECRET//COMINT//ORCON/REL TO USA, AUS, CAN, GBR, NZL

SKYNET Analytic Questions

Who has traveled from Peshawar to Faisalabad or Lahore (and back) in the past month?
• Who does the traveler call when he arrives?
• Who else is seen in the area when the traveler arrives, and who is seen leaving the area shortly afterward?

Who travels to/from Peshawar every other Sunday and "somewhere else" on a weekly basis?

Who visits Akora Khattak periodically and also travels between Peshawar and Lahore?

Who fits the above travel profiles and also possesses unusual behavior:
• One or two hops from other suspects or known tasked selectors
• Frequent handset swapping or powering down

DEMONSPIT

DEMONSPIT is a new dataflow for bulk Call Data Records (CDRs) from Pakistan
- CDRs are being acquired from major PK Telecom providers

Data is normalized through TUSKATTIRE, like all other Call Data Records

DEMONSPIT data is forwarded by TUSKATTIRE to several Clouds:
- GMHalo/DPS
  • Promotes records to FASCIA and feeds the SEDB Tower QFD
- GMPlace & Cloud 14
  • Ingests DEMONSPIT into Sortinglead summaries to support SKYNET Analytics
  • Ingests DEMONSPIT into a Perishable QFD which will be available to analysts via JEMA and CINEPLEX
- Bulldozer/MDR2

All of the clouds receiving DEMONSPIT data also receive all FASCIA data

SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

Analysts' View of DEMONSPIT

TUSKATTIRE

MAINWAY/SIGNAV

TOWER QFD

CINEPLEX JEMA

ROLLERCOASTER

SMARTTRACKER SORTINGLEAD

FASCIA ASSOCIATION BANYAN


Original CDRs

Access to ALL DEMONSPIT Data

Original CDRs

Access to CDRs, Analyst Queries, & Results of SKYNET Analytics

CDR Summaries

Analyst Promoted CDRs Access to DEMONSPIT FASCIA Promoted Data

SKYNET & Analyst Promoted CDRs


Outline

What is SKYNET?

DEMONSPIT Data Flow

Automated Bulk Cloud Analytics

Analytic Triage


TOP SECRET//SI//REL TO USA, FVEY

Cloud Analytic Building Blocks


Travel Patterns
- Travel phrases (Locations visited in given timeframe)
- Regular/repeated visits to locations of interest

Behavior-Based Analytics
- Low use, incoming calls only
- Excessive SIM or Handset swapping
- Frequent Detach/Power-down
- Courier machine learning models

Other Enrichments
• Travel on particular days of the week
• Co-travelers
• Similar travel patterns
• Common contacts
• Visits to airports
• Other countries
• Overnight trips
• Permanent move

Sample Travel Report: Haqqani Network

tasked- selector^ contact- swapping associated^ other_

seed-contacts count _num selectors visits_regularly countries phrase

3 lashkargah_city

helmand

kandahar AF PK

nowbahar IR

farah AF

bala_bulk farah

masow farah

masow

nowbahar

masow

3 BA

ghazni AF

sharan urgon

AE

AF

khost_airport

kajir_kalay


What Suspicious Selectors Were Seen Traveling Between Peshawar and Lahore?

SoecifmBehavioral Cloud Analytics Peshawar-Lahore Travel 1 - 4 NOV 2011

Columns: TRAVEL PHRASE, DOW, TASKED, MSISDN, IMSI, NUM_CONTACTS, SELECTOR_SWAPPING, ASSOCIATED_SELECTORS, ACTIVITY_CATEGORIES

torkham AF PK peshawar lahore FRI 2

PK peshawar lahore THU

behsud AF jalalabad jalal_abad jalalabad behsud rodat bati_kot mohmand_darah peshawar PK WED 4 7

gtrd PK nowshera gulbahar peshawar sanda kalan lahore THU

jamrud PK peshawar lahore TUE 10

PK peshawar lahore THU

5-or-fewer-contacts, sms-and-zero-duration-calls-only, low-use

Outline

What is SKYNET?

DEMONSPIT Data Flow

Automated Bulk Cloud Analytics

Analytic triage
- SMARTTRACKER
- RT-RG
- JEMA

Selectors of Interest from Cloud Travel Analytic

(tasked)

IMSIs:


Handsets


SMARTTRACKER Travel View 31 October - 23 November

[Map: SMARTTRACKER travel view with location callouts, each giving a UCell ID and a timestamp between 11/14/2011 and 11/23/2011. One site is labelled "KHATTAK SUSPECT TERRORIST FACILITY 001".]

Examine travel patterns for common routes and meeting locations
- Run cell soaks on all common meeting locations during meeting timeframe

Analyze selectors for common contacts

Analyze selectors for handset sharing behavior

Repeat procedure with resulting selectors

Correlate with other known and suspected selectors

SMARTTRACKER Coincidence Report

Sets with 2 targets
- 31 at 12 locations
- 24 at 11 locations
- 1 at 1 location
- 1 at 1 location
- 1 at 1 location


RT-RG Analytics

Meetings - who is at the same ucellid at the same time as the potential courier at the destination city?...Multiple times.

Sidekicks - is there a pair traveling together to the destination city?


JEMA: Pulling It All Together

Movement Irregularity

Destination Cities

Meetings Evaluate, add value, prioritize

Start/end points

Dates

Are selectors seen meeting at destination consistently?

Travel Reports Human in the loop to analyze travel reports.

Sidekicks

Does Sidekick selector have call events?
