analyzing terrorist networks - theories &...

Analyzing Terrorist Networks - Theories & Techniques

Drew Conway

NYU — Department of Politics

April 10, 2012

Introduction Theories of terrorist organizations Network Analysis and CT Conclusions

What We Will Discuss

Why I am talking to you?

I Where I used to work

I What I used to do

I How I used to do it

Theories of terrorist organizations

I Sageman and Hoffman schools

I Empirical observations

I Who’s right?

Basic network analysis techniques usedin CT

I Key actor analysis

I Detecting community structure

I Block modeling

Exploring with real networks

I Illicit drug network in Hartford, CT

I Covert terrorist network

Conclusions & Departing Thoughts

I New paradigms in networkorganization

I Using network analysis to addressthem

Drew Conway Analyzing Terrorist Networks - Theories & Techniques


My experience in the Intelligence Community

DISCLAIMER: All views and opinions expressed today are my own, and notthose of U.S. Department of Defense or Office of the Director of NationalIntelligence

Currently, a fourth year PhD student in Politics, research interests include...

I Terrorism, low-intensity conflict, and cyber warfare

I Agent-based modeling, machine learning, and network analysis

Prior to entering graduate school...

I Worked in DC in the defense and intelligence communities for four years

I Official title was “All-source analyst,” specific role was to apply statisticaland computational methods to problems of social dynamics andorganization of interest to the DoD/IC.

NO: If I tell what I really did I will not have to kill you...they never have theanalysts do the killing



Organization of the IC & Where I Worked

Defense Intelligence Agency

I “Getting intelligence tothe war fighter”

National Security Agency

I SIGINT and cryptology



The Sageman and Hoffman Schools on Terrorist Organizations

Sageman School

I Marc Sageman - former CIA caseofficer for Islamabad

I Currently Scholar in Residence atthe NYPD

Terrorist groups are independent, orloosely connected cells

I Organization driven by a groupprocess; result of circumstance,motivation and opportunity

I The types of social ties areextremely important: kinship,friendship and religious

From Leaderless Jihad...

“The links are very interesting because it turned out that68% joined the Jihad out of friendship, they either grewup with somebody who was already a terrorist, or therewas a bunch of guys who collectively decided to join.”

Hoffman School

I Bruce Hoffman - History professorat Georgetown University

I Respected academic in terrorismstudies, published widely readInside Terrorism

Terrorist groups are hierarchicalstructures

I Global terrorist organization arewell-formed and lethal

I Critical information and resourcesflow down from the leadership tolow-level operatives

From Foreign Affairs

“Al Qaeda is much like a shark, which must keep movingforward, no matter how slowly or incrementally, or die. AlQaeda must constantly adapt and adjust to its enemies’efforts to stymie its plans while simultaneously identifyingnew targets.”



Evidence in support of Sageman

The “Hamburg Cell”

I Late 1998, future 9/11 hijackers Mohammed Atta, Marwan al-Shehhi, andRamzi Binalshibh moved into a three-bedroom apartment

I Originally intending to fight jihad in Chechnya, a chance meeting on atrain in Germany caused the group to travel to Afghanistan instead.

Several more contemporary examples

I 2004 Madrid Train Bombing – “al-Qaeda inspired cell”

I July 7, 2005 London bombings – 4 British, 3 Pakistani and 1 Jamaicanmotivated by British involvement in Iraq War

I Alexandria 5 – N. VA students travel to Pakistan to join Taliban

Excerpt from “The Pact”

“This is a story about the power of friendship. Of joining forces and beatingthe odds...”



Evidence in Support of Hoffman

2002 Bali BombingsI Coordinated attack carried out by Jemaah Islamiyah (JI), Southeast Asian

militant Islamic groupI Deadliest attack in Indonesia’s history, killed 202 peopleI Organized as a hierarchy, though many leaders have since been killed or

captured

International terrorist organizations remain lethalI 2008 Mumbai attacks – 10 coordinated attacks perpetrated by

Lashkar-e-Taiba militants from PakistanI Beslan school hostage crisis – Chechan militants seize school with 1,100

people (including 777 children) for three days. Ultimately, 334 hostageswere killed, including 186 children.

I Richard Reid (shoe bomber) – admitted member of al-Qaeda

2007 NIE The Terrorist Threat to the US Homeland

“Al-Qaida is and will remain the most serious terrorist threat to the Homeland,as its central leadership continues to plan high-impact plots, while pushingothers in extremist Sunni communities to mimic its efforts and to supplementits capabilities.”



Sorting out the debate

Who’s right?Spoiler: Both men are correct, and wrong

Karen J. Greenberg, Executive Director of NYU Center on Law and Security

“Sometimes it seems like this entire field is stepping into a boys-with-toysconversation. Here are two guys, both of them respected, saying that there isonly one truth and only one occupant of the sandbox. Thats ridiculous. Bothof them are valuable.”

I Since 9/11, the persistent, coordinated and international effort to kill orcapture terrorist leaders has decimated the structure of transnationalterrorist organization

I For those left, movement, communication and planning has becomeincredibly strained

Enter the age of the “al-Qaeda Affiliates”

I Model has moved away from strictly hierarchical or cellular to a franchise

I Leadership provide inspiration, rather than resources and ideas

I Umar Farouk Abdulmutallab and the al-Qaeda in the Arabian Peninsula



Why study networks for CT?

9/11 Commission Report - Chapter 12

“Our enemy is twofold: al Qaeda, a stateless network of terrorists that struck us on 9/11; and a radical ideologicalmovement in the Islamic world, inspired in part by al Qaeda, which has spawned terrorist groups and violenceacross the globe. The first enemy is weakened, but continues to pose a grave threat. The second enemy isgathering, and will menace Americans and American interests long after Usama Bin Ladin and his cohorts are killedor captured. Thus our strategy must match our means to two ends: dismantling the al Qaeda network andprevailing in the longer term over the ideology that gives rise to Islamist terrorism.”

After 9/11, the IC becomes focused on understanding networked organizations,with a specific focus on dismantling and disruptingPrimary focus is one three aspects of network analysis

1. Identifying leadership and key actors

2. Revealing underlying structure and intra-network community structure

3. Evolution and decay of social networks

We will review 1-2; however, 3 is where most cutting edge network research isfocused



Comparing two network metrics to find key actors

Often social network analysis is used to identify key actors within a socialgroup. To identify these actors, various centrality metrics can be computedbased on a network’s structure

I Degree (number of connections)

I Betweenness (number of shortest paths an actor is on)

I Closeness (relative distance to all other actors)

I Eigenvector centrality (leading eigenvector of sociomatrix)

One method for using these metrics to identify key actors is to plot actors’scores for Eigenvector centrality versus Betweenness. Theoretically, thesemetrics should be approximately linear; therefore, any non-linear outliers will beof note.

I An actor with very high betweenness but low EC may be a criticalgatekeeper to a central actor

I Likewise, an actor with low betweenness but high EC may have uniqueaccess to central actors



Highlighting Key Actors

Using data collected on a network of drug users in Hartford, CT we willattempt to identify the identity and location of the key actors

I First, visualize the data

1. Clear bifurcation withinthe network

2. Each region of the networkappears to cluster aroundcentral communities

3. Sparse peripheral structurewith long “pendantchains”

Given these structural featureswe will want to identify actorsboth inside the network’s core,but also those with uniquestructural positions



Finding Key Actors with R

I Perform a linear regressionof Eig ∼ Bet

I Capture residuals fromregression

I Use this data to resize andcolor the actors in the plot

I Identify key actors:I Pulse takersI Gate-keepers

Actor 44 is a significant outlier,and likely part of the centralleadership, while actors 50, 28and 53 are pulse takers and 67,102, and 79 are gate-keepers.

...now add this visualizationstogether

Key Actor Analysis for Hartford Drug Users

Betweenness Centrality

Eig

enve

ctor

C

entr

ality

1 2 3 45

6

7 8

9

1011

12

13 1415

16

17

1819

20

21

22

23

24

2526

27

28

29303132

33

34 35

36

37 3839 40

41

42

43

44

4546

47

48

49

50

51

52

53

5455

56

57

58

59 6061 62

63

64

65

66

67

6869

7071 72 7374

75

76

77

78 798081 8283

8485

86

87

88

89

90

91

92

93

94

9596 9798 99

100

101

102103

104

105

106107108109

110

111

112113 114 115116 117118119120121

122 123124

125

126

127128129

130

131132133134135

136

137138

139

140

141

142143 144145146

147

148149

150151152153 154

155

156 157158 159 160161

162

163164

165

166167

168

169

170

171

172

173

174

175176

177

178179180

181

182

183

184

185

186187188189 190191 1921931940.0

0.2

0.4

0.6

0.8

1.0

0 1000 2000 3000 4000 5000 6000

res

−0.2

0

0.2

0.4

0.6

abs(res)

0.1

0.2

0.3

0.4

0.5

0.6

0.7



Key Actor Plot

●

●●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●●

●

●

●

●●

●

●

●

●●

●

●

●

●

●

●●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

●

● 20

284447

50

53

58

79

102

141155

Plot with key actor data

Good

I Very easily identify coreleadership

I Mid-level actors,pulse-takers, layer

I Highlight some bridges,gate-keepers

Bad

I Several key actors nothighlighted

I Over-emphasis on onecommunity due to dataasymmetry



Identifying Network Sub-Structure

The Hoffman School posits that terrorist networks will contain layers ofconnectivity and leadership.

I Covert networks often exhibit a“core-periphery” structure

I We may want to identify clustersof actors based on variousstructural features

To identify these layers, we willexamine an actual covert network



Methods for Community Detection

Identifying community structure within a network is an entire sub-discipline ofnetwork science.

I Google Scholar search for [“community detection” networks] returns 3,380articles since 2001

I There is an incredible diversity of methodsI StatisticalI SpectralI Node and edge context and/or attributes

We will be using a very basic method from the statistical category: hierarchicalclustering of geodesic distance

I Clusters nodes together based on their distance (closer nodes clusteredtogether)

I Returns several possible partitions

I Method is both art and science



Hierarchical Clustering of Geodesic Distance

First, we will generate a matrix of the distance between all node pairs

Clustering this data hierarchically, we can produce a dendrogram of all thecommunity cuts within our covert network

I Each break in the treerepresents a cut in thecommunity structure

I Further down the tree, themore granular thecommunities

I To find a “good” set ofcommunity partitions wecan step through themvisually



Stepping through the partitions

We will now visualize each community cut.Partition: 123456789



Block Modeling Covert Network

To reveal the underlying structure of these communities, we will collapse thesecommunities into single nodes using a technique know as “block modeling”

Suppose we wanted to view partition 8as a block model

In the block model, each colored groupwill become a single node

We can also take advantage ofadditional data generated by the blockmodel

I Each block represents somenumber of nodes with ties to eachother, as well as actors in otherblocks

I We can use that data to uncoverboth the underlying structure, aswell as the tie dynamics within andamong blocks in the model

I This is best revealed by combiningthis data into a visualization



Block Model of Partition 8

With the added datawe can alter thevisualization

I Blocks sized byinternal density

I Edges sized by tiestrength

We can now see somedistinct underlyingstructural dynamics

I Ignore block 8

I Central leadershipvery tightlyconnected

I Middle layersparsely, butstrongly connected



Developing New Theories of Terrorist Organizations

What is the influence of information technology on terrorism and terroristorganizations?

I Cyber-terrorism blurs the lines among transnational terrorism,state-sponsored attacks, rogue actors and homegrown threats

I Is it possible to distinguish among these threat?I Is attribution possibly in cyber?

I The barriers to influence approach zero through the InternetI Recruitment still primarily through in-person connections, but significant

push to online

How does the franchise model change theories of organization?

I With the vanishing operational importance of terrorist leadership, how canresources be maximized for CT?

I Is there more value in disrupting communication networks (e.g.,inspiration/influence) than operation (e.g., franchise cells)?

Can network analysis mitigate these new problems?



subsection newtheories(end)



Thank you

Thank you!

Email: [email protected]


analyzing terrorist networks - theories &...

Documents