DocumentCode :
2883046
Title :
Identifying threatening networks from transactional data
Author :
Hitt, Laura ; McClain, Matt
Author_Institution :
21CT, Inc., Austin, TX, USA
fYear :
2013
fDate :
4-7 June 2013
Firstpage :
267
Lastpage :
267
Abstract :
We present a method for identifying threatening networks from vast amounts of transactional data (source, destination, timestamp). Our approach builds upon 21CT's patented network discovery algorithm, and analyzes the changes and trends in network activity in response to stimuli (e.g., key events) as a means to expose the adversarial nature of networks. We provide an analyst with a ranking of networks according to suspiciousness and also various graphical depictions of the change in activity patterns and anomaly scores over time. This assists the analyst in identifying networks of interest from among vast amounts of data and enables the analyst to focus time and resources on those networks. By our approach using anomaly detection, it is not necessary to have an a priori determination of what behavior constitutes a threat. We present results of our capability on real operational data that contains ground truth. Within this dataset are thirteen detected networks, four of which are known to be threatening. There are three key events in this dataset: the arrival of the U.S. Marines to the region, the removal of a key threatening leader, and the raid of an insurgent's home. Our results indicate that threatening networks conduct communications activity differently than non-threatening networks in response to key events and our approach is able to capture these differences with compelling accuracy, sensitivity, and specificity.
Keywords :
data mining; pattern recognition; principal component analysis; social sciences computing; transaction processing; US Marines arrival; activity pattern change; anomaly detection; anomaly score; insurgent home raid; key threatening leader; network activity change; network activity trend; network discovery algorithm; principal component analysis; suspiciousness; threatening network identification; transactional data; Accuracy; Algorithm design and analysis; Market research; Principal component analysis; Sensitivity; Social network services; Vectors; anomaly detection; behavior patterns; computational social science; graph analysis; social network analysis; threat detection;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Intelligence and Security Informatics (ISI), 2013 IEEE International Conference on
Conference_Location :
Seattle, WA
Print_ISBN :
978-1-4673-6214-6
Type :
conf
DOI :
10.1109/ISI.2013.6578835
Filename :
6578835