Out of the Ordinary

Out of the Ordinary: Finding Hidden Threats by Analyzing Unusual Behavior

JOHN HOLLYWOOD
DIANE SNYDER
KENNETH McKAY
JOHN BOON
Copyright Date: 2004
Edition: 1
Published by: RAND Corporation
Pages: 188
https://www.jstor.org/stable/10.7249/mg126rc
    Book Description:

    Presents a unique approach to selecting and assembling disparate pieces of information to produce a general understanding of a threat. The Atypical Signal Analysis and Processing schema identifies atypical behavior potentially related to terror activity; puts it into context; generates and tests hypotheses; and focuses analysts' attention on the most significant findings. A supporting conceptual architecture and specific techniques for identifying and analyzing out-of-the-ordinary information are also described.

    eISBN: 978-0-8330-4817-2
    Subjects: Political Science

Table of Contents

  1. Front Matter
    (pp. i-ii)
  2. Preface
    (pp. iii-iv)
  3. The RAND Corporation Quality Assurance Process
    (pp. v-vi)
  4. Table of Contents
    (pp. vii-x)
  5. Figures
    (pp. xi-xii)
  6. Tables
    (pp. xiii-xiv)
  7. Summary
    (pp. xv-xxvi)
  8. Acknowledgments
    (pp. xxvii-xxviii)
  9. Acronyms
    (pp. xxix-xxx)
  10. CHAPTER ONE Introduction
    (pp. 1-26)

    In conducting a post-mortem of the sad events of November 9th, it is important to consider the events and timelines leading up to the incident. By mid-November, the media were clamoring for details on who knew what, what was known when, how the “obvious” signals could have been missed, and how the “dots” could have failed to have been “connected” . . . again. By the middle of December, investigative reporters and official government investigators had disclosed that the following observations had existed in various government databases (federal and local) since the middle of October:

    February 4

    Two dozen tuna...

  11. CHAPTER TWO Data Analyzed in the ASAP Schema
    (pp. 27-34)

    This chapter discusses the types and sources of data likely to be analyzed in an ASAP system. It also discusses what types of data and analysis findings should be declared significant (“truly out of the ordinary”) and worth further investigation.

    Figure 2.1 shows the areas of the ASAP schema on which the chapter focuses—what information about watched entities is considered to be of interest and how that information is captured and represented within ASAP-system databases.

    We have identified seven major types of data entities as having meaning for threat assessment:

    People. Everyone who might be involved in an attack,...

  12. CHAPTER THREE The Atypical Signal Analysis and Processing Architecture
    (pp. 35-64)

    In this chapter, we provide an overview of an architectural design to implement the ASAP schema. We discuss the control structure of the architecture and describe the multiple layers of control that seek to ensure operational performance and, more broadly, allow the architecture to adapt over time. Finally, we compare the roles of analysts and automated software agents within the architecture. Successive chapters examine specific functional components within the architecture.

    As with all major information analysis systems, the scope and complexity of an ASAP system is a vital issue. The size of the system—in terms of both the amount...

  13. CHAPTER FOUR Finding the Dots
    (pp. 65-76)

    This chapter considers techniques for identifying which data objects are dots worth further investigation. Figure 4.1 shows the area of the ASAP schema on which the chapter focuses—the identification of the dots and the initial determination of what actions to take with the newly discovered dots.

    In general, we identify out-of-the-ordinary activities—the dots—by seeing if they meet some set of criteria, or rules. The rules fall into several categories.

    Single-point analysis. These rules apply to single data elements. For example, a rule might be to identify individual funds transactions greater than $10,000. (Continuing the discussion of data...

  14. CHAPTER FIVE Connecting the Dots
    (pp. 77-82)

    This chapter considers techniques for identifying links between the dots and other, related data previously overlooked. Figure 5.1 shows the area of the ASAP schema on which the chapter focuses—the discovery of relationships that provide additional context to the dots.

    Connecting the dots is the purview of linking agents in the ASAP architecture. The linking agents would find two types of connections: similarity connections and complementary connections.

    Similarity connections link information elements that describe multiple occurrences of identical (or nearly identical) phenomena. In Figure 5.2, the fact that the three people are each helping to plan the same attack...

  15. CHAPTER SIX Understanding the Dots: Generating and Testing Hypotheses
    (pp. 83-96)

    This chapter considers techniques for understanding the significance of the connected dots by generating and testing hypotheses about them. Figure 6.1 shows the area of the ASAP schema on which the chapter focuses—the discovery of relationships that provide additional context to the dots.

    Once dots have been identified and linked, the next step is to come up with some indication of the significance of the linked dots. This would be done via hypothesis agents that match the dots to patterns; dots matching the pattern are a pattern instance. In the context of this monograph, we define pattern and pattern...

  16. CHAPTER SEVEN Conclusion
    (pp. 97-102)

    In this monograph, we have specified a conceptual architecture that identifies, links, and attempts to make useful sense from out-of-the-ordinary information potentially related to terrorist activities. We have specified the major elements and processes of the architecture and discussed the major techniques that would be used to carry out its functions. We believe several features of this architecture make it a unique contribution toward improving the analysis of intelligence information:

    The overall structure of the architecture specifically models empirical research into how proactive and successful problem solvers connect the dots to detect and mitigate potential threats.

    Much of the architecture...

  17. APPENDIX A Case Study: “The November 9th Incident”
    (pp. 103-138)
  18. APPENDIX B Systems Related to the ASAP Architecture
    (pp. 139-150)
  19. Bibliography
    (pp. 151-155)