TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL?M1 h e SKYNET: Applying Advanced,bfl mm p* iii^bm I IV flhsmp DA U 0 ' a.. *: wm : ^MMMIMWai» 11 by S2I, R6, T12, T14, - Presenters: pres, S2I51, R66F T: J.f-fc V..-. TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL..V ivv I" ". Zi v*r ' ' -. -. : ff/if^. ' QeWttfftorii: NSA/CSSM 1-52 1» M l. Dated: 20070108 Wh \Z Declassify Oh: 20370401 /
UNCLASSIFIED//FOUO Outline What is SKYNET? DEMONSPIT Data Flow Automated Bulk Cloud Analytics Analytic Triage UNCLASSIFI : EÖ//F.OÜO
Collaborative cloud research effort between 5 different organizations crossing 3 NSA Directorates: - Signals Intelligence: S2I, S22, SSG - Research: R6 - Technology: T12, T14 Partnerships - TMAC/FASTSCOPE - MIT Lincoln Labs & Harvard SKYNET applies complex combinations of geospatial, geotemporal, pattern-of-life, and travel analytics to bulk DNR data to identify patterns of suspect activity
CTMMC T0PSEdî N S A/CSS Counterterrorism Mission Management Center Bag hi in ' Mtfiaud-E Etacfl P -van C hank or I.twJ.i Sh ata > O Kabul \ f.v»h nr Lam Tuesday/Friday Asad bad Peshawar Rough outline of courier path as described by the targets Snn ag ar : Gardez Id am it> ad» Rawalpindi Sunday Waziristan s Courier/ Probably Faisalabad F a sal abad Lahore U Sunday/Monday Cimi TOP SECRET//COMINT//REL TO USA/AUS, CAN, GBR, NZL
TOP SECRET//COMINT//ORCON/REL- TO USA, AUS, CAN, GBR. NZl. SKYNET Analytic Questions Who has traveled from Peshawar to Faisalabad or Lahore (and back) in the past month? Who does the traveler call when he arrives? Who else is seen in the area when the traveler arrives, and who seen leaving the area shortly afterward? Who travels to/from Peshawar every other Sunday and "somewhere else" on a weekly basis? Who visits Akora Khattak periodically and also travels between Peshawar and Lahore? Who fits the above travel profiles and also possesses unusual behavior: One or two hops from other suspects or known tasked selectors Frequent handset swapping or powering down
TOP SECRET//COMINT//REL TO USA. A4JS. CAN. GBR. ISJZll ' «s U DEMONSPIT DEMONSPIT is a new dataflow for bulk Call Data Records (CDRs) from Pakistan - CDRs are being acquired from major PK Telecom providers Data is normalized through TUSKATTIRE, like all other Call Data Records DEMONSPIT data is forwarded by TUSKATTIRE to several Clouds: - GMHalo/DPS Promotes records to FASCIA and feeds the SEDB Tower QFD - GMPIace& Cloud 14 Ingests DEMONSPIT into Sortinglead summaries to support SKYNET Analytics Ingests DEMONSPIT into a Perishable QFD which will be available to analysts via JEMA and CINEPLEX - Bulldozer/MDR2 All of the clouds receiving DEMONSPIT data also receive all FASCIA data TOP SECRET//COMINT//REL TO USA, AUS, ; CAN, GBR,,N.Z,L
SECRET//C0M1NT//REL TO USA, AUS, CAN, GBR; NZL Analysts' View of DEMONSPIT TUSKATTIRE Original wcdrs Access to ALL DEMONSPIT Data TOWER QFD ROLLERCOASTER Original fccdrs JEMA MAINWAY/SIGNAV CINEPLEX Access to CDRs, Analyst Queries, & Results of SKYNET Analytics CDR Summaries SMARTTRACKER SO RUN G LEAD Analyst Promoted CDRs Access to DEMONSPIT FASCIA Promoted Data FASCIA ASSOCIATION BANYAN SKYNET & Analyst Promoted CDRs SECRET//COMINT//REL TO USA, AUS, : CÄN, GBR; NZU
UNCLASSIFIED//FOUO Outline What is SKYNET? DEMONSPIT Data Flow Automated Bulk Cloud Analytics Analytic Triage UNCLASSIFI : EÖ//F.OÜO
TOP SECRET//SI//REL TO USA, FVEY Cloud Analytic Building Blocks Travel Patterns - Travel phrases (Locations visited in given timeframe) - Regular/repeated visits to locations of interest Behavior-Based Analytics - Low use, incoming calls only - Excessive SIM or Handset swapping - Frequent Detach/Power-down - Courier machine learning models Other Enrichments Travel on particular days of the week Co-travelers Similar travel patterns Common contacts Visits to airports Other countries Overnight trips Permanent move TOP SECRET//SI//REL TO USA; FVEY
TOP SECRET//SI//REL TO USA, FVEY Sample Travel Report: Haqqani Network tasked- selector^ contact- swapping associated^ other_ seed-contacts count _num selectors visits_regularly countries phrase 3 lashkargah_city nowbahar IR helmand kandaharaf PK fa rah AF bala_bulk farah masow farah masow nowbahar masow 3 BA AE ghazni AF sharan urgon AF khost_airport kajir_kalay - m JF TOP SECRET//SI//REL TO USA; FVEY
TOP SECRET//SI//REL TO USA, FYEY. * *. * ' What Suspicious Selectors Were Seen Traveling Between Peshawar and Lahore? J VJ SoecifmBehavioral Cloud Analytics Peshawar-Lahore Travel 1-4 NOV 2011 ì J TASKED NUM_SELECTOR ASSOCIATED, ACTIVITY, TRAVEL PHRASE DOW MSISDN IMSI CONTACTS.SWAPPING SELECTORS CATEGORIES torkham AF PK peshawar lahore FRI 2 PK peshawar lahore THU behsud AF jalalabad jalal_abad jalalabad behsud rodat bati_kot mohmand_darah peshawar PK WED 4 7 gtrd PK nowshera gulbahar peshawar sanda kalan lahore THU jamrud PK peshawar lahore TUE 10 PK peshawar lahore THU TOP SECRET//SI//REL JO USA; FVEY. \ ; 5-or-f ewercontacts, smsand-zeroduration-callsonly, low-use
UNCLASSIFIED//FOUO Outline What isskynet? DEMONSPIT Data Flow Automated Bulk Cloud Analytics Analytic triage -SMARTTRACKER - RT-RG -JEMA UNCLASSIFIED//F.OÜO
TOP SECRET//SI//REL TO USA, FVEY Selectors of Interest from Cloud Travel Analytic (tasked) IMSIs: Handsets. I V. M'HAäS TOP SECRET//SI//REL TO USA: FVEY
TOP SECRET//SI//REL TO USA, FVEY. SMARTTRACKER Travel View 31 October - 23 November * Location: UCell JDl (11/14/2011 04:27:47) * Location: UCefl ID 1/70/7011 17:59:04) «fta KHATTAk SUSPECT TERRORIST FACILITY 001 (11/20/201112:59:04) * Location: UCell ID] (11/14/201102:19:16) Location: UCellJD 410.006.00403.20393 (11/23/201114:23:55) (11/21/201114:55:37) Location: UCell '11/20 2011 18:34:15) (11/20/2011 19:34:15) 31 '292.7713" N. 75*13'45.1982* E
TOP SECRET//SI//REL TO USA, FVEY. Examine travel patterns for common routes and meeting locations - Run cell soaks on all common meeting locations during meeting timeframe Analyze selectors for common contacts Analyze selectors for handset sharing behavior Repeat procedure with resulting selectors Correlate with other known and suspected selectors r TOP SECRET//SI//REL TO USA; FVEY:
TOP SECRET//SI//REL TO USA, FVEY. SMARTTRACKER Coincidence Report W+ Si Sets with 2 targets ' ' ' '* i Select Select 31 at 12 locations 24 at 11 locations Af.ft.r. t Select 1 at 1 location Select 1 at 1 location Select 1 at 1 location u
^ 77 TOP SECRET//SI//REL TO USA, FVEY RT-RG Analytics mm m ^awiwffà am Meetings - who is at the same ucellid at the same time as the potential courier at the destination city?...multiple times. Sidekicks - is there a pair traveling together to the destination city? TOP SECRET//SI//REL TO USA; FVEY
TOP SECRET//SI//REL TO USA, F VE Y '' : / JEM A: Pulling It All Together sfcçug/tp Start/end points Dates Destination Cities Movement Irregularity Travel Reports Human in the loop to analyze travel reports. Evaluate, add value, prioritize Meetings Are selectors seen meeting at destination consistently? 10 Sidekicks Does Sidekick selector have call events?