Two big ideas in counterterrorism
The following two ideas are driving our work in counterterrorism (and related areas such as fraud and organizational malfeasance). The two are related, since both arise from the difficulty humans have in doing something unnatural in a natural way.
However, if a simple detection scheme is deployed, those who are aware that they are being looked for are much more likely to respond by changing in some way; and these changes differentiate them from innocent people.
This suggests that a good strategy for identifying terrorists or terrorist actions is to deploy, with much fanfare, a simple assessment system; and then deploy a more sophisticated system whose main purpose is to look for the signature of reaction to the simple, overt system.
This idea has been well understood in law enforcement for many years. For example, customs officers are trained that ordinary people to whom some pressure is applied get angry quite quickly. In contrast, smugglers tend either not to get angry (thinking that it draws attention to themselves) or to get angry at the wrong speed. The beauty of it is that it can't be reverse engineered. Even knowing this, a smuggler still doesn't know how quickly to get angry.
We have shown, for example, that when messages are checked against a list of keywords, the attempt to avoid using these keywords tends to create a detectable signature in messages.
Much work with text has been concerned with the content, for example emphasising the nouns that are used. Recent work has shown that humans leak strong indicators of their mental and emotional state into the text they create in more subtle ways, for example by characteristic patterns in the way they use other words, such as pronouns and verbs.
We have shown how a model of deception based on this idea works when applied to the large set of emails collected from the Enron Corporation in the three and a half years leading to the collapse of the company. We are refining such models to detect text (messages) that might be of interest for other reasons as well.
Approaches to counterterrorism that look for particular patterns seem doomed to failure in the long run, since not every pattern can be anticipated, and terrorists can evade patterns they can imagine. In contrast, our approach is always to rank objects (messages, travel patterns) by interestingness or anomaly within the dataset in which they occur. This enables typical objects to be ignored, so that resources can be spent on objects likely to be of interest.
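
As an added illustration (not the authors' model or code), the sketch below ranks messages by how unusual their use of pronouns and auxiliary verbs is relative to the other messages in the same dataset, rather than matching a fixed pattern. The word lists, the z-score distance and the sample messages are all constructed assumptions.

```python
import math
import re
from statistics import mean, pstdev

# Constructed word categories (assumptions, not the authors' feature set).
CATEGORIES = {
    "first_person": {"i", "me", "my", "we", "our", "us"},
    "other_pronoun": {"he", "she", "they", "them", "his", "her", "their", "you", "it"},
    "aux_verb": {"is", "are", "was", "were", "have", "has", "will", "would", "can", "could"},
}

def features(text):
    """Rate of each word category per token; content words (nouns) are ignored."""
    tokens = re.findall(r"[a-z']+", text.lower())
    n = len(tokens) or 1  # avoid division by zero on an empty message
    return [sum(t in words for t in tokens) / n for words in CATEGORIES.values()]

def rank_by_anomaly(messages):
    """Return (score, index) pairs, most anomalous first.

    Every feature is standardized against this dataset only, so a message is
    scored by its distance from what is typical here, not by a preset rule.
    """
    rows = [features(m) for m in messages]
    cols = list(zip(*rows))
    mu = [mean(c) for c in cols]
    sd = [pstdev(c) for c in cols]
    scored = []
    for i, row in enumerate(rows):
        # A feature with no variation in the dataset carries no information.
        z = [(x - m) / s if s > 0 else 0.0 for x, m, s in zip(row, mu, sd)]
        scored.append((math.sqrt(sum(v * v for v in z)), i))
    return sorted(scored, key=lambda p: (-p[0], p[1]))

# Constructed sample messages for the demonstration.
MESSAGES = [
    "I will send my report to you on Friday",
    "We have our meeting on Monday and I can bring the slides",
    "I was late so my team would start without me",
    "Can you check whether our invoice was paid",
    "They said their people moved it and they told them nothing",
    "I have my notes and we will review them",
]

if __name__ == "__main__":
    for score, idx in rank_by_anomaly(MESSAGES):
        print(f"{score:5.2f}  {MESSAGES[idx]}")
```

Only the top of the ranking would be passed to an analyst; the typical messages at the bottom are ignored.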