Criminal Network Analysis

1
Criminal Network Analysis

• Jennifer Xu
• Artificial Intelligence Lab
• The University of Arizona
• August 23, 2002

2
Outline

• Introduction
• Review of Existing Criminal Network Analysis
  tools
• Research Questions
• The Proposed Approach
• Demo
• Questions Comments

3
IntroductionA Terrorist Network
4
Introduction (contd)

• Netwar a new war against terrorists
• Why study terrorist and criminal networks?
• Terrorists or criminals do not operate in a
  vacuum, but form groups or teams to make offenses
  possible
• Oftentimes, study of the overall structure of a
  criminal network can reveal valuable information
  that cannot otherwise be acquired from
  investigations targeting on specific individuals
• Network analysis may carry important implications
  to crime investigations and shape law enforcement
  efforts

5
Terrorist/Criminal Networks

• A network consists of
• Nodespersons, locations, organizations,
  vehicles, weapons
• Links (associations)kinship, friendship,
  religion, membership, business associates
• Network members may play different rolesring
  leaders, gatekeepers, guards, outliers
• Associations between these members are
  indispensable for network operations and to keep
  information, commands, and goods flowing smoothly

6
Criminal Network Analysis

• Terrorist network analysis is a subset of
  criminal network analysis
• Criminal network analysis is aimed at studying a
  networks
• Structure (patterns of interaction/association)
• Organization
• Information flow
• Individual roles
• It can be applied to the investigation of such
  organized crimes as terrorism, narcotics
  trafficking, fraud, gang, armed robbery, etc.

7

• Introduction
• Review of Existing Criminal Network Analysis
  tools
• Three generations
• Assessment
• Research Questions
• The Proposed Approach
• Demo
• Questions Comments

8
Existing Criminal Network Analysis Tools

• First generationmanual approach
• Anacapa Chart (Harper Harris, 1975)
• Second generationgraphics-based approach
• Analysts Notebook, Napmap, Watson
• Hyperbolic tree view, network view
• Third generationstructural analysis approach

9
Anacapa Chart (1st generation)

• Manually extracting criminal associations from
  data files
• Constructing an association matrix
• Drawing a link chart based on the association
  matrix

10
Anacapa Chart (contd)
11
Analysts Notebook, Netmap, Watson (2nd
generation)
Used by many law enforcement agencies
Used by the FinCEN system to detect money
laundering
12
Hyperbolic Tree View (2nd generation)
Hyperbolic tree view of search results
Hierarchical view of search results
Expand a tree node
Adjust the tree size
Start with one or multiple search terms
Multiple entity types
13
Network View (2nd generation)
Initial Network layout. Different icons
represent different entity types
Use filtering function to filter out unwanted
entity types
Textual labels for person names and addresses
Node positions are automatically adjusted.
Central nodes are placed in the center
Incident report number
14
Assessment of Existing Tools

• Modest level of sophistication
• Manual contruction of networks An investigator
  has to manually create links or associations by
  searching in databases to construct a network
• Visualization Most tools can automatically
  render a network in a two-dimensional display
• Lack of analytical functionality It depends on
  the investigator to examine the picture of a
  network and make inferences. If the network is
  drawn differently, it may result in different
  conclusions

15
A third-generation CNA tool should be able to

• Automatically construct a network of criminals
  based on criminal-justice data from databases
• Provide analytical functions to answer questions
  like
• Who is central in a network?
• What are the different roles in the network?
• Which individuals should be removed to disrupt
  the network?
• What subgroups exist in the network?
• How are these subgroups related to one another?

16

• Introduction
• Review of Existing Criminal Network Analysis
  tools
• Research Questions
• The Proposed Approach
• Demo
• Questions Comments

17
Research Questions

• Propose a third-generation criminal network
  analysis approach that can automatically
• Perform structural analysis
• Visualize the network
• Evaluate the approach in terms of its
  effectiveness, efficiency, and usefulness

18
Network Construction

• Automatic, does not require manual search in
  databases to create a network
• Method concept space approach (Chen Lynch,
  1991)
• Two individuals are assumed to be related if
  their names occur in the same incident report (or
  share the same address, phone number, etc.)
• The strength of the relationship between two
  individuals is obtained by calculating how
  frequently they occur together
• The same approach used by COPLINK Detect
• Data other than incident reports can also be used
  such as phone records, financial transactions

19
Analytical Functionality

• Social Network Analysis (SNA)
• was designed to discover patterns of
  relationships among social actors
• has been recognized as a promising technology for
  criminal network analysis (Sparrow, 1991
  McAndrew, 1991 Klerks, 2001)
• has been applied to evidence mapping in both
  fraud and criminal conspiracy cases (Baker
  Faulkner, 1993 Krebs, 2001)
• SNA is capable of
• Detecting subgroups in a network
• Discovering the overall structure of a network or
  patterns of interactions between subgroups
• Identifying central members in a group
• Visualizing a network

20
Subgroup Detection

• Partitioning a complex network into smaller
  subgroups based on structural equivalence of
  network nodes
• Methodhierarchical clustering (Burt, 1976)
• Members within a group are similar to one another
• Members from different groups are less similar

21
Discovery of Interaction Patterns (Network
Structure)

• Summarizing individual interaction details into
  interactions between groups
• MethodBlockmodeling
• Determining whether two groups have frequent
  interactions (strong relationships)
• The overall structural of the network becomes
  more salient

22
Special Network Structures
Chain/Hierarchy
Star
Vulnerability the network can be disrupted by
breaking the chain
Vulnerability the network can be disrupted by
removing the leader
Island
Clique
Vulnerability the network can be disrupted if
one member is captured or compromised
23
Central Member Identification

• Identifying leaders, gatekeeper, and outliers in
  a group
• Methodcentrality measures
• Degree the number of direct links a node
  has?leadership
• Betweennesthe number of geodesics (shortest
  paths between any two nodes) passing through the
  node? gatekeeper
• Closeness the sum of all the geodesics between
  the particular node and every other node in the
  network ? outlier

24
Central Member Identification (contd)
Leader
Outlier
Gate Keepers
25
An example
Central members? Subgroups? Group interactions?
26
An exampleSubgroups and central members
Leader
Group 1
Group 3
Gate Keeper
Group 2
27
An examplenetwork structure (pattern of
interaction)
28
Network Visualization

• Automatically rendering a network on a
  two-dimensional display
• MethodMultidimensional Scaling (MDS)
• Automatically arranging nodes based on their
  association strengths
• The stronger the association between two nodes or
  two groups, the closer they appear on the
  display the weaker the association, the farther
  apart

29
Implications

• Network analysis can help find vulnerable points
  of a network where disruptive strategies can take
  effect
• Network analysis can help find structural holes
  in a criminal network
• A structural hole is an empty area in a network
  that is void of nodes and links
• It may imply either incomplete information about
  the network or conflicts among the surrounding
  network nodes
• Blockmodeling can easily detect structural holes

30
Implications (contd)

• The knowledge gained from network analysis may
  help law enforcement agencies fight crime
  proactively
• allocating appropriate amount of police efforts
  to prevent a crime from taking place
• ensuring a police presence when the crime is
  carried out
• New structures discovered may shift our
  conventional views of certain crimes
• Many criminal networks do not have the
  traditional hierarchical structure, they are more
  fluid and flattened

31

• Introduction
• Review of Existing Criminal Network Analysis
  tools
• Research Objectives
• The Proposed Approach
• Demo (Screenshots)
• Questions Comments

32
Demo

• Data Sets
• TPD criminal-justice data about narcotics and
  gangs (scrubbed)
• Time period
• Narcotics 2000-present
• Gangs 1995-present
• Size
• Narcotics 12, 842 individuals
• Gangs 4376 individuals
• All network nodes are individual criminals
• Two criminals are assumed to be related if they
  appear in the same crime incident

33
Major System Functions

• Structural Analysis
• Blockmodeling grouping individuals and showing
  inter-group relations
• Centrality measure identify individuals
  structural roles as leader, gatekeeper, or
  outlier
• Visualization
• Display the network for narcotics criminals and
  gang members respectively
• Rearrange the network layout by drag-and-drop
• Zoom in to visualize relations when they are too
  cluttered
• Reduce network complexity by selecting levels of
  blockmodeling
• Show group members rankings of their structural
  roles
• Visualize group inner structure

34
(No Transcript)
35
(No Transcript)
36
The narcotic network example
37
The gang network example
38
Questions Comments?