Title: SKYNET: Applying Advanced Cloud-based Behavior Analytics
Description: This NSA presentation from 2012 introduces SKYNET, a tool for detecting patterns in bulk phone metadata: see the Intercept article U.S. Government Designated Prominent Al Jazeera Journalist as “Member of Al Qaeda”, 8 May 2015.
Document: SKYNET: Applying Advanced Cloud-based Behavior Analytics
Presenters
S2I51
R66F
Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20370401
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
UNCLASSIFIED//FOUO
Outline
What is SKYNET?
DEMONSPIT Data Flow
Automated Bulk Cloud Analytics
Analytic Triage
UNCLASSIFIED//FOUO
What is SKYNET?
Collaborative cloud research effort between 5 different
organizations crossing 3 NSA Directorates:
- Signals Intelligence: S2I, S22, SSG
- Research: R6
- Technology: T12, T14
Partnerships
- TMAC/FASTSCOPE
- MIT Lincoln Labs & Harvard
SKYNET applies complex combinations of geospatial,
geotemporal, pattern-of-life, and travel analytics to
bulk DNR data to identify patterns of suspect activity
CTMMC
NSA/CSS Counterterrorism
Mission Management Center
Intelligence Update
Rough outline of courier path as described by the targets
[Map: place labels include Islamabad, Rawalpindi, Faisalabad and Lahore; annotations read "Sunday", "Probably Faisalabad" and "Sunday/Monday"]
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
TOP SECRET//COMINT//ORCON/REL TO USA, AUS, CAN, GBR, NZL
SKYNET Analytic Questions
Who has traveled from Peshawar to Faisalabad or
Lahore (and back) in the past month?
• Who does the traveler call when he arrives?
• Who else is seen in the area when the traveler arrives, and
who is seen leaving the area shortly afterward?
Who travels to/from Peshawar every other Sunday and
"somewhere else" on a weekly basis?
Who visits Akora Khattak periodically and also travels
between Peshawar and Lahore?
Who fits the above travel profiles and also possesses
unusual behavior:
• One or two hops from other suspects or known tasked
selectors
• Frequent handset swapping or powering down
TOP SECRET//COMINT//ORCON/REL TO USA, AUS, CAN, GBR, NZL
DEMONSPIT is a new dataflow for bulk Call Data Records (CDRs) from
Pakistan
- CDRs are being acquired from major PK Telecom providers
Data is normalized through TUSKATTIRE, like all other Call Data Records
DEMONSPIT data is forwarded by TUSKATTIRE to several Clouds:
- GMHalo/DPS
• Promotes records to FASCIA and feeds the SEDB Tower QFD
- GMPlace & Cloud 14
• Ingests DEMONSPIT into Sortinglead summaries to support SKYNET
Analytics
• Ingests DEMONSPIT into a Perishable QFD which will be available to
analysts via JEMA and CINEPLEX
- Bulldozer/MDR2
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
DEMONSPIT
All of the clouds receiving DEMONSPIT data also receive all FASCIA data
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
Analysts’ View of DEMONSPIT
[Diagram: DEMONSPIT data flow as seen by analysts. Labels: TUSKATTIRE; Original CDRs; MAINWAY/SIGNAV; TOWER QFD; ROLLERCOASTER; JEMA; CINEPLEX; SMARTTRACKER; R6; CLOUD 14; CDR Summaries; SORTINGLEAD; FASCIA; Analyst Promoted CDRs; SKYNET & Analyst Promoted CDRs; ASSOCIATION; BANYAN. Access captions: "Access to ALL DEMONSPIT Data"; "Access to CDRs, Analyst Queries, & Results of SKYNET Analytics"; "Access to DEMONSPIT FASCIA Promoted Data"]
SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
What is SKYNET?
DEMONSPIT Data Flow
Automated Bulk Cloud Analytics
Analytic Triage
TOP SECRET//SI//REL TO USA, FVEY
Cloud Analytic
Building Blocks
Travel Patterns
- Travel phrases (Locations visited in given timeframe)
- Regular/repeated visits to locations of interest
• Behavior-Based Analytics
- Low use, incoming calls only
- Excessive SIM or Handset swapping
- Frequent Detach/Power-down
- Courier machine learning models
• Other Enrichments
• Travel on particular days of the week
• Co-travelers
• Similar travel patterns
• Common contacts
• Visits to airports
• Other countries
• Overnight trips
• Permanent move
TOP SECRET//SI//REL TO USA, FVEY
Sample Travel Report
Haqqani Network
[Table: header fragments legible in the scan are "tasked", "selector", "contact", "swapping", "associated", "seed-contacts", "count", "num", "selectors", "other", "visits_regularly", "countries" and "phrase"; legible cell values are "farah AF", "bala_bulk farah", "masow farah", "masow" and "nowbahar"]
TOP SECRET//SI//REL TO USA, FVEY
What Suspicious Selectors Were Seen
Traveling Between Peshawar and Lahore?
[partly illegible] Behavioral Cloud Analytics, Peshawar-Lahore Travel 1-4 NOV 2011
Columns: TRAVEL PHRASE, DOW, MSISDN, IMSI, TASKED CONTACTS, NUM_SELECTOR_SWAPPING, ASSOCIATED_SELECTORS, ACTIVITY_CATEGORIES
torkham AF PK peshawar lahore FRI 2
PK peshawar lahore THU
behsud AF jalalabad jalal_abad jalalabad behsud rodat bati_kot mohmand_darah peshawar PK WED 4 7
gtrd PK nowshera gulbahar peshawar sanda_kalan lahore THU
jamrud PK peshawar lahore TUE 1 10
PK peshawar lahore THU 5-or-fewer-contacts, sms-and-zero-duration-calls-only, low-use
TOP SECRET//SI//REL TO USA, FVEY
UNCLASSIFIED//FOUO
Outline
What is SKYNET?
DEMONSPIT Data Flow
Automated Bulk Cloud Analytics
Analytic triage
- SMARTTRACKER
- RT-RG
- JEMA
UNCLASSIFIED//FOUO
[Figure: legend labels read "(tasked)", "IMSIs" and "Handsets"]
TOP SECRET//SI//REL TO USA, FVEY
Selectors of Interest
from Cloud Travel Analytic
[Map: annotations of the form "Location: UCell_ID" with timestamps between 11/14/2011 02:19:16 and 11/23/2011 14:23:55; one legible cell ID reads 410.006.00403.20393; a marker label reads "... KHATTAK SUSPECT TERRORIST FACILITY 001", followed by the coordinates 31°29'2.7713" N, 75°13'45.1982" E]
TOP SECRET//SI//REL TO USA, FVEY
SMARTTRACKER Travel View
31 October - 23 November
Examine travel patterns for common routes and
meeting locations
- Run cell soaks on all common meeting locations
during meeting timeframe
Analyze selectors for common contacts
Analyze selectors for handset sharing behavior
Repeat procedure with resulting selectors
Correlate with other known and suspected selectors
TOP SECRET//SI//REL TO USA, FVEY
[Screenshot of a report; legible fragments: "SMART", "Sets with 3 targets", "...nce Report", and a repeated "Select" control]
Who
Coincidence Count
1 at 1 location
101 at 16 locations
91 at 20 locations
39 at 24 locations
37 at 12 locations
33 at 12 locations
31 at 12 locations
24 at 11 locations
1 at 1 location
1 at 1 location
1 at 1 location
TOP SECRET//SI//REL TO USA, FVEY
RT-RG Analytics
Meetings - who is at the same ucellid at the
same time as the potential courier at the
destination city?...Multiple times.
Sidekicks - is there a pair traveling together to the
destination city?
TOP SECRET//SI//REL TO USA, FVEY
JEMA: Pulling It All Together
AOI
Movement
Irregularity
Destination Cities
Start/end points
AOIs
Dates
Travel Reports
Human in the loop
to analyze travel
reports.
Meetings
Evaluate,
add value,
prioritize
Are selectors seen meeting at
destination consistently?
Sidekicks
Does Sidekick selector have
call events?
SKYNET WIKI
https:/,
THANK YOU!
Document Date: 2012-01-01
Release Date: 2015-05-08
Link: https://freesnowden.is/2015/05/15/skynet-applying-advanced-cloud-based-behavior-analytics/
Document Path: https://edwardsnowden.com/wp-content/uploads/2015/05/skynet-applying-advanced-cloud-based-behavior.pdf