Recognition of Coordinated Adversarial Behaviors from Multi-Source Information

Georgiy M. Levchuk (a,*), Djuana Lea (b), Krishna R. Pattipati (c)

(a) Aptima Inc., 12 Gill Street, Suite 1400, Woburn, MA 01801
(b) Sensors Directorate, Air Force Research Laboratory
(c) Electrical and Computer Engineering Department, University of Connecticut, Storrs, CT 06269

ABSTRACT

To successfully predict the actions of an adversary and develop effective counteractions, knowledge of the enemy’s mission and organization is needed. In this paper, we present new models and algorithms to identify behaviors of adversaries based on probabilistic inference of two main signatures of behavior: plans (what the enemy wants to do) and organizations (how the enemy is organized and who is responsible for what). The technology allows extraction, classification, and temporal tracking of behavior signatures using multi-source data, and prescribes intelligence collection plans to reduce the ambiguity in current predictions.

Keywords: Behavior signatures, network recognition, adversarial analysis

1. INTRODUCTION: PATTERNS IN ADVERSARIAL BEHAVIOR

A drug cartel offloads its cargo from a merchant ship to an unoccupied warehouse in Boston. A gun running organization makes a large transaction at an old farmhouse in a sparsely populated area in Georgia. An insurgent organization manufactures IEDs in a small house in northeastern Iraq. Each of these operations has its own “hidden” mission and organization, in which hostile actors perform their roles, interact and execute coordinated activities. Each activity must be conducted in some concrete geophysical location by some physical actor(s) – organizations, groups, individuals – but the mission must stay invisible for the operations to succeed. Many of these activities, if considered in isolation, look normal. It is often the specific patterns of these activities that constitute a threat. Behavior patterns exist all around us.
The challenge is that hostile activities are often masked among the myriads of normal patterns, with normal and hostile behaviors embedded in a single environment.

Crime modus operandi reconstruction [14] and behavior signature analysis [36] are two key phases in criminal profiling. The concept of modus operandi is used in law enforcement to define a characteristic method of committing a crime, while behavior signature is used to describe actions that a particular offender may perform to satisfy his/her psychological needs in committing the crime. In other words, the same modus operandi can be used by criminals with significantly different socio- and psychological characteristics, who then would exhibit different behavior signatures. The behavior signature cannot be defined as a unique set of committed actions due to the uncertainty in the behavior of the same individual. Neither can the behavior signature be defined as a specific sequence of observed actions, as the uncertainty of individual behavior is compounded in the observation space by the ambiguity in the information available to investigators due to missing data, intentionally deceptive signals, and irrelevant information. Instead, the way a crime is committed and the concomitant behavior signatures must be represented as models that can generalize and generate different instances of adversarial behavior.

Analysis of the behavior of hostile and non-hostile organizations, ranging from the structured command systems of a conventional military to the decentralized and elusive insurgent and terrorist groups, suggests that a strong relationship exists between the structure, resources, and objectives of those organizations and the resulting actions [18]. The organizations conduct their missions by accomplishing tasks which may leave detectable clues (observable events) in the information space.
The dynamic evolution of these events creates patterns of the potential realization of organizational activities and may be related, linked, and tracked over time [30,33]. Efficient organization, careful planning of activities

* georgiy@aptima.com; phone 781-935-3966x267; fax 781-935-4385; www.aptima.com