3.2 What Can Link Analysis Do?

3.2 What Can Link Analysis Do?

Link analysis can be used to expose the underlying patterns and behaviors pertaining to national security and homeland defense related to such areas as terrorism and narcotics trafficking. The intelligence community can use link analysis to sift through vast amounts of data looking for connections, relationships, and critical links among their suspected targets. In the private sector, link analysis can be used to monitor online and offline transactions by fraud specialists. Link analysis is but the first data mining technique used to assist investigators and analysts in investigating such areas as money laundering, narcotic trafficking, and terrorism. Link analysis is already used to detect fraud by specialists in the insurance and telecom industries, as well as in the area of e-commerce.

Intelligence analysts and criminal investigators must often correlate enormous amounts of data about entities in fraudulent, political, terrorist, narcotics, and other criminal organizations and is a critical first step in the visualization of the data. This is accomplished by organizing it in a cohesive manner, in terms of relationships between people and organizations under investigation. One of the challenging aspects, unique to the intelligence community, is discovering patterns derived from nontraditional data sources ranging from free-text documents and message intercepts to video clips and audio streams. The data mining systems typically used by the intelligence community are comprehensive and extremely specialized, customized for their unique needs. In these situations, link analysis is but one component and technique used by these intelligence analysts.

3.3 What Is Link Analysis?

Link analysis is a data mining technique that reveals the structure and content of a body of information by representing it as a set of interconnected, linked objects or entities. Often link analysis allows an investigator to identify association patterns, new emerging groups, and connections between suspects. Through the visualization of these entities and links, an investigator can gain an understanding of the strength of relationships and the frequency of contacts and discover new hidden associations. For this reason, link analysis is typically used by criminal investigators in such fields as fraud detection and money laundering, as well as by intelligence analysts in the study of terrorist networks. Link analysis is the first level of data mining. It is a manual interactive technique for forming and examining a visual network of relationships (see Figure 3.1).

click to expand
Figure 3.1: A financial link analysis network.

Link analysis begins with data that can be represented as a network and attempts to infer useful knowledge from the nodes and links of that network from which an investigator or analyst can discover associations. Many of the current link analysis tools are highly specialized, interactive graphical software—with some having the capability of incorporating multimedia and some interactive what-if scenarios. While these visual-link networks have proven useful to investigators, their manual construction has proven difficult when it involves hundred of thousands of transactions.

Linkage data is typically modeled as a graph with nodes representing suspects of interest to the analyst and the links representing relationships or transactions. Examples might be a collection of telephone toll data with phone numbers, times of calls, and durations of calls subpoenaed for a criminal investigation; a collection of cash transactions to and from certain domestic and foreign bank accounts; a collection of sightings of individuals' meetings and their addresses, trips to foreign countries, points of entry, wire transfers, schools or churches attended, Web sites visited, and other related commercial or social interactions. The events can be a few meetings or conversations or a large number of toll calls or bank deposits or withdrawals. However, if the observations are very voluminous, the value of link analysis will begin to deteriorate.