4. General Operation

The KOJAK Group Finder is really a "group expander', i.e., given one or more seed groups of interest, it finds entities strongly connected to known members of those seed groups by analyzing available link information such as, for example, communication logs (phone, email, etc.), financial transactions, etc. As a result it returns those additional entities that are most strongly connected to seed groups ranked by strength of their connection. For example, if in a terrorist domain we have a seed group of known terrorists, the Group Finder will return people that are very strongly connected to those terrorists based on the available link information. The assumption is that such strongly connected people might be additional (as yet unknown) terrorists or "bad guys" themselves. The result of the analysis is reported as a set of ranked lists (one per group) that is thresholded according to a number of user-supplied configuration parameters.

Larger seed groups (10-100 entities) usually work better than smaller seed groups (1-10 entities), since they provide more connections and a better overall signature. However, small seed groups (single persons in the extreme) can also be analyzed by following their connections to larger depth.

The Group Finder finder uses a logic-based model to combine fragmented evidence to generate the largest possible seed groups from the available information. Those seed hypotheses are then fed into a statistical mutual information model that grows a link graph around the seeds and then ranks the connection strength of those new entities found in the extended graph. Besides the mutual information model, simpler statistical methods such as link counting and connectivity are available as well. Once the mutual information model is done with its analysis, the extended group hypotheses can be deposited back into the KOJAK database and/or output to a file using a variety of report formats.