Investigative Data Mining for Security and Criminal Detection

1.13 Profiling via Pattern Recognition

Profiles constructed by criminologists, clinical psychologists, and other investigators are typically drawn from samples of behaviors, motives, and similar methods of operation. This type of profiling is deductive by nature and is based on work experiences and evidence an investigator assembles and examines to arrive at a conclusion. It is a top-down form of generalization, from samples to a profile of a potential suspect. Similar to the way an expert system works, the investigators follow a set of rules to arrive at an inference or conclusion about a particular case. For example, the case data collected by FBI profilers is passed down over time based on investigative experience by the agents and applied to new investigations. This type of profiling may be based on personal human experience and the insight and collective knowledge of seasoned investigators rather than empirical data.

The noted author, forensic scientist, and criminal profiler Brent Turvey offers this definition of the deductive method of criminal profiling: "A deductive criminal profile is a set of offender characteristics that are reasoned from the convergence of physical and behavioral-evidence patterns within a crime or a series of related crimes." Turvey goes on to state that the profile of offender characteristics must be supported by pertinent physical evidence suggestive of behavior, victimology, and crime-scene characteristics.

Turvey emphasizes, "A full forensic analysis must be performed on all available physical evidence before (a deductive) type of profiling can begin." Such is the case with data mining for behavioral profiling; the tools are different, but the methodology is the same. Criminals leave evidence, which may be digital by nature, but it represents patterns of crimes and intent. For example, investigative data miners can examine behavioral evidence found in a system's log files to study and analyze the victim's characteristics, which in this case may be a network, a server, or a Web site.

Profiling is an investigative technique and forensic science with many names and a history of being practiced on many levels for years. Dictionaries and encyclopedias tend to call it offender profiling or criminal profiling. The second most common name for it is psychological criminal profiling, or simply psychological profiling. The FBI approach produced the name criminal personality profiling. Criminologists tend to think of it as a type of applied criminology or clinical criminology. Some people prefer the name sociopsychological profiling, or think of it as a type of behavioral investigative analysis or criminal investigative analysis. The basic components of a criminal profile in some of the literature in this area include the following data features about the suspect:

  1. Probable AGE

  2. Probable SEX

  3. Probable RACE

  4. Probable RESIDENCE

  5. INTELLIGENCE level the suspect is operating at

  6. Probable OCCUPATION

  7. Probable MARITAL STATUS

  8. Probable LIVING ARRANGEMENTS

  9. The PSYCHOSEXUAL MATURITY

  10. Probable TYPE AND CONDITION OF VEHICLE driven

  11. Probable MOTIVATING FACTORS

  12. Probable ARREST RECORD

  13. PROVOCATION FACTORS that might drive the suspect out

  14. INTERROGATION TECHNIQUES that would work best with the suspect

Out of the 14 data components, several can be obtained from demographic databases (1 through 4); intelligence level (5) may be estimated by level of education, also obtainable from demographic data providers; items 6 through 8, as well as item 10, are also available by third-party data providers. So of the 14 data items, commercial data providers can provide approximately 9 items. The arrest records can be obtained from government databases. In the end, 10 data components can be gleaned from commercial and government data sources. This is important because in commercial applications, data mining is often used to profile potential customers using lifestyle information, such as occupation or marital status, to segment product offerings and develop predictive models. Similar applications of data mining models can be made for criminal profiling analyses.

Data mining is also a deductive method of profiling; however, the conclusions or rules are generated from data rather than from a human expert's experience. It is an empirically based approach where conclusion are derived from data analysis using modeling software driven by neural networks or machine-learning algorithms. For example, the following rule may be developed to profile a dummy corporation set up as a front for money laundering:

IF Standard Industry Code Number = 7813 AND Number of Physical Locations < 2 AND Number of employees -50 AND Uniform Commercial Code Number = 0 THEN Legal Entity 32% Questionable Entity 78%

The conditional rules are derived not from an expert who has worked these types of investigations, but are instead driven by observation from samples of hundreds of thousands of cases. Using pattern-recognition technology, coupled with powerful computing power, enables the construction of this type of digital profile. Profiling via data mining looks for emerging patterns in large databases, which can lead to new insight for reducing the probability of crimes. Criminal profiling and victimology is the thorough study and analysis of victim characteristics. The characteristics of an individual offender's victims can lend themselves to inferences about the offender's motive, modus operandi, and signature behavior. Part of victimology is risk assessment, and so it is with data mining, which also seeks to identify the signature behavior of a perpetrator. To do so, it also relies on the need to examine the crime-scene characteristics and the victim to determine a quantifiable risk assessment.

In the end, the ideal profiling method is a hybrid of machine learning and human reasoning, domain experience, and expertise. Some of the most effective techniques for detecting fraud, for example, use the rules derived from trained specialists, coupled with data mining models constructed with pattern-recognition software, such as neural networks. There are some hardwire conditions, which may indicate foul play, such as using a social security number in an application for a credit card with no activity or record, or in Internet fraud, using an e-mail address that is exclusively Web based, such as Hotmail, coupled with a credit card number that doesn't match the billing Zip code. These are hard, fast red flags for detecting potential fraud in e-commerce; however, when coupled with data mining models, the chances of profiling fraudulent transactions will increase. It is in the marriage of humans and machines that the best chance of criminal detection lies.

In criminal profiling the term signature is used to describe behaviors committed by offenders that serve their psychological and emotional needs. A signature can assist investigators in distinguishing offender behaviors and modus operandi. In data mining, however, a signature is used to assign a probability to a crime or to profile a criminal. For example, the following is a signature developed from a data mining analysis using demographics, department of motor vehicle records, and insurance information in which a vehicle at a point-of-entry border crossing is being identified as having a HIGH probability of being used for smuggling:

Condition data fields: DRIVER HOUSEHOLD TYPE is Apt Or Co-op Owner INSURER STATUS is None VEHICLE YEAR is 1988 TITLE OWNERSHIP is Owned VEHICLE PURCHASED is 1994-06-30 VEHICLE MAKE is CHEVROLET DRIVER CITY is El Paso, TX DEMOGRAPHIC NEIGHBORHOD is High Rise Renters Prediction # 1: ALERT is High

Criminal profiling, like data mining, is a matter of expertise. Just as the deductive method of criminal profiling is a skill, requiring some investigative heuristics, so is data mining. The data is the evidence, but some skill is required to extract a model or rules from the raw records. A methodology exists for data extraction, preparation, enhancement, and mining; however, it is a skill not a science. As with deductive profiling, no two criminals are exactly alike, and neither are the profiles or MOs constructed from data mining analyses. Every database is different, and so are the profiles extracted via data mining.

Категории