

ML for Intelligence Predictive Analytics

Predictive analytics in the intelligence community: anomaly detection on transaction networks, link prediction on entity graphs, time-series forecasting for indications-and-warnings, and the IARPA program record. The cost asymmetry between false positives and false negatives shapes every threshold.

Advanced | Tier 3 | Current | ~15 min

Why This Matters

Intelligence analysts operate under a brutal evaluation regime. A missed warning that lands on the front page is a career-ending event; a false alarm that triggers a costly response is also a career event, just slower. ML systems built for this domain do not get to optimize a single accuracy number. They are scored against a loss function that weights false negatives and false positives differently, and the operating point on the ROC curve is a policy choice, not a hyperparameter.

The corpus is also unusual. Labels are scarce, late, and contested. The positive class is rare by construction (most transactions are not suspicious; most days do not contain coups). Adversaries adapt to whatever the detector learns. These properties push practical work toward unsupervised anomaly detection, graph-structured priors, and forecasting models that produce calibrated probabilities rather than point predictions.

Core Methods

Anomaly detection on transaction networks. Counter-illicit-finance and counter-proliferation work treats transactions as edges in a typed multigraph (accounts, entities, jurisdictions, instruments). Methods range from classical isolation forests and one-class SVMs to graph autoencoders that score edges by reconstruction error, and to community-detection-based approaches that flag accounts whose neighborhoods change suddenly. The operational target is a short ranked list a human analyst can review, not a binary label on every record.
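A minimal version of the neighbourhood-change idea, added here as an illustration rather than code from the page or from any of the cited systems: each account's counterparty set is compared across two time windows, the Jaccard overlap measures how far the neighbourhood moved, and the output is the short ranked list the text describes instead of a label on every record. The transactions, account names, window length and the minimum-size cutoff are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample edges: (sender, receiver, week). Not real transaction data.
TRANSACTIONS = [
    # week 1: two stable clusters, {A, B, C} and {D, E, F}
    ("A", "B", 1), ("A", "C", 1), ("B", "C", 1),
    ("D", "E", 1), ("D", "F", 1), ("E", "F", 1),
    # week 2: A, B, C unchanged; D abandons its cluster for three new counterparties
    ("A", "B", 2), ("A", "C", 2), ("B", "C", 2),
    ("D", "X", 2), ("D", "Y", 2), ("D", "Z", 2), ("E", "F", 2),
]


def neighbourhoods(transactions):
    """window -> account -> set of counterparties (direction ignored)."""
    nb = defaultdict(lambda: defaultdict(set))
    for sender, receiver, week in transactions:
        nb[week][sender].add(receiver)
        nb[week][receiver].add(sender)
    return nb


def jaccard(a, b):
    """Overlap of two counterparty sets; 1.0 means identical, 0.0 means disjoint."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def neighbourhood_change_scores(transactions, prev_window, cur_window, min_size=2):
    """Score every account active in both windows by how much its counterparty
    set changed: 1 - Jaccard(previous, current). Accounts whose combined
    counterparty set is smaller than min_size are skipped as too thin to judge
    (min_size is an assumed cutoff)."""
    nb = neighbourhoods(transactions)
    prev, cur = nb[prev_window], nb[cur_window]
    scores = {}
    for acct in prev.keys() & cur.keys():
        if len(prev[acct] | cur[acct]) < min_size:
            continue
        scores[acct] = 1.0 - jaccard(prev[acct], cur[acct])
    return scores


def ranked_review_list(transactions, prev_window, cur_window, k=3):
    """The analyst-facing output: the k accounts with the largest change,
    highest score first, ties broken alphabetically so the list is stable."""
    scores = neighbourhood_change_scores(transactions, prev_window, cur_window)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:k]


if __name__ == "__main__":
    for acct, score in ranked_review_list(TRANSACTIONS, 1, 2):
        print(f"{acct}: {score:.2f}")
```

In the constructed data D scores 1.0 because none of its week-2 counterparties appeared in week 1, while E and F score 0.5 because they only lost D; the unchanged cluster scores 0.0 and never reaches the queue. A production version would add edge weights and volume, but the shape of the output, a bounded list ordered by evidence, is the point.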

Link prediction on entity graphs. Given a knowledge graph of people, organizations, locations, and events, link prediction asks which missing edges are most plausible. Heuristics like Adamic-Adar and preferential attachment remain competitive baselines; embedding methods (DeepWalk, node2vec, GNN-based scoring) help on dense regions where structural features are uninformative. Calibration is the binding constraint: a top-100 list of predicted links is only useful if the analyst can act on the top decile without wading through chaff.
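The two heuristic baselines named above, scored over the non-edges of a small constructed entity graph, as an added example that is not code from the page or from Liben-Nowell and Kleinberg. Adamic-Adar weights each shared neighbour by 1/log(degree), so a rare shared contact counts more than a hub everyone touches; preferential attachment is just the degree product. The graph, the entity names and the person-only candidate filter are assumptions for the example.

```python
import math
from itertools import combinations

# Constructed sample entity graph: people linked to organisations, events and
# locations. Not real data.
EDGES = [
    ("alice", "org1"), ("bob", "org1"), ("carol", "org1"),
    ("alice", "event1"), ("bob", "event1"),
    ("dave", "org2"), ("erin", "org2"),
    ("dave", "loc1"), ("erin", "loc1"), ("frank", "loc1"), ("carol", "loc1"),
]
PEOPLE = {"alice", "bob", "carol", "dave", "erin", "frank"}


def adjacency(edges):
    """Undirected adjacency: node -> set of neighbours."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def adamic_adar(adj, u, v):
    """Shared neighbours weighted by 1/log(degree). Degree-1 neighbours cannot
    be shared, so the log(1) = 0 case never divides by zero, but guard anyway."""
    return sum(1.0 / math.log(len(adj[z])) for z in adj[u] & adj[v] if len(adj[z]) > 1)


def preferential_attachment(adj, u, v):
    """Product of degrees: assumes well-connected nodes keep acquiring links."""
    return len(adj[u]) * len(adj[v])


def people_only(u, v):
    """Candidate filter: only person-person links are of interest here."""
    return u in PEOPLE and v in PEOPLE


def predict_links(edges, scorer, allowed=lambda u, v: True, k=3):
    """Rank the non-edges by scorer and return the top k as (u, v, score).
    Only pairs with a positive score are candidates; ties break alphabetically."""
    adj = adjacency(edges)
    existing = {frozenset(e) for e in edges}
    ranked = []
    for u, v in combinations(sorted(adj), 2):
        if frozenset((u, v)) in existing or not allowed(u, v):
            continue
        score = scorer(adj, u, v)
        if score > 0:
            ranked.append((score, u, v))
    ranked.sort(key=lambda t: (-t[0], t[1], t[2]))
    return [(u, v, round(s, 3)) for s, u, v in ranked[:k]]


if __name__ == "__main__":
    print("Adamic-Adar:", predict_links(EDGES, adamic_adar, people_only))
    print("Pref. attachment:", predict_links(EDGES, preferential_attachment, people_only))
```

On this graph Adamic-Adar separates the candidates cleanly (alice-bob share both an organisation and an event; dave-erin share an organisation and a location), while preferential attachment gives every pair without frank the same score of 4 and cannot order the top of the list at all. That is the calibration failure the text warns about: a ranked list whose top decile is all ties gives the analyst nothing to act on.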

Time-series forecasting for indications-and-warnings. I&W problems include forecasting protests, regime instability, infectious-disease outbreaks, and supply-chain disruptions. Models include classical ARIMA / state-space methods, Gaussian-process regression for irregular sampling, and modern sequence models on multivariate exogenous features. The IARPA Open Source Indicators (OSI) program funded large-scale forecasting from public web signals; its Mercury program targeted multilingual web and social signals; the FUSE program targeted technical emergence forecasting from scientific text. Program announcements and final reports are public on the IARPA site.
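The simplest state-space forecaster in that family, a local-level model run through a Kalman filter, as an added example (not code from the page or from any IARPA program). It shows the property the text keeps returning to: the output is a predictive distribution, so a warning can be expressed as a calibrated probability that next week's count exceeds a threshold, and that probability widens with the forecast horizon. The weekly counts, the noise variances q and r, the starting values and the threshold are all constructed for the example.

```python
import math

# Constructed weekly event counts for one region (not real data): a flat
# stretch, and the same stretch followed by a run-up.
FLAT = [10.0] * 30
RISING = [10.0] * 20 + [12.0, 15.0, 19.0, 24.0, 30.0]


def local_level_filter(series, q=1.0, r=4.0, m0=0.0, p0=100.0):
    """Kalman filter for the local-level model
        y_t  = mu_t + eps_t,      eps_t ~ N(0, r)   (observation noise)
        mu_t = mu_{t-1} + eta_t,  eta_t ~ N(0, q)   (level drift)
    Returns the filtered level mean m and variance p after the last observation.
    q, r and the diffuse start (m0, p0) are assumed known here; in practice
    q and r are estimated from history."""
    m, p = m0, p0
    for y in series:
        p_pred = p + q             # level variance grows by the drift variance
        k = p_pred / (p_pred + r)  # Kalman gain: how much to trust the new observation
        m = m + k * (y - m)        # correct the level toward the observation
        p = (1.0 - k) * p_pred     # posterior variance after the update
    return m, p


def forecast(series, horizon=1, q=1.0, r=4.0):
    """Predictive mean and variance of y_{T+horizon}: the level is flat in
    expectation, while uncertainty grows by q per step plus observation noise."""
    m, p = local_level_filter(series, q, r)
    return m, p + horizon * q + r


def prob_exceeds(series, threshold, horizon=1, q=1.0, r=4.0):
    """Warning probability P(y_{T+h} > threshold) under the Gaussian predictive
    distribution; this is the calibrated number a decision rule thresholds."""
    mean, var = forecast(series, horizon, q, r)
    z = (threshold - mean) / math.sqrt(var)
    return 0.5 * math.erfc(z / math.sqrt(2.0))


if __name__ == "__main__":
    for name, s in (("flat", FLAT), ("rising", RISING)):
        print(f"{name}: P(next week > 25) = {prob_exceeds(s, 25.0):.3f}, "
              f"P(4 weeks out > 25) = {prob_exceeds(s, 25.0, horizon=4):.3f}")
```

With the flat series the filtered level settles at 10 and its steady-state variance at (sqrt(17) - 1)/2, so the probability of exceeding 10 next week is one half and of exceeding 15 about 2.5%; the rising series pushes the same threshold probabilities up sharply. Because the forecast is a distribution, the operating threshold on the probability can later be set by the cost rules discussed under calibration rather than baked into the model.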

Calibration and decision thresholds. The deployed metric is rarely AUC. It is something like "precision at recall 0.10" or "expected number of analyst-hours per true positive." Calibrated probabilities (via isotonic regression or Platt scaling on a held-out set) let downstream decision rules choose thresholds based on operational cost; raw classifier scores do not.

Watch Out

False-positive cost is not symmetric with false-negative cost

A 1% false-positive rate sounds small until the base rate of true positives is one in a million. Then 1% FPR generates 10000 false alarms per true alarm, and the analyst queue collapses. The ROC curve is the tool, but the operating point is a policy decision tied to the cost ratio and the analyst budget, not a property of the model.
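The threshold arithmetic from the calibration passage and from this warning, worked through as an added example that is not code from the page: it sweeps the ROC of a constructed held-out set, reports precision at a target recall, derives false alarms per true alarm from the deployment base rate, and then chooses the threshold that minimises expected daily cost subject to the review queue fitting the analyst budget. The scores, labels, base rate, daily record volume, budget and cost weights are all assumed values.

```python
# Constructed held-out scores and labels (1 = confirmed positive). Not real data.
SCORES = [0.95, 0.85, 0.80, 0.70, 0.65, 0.55, 0.50, 0.45, 0.40, 0.35,
          0.30, 0.25, 0.20, 0.15, 0.12, 0.10, 0.08, 0.05, 0.03, 0.01]
LABELS = [1, 1, 0, 1, 0, 1, 0, 0, 0, 0,
          1, 0, 0, 0, 0, 0, 0, 0, 0, 0]


def roc_points(scores, labels):
    """(threshold, tp, fp, tpr, fpr) for every distinct score, highest first.
    A record is flagged when score >= threshold."""
    pos = sum(labels)
    neg = len(labels) - pos
    points = []
    for t in sorted(set(scores), reverse=True):
        tp = sum(1 for s, y in zip(scores, labels) if s >= t and y == 1)
        fp = sum(1 for s, y in zip(scores, labels) if s >= t and y == 0)
        points.append((t, tp, fp, tp / pos, fp / neg))
    return points


def precision_at_recall(scores, labels, target_recall):
    """Held-out precision at the highest threshold that reaches target_recall.
    Note this is precision at the held-out class balance, not in deployment."""
    for t, tp, fp, tpr, fpr in roc_points(scores, labels):
        if tpr >= target_recall:
            return tp / (tp + fp)
    return 0.0


def false_alarms_per_true_alarm(fpr, tpr, base_rate):
    """Expected false alarms per true alarm in deployment; the population base
    rate, not the held-out set, drives this ratio."""
    return fpr * (1.0 - base_rate) / (tpr * base_rate)


def choose_operating_point(scores, labels, base_rate, n_records, analyst_budget,
                           cost_fn, cost_fp):
    """Pick the threshold minimising expected daily cost
        cost_fn * missed positives + cost_fp * false alarms
    among thresholds whose expected review queue fits the analyst budget.
    base_rate and n_records describe the deployment population; the ROC
    rates from the held-out set are applied to that population."""
    best = None
    for t, tp, fp, tpr, fpr in roc_points(scores, labels):
        exp_tp = n_records * base_rate * tpr
        exp_fn = n_records * base_rate * (1.0 - tpr)
        exp_fp = n_records * (1.0 - base_rate) * fpr
        queue = exp_tp + exp_fp          # everything the analysts must look at
        if queue > analyst_budget:
            continue                     # infeasible: the queue would collapse
        cost = cost_fn * exp_fn + cost_fp * exp_fp
        if best is None or cost < best["cost"]:
            best = {"threshold": t, "tpr": tpr, "fpr": fpr,
                    "queue": round(queue), "cost": round(cost)}
    return best


if __name__ == "__main__":
    print("precision @ recall 0.6:", precision_at_recall(SCORES, LABELS, 0.6))
    print("false alarms per true alarm, 1% FPR, base rate 1e-6:",
          round(false_alarms_per_true_alarm(0.01, 1.0, 1e-6)))
    for budget, c_fn in ((10_000, 500), (5_000, 500), (10_000, 100)):
        print(f"budget={budget} cost_fn={c_fn}:",
              choose_operating_point(SCORES, LABELS, 1e-3, 100_000, budget, c_fn, 1))
```

The page's one-in-a-million figure reproduces with TPR = 1; at any lower recall the false alarms per true alarm are worse still. The three runs at the bottom show the two levers the text names: with a 10,000-review budget and a missed positive costed at 500 reviews the threshold drops to 0.70, halving the budget forces it back up to 0.85 regardless of cost, and cutting the miss cost to 100 keeps it at 0.85 even with the budget restored. Nothing in the model changed between runs; only policy inputs did. Per-record expected-cost rules on top of this need calibrated probabilities, which is where the isotonic or Platt step the text mentions comes in.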

Watch Out

Adversarial drift breaks i.i.d. assumptions

Transaction-laundering patterns change once detection methods become known. A model trained on yesterday's labels can be systematically defeated if attackers test their workflow against detector outputs. The mitigation is monitoring drift in feature distributions and routine retraining on recent labels, not a single static model.
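One concrete form of the feature-distribution monitoring just described, added as an example that is not code from the page: the population stability index (PSI) compares how a feature's values fall into reference-quantile bins at training time versus in a recent window, and a per-window status tells the operator whether to investigate and retrain on recent labels. The feature values, the bin count, the smoothing constant and the stable/moderate/significant cutoffs (a common rule of thumb, not a standard) are all assumptions for the example.

```python
import math

# Constructed feature values (think transaction amounts) for the reference
# window used at training time and three later monitoring windows. Not real data.
REFERENCE = [float(v) for v in range(100)]
RECENT_SAME = [float(v) for v in range(100)]
RECENT_SMALL_SHIFT = [float(v) for v in range(10, 110)]
RECENT_LARGE_SHIFT = [float(v) for v in range(50, 150)]


def quantile_edges(reference, n_bins):
    """Inner bin edges at reference quantiles, so each bin holds about
    1/n_bins of the training-time data."""
    xs = sorted(reference)
    return [xs[i * len(xs) // n_bins] for i in range(1, n_bins)]


def bin_fractions(values, edges):
    """Fraction of values in each bin defined by edges, lowest bin first."""
    counts = [0] * (len(edges) + 1)
    for v in values:
        b = 0
        while b < len(edges) and v >= edges[b]:
            b += 1
        counts[b] += 1
    return [c / len(values) for c in counts]


def psi(reference, recent, n_bins=5, eps=1e-4):
    """Population stability index: sum over bins of (q - p) * ln(q / p), with
    p the reference fraction and q the recent fraction. eps keeps an empty bin
    finite instead of raising on log(0)."""
    edges = quantile_edges(reference, n_bins)
    p = bin_fractions(reference, edges)
    q = bin_fractions(recent, edges)
    return sum((qi - pi) * math.log((qi + eps) / (pi + eps)) for pi, qi in zip(p, q))


def drift_status(value):
    """Assumed rule-of-thumb cutoffs: < 0.10 stable, 0.10-0.25 moderate,
    otherwise significant. Tune per feature against observed retraining need."""
    if value < 0.10:
        return "stable"
    if value < 0.25:
        return "moderate"
    return "significant"


def drift_report(reference, windows):
    """window name -> (psi, status). A 'significant' entry is the trigger for
    investigation and for retraining on recent labels."""
    report = {}
    for name, recent in windows.items():
        value = psi(reference, recent)
        report[name] = (round(value, 3), drift_status(value))
    return report


if __name__ == "__main__":
    windows = {"same": RECENT_SAME, "small": RECENT_SMALL_SHIFT, "large": RECENT_LARGE_SHIFT}
    for name, (value, status) in drift_report(REFERENCE, windows).items():
        print(f"{name}: psi={value} ({status})")
```

Run per feature and per window, this is cheap enough to sit in the scoring pipeline; a feature whose PSI climbs from stable to significant between scoring runs is the signal that the input population no longer matches what the model was fit on, whatever the cause. It does not require labels, which matters when labels arrive late, and it is complementary to, not a substitute for, tracking precision on the labels that do arrive.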

References

IARPA Open Source Indicators

IARPA, "Open Source Indicators (OSI) Program." Program description, broad agency announcement IARPA-BAA-11-11. Forecasting societal events from public data; Ramakrishnan et al. 2014 KDD describe the EMBERS production system built under OSI.

IARPA Mercury

IARPA, "Mercury Program." Broad agency announcement IARPA-BAA-15-06. Multilingual signal-of-interest forecasting from streaming web sources, with emphasis on near-real-time event detection.

IARPA FUSE

IARPA, "Foresight and Understanding from Scientific Exposition (FUSE)." Program description IARPA-BAA-11-04. Technical-emergence forecasting from multilingual scientific and patent literature.

Ramakrishnan EMBERS 2014

Ramakrishnan, Butler, Muthiah et al., "'Beating the news' with EMBERS: forecasting civil unrest using open source indicators." KDD 2014. Production OSI system, forecasting horizons, and per-country evaluation methodology.

Akoglu graph anomaly survey

Akoglu, Tong, Koutra, "Graph based anomaly detection and description: a survey." Data Mining and Knowledge Discovery 29(3), 2015. Taxonomy of static and dynamic graph anomaly methods relevant to transaction-network monitoring.

Liben-Nowell Kleinberg link prediction

Liben-Nowell and Kleinberg, "The link-prediction problem for social networks." Journal of the American Society for Information Science and Technology 58(7), 2007. Canonical baselines (Adamic-Adar, Katz, preferential attachment) still competitive on sparse graphs.


Last reviewed: April 18, 2026