SAP Targets Terrorism With AI

Can machine learning help government agencies track down terrorists? A secretive arm of the business intelligence firm SAP says yes.

SAP Targets Terrorism With AI
[Animation: Flickr user Antonio Roberts]

A specialized division of the business software powerhouse SAP (System Application Products) is building tools to harness machine learning and artificial intelligence for antiterrorist intelligence missions and cybersecurity—though details of how exactly the software has been used are shrouded in secrecy.


SAP National Security Services, which describes itself as an independent subsidiary of the German-based software giant that’s operated by U.S. citizens on American soil, works with homeland government agencies to find ways to track potential terrorists across social media.

“One [use] is the identification of bad actors: People that may be threats to us—people and organizations,” says Mark Testoni, president and CEO of SAP NS2, as the company is known. “Secondarily, once we’ve identified those kinds of players and actors, we can then track their behaviors and organizations.”

SAP NS2 is also working with cybersecurity firm ThreatConnect to use some of the same underlying technology to track intruders and menaces in computer networks in real time, the companies announced this week.

And in the national security sphere, NS2’s government partners—Testoni says he’s not at liberty to name specific agencies—use SAP’s HANA data processing platform to analyze thousands of terabytes of data from social media and other public online sources.

“There have been success cases, I can tell you,” he says. “Unfortunately, I can’t tell you about any of it.”

Many experts have argued that social media has been key to the rise of ISIS and the spread of support for the organization around the globe. Democratic presidential nominee Hillary Clinton is one of the politicians who has called on social network operators to take down extremist content, and agencies including the Department of Homeland Security have recently sought to study the technical aspects—and legal and privacy ramifications—of tracking publicly accessible social posts.


In 2003, federal plans for a massive global digital surveillance program dubbed Total Information Awareness came under heavy scrutiny due to privacy concerns, and the project was eventually defunded by Congress. But critics have said similar surveillance programs quietly continued at agencies, including the National Security Agency, with a level of secrecy that makes it difficult to judge their effectiveness or potential privacy violations.

In the case of SAP NS2, the underlying HANA system is designed to store huge quantities of information in memory, rather than on disk, for speedy access and processing. It organizes data by columns storing the same type of information from different records, rather than by rows corresponding to individual records, a time-and-space-saving technique shared by big data platforms from other vendors including Amazon and Oracle.

It also includes features for network graph analysis, automated machine learning, and sophisticated text processing that can extract meaning from written language, including online posts, according to Testoni.

This is useful when it comes to monitoring potential terrorists. “They’re online communicating to their followers and recruiting using social media and digital platforms, so that kind of sentiment analysis is helpful in identifying those platforms and tracking them,” Testoni says. “We’re trying to help identify threats with customers, and once we find them, and we identify people and organizations, then it becomes a little bit easier because then you can potentially track them.”

The tools can help analysts detect relationships between suspects and track data from multiple sources in real time, flagging anomalous patterns or feeding risk models that identify potential threats, the company says.

“You’d be looking for activity on social media, either known or potentially known accounts and others, and establishing the other connections that may be associated,” says Testoni, adding that one partner tracks about 30 online sites in several languages.


According to the company, a HANA-based system has proven powerful enough to parse a large set of simulated military documents, extracting the people, places, and events described in them.

For ThreatConnect, HANA provides processing speed that helps clients keep track of potential security-related events happening on their networks in real time, while also reducing the number of false alarms about harmless noise, says the company’s cofounder and CEO, Adam Vincent.

“It allows our software to be effectively super-powered around faster and more sophisticated analytics,” Vincent says. “In particular, the ability to process more data in real-time and do real-time analytics on incoming events, so that we can filter out the noise faster. Most organizations today are getting tens of thousands of alerts every day—humans can’t possibly comb through them all.”

ThreatConnect’s systems, which the company has integrated with HANA through a collaboration with SAP NS2, can help clients track cybersecurity the way such tools as Salesforce manage customer relationships. Ideally, they can replace more ad hoc methods that can leave security personnel struggling to stay up to speed, particularly as many companies are grappling with a skills shortage.

ThreatConnect also functions as an “expert system,” effectively automating the thought processes that humans go through to determine which network activities are threats. This service will improve as the company integrates HANA’s machine learning support.

Says Vincent, “What we’re trying to do with this product is help the security professional do their job faster, and there’s never been a time when that was needed more than it was today.”

Related Video: How to protect your cell phone from hackers.

About the author

Steven Melendez is an independent journalist living in New Orleans.