1 of 41

Conflict Alert Flagging with Open Data Sources

Stephen Weber

ICCRTS

November 2025

2 of 41

Motivation & Vision

2

3 of 41

3

Research in support to Canadian Special Operations Forces Command (CANSOFCOM)

Question: How best to leverage open data sources for global conflict indicators and warnings (I&W)

Wide range of I&W categories:

Market indicators

Forex, stocks, commodities
Betting markets (e.g polymarket)

Sociopolitical / Economic indicators

Elections, protests, unemployment
Military expenditure, internally displaced people

Online narrative monitoring

Prevalence of generated content

Conflict data aggregators

GDELT, ACLED, UCDP, ICEWS

4 of 41

4

Research in support to Canadian Special Operations Forces Command (CANSOFCOM)

Question: How best to leverage open data sources for global conflict indicators and warnings (I&W)

Wide range of I&W categories:

Market indicators

Forex, stocks, commodities
Betting markets (e.g polymarket)

Sociopolitical / Economic indicators

Elections, protests, unemployment
Military expenditure, internally displaced people

Online narrative monitoring

Prevalence of generated content

Conflict data aggregators

GDELT, ACLED, UCDP, ICEWS

Automated categorization

Researcher verified categorization

5 of 41

5

The GDELT project “monitors print, broadcast, and web news media in over 100 languages from across every country in the world to keep continually updated on breaking developments”

GDELT has a rapid 15 minute update frequency

Automated system 🡪 we don’t want to trust each data point

Idea is to aggregate and treat the GDELT feed as a 1D signal

6 of 41

6

The GDELT project “monitors print, broadcast, and web news media in over 100 languages from across every country in the world to keep continually updated on breaking developments”

GDELT has a rapid 15 minute update frequency

Automated system 🡪 we don’t want to trust each data point

Idea is to aggregate and treat the GDELT feed as a 1D signal

ACLED data has been used by CANSOFCOM for years

We created a schema to assign ACLED categories to GDELT events

7 of 41

Initial Experimentation

7

8 of 41

8

DRDC took part in a US lead data challenge April 2025

Developed a prototype dashboard integrating a data pipeline to collect, filter and flag on the GDELT data

9 of 41

Raw data inspection with Elastic / Kibana

Deeper exploratory analysis with Pygwalker

Dashboards for quick situation awareness

9

Visual Design Requirements

Wide range of users, Multiple Visual Designs

10 of 41

10/16/25

11 of 41

10/16/25

12 of 41

10/16/25

Potential LLM summarization + topic modelling pipeline

URL parsing in action for most popular article & reliable source

13 of 41

More Effective Triggering System

13

14 of 41

Gold Standard Way to Flag?

Each country has a different baseline of news events and mentions

Need to tailor alerts for each country, based on its own threshold

This also depends on the time scale

Maybe 1000 mentions in a day is normal, but 1000 mentions in an hour is a flag

We want a specific flag threshold for each country and time scale

How to set these? Fit the data!

15 of 41

Fitting the data

Israel has a lot of data, good place to start fitting

This plot contains 10 years of data in 3h time chunks

Tried fitting many different functions to these distributions

Gamma, exponential, pareto, beta, etc

For most countries and time scales the generalized extreme value distribution is best

The fit of this distribution is shown in red, it clearly fits the observed data

Confidence intervals gives us our thresholds for alerts

How likely is each number of mentions in 3h?

Peaks ~100, meaning 100 mentions in a 3h period is most likely

Long tail at higher values

90% Confidence Interval

16 of 41

Getting our thresholds

Performed fits for many countries at 5 different time scales

Country	Country_FIPS	Timescale	CI_68_max	CI_80_max	CI_90_max	CI_95_max	CI_997_max
United Arab Emirates	AE	1h	20	26	36	51	173
United Arab Emirates	AE	3h	41	52	71	94	261
United Arab Emirates	AE	6h	74	91	118	149	336
United Arab Emirates	AE	12h	140	163	199	237	420
United Arab Emirates	AE	1d	271	310	367	424	667

Higher confidence (alert less often)

Longer time scale

More mentions to trigger alert

17 of 41

17

Fit historical data

Determine threshold values

Set activity state

Very Low → Very High

Very Low: 30-day mentions counts are all below 70% confidence interval upper bound
Low: all below 85% upper bound
Moderate: all below 92% upper bound
High: all below 98% upper bound
Very High: At least 1 count in the last 30-days is greater than or equal to the 98% upper bound

18 of 41

State change based alerts trigger more reliably and avoid redundant triggers

To measure performance we define positive and negative segments

Method	Accuracy	Precision	Recall	F1
Spike	0.91	0.97	0.60	0.74
Build	0.87	0.83	0.46	0.59
Historical High	0.84	1.00	0.22	0.35
Benchmark Combination	0.92	0.88	0.70	0.78
State Change	0.94	0.79	0.97	0.87

19 of 41

Fusing Multiple Data Streams

UNCLASSIFIED INTERNAL

19

20 of 41

UNCLASSIFIED INTERNAL

20

21 of 41

UNCLASSIFIED INTERNAL

21

22 of 41

UNCLASSIFIED INTERNAL

22

23 of 41

UNCLASSIFIED INTERNAL

23

24 of 41

UNCLASSIFIED INTERNAL

24

25 of 41

UNCLASSIFIED INTERNAL

25

26 of 41

UNCLASSIFIED INTERNAL

26

27 of 41

UNCLASSIFIED INTERNAL

27

28 of 41

UNCLASSIFIED INTERNAL

28

29 of 41

We aim to address the data fusion problem of combining indicators across fields
Track states and momentum of longer-term indicators and provide data for deep dives
Use and/or model existing approaches (e.g., ACLED Conflict Index/Watchlist)

Conflict Index / Watchlist from December 2024

29

30 of 41

Conclusions & Next Steps

30

31 of 41

Conclusions

We can reliably flag major conflict events or escalations as they happen
Initial comparisons to historical events are lining up
State change alerts limit false positives and reduce alert fatigue

Continued work in

Using multiple datasets
Refine historical validation with more known events (escalations, non-breaking news)

Limited release trial for feedback & refinement
Robust database and alerting system
Fuse with level 2 reporting

31

Next Steps

32 of 41

Questions?

32

33 of 41

Backup Slides

33

34 of 41

Collection: GDELT

A free dataset that collects traditional media of "the world's breaking events and reaction in near-real time".

Pros	Cons
Updates every 15 minutes	Massive dataset to work with
Real time translation of 65 languages into English	Prone to duplication
Free	Geolocation accuracy inconsistent
Similar events in the 15 min window are binned together as one event, with the "mentions" field capturing volume	Automated NLP, so cannot be taken as fully reliable

Assumptions:
Reliability en masse of something happening

Question:
Can we use GDELT as an indicator "something's happening" to then verify elsewhere?

Global Database of Events, Language, and Tone

It is a database that monitors the world's broadcast, print, and web news from nearly every country, and is a massive dataset - over several billion data points.

And I assume at this point you are quite familiar with it. So the big takeaway is that it’s not super reliable on a granular level because it’s using automated NLP techniques without humans in the loop.

Some pros of gdelt is that:

it updates every 15 minutes, as opposed to ACLED's once a week time lag.
It has real-time translation built into it, so that's a step that we don't then have to do, which is great.
It's free.
And it does a little bit of data pre-processing for us. GDELT's methods take similar events in the 15-minute window of question and bin them together as one event, where the mentions fields lets you know how many different articles became that one event. So this helps us with our deduplication process.

A con is that it's just an absolutely massive data set to work with. There's no way we could look at all of it everyday, so we need to work to filter down to a subset that is useful to the analysts. While GDLET does do some of that binning for event deduplication, it is still very prone to duplication. So for example say I write an article discussing a protest and publish it at 10:00 a.m., and Susan writes an article about the same protest, but she publishes it at 10:45. Well, yes, we're talking about the same event, but because we are in separate 15-minute GDLET bins that is counted as two separate events by GDELT.

Another con is that GDELT is entirely automated, there is no human in the loop, there is no human verification. Where ACLED you do get that. So here NLP is doing the translation, the location extraction from the text, the determination of who is the actor from the text, when event type should this be categorized as...

And when we took a closer look, it's not perfect. It does make errors. And so our assumption is that there is reliability en masse that GDELT can accurately indicate that something is happening.

So if there is a big spike in data volume in Syria, then that is indicative of something actually happening in Syria that might be worth an analyst taking a look at. And so our project is exploring this question of can we use GDELT as an indication and warnings tool to flag an analyst that "that something is happening somewhere" and maybe they should go look investigate.

35 of 41

Filtering: Geolocation

Filtering upon ingestions into the ELK stack:

Filter by date range (last 15 minutes)

Assign events ids to avoid duplication

Filter to the 27 countries of interest

Using field actiongeocountrycode

36 of 41

Battle		Protests		Riots		Explosions		Violence Against Civilians		Strategic Developments		Other
150	Demonstrate military or police power	017	Engage in symbolic act	144	Obstruct passage, block	183	Conduct suicide, car, or other non-military bombing	180	Use unconventional violence	87	De-escalate military agreement	176	Attack cybernetically
171	Seize or damage property	133	Threaten with political dissent, protest	1441	Demonstrate for leadership change	1834	Carry out location bombing	181	Abduct, hijack, or take hostage	57	Sign formal agreement	102	Demand diplomatic cooperation
190	Use conventional military forces	140	Engage in political dissent	1443	Demonstrate for rights	194	Fight with artillery and tanks	182	Physically assault	50	Engage in diplomatic cooperation	104	Demand political reform
191	Impose blockade	141	Demonstrate or rally	145	Protest violently, riot	195	Employ arial weapons	186	Assassinate	55	Apologize	1053	Demand release of persons or property
192	Occupy territory	143	Conduct strike or boycott	1451	Engage in violent protest for leadership change	1951	Employ precision-guided aerial munitions	201	Engage in mass expulsion	56	Forgive	1041	Demand change in leadership
193	Fight with small arms and light weapons	1431	Conduct strike or boycott for leadership change	1711	Confiscate property	204	Use weapons of mass destruction	202	Engage in mass killing	62	Cooperate militarily	1014	Demand intelligence cooperation
200	Use unconventional mass violence	1432	Conduct strike or boycott for policy change	1712	Destroy property	2041	Use chemical, biological, or radiological weapons	203	Engage in ethnic cleansing	71	Provide economic aid	1054	Demand easing of economic sanctions, boycott, or embargo

ACLED

GDELT CAMEO Codes

Filtering upon ingestions into the ELK stack:

Filter by date range (last 15 minutes)

Assign events ids to avoid duplication

Filter to the 27 countries of interest

Using field actiongeocountrycode

Filter to CAMEO codes that match ACLED categories of interest

Verified by analysts

And our last filtering step, is to only keep the data that is similar to ACLED.

GDELT's NLP process automatically assigns every event a CAMEO event code that somewhat describes the nature of the event. For example, "demobilize forces" or "surrender militarily". And so what we have done, is read through all the CAMEO codes and build a dictionary of which are similar to the ACLED categories of interest to analysts.

This table shows some of this mapping. There are a lot more CAMEO codes included in our dictionary, but for the same of presentation, this table gives a good overview.

While this mapping of GDELT to ACLED was done by our team, we have run it by five analysts, and feel confident we are filtering to the useful subset of the GDELT data. Moreover, the "other" category on the far right captures CAMEO codes that don't obviously fall in an ACLED category, but were identified by analysts as still having value to the problem space at hand.

37 of 41

24-hour aggregation doesn't mean 24 delay

10/16/25

38 of 41

Fit summary for Israel example

39 of 41

Popular Forecasts

Beginning March 2023
1-6 month out predictions
Globally down to admin 1 but no predictions for countries with two few events/mo
Political violence events

Battles
Explosions/remote violence
Violence against civilians

ACLED CAST

VIEWS (IDEaS collaborators)

UNCLASSIFIED INTERNAL

Beginning March 2022
1-36 month out predictions
Globally to the country level and ~60km grids for Africa + ME
Fatalities & probability of conflict (state-based)

39

Lots of papers in this area but few organizations that consistently publicly release their predictions

40 of 41

An Aside on Conflict Forecasts

40

41 of 41

Example of ACLED CAST Qualitative Results

UNCLASSIFIED INTERNAL

41

We largely find predictions are a Y_t+1 = Y_t + noise shift, so not super useful for I&W
We are aiming to flag the escalation of events not predict them far in the future
Some things are truly not foreseeable, those we just want to alert for ASAP