Proceedings of the 2016 Industrial and Systems Engineering Research Conference
H. Yang, Z. Kong, and MD Sarder, eds.
Network Topology based ANFIS Detection Framework for
Identifying Terrorism Threats
Salih Tutun
Department of Systems Science and Industrial Engineering
Turkish Military Academy, Ankara, Turkey, and Binghamton University, Binghamton, NY
Sina Khanmohammadi, Chun-An Chou
Department of Systems Science and Industrial Engineering
Binghamton University, Binghamton, NY
Yunus Kucuk
Department of Computer Science
Turkish Military Academy, Ankara, Turkey, and Binghamton University, Binghamton, NY
Abstract
In recent years, terrorist attacks around the world have begun to develop more complex strategies and tactics that are
not easily recognizable. Furthermore, in uncertain situations, agencies need to know whether the perpetrator was a
terrorist or someone motivated by other factors (e.g. criminal activity) so that they can develop appropriate strategies
to capture the responsible organizations and people. In most research studies, terrorist activity detection focuses
on either individual incidents, which do not take into account the dynamic interactions among them, or network
analysis, which leaves aside the functional roles of individuals while capturing interactions and giving a general idea
about networks. In this study, we propose a unified approach that applies pattern classification techniques to network
topology and features of incidents. The detected patterns are used in conjunction with an evolutionary adaptive neural
fuzzy inference system to detect future incidents of terrorism. Finally, the proposed approach was tested and validated
using a real world case study that consists of incidents in Iraq. The experimental results show that our approach
outperforms other traditional detection approaches. Policymakers can use the approach for timely understanding and
detection of terrorist activity thus enabling precautions to be taken against future attacks.
Keywords
Intelligence, Terrorism Detection, Network Analysis, Adaptive Neural Fuzzy Inference System, Evolutionary Strategy
1. Introduction
Terrorism can have many causes, but one of the most important objectives in counter-terrorism is to detect those
terrorist activities that have a political, economic, religious or social goal. In order to capture the responsible organizations
and people, agencies need to know whether the perpetrator was a terrorist or someone motivated by other factors, such
as criminal activity. Detecting terrorist activities provides an opportunity to conduct a more in-depth analysis of such
events and ultimately gain a better understanding of tactics and strategies used by terrorists [1]. Detecting terrorist
activity is a challenging task because of the complex interactions that take place among terrorist groups. Furthermore,
the behavior of terrorists evolves over time and their tactics tend to adapt to the environment and emulate the behavior
of other terrorist groups [2]. In this regard, network-based approaches allow one to capture complex interactions [3, 4]
and recently, these approaches have become increasingly popular. However, terrorist groups attempting to conduct
illicit activities often organize into a Leninist cell structure that can tend toward centralized control. This structure
is not common to other social organizations. Therefore, it is hard to understand terrorist activity through network
analysis alone [5].
Tutun, Khanmohammadi, Chou and Kucuk
Most of the current research uses network models in isolation without considering underlying predictive patterns in
intelligence data sets [2, 6–9]. Using network analysis in isolation ignores the functional roles of individuals, though
it is essential for terrorist activity detection because it captures interactions and gives a general idea of systems [5, 10].
In this regard, combining pattern-recognition techniques with network-based approaches can provide more insight into
terrorist activity. In this paper, we propose a new hybrid detection framework that uses an optimized adaptive neural fuzzy
inference system (OANFIS) as a pattern-recognition technique in network topology. This method extracts terrorist
interactions from network properties to obtain a better understanding of the terrorist activity. The proposed method was
tested on a case study of incidents in Iraq and the results show that this method provided superior results compared to
other methods.
The rest of the paper is organized as follows. In Section 2, the methods used in the new proposed approach are
explained briefly. The study is described in detail, showing how the proposed framework is used to detect terrorist
attacks. In Section 3, the proposed framework is discussed using different detection methods. Finally, the improvement
in modeling terrorism is shown, and the contribution of the paper is discussed.
2. Materials and Methods
Terrorist attacks listed in the Global Terrorism Database (GTD) are used as a platform for this research. The data
includes various incidents in the world between 1970 and 2014. The features of the data set include date, incident
information, incident location, attack information, weapon information, target/victim information, perpetrator
information, casualties and consequences for each incident [11]. The data is prepared by removing the missing values and
suspected events. The following section provides details of the proposed terrorist-detection framework.
2.1 Network Topology based ANFIS Detection Framework
The proposed framework consists of network formation using a heterogeneous similarity function and pattern
recognition using the OANFIS model. The parameters of the OANFIS model are optimized based on an evolutionary strategy
(ES) algorithm and are used to detect terrorist attacks using properties of the network constructed from incidents, as seen in
Figure 1.
Figure 1: Structure of the proposed network-based detection framework
2.1.1 Network Construction
An analysis of terrorism demonstrated the evolutionary nature of terrorism and adaptation of tactics and strategies used
in terrorist attacks [2]. When incidents are successful, they are contagious, and other terrorist groups use these same
tactics for future attacks. Based on these behaviors, a network is constructed by using the similarity between various
incidents based on features such as weapon type, attack type and target type, then using this measure to form links
in the network. The similarity between incidents is calculated by looking at similarities between the characteristics
of the incidents. A heterogeneous similarity function is proposed to calculate similarity because there are categorical
and numeric variables for each incident. For example, as seen in Figure 2, the final value of similarity is calculated
using categorical and continuous features between incident 1 and incident 2. It means that a future attack (incident 2)
will incorporate learned tactics from a past attack (incident 1) if incident 1 is successful.
The classic similarity functions (e.g., Euclidean) cannot be used to calculate similarity because the data set has
categorical and continuous features. Categorical features cannot be used in these methods because they have no order. Therefore, a
heterogeneous similarity function is proposed to calculate similarity. For categorical data, we define the notation for a
categorical data set $c_h$ that contains $h$ objects. Afterwards, the $n_h$ ratio is used to define relationships between the features
of two incidents in the data set. Last, the final value of similarity ($Sim_h(X_h, Y_h)$) between incidents is found between 0
and 1 by combining these two calculations, as seen in Equation (1).
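The similarity value between X and Y belonging to the data set is as follows:
$$c_h = \begin{cases} 1 & \text{if } X_h = Y_h \\ 0 & \text{otherwise} \end{cases} \quad \text{for categorical features}$$
$$n_h = \begin{cases} X_h / Y_h & \text{if } X < Y \\ Y_h / X_h & \text{otherwise} \end{cases} \quad \text{for continuous features}$$
$$Sim_h(X_h, Y_h) = \sum_{h=1}^{d} \left( \sqrt{(c_h)^2} \ \text{or} \ (n_h) \right) \qquad (1)$$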
where $Sim_h(X_h, Y_h)$ is the similarity between two incidents. After calculating the similarity measure between various
features of data, the network $G = (V, E)$ is constructed, where $V$ is the vertices of the network showing different
incidents, and $E$ is the calculated similarity measure between incidents. Two nodes (incidents) are connected to each
other if the final value of similarity for each pair exceeds 0.8. One distinguishing factor of the constructed network is
that it also has a temporal dimension since each node (incident) has occurred at one specific time. Therefore, we have used
a directed graph where $e_{ij}$ implies that event $j$ has occurred later than event $i$. Figure 2 represents an example of the
constructed network.
Figure 2: Link formation for network analysis
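The link-formation step above as an added Python example, not code from the paper: it scores each pair of incidents with the heterogeneous similarity, links pairs whose score exceeds 0.8 from the earlier to the later incident, and reports in-degree and out-degree. The incident records are constructed; dividing the sum in Equation (1) by the number of features d so the score stays between 0 and 1, treating two equal continuous values (including 0 and 0) as a ratio of 1, and skipping same-day pairs are assumptions.

```python
from itertools import combinations
from math import sqrt

# Constructed sample incidents (illustrative values, not GTD records).
FIELDS = ("id", "day", "weapon", "attack", "target", "casualties", "perpetrators")
ROWS = [
    (1, 1, "explosive", "bombing", "police", 10, 2),
    (2, 5, "explosive", "bombing", "police", 8, 2),
    (3, 9, "explosive", "bombing", "police", 2, 4),
    (4, 12, "firearm", "assault", "civilian", 3, 1),
    (5, 20, "explosive", "bombing", "military", 8, 2),
    (6, 25, "explosive", "bombing", "police", 9, 2),
]
INCIDENTS = [dict(zip(FIELDS, row)) for row in ROWS]

CATEGORICAL = ("weapon", "attack", "target")
CONTINUOUS = ("casualties", "perpetrators")
THRESHOLD = 0.8  # link threshold stated in the text


def categorical_score(x, y):
    """c_h from Equation (1): 1 on an exact match, 0 otherwise."""
    c = 1.0 if x == y else 0.0
    return sqrt(c ** 2)


def continuous_score(x, y):
    """n_h from Equation (1): smaller value divided by larger value."""
    if x < 0 or y < 0:
        raise ValueError("continuous features must be non-negative")
    if x == y:
        return 1.0  # assumption: identical values (including 0 and 0) match fully
    return min(x, y) / max(x, y)


def similarity(a, b):
    """Sum of per-feature scores, divided by d (assumption) to stay in [0, 1]."""
    scores = [categorical_score(a[f], b[f]) for f in CATEGORICAL]
    scores += [continuous_score(a[f], b[f]) for f in CONTINUOUS]
    return sum(scores) / len(scores)


def build_network(incidents, threshold=THRESHOLD):
    """Directed edges (i, j): similarity exceeds threshold and j is later than i."""
    edges = {}
    for a, b in combinations(incidents, 2):
        if a["day"] == b["day"]:
            continue  # assumption: no temporal order, so no directed link
        score = similarity(a, b)
        if score > threshold:
            first, later = (a, b) if a["day"] < b["day"] else (b, a)
            edges[(first["id"], later["id"])] = score
    return edges


def degrees(incidents, edges):
    """In-degree and out-degree per incident, two of the network properties used later."""
    in_deg = {inc["id"]: 0 for inc in incidents}
    out_deg = dict(in_deg)
    for src, dst in edges:
        out_deg[src] += 1
        in_deg[dst] += 1
    return in_deg, out_deg


if __name__ == "__main__":
    net = build_network(INCIDENTS)
    print(sorted(net))
    print(degrees(INCIDENTS, net))
```

Incidents 2 and 5 score exactly 0.8 and stay unlinked, because the rule requires the similarity to exceed the threshold.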
2.1.2 Optimized Adaptive Neural Fuzzy Inference System
ANFIS consists of a Sugeno fuzzy inference system, embedded into a neural network structure and fuzzy system to
capture the benefits of both methods under one framework. The network structure includes six layers that enable
learning the underlying patterns of the training dataset and using these patterns for determining the membership
functions and rule structure of the Sugeno Fuzzy Inference System (FIS) [13]. Typically, a hybrid approach consisting of
backpropagation and the least square method is used to define the membership functions [12]. ANFIS has six layers
(see Figure 1) given as follows:
Layer 1: This layer is called the input layer. Every input signal taken from each node on the layer is transmitted to
other layers. The output equation for each node is defined in Equations (2-3).
$$O_1 = \mu_{A_i}, \quad i = 1, 2 \qquad (2)$$
$$O_1 = \mu_{B_i}, \quad i = 1, 2 \qquad (3)$$
Layer 2: This layer is called the fuzzy layer. The membership layers acquired from the second layer are shown as
$\mu_{A_i}$ and $\mu_{B_i}$.
Layer 3: This layer is called the rule layer as shown in Equation (4). Each node on this layer states the rules and
numbers that are constituted according to the Sugeno Fuzzy Logic Inference system.
$$\mu_{A_i}(X)\,\mu_{B_i}(Y) = \mu_i \qquad (4)$$
Layer 4: This layer is the normalization layer as seen in Equation (5).
$$N_i = \frac{\mu_i}{\sum_{i=1}^{n} (\mu_i)} \qquad (5)$$
Layer 5: This layer is called the defuzzification layer (as seen in Equation (6)). The aim here is to calculate the
weighted result value of each rule given at each node of the defuzzification layer.
$$D_i = \mu_i Z_i \qquad (6)$$
Layer 6: This layer is known as the multiplication layer in Equation (7). In this layer, by summing up the output value
of each node in the fifth layer, the real output value of the ANFIS system is acquired.
$$Z = \sum_{i=1}^{n} (\mu_i Z_i) \qquad (7)$$
Where $n$ shows the node number on the layer, A and B are inputs, $\mu$ is membership function, $N$ is the normalized
priming level of each rule, and $Z$ is the real output value of the ANFIS system.
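The layer-by-layer computation above as an added Python example, not code from the paper: a two-rule Sugeno forward pass that produces a score from two inputs. Gaussian membership functions, linear rule consequents Z_i = p·X + q·Y + r, the parameter values, the 0.5 cutoff, and the choice of in-degree and closeness centrality as the inputs X and Y are assumptions; the defuzzification step weights each rule by the normalized strength N_i from Equation (5), as in the standard Sugeno weighted average.

```python
from math import exp


def gaussian(value, center, sigma):
    """Gaussian membership grade in [0, 1] (the membership shape is an assumption)."""
    return exp(-0.5 * ((value - center) / sigma) ** 2)


# Hypothetical parameters for two rules (i = 1, 2); training would set these.
A = [(0.0, 1.0), (3.0, 1.0)]  # (center, sigma) of mu_A1, mu_A2 over input X
B = [(0.2, 0.2), (0.8, 0.2)]  # (center, sigma) of mu_B1, mu_B2 over input Y
CONSEQUENTS = [(0.0, 0.0, 0.1), (0.0, 0.0, 0.9)]  # (p, q, r) per rule


def anfis_forward(x, y, a=A, b=B, consequents=CONSEQUENTS):
    """Return (output Z, normalized rule strengths N) for inputs x and y."""
    # Layers 1-2: pass the inputs through and compute membership grades.
    mu_a = [gaussian(x, c, s) for c, s in a]
    mu_b = [gaussian(y, c, s) for c, s in b]
    # Layer 3: rule strength mu_i = mu_Ai(X) * mu_Bi(Y), Equation (4).
    mu = [ma * mb for ma, mb in zip(mu_a, mu_b)]
    # Layer 4: normalization, Equation (5). Inputs far from every membership
    # function underflow to zero strength, so guard the division.
    total = sum(mu)
    if total == 0.0:
        raise ValueError("no rule fires for this input")
    n = [m / total for m in mu]
    # Layer 5: weighted consequent of each rule.
    z = [p * x + q * y + r for p, q, r in consequents]
    d = [ni * zi for ni, zi in zip(n, z)]
    # Layer 6: sum of the rule outputs.
    return sum(d), n


def classify(x, y, cutoff=0.5):
    """Flag an incident when the ANFIS output reaches the (assumed) cutoff."""
    score, _ = anfis_forward(x, y)
    return score >= cutoff


if __name__ == "__main__":
    for x, y in [(0.0, 0.2), (1.5, 0.5), (3.0, 0.8)]:
        score, strengths = anfis_forward(x, y)
        print(x, y, round(score, 4), [round(s, 4) for s in strengths])
```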
The ANFIS method requires predetermination of many parameters such as the number of membership functions, type
of membership functions, learning rate, learning type, etc. These parameters can be determined based on expert
knowledge [13]. However, a more efficient way is to use an optimization method to determine these parameters. Independent
factors such as attack type, weapon type, modularity, degree, target type, goal of terrorism and centralities in network
topology are used to detect terrorism incidents. In this study, we have used the evolutionary strategy meta-heuristic
method to optimize the ANFIS parameters. The objective of the optimization approach is to identify the ANFIS
parameters that maximize F-measure criteria (details in section 2.2).
The structure of the applied evolutionary strategy method is shown in Figure 1. First, the initial population is con-
structed using random selection. Afterwards, parents (the best 100 results) are selected for the evolutionary process.
Then, parents are changed by using bit flip mutation. Global intermediate recombination is used to determine a new
population. The population is evaluated to define the best solution. Thereafter, we compare the difference between
new solutions and old solutions. If they differ by less than 0.001, the best solutions are defined for parameters. If
they differ by more than 0.001, the population is evolved by using selection, mutation and replacement. The method
is repeated to find $X = f(a) - f(b)$, where $f(b)$ is the old population and $f(a)$ is the new population. After finding the
best parameters for the ANFIS algorithm by using evolutionary strategy, the ANFIS method is used to detect terrorist
attacks on network metrics that are defined by using the proposed similarity function.
2.2 Evaluation Metrics
The performance of the proposed detection framework is evaluated using four different measures defined as accuracy,
sensitivity, specificity, and F-measure in Equations (8-11). These measures are based on True Positive (TP), True
Negative (TN), False Positive (FP) and False Negative (FN) values.
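$$\text{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN} \qquad (8)$$
$$\text{Sensitivity} = \frac{TP}{TP + FN} \qquad (9)$$
$$\text{Specificity} = \frac{TN}{FP + TN} \qquad (10)$$
$$\text{F-Measure} = \frac{2TP}{2TP + FP + FN} \qquad (11)$$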
TP is the number of correct classifications for terrorist activity detection. FP is the number of incorrect classifications
for non-terrorist activity detection. FN is the number of incorrect classifications for terrorist activity detection. TN is
the number of correct classifications for non-terrorist activity detection. Among these four performance criteria, the
F-measure is generally preferred as it provides a better estimate of the algorithm performance when the testing data
set is imbalanced [3].
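The evolutionary strategy loop of Section 2.1.2 with the F-measure of Equation (11) as its objective, as an added Python example that is not code from the paper. It tunes a small linear decision rule rather than ANFIS parameters and uses Gaussian mutation on real values in place of the bit-flip mutation named in the text; the data rows, the population sizes (the text keeps the best 100 parents) and the mutation step are assumptions.

```python
import random


def metrics(y_true, y_pred):
    """Accuracy, sensitivity, specificity and F-measure, Equations (8)-(11)."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(1 for t, p in pairs if t == 1 and p == 1)
    tn = sum(1 for t, p in pairs if t == 0 and p == 0)
    fp = sum(1 for t, p in pairs if t == 0 and p == 1)
    fn = sum(1 for t, p in pairs if t == 1 and p == 0)

    def ratio(num, den):
        return num / den if den else 0.0  # empty denominator counts as 0

    return {
        "accuracy": ratio(tp + tn, tp + tn + fp + fn),
        "sensitivity": ratio(tp, tp + fn),
        "specificity": ratio(tn, fp + tn),
        "f_measure": ratio(2 * tp, 2 * tp + fp + fn),
    }


# Constructed, imbalanced sample: (in_degree, closeness, label), 3 positives of 12.
DATA = [
    (5, 0.9, 1), (4, 0.8, 1), (6, 0.7, 1), (1, 0.2, 0), (0, 0.1, 0), (2, 0.3, 0),
    (1, 0.4, 0), (0, 0.3, 0), (2, 0.5, 0), (3, 0.4, 0), (1, 0.1, 0), (0, 0.2, 0),
]


def predict(params, row):
    """Hypothetical stand-in for the tuned model: a linear rule on two features."""
    w_degree, w_closeness, bias = params
    return 1 if w_degree * row[0] + w_closeness * row[1] + bias > 0 else 0


def fitness(params, data):
    preds = [predict(params, row) for row in data]
    return metrics([row[2] for row in data], preds)["f_measure"]


def evolve(data=DATA, mu=5, lam=20, sigma=0.5, tol=0.001, max_gen=50, seed=7):
    """Return (best parameters, best F-measure per generation)."""
    rng = random.Random(seed)

    def rank(population):
        return sorted(population, key=lambda p: fitness(p, data), reverse=True)

    # Random initial population, then keep the best mu as parents.
    parents = rank([[rng.uniform(-1, 1) for _ in range(3)] for _ in range(lam)])[:mu]
    history = [fitness(parents[0], data)]
    for _ in range(max_gen):
        # Global intermediate recombination: average each component over all parents.
        centroid = [sum(p[k] for p in parents) / mu for k in range(3)]
        # Mutation (Gaussian here, swapped in for bit flip).
        children = [[c + rng.gauss(0, sigma) for c in centroid] for _ in range(lam)]
        # Replacement: the best mu of parents and children survive.
        parents = rank(parents + children)[:mu]
        history.append(fitness(parents[0], data))
        # Stop when new and old best differ by less than 0.001.
        if abs(history[-1] - history[-2]) < tol:
            break
    return parents[0], history


if __name__ == "__main__":
    print(metrics([1, 0, 0, 0], [0, 0, 0, 0]))  # high accuracy, zero F-measure
    best, hist = evolve()
    print(best, hist)
```

A classifier that labels every incident as non-terrorist scores 0.75 accuracy on a 1-in-4 sample while its F-measure is 0, which is the imbalance effect the text gives as the reason for preferring the F-measure.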
3. Results and Discussion
In this section, the proposed method is tested using the GTD data set [11] and the results are compared to traditional
classification methods such as Decision Tree, Support Vector Machine, Logistic Regression and Naive Bayes. The
influence of past events on the current events is captured via network properties including in-degree, out-degree,
modularity, closeness centrality and betweenness centrality. These network properties are then fed to the OANFIS
model to detect whether a certain event is a terrorist attack or not.
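Table 1: Comparison of the results for the proposed methods

| Method | Training (2/3) Accuracy | Training (2/3) F-Measure | Training (2/3) Sensitivity | Training (2/3) Specificity | Testing (1/3) Accuracy | Testing (1/3) F-Measure | Testing (1/3) Sensitivity | Testing (1/3) Specificity |
|---|---|---|---|---|---|---|---|---|
| Logistic Regression | 95.13% | 0.95 | 0.94 | 1 | 90.57% | 0.89 | 0.89 | 1 |
| Naive Bayes | 94.81% | 0.95 | 0.97 | 0.84 | 89.31% | 0.89 | 0.91 | 0.82 |
| Support Vector Machine | 95.78% | 0.96 | 0.96 | 0.97 | 90.57% | 0.89 | 0.89 | 1 |
| Decision Tree | 95.13% | 0.95 | 0.94 | 1 | 90.57% | 0.89 | 0.89 | 1 |
| The Framework | 97.08% | 0.98 | 0.98 | 0.90 | 91.20% | 0.95 | 0.90 | 1 |
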
According to the comparison results (shown in Table 1), the proposed detection framework outperforms traditional
machine learning methods used for terrorist activity detection in most of the evaluation criteria. This is especially true
when we consider the F-measure, which is less than 0.9 for the other methods. With an F-measure of 0.95, the
framework has a greater capacity to detect terrorist activity than the other methods.
In addition, for the other evaluation metrics (e.g., accuracy, sensitivity and specificity), the framework is mostly better
than the other methods. Hence, by including the interaction between different terrorist activities we can make a more
precise decision as to whether a particular event is terror activity or not.
4. Conclusion
Detecting the type of incident (terrorist activity/non-terrorist activity) is critical for effective counter-terrorism
performance. Counter-terrorism agencies need to know whether the perpetrator was a terrorist or someone motivated by
other goals. In this study, we showed that by incorporating the interaction of past terrorist activity, we can have a better
understanding of whether a particular incident is terror activity or not. This is because terrorist groups tend to interact
and learn from each other’s behavior and experience and modify their tactics accordingly. This research is a pilot
study showing that we can detect terrorist activity efficiently and in a timely manner. After incidents occur, the agencies can understand
differences among incidents. The proposed framework enables policy makers to develop precise global and/or local
counter-terrorism strategy. Furthermore, this information can be very useful for law enforcement agencies, enabling
them to propose timely reactive strategies.
5. Acknowledgments
The research is supported by the Turkish Military Academy (TMA). The authors wish to thank the Global Terrorism
Database and the Turkish Military Academy for their help in providing data and supporting research.
References
1. Fahey, S., LaFree, G., Dugan, L., and Piquero, A. R., 2012, "A Situational Model for Distinguishing Terrorist and Non-terrorist Aerial Hijackings, 1948–2007," Justice Quarterly, 29(4):573–595.
2. Chenoweth, E., and Lowham, E., 2007, "On Classifying Terrorism: A Potential Contribution of Cluster Analysis for Academics and Policy-makers," Defence & Security Analysis, 23(4):345–357.
3. Netzer, M., Kugler, K. G., Müller, L. A., Weinberger, K. M., Graber, A., Baumgartner, C., and Dehmer, M., 2012, "A Network-based Feature Selection Approach to Identify Metabolic Signatures in Disease," Journal of Theoretical Biology, 310, 216–222.
4. Chen, H, 2011, "Dark web: Exploring and Data Mining the Dark Side of the Web," Springer Science & Business Media, 30.
5. Coffman, T. R., and Marcus, S. E., 2004, "Pattern Classification in Social Network Analysis: A Case Study," IEEE Aerospace Conference, 5, 3162–3175.
6. Cai, Q., Gong, M., Ma, L., Ruan, S., Yuan, F., and Jiao, L., 2015, "Greedy Discrete Particle Swarm Optimization for Large-scale Social Network Clustering," Information Sciences, 316, 503–516.
7. Li, B. X., Zhu, J. F., and Wang, S. G., 2015, "Networks Model of the East Turkistan Terrorism," Physica A: Statistical Mechanics and its Applications, 419, 479–486.
8. Talks, S. A. S., 2012, "Social Networks in Data Mining: Challenges and Applications," retrieved from http://www.sas.com/reg/web/corp/1845117
9. Tutun, S., Chou, C. A., and Canıyılmaz, E., 2015, "A New Forecasting Framework for Volatile Behavior in Net Electricity Consumption: A Case Study in Turkey," Energy, 93, 2406–2422.
10. Coffman, T. R., and Marcus, S. E., 2004, "Dynamic Classification of Groups through Social Network Analysis and HMMs," IEEE Aerospace Conference, 5, 3197–3205.
11. National Consortium for the Study of Terrorism and Responses to Terrorism (START), "Global Terrorism Database," retrieved from http://www.start.umd.edu/gtd
12. Demuth B., 2016, "Matlab: Fuzzy Logic Toolbox User’s Guide," 2015, retrieved from http://www.mathworks.com/help/fuzzy/
13. Xinqing, L., Tsoukalas, L. H., and Uhrig, R. E., 1996, "A Neurofuzzy Approach for the Anticipatory Control of Complex Systems," IEEE Fuzzy Systems, 1, 587–593.