An Outlier-Based Intention Detection for Discovering Terrorist Strategies

Abstract

Terrorist groups (attackers) always strive to outmaneuver counter-terrorism agencies with different tactics and strategies for making successful attacks. Therefore, understanding unexpected attacks (outliers) is becoming more and more important. Studying such attacks will help identify the strategies from past events that will be most dangerous when counter-terrorism agencies are not ready for protection interventions. In this paper, we propose a new approach that defines terrorism outliers in the current location by using non-similarities among attacks to identify unexpected interactions. The approach is used to determine possible outliers in future attacks by analyzing the relationships among past events. In this approach, we calculate the relationship between selected features based on a proposed similarity measure that uses both categorical and numerical features of terrorism activities. The extracted relations are then used to build the terrorism network for finding outliers. Experimental results showed that the comparison of actual events and the detected patterns match with more than 90% accuracy for many future strategies. Based on the properties of the outliers, counter-terrorism agencies can prevent a future bombing attack on strategic locations.
1877-0509 © 2017 The Authors. Published by Elsevier B.V.
Peer-review under responsibility of the scientific committee of the Complex Adaptive Systems Conference with Theme:
Engineering Cyber Physical Systems.
10.1016/j.procs.2017.09.006
Procedia Computer Science 114 (2017) 132–138
Complex Adaptive Systems Conference with Theme: Engineering Cyber Physical Systems, CAS
October 30 – November 1, 2017, Chicago, Illinois, USA
Salih Tutun (a, *), Murat Akça (b), Ömer Bıyıklı (b), Mohammad T. Khasawneh (a)
(a) Department of Systems Science and Industrial Engineering, Binghamton University, New York, 13850, USA
(b) Department of Industrial Engineering, Gazi University, Ankara, 06420, Turkey
Keywords: Outlier Detection; Similarity Function; Link Formation; Network Analysis; Counter-terrorism
* Corresponding author.
E-mail address: stutun1@binghamton.edu
1. Introduction
Terrorism is a new kind of war that is increasingly characterized by uncertainty. In this war, terrorist groups
(attackers) often change their strategies in an effort to surprise and shock defenders (counter-terrorism agencies) for
more successful attacks. Defenders are always under pressure to learn new strategies in order to have a strong
counter-terrorism strategy [1]. Moreover, terrorism has significantly increased after the September 11 attack because
the uncertainties associated with such events make their prevention a very complex effort to manage [2]. Defenders
need to know how to create strategies to prevent these kinds of attacks, and they need to adopt more accurate
approaches to investigate terrorist activities [3]. Intelligence gathering is the cornerstone through which uncertainty
is reduced.
Current literature suggests that terrorism has an evolutionary nature and attackers change their behavior
according to defenders’ counter-terrorism policies. The behavior of attackers evolves over time, and they often copy
the behavior of other attacks [4]. For instance, each attacker learns tactics from past attacks whether they were
successful or not. After learning certain tactics, they seek to shock defenders through attacks that are unexpected
when compared with past events. Only when defenders have the ability to predict unexpected future events is the
prevention of terrorism plausible.
In the literature for understanding strategies of terrorism, network-based approaches are used to understand
complex interactions [5, 6]. These approaches are becoming increasingly popular [7] because they are proving to be
effective methods for understanding terrorism [8]. Moreover, many researchers have studied the behavior of people
(attackers) to find the leader of the attackers. Therefore, existing network-based approaches in the
literature focused on prosecution instead of prevention [9, 10]. In this research, we focus on finding relationships
between different attacks instead of connections and relationships between people [11].
This research aims to propose a new approach by analyzing relations of attacks to develop predictive capabilities.
The network of attacks is modeled in the approach to understand future strategies. More specifically, a new outlier-
based similarity function is proposed to find relations that will help construct a network for events. Furthermore, this
similarity function is used to estimate relationships among interactive events by using non-similar attacks [11, 12].
This method extracts attacker interaction from network properties to obtain a better understanding of the attacker
activity. The results could potentially help in the understanding of future attacks and enable counter-terrorism
agencies to propose proactive strategies [11, 13].
The remainder of the paper is organized as follows. In Section 2, data analysis and collection are explained, and
the methods used in the new approach are presented. A detailed description of how the proposed approach is used to
understand complex interactions is also presented. In Section 3, experimental results that show the proposed
approach works to understand attacker activities efficiently are presented. Finally, Section 4 presents a discussion to
highlight the improvement in modeling terrorism and the contribution of the research.
2. Materials and Methods
Terrorist attacks listed in the Global Terrorism Database (GTD) are used in this research. The data includes
various events between 1970 and 2015 [2]. The data is prepared by removing missing values and incorrect events.
The following section provides details of the proposed approach. Moreover, bombing attacks (with explosive weapons),
as seen in Fig. 1 and Fig. 2, are used against defenders’ agencies (e.g., Military, Police, etc.). This type of
attack was chosen because it constitutes half of all attacks [11].
In the collected dataset, the variable names are explained as follows: Extended incident (extended) is defined as
yes (1) if there is an extension for more than 24 hours or no (0). Doubt of terrorism proper (doubtterr) is defined as
yes (1) or no (0). Part of multiple incidents (multiple) is determined as yes (1) or no (0). Location of events is
defined using countries, regions, state, and city. Vicinity (vicinity) is used as yes (1) if the event happens near the
city or no (0) if it is in the city center. Specificity is determined at the geospatial resolution of the latitude and
longitude areas with five different categories. Attack type (attacktype1) is defined as a Bombing/Explosion attack.
Successful Attack (success) is defined based on whether the event is successful (1) or not (0). Weapon type
(weaptype1) is defined as which weapons are used for attacks. Target type (targettype1) is determined by which
targets the attackers pursue. The number of killings (nkill) means the number of people killed in the attack. Hostage
victims (ishostkid) is defined by whether the victim was taken hostage or not. International (int-log) indicates whether
the attack was international or domestic [2]. As seen in Fig. 1, half of all attacks based on the dataset are of the bombing and
explosion category. Moreover, 40% of all attacks used explosive weapons (as seen in Fig. 2). Therefore, this paper
focuses on these attacks to implement the proposed approach.
Fig. 1. Attack types for collected data.
Fig. 2. Weapon types for collected data.
As seen in Fig. 3, there are interactions among attacks. A similarity function is proposed to capture these
complex interactions. This research explores the opportunities for applying network analytic techniques to
take precautions before attacks. The similarity function can be used to measure non-similarities (links) to form relations
between nodes. However, computing similarity over categorical features is not straightforward because there is no explicit
ordering among categorical variables. A new data-driven heterogeneous similarity function is proposed to solve this problem.
Fig. 3. Interactions and learning among terrorist attacks.
Table 1. Explanation of the data with formulas.
Attributes ID   A1      A2      A3      Ad
n1              x11     x12     x13     x1d
n2              x21     x22     x23     x2d
n3              x31     x32     x33     x3d
.               .       .       .       .
.               .       .       .       .
.               .       .       .       .
nN              xN1     xN2     xN3     xNd
Frequency       f1(x)   f2(x)   f3(x)   fn(x)
For an overlap measure between categorical data, we define the notations (as seen in Table 1) as a categorical
dataset $D$ that contains $N$ objects. This dataset has $d$ categorical features and continuous features, where $A_h$ denotes
the $h$th feature. Let the feature $A_h$ take $n_h$ values in the dataset $D$.
$$P_h(x) = \frac{f_h(x)}{N}, \quad (h = 1, 2, 3, 4, \ldots, d) \qquad (1)$$
The following notations are used. The frequency $f_h(x)$ is defined as the number of times that feature $A_h$ takes
the value $x$ in the dataset $D$ (note: if $x$ is not in $A_h$, $f_h(x) = 0$), and $P_h(x)$ (as seen in Eq. (1)) is the sample
probability that feature $A_h$ takes the value $x$ in the dataset $D$, as seen in the above matrix [12]. The similarity value
between X and Y (see Eq. (2)), which belong to the dataset $D$, is calculated as follows:
otherwise
featureslcategoricaasYXifxP
chhh
h0
)(


otherwiseXY
featurescontinuousasYXifYX
n
hh
hhhh
h
/
/
 
d
h
hh
norcYXNS
1
2
1,
(2)
where NS(X,Y) is the non-similarity between two events. This value is used to define relations between events in
networks.
3. Defining Outliers (Unexpected Events) for Future Threats
In this section, we look at the non-similarity for the events because attackers will always change strategies. As
seen in Fig. 4, outliers change dynamically based on the past attacks. In Fig. 4, some events are not in the
center because they are not similar to others. At the same time, we observed these events dynamically to understand
unexpected behaviors. As a result, Events 57, 16, 12 are the most unused events for the first 100 events. After that,
Event 52 is added when 200 events are examined. Events 133, 64 are found for the next 100 events. In conclusion,
Events 57, 52, 16, 12, 133 are outliers for future behaviors.
Fig. 4. Defining outliers for future attacks.
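The frequency-based probability of Eq. (1) and a mixed categorical/continuous non-similarity, applied to growing windows of events as in the paragraph above; this is an added example, not the authors' code. The records are constructed (not GTD data), and the per-feature terms, the one-minus-mean combining rule, and the ranking of events by mean non-similarity to all others are assumptions of this example.

```python
from collections import Counter
from itertools import combinations

CATEGORICAL = ("weaptype1", "targtype1", "success")
CONTINUOUS = ("nkill",)  # assumed non-negative counts

# Constructed records for illustration (not GTD data); ids are in time order.
EVENTS = [
    {"id": 1, "weaptype1": 6, "targtype1": 3, "success": 1, "nkill": 2},
    {"id": 2, "weaptype1": 6, "targtype1": 3, "success": 1, "nkill": 4},
    {"id": 3, "weaptype1": 6, "targtype1": 4, "success": 1, "nkill": 2},
    {"id": 4, "weaptype1": 6, "targtype1": 3, "success": 0, "nkill": 0},
    {"id": 5, "weaptype1": 6, "targtype1": 3, "success": 1, "nkill": 1},
    {"id": 6, "weaptype1": 5, "targtype1": 14, "success": 0, "nkill": 20},
]


def sample_probabilities(events):
    """Eq. (1): P_h(x) = f_h(x) / N for each categorical feature h."""
    n = len(events)
    return {
        h: {x: f / n for x, f in Counter(e[h] for e in events).items()}
        for h in CATEGORICAL
    }


def non_similarity(x, y, probs):
    """Assumed combining rule: 1 - mean of the per-feature terms."""
    terms = []
    for h in CATEGORICAL:
        # Overlap term: a match contributes the sample probability of the
        # shared value; a value unseen in the window has f_h(x) = 0.
        terms.append(probs[h].get(x[h], 0.0) if x[h] == y[h] else 0.0)
    for h in CONTINUOUS:
        # Smaller-to-larger ratio; two zeros count as identical.
        lo, hi = sorted((x[h], y[h]))
        terms.append(1.0 if hi == 0 else lo / hi)
    return 1.0 - sum(terms) / len(terms)


def outlier_scores(events):
    """Mean non-similarity of each event to every other event in the window."""
    if len(events) < 2:
        raise ValueError("need at least two events to compare")
    probs = sample_probabilities(events)
    totals = {e["id"]: 0.0 for e in events}
    for x, y in combinations(events, 2):
        ns = non_similarity(x, y, probs)
        totals[x["id"]] += ns
        totals[y["id"]] += ns
    return {i: t / (len(events) - 1) for i, t in totals.items()}


def top_outliers(events, k):
    """Ids of the k events least similar to the rest, most unusual first."""
    scores = outlier_scores(events)
    return sorted(scores, key=lambda i: (-scores[i], i))[:k]


def outliers_by_window(events, sizes, k):
    """Recompute the outliers as more past events are taken into account."""
    return {n: top_outliers(events[:n], k) for n in sizes}


if __name__ == "__main__":
    for event_id, score in sorted(outlier_scores(EVENTS).items()):
        print(f"event {event_id}: mean non-similarity {score:.3f}")
    print(outliers_by_window(EVENTS, [4, 6], k=1))
```

Because the probabilities are recomputed for each window, the event flagged as most unusual can change as later events arrive, which is the dynamic behavior the section describes.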
As seen in Table 2, we calculated the similarity of outlier attacks for the next 100 attacks with high accuracy.
Therefore, we can understand outlier behaviors for future attacks. As a result, based on the non-similar relations, we
can find outlier behaviors for future attacks. When defenders focus on these actions, they can understand which
behaviors are unused and have a high potential for occurrence in the future.
Table 2. Accuracies (%) of occurrence for future attacks.
extended    country    Region       specificity  vicinity     crit3
0.97%       0.92%      0.95%        0.97%        0.93%        0.98%
doubtterr   multiple   attacktype1  targtype1    guncertain1
0.74%       0.86%      0.96%        0.62%        0.94%
weaptype1   property   Ishostkid    int-log      nkill        success
0.98%       0.98%      0.99%        0.99%        0.88%        0.97%
Fig. 5. Defining the most important outliers for future attacks.
Furthermore, when all past attacks are followed, some events are found to be the most non-similar for future events.
As seen in Fig. 5, Event 57 and Event 133 have successful strategies in the past attacks. Once attackers use these
strategies, they will shock defenders with successful attacks. In order to control attackers, defenders need to analyze
these events deeply. They also need to continue searching other events dynamically. In this way, attackers can be controlled
to prevent the most dangerous attacks.
4. Conclusions
Nowadays, counter-terrorism agencies need to develop better defense strategies to combat the attackers’ tactics.
This research proposes a new approach based on a similarity function. More specifically, a heterogeneous similarity
function is proposed to analyze relationships between interactive events to understand how attackers seek to surprise
defenders. At the same time, the proposed network approach is different because it uses attackers (as events) instead
of people.
The proposed approach proves its usefulness due to the use of the proposed similarity function. We show that
attacks can be prevented by learning from outlier behavior of attacks. The results prove that we can understand
outlier behaviors for bombing attacks by finding patterns. The patterns identified with more than 90% accuracy show
that the framework can be used to understand future attacks.
In future work, larger dynamic networks could be used to discover the patterns as a big data project for future
events. Moreover, people could study a unified approach that applies pattern classification techniques to the
proposed network topology to improve detection accuracy. Based on the proposed network, pattern recognition
methods could be used to detect terrorism events. Also, conditional probability can be used to understand which
event could lead to a future event. At the same time, the framework can be implemented in other application areas if
they have interactions among terrorism-related observations for detection.
In conclusion, defenders can deter threats by using this approach. They can understand how terrorism will impact
future events, and governments can control attackers' behaviors to reduce the risk of future events. After attacks
occur, the defenders can understand differences between attacks. The proposed approach enables policy makers to
develop precise global and/or local counter-terrorism strategies. Furthermore, this information can be extremely
useful for law enforcement agencies, which allows them to propose timely reactive strategies.
References
[1] Byman, Daniel, and Jeremy Shapiro. (2014) "We Shouldn’t Stop Terrorists from Tweeting." The Washington Post 9.
[2] National Consortium for the Study of Terrorism and Responses to Terrorism (START). (2015) "Global terrorism database."
http://www.start.umd.edu/gtd.
[3] Jackson, Brian A., and David R. Frelinger. (2009) "Understanding why terrorist operations succeed or fail." RAND CORP ARLINGTON
VA.
[4] Chenoweth, Erica, and Elizabeth Lowham. (2007) "On classifying terrorism: A potential contribution of cluster analysis for academics and
policy-makers." Defence & Security Analysis 23(4): 345-357.
[5] Chen, Hsinchun. (2011) "Dark web: Exploring and data mining the dark side of the web (Vol. 30)." Springer Science & Business Media.
[6] Netzer, Michael, Karl G. Kugler, Laurin AJ Müller, Klaus M. Weinberger, Armin Graber, Christian Baumgartner, and Matthias Dehmer.
(2012) "A network-based feature selection approach to identify metabolic signatures in disease." Journal of theoretical biology 310: 216-222.
[7] Coffman, Thayne R., and Sherry E. Marcus. (2004) "Dynamic classification of groups through social network analysis and HMMs." In
Aerospace Conference, 2004. Proceedings. IEEE (Vol. 5, pp. 3197-3205).
[8] Bohannon, John. (2009) "Counterterrorism's new tool: ‘metanetwork’ analysis." http://science.sciencemag.org/content/325/5939/409
[9] Xu, Jennifer J., and Hsinchun Chen. (2005) "CrimeNet explorer: a framework for criminal network knowledge discovery." ACM
Transactions on Information Systems (TOIS) 23(2): 201-226.
[10] Krebs, Valdis E. (2002) "Mapping networks of terrorist cells." Connections 24(3): 43-52.
[11] Tutun, Salih, Mohammad T. Khasawneh, and Jun Zhuang. (2017) "New framework that uses patterns and relations to understand terrorist
behaviors." Expert Systems with Applications 78: 358-375.
[12] Tutun, Salih, Sina Khanmohammadi, and Chun-an Chou. (2016) "A network-based approach for understanding suicide attack behavior." In
Industrial & Systems Engineering Research Conference (ISERC). Institute of Industrial Engineers (IIE).
[13] Li, Ben-xian, Jun-fang Zhu, and Shun-guo Wang. (2015) "Networks model of the East Turkistan terrorism." Physica A: Statistical
Mechanics and its Applications 419: 479-486.
... The authors discovered meaningful insights to counter-terrorism by deriving statistical correlations between the pairs-Event of Terrorism-Target of Terrorism and Event of Terrorism-Method of Terrorism. Tutun et al. used network graphs to find outliers in the types of terrorist attacks using dissimilarity measures in past terrorist attacks (Tutun et al., 2017). The network graphs are often based on massive datasets, leading to very dense plots making it complex to extract information. ...
In this contemporary era, where a large part of the world population is deluged by extensive use of the internet and social media, terrorists have found it a potential opportunity to execute their vicious plans. They have got a befitting medium to reach out to their targets to spread propaganda, disseminate training content, operate virtually, and further their goals. To restrain such activities, information over the internet in context of terrorism needs to be analyzed to channel it to appropriate measures in combating terrorism. Open Source Intelligence (OSINT) accounts for a felicitous solution to this problem, which is an emerging discipline of leveraging publicly accessible sources of information over the internet by effectively utilizing it to extract intelligence. The process of OSINT extraction is broadly observed to be in three phases (i) Data Acquisition, (ii) Data Enrichment, and (iii) Knowledge Inference. In the context of terrorism, researchers have given noticeable contributions in compliance with these three phases. However, a comprehensive review that delineates these research contributions into an integrated workflow of intelligence extraction has not been found. The paper presents the most current review in OSINT, reflecting how the various state‐of‐the‐art tools and techniques can be applied in extracting terrorism‐related textual information from publicly accessible sources. Various data mining and text analysis‐based techniques, that is, natural language processing, machine learning, and deep learning have been reviewed to extract and evaluate textual data. Additionally, towards the end of the paper, we discuss challenges and gaps observed in different phases of OSINT extraction. This article is categorized under: Application Areas > Government and Public Sector Commercial, Legal, and Ethical Issues > Social Considerations Fundamental Concepts of Data and Knowledge > Motivation and Emergence of Data Mining
... Tutun et al. [31] identified unexpected interactions through using non-similarities among attacks. The approach was used to find the possible outlier by analyzing the past strategies used in the events. ...
Suicide bomb attacks are a high priority concern nowadays for every country in the world. They are a massively destructive criminal activity known as terrorism where one explodes a bomb attached to himself or herself, usually in a public place, taking the lives of many. Terrorist activity in different regions of the world depends and varies according to geopolitical situations and significant regional factors. There has been no significant work performed previously by utilizing the Pakistani suicide attack dataset and no data mining-based solutions have been given related to suicide attacks. This paper aims to contribute to the counterterrorism initiative for the safety of this world against suicide bomb attacks by extracting hidden patterns from suicidal bombing attack data. In order to analyze the psychology of suicide bombers and find a correlation between suicide attacks and the prediction of the next possible venue for terrorist activities, visualization analysis is performed and data mining techniques of classification, clustering and association rule mining are incorporated. For classification, Naïve Bayes, ID3 and J48 algorithms are applied on distinctive selected attributes. The results exhibited by classification show high accuracy against all three algorithms applied, i.e., 73.2%, 73.8% and 75.4%. We adapt the K-means algorithm to perform clustering and, consequently, the risk of blast intensity is identified in a particular location. Frequent patterns are also obtained through the Apriori algorithm for the association rule to extract the factors involved in suicide attacks.
Terrorism is a globally prevalent dreaded form of crime against humanity in modern civil society. The nature of surprise, casualties caused, and the panic involved in terrorist activities compels improvisation of efforts to counter them. These counter-terrorism efforts require precise and reliable techniques to analyze the patterns existing in data of previous terrorist activities. Such patterns can reveal vital information for predicting details of upcoming attacks. Structures of terrorist networks and their operational specifics are among such attack details that deserve critical analysis by specialized applications. Most of these applications used for analyzing terrorism data are based on computational methods articulated under the broad term of soft computing techniques. In this paper, we review various aspects of soft computing applications developed for the analysis of terrorism data. Initiating with an in-depth discussion on the datasets of terrorist event data, we propose 6 criteria for their quality evaluation. We proceed by elaborating the utilities of a prospective terrorism analysis application. These utilities include forecasting, detection and link mapping of terrorist activities. In the core of this review, we present a categorization of soft computing techniques into 3 major components; approximate reasoning, metaheuristic optimization and machine learning. A rich volume of applications for terrorism analysis has been discussed and compared on the scale of these techniques and their subcategories. Among these applications, while metaheuristic approaches present results to a precision of 90%, machine learning classifier methods also depict a classification accuracy of up to 93% in their outputs. Later, we discuss the perceived challenges in current literature, their consequential inclinations of research, and suggestions for directions of possible future developments. 
Finally, we conclude this review with a summary of the current state-of-art and critical comment on open opportunities in terrorism analysis.
In this chapter, the comprehensive procedure to improve the capacity of secret text is discussed. Two Steganography techniques were proposed which employed JPEG compression on grayscale image to hide secret text.
The concept of optimization is widely used to locate the optimum solution for different mathematical problems.
This book explores the use of a socio-inspired optimization algorithm (the Cohort Intelligence algorithm), along with Cognitive Computing and a Multi-Random Start Local Search optimization algorithm. One of the most important types of media used for steganography is the JPEG image. Considering four important aspects of steganography techniques – picture quality, high data-hiding capacity, secret text security and computational time – the book provides extensive information on four novel image-based steganography approaches that employ JPEG compression. Academics, scientists and engineers engaged in research, development and application of steganography techniques, optimization and data analytics will find the book’s comprehensive coverage an invaluable resource.
Stego image quality, secret text embedding capacity, computational time and security are the main challenges involved for steganography methods.
Nowadays the level of information security has been enhanced by various concepts such as cryptography, steganography [9] along with nature-inspired optimization algorithms [4, 7, 8]. However, in today’s world computational cost (time and function evaluations) plays a vital role in the success of any scientific method. The optimization algorithms, such as CICC and M-MRSLS were already implemented and applied for JPEG image steganography for 8×8 as well as 16×16 quantization table, respectively. Although results were satisfactory in terms of image quality and capacity, the computational time was high for most of the test images.
The JPEG image format (Miano in Compressed image file formats: JPEG, PNG, GIF, XBM, BMP. Addison-Wesley Professional, Boston, pp 1–264, 1999 [7]) is commonly used in various steganography techniques such as least significant bit insertion, masking, and filtering, transformations, etc. The algorithm of CI is inspired by the natural and social tendency of learning from one another. It has already been applied and tested for solving unconstrained, constrained and NP-hard combinatorial problems.
Exchange of secure information between the sender and receiver draws the attention of several researchers due to its importance in various fields ranging from national security (Tutun et al. in Procedia Comput Sci 114:132–138, 2017 [73]) to social profile (Gupta and Dhami in J Direct Data Digit Mark Pract 17:43–53, 2015 [29]). Cryptography (Coron in IEEE Secur Priv 4:70–73, 2006 [17]) and Steganography (Cheddad and Condell in Sig Process 90:727–752, 2010 [14], Rabah in Inf Technol J 3:245–269, 2004 [59]) are the two major streams dealing with information security. This chapter focuses on different techniques used for cryptography and steganography. The major emphasis is given on image steganography.
Terrorists are increasingly using suicide attacks to attack different targets. The government finds it challenging to track these attacks since the terrorists have learned from experience to avoid unsecured communications such as social media. Therefore, we propose a new approach that will predict the characteristics of future suicide attacks by analyzing the relationship between past attacks. The proposed approach first identifies relevant features using a graph-based feature selection (GBFS) method, then calculates the relationship between selected features via a new similarity measure capable of handling both categorical and numerical features. The proposed approach was tested using a second terrorism data set; we were able to successfully predict the characteristics of this new testing data set using patterns extracted from the original data set. The results could potentially enable law enforcement agencies to propose reactive strategies.
Terrorism is defined as a premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents, usually intended to influence an audience. There are alternative ways to conceive terrorist typologies or the classification of terrorist groups for analysis and response. Cluster analysis provides a technique for large scale comparisons while maintaining the contextuality and comprehensiveness of individual incidents. There are two critical choices in setting up a cluster analysis: choice of the measure of similarity within the data and choice of the algorithm to determine groupings. The analysis is run on 259 incidents using a Jaccard coefficient as a measure of similarity and an average between groups linkage as the computational algorithm. Ten core clusters have been identified, which were classified under the bombing and the non-bombing clusters. For the former: bombings of a public population where a liberation group takes responsibility; bombings of a public population at a commercial target where groups take responsibility; bombings of a public population at a commercial target by unknown groups; bombings of official population at official targets by unknown groups; and the bombings of foreign populations at military targets where a group takes responsibility. For the latter: gun attacks where a righteous vengeance group takes responsibility; assassination of foreign population with guns by unknown groups; attacks on foreign, official populations in open air targets where groups take responsibility; attacks on official populations at official targets with no deaths where a group takes responsibility; and kidnappings at open-air targets with small casualties and no deaths. Overall, terrorist groups should thus be classified not only on the basis of their motives, nationalities, and religions, but also on the basis of their tactics, destructiveness, and targets.
The presence of the East Turkistan terrorist network in China can be traced back to the rebellions on the BAREN region in Xinjiang in April 1990. This article intends to research the East Turkistan networks in China and offer a panoramic view. The events, terrorists and their relationship are described using matrices. Then social network analysis is adopted to reveal the network type and the network structure characteristics. We also find the crucial terrorist leader. Ultimately, some results show that the East Turkistan network has big hub nodes and small shortest path, and that the network follows a pattern of small world network with hierarchical structure.
Understanding why terrorist attacks succeed and fail is important for homeland security and counterterrorism planning. In examining past terrorist attacks, this understanding is necessary to discern why attackers sometimes are very successful and why sometimes even reasonably well-planned operations fall apart. Discerning ways to make attacks less likely to succeed is a central goal of efforts ranging from homeland security technology development to the direct military engagement of terrorist groups. Given the importance of the issue, many analysts have approached the problem from a variety of different directions. Success and failure in the context of terrorist attacks have been defined in different ways, from the strategic down to the tactical level. Many factors that make contributions to operations going well or poorly have been identified. But in our work focusing on security planning, we have found the results of many of these past analytic efforts difficult to apply. In part, this is because of the tactical focus of such planning, but it is also because of the absence of a unifying framework that brings together the range of factors that can influence the success and failure of terrorist operations in a practical and applicable way. Based on past research examining a variety of terrorist groups and security planning problems, we have developed just such a unifying framework. At the heart of our model lies our contention that the past success or failure of a terrorist operation -- or the likelihood that a future attack will succeed -- can be best understood by thinking about the match or mismatch between three key sets of characteristics: terrorist group capabilities and resource, the requirements of the operation it attempted or is planning to attempt, and the relevance and reliability of security countermeasures.
The identification and interpretation of metabolic biomarkers is a challenging task. In this context, network-based approaches have become increasingly a key technology in systems biology allowing to capture complex interactions in biological systems. In this work, we introduce a novel network-based method to identify highly predictive biomarker candidates for disease. First, we infer two different types of networks: (i) correlation networks, and (ii) a new type of network called ratio networks. Based on these networks, we introduce scores to prioritize features using topological descriptors of the vertices. To evaluate our method we use an example dataset where quantitative targeted MS/MS analysis was applied to a total of 52 blood samples from 22 persons with obesity (BMI >30) and 30 healthy controls. Using our network-based feature selection approach we identified highly discriminating metabolites for obesity (F-score >0.85, accuracy >85%), some of which could be verified by the literature.
This talk will review the emerging research in Terrorism Informatics based on a web mining perspective. Recent progress in the internationally renowned Dark Web project will be reviewed, including: deep/dark web spidering (web sites, forums, Youtube, virtual worlds), web metrics analysis, dark network analysis, web-based authorship analysis, and sentiment and affect analysis for terrorism tracking. In collaboration with selected international terrorism research centers and intelligence agencies, the Dark Web project has generated one of the largest databases in the world about extremist/terrorist-generated Internet contents (web sites, forums, blogs, and multimedia documents). Dark Web research has received significant international press coverage, including: Associated Press, USA Today, The Economist, NSF Press, Washington Post, Fox News, BBC, PBS, Business Week, Discover magazine, WIRED magazine, Government Computing Week, Second German TV (ZDF), Toronto Star, and Arizona Daily Star, among others. For more Dark Web project information, please see: http://ai.eller.arizona.edu/research/terror/ .
Knowledge about the structure and organization of criminal networks is important for both crime investigation and the development of effective strategies to prevent crimes. However, except for network visualization, criminal network analysis remains primarily a manual process. Existing tools do not provide advanced structural analysis techniques that allow extraction of network knowledge from large volumes of criminal-justice data. To help law enforcement and intelligence agencies discover criminal network knowledge efficiently and effectively, in this research we proposed a framework for automated network analysis and visualization. The framework included four stages: network creation, network partition, structural analysis, and network visualization. Based upon it, we have developed a system called CrimeNet Explorer that incorporates several advanced techniques: a concept space approach, hierarchical clustering, social network analysis methods, and multidimensional scaling. Results from controlled experiments involving student subjects demonstrated that our system could achieve higher clustering recall and precision than did untrained subjects when detecting subgroups from criminal networks. Moreover, subjects identified central members and interaction patterns between groups significantly faster with the help of structural analysis functionality than with only visualization functionality. No significant gain in effectiveness was present, however. Our domain experts also reported that they believed CrimeNet Explorer could be very useful in crime investigation.
A decade ago, most research on social networks was abstract and academic. But in the wake of the 11 September 2001 attacks, interest in applying this research to warfare exploded. Many companies are now vying for a piece of the military funding. Academic network scientists are also diving in, competing for lucrative U.S. military contracts and grants. In spite of the boom, there is sharp disagreement about how effective social network analysis has been for counterterrorism. Some worry that in the rush to catch terrorists, the U.S. military has put too much faith in social network analysis. One former U.S. official even claims that applying these methods in war zones has led to unethical practices (see sidebar: http://www.sciencemag.org/cgi/content/full/325/5939/410).