The Scientific World Journal

Volume 2014 (2014), Article ID 615431, 13 pages

http://dx.doi.org/10.1155/2014/615431

## Covert Network Analysis for Key Player Detection and Event Prediction Using a Hybrid Classifier

Department of Computer Engineering, College of Electrical and Mechanical Engineering, National University of Sciences and Technology, Islamabad 44000, Pakistan

Received 2 April 2014; Revised 20 June 2014; Accepted 25 June 2014; Published 20 July 2014

Academic Editor: Christian Baumgartner

Copyright © 2014 Wasi Haider Butt et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

National security has gained vital importance due to increasing number of suspicious and terrorist events across the globe. Use of different subfields of information technology has also gained much attraction of researchers and practitioners to design systems which can detect main members which are actually responsible for such kind of events. In this paper, we present a novel method to predict key players from a covert network by applying a hybrid framework. The proposed system calculates certain centrality measures for each node in the network and then applies novel hybrid classifier for detection of key players. Our system also applies anomaly detection to predict any terrorist activity in order to help law enforcement agencies to destabilize the involved network. As a proof of concept, the proposed framework has been implemented and tested using different case studies including two publicly available datasets and one local network.

#### 1. Introduction

From the data published in electronic and print media, it can be clearly concluded that all terrorist events are done by organized terrorist organizations [1]. Members of such organizations cannot operate in isolation and they interact and collaborate with one another in order to coordinate such unlawful events. Law enforcement agencies have information of such members, their affiliations, and communication and other activities of such organizations which are under observation. Krebs introduced “prevention or prosecution” [1]. According to him, the existing methods focus more on prosecution which is of course after the event has occurred. Although there exist very efficient social network analysis (SNA) measures which can be used to find the key players of the identified network, which can be removed to destabilize the network, the thing which lacks is the alarm of the exact time at which those key players should be removed in order to prevent the event.

A social network is a social arrangement made up of a set of social actors such as individuals or organizations and a complex set of the dyadic ties between these actors. The social network perspective provides a clear way of analyzing the structure of whole social entities [2]. SNA is a mathematical method for “connecting the dots,” that is, to analyze nodes and their relationships. SNA allows us to map and measure complex, sometimes covert, human groups and organizations [3]. SNA has been applied in a number of applications in order to explore several interesting features of different sort of social networks especially with the advancement in information and communication technology and availability of social networks in electronic forms.

An important area in SNA is the key player detection. Key player is defined as the most important node in a social network. Centrality is a key theory in the study of social networks in order to study organizational and team behavior. Central individuals control information flow and decision making within a network [4].

Along with key player detection, outlier detection is also important to predict any abnormal activity. Outlier detection deals with detection of patterns from data which do not match expected normal behavior. These anomalous patterns are often known as outliers, anomalies, discordant observations, and so forth in different application domains. Outlier detection is a well-researched area having an immense use in a wide range of applications like fraud detection, insurance, intrusion detection in cyber security, fault detection in security critical systems, military surveillance for enemy activities, and so on.

The paper consists of five sections. Section 2 describes the existing frameworks related to our proposed one. It also highlights the main contributions which we have made in this field. The detailed explanation of proposed system is given in Section 3. Section 4 shows the results which are performed to check the validity of proposed method using different networks followed by conclusion and discussion in the last section.

#### 2. Related Work

A number of methods for SNA and outlier detection have been proposed. SNA as discussed earlier has been widely used in analyzing social structures. Social structures consist of actors and their relations or interactions. A social structure can be represented in the form of a graph consisting of vertices and edges where each vertex represents a social actor and every edge represents a relationship between two vertices. SNA helps in analyzing and understanding the structural importance of each actor in a network analyzing its relations and their impact throughout the network.

The structural importance of an actor in a network is measured using the centrality. A node is structurally more important to a network if it is relatively more central in a network. Various centrality measures are found in the literature, designed from different perspectives of a network. The most famous are highlighted here. The simplest centrality measure is degree centrality (DC). It uses the number of direct contacts of a node as a pointer of the quality of interconnectedness [4]. Using the adjacency matrix , it can be formalized as follows:

Here, is the degree centrality of node in a social network.

For weighted graphs, a variation of DC has been presented by Memon [5]. According to author, for weighted networks, the simplest extension of degree is node strength [6, 7], which is the sum of weights of node’s direct ties. Consider where WDC is weighted degree centrality and is the weighted adjacency matrix. The cell is greater than 0 if the node is connected to node and its value represents the weight of the tie.

Another centrality measure based on the idea that nodes with a short distance to other nodes can disseminate information productively through the network is known as closeness centrality (CC) [8]. To calculate the CC of a node , the distances between the node and all other nodes of the network are added [9]. By using the inverse value, we achieve that the value of the CC increases when dropping the distance to another node, that is, when improving the integration into network. Formally CC is given by [10]. One has

As (3) depicts, the reduction of the distance to at least one other node when adding an additional relationship leads to a smaller value of the denominator in formula, hence increasing the overall values of the measure.

Using betweenness centrality (BC), a node in a network is measured to be well connected if it is positioned on as many of the shortest paths between pairs of other nodes. The fundamental supposition of this centrality measure is that the interaction between two indirectly connected nodes and depends on the nodes between and . The formulation of BC is given by Freeman as [10] where is the number of shortest paths between node and node and is the number of shortest paths between node and node that pass through node .

An idea that a connection to a more interconnected node has more impact on the own centrality to a greater extent than a connection to a less well-interconnected node laid foundation of eigenvector centrality (EC). For a node , the EC is therefore given as [11] with referring to an eigenvector for the maximum eigenvalue of the adjacency matrix .

The other field as discussed earlier which is used in the proposed framework is outlier detection to predict any terrorist event. Outlier detection is very important because of the fact that outliers in the data point to something important that cannot be ignored. For example if extra ordinary traffic pattern is observed in a computer network, which obviously is an outlier, could indicate that a hacked computer is there in the network which may be sending important secret data outside the network. Such indication towards an event is possible due to outlier detection. Similarly, outlier transactions in credit card data could indicate that the card has been misused.

Some major causes of existence of outliers include [12] malicious activity: any activity that is exceptional and anomalous in a system, for example, credit card or telecom fraud, cyber intrusion, a terrorist activity, and instrument error. Some outliers may occur due to fault in components of measuring machines, environment change such as climate change, new buying pattern among consumers, mutation in genes, human error, data reporting error, and so forth.

Keeping in view the existing systems, we present a novel framework with two major contributions which are key player detection and prediction of any suspicious activity. All of the above centrality measures are important and provide valid information from different perspectives; so, selection among these can be a tough decision. To get full benefit and utilize strength of all of these, the proposed framework contains a classification based system of centrality to detect the key players using all of the above described measures. Secondly, the proposed model uses the idea of outliers which are created in the communication patterns of identified terrorist networks that something is likely to happen.

#### 3. Proposed Model

The proposed model is based on the two contributions discussed earlier. So, aim of the model is to achieve two main objectives; the first is to find the key players of the terrorist networks which already have been detected and the second is to continuously monitor the activities of such groups with the aim to alarm the situations when the probability of a terrorist event is high. Figure 1 shows the flow diagram of proposed model.

As mentioned earlier, the model consists of two major components; the first component is the key player detector which uses centrality measures and a hybrid classifier to detect all possible key players from the network. Once key players are detected, the data stream collected from different databases related to the actions that become the relationships of the network are monitored on time series in the second component of the model “anomaly detector” which has outlier detection in its core in order to predict terrorist activities. When an anomaly is detected that can be an indication of a severe terrorist activity like a suicide bomb attack or anything else, key players detected by the first component of the model can be eliminated by law enforcement agencies in order to destabilize the network and to prevent the event.

##### 3.1. Data Preprocessing

The first step before applying proposed key player detection is data preprocessing. The purpose of this step is to clean the data in order to facilitate further steps. Data preprocessing consists of(i)redundant feature removal,(ii)removal of duplicate entries,(iii)handling missing values.

First step uses two rank sum tests, that is, Wilcoxon rank-sum and Ansari-Bradley tests. Wilcoxon rank-sum test is a nonparametric test of the null hypothesis that two populations are the same against an alternative hypothesis that the two distributions differ only with respect to the median. It has higher efficiency on nonnormal distributions such as a mixture of normal distributions [13]. Ansari-Bradley test compares two independent samples which come from the same distribution against the alternative that they come from the same distributions having the same median and shape but different variances [14]. Preprocessing step also checks for duplicate entries and removes all such entries to avoid redundancy. The last step in preprocessing is to handle missing values in the data. The preprocessing technique identifies the missing feature values and then they are replaced by the mean value for that feature. This procedure is performed for those attributes where values are missing in less than 50% of the instances. If the number of instances with missing values is more than or equal to 50%, the particular attribute is rejected and not used further. Figure 2 shows the flow diagram of data preprocessing to handle any kind of data redundancies.

##### 3.2. Key Player Detection

Key player detection is an important step while analyzing covert networks. The proposed framework for key player detection consists of centrality measures for each node followed by hybrid classifier for accurate detection of key players. The four centrality measures which we have included in our proposed model are degree centrality (DC), betweenness centrality (BC), closeness centrality (CC), and eigenvector centrality (EC) which are given in (1), (4), (3), and (5), respectively. Figure 3 shows the flow diagram of proposed model for key player detection.

Key players normally appear as most central nodes in any network; so, they have significant values of centrality measures. If a covert network contains nodes, then the set representation for that network is . Here, represents th node in given network. For an automated system to analyze each node as key player or normal player, a feature set is formed for each node. Each node is considered as sample for classification and represented by a feature vector containing four features; that is, for a sample node from a network , the feature vector is .

Once all nodes are represented by feature vectors, next phase is to classify them as key player or normal member. A new hybrid classifier as an ensemble of -nearest neighbors (kNN), Gaussian mixture model (GMM), and support vector machine (SVM) is proposed here for accurate detection of key players. The purpose of using these three classifiers is to accurately model the distribution of data and to find accurate decision boundary by using the strengths of all three classifiers. kNN has simple implementation and gives good results whenever samples of same class exist as closest neighbors. GMM is famous due to the capability of accurately representing the data distribution and it caters for overlapping patterns where modeling of distribution gives a good clue. SVM caters for the data which is well separable by a decision boundary and has good classification and rapid training phase.

###### 3.2.1. -Nearest Neighbors (kNN)

kNN is the most simple and fundamental classifier used for supervised classification [15]. It is a kind of voting based classifier which finds -nearest samples from complete dataset based on some distance calculation between training and test samples. Let be a feature vector for th node with features ; let be the total number of nodes and let be the total number of features . The Euclidean distance between nodes and where is defined as

Now, depending upon the value of , we choose closest samples and assign the majority class to unknown node.

###### 3.2.2. Gaussian Mixture Model (GMM)

To implement GMM, we use a two-class Bayesian classifier using Gaussian functions [16]. Bayes decision rule is stated as [17] where is the class conditional probability density function (pdf) also known as likelihood and is the prior probability of class which is calculated as the ratio of class samples in the training set. The class conditional pdf of the feature vector for different classes is computed using multivariate Gaussian pdf [17] as follows: where and are feature vector containing number of features and mean vector containing mean of each feature, respectively. is a covariance matrix. In our case, . We model the class conditional pdf’s as linear combination of weighted Gaussian functions to represent the likelihood of a GMM using (9) as follows: where is the number of Gaussian mixtures used for Bayesian classification, is an -dimensional Gaussian distribution of weight , and are the two classes used in proposed system. Equations (8) and (9) show the likelihoods for a single Gaussian distribution and GMM, respectively.

The parameters for GMM are optimized using expectation maximization (EM) which is an iterative method and it chooses optimal parameters by finding the local maximum value of GMM distributions for training data. The EM starts with initial values of parameters () and weight for each Gaussian. In estimation step, EM computes the probability () of each point for each Gaussian using (10). One has

Here, represents the probability that th candidate region is generated from th Gaussian. We do this for all Gaussians and candidate regions. The second step is the maximization of likelihood by changing the parameters. The mean, covariance matrix, and weight for th Gaussian are updated using estimated probabilities and are given in (11), (12), and (13), respectively, as follows: where and are the total number of nodes.

###### 3.2.3. Support Vector Machine (SVM)

SVM is used as third classifier in proposed framework for key player detection. The original algorithm of SVM separates different regions from each other with maximum margin by using a separating hyperplane if the classes are linearly separable. Due to close relevance of nodes, the proposed features make a nonlinear hyperplane for which SVM is applied along with kernel function based on radial basis function (RBF). To implement SVM along with RBF, we have applied least squares SVM using LS-SVM toolbox [18]. In LS-SVM, the multiclass solution is found by solving a system of linear equations instead of original quadratic programming.

###### 3.2.4. Hybrid Classifier (HC)

For hybrid classifier, we combine kNN, GMM, and SVM classifiers using a weighted probabilistic ensemble. The classification of node using probabilistic classification prediction, based on measure of evidence from different classifiers, is performed as where is the probability of given a sample node using classifier and is the weight associated with the probabilistic prediction of class . Figure 4 shows the proposed ensemble framework for hybrid classifier.

*Learning Optimized Weights Using Genetic Algorithm.* The proposed ensemble framework given in (14) consists of a feature vector . These weights are optimized using genetic algorithm. The modeling of weights consists of two phases, that is, separation of confused samples and learning of optimized weights. In first phase, the algorithm separates out all confusing samples from complete training data. Confusing samples are those samples for which all three classifiers (kNN, GMM, and SVM) give different decisions and only these samples are used to optimize the weights for each classifier. This selection of confusing samples reduces the time for genetic algorithm in finding optimized weights. The second phase applies genetic algorithm for learning of optimal weights.

The parameters of genetic algorithm such as definition of population, size of population, rules for crossover and mutation, and objective function are defined as follows.

*(i) Population.* Each chromosome consists of a weight vector of three members which are weights for each classifier. All weight vectors are normalized to have a sum equal to 1.

*(ii) Population Size.* The initial population consists of 20 normalized weight vectors in which 16 are generated randomly and the remaining four are , , , and . Last four weight vectors are added to give maximum and equal confidence to all classifiers.

*(iii) Crossover.* Single point uniform crossover is used during learning. Crossover point is after first weight element which means that two selected chromosomes interchange their weights for GMM and SVM classifiers. The selection of chromosomes for crossover is performed based on objective function value. Worst 10 chromosomes out of population of 20 are selected for crossover.

*(iv) Mutation.* The mutation probability of 0% is used for mutation which means that no change is made in offsprings after crossover.

*(v) Objective Function.* The classification accuracy corresponding to a specific weight vector is taken as objective function as defined in (14) and we want to maximize this function.

The iterative learning is performed until there is no improvement in classification accuracy given in (14) for ten consecutive iterations or the algorithm reaches to maximum iteration which is set equal to 100.

##### 3.3. Anomaly Detector

The second major component of the proposed model is the anomaly detector which has time series and outlier detection in its core. The motivation for this component is the concept of “prevention and prosecution” in combating terrorism. The intent is to continuously monitor the interactions between members of the terrorist group and to search for the outlier data depicting an extraordinary sort of activities pointing something is going to happen just like intrusion detection which is also an application of outlier detection.

The process of detecting anomalous observations from data is anomaly detection. In data, anomaly can arise due to different reasons like mechanical faults, other changes in the underlying system, fraudulent behavior, or any type of error. Generally, anomalous observations are more interesting because they can indicate a situation that needs to be dealt with. Same is in our scenario, where anomalous behavior of terrorist activists can be indicating a near future terrorist activity. As discussed earlier, anomaly detection is a widely researched area typically applied to various fields in order to detect any anomalous behavior like intrusion detection, fraud detection, and so on. Outlier detection has never been applied to predict a terrorist event monitoring terrorist activities data on a time series. So, the idea is novel which is proposed as second contribution in this paper.

The basic idea of anomaly detector is to detect anomalous activities of terrorist groups monitoring routine activities over a timeline and predict event whenever an outlier occurs. Suppose we have seven different databases which are integrated and which record the logs of activities of these members. An activity can be any action in which one actor performs an action on another actor or actors. For example, if a node “” sends an SMS to node “,” it will be recorded as activity in the SMS log database; actors are nodes “” and “” and the weight of activity is one because of single SMS. Similarly, if a node “” sends an email to multiple nodes, the activity will be recorded in the email database as an activity and the weight of this activity will be equal to the total number of emails, that is, the total number of nodes receiving that email; say for example, if the email was sent to five nodes, the weight of overall activity will be equal to five. With these entire activities, time stamp will also be logged in the database in order to model activities on the timeline. At any instance of time, the overall weight of a terrorist group is proposed to be equal to sum of all the activities done by any member at that time. For example, if in our case we are considering SMS (), telephonic conversation (TC), email (), bank transfer (BT) of an extraordinary amount, and change of location (), the aggregate weight of activities on any time instance will be equal to sum of numbers of all SMS sent at that time + sum of numbers of all emails exchanged at that time + sum of numbers of telephonic conversations + sum of numbers of bank transfers made + sum of numbers of change of locations as given in (15):

So, after taking aggregate sum of numbers of all the activities done at a time instance, the activities are modeled over a timeline. The next step is the continuous monitoring of the timeline in order to detect any outliers which can be an indication of a possible threat. The working of proposed anomaly detector consists of the following steps.

###### 3.3.1. Data Logging

All the activities of detected terrorist groups are logged in the corresponding datasets. Following is the glimpse of the sample databases used.

The data shown in all the databases depicts the activities performed at one time stamp. One time stamp can be any time interval, maybe an hour or a day.

###### 3.3.2. Integration

Data from all the sources is integrated into one central data warehouse that is used for central integrated information retrieval purpose.

###### 3.3.3. Aggregation

Aggregated summary of all the activities done on different time intervals is monitored on a time series. The input data is fetched from the central data warehouse. In the data shown in Tables 1, 2, 3, 4, and 5, the magnitude of activities generated by different nodes of a terrorist group on time stamp 1 is equal to 15 because, at this time, 3 SMS have been transferred, 3 emails have been transported, 3 bank transfers have been made, 3 telephonic conversations have been done, and 3 nodes have changed their locations; so, the aggregate sum is equal to 15.

The decision that this 15 is a normal or an outlier data object is made with the help of outlier detection. However, this is worth mentioning here that if 15 is a normal value, which is representing during one hour (we have taken time stamp equal to one hour), this terrorist group makes 3 SMS, 3 telephonic calls, 3 bank transfers, 3 emails, and 3 travels or may be near these values. This normal value shows that the group is in passive mode. Passive mode can be the preparation or planning phase of a terrorist group during which they may be preparing for an attack or may be making future strategy but if this value is an outlier, that is, if the number of activities performed during one hour is abnormal, the group may be going to carry out a terrorist attack; so, the law enforcement agencies should immediately eliminate the key players that key player detection component of the proposed model has already pointed out.

In the graph shown in Figure 5, -axis shows the time stamps, while magnitude of activities done by members of a group is shown along -axis. Apparently, the activities done at time intervals 7 and 22 can be possible outliers indicating an indication of a terrorist attack but may be a false alarm.

Nearest neighbor analysis is a very well-known concept in which an object is analyzed with respect to its neighbors. For outlier detection in the proposed model, nearest neighbor analysis is proposed to be used to analyze the activities magnitude over time series because of its simplicity and because of its suitability for the data upon which we want to apply it to detect outliers. Nearest neighbor based outlier detection has the key advantage of being purely data driven.

As stated earlier, in nearest neighbor based outlier detection, the base assumption is that normal objects have many closely located neighbors, while outliers are located in a comparatively low dense region which is normally far from normal regions. As Figure 6 indicates, and are two data clusters in which all the data objects are closely located indicating that all are normal data instances, while points and are located in rare regions clearly depicting that they are outlier instances.

Nearest neighbor outlier detection techniques comprise of two steps; the first step is to compute neighborhood of each data object using a distance or a similarity measure defined between two data objects and then, in the second step, the neighborhood is analyzed to decide whether a data object is normal or outlier. Outlier detection techniques that fall under category of nearest neighbor operate using a distance or similarity measure which is defined between two data objects. There are different ways of computing distance or similarity between two data objects. Choice depends on the nature of data as follows.(i)Euclidean distance is mostly used for continuous data attributes but other measures can also be used [19].(ii)Generally, a simple matching coefficient is used for data objects having categorical attributes. Some complex distance measures are also defined in [20, 21].(iii)Normally, distance or similarity is calculated for each attribute and then combined for multivariate data, that is, data with multiple attributes.

Broadly, nearest neighbor based techniques can be divided into two categories based on how they calculate the outlier score. The first category is “distance to th nearest neighbor based.” In these techniques, distance of a data object to th neighbor is calculated and is used as its outlier score. The second category is “relative density based.” In techniques belonging to this category, relative density of each data object is computed to get its outlier score. Choice depends on nature of data or any other priority. Distance based outlier score calculation is used in the proposed model. From neighborhood perspective, there are three well-known definitions of outliers as follows.(1)The data objects in a dataset have fewer than neighbors where a neighbor is a data object that is within a distant [22].(2)Data objects are the objects presenting the highest distance values to their respective th nearest neighbor [23].(3)Outliers are the data objects in a dataset that present the highest average distance to their respective -nearest neighbors [15].

The basic form of a -nearest neighbor outlier detection is known as simple nested loops (SNL) algorithm which has worst case complexity . Algorithm 1 shows the outlier algorithm which we have used in our proposed system.

*Note. * returns the maximum distance between and an element in set . returns the -nearest elements in to . returns the top outliers in based on the distance to their th nearest neighbor. returns the distance between the weakest outlier in and its th nearest neighbor.

#### 4. Experimentation and Results

##### 4.1. Material

An open source software NodeXL which plugs in with Microsoft excel is used for testing of key player detection. For proper evaluation of proposed framework, we have used three case studies. The nodes in all three networks are labeled as key players and normal members. Table 6 shows the network specification for all three case studies on which the proposed system is evaluated.

###### 4.1.1. Case Study-I

The first case study is taken from [24] titled as Noordin Muhammad network. This subset of the Noordin Top Terrorist Network was drawn primarily from “Terrorism in Indonesia: Noordin’s Networks,” a 2006 publication of the International Crisis Group. It includes relational data on the 79 individuals listed in Appendix of that publication. The data were initially coded by Naval Postgraduate School students as part of the course “Tracking and Disrupting Dark Networks” under the direction of Professor Sean Everton, Codirector of the CORE Lab, and Professor Nancy Roberts. CORE Lab Research Associate Dan Cunningham also reviewed and helped clean the data. Figure 7 shows network generated in NodeXL for Noordin’s network.

###### 4.1.2. Case Study-II

The dataset for second case study was first compiled by Krebs [1] consisting the tragic September 11 attackers network. The overall network consisted of 62 nodes and 150 edges containing all the attackers and their helpers who helped or coordinated in any way to organize the attacks. Muhammad Atta was the leader as confirmed by Ossama Bin Laden in a video tape [1]. The actual 19 hijackers who got crashed are labeled. They are considered important because they are the actual implementers of the attack. Figure 8 shows network generated in NodeXL for September 11 attackers network.

###### 4.1.3. Case Study-III

This dataset consists of real data that has been created by IT department of our institute during detection and capturing of a hackers group who were intruding in our institute’s management information system. The network present in the dataset was created when a hacker was traced on a complaint; all his connections were traced from his communication links and his In/Out data log. The network consists of 30 nodes and 114 edges. Figure 9 shows network generated in NodeXL for cyber attackers network.

##### 4.2. Results

The detailed quantitative and comparative analysis of proposed system is performed in this section. The performance of proposed system is measured using sensitivity (sen), specificity (spec), accuracy (acc), and area under receiver operating characteristics (ROC) curves (AUC) as figures of merit. Sensitivity is true positive rate and specificity is true negative rate. These parameters are calculated using (16), (17), and (18), respectively, as follows: where(i) are true positive mean numbers of key players which are identified correctly;(ii) are true negative mean numbers of normal members of network which are identified correctly;(iii) are false positive mean numbers of normal members of network which are wrongly identified as key players;(iv) are false negative mean numbers of key players which are wrongly identified as normal members of network.

The modeling of classifiers has been done using randomly selected 70% of data as training and remaining 30% data as testing. The experiments are repeated 10 times and their average results are given. Table 7 shows the results of proposed framework for key player detection on all three networks given in case studies.

The statistical analysis of proposed system is done with the help of ROC curves which are plots of sensitivity versus 1-specificity. This analysis is done for performance evaluation of proposed hybrid classifier (HC). Figure 10 shows the averaged ROC curves for all three case studies.

The proposed hybrid classifier is compared with individual kNN, GMM, and SVM classifiers. The hybrid classifier is also compared with the existing well-established classifier ensemble methods such as AdaBoost [25], bagging [26], and random subspace methods (RSM) [27]. Table 8 shows the comparison of all these in terms of accuracy for key player detection.

Table 9 shows the comparison of proposed hybrid classifier with existing state of the art classifiers such as multilayer perceptron (MLP), Bayes classifier, and logistic regression.

The third case study which is based on the local network is also used to evaluate anomaly detection component of proposed system. A campus In/Out system was used to monitor the In/Out activities of the group members. Applying the proposed outlier detection strategy, the group was captured right at the moment when they were ready to attack. Set of attributes consisting of the hour of day of in and out times was extracted from the dataset and outlier detection was applied. Results of only main key player are presented in Table 10 because of convenience as other individuals’ outliers also appeared at the same time.

The points at which algorithm marked outliers are the points where there was a potential attack on the system. Out of three outliers detected in the log, that is, at S. numbers 4, 38, and 41, 4 and 38 were false alarms, while the group was captured on 41 where other correlations also identified as potential threat.

#### 5. Conclusion and Detection

National security has attracted a number of researchers due to tragic events of terrorism across the globe especially from the field of information and communication technologies. This is because of the fact that, in order to carry out terrorist events, very extensive collaboration between terrorists can be observed including use of latest communication technologies. This opens antiterrorist activities research on the data collected from detected suspicious individuals.

Application of social network analysis has also become a very active area of research due to the above mentioned fact. In this paper, we have proposed a new framework for combating terrorism which consists of key player detection part which is from social network analysis and an event predictor part which has its base from outlier detection. For key player detection, in order to utilize existing most effective measures of key player detection, a novel hybrid classifier based system has been proposed which detected key players from given data. The second and important contribution is the prediction of any suspicious activity by monitoring the data of any network and identifying something abnormal by using time series analysis along with nearest neighbor analysis.

The proposed framework has been tested using three case studies and number of statistical measures. The results taken clearly prove the validity and correctness of proposed framework. A new study from actual local event is taken and proposed system is tested on that as well. Along with proposed framework for key player detection, we have also tested a voting based method which takes care of all four centrality measures to detect the top key players of the terrorist network. Here, is equal to the total number of key players present in a network which is under study. A node is considered as key player of three out of four centrality measures declared it as key player. This idea detected key players with accuracies of and 79%, 65%, and 83.33% for all three case studies, respectively. The proposed framework achieved accuracies of 91.52%, 88.73, and 95.91% for the same case studies, respectively. The results showed the validity of our framework and it can be used for detection of key players for any suspicious network along with detection of any abnormal activity.

#### Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

#### References

- V. E. Krebs, “Uncloaking terrorist networks,”
*First Monday*, vol. 7, no. 4, 2002. View at Google Scholar · View at Scopus - S. Wasserman and K. Faust, “Social network analysis in the social and behavioral sciences,” in
*Social Network Analysis: Methods and Applications*, pp. 1–27, Cambridge University Press, 1994. View at Google Scholar - V. Krebs, Connecting the Dots—Tracking Two Identified Terrorists, 2002.
- J. Nieminen, “On the centrality in a graph,”
*Scandinavian Journal of Psychology*, vol. 15, no. 1, pp. 332–336, 1974. View at Publisher · View at Google Scholar · View at Scopus - B. R. Memon, “Identifying important nodes in weighted covert networks using generalized centrality measures,” in
*Proceedings of the European Intelligence and Security Informatics Conference (EISIC ’12)*, pp. 131–140, Odense, Denmark, August 2012. View at Publisher · View at Google Scholar · View at Scopus - A. Barrat, M. Barthélemy, R. Pastor-Satorras, and A. Vespignani, “The architecture of complex weighted networks,”
*Proceedings of the National Academy of Sciences of the United States of America*, vol. 101, no. 11, pp. 3747–3752, 2004. View at Publisher · View at Google Scholar · View at Scopus - S. Yang and D. Knoke, “Optimal connections: Strength and distance in valued graphs,”
*Social Networks*, vol. 23, no. 4, pp. 285–295, 2001. View at Publisher · View at Google Scholar · View at Scopus - M. A. Beauchamp, “An improved index of centrality,”
*Behavioral Science*, vol. 10, pp. 161–163, 1965. View at Publisher · View at Google Scholar · View at Scopus - G. Sabidussi, “The centrality index of a graph,”
*Psychometrika. A Journal Devoted to the Development of Psychology as a Quantitative Rational Science*, vol. 31, pp. 581–603, 1966. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet · View at Scopus - L. C. Freeman, “Centrality in social networks conceptual clarification,”
*Social Networks*, vol. 1, no. 3, pp. 215–239, 1978-1979. View at Publisher · View at Google Scholar · View at Scopus - P. Bonacich and P. Lloyd, “Eigenvector-like measures of centrality for asymmetric relations,”
*Social Networks*, vol. 23, no. 3, pp. 191–201, 2001. View at Publisher · View at Google Scholar · View at Scopus - V. Chandola, A. Banerjee, and V. Kumar,
*Outlier Detection: A Survey*, 2007. - P. A. Pappas and V. DePuy, “An Overview of Non-parametric Tests in SAS: When, Why, and How”.
- A. R. Ansari and R. A. Bradley, “Rank-sum tests for dispersions,”
*The Annals of Mathematical Statistics*, vol. 31, no. 4, pp. 1174–1189, 1960. View at Google Scholar - T. M. Cover and P. E. Hart, “Nearest neighbor pattern classification,”
*IEEE Transactions on Information Theory*, vol. 13, no. 1, pp. 21–27, 1967. View at Google Scholar - S. Theodoridis and K. Koutroumbas,
*Pattern Recognition*, Academic, Burlington, Mass, USA, 1st edition, 1999. - R. O. Duda, P. E. Hart, and D. G. Stork,
*Pattern Classification*, Wiley-Interscience, New York, NY, USA, 2nd edition, 2001. View at MathSciNet - Least squares support vector machine, http://www.esat.kuleuven.be/sista/lssvmlab/.
- P.-N. Tan, M. Steinbach, and V. Kumar,
*Introduction to Data Mining*, Addison-Wesley, 2005. - S. Boriah, V. Chandola, and V. Kumar, “Similarity measures for categorical data: a comparative evaluation,” in
*Proceedings of the 8th SIAM International Conference on Data Mining*, pp. 243–254, 2008. - V. Chandola, E. Eilertson, L. Ertoz, G. Simon, and V. Kumar, “Data mining for cyber security,” in
*Data Warehousing and Data Mining Techniques for Computer Security*, A. Singhal, Ed., Springer, 2006. View at Google Scholar - E. M. Knorr and R. T. Ng, “Finding intensional knowledge of distance based outliers,” in
*Proceedings of the 25th International Conference on Very Large Data Bases (VLDB '99)*, pp. 211–222, Morgan, San Francisco, Calif, USA, 1999. - S. Ramaswamy, R. Rastogi, and K. Shim, “Efficient algorithms for mining outliers from large data sets,” in
*Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD ’00)*, pp. 427–438, ACM Press, NewYork, NY, USA, 2000. View at Publisher · View at Google Scholar - N. Roberts and S. F. Everton, Roberts and Everton Terrorist Data: Noordin Top Terrorist Network (Subset), Machine-readable data file.
- Y. Freund and R. E. Schapire, “A desicion-theoretic generalization of on-line learning and an application to boosting,”
*Journal of Computer and System Sciences*, vol. 55, no. 1, pp. 119–139, 1995. View at Google Scholar - L. Breiman, “Bagging predictors,”
*Machine Learning*, vol. 24, no. 2, pp. 123–140, 1996. View at Google Scholar - R. Bryll, R. Gutierrez-Osuna, and F. Quek, “Attribute bagging: improving accuracy of classifier ensembles by using random feature subsets,”
*Pattern Recognition*, vol. 36, no. 6, pp. 1291–1302, 2003. View at Publisher · View at Google Scholar · View at Scopus