[IEEE 2010 International Conference on Advances in Social Networks Analysis and Mining (ASONAM 2010) - Odense (2010.8.9-2010.8.11)] 2010 International Conference on Advances in Social Networks Analysis and Mining - Notice of Violation of IEEE Publication PrinciplesDetecting New Trends in Terrorist Networks

Download [IEEE 2010 International Conference on Advances in Social Networks Analysis and Mining (ASONAM 2010) - Odense (2010.8.9-2010.8.11)] 2010 International Conference on Advances in Social Networks Analysis and Mining - Notice of Violation of IEEE Publication PrinciplesDetecting New Trends in Terrorist Networks

Post on 08-Dec-2016




3 download


  • Notice of Violation of IEEE Publication Principles

    "Detecting New Trends in Terrorist Networks," by Uffe Kock Wiil, Nasrullah Memon, and Panagiotis Karampelas in the Proceedings of the 2010 International Conference on Advances in Social Networks Analysis and Mining (ASONAM), August 2010, pp.435-440 After careful and considered review of the content and authorship of this paper by a duly constituted expert committee, this paper has been found to be in violation of IEEEs Publication Principles. This paper has copied portions of text from the sources cited below. The lead author, Nasrullah Memon, was found to be solely responsible for the violation. The original text was copied without attribution (including appropriate references to the original author(s) and/or paper title) and without permission. Social Network Analysis and Information Fusion for AntiTerrorism by Pontus Svenson, Per Svensson, and Hugo Tullberg in the Proceedings of the 2006 Conference on Civil and Military Readiness (CIMI), May 2006 and Data Mining: Concepts and Techniques (second edition), by Jiawei Han and Micheline Kamber Morgan Kaufmann, Elsevier, 2006

  • Detecting New Trends in Terrorist NetworksUffe Kock Wiil, Nasrullah Memon, and Panagiotis Karampelas

    The Maersk Mc-Kinney Moller InstituteUniversity of Southern Denmark, 5230 Odense M, Denmark

    email: {ukwiil,memon}@mmmi.sdu.dkInformation Technology

    Hellenic American University, Athens, 10680, Greeceemail: pkarampelas@hau.gr

    AbstractThis paper discusses new trends in terrorist net-works. We investigate a new case study regarding the recentDenmark terror plan and present analysis of the thwarted plot.Analyzing covert networks after an incident is practically easyfor trial purposes. Mapping clandestine networks to thwartedterrorist activities is much more complicated. The networksurrounding the recent Denmark terror plan is studied throughpublicly available information. We are able to map a piece ofthe network centered on David Headley, who recently confessedto have planned a terrorist attack to take place on Danish soil.The map gives us an insight into the organizations and peopleinvolved.

    Index TermsDavid Headley case, open source information,subgroup detection, terrorist network analysis.


    The events of 9/11 instantly changed the perception ofthe words terrorist and network, and the United Statesand other countries rapidly started to gear up to fight a newkind of war against a new kind of enemy. In conventionalwarfare, conducted in specific locations, it is important tounderstand the terrain in which the battles will be fought. Inthe war against terror, there is no specific location. After 9/11,we know that the battleground can be anywhere. It is nowclear that the terrorists power base is not geographic; rather,they operate in networks, with members distributed across theglobe. To fight such an enemy, we need to understand the newterrain: networks - how they are constructed and how theyoperate.Advanced and emerging information technologies like inves-tigative data mining (IDM) offer key assets in confronting asecretive, asymmetric networked enemy. IDM is a powerfultool for intelligence and law enforcement agencies fightingterrorism [1]. IDM is a combination of data mining andsubject-based automated data analysis techniques. Data miningis an approach which uses algorithms to discover predictivepatterns in datasets. Subject-based automated data analysis ap-plies models to data to predict behavior, assess risk, determineassociations, or perform other types of analysis [2].How can we mine terrorist networks? Traditional methods ofmachine learning and data mining, taking a random sample ofhomogeneous objects from a single relation as input, may notbe appropriate. The data comprising terrorist networks tend tobe heterogeneous, multi-relational, and semi-structured. IDMembodies descriptive and predictive modeling. By considering

    links (relationships between the entities), more information ismade available to the mining process. Mathematical methodsused in the research on IDM [1] [2] [3] [4] are clearlyrelevant to intelligence analysis and may provide tools andtechniques to discover terrorist networks in their planningphase and thereby prevent terrorist acts from being carried out.Relevant patterns to investigate include connections betweenactors (meetings, messages), activities of the involved actors(specialized training, purchasing of equipment), and informa-tion gathering (time tables, visiting sites).IDM offers the ability to firstly map a covert cell, and tomeasure the specific structural and interactional criteria of sucha cell. IDM aims to connect the dots between individuals andmap and measure complex, covert, human groups, and orga-nizations. The methods focus on uncovering the patterning ofpeoples interaction, and correctly interpreting these networksto assists in predicting behavior and decision-making withinthe network. IDM borrows techniques from social networkanalysis (SNA) and graph theory for connecting the dots.In IDM a number of variations exist in the literature. Oneis known as link analysis (see for example [5] [6]). Linkanalysis research uses search and probabilistic approaches tofind structural characteristics in the network such as hubs, gate-keepers, pulse-takers [7], or identifying potential relationshipsfor relational data mining. Link analysis alone is insufficient asit looks at one side of the coin and ignores complex nonlinearrelationships that may exist between the attributes. Anotherapproach depends purely on visualization, such as NetMap[8]. Unfortunately, these tools that depend on visualizationalone - despite being useful to provide some insight - areinsufficient and rely on the user to carry out many tedious andtime consuming tasks, many of which could be automated.Uncovering a relationship among or within attributes (connect-ing the dots) is an important step, but in many domains it ismore important to understand how this relationship evolved.Hence, understanding network dynamics and evolution isneeded to complete the picture. Once we understand thedynamics and evolution of these relationships, we can searchfor ways to disconnect the dots if and when needed. Thisbrings about several new tasks [9]: (i) subgroup detection;(ii) object classification; (iii) community detection; (iv) objectdependence; (v) detecting hidden hierarchy; and (vi) under-standing topological characteristics.

    2010 International Conference on Advances in Social Networks Analysis and Mining

    978-0-7695-4138-9/10 $26.00 2010 IEEEDOI 10.1109/ASONAM.2010.73


    2010 International Conference on Advances in Social Networks Analysis and Mining

    978-0-7695-4138-9/10 $26.00 2010 IEEEDOI 10.1109/ASONAM.2010.73


    2010 International Conference on Advances in Social Networks Analysis and Mining

    978-0-7695-4138-9/10 $26.00 2010 IEEEDOI 10.1109/ASONAM.2010.73


  • In this paper, we use IDM techniques to study new trendsregarding the recent Denmark terror plan, in which DavidHeadley recently confessed to conspiring between October2008 and October 2009 with his associates to plan and carryout terrorist attacks, including murder and maiming, againstthe facilities of Jyllands-Posten, a Danish newspaper, and twoof its employees, Editor A and Cartoonist A [10].In Section 2, we briefly present the case study of the recentDenmark terror plan. Section 3 introduces IDM techniques todetect key players. In Section 4, we report and discuss ouranalysis results from the case study. Section 5 concludes thepaper and presents future research directions.


    David Coleman Headley [11], formerly known as DaoodSayed Gilani, (born June 30, 1960) is a Pakistani-Americanbusinessman based in Chicago. He recently confessed toinvolvement with terrorist plots against India and Denmark.David Coleman Headley and Tahawwur Hussain Rana wereaccused by U.S. federal authorities in Chicago, in complaintsunsealed on 27 October 2009, of plotting against the employ-ees of a newspaper in Copenhagen. Headley is accused of trav-eling to Denmark to scout the building of the Jyllands-Postennewspaper, and a nearby Synagogue, for an attack by terrorists[10]. On December 8, 2009, the FBI also accused Headley ofconspiring to bomb targets in Mumbai, India; providing mate-rial support to Lashkar-e-Taiba, a militant Pakistani extremistgroup; and aiding and abetting the murder of U.S. citizens[10]. There are some online data sources containing structuredterrorist information like http://www.trackingthethreat.com/,http://www.globalsecurity.org/ , etc. As we did not find theinformation about the entities present in the David Headleycase from these manually updated online sources, we harvestedthe information [17][20] about the David Headley networkfrom publicly available news and information sources. Theharvested information was combined with the informationpresent in iMiner database [20], prepared from gathering thedata from http://www.trackingthethreat.com/ and the result isshown in Figure 1.The rectangle in Figure 1 shows the main entities under ourinvestigation and connected directly with the David Headleycase. We have applied IDM techniques over the network andapplication of these techniques is discussed in the followingsections.


    In this section, we discuss various techniques to detect thecore members of a terrorist network.

    A. Subgroup/Community Detection

    One of the most common interests in analyzing terroristnetworks is the search for the substructures that may bepresent in the network. Subgroups are subsets of actors amongwhom there are relatively strong, direct, intense, frequent, or

    positive ties. We use a bottom-up approach for the detection ofsubgroups [9]. This approach begins with basic groups, andseeks to see how far this kind of close relationship can beextended. The notion is to build outward from single ties toconstruct the network. The substructures that can be identifiedby bottom-up approaches include cliques, n-cliques, s-cliques,and k-plexes.We discuss each concept briefly [12] [21]:

    A clique is defined as a maximal sub-graph in whichevery member of the graph is connected to every othermember of the graph. Every member is connected to n-1 others and the distance between every pair is 1. Inpractice, complete cliques are not very useful. They tendto overlap heavily and are limited in their size.

    An n-clique is a sub-graph in which every person isconnected by a path of length n or less.

    A group is an s-clique, if it has local maximal SMI(Segregation Matrix Index). That a group G has localmaximal SMI means that no other group has a higherSMI value. In addition, no other group has the same SMIvalue with one more element or one less element than G.

    A k-plex is a sub-graph in which every person is con-nected to at least n-k other people in the graph (recall ina clique everyone is connected to n-1, so this relaxes thatcondition) [12].

    In addition, we have used the most popular CNM algorithm(which discovers clear communities in the network) introducedby Clauset, Newman and Moore which maximizes modularitywith greedy approach [13]. The CNM algorithm runs fatserthan any of the other alogrithms. It runs in O(md log n)time, for a network with n vertices and m edges, where d isthe depth of the dendrogram. Beside community structure andsubgroup detection, the other important aspect in the terroristnetwork analysis is to classify nodes with different roles withincommunity or even in whole network.

    B. Object Classification

    In traditional classification methods, objects are classifiedon the attributes that describe them. A particular importantchallenge is to classify in a large network those individualswho play key roles - such as leaders, facilitators,communications go betweens, and so on. To understand thecalculations used to single out the core members in a network,we need to discuss some measures of object classification[10], [14]:

    Degree. A basic measure of SNA that turns out to beimportant in IDM is the degree of a node - that is, thenumber of other nodes directly connected to it by edges.In a graph (network) describing a terrorist network, nodesof high degree represent well connected people, oftenleaders.

    Closeness. This measure indicates for each node howclose it is to other nodes in a graph. Analysts consider thismeasure a good indication of how rapidly information canspread through a network from one node to others. This


  • Fig. 1. The David Headley terrorist network.

    measure relates to the closeness or the distance betweennodes. A core member (central actor) can reach otheractors through a minimum number of intermediary po-sitions and is therefore dependent on fewer intermediarypositions than a peripheral actor.

    Betweenness. The measure gives each node a scorethat reflects its role as a stepping-stone along geodesic(shortest) paths between other pairs of nodes. The ideais that if a geodesic path from node A to node B (theremay be more than one) goes through node C, then nodeC gains potential importance. Such nodes - or the peoplethat they represent in a terrorist network - can haveimportant roles in providing connections (for example,facilitating communications) between sets of nodes thatotherwise have few other connections, or perhaps no otherconnections. This measure explores an actors ability(say for example, node C) to be irreplaceable in thecommunication of two random actors (say for example,nodes A and B). It is of particular interest in the studyof destabilizing terrorists by network attacks, because atany given time the removal of maximum betweennessactor seems to cause maximum damage in terms ofconnectivity and average distance in a network.

    We used both object classification and subgroup/communitydetection techniques in the analysis to deduct the realistic

    results. The application of the theory is presented in the nextsection.


    We have collected information about the network usingthe iMiner harvesting facility [9] and developed a networkas shown in Figure 1. The network has some interestingcharacteristics, if weighted against different SNA measures.By identifying the cohesive parts of the network with differentalgorithms, it has been found that David Headley is the mostimportant node (Figure 1) followed by Kashmiri and Rana.The degree, closeness, and betweenness of the different nodesas shown in Figure 1 are also in agreement with the importanceof these nodes as shown in Figure 2.The different clique based and k-plex sub-graph detection al-gorithms also reveal the same results regarding the importanceof different nodes. The number of sub graphs containing DavidHeadley is the highest as shown Figure 3.David Headley is the most irreplaceable node of the network(as shown in Figure 3), since its absence makes the maximumof sub-graphs incomplete. This may be due to the fact thatHeadley is the most socialize...


View more >