Unauthorized Terror Attack Tracking Using Web Usage Mining
Terrorist groups use the Web as their infrastructure for various purposes. One example is the forming of new local cells that may later become active and perform acts of terror. The Terror Tracking using Web Usage Mining (TTUM) is aimed at tracking down online access to abnormal content, which may include terrorist-generated sites, by analyzing the content of information accessed by Web users. TTUM operates in two modes: the training mode and the detection mode. In the training mode, TTUM determines the typical interests of a prespecified group of users by processing the Web pages accessed by these users over time. In the detection mode, TTUM performs real-time monitoring of the Web traffic generated by the monitored group, analyzes the content of the accessed Web pages, and issues an alarm if the accessed information is not within the typical interests of that group and is similar to the terrorist interests. An experimental version of TTUM was implemented and evaluated in a local network environment. An innovative knowledge-based methodology for terrorist tracking that uses Web traffic content as the audit information is presented. The proposed methodology learns the typical behavior ('profile') of terrorists by applying a data mining algorithm to the textual content of terror-related Web sites. The resulting profile is used by the system to perform real-time detection of users suspected of being engaged in terrorist activities. The Receiver-Operator Characteristic (ROC) analysis shows that this methodology can outperform a command-based intrusion detection system.
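The two modes and the two-part alarm condition described above, as an added sketch that is not the paper's implementation. The term-frequency vectors, cosine similarity, stop list, thresholds and all sample pages are assumptions constructed for illustration; the abstract does not name the data mining algorithm used.

```python
import math
import re
from collections import Counter

STOP = {"a", "and", "for", "of", "on", "the", "with"}  # tiny stop list (assumption)

def vectorize(text):
    """Term-frequency vector of a page's words (assumed representation)."""
    return Counter(w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOP)

def cosine(a, b):
    """Cosine similarity of two term vectors; 0.0 if either is empty."""
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values()) * sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def train_profile(pages):
    """Training mode: accumulate the term vectors of the pages into one profile."""
    profile = Counter()
    for page in pages:
        profile.update(vectorize(page))
    return profile

def detect(page, group_profile, flagged_profile, t_group=0.2, t_flagged=0.3):
    """Detection mode: alarm only when the page is outside the group's typical
    interests AND similar to the flagged profile. Thresholds are assumptions."""
    v = vectorize(page)
    sim_group = round(cosine(v, group_profile), 3)
    sim_flagged = round(cosine(v, flagged_profile), 3)
    return (sim_group < t_group and sim_flagged >= t_flagged, sim_group, sim_flagged)

# Constructed sample pages, not data from the paper.
GROUP = train_profile([
    "compiler lecture notes on parsing and lexing",
    "database assignment on sql joins and indexes",
    "operating systems lecture on scheduling and memory paging",
])
FLAGGED = train_profile([
    "propaganda manifesto and recruitment forum",
    "recruitment of new cell members and propaganda leaflets",
])

if __name__ == "__main__":
    for page in ("lecture notes on sql indexes and memory paging",
                 "recipe for tomato soup with basil",
                 "manifesto and propaganda leaflets for recruitment"):
        print(detect(page, GROUP, FLAGGED), page)
```

The second sample page is outside the group's profile but also unlike the flagged profile, so it raises no alarm; requiring both conditions is what keeps merely unusual browsing from being reported.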