Using targeted Bayesian network learning for suspect identification in communication networks

Abstract

This paper proposes a machine learning application to identify mobile phone users suspected of involvement in criminal activities. The application characterizes the behavioral patterns of suspect users versus non-suspect users based on usage metadata such as call duration, call distribution, interaction time preferences and text-to-call ratios while avoiding any access to the content of calls or messages. The application is based on targeted Bayesian network learning method. It generates a graphical network that can be used by domain experts to gain intuitive insights about the key features that can help identify suspect users. The method enables experts to manage the trade-off between model complexity and accuracy using information theory metrics. Unlike other graphical Bayesian classifiers, the proposed application accomplishes the task required of a security company, namely an accurate suspect identification rate (recall) of at least 50% with no more than a 1% false identification rate. The targeted Bayesian network learning method is also used for additional tasks such as anomaly detection, distinction between “relevant” and “irrelevant” anomalies, and for associating anonymous telephone numbers with existing users by matching behavioral patterns.

Appendix: the TBNL algorithm

The TBNL algorithm (for more details see [18]) uses a recursive procedure that can be applied to any node that represents a variable. The procedure, called AddParents (described below) adds edges from candidate nodes to the node to which the procedure is currently applied: each time, it adds the edge from the node with the highest Information Gain (IG) value. Essentially, AddParents is a greedy, forward feature selection procedure, which is similar to the feature selection scheme used by the adding-arrows principle [34]. The main difference is that the TBNL algorithm starts with the class variable and then proceeds recursively to the selected parent nodes. In particular, the TBNL algorithm starts by applying the AddParents procedure to the target node to select its parents. Then, AddParents is applied to each parent sequentially to select its own parents from the set of the target node’s parents. Thus, any node in the network can be a parent of the target node (i.e., corresponding to a limited form of a Markov blanket) while still maintaining the DAG structure. The input parameters of the AddParents procedure are as follows: \(X_i\) represents the current node; \(\varvec{\mathrm {T}}_i\) represents the set of the candidate parents of \(X_i\); \(\varvec{\mathrm {C}}\) represents the set of arbitrary constraints on the network such as the number of permitted parameters; \(\eta _i\) represents a constraint of the maximum allowed MI concerning \(X_i\); and \(\beta _i\) represents the minimum IG “step size” when adding a parent to \(X_i\) in the network. After applying the AddParents procedure to node \(X_i\), the output is the set of parent nodes \(\varvec{\mathrm {Z}}_i\) if one of the following conditions is fulfilled: 1) any of the \(\varvec{\mathrm {C}}\) constraints is not met; 2) \(I\left( X_i;\overline{\varvec{\mathrm {Z}}}_i|\varvec{\mathrm {Z}}_i\right) /H\left( X_i\right) <\beta _i\) ; or 3) the set of candidate parents \(\varvec{\mathrm {T}}_i\) is empty. The AddParents procedure is shown next. The last two code lines imply that it is a quasi-recursive procedure; namely, the TBNL algorithm actually calls AddParents only once. Then, having obtained \(\varvec{\mathrm {Z}}_i\), it iteratively calls \(\varvec{\mathrm {Z}}_j=\textit{AddParents}\left( X_j,\overline{\varvec{\mathrm {Z}}}_i,\varvec{\mathrm {C}},\eta _j,\beta _j\right) \) for each \(X_j\mathrm {\in }\varvec{\mathrm {Z}}_i\). Note that the order of the iterations is well defined: the output parents from each iteration directly affect the input of the next step. Such a procedure generates different outputs than those that would have been obtained had the algorithm iterated the procedure only after obtaining the full set of parents. Thus, the TBNL calls \(\varvec{\mathrm {Z}}_t=\textit{AddParents}\left( X_t,\overline{\varvec{\mathrm {X}}}_t,\varvec{\mathrm {C}},\eta _t,\beta _t\right) \), which ultimately results in a DAG \(\mathcal {G}=\lbrace \varvec{\mathrm {Z}}_1,\varvec{\mathrm {Z}}_2,\ldots ,\varvec{\mathrm {Z}}_N\rbrace \).