Content-Based Detection of Terrorists Browsing the Web Using an Advanced Terror Detection System (ATDS)

  • Yuval Elovici
  • Bracha Shapira
  • Mark Last
  • Omer Zaafrany
  • Menahem Friedman
  • Moti Schneider
  • Abraham Kandel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3495)


The Terrorist Detection System (TDS) is aimed at tracking down suspected terrorists by analyzing the content of information they access. TDS operates in two modes: a training mode and a detection mode. During the training mode TDS is provided with Web pages accessed by a normal group of users and computes their typical interests. During the detection mode TDS performs real-time monitoring of the traffic emanating from the monitored group of users, analyzes the content of the Web pages accessed, and issues an alarm if the access information is not within the typical interests of the group. In this paper we present an advanced version of TDS (ATDS), where the detection algorithm was enhanced to improve the performance of the basic TDS system. ATDS was implemented and evaluated in a network environment of 38 users comparing it to the performance of the basic TDS. Behavior of suspected terrorists was simulated by accessing terror related sites. The evaluation included also sensitivity analysis aimed at calibrating the settings of ATDS parameters to maximize its performance. Results are encouraging. ATDS outperformed TDS significantly and was able to reach very high detection rates when optimally tuned.


True Positive Learning Phase Anomaly Detection Normal User Detection Phase 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Birnhack, M.D., Elkin-Koren, N.: Fighting Terror On-Line: The Legal Ramifications of September 11, Internal Report, The Law and Technology Center, Haifa University (2003),
  2. 2.
    Elovici, Y., Shapira, B., Last, M., Kandell, A., Zaafrany, O.: Using Data Mining Techniques for Detecting Terror-Related Activities on the Web. J. of Information Warfare 3(1), 17–28 (2004)Google Scholar
  3. 3.
    Extractor DBI Technologies (2003),
  4. 4.
    Fielding, R., Gettys, J., Mogul, J.: RFC2616: Hypertext Transfer Protocol – HTTP/1.1. Network Working Group (1999)Google Scholar
  5. 5.
    Last, M., Elovici, Y., Shapira, B., Zaafrany, O., Kandel, A.: Using Data Mining for Detecting Terror-Related Activities on the Web. In: ECIW Proceedings, pp. 271–280 (2003)Google Scholar
  6. 6.
    Last, M., Elovici, Y., Shapira, B., Zaafrany, O., Kandel, A.: Content-Based Methodology for Anomaly Detection on the Web. In: Menasalvas, E., et al. (eds.) AWIC 2003. LNCS (LNAI), vol. 2663, pp. 113–123. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  7. 7.
    Winpcap version 3.0 (2004),
  8. 8.
    Wooster, R., Williams, S., Brooks, P.: HTTPDUMP: a network HTTP packet snooper. Working paper (1996), available at
  9. 9.
    Kelley, J.: Terror Groups behind Web encryption. USA Today (2002),
  10. 10.
    Lemos, R.: What are the real risks of cyberterrorism?, ZDNet (2002),
  11. 11.
    Ingram, M.: Internet privacy threatened following terrorist attacks on US (2001),
  12. 12.
    Sequeira, K., Zaki, M.: ADMIT: Anomaly-based Data Mining for Intrusions. In: Proceedings of SIGKDD 2002, pp. 386–395 (2002)Google Scholar
  13. 13.
    Karypis, G.: CLUTO - A Clustering Toolkit, Release 2.0, University of Minnesota (2002),
  14. 14.
    Salton, G., Buckley, C.: Term-Weighting Approaches in Automatic Text Retrieval. Information Processing and Management 24(5), 513–523 (1988)CrossRefGoogle Scholar
  15. 15.
    Mobasher, M., Cooley, R., Srivastava, J.: Automatic personalization based on Web usage mining. Communications of the ACM 43(8), 142–151 (2002)CrossRefGoogle Scholar
  16. 16.
    Ghosh, A.K., Wanken, J., Charron, F.: Detecting Anomalous and Unknown Intrusions Against Programs. In: Proceedings of ACSAC 1998, December 1998 (1998)Google Scholar
  17. 17.
    Tan, K., Maxion, R.: Why 6? Defning the Operational Limits of Stide, an Anomaly-Based Intrusion Detector. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 188–202 (2002)Google Scholar
  18. 18.
    Lane, V., Brodley, C.E.: Temporal sequence learning and data reduction for anomaly detection. In: Proceedings of the 5th ACM conference on Computer and Communications Security, pp. 150–158 (1998)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Yuval Elovici
    • 1
  • Bracha Shapira
    • 1
  • Mark Last
    • 1
  • Omer Zaafrany
    • 1
  • Menahem Friedman
    • 2
  • Moti Schneider
    • 3
  • Abraham Kandel
    • 4
  1. 1.Department of Information Systems EngineeringBen-Gurion Univ. of the NegevBeer-ShevaIsrael
  2. 2.Department of Physics Nuclear Research Center – NegevBeer-ShevaIsrael
  3. 3.School of Computer ScienceNetanya Academic CollegeNetanyaIsrael
  4. 4.Department of Computer Sc. and EngineeringUniv. of South FloridaTampaUSA

Personalised recommendations