Using targeted Bayesian network learning for suspect identification in communication networks

A. Gruber, I. Ben-Gal*

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

10 Scopus citations


This paper proposes a machine learning application to identify mobile phone users suspected of involvement in criminal activities. The application characterizes the behavioral patterns of suspect users versus non-suspect users based on usage metadata such as call duration, call distribution, interaction time preferences and text-to-call ratios while avoiding any access to the content of calls or messages. The application is based on targeted Bayesian network learning method. It generates a graphical network that can be used by domain experts to gain intuitive insights about the key features that can help identify suspect users. The method enables experts to manage the trade-off between model complexity and accuracy using information theory metrics. Unlike other graphical Bayesian classifiers, the proposed application accomplishes the task required of a security company, namely an accurate suspect identification rate (recall) of at least 50% with no more than a 1% false identification rate. The targeted Bayesian network learning method is also used for additional tasks such as anomaly detection, distinction between “relevant” and “irrelevant” anomalies, and for associating anonymous telephone numbers with existing users by matching behavioral patterns.

Original languageEnglish
Pages (from-to)169-181
Number of pages13
JournalInternational Journal of Information Security
Issue number2
StatePublished - 1 Apr 2018


FundersFunder number
Israeli Chief Scientist Magneton44596


    • Behavioral patterns
    • Criminal behavior
    • Cyber crimes
    • Machine learning
    • Privacy
    • Security
    • Suspect identification
    • Targeted Bayesian network learning


    Dive into the research topics of 'Using targeted Bayesian network learning for suspect identification in communication networks'. Together they form a unique fingerprint.

    Cite this