Boštjan Kaluža: Towards Detection of Suspicious Behavior from Multiple Observations

Talk on "Towards Detection of Suspicious Behavior from Multiple Observations", given by Boštjan Kaluža.

Identification of suspicious activities arises in many domains where an adversary has a motivating goal and exhibits behavior that deviates from the behavior of normal users. The goal is to augment traditional security measures by scrutinizing the behavior of all subjects in the environment. This can be applied, for example, to detect a passenger at an airport who plans to smuggle drugs while keeping contact with authorities to a minimum, to detect a pirate vessel that plans to capture a transport vessel and therefore avoids security patrols, to identify a user who misuses access to a server, or to catch a reckless driver, a shoplifter, etc. We establish a formal framework and show how to optimally detect suspicious behavior from a set of observed events, where no single event is sufficient to decide whether a person behaves suspiciously or not. Unfortunately, optimal detection is not feasible in practice because we cannot estimate all the required parameters. We show two approximate methods (naive and heuristic) and compare them on an airport domain. The heuristic approach achieves high performance, discovering almost all suspicious passengers with a low false-alarm ratio.