Computational intelligence in e-mail traffic analysis

In law enforcement, tools and techniques are required that enable forensic analysts to uncover electronic evidence about the communication activities of possible criminal or terrorist suspects. This is needed in order to better understand the actions of criminal or terrorist groups and to also understand the communication patterns of suspected individuals. The extraction of useful information from electronic communication data is a difficult task, due to the large amounts of data and also due to the difficulty in making sense of unusual activities in the data. This thesis considers the problem of aiding the analyst to provide a better understanding about the communication behaviour of suspected individuals. The type of data considered for the thesis is e-mail traffic, which is based on information obtained from e-mail message headers but not the content of e-mails. This thesis proposes a \computational intelligence\" approach for analysing email traffic by using a set of computational techniques to provide different perspectives for examining the communication behaviour of suspect e-mail accounts. This is considered important since a range of views on e-mail traffic behaviour can provide the user/analyst a more overall understanding about the behaviour of suspect e-mail accounts. The purpose of using a set of computational techniques is to utilise the capabilities of each technique so that the combined effect of using those techniques present useful information to the user/analyst about a suspect e-mail account's traffic behaviour. The computational techniques used for the research in this thesis are visualisation and feature extraction techniques which each provide different ways of examining e-mail traffic behaviour. Visualisation is used to provide a visual method of interpreting exploring and understanding the communication patterns present in e-mail traffic data. The two visualisation techniques used for visualization are social network visualisation and time-series visualisation. Feature extraction techniques are another type of technique used to analyse e-mail traffic behaviour by providing information that locate features in the data indicating where unusual changes in communication activity are occurring. The two techniques used for feature extraction in the research are decision tree classification and hierarchical fuzzy inference. Two case studies are provided in this thesis. The first case study explores the detection of unusual variations in traffic behaviour from simulated e-mail traffic data while the second case study explores the rating of abnormal communication changes from the Enron e-mail corpus dataset. Both case studies demonstrate that computational intelligence is a useful approach for providing the user/analyst a better understanding about the traffic behaviour of suspect e-mail accounts."