Detecting malicious groups of agents

In this paper we study coordinated attacks launched by multiple malicious agents and the problem of detecting malicious groups of attackers. The paper proposes a formal method and an algorithm for detecting action interference between users. It has to be pointed out that some members of a malicious group may not necessarily perform illegal actions, for example, they can prepare and organize an attack without taking active part in the actual attack execution. In addition, members of a malicious group May not necessarily know each other The method we propose tries to solve these problems by building a Coordination graph which includes all users who, in some way or another, cooperate with each other i.e., the maximal malicious group of cooperating users including not only the executers of the attack but also their assistants. The paper also proposes formal metrics on coordination graphs that help differentiate central from peripheral attackers.