Please use the below URL for the recording of this webinar.
http://wso2.com/library/webinars/2015/02/catch-them-in-the-act-fraud-detection-with-wso2-cep-and-wso2-bam/
In this webinar, Seshika Fernando, technical lead at WSO2, will discuss:
๏ Combined usage of WSO2 BAM and WSO2 CEP for fraud detection
๏ Fraud detection through static rules
๏ Fraud detection through fraud scoring
๏ Fraud detection using Markov models
2. 2
How big is the problem?
๏ It's $4 Trillion BIG!
๏ Forrester Research Findings
๏ $3.5 – 4 Trillion in Global Losses per year
๏ This amounts to 5% of Global GDP
๏ Globally, Merchants are paying $200 - $250 Billion in Fraud losses
๏ Financial Services losing $12 – 15 Billion
5. 5
Fraudster: Intuition
๏ Use stolen cards
๏ Buy Expensive stuff
๏ In Large Quantities
๏ Very quickly
๏ At odd hours
๏ Ship to many places
๏ Provide weird email addresses
๏ Get rejected often
Siddhi Queries
6. 6
Siddhi for Expensive Purchases
define table PremiumProducts (itemNo string);

from TransactionStream[(itemNo == PremiumProducts.itemNo) in PremiumProducts]
select *
insert into FraudStream;
7. 7
Siddhi for Many Shipments
from TransactionStream#window.unique(shippingAddress)
select txnID, cardNo, count(shippingAddress) as counter
group by cardNo
insert into CountStream;

from CountStream[counter > 5]
select *
insert into FraudStream;
8. 8
Siddhi for Large Quantities
define table QuantityAverages (itemNo string, avgQty int, stdevQty int);

from TransactionStream[(itemNo == av.itemNo and qty > (av.avgQty + 2 * av.stdevQty)) in QuantityAverages as av]
select *
insert into FraudStream;
9. 9
Siddhi for Large Quantities (Learning)
define table QuantityAverages (itemNo string, avgQty int, stdevQty int);

from TransactionStream#window.time(8 hours)
select itemNo, avg(qty) as avgQty, stdev(qty) as stdevQty
group by itemNo
update QuantityAverages as av
on itemNo == av.itemNo;

from TransactionStream[(itemNo == av.itemNo and qty > (av.avgQty + 2 * av.stdevQty)) in QuantityAverages as av]
select *
insert into FraudStream;
10. 10
Siddhi for Transaction Velocity
from e1 = TransactionStream ->
e2 = TransactionStream[e1.cardNo == e2.cardNo] <3:>
within 5000
select e1.cardNo, e1.txnID, e2[0].txnID, e2[1].txnID, e2[2].txnID
insert into FraudStream;
12. 12
The False Positive Trap
๏ So what if I buy Expensive stuff → Rich guy
๏ And why can’t I buy a lot → Gift giver
๏ Very Quickly → Busy man
๏ At odd hours → Night owl
๏ Ship to many places → Many girlfriends?
Blocking genuine customers could be counterproductive and costly
13. 13
Fraud Scoring
๏ Use combinations of rules
๏ Give weights to each rule
๏ Derive a single number that reflects many fraud indicators
๏ Use a threshold to reject transactions
๏ You just bought a Diamond Ring?
๏ You bought 20 Diamond Rings, in 15 minutes at 3am from an IP address in Nigeria?
16. 16
Markov Models
A Markov model is a stochastic model used to
model randomly changing systems where it is assumed
that future states depend only on the present state and
not on the sequence of events that preceded it
17. 17
Markov Models for Fraud Detection
๏ Classify each transaction into ‘states’ based on certain transaction parameters.
๏ Compute the probabilities of state transitions
๏ Compare incoming transaction sequences with state transition probabilities and flag sequences that have very low probabilities as possible fraud
19. 19
Markov Model: Classification
Each transaction is classified under the following three qualities and expressed as a 3-letter token, e.g., HNN
๏ Amount spent: Low, Normal and High
๏ Whether the transaction includes a high-price-ticket item: Normal and High
๏ Time elapsed since the last transaction: Large, Normal and Small
21. 21
Markov Models: Probability Comparison
๏ Compare the probabilities of incoming transaction sequences with thresholds and flag fraud as appropriate
๏ Can use direct probabilities or more complex metrics
๏ Miss Rate Metric
๏ Miss Probability Metric
๏ Entropy Reduction Metric
๏ Update Markov Probability table with incoming transactions
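The Markov steps above (classify, compute transition probabilities, compare against a threshold, update the table), as an added Python example that is not code from the webinar or from WSO2. The amount and time cut-offs, the 0.1 threshold, the Laplace smoothing, the geometric-mean score and the learn-only-when-unflagged rule are assumptions of this example, and the history is constructed.

```python
import math
from collections import defaultdict

N_STATES = 3 * 2 * 3  # amount (L/N/H) x high-ticket item (N/H) x elapsed time (L/N/S)

def token(amount, high_ticket, gap_s):
    """Classify one transaction as a 3-letter state, e.g. HNN (cut-offs are assumed)."""
    a = "L" if amount < 20 else "H" if amount > 500 else "N"
    t = "H" if high_ticket else "N"
    g = "S" if gap_s < 60 else "L" if gap_s > 86400 else "N"
    return a + t + g

def learn(counts, seq):
    """Add the state transitions of one card's token sequence to the count table."""
    for prev, cur in zip(seq, seq[1:]):
        counts[prev][cur] += 1

def prob(counts, prev, cur, alpha=1.0):
    """Laplace-smoothed P(cur | prev): unseen transitions are rare, not impossible."""
    row = counts.get(prev, {})
    return (row.get(cur, 0) + alpha) / (sum(row.values()) + alpha * N_STATES)

def score(counts, seq):
    """Geometric mean of the transition probabilities (1.0 if there is no transition)."""
    logs = [math.log(prob(counts, p, c)) for p, c in zip(seq, seq[1:])]
    return math.exp(sum(logs) / len(logs)) if logs else 1.0

def check(counts, seq, threshold=0.1):
    """Flag a low-probability sequence; learn only from unflagged ones (assumption),
    so a suspected fraud run does not teach the table that it is normal."""
    flagged = score(counts, seq) < threshold
    if not flagged:
        learn(counts, seq)
    return flagged

# Constructed token history for one card (not real data).
HISTORY = [["NNN", "NNN", "LNN", "NNN", "NNL", "NNN"],
           ["LNN", "NNN", "NNN", "LNN", "NNN"]]

def build_table():
    counts = defaultdict(lambda: defaultdict(int))
    for seq in HISTORY:
        learn(counts, seq)
    return counts

if __name__ == "__main__":
    table = build_table()
    usual = [token(60, False, 7200), token(12, False, 3600), token(45, False, 5400)]
    burst = ["NNN"] + [token(900, True, 15)] * 3
    for name, seq in (("usual", usual), ("burst", burst)):
        print(name, seq, round(score(table, seq), 4), check(table, seq))
```

With a smoothed table over 18 states, a uniform guess scores 1/18, so the threshold has to be tuned against each deployment's own history instead of being copied from here.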