Please use the below URL for the recording of this webinar. http://wso2.com/library/webinars/2015/02/catch-them-in-the-act-fraud-detection-with-wso2-cep-and-wso2-bam/ In this webinar, Seshika Fernando, technical lead at WSO2, will discuss Combined usage of WSO2 BAM and WSO2 CEP for fraud detection Fraud detection through static rules Fraud detection through fraud scoring Fraud detection using Markov models

1. Seshika Fernando
“Catch them in the act”
Technical Lead
Fraud Detection with
WSO2 CEP and WSO2 BAM

2. 2
How big is the problem?
๏ Its $ 4 Trillion BIG!
๏ Forrester Research Findings
๏ $ 3.5 – 4 Trillion in Global Losses per year
๏ This amounts to 5% of Global GDP
๏ Globally, Merchants are paying $200 - $250
Billion in Fraud losses
๏ Financial Services losing $ 12 – 15 Billion

3. 3
Who should be worried?

4. 4
Why WSO2 CEP?

5. 5
Fraudster: Intuition
๏ Use stolen cards
๏ Buy Expensive stuff
๏ In Large Quantities
๏ Very quickly
๏ At odd hours
๏ Ship to many places
๏ Provide weird email addresses
๏ Get rejected often
Siddhi Queries

6. 6
Siddhi for Expensive Purchases
define table PremiumProducts (itemNo string);
from TransactionStream[(itemNo==
PremiumProducts.itemNo) in PremiumProducts ]
select *
insert into FraudStream;

7. 7
Siddhi for Many Shipments
from TransactionStream#window.unique(shippingAddress)
select txnID, cardNo, count(shippingAddress) as counter
group by cardNo
insert into CountStream;
from CountStream[counter>5]
select *
insert into FraudStream;

8. 8
Siddhi for Large Quantities
define table QuantityAverages
(itemNo string, avgQty int, stdevQty int);
from TransactionStream
[(itemNo== av.itemNo and qty > (av.avgQty + 2 * av.stdevQty)) in
QuantityAverages as av]
select *
insert into FraudStream;

9. 9
Siddhi for Large Quantities (Learning)
define table QuantityAverages
(itemNo string, avgQty int, stdevQty int);
from TransactionStream#window.time(8 hours)
select itemNo, avg(qty) as avg, stdev(qty) as stdev
group by itemNo
update QuantityAverages as av
on itemNo == av.itemNo;
from TransactionStream
[(itemNo== av.itemNo and qty > (av.avgQty + 2 * av.stdevQty)) in
QuantityAverages as av]
select *
insert into FraudStream;

10. 10
Siddhi for Transaction Velocity
from e1 = TransactionStream ->
e2 = TransactionStream[e1.cardNo == e2.cardNo] <3:>
within 5000
select e1.cardNo, e1.txnID, e2[0].txnID, e2[1].txnID, e2[2].txnID
insert into FraudStream;

11. 11
Siddhi Templates

12. 12
The False Positive Trap
๏ So what if I buy Expensive stuff
๏ And why can’t I buy a lot
๏ Very Quickly
๏ At odd hours
๏ Ship to many places
Rich guy
Gift giver
Busy man
Night owl
Many girlfriends?
Blocking genuine customers could be counter
productive and costly

13. 13
Fraud Scoring
๏ Use combinations of rules
๏ Give weights to each rule
๏ Derive a single number that reflects many fraud indicators
๏ Use a threshold to reject transactions
๏ You just bought a Diamond Ring?
๏ You bought 20 Diamond Rings, in 15 minutes at 3am from
an IP address in Nigeria?

14. 14
Fraud Scoring
Score = itemPrice * 0.0001
+ itemQuantity * 0.1
+ isFreeEmail * 2.5
+ highRiskCountry * 10
+ suspiciousUsername * 5
+ suspiciousIPRange * 10

15. 15
Siddhi for Fraud Scoring

16. 16
Markov Models
A Markov model is a stochastic model used to
model randomly changing systems where it is assumed
that future states depend only on the present state and
not on the sequence of events that preceded it

17. 17
๏ Classify each transaction in to ‘states’ based on certain
transaction parameters.
๏ Compute the probabilities of state transitions
๏ Compare incoming transaction sequences with state
transition probabilities and flag sequences that have
very low probabilities as possible fraud
Markov Models for Fraud Detection

18. 18
Markov Models for Fraud Detection

19. 19
Markov Model: Classification
Each transaction is classified under the following three
qualities and expressed as a 3 letter token, e.g., HNN
๏ Amount spent: Low, Normal and High
๏ Whether the transaction includes high price ticket
item: Normal and High
๏ Time elapsed since the last transaction: Large, Normal
and Small

20. 20
๏ Create a State Transition Probability Matrix
Markov Models: Probability Matrix
LNL LNH LNS LHL HHL HHS HNS
LNL
0.976788 0.542152 0.20706 0.095459 0.007166 0.569172 0.335481
LNH
0.806876 0.609425 0.188628 0.651126 0.113801 0.630711 0.099825
LNS
0.07419 0.83973 0.951471 0.156532 0.12045 0.201713 0.970792
LHL
0.452885 0.634071 0.328956 0.786087 0.676753 0.063064 0.225353
HHL
0.386206 0.255719 0.451524 0.469597 0.810013 0.444638 0.612242
HHS
0.204606 0.832722 0.043194 0.459342 0.960486 0.796382 0.34544
HNS
0.757737 0.371359 0.326846 0.970243 0.771326 0.015835 0.574333

21. 21
Markov Models: Probability Comparison
๏ Compare the probabilities of incoming transaction
sequences with thresholds and flag fraud as
appropriate
๏ Can use direct probabilities or more complex metrics
๏ Miss Rate Metric
๏ Miss Probability Metric
๏ Entropy Reduction Metric
๏ Update Markov Probability table with incoming
transactions

22. 22
Life after Detection

23. Contact us !