Detecting Opportunities and Threats with Complex Event Processing: Case Studies in Predictive Customer Interaction Management and Fraud Detection February 27, 2007 FINAL DRAFT 2 8th Annual Japan's International Banking & Securities System Forum Tim Bass, CISSP Principal Global Architect, Director

Our Agenda Introduction to Complex Event Processing & BusinessEvents™ TIBCO Case Study in Fraud Detection TIBCO Case Study in Predictive Customer Interaction Management (PCIM)

Introduction to Complex Event Processing & BusinessEvents™

TIBCO Case Study in Fraud Detection

TIBCO Case Study in Predictive Customer Interaction Management (PCIM)

What is Complex Event Processing? "Complex event processing is a new technology for extracting information from message-based systems." - Dr. David Luckham, Brian Frasca Complex Event Processing in Distributed Systems, Stanford University, 1998

"Complex event processing is a new technology for extracting information from message-based systems."

- Dr. David Luckham, Brian Frasca

When Do You Need to Think About CEP? “ CEP applies to a very broad spectrum of challenges in information systems. A short list includes:” Business process automation Computer systems to automate scheduling and control network-based processes and processing Network monitoring and performance prediction Detection intrusion, fraud and other network attacks . The Power of Events , Addison Wesley, ISBN: 0-201-72789-7, 2002

“ CEP applies to a very broad spectrum of challenges in information systems. A short list includes:”

Business process automation

Computer systems to automate scheduling and control network-based processes and processing

Network monitoring and performance prediction

Detection intrusion, fraud and other network attacks .

CEP Brings Two Kinds Of Business Benefits Ref: Roy Schulte, Gartner, First Event Processing Symposium, 2006 2. Complex-Event Processing (CEP) for Earlier and Better Insight Order Entry Manufacturing Shipping 1. Event-Driven Architecture (EDA) for Flexibility and Maintainability

Detecting Opportunities and Threats with Complex Event Processing (CEP)

TIBCO BusinessEvents™ Overview BusinessEvents™ Solutions Space Data: Events & Databases -Real-Time & Historical Data Models: Statistical Financial Optimization Comms: Pub/Sub Messaging Queues Topics UIs Knowledge: Facts & Rules

Reference Architecture An Enterprise View of Complex Event Processing 24 EVENT PRE-PROCESSING EVENT SOURCES EXTERNAL . . . LEVEL ONE EVENT TRACKING Visualization, BAM, User Interaction CEP Reference Architecture DB MANAGEMENT Historical Data Profiles & Patterns DISTRIBUTED LOCAL EVENT SERVICES . . EVENT PROFILES . . DATA BASES . . OTHER DATA LEVEL TWO SITUATION DETECTION LEVEL THREE PREDICTIVE ANALYSIS LEVEL FOUR ADAPTIVE BPM

Summary of Complex Event Processing Flexible SOA and Event-Driven Architecture

Bloor Report on Event Processing Event Processing and Decision Making Automated Operational Decisions Automated Predictive Decisions Human Predictive Decisions Human Operational Decisions Decision Latency Event Complexity Process Complexity Pattern Matching and Inferencing Anti-Money Laundering Credit-Card Fraud Exchange Compliance Database Monitoring Algorithmic Trading Trade Desk Monitoring Customer Interaction Order Routing RFID Tariff Look-Up Rail Networks Search & Rescue Baggage Handling Liquidity Management

Our Agenda Introduction to Complex Event Processing & BusinessEvents™ TIBCO Case Study in Fraud Detection TIBCO Case Study in Predictive Customer Interaction Management (PCIM)

Introduction to Complex Event Processing & BusinessEvents™

TIBCO Case Study in Fraud Detection

TIBCO Case Study in Predictive Customer Interaction Management (PCIM)

Use Case: Real-Time Fraud Detection Customer Profile: Major US brokerage Large Portfolio of financial products and services: Mutual funds Retail brokerage Institutional products and services Retirement products and services Employer products and services Advisory services Business model dependent on Internet commerce

Customer Profile:

Major US brokerage

Large Portfolio of financial products and services:

Mutual funds

Retail brokerage

Institutional products and services

Retirement products and services

Employer products and services

Advisory services

Business model dependent on Internet commerce

Firewalls, Stand-Alone or Purpose-Built Fraud and Intrusion Detection Systems, Cryptography, Access Control, are Simply Not Sufficient. Malicious Users are Using Legitimate Internet Application Protocols, such as HTTP, HTTPS and SOAP to Defraud Businesses. A 2006 CyberSource reports that $2,800,000.000 (2.8B USD) was lost to on-line fraud in the US and Canada in 2005. eCommerce online fraud continues to grow (US and Canada) at a 20% annual rate. Risk for international transactions is 3 times the average risk. Industry and Business Drivers A Sample of the Problems with Network Security and Fraud Detection

Firewalls, Stand-Alone or Purpose-Built Fraud and Intrusion Detection Systems, Cryptography, Access Control, are Simply Not Sufficient.

Malicious Users are Using Legitimate Internet Application Protocols, such as HTTP, HTTPS and SOAP to Defraud Businesses.

A 2006 CyberSource reports that $2,800,000.000 (2.8B USD) was lost to on-line fraud in the US and Canada in 2005.

eCommerce online fraud continues to grow (US and Canada) at a 20% annual rate.

Risk for international transactions is 3 times the average risk.

Real-Time On-Line Fraud Detection Requirements Identify characteristics of fraud, such as continuous behavior changes, and identify new patterns of fraud Stop new account setups from fraudulent IP addresses Stop online registrations from fraudulent IP addresses Verify user identity in every transaction based on click-behavior Identify multiple users trying to login from same IP address Identify single user logins from multiple IP addresses within a time span Prevent phishing by tracking IP addresses that mass download institutional web pages Prevent phishing, pharming and man-in-the-middle attacks by checking against a list for fraudulent IP’s in real-time

Identify characteristics of fraud, such as continuous behavior changes, and identify new patterns of fraud

Stop new account setups from fraudulent IP addresses

Stop online registrations from fraudulent IP addresses

Verify user identity in every transaction based on click-behavior

Identify multiple users trying to login from same IP address

Identify single user logins from multiple IP addresses within a time span

Prevent phishing by tracking IP addresses that mass download institutional web pages

Prevent phishing, pharming and man-in-the-middle attacks by checking against a list for fraudulent IP’s in real-time

On-Line Fraud Detection Use Case Architecture and Capacity Planning Approx. 12,000 Hits Per Second During Peak Period Across the Three Sites – One Instance Of TIBCO BusinessEvents™ Capable of Handling Maximum Hits Overall 100 Million Hits Handled Between 3PM – 4 PM Peak Approx. 250 Million Hits Per Day Across the Three Sites Session Info Three Server Farms ~600-700 Application Servers

“ No Code” Custom User Interface Studio TIBCO’s Enterprise RTView™ or General Interface™

Fraud Detection Use Case Summary Overview of Fraud Detection Solutions Architecture Fusion of Fraud information across Customer’s Enterprise, including: Log files Existing Customer’s FDS (host and network based) devices Network traffic monitors and IDS systems (as required) Host statistics (as required) Secure, standards-based JAVA Messaging Service (JMS) for messaging: Events parsed into JMS Application Properties SSL transport for JMS messages TIBCO technology for next-generation detection, prediction, rule-based intrusion response, and adaptive control TIBCO Business Works™ as required, to transform, map or cleanse data TIBCO BusinessEvents™ for rule-based analytics TIBCO iProcess™ for fraud management, compliance work flow and reporting Solace Systems for ASIC-based, high speed application layer routing

Fusion of Fraud information across Customer’s Enterprise, including:

Log files

Existing Customer’s FDS (host and network based) devices

Network traffic monitors and IDS systems (as required)

Host statistics (as required)

Secure, standards-based JAVA Messaging Service (JMS) for messaging:

Events parsed into JMS Application Properties

SSL transport for JMS messages

TIBCO technology for next-generation detection, prediction, rule-based intrusion response, and adaptive control

TIBCO Business Works™ as required, to transform, map or cleanse data

TIBCO BusinessEvents™ for rule-based analytics

TIBCO iProcess™ for fraud management, compliance work flow and reporting

Solace Systems for ASIC-based, high speed application layer routing

Our Agenda Introduction to Complex Event Processing & BusinessEvents™ TIBCO Case Study in Fraud Detection TIBCO Case Study in Predictive Customer Interaction Management (PCIM)

Introduction to Complex Event Processing & BusinessEvents™

TIBCO Case Study in Fraud Detection

TIBCO Case Study in Predictive Customer Interaction Management (PCIM)

Use Case: Predictive Customer Interaction Management PCIM Customer Profile: Global financial services company, hundreds of millions of customers Large portfolio of financial products and services: Retail banking Wholesale banking Private banking Credit cards Insurance Business model dependent on Internet commerce

Customer Profile:

Global financial services company, hundreds of millions of customers

Large portfolio of financial products and services:

Retail banking

Wholesale banking

Private banking

Credit cards

Insurance

Business model dependent on Internet commerce

Case Study: Value Proposition TIBCO customer needed more cross-sell opportunities and greater promotion sales results for increased profits TIBCO provided software that opportunistically identifies cross-sell situations and provides real-time recommendations to the pertinent bank employees based on real time customer interactions and events TIBCO’s solution was more scalable, more flexible and works well with existing banking systems, products or services.

TIBCO customer needed more cross-sell opportunities and greater promotion sales results for increased profits

TIBCO provided software that opportunistically identifies cross-sell situations and provides real-time recommendations to the pertinent bank employees based on real time customer interactions and events

TIBCO’s solution was more scalable, more flexible and works well with existing banking systems, products or services.

Customer Requirements Intelligent Customer Dialog Dynamic Offer Management Conversion Tracking and Analysis Dynamic Channel Synchronization Dynamic Channel Management Sales Process Tracking

Intelligent Customer Dialog

Dynamic Offer Management

Conversion Tracking and Analysis

Dynamic Channel Synchronization

Dynamic Channel Management

Sales Process Tracking

Solution Overview Customer Interact Solutions with TIBCO BusinessEvents ™ Retail Banking Predictive Offer Management and Recommendation Engine Finance and Insurance Real Time Marketing & Customer Dialogue with Servicing/Personalization Transportation Affinity Program, Rewards, Servicing and Real Time Dialogue Management Gaming, Hospitality and Entertainment Customer Interaction Management Cross Line of Business (LOB) Customer View Integration for Finance, Retail, Insurance, Transportation, Hospitality – “Customer 360” Cross LOB Operational (Customer) Risk Management Common Customer Process Performance Measurement and Management (e.g. multi-LOB account processing visibility) Predictive Customer Service & SLA Management Cross Industry Real Time Affinity, Location, Scenario-Matched Marketing

Retail Banking Predictive Offer Management and Recommendation Engine

Finance and Insurance Real Time Marketing & Customer Dialogue with Servicing/Personalization

Transportation Affinity Program, Rewards, Servicing and Real Time Dialogue Management

Gaming, Hospitality and Entertainment Customer Interaction Management

Cross Line of Business (LOB) Customer View Integration for Finance, Retail, Insurance, Transportation, Hospitality – “Customer 360”

Cross LOB Operational (Customer) Risk Management

Common Customer Process Performance Measurement and Management (e.g. multi-LOB account processing visibility)

Predictive Customer Service & SLA Management

Cross Industry Real Time Affinity, Location, Scenario-Matched Marketing

Case Study: Bank Employee Interface TIBCO’s General Interface™ (AJAX Web Development)

PCIM High Level Conceptual Architecture

Case Study: Real-Time Recommendation Engine Back-office systems talk to the front-office systems. The front-offices systems talk to each other in real-time. Customer Interaction (CI) engine links all systems for a common delivery/dialogue infrastructure. CI engine provides the customer session intelligence. CI engine also provides the mechanics (and tools) to manage metrics visibility and intelligently.

Back-office systems talk to the front-office systems.

The front-offices systems talk to each other in real-time.

Customer Interaction (CI) engine links all systems for a common delivery/dialogue infrastructure.

CI engine provides the customer session intelligence.

CI engine also provides the mechanics (and tools) to manage metrics visibility and intelligently.

Where TIBCO BusinessEvents™ Helped. Collection, Normalization Metric of Managed Objects, Normalized Non-Contextual Events Metadata Repository Event Management, Correlation, Aggregation, Inference and Analysis Correlated, Analyzed, Contextual Dialogue Events Rules, Knowledge, Patterns, Models Visualization, Reporting, Alert Management Application Interface Feeds Visualization: Dialogue Metrics Agents Synthetic Warehouse Visualization: Sales Process View vCI Dialogue Manager Inference Engine DWH Product Marketing Semantic Model Events Rules Design Environment State Model Middleware

TIBCO BusinessEvents™ High performance, low latency business rules engine. Top down business process modeling. Real-time event processing. Cross-application and cross-process integratioin. Analytical and predictive models. Modeling Tools, Statefulness, Business Rules and Process Integration UML Conceptual UML State Business Rules Business Users Event Analyzer

High performance, low latency business rules engine.

Top down business process modeling.

Real-time event processing.

Cross-application and cross-process integratioin.

Analytical and predictive models.

TIBCO BusinessEvents™ Awards 2006 Best Complex Event Processing Software Winner: TIBCO 2006 Event Processing General Purpose Gold Award Winner

Additional Reading

Visit TIBCO Demo Booth Predictive Customer Interaction Management Demo Available! Press Release available for the relationship between TIBCO and Solace Systems

Predictive Customer Interaction Management Demo Available!

Press Release available for the relationship between TIBCO and Solace Systems

Thank You! Tim Bass, CISSP Principal Global Architect, Director Emerging Technologies Group [email_address] Event Processing at TIBCO