10. 10
•Introduction
Motive
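Internet-only bank?
• A bank that provides financial services such as deposit-taking, transfers, loans and fund investment through the internet and mobile
• Characteristics: operates with a low-cost structure without branches, offering lower fees and lower loan interest rates than commercial banks.
• Industrial capital allowed to hold an equity stake of 30% or more
• Restriction on large conglomerate groups (61): Samsung, Hyundai Motor and others with assets of 5 trillion won or more that are subject to cross-shareholding restrictions by the Fair Trade Commission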
11. 11
•Introduction
Motive
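• Inconvenient financial security devices and processes
• Security card, OTP
• Who is responsible
• The trend is for financial security to be handled autonomously
• Strengthened scope of financial companies' responsibility
• Re-outsourcing of financial protection duties prohibited, except when permitted by the Financial Services Commission
• Punitive penalty surcharge: up to 5 billion won
• Strengthened penalties: up to 10 years' imprisonment, fines of up to 100 million won
• Administrative fine: newly established, up to 50 million won for failure to fulfil the obligation to ensure stability
• Mandatory reporting: the CISO reports the results of the monthly information security inspection.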
12. 12
•Introduction
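Financial Services Commission Chairman Shin Je-yoon urged that the entire financial sector must complete the construction of fraud detection systems (FDS) for financial security.
"What must be a prerequisite for pursuing the fintech activation plan is the importance of security," he said, voicing concern that "a service without assured information security will ultimately be a house built on sand."
Regarding the plan to promote fintech, he said, "We will support the natural integration of fintech technology into finance by reforming the offline-centred financial system," adding, "We will have the regulation of the electronic financial business sector redesigned."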
Motive
14. 14
•
Bigdata Ecosystem
Bigdata
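• Significance of big data
Large-scale parallel computing technology devised because data has become not only vast in volume but also complex, making it difficult to handle with traditional data processing
• Big data processing technology
Technology that efficiently processes such complex and vast data through parallel processing
• Big data processing pipeline
Collect - Store - Process - Analyze - Present
Collect - Process - Analyze - Present - Store
• Significance of big data analysis
Analysis technology that applies machine learning or probabilistic and statistical techniques to complex and vast data, based on large-scale parallel computing technology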
15. 15
•
Bigdata Ecosystem
Open Source Bigdata Ecosystem
• Query (NOSQL) : Cassandra, HBase, MongoDB and more
• Query (SQL) : Hive, Stinger, Impala, Presto, Shark
• Advanced Analytic : Hadoop, Spark, H2O
• Real time : Storm, Samza, S4, Spark Streaming
Bigdata
28. 28
•
Lambda Architecture
Bigdata
•All data entering the system is dispatched to both the batch layer and the speed layer for processing.
•The batch layer has two functions: (i) managing the master dataset
(an immutable, append-only set of raw data), and (ii) to pre-compute the batch views.
•The serving layer indexes the batch views so that they can be queried in low-latency, ad-hoc way.
•The speed layer compensates for the high latency of updates to the serving layer
and deals with recent data only.
•Any incoming query can be answered by merging results from batch views and real-time views.
31. 31
•
Seldon Infrastructure
Bigdata
•Real-Time Layer : responsible for handling the live predictive API requests.
•Storage Layer : various types of storage used by other components.
•Near time/Offline Layer : components that run compute intensive or non-realtime jobs.
•Stats layer : components to monitor and analyze the running system.
34. 34
•
Pulsar Architecture
Bigdata
The Pulsar pipeline includes the following components:
• Collector: Ingests events through a REST endpoint
• Sessionizer: Sessionizes the events, maintaining the session state and
generating marker events
• Distributor: Filters and mutates events to different consumers;
acts as an event router
• Metrics calculator: Calculates metrics by various dimensions and
persists them in the metrics store
• Replay: Replays the failed events on other stages
• ConfigApp: Configures dynamic provisioning for the whole pipeline
35. 35
•
Pulsar Architecture
Bigdata
• Complex Event Processing: SQL on stream data
• Custom sub-stream creation: Filtering and Mutation
• In Memory Aggregation: Multi Dimensional counting
40. 40
•
What is ?
Machine Learning
Starting from data....
• Machine + Learning
• Teaching a machine (computer) how to learn using data.
Teach computer how to learn from data
Therefore, data is the textbook.
41. 41
•
ML Types
Machine Learning
• Supervised learning
• When the kind of data is known (Category, Labeled)
• ex: spam mail
• Unsupervised learning
• When the kind of data is unknown but you want to find its patterns
• SNS, Twitter
• Semi-supervised learning : supervised + unsupervised learning
• Reinforcement learning
• Mistakes are fed back again
• Evolutionary learning (GA, AIS)
• Meta Learning : Landmark of data for classifier
42. 42
•
Lifecycle on Realtime
Machine Learning
ML Modeling
ML Deploy
ML Optimizer
New Data
Decision Making
Alert
Anomaly Store
Hadoop DFS/NoSQL/Hive
45. 45
• Finite State Automata
(FSA)
Since the tests in can be grouped, the states can represent the
several tests being performed at the same time. For example, T34
means that T3 and T4 can be done simultaneously
Machine Learning
47. 47
• Hidden Markov
Sequence Based Algorithm
•Certain fraudulent activities may not be detectable with instance
based algorithms
•small amount of money, instance based algorithms will fail to
detect the fraud
Machine Learning
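The gap between instance-based and sequence-based checks, as an added example that is not part of the original deck. It uses a simple per-card rolling-window counter in place of a Hidden Markov Model; the thresholds, field names and sample transactions are all constructed assumptions.

```python
from collections import defaultdict, deque

INSTANCE_LIMIT = 500.0   # assumed per-transaction amount threshold
WINDOW_SECONDS = 600     # assumed rolling window length
WINDOW_MAX_COUNT = 5     # assumed max transactions per card inside one window

def instance_check(txn):
    """Instance-based rule: judges one transaction in isolation."""
    return txn["amount"] > INSTANCE_LIMIT

class SequenceDetector:
    """Sequence-based rule: keeps recent timestamps per card in a rolling window."""
    def __init__(self, window=WINDOW_SECONDS, max_count=WINDOW_MAX_COUNT):
        self.window, self.max_count = window, max_count
        self.recent = defaultdict(deque)

    def check(self, txn):
        q = self.recent[txn["card"]]
        q.append(txn["ts"])
        # Drop timestamps that have fallen out of the window.
        while q and q[0] <= txn["ts"] - self.window:
            q.popleft()
        return len(q) > self.max_count

def run(transactions):
    """Return (ids flagged by the instance rule, ids flagged by the sequence rule)."""
    detector = SequenceDetector()
    instance_alerts, sequence_alerts = [], []
    for txn in transactions:
        if instance_check(txn):
            instance_alerts.append(txn["id"])
        if detector.check(txn):
            sequence_alerts.append(txn["id"])
    return instance_alerts, sequence_alerts

# Constructed sample: card-A makes eight small purchases 30 seconds apart,
# card-B one ordinary purchase, card-C one large purchase.
SAMPLE = [{"id": i, "card": "card-A", "ts": 1000 + 30 * i, "amount": 9.99}
          for i in range(8)]
SAMPLE.append({"id": 100, "card": "card-B", "ts": 1100, "amount": 42.0})
SAMPLE.append({"id": 200, "card": "card-C", "ts": 1200, "amount": 900.0})

if __name__ == "__main__":
    print(run(SAMPLE))
```

The small-amount burst on card-A never trips the per-transaction rule; only the windowed view of the sequence exposes it.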
55. 55
•Fraud Detection
Credit card data (70-80 variables per transaction):
• Transaction ID
• Transaction type
• Date and time of transaction
(to nearest second)
• Amount
• Currency
• Local currency amount
• Merchant category
• Card issuer ID
• ATM ID
• POS type
• Cheque account prefix
• Savings account prefix
• Acquiring institution ID
• Transaction authorisation code
• Online authorisation performed
• New card
• Transaction exceeds floor limit
• Number of times chip has been accessed
• Merchant city name
• Chip terminal capability
• Chip card verification result
Card
56. 56
• Fraud Detection
Basics
Fraud Detection
Speed is the key !!!
- many transactions - billions - algorithms must be efficient
- mixed variable types (generally not text, image)
- large number of variables
- incomprehensible variables, irrelevant variables
- different misclassification costs
- many ways of committing fraud
- unbalanced class sizes (c. 0.1% transactions fraudulent)
- delay in labelling
- mislabelled classes
- random transaction arrival times
- (reactive) population drift
- Maintain a sliding buffer of the last billion transactions in RAM
(fast memory)
- Organize the transactions in such a way that some queries
could be executed very fast
- Develop some clever algorithms that operate on this data
structure
- Will it work??? Yes, it will !!! Yes, it does …
57. 57
• Fraud Detection
Basics
Fraud Detection
Challenge: real-time detection!
• Monitor in real time all POS/ATM transactions
• Detect unusual patterns and block compromised cards as quickly as
possible
• Ideally: block compromised cards before fraud is discovered!
• A big question: can we do it ???
• Some numbers:
• 3,000,000,000 transactions per year
• up to 15,000,000 transactions per day
• up to 400 transactions per second (peak hours)
• 100,000,000 cards
59. 59
• Fraud Detection
Basics
Fraud Detection
–SQL like language for specifying processing rules
–Analysis over rolling and tumbling windows of time
–Filtering and Joining streams
–Grouping and Ordering output
–For routing events between stages and between clusters
–Event Mutation
–Correlation
–Patterns
60. 60
• Fraud Detection
Basics
Fraud Detection
•Rolling window aggregation over long time windows
(hours or days)
•Session store scaling to 1 million insert/update per sec
•Dynamic Joins with graphs and RDBMS tables
•Auto scaling based on load sensing
•Hot deployment of Java source code
61. 61
• Fraud Detection
Basics
• Outlier Detection
• detecting data points that don’t follow the trends and
patterns in the data
• rule base detection
• anomaly detection
• Two approaches for treating input
• focus on instance of data point
• focus on sequence of data points
• Three kinds of algorithms
• building a model out of data
• using data directly.
• immune system based on temporal data
• Real time fraud detection
• feasible with model based approach
• A model is built with batch processing of training data
• A real time stream processor uses the model and
makes predictions in real time
Fraud Detection
62. 62
•
Economy Imperative
• Not worth spending $200m to stop $20m fraud
• The Pareto principle
• the first 50% of fraud is easy to stop
• next 25% takes the same effort
• next 12.5% takes the same effort
• Resources available for fraud detection are always limited
• around 3% of police resources go on fraud ?
• this will not significantly increase
• If we cannot outspend the fraudsters we must out-think them
Fraud Detection
64. 64
•Fraud Detection
AIS are adaptive systems inspired by theoretical immunology and
observed immune functions, principles and models, which
are applied to complex problem domains
•Immune system needs to be able to differentiate between
self and non-self cells
•may result in cell death therefore
• Some kind of positive selection(Clonal Selection)
• Some kind of negative selection
Artificial
Immune Systems
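Negative selection as outlined on this slide, as an added example that is not part of the original deck: candidate detectors that match any "self" pattern are discarded (the cell-death step), and the survivors flag non-self. The 8-bit behaviour patterns, the Hamming-distance matching rule and the radius are constructed assumptions.

```python
from itertools import product

def hamming(a, b):
    """Number of positions where two equal-length bit strings differ."""
    return sum(x != y for x, y in zip(a, b))

def matches(detector, pattern, radius=1):
    """Assumed matching rule: detector binds a pattern within `radius` bits."""
    return hamming(detector, pattern) <= radius

def train_detectors(self_set, length=8, radius=1):
    """Negative selection: keep only candidates that match no self pattern."""
    detectors = []
    for bits in product("01", repeat=length):   # exhaustive candidate pool
        candidate = "".join(bits)
        if not any(matches(candidate, s, radius) for s in self_set):
            detectors.append(candidate)          # survives censoring
    return detectors

def is_non_self(pattern, detectors, radius=1):
    """A pattern is non-self if any surviving detector binds to it."""
    return any(matches(d, pattern, radius) for d in detectors)

# Constructed "self" set: bit patterns standing for normal account behaviour
# (each bit is a hypothetical yes/no feature of a transaction).
SELF = ["00000000", "00001111", "11110000"]

if __name__ == "__main__":
    detectors = train_detectors(SELF)
    print(len(detectors), is_non_self("11111111", detectors))
```

Because every detector that could bind a self pattern was removed during training, self patterns are never flagged; the radius controls how much of the space around self is tolerated.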
65. 65
•Fraud Detection
A type of agranulocyte (non-granular white blood cell) that is involved in immune function and accounts for 30% of all white blood cells.
•T cell
•Helper T cell
•Cytotoxic T cell (killer T cell)
•Suppressor T cell
•B cell
•Natural killer cell (NK cell)
Lymphocyte
67. 67
•Fraud Detection
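A T cell, or T lymphocyte, is one of the lymphocytes that governs antigen-specific adaptive immunity. It is named "T cell" after the first letter of the thymus, where it matures. About three quarters of all lymphocytes are T cells.
T cells are classified into naive T cells that have not yet encountered an antigen, effector T cells that have matured after encountering an antigen (helper T cells, cytotoxic T cells, natural killer T cells), and memory T cells.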
T cell
70. 70
• Danger Theory
•Proposed by Polly Matzinger, around 1995
•Traditional self/non-self theory doesn’t always match
observations
•Immune system always responds to non-self
•Immune system always tolerates self
•Antigen-presenting cell(APC):T-cell activation by APCs
•Danger theory relates innate and adaptive immune systems
•Tissues induce tolerance towards themselves
•Tissues protect themselves and select class of response
Fraud Detection
71. 71
•
•Tissues induce tolerance by
•Lymphocytes receive 2 signals
•antigen/lymphocyte binding
•antigen is properly presented by APC
•Signal 1 WITHOUT signal 2 : lymphocyte death
•Tissues protect themselves
•Alarm Signals activate APCs
•Alarm signals come from
•Cells that die unnaturally
•Cells under stress
•APCs activate lymphocytes
•Tissues dictate response type
•Alarm signals may convey information
Danger Theory
Fraud Detection
76. 76
•Fraud Detection
In the natural immune system, all cells of the body are
categorized into two types: self and non-self. The
immune process is to detect non-self among the cells.
Use the Positive Selection Algorithm (PSA) to
perform the non-self detection for recognizing
malicious executables.
Non-self Detection
Principle
86. 86
•Solutions
• Storage
• Hadoop
• HDFS: Distributed File System(DFS)
• MapReduce : parallel processing
• Algorithms
• on-line learning (Immune System and Genetic Algorithms)
• batch model
• direct data
• Stream
• Neural stream
• Decentralize decision process
• Cell base detection
• Network for Artificial Immune Systems
• Lambda architecture, Pulsar can’t use on-line learning
Neural Stream
87. 87
• Classical rule-based
approach
• Always “too late”:
• New fraud pattern is “invented” by criminals
• Cardholders lose money and complain
• Banks investigate complaints and try to understand
the new pattern
• A new rule is implemented a few weeks later
• Expensive to build (knowledge intensive)
• Difficult to maintain:
• Many rules
• The situation is dynamically changing, so rules frequently
have to be added, modified, or removed …
Solutions
88. 88
•Solutions
• Every bank user gets a vector of parameters that describe his/her
behavior: an “average-behavior” profile
• The system constantly compares this “long-term” profile with the
recent behavior of cardholder
• Transactions that do not fit into bank user’s profile are flagged as
suspicious (or are blocked)
• Profiles are updated with every single transaction, so the system
constantly adapts to (slow and small) changes in bank user's behavior
A system based on
profiles
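A profile-based check of the kind this slide describes, as an added example that is not part of the original deck. It narrows the "vector of parameters" to a single one, the transaction amount, tracked as a running mean and variance; the thresholds, user names and sample stream are constructed assumptions.

```python
import math
from collections import defaultdict

MIN_HISTORY = 5     # assumed: transactions needed before a profile is trusted
Z_THRESHOLD = 3.0   # assumed: deviation from the profile that counts as suspicious

class Profile:
    """Long-term profile of one user's amounts (Welford's running mean/variance)."""
    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def zscore(self, amount):
        """How far a new amount sits from the profile, in standard deviations."""
        if self.n < MIN_HISTORY:
            return 0.0                      # too little history to judge
        std = math.sqrt(self.m2 / (self.n - 1))
        return abs(amount - self.mean) / max(std, 1e-9)

    def update(self, amount):
        self.n += 1
        delta = amount - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (amount - self.mean)

def process(stream):
    """Score each (txn_id, user, amount) against the user's profile, then update it."""
    profiles = defaultdict(Profile)
    flagged = []
    for txn_id, user, amount in stream:
        profile = profiles[user]
        if profile.zscore(amount) > Z_THRESHOLD:
            flagged.append(txn_id)
        profile.update(amount)   # as on the slide: updated with every transaction
    return flagged

# Constructed sample: user-1 has a steady spending pattern, then one outlier;
# user-2 appears for the first time, so there is no profile to compare against.
SAMPLE = [(i, "user-1", a)
          for i, a in enumerate([20, 22, 19, 21, 20, 23, 18, 21, 24, 950])]
SAMPLE.append((10, "user-2", 950))

if __name__ == "__main__":
    print(process(SAMPLE))
```

The same amount is flagged for user-1 and passes for user-2, which shows the cold-start gap a profile system has to cover with other controls until enough history exists.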