Catch them in the Act: Fraud Detection with WSO2 Complex Event Processor and WSO2 Business Activity Monitor

Please use the below URL for the recording of this webinar.

http://wso2.com/library/webinars/2015/02/catch-them-in-the-act-fraud-detection-with-wso2-cep-and-wso2-bam/


In this webinar, Seshika Fernando, technical lead at WSO2, will discuss:

  • Combined usage of WSO2 BAM and WSO2 CEP for fraud detection
  • Fraud detection through static rules
  • Fraud detection through fraud scoring
  • Fraud detection using Markov models

Published in: Technology

  1. “Catch them in the act”: Fraud Detection with WSO2 CEP and WSO2 BAM
     Seshika Fernando, Technical Lead
  2. How big is the problem?
     ๏ It's $4 Trillion BIG!
     ๏ Forrester Research Findings
     ๏ $3.5 – 4 Trillion in Global Losses per year
     ๏ This amounts to 5% of Global GDP
     ๏ Globally, Merchants are paying $200 – $250 Billion in Fraud losses
     ๏ Financial Services losing $12 – 15 Billion
  3. Who should be worried?
  4. Why WSO2 CEP?
  5. Fraudster: Intuition
     ๏ Use stolen cards
     ๏ Buy Expensive stuff
     ๏ In Large Quantities
     ๏ Very quickly
     ๏ At odd hours
     ๏ Ship to many places
     ๏ Provide weird email addresses
     ๏ Get rejected often
     Siddhi Queries
  6. Siddhi for Expensive Purchases

         define table PremiumProducts (itemNo string);

         -- Flag any transaction whose item is listed as a premium product.
         from TransactionStream[(itemNo == PremiumProducts.itemNo) in PremiumProducts]
         select *
         insert into FraudStream;

  7. Siddhi for Many Shipments

         -- Count distinct shipping addresses per card.
         from TransactionStream#window.unique(shippingAddress)
         select txnID, cardNo, count(shippingAddress) as counter
         group by cardNo
         insert into CountStream;

         -- Flag cards that ship to more than 5 addresses.
         from CountStream[counter > 5]
         select *
         insert into FraudStream;

  8. Siddhi for Large Quantities

         define table QuantityAverages (itemNo string, avgQty int, stdevQty int);

         -- Flag quantities more than 2 standard deviations above the item's average.
         from TransactionStream[(itemNo == av.itemNo and qty > (av.avgQty + 2 * av.stdevQty)) in QuantityAverages as av]
         select *
         insert into FraudStream;

  9. Siddhi for Large Quantities (Learning)

         define table QuantityAverages (itemNo string, avgQty int, stdevQty int);

         -- Relearn the per-item average and standard deviation over an 8-hour window.
         -- The aliases are named after the table columns they update.
         from TransactionStream#window.time(8 hours)
         select itemNo, avg(qty) as avgQty, stdev(qty) as stdevQty
         group by itemNo
         update QuantityAverages as av on itemNo == av.itemNo;

         from TransactionStream[(itemNo == av.itemNo and qty > (av.avgQty + 2 * av.stdevQty)) in QuantityAverages as av]
         select *
         insert into FraudStream;

  10. Siddhi for Transaction Velocity

         -- A transaction followed by 3 or more transactions on the same card within 5000.
         from e1 = TransactionStream ->
              e2 = TransactionStream[e1.cardNo == e2.cardNo] <3:>
              within 5000
         select e1.cardNo, e1.txnID, e2[0].txnID, e2[1].txnID, e2[2].txnID
         insert into FraudStream;
  11. Siddhi Templates
  12. The False Positive Trap
      ๏ So what if I buy Expensive stuff (Rich guy)
      ๏ And why can’t I buy a lot (Gift giver)
      ๏ Very Quickly (Busy man)
      ๏ At odd hours (Night owl)
      ๏ Ship to many places (Many girlfriends?)
      Blocking genuine customers could be counterproductive and costly
  13. Fraud Scoring
      ๏ Use combinations of rules
      ๏ Give weights to each rule
      ๏ Derive a single number that reflects many fraud indicators
      ๏ Use a threshold to reject transactions
      ๏ You just bought a Diamond Ring?
      ๏ You bought 20 Diamond Rings, in 15 minutes at 3am from an IP address in Nigeria?
  14. Fraud Scoring

         Score = itemPrice * 0.0001
               + itemQuantity * 0.1
               + isFreeEmail * 2.5
               + highRiskCountry * 10
               + suspiciousUsername * 5
               + suspiciousIPRange * 10

  15. Siddhi for Fraud Scoring
  16. Markov Models
      A Markov model is a stochastic model used to model randomly changing systems where it is assumed that future states depend only on the present state and not on the sequence of events that preceded it.
  17. Markov Models for Fraud Detection
      ๏ Classify each transaction into ‘states’ based on certain transaction parameters
      ๏ Compute the probabilities of state transitions
      ๏ Compare incoming transaction sequences with state transition probabilities and flag sequences that have very low probabilities as possible fraud
  18. Markov Models for Fraud Detection
  19. Markov Model: Classification
      Each transaction is classified under the following three qualities and expressed as a 3-letter token, e.g., HNN
      ๏ Amount spent: Low, Normal and High
      ๏ Whether the transaction includes high price ticket item: Normal and High
      ๏ Time elapsed since the last transaction: Large, Normal and Small
  20. Markov Models: Probability Matrix
      ๏ Create a State Transition Probability Matrix

               LNL       LNH       LNS       LHL       HHL       HHS       HNS
         LNL   0.976788  0.542152  0.20706   0.095459  0.007166  0.569172  0.335481
         LNH   0.806876  0.609425  0.188628  0.651126  0.113801  0.630711  0.099825
         LNS   0.07419   0.83973   0.951471  0.156532  0.12045   0.201713  0.970792
         LHL   0.452885  0.634071  0.328956  0.786087  0.676753  0.063064  0.225353
         HHL   0.386206  0.255719  0.451524  0.469597  0.810013  0.444638  0.612242
         HHS   0.204606  0.832722  0.043194  0.459342  0.960486  0.796382  0.34544
         HNS   0.757737  0.371359  0.326846  0.970243  0.771326  0.015835  0.574333

  21. Markov Models: Probability Comparison
      ๏ Compare the probabilities of incoming transaction sequences with thresholds and flag fraud as appropriate
      ๏ Can use direct probabilities or more complex metrics
      ๏ Miss Rate Metric
      ๏ Miss Probability Metric
      ๏ Entropy Reduction Metric
      ๏ Update Markov Probability table with incoming transactions
  22. Life after Detection
  23. Contact us!
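
The Markov-model steps from slides 17 to 21 (classify each transaction into a 3-letter token, build the state transition probabilities, compare an incoming sequence against a threshold), as an added Python example that is not part of the original slides. The amount and time cut-offs, the add-alpha smoothing, the threshold and all sample transactions are constructed assumptions; the score used is the mean log-probability per transition, one form of the "direct probabilities" option.

```python
from collections import defaultdict
from math import log

# Every token the three qualities allow: amount L/N/H, ticket N/H, gap L/N/S.
STATES = [a + t + g for a in "LNH" for t in "NH" for g in "LNS"]

def classify(amount, high_ticket, gap_s):
    """3-letter token for one transaction. The cut-offs are constructed."""
    a = "L" if amount < 50 else "N" if amount < 500 else "H"
    t = "H" if high_ticket else "N"
    g = "S" if gap_s < 300 else "N" if gap_s < 7 * 86400 else "L"
    return a + t + g

class MarkovModel:
    def __init__(self, alpha=1.0):
        self.alpha = alpha  # add-alpha smoothing so unseen transitions are not 0
        self.counts = defaultdict(lambda: defaultdict(int))

    def update(self, tokens):
        """Fold a token sequence into the transition counts (training or live)."""
        for prev, cur in zip(tokens, tokens[1:]):
            self.counts[prev][cur] += 1

    def prob(self, prev, cur):
        """Smoothed P(cur | prev); each row sums to 1 over STATES."""
        row = self.counts[prev]
        return (row[cur] + self.alpha) / (sum(row.values()) + self.alpha * len(STATES))

    def avg_log_prob(self, tokens):
        """Mean log-probability per transition; lower means less expected."""
        pairs = list(zip(tokens, tokens[1:]))
        return sum(log(self.prob(p, c)) for p, c in pairs) / max(len(pairs), 1)

# Constructed data for one card: (amount, high_ticket, seconds since last txn).
HISTORY = [(20, False, 86400), (35, False, 3600), (120, False, 172800),
           (15, False, 7200), (40, False, 86400), (200, False, 259200),
           (25, False, 43200), (30, False, 86400)] * 5
NORMAL = [(22, False, 86400), (150, False, 90000), (30, False, 4000)]
BURST = [(900, True, 40), (950, True, 30), (990, True, 20)]  # large, fast, high-ticket

def tokens(txns):
    return [classify(*t) for t in txns]

def demo(threshold=-2.5):  # threshold is an assumption; tune it on real data
    model = MarkovModel()
    model.update(tokens(HISTORY))
    scores = {"normal": model.avg_log_prob(tokens(NORMAL)),
              "burst": model.avg_log_prob(tokens(BURST))}
    return {name: (s, s < threshold) for name, s in scores.items()}

if __name__ == "__main__":
    print(demo())
```

Calling `update()` on sequences that were not flagged keeps the table current, matching the last bullet of slide 21.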