![Page 1: Catch them in the Act: Fraud Detection with WSO2 Complex Event Processor and WSO2 Business Activity Monitor](https://reader034.vdocuments.us/reader034/viewer/2022042716/55a59d4a1a28ab91018b45df/html5/thumbnails/1.jpg)
“Catch them in the act”
Fraud Detection with WSO2 CEP and WSO2 BAM
Seshika Fernando
Technical Lead
How big is the problem?
๏ It's $4 Trillion BIG!
๏ Forrester Research Findings
๏ $ 3.5 – 4 Trillion in Global Losses per year
๏ This amounts to 5% of Global GDP
๏ Globally, Merchants are paying $200 - $250 Billion in Fraud losses
๏ Financial Services losing $ 12 – 15 Billion
Who should be worried?
Why WSO2 CEP?
Fraudster: Intuition
๏ Use stolen cards
๏ Buy Expensive stuff
๏ In Large Quantities
๏ Very quickly
๏ At odd hours
๏ Ship to many places
๏ Provide weird email addresses
๏ Get rejected often
Siddhi Queries
Siddhi for Expensive Purchases
define table PremiumProducts (itemNo string);
from TransactionStream[(itemNo== PremiumProducts.itemNo) in PremiumProducts ]
select *
insert into FraudStream;
Siddhi for Many Shipments
from TransactionStream#window.unique(shippingAddress)
select txnID, cardNo, count(shippingAddress) as counter
group by cardNo
insert into CountStream;
from CountStream[counter>5]
select *
insert into FraudStream;
Siddhi for Large Quantities
define table QuantityAverages
(itemNo string, avgQty int, stdevQty int);
from TransactionStream
[(itemNo== av.itemNo and qty > (av.avgQty + 2 * av.stdevQty)) in QuantityAverages as av]
select *
insert into FraudStream;
Siddhi for Large Quantities (Learning)
define table QuantityAverages
(itemNo string, avgQty int, stdevQty int);
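-- Recompute per-item statistics over a sliding 8-hour window;
-- the aliases match the QuantityAverages column names.
from TransactionStream#window.time(8 hours)
select itemNo, avg(qty) as avgQty, stdev(qty) as stdevQty
group by itemNo
update QuantityAverages as av
on itemNo == av.itemNo;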
from TransactionStream
[(itemNo== av.itemNo and qty > (av.avgQty + 2 * av.stdevQty)) in QuantityAverages as av]
select *
insert into FraudStream;
Siddhi for Transaction Velocity
from e1 = TransactionStream ->
e2 = TransactionStream[e1.cardNo == e2.cardNo] <3:>
within 5000
-- Each selected txnID needs its own output name.
select e1.cardNo, e1.txnID as txnID1, e2[0].txnID as txnID2, e2[1].txnID as txnID3, e2[2].txnID as txnID4
insert into FraudStream;
Siddhi Templates
The False Positive Trap
๏ So what if I buy Expensive stuff (Rich guy)
๏ And why can’t I buy a lot (Gift giver)
๏ Very Quickly (Busy man)
๏ At odd hours (Night owl)
๏ Ship to many places (Many girlfriends?)
Blocking genuine customers could be counterproductive and costly
Fraud Scoring
๏ Use combinations of rules
๏ Give weights to each rule
๏ Derive a single number that reflects many fraud indicators
๏ Use a threshold to reject transactions
๏ You just bought a Diamond Ring?
๏ You bought 20 Diamond Rings, in 15 minutes at 3am from an IP address in Nigeria?
Fraud Scoring
Score = itemPrice * 0.0001
+ itemQuantity * 0.1
+ isFreeEmail * 2.5
+ highRiskCountry * 10
+ suspiciousUsername * 5
+ suspiciousIPRange * 10
Siddhi for Fraud Scoring
Markov Models
A Markov model is a stochastic model used to model randomly changing systems where it is assumed that future states depend only on the present state and not on the sequence of events that preceded it.
Markov Models for Fraud Detection
๏ Classify each transaction into ‘states’ based on certain transaction parameters.
๏ Compute the probabilities of state transitions
๏ Compare incoming transaction sequences with state transition probabilities and flag sequences that have very low probabilities as possible fraud
Markov Models for Fraud Detection
Markov Model: Classification
Each transaction is classified under the following three qualities and expressed as a 3 letter token, e.g., HNN
๏ Amount spent: Low, Normal and High
๏ Whether the transaction includes a high-priced ticket item: Normal and High
๏ Time elapsed since the last transaction: Large, Normal and Small
Markov Models: Probability Matrix
๏ Create a State Transition Probability Matrix

| | LNL | LNH | LNS | LHL | HHL | HHS | HNS |
|---|---|---|---|---|---|---|---|
| LNL | 0.976788 | 0.542152 | 0.20706 | 0.095459 | 0.007166 | 0.569172 | 0.335481 |
| LNH | 0.806876 | 0.609425 | 0.188628 | 0.651126 | 0.113801 | 0.630711 | 0.099825 |
| LNS | 0.07419 | 0.83973 | 0.951471 | 0.156532 | 0.12045 | 0.201713 | 0.970792 |
| LHL | 0.452885 | 0.634071 | 0.328956 | 0.786087 | 0.676753 | 0.063064 | 0.225353 |
| HHL | 0.386206 | 0.255719 | 0.451524 | 0.469597 | 0.810013 | 0.444638 | 0.612242 |
| HHS | 0.204606 | 0.832722 | 0.043194 | 0.459342 | 0.960486 | 0.796382 | 0.34544 |
| HNS | 0.757737 | 0.371359 | 0.326846 | 0.970243 | 0.771326 | 0.015835 | 0.574333 |
Markov Models: Probability Comparison
๏ Compare the probabilities of incoming transaction sequences with thresholds and flag fraud as appropriate
๏ Can use direct probabilities or more complex metrics
๏ Miss Rate Metric
๏ Miss Probability Metric
๏ Entropy Reduction Metric
๏ Update Markov Probability table with incoming transactions
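The classification, probability-matrix and comparison steps from the Markov model slides, as an added Python example that is not part of the original deck. The cut-off values, the Laplace smoothing, the 0.1 threshold and all function names are assumptions, and it uses the direct-probability option (as a geometric mean of transition probabilities) rather than the named metrics.

```python
from collections import defaultdict
from math import exp, log

AMOUNT_LOW, AMOUNT_HIGH = 20.0, 500.0  # assumed cut-offs for amount spent
GAP_SMALL, GAP_LARGE = 60.0, 86400.0   # assumed cut-offs, seconds since last transaction
ALL_STATES = [a + t + g for a in "LNH" for t in "NH" for g in "LNS"]

def classify(amount, has_high_ticket_item, gap_seconds):
    """Map one transaction to a three-letter state token such as 'HNN'."""
    a = "L" if amount < AMOUNT_LOW else "H" if amount > AMOUNT_HIGH else "N"
    t = "H" if has_high_ticket_item else "N"
    g = "S" if gap_seconds < GAP_SMALL else "L" if gap_seconds > GAP_LARGE else "N"
    return a + t + g

class MarkovModel:
    def __init__(self, smoothing=1.0):
        self.smoothing = smoothing  # assumed Laplace smoothing: unseen transitions stay > 0
        self.counts = defaultdict(lambda: defaultdict(float))

    def update(self, tokens):
        """Add the state transitions of one card's token sequence to the counts."""
        for prev, cur in zip(tokens, tokens[1:]):
            self.counts[prev][cur] += 1

    def prob(self, prev, cur):
        """Row-normalised estimate of P(cur | prev)."""
        row = self.counts[prev]
        total = sum(row.values()) + self.smoothing * len(ALL_STATES)
        return (row[cur] + self.smoothing) / total

    def sequence_score(self, tokens):
        """Geometric mean of the transition probabilities along the sequence."""
        pairs = list(zip(tokens, tokens[1:]))
        if not pairs:  # a single transaction has no transition to judge
            return 1.0
        return exp(sum(log(self.prob(p, c)) for p, c in pairs) / len(pairs))

    def check(self, tokens, threshold=0.1):  # 0.1 is an assumed threshold
        """Flag a low-probability sequence; learn only from sequences that pass."""
        flagged = self.sequence_score(tokens) < threshold
        if not flagged:
            self.update(tokens)
        return flagged

def demo():
    model = MarkovModel()
    for _ in range(50):  # constructed history of one card's usual behaviour
        model.update(["NNN", "NNL", "LNN", "NNN"])
    return model.check(["NNN", "NNL", "LNN"]), model.check(["NNN", "HHS", "HHS", "HHS"])
```

Learning only from sequences that pass the check keeps a burst of flagged transactions from raising its own transition probabilities in the table.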
Life after Detection