CIFD: Computational Immunology for Fraud Detection

1
CIFDComputational Immunology for Fraud Detection
Dr Richard Overill Department of Computer Science
International Centre for Security
Analysis, Kings College London
2
Computational Immunology for Fraud Detection

• DTI LINK project funded under Phase 1 of the
  Management of Information programme
• Application of adaptive, self-learning
  technologies with low overheads (CI) to fraud
  detection in the financial sector
• Partners (with Kings College London)
• Anite Government Systems Ltd. (developer)
• The Post Office (end user)

3
Natural Immune Systems

• are multi-layered (defence in depth)
• consist of several sub-systems
• innate immune system (scavenger cells which
  ingest debris and pathogens
• acquired immune system (white blood cells which
  co-operate to detect and eliminate pathogens /
  antigens)

4
Acquired Immune System

• Detector cells generated in bone marrow
  (B-cells), and in lymph system but matured in
  thymus gland (T-cells).
• Self-binding T-cell detectors destroyed by
  censoring (negative selection) in thymus.
• B- remaining T-detectors released to bind to
  and destroy foreign (non-self) antigens.

5
(No Transcript)
6
Digital Immune Systems I

• Train with known normal behaviour (self)
• Generate database(s) of self-signatures.
• Generate a (random) initial population of
  detectors and screen it against database(s).
• Challenge the detectors with possibly anomalous
  behaviour (may contain some foreign activity).

7
Digital Immune Systems II

• An (approximate) match between a detector and an
  activity trace indicates a possible anomaly.
• React to (warn of) the possible anomaly.
• Evolve the population of detectors to reflect
  successful and consistently unsuccessful
  detectors (cloning / killing).

8
Digital Immune Systems III

• Can be host-based or network-based
• Host-based systems monitor behaviour or processes
  on servers or other network hosts.
• Network-based systems are of 2 types
• statistical traffic analysis using e.g. IP source
  destination addresses and IP port / service.
• Promiscuous mode sniffing of IP packets for
  anomalous behaviour.

9
Application to CIFD

• Build a database(s) of normal transactions and
  sequences of transactions.
• Look for anomalous and hence potentially
  fraudulent patterns of behaviour in actual
  transactions and transaction sequences, using the
  detector matching criteria.
• Adapt the detector population.

10
Advantages of CI

• Redundancy collective behaviour of many
  detectors should lead to emergent properties of
  robustness and fault tolerance - no centralised
  or hierarchical control, no SPoF.
• Memory of previous encounters can be built in,
  e.g. as long-lived successful detectors.
• Various adaptive learning strategies can be tried
  out, e.g. affinity maturation, niching.

11
Disadvantages of CI

• Subject to compromise in similar ways to the
  human immune system, i.e.
• subversion via auto-immune reaction (cf.
  rheumatoid arthritis) where the system is induced
  to misidentify self as foreign.
• subversion via immune deficiency response (cf.
  HIV-AIDS) where the systems response is
  suppressed - misidentifying foreign as self.
• subversion by concealing foreign behaviour in
  self disguise (Wolf in sheeps clothing or
  T.H.)

12
Previous Applicationsof CI

• Computational Immunology (aka Artificial Immune
  Systems, AIS, in the USA) has already been used
  successfully for
• detecting the activity of computer viruses and
  other malicious software (IBM TJW Res Cen.)
• detecting attempted intrusions into computers and
  networks (New Mexico Memphis Univs)

13
Thank you!Any Questions?ContactTel 020
7848 2833Fax 020 7848 2913Email
richard_at_dcs.kcl.ac.uk