CIFD: Computational Immunology for Fraud Detection
Dr Richard Overill Department of Computer Science & International Centre for Security Analysis, King‟s College London
�Computational Immunology for Fraud Detection
• DTI LINK project funded under Phase 1 of the Management of Information programme • Application of adaptive, self-learning technologies with low overheads (CI) to fraud detection in the financial sector • Partners (with King‟s College London):
– Anite Government Systems Ltd. (developer) – The Post Office (end user)
�Natural Immune Systems
• are multi-layered (“defence in depth”) • consist of several sub-systems:
– innate immune system (scavenger cells which ingest debris and pathogens – acquired immune system (white blood cells which co-operate to detect and eliminate pathogens / antigens)
�Acquired Immune System
• Detector cells generated in bone marrow (B-cells), and in lymph system but matured in thymus gland (T-cells). • Self-binding T-cell detectors destroyed by censoring (negative selection) in thymus. • B- & remaining T-detectors released to bind to and destroy foreign (non-self) antigens.
��Digital Immune Systems I
• Train with known normal behaviour (“self”) • Generate database(s) of self-signatures. • Generate a (random) initial population of detectors and screen it against database(s). • Challenge the detectors with possibly anomalous behaviour (may contain some “foreign” activity).
�Digital Immune Systems II
• An (approximate) match between a detector and an activity trace indicates a possible anomaly. • React to (warn of) the possible anomaly. • Evolve the population of detectors to reflect successful and consistently unsuccessful detectors (cloning / killing).
�Digital Immune Systems III
• Can be host-based or network-based: • Host-based systems monitor behaviour or processes on servers or other network hosts. • Network-based systems are of 2 types:
– statistical traffic analysis using e.g. IP source & destination addresses and IP port / service. – Promiscuous mode „sniffing‟ of IP packets for anomalous behaviour.
�Application to CIFD
• Build a database(s) of normal transactions and sequences of transactions. • Look for anomalous and hence potentially fraudulent patterns of behaviour in actual transactions and transaction sequences, using the detector matching criteria. • Adapt the detector population.
�Advantages of CI
• Redundancy: collective behaviour of many detectors should lead to emergent properties of robustness and fault tolerance - no centralised or hierarchical control, no SPoF. • Memory of previous encounters can be built in, e.g. as long-lived successful detectors. • Various adaptive learning strategies can be tried out, e.g. affinity maturation, niching.
�Disadvantages of CI
• Subject to compromise in similar ways to the human immune system, i.e.
– subversion via „auto-immune‟ reaction (cf. rheumatoid arthritis) where the system is induced to misidentify “self” as “foreign”. – subversion via „immune deficiency‟ response (cf. HIV-AIDS) where the system‟s response is suppressed - misidentifying “foreign” as “self”. – subversion by concealing “foreign” behaviour in “self” disguise (“Wolf in sheep‟s clothing” or T.H.)
�Previous Applications of CI
• Computational Immunology (aka Artificial Immune Systems, AIS, in the USA) has already been used successfully for:
– detecting the activity of computer viruses and other malicious software (IBM TJW Res Cen.) – detecting attempted intrusions into computers and networks (New Mexico & Memphis Univs)
�Thank you! Any Questions? Contact:
Tel: 020 7848 2833 Fax: 020 7848 2913 Email: richard@dcs.kcl.ac.uk
�