CIFD: Computational Immunology for Fraud Detection
Dr Richard Overill, Department of Computer Science & International Centre for Security Analysis, King's College London
Computational Immunology for Fraud Detection
DTI LINK project funded under Phase 1 of the Management of Information programme.
Application of adaptive, self-learning technologies with low overheads (CI) to fraud detection in the financial sector.
Partners (with King's College London):
–Anite Government Systems Ltd. (developer)
–The Post Office (end user)
Natural Immune Systems
Are multi-layered (defence in depth) and consist of several sub-systems:
–innate immune system (scavenger cells which ingest debris and pathogens)
–acquired immune system (white blood cells which co-operate to detect and eliminate pathogens / antigens)
Acquired Immune System
Detector cells are generated in bone marrow (B-cells), and in the lymph system but matured in the thymus gland (T-cells).
Self-binding T-cell detectors are destroyed by censoring (negative selection) in the thymus.
B- and remaining T-detectors are released to bind to and destroy foreign (non-self) antigens.
Digital Immune Systems I
Train with known normal behaviour (self).
Generate database(s) of self-signatures.
Generate a (random) initial population of detectors and screen it against the database(s).
Challenge the detectors with possibly anomalous behaviour (may contain some foreign activity).
Digital Immune Systems II
An (approximate) match between a detector and an activity trace indicates a possible anomaly.
React to (warn of) the possible anomaly.
Evolve the population of detectors to reflect successful and consistently unsuccessful detectors (cloning / killing).
Digital Immune Systems III
Can be host-based or network-based:
Host-based systems monitor behaviour or processes on servers or other network hosts.
Network-based systems are of two types:
–statistical traffic analysis using e.g. IP source & destination addresses and IP port / service.
–promiscuous-mode sniffing of IP packets for anomalous behaviour.
Application to CIFD
Build database(s) of normal transactions and sequences of transactions.
Look for anomalous, and hence potentially fraudulent, patterns of behaviour in actual transactions and transaction sequences, using the detector matching criteria.
Adapt the detector population.
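The negative-selection loop described on the Digital Immune Systems I/II slides, applied to transaction sequences as on the CIFD slide, as an added example (not code from the project or the presentation). It assumes r-contiguous-symbol matching as the "approximate match" criterion, a constructed alphabet of transaction-type codes and a constructed self database; the evolution step (cloning / killing) is left out.

```python
import random

# Constructed sample data (not from the presentation): each trace is a fixed-length
# string of transaction-type codes, e.g. D=deposit, W=withdrawal, B=balance query,
# P=payment, T=transfer. SELF_TRACES stands in for the self-signature database.
ALPHABET = "DWBPT"
TRACE_LEN = 4
SELF_TRACES = ["DBWP", "DWBP", "BDWP", "DBPW", "WDBP", "BWDP"]

def r_contiguous_match(detector, trace, r):
    """Approximate match: True if detector and trace agree on r consecutive positions."""
    run = 0
    for a, b in zip(detector, trace):
        run = run + 1 if a == b else 0
        if run >= r:
            return True
    return False

def generate_detectors(self_traces, n_detectors, r, rng, max_attempts=10000):
    """Negative selection ('thymus censoring'): draw random candidate detectors and
    keep only those that bind no self trace, so survivors can only fire on non-self."""
    detectors, attempts = [], 0
    while len(detectors) < n_detectors and attempts < max_attempts:
        attempts += 1
        cand = "".join(rng.choice(ALPHABET) for _ in range(TRACE_LEN))
        if not any(r_contiguous_match(cand, s, r) for s in self_traces):
            detectors.append(cand)
    return detectors

def build_detectors(seed=7, n_detectors=20, r=2):
    """Wrapper with a fixed seed so a run is repeatable."""
    return generate_detectors(SELF_TRACES, n_detectors, r, random.Random(seed))

def classify(trace, detectors, r):
    """Return the detectors that bind the trace; a non-empty list flags a possible anomaly."""
    return [d for d in detectors if r_contiguous_match(d, trace, r)]

def detection_rate(traces, detectors, r):
    """Fraction of traces flagged: 0 on self by construction (no false positives from
    the screened population); on known-anomalous traces it measures detector coverage."""
    flagged = sum(1 for t in traces if classify(t, detectors, r))
    return flagged / len(traces)

if __name__ == "__main__":
    dets = build_detectors()
    anomalies = ["TTTT", "PPPP", "WWWW", "TPTP"]  # constructed: never seen as self
    print("self false-positive rate:", detection_rate(SELF_TRACES, dets, 2))
    print("anomaly detection rate:", detection_rate(anomalies, dets, 2))
    for t in anomalies:
        print(t, "bound by", classify(t, dets, 2))
```

Coverage of anomalies depends on how many detectors survive censoring and on r; raising r makes detectors more specific (fewer false alarms, more detectors needed), which is the trade-off the evolution step is meant to tune.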
Advantages of CI
Redundancy: the collective behaviour of many detectors should lead to emergent properties of robustness and fault tolerance - no centralised or hierarchical control, no single point of failure (SPoF).
Memory of previous encounters can be built in, e.g. as long-lived successful detectors.
Various adaptive learning strategies can be tried out, e.g. affinity maturation, niching.
Disadvantages of CI
Subject to compromise in similar ways to the human immune system, i.e.
–subversion via auto-immune reaction (cf. rheumatoid arthritis), where the system is induced to misidentify self as foreign.
–subversion via immune deficiency response (cf. HIV-AIDS), where the system's response is suppressed - misidentifying foreign as self.
–subversion by concealing foreign behaviour in self disguise (wolf in sheep's clothing, or T.H.).
Previous Applications of CI
Computational Immunology (aka Artificial Immune Systems, AIS, in the USA) has already been used successfully for:
–detecting the activity of computer viruses and other malicious software (IBM T. J. Watson Research Center)
–detecting attempted intrusions into computers and networks (Universities of New Mexico and Memphis)