Presentation on theme: "CIFD: Computational Immunology for Fraud Detection"— Presentation transcript:
1 CIFD: Computational Immunology for Fraud Detection
Dr Richard Overill
Department of Computer Science & International Centre for Security Analysis, King’s College London
2 Computational Immunology for Fraud Detection
- DTI LINK project funded under Phase 1 of the Management of Information programme
- Application of adaptive, self-learning technologies with low overheads (CI) to fraud detection in the financial sector
- Partners (with King’s College London):
  - Anite Government Systems Ltd. (developer)
  - The Post Office (end user)
3 Natural Immune Systems
- are multi-layered (“defence in depth”)
- consist of several sub-systems:
  - innate immune system (scavenger cells which ingest debris and pathogens)
  - acquired immune system (white blood cells which co-operate to detect and eliminate pathogens / antigens)
4 Acquired Immune System
- Detector cells generated in bone marrow (B-cells), and in lymph system but matured in thymus gland (T-cells).
- Self-binding T-cell detectors destroyed by censoring (negative selection) in thymus.
- B- & remaining T-detectors released to bind to and destroy foreign (non-self) antigens.
6 Digital Immune Systems I
- Train with known normal behaviour (“self”).
- Generate database(s) of self-signatures.
- Generate a (random) initial population of detectors and screen it against database(s).
- Challenge the detectors with possibly anomalous behaviour (may contain some “foreign” activity).
7 Digital Immune Systems II
- An (approximate) match between a detector and an activity trace indicates a possible anomaly.
- React to (warn of) the possible anomaly.
- Evolve the population of detectors to reflect successful and consistently unsuccessful detectors (cloning / killing).
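The train / screen / challenge steps from slides 6 and 7, as an added example that is not part of the original presentation. It assumes an r-contiguous-symbols rule for the "approximate match", a constructed four-letter transaction alphabet, assumed values for the window length and threshold, and constructed sample sessions; the detector evolution step (cloning / killing) is left out.

```python
import random

ALPHABET = "DWTB"   # constructed codes: Deposit, Withdraw, Transfer, Balance
L, R = 6, 3         # window length and contiguous-match threshold (assumed)

def matches(detector, trace, r=R):
    """Approximate match: both strings agree on r contiguous positions."""
    run = 0
    for a, b in zip(detector, trace):
        run = run + 1 if a == b else 0
        if run >= r:
            return True
    return False

def windows(sequence, length=L):
    """Slide a fixed-length window over a transaction sequence."""
    return {sequence[i:i + length] for i in range(len(sequence) - length + 1)}

def train(self_sequences, n_candidates=3000, seed=1):
    """Build the self database, then censor random detectors against it."""
    self_db = set()
    for seq in self_sequences:
        self_db |= windows(seq)
    rng = random.Random(seed)
    detectors = set()
    for _ in range(n_candidates):
        cand = "".join(rng.choice(ALPHABET) for _ in range(L))
        # Negative selection: discard any detector that binds to "self".
        if not any(matches(cand, s) for s in self_db):
            detectors.add(cand)
    return self_db, detectors

def challenge(sequence, detectors):
    """Return the windows of an observed sequence that some detector binds to."""
    return sorted(w for w in windows(sequence)
                  if any(matches(d, w) for d in detectors))

# Constructed sample data: normal sessions never contain a withdrawal (W).
NORMAL = ["DBDBTBDBDB", "BDBTBDBDBT", "DBTBDBDBTB"]
SELF_DB, DETECTORS = train(NORMAL)

if __name__ == "__main__":
    print(len(SELF_DB), "self signatures;", len(DETECTORS), "detectors survive")
    print("normal  :", challenge("DBDBTBDBDB", DETECTORS))
    print("suspect :", challenge("DBDBWWWWWW", DETECTORS))
```

Because every surviving detector was screened against the self database, a trace made only of trained windows can never raise an alert; the cost is that behaviour close to "self" within the match threshold is also invisible to the detectors.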
8 Digital Immune Systems III
- Can be host-based or network-based:
- Host-based systems monitor behaviour or processes on servers or other network hosts.
- Network-based systems are of 2 types:
  - statistical traffic analysis using e.g. IP source & destination addresses and IP port / service.
  - promiscuous mode ‘sniffing’ of IP packets for anomalous behaviour.
9 Application to CIFD
- Build a database(s) of normal transactions and sequences of transactions.
- Look for anomalous and hence potentially fraudulent patterns of behaviour in actual transactions and transaction sequences, using the detector matching criteria.
- Adapt the detector population.
10 Advantages of CI
- Redundancy: collective behaviour of many detectors should lead to emergent properties of robustness and fault tolerance - no centralised or hierarchical control, no SPoF.
- Memory of previous encounters can be built in, e.g. as long-lived successful detectors.
- Various adaptive learning strategies can be tried out, e.g. affinity maturation, niching.
11 Disadvantages of CI
- Subject to compromise in similar ways to the human immune system, i.e.
  - subversion via ‘auto-immune’ reaction (cf. rheumatoid arthritis) where the system is induced to misidentify “self” as “foreign”.
  - subversion via ‘immune deficiency’ response (cf. HIV-AIDS) where the system’s response is suppressed - misidentifying “foreign” as “self”.
  - subversion by concealing “foreign” behaviour in “self” disguise (“Wolf in sheep’s clothing” or T.H.)
12 Previous Applications of CI
- Computational Immunology (aka Artificial Immune Systems, AIS, in the USA) has already been used successfully for:
  - detecting the activity of computer viruses and other malicious software (IBM TJW Res Cen.)
  - detecting attempted intrusions into computers and networks (New Mexico & Memphis Univs)
13 Thank you! Any Questions?