CIFD: Computational Immunology for Fraud Detection


1 CIFD: Computational Immunology for Fraud Detection
Dr Richard Overill
Department of Computer Science & International Centre for Security Analysis, King’s College London

2 Computational Immunology for Fraud Detection
DTI LINK project funded under Phase 1 of the Management of Information programme.
Application of adaptive, self-learning technologies with low overheads (CI) to fraud detection in the financial sector.
Partners (with King’s College London):
  Anite Government Systems Ltd. (developer)
  The Post Office (end user)

3 Natural Immune Systems
are multi-layered (“defence in depth”)
consist of several sub-systems:
  innate immune system (scavenger cells which ingest debris and pathogens)
  acquired immune system (white blood cells which co-operate to detect and eliminate pathogens / antigens)

4 Acquired Immune System
Detector cells generated in bone marrow (B-cells), and in lymph system but matured in thymus gland (T-cells). Self-binding T-cell detectors destroyed by censoring (negative selection) in thymus. B- & remaining T-detectors released to bind to and destroy foreign (non-self) antigens.

5

6 Digital Immune Systems I
Train with known normal behaviour (“self”).
Generate database(s) of self-signatures.
Generate a (random) initial population of detectors and screen it against database(s).
Challenge the detectors with possibly anomalous behaviour (may contain some “foreign” activity).

7 Digital Immune Systems II
An (approximate) match between a detector and an activity trace indicates a possible anomaly. React to (warn of) the possible anomaly. Evolve the population of detectors to reflect successful and consistently unsuccessful detectors (cloning / killing).
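
The train / screen / challenge cycle of slides 6 and 7, as an added example that is not part of the original presentation. It assumes activity traces are encoded as fixed-length bit strings and that the "(approximate) match" is an r-contiguous-bits rule; the slides specify neither, and the sample data and threshold are constructed.

```python
import random

def r_contiguous_match(a, b, r):
    """Approximate match: a and b agree in at least r adjacent positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False

def generate_detectors(self_set, count, length, r, rng, max_tries=100_000):
    """Screen random candidates against the self database (negative selection)."""
    detectors = []
    for _ in range(max_tries):
        if len(detectors) == count:
            break
        cand = "".join(rng.choice("01") for _ in range(length))
        # Censor any candidate that binds to known-normal behaviour.
        if not any(r_contiguous_match(cand, s, r) for s in self_set):
            detectors.append(cand)
    return detectors

def challenge(detectors, trace, r):
    """Return the detectors that match an activity trace (possible anomaly)."""
    return [d for d in detectors if r_contiguous_match(d, trace, r)]

# Constructed sample data: 16-bit encodings of "normal" activity traces.
SELF = ["0000111100001111", "0000111100000000",
        "1111000011110000", "0000000000001111"]
R = 8  # assumed matching threshold, not taken from the slides

if __name__ == "__main__":
    detectors = generate_detectors(SELF, 30, 16, R, random.Random(1))
    # The last two traces are constructed examples of previously unseen activity.
    for trace in SELF + ["1010101010101010", "1111111111111111"]:
        hits = challenge(detectors, trace, R)
        print(trace, "ALERT" if hits else "ok", len(hits))
```

Self traces can never raise an alert because every surviving detector was screened against them; an unseen trace that no detector happens to cover passes silently, which is why the detector population has to be evolved rather than generated once.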

8 Digital Immune Systems III
Can be host-based or network-based:
Host-based systems monitor behaviour or processes on servers or other network hosts.
Network-based systems are of 2 types:
  Statistical traffic analysis using e.g. IP source & destination addresses and IP port / service.
  Promiscuous mode ‘sniffing’ of IP packets for anomalous behaviour.

9 Application to CIFD
Build a database(s) of normal transactions and sequences of transactions.
Look for anomalous and hence potentially fraudulent patterns of behaviour in actual transactions and transaction sequences, using the detector matching criteria.
Adapt the detector population.

10 Advantages of CI
Redundancy: collective behaviour of many detectors should lead to emergent properties of robustness and fault tolerance - no centralised or hierarchical control, no SPoF.
Memory of previous encounters can be built in, e.g. as long-lived successful detectors.
Various adaptive learning strategies can be tried out, e.g. affinity maturation, niching.

11 Disadvantages of CI
Subject to compromise in similar ways to the human immune system, i.e.
  subversion via ‘auto-immune’ reaction (cf. rheumatoid arthritis) where the system is induced to misidentify “self” as “foreign”.
  subversion via ‘immune deficiency’ response (cf. HIV-AIDS) where the system’s response is suppressed - misidentifying “foreign” as “self”.
  subversion by concealing “foreign” behaviour in “self” disguise (“Wolf in sheep’s clothing” or T.H.)

12 Previous Applications of CI
Computational Immunology (aka Artificial Immune Systems, AIS, in the USA) has already been used successfully for:
  detecting the activity of computer viruses and other malicious software (IBM TJW Res Cen.)
  detecting attempted intrusions into computers and networks (New Mexico & Memphis Univs)

13 Thank you! Any Questions?

