
Identification of Suspicious, Unknown Event Patterns in an Event Cloud

Identification of Suspicious, Unknown Event Patterns in an Event Cloud. DEBS 2007, June 20-22, 2007, Toronto. Alexander Widder, CITT; Rainer von Ammon, CITT; Philippe Schaeffer, TÜV Rheinland; Christian Wolff, University of Regensburg.


Presentation Transcript


  1. Identification of Suspicious, Unknown Event Patterns in an Event Cloud. DEBS 2007, June 20-22, 2007, Toronto. Alexander Widder, CITT; Rainer von Ammon, CITT; Philippe Schaeffer, TÜV Rheinland; Christian Wolff, University of Regensburg

  2. Table of Contents: • Used fraud management methods and event patterns • Unknown event patterns • Possible detection methods • Discriminant analysis approach • Next steps Alexander Widder, CITT

  3. Used Fraud Management Methods: CyberSource. Third Annual UK Online Fraud Report. http://www.cybersource.co.uk/resources/fraud_report_2007, downloaded 2007-02-07.

  4. Simple event patterns for fraud detection already exist from vendors like AptSoft. Examples of patterns in use: AptSoft Corporation. CEP Solution. http://www.aptsoft.com, downloaded 2006-12-22.

  5. Characteristics of Unknown Event Patterns: • Hypothesis: The fraud patterns change permanently! Which kinds of patterns are possible in the future? • Problem: How to define these fraud patterns and the relationships between the occurring events?

  6. Principal Scenario: [Figure: the event cloud of a bank (events such as account login, withdrawal, transfer, deposit, account balance enquiry, new auto pay, activity history, logout) is monitored by a CEP engine, which raises an ALERT on a suspicious pattern. Possible detection methods?]

  7. Deterministic Approaches: Processes with stringent causal chains. Reference: Earman, J. “A Primer on Determinism”, Springer-Verlag, Dordrecht, 1986.

  8. Probabilistic Approaches: Processes that are not stringently causal. Reference: Alon, N., Joel, H., and Spencer, J. “The Probabilistic Method”, Wiley InterScience, New York, 2000.

  9. Cluster Analysis: Data analysis that recognizes groups of objects which belong together within a basic set of objects. Reference: Romesburg, C. “Cluster Analysis for Researchers”, Lulu Press, Morrisville, 2004.

  10. Discriminant Analysis: Analysis of the differences between certain groups of objects. Reference: Mardia, K. V., Kent, J. T., and Bibby, J. M. “Multivariate Analysis”, Academic Press, San Diego, San Francisco, New York, Boston, London, Sydney, Tokyo, 1979.

  11. Fuzzy Set Theory: Method that does not only distinguish between 0 and 1, as a computer system does, but also defines the gradual assessment of membership. Reference: Gottwald, S. “A Treatise on Many-Valued Logics”, Research Studies Press LTD, Baldock, Hertfordshire, 2001.

  12. Bayesian Belief Networks: Represent conclusions drawn on the basis of uncertain knowledge. Reference: Jensen, F. “Bayesian Networks and Decision Graphs”, New York, 2001.

  13. Dempster Shafer Method: Combines information from different sources into an overall conclusion. Reference: Shafer, G. “A Mathematical Theory of Evidence”, Princeton University Press, 1976.

  14. Hidden Markov Model: Stochastic model that is described by two random processes. Reference: Rabiner, L. “A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition”, 1989.

  15. Discriminant Analysis Approach – Process: • Determining the attributes of the events of interest for the specific use case. • Computing a discriminant function on the basis of predefined historic fraud events by using a linear system of equations. • Computing the critical discriminant value of the discriminant function. • Computing the discriminant value of a newly occurring event by inserting its attributes into the discriminant function. • Allocating the event to a specific group of events by comparing the discriminant value of the event with the critical discriminant value of the function.

  16. Discriminant Analysis Approach – Goals: • Creating more discriminant functions and critical discriminant values against which a newly occurring event is compared, in order to obtain more accurate groups of events and to classify events more exactly. • In the end, a possible group should be so detailed that it represents an unknown event pattern itself.

  17. Principal Architecture with included Discriminant Analysis:

  18. Tibco's CEP Reference Architecture enhanced with Discriminant Analysis. Reference: Bass, T. Fraud Detection and Event Processing for Predictive Business. http://www.tibco.com/resources/mk/fraud_detection_in_cep_wp.pdf, downloaded 2007-01-31.

  19. Discriminant Analysis Approach – Open Questions: • Which types of events are created, e.g. by a credit card transaction, and which of them are important to detect fraud? • Which attributes of the event types are relevant to differentiate the groups of events for specific use cases such as credit card fraud detection? • In which way can the relevant string attributes be mapped to metric values?

  20. Next Steps: • Finishing the realisation of a prototype for the discriminant analysis approach based on a CEP engine. • Examining the other algorithms mentioned, probably neural networks first. • Comparing the performance of the different algorithms. • Combining the different solutions into a better-performing solution.

  21. Thank you for your Attention! Alexander Widder, CITT
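The discriminant analysis process from slide 15, carried through as an added example (not code from the presentation or its prototype): a two-group Fisher linear discriminant whose coefficients come from a linear system of equations, with the critical value taken as the midpoint between the two group means. The two attributes (amount, transactions in the last hour), the sample events and the midpoint rule are assumptions made for illustration.

```python
# Two-group linear discriminant analysis in pure Python (added example).
# Attribute choice and all sample events below are constructed.

def mean(rows):
    return [sum(col) / len(rows) for col in zip(*rows)]

def scatter(rows, m):
    """Within-group scatter matrix: sum of (x - m)(x - m)^T."""
    k = len(m)
    s = [[0.0] * k for _ in range(k)]
    for x in rows:
        d = [xi - mi for xi, mi in zip(x, m)]
        for i in range(k):
            for j in range(k):
                s[i][j] += d[i] * d[j]
    return s

def solve(a, b):
    """Solve a*w = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [bi] for row, bi in zip(a, b)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        if abs(m[p][c]) < 1e-12:
            raise ValueError("singular scatter matrix: collinear attributes")
        m[c], m[p] = m[p], m[c]
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]

def score(w, event):
    """Discriminant value of one event: w . x"""
    return sum(wi * xi for wi, xi in zip(w, event))

def fit(fraud, legit):
    """Return (coefficients, critical discriminant value)."""
    mf, ml = mean(fraud), mean(legit)
    pooled = [[x + y for x, y in zip(r1, r2)]
              for r1, r2 in zip(scatter(fraud, mf), scatter(legit, ml))]
    w = solve(pooled, [a - b for a, b in zip(mf, ml)])
    return w, (score(w, mf) + score(w, ml)) / 2  # midpoint (assumption)

def classify(w, critical, event):
    return "fraud" if score(w, event) > critical else "legitimate"

# Constructed historic events: (amount in EUR, transactions in the last hour)
FRAUD = [(900, 6), (1200, 8), (700, 5), (1500, 9)]
LEGIT = [(40, 1), (120, 2), (60, 1), (300, 3)]
W, CRITICAL = fit(FRAUD, LEGIT)
```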
