CIFD: Computational Immunology for Fraud Detection. Dr Richard Overill, Department of Computer Science & International Centre for Security Analysis, King’s College London.


Page 1: CIFD: Computational Immunology for Fraud Detection

CIFD: Computational Immunology for Fraud Detection

Dr Richard Overill

Department of Computer Science & International Centre for Security Analysis, King’s College London

Page 2: CIFD: Computational Immunology for Fraud Detection

Computational Immunology for Fraud Detection

• DTI LINK project funded under Phase 1 of the Management of Information programme

• Application of adaptive, self-learning technologies with low overheads (CI) to fraud detection in the financial sector

• Partners (with King’s College London):

– Anite Government Systems Ltd. (developer)

– The Post Office (end user)

Page 3: CIFD: Computational Immunology for Fraud Detection

Natural Immune Systems

• are multi-layered (“defence in depth”)

• consist of several sub-systems:

– innate immune system (scavenger cells which ingest debris and pathogens)

– acquired immune system (white blood cells which co-operate to detect and eliminate pathogens / antigens)

Page 4: CIFD: Computational Immunology for Fraud Detection

Acquired Immune System

• Detector cells generated in bone marrow (B-cells), and in lymph system but matured in thymus gland (T-cells).

• Self-binding T-cell detectors destroyed by censoring (negative selection) in thymus.

• B- & remaining T-detectors released to bind to and destroy foreign (non-self) antigens.

Page 5: CIFD: Computational Immunology for Fraud Detection
Page 6: CIFD: Computational Immunology for Fraud Detection

Digital Immune Systems I

• Train with known normal behaviour (“self”)

• Generate database(s) of self-signatures.

• Generate a (random) initial population of detectors and screen it against database(s).

• Challenge the detectors with possibly anomalous behaviour (may contain some “foreign” activity).

Page 7: CIFD: Computational Immunology for Fraud Detection

Digital Immune Systems II

• An (approximate) match between a detector and an activity trace indicates a possible anomaly.

• React to (warn of) the possible anomaly.

• Evolve the population of detectors to reflect successful and consistently unsuccessful detectors (cloning / killing).

Page 8: CIFD: Computational Immunology for Fraud Detection

Digital Immune Systems III

• Can be host-based or network-based:

• Host-based systems monitor behaviour or processes on servers or other network hosts.

• Network-based systems are of 2 types:

– statistical traffic analysis using e.g. IP source & destination addresses and IP port / service.

– promiscuous mode ‘sniffing’ of IP packets for anomalous behaviour.

Page 9: CIFD: Computational Immunology for Fraud Detection

Application to CIFD

• Build a database(s) of normal transactions and sequences of transactions.

• Look for anomalous and hence potentially fraudulent patterns of behaviour in actual transactions and transaction sequences, using the detector matching criteria.

• Adapt the detector population.
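
The train / screen / challenge / evolve cycle from the Digital Immune Systems slides, applied to sequences of transactions as on this slide, as an added example that is not taken from the presentation or the CIFD project. The event codes, the window length, the r-contiguous matching rule and the one-symbol mutation used for cloning are all assumptions, since the slides do not specify the matching criteria.

```python
import random

ALPHABET = "BDWT"   # constructed event codes: Balance enquiry, Deposit, Withdrawal, Transfer
N, R = 4, 3         # assumed signature/detector length and contiguous positions needed to match
SELF = ["BDBWBDBW", "BWBTBDBT"]   # constructed "normal" sessions used for training

def windows(trace):
    """Length-N sliding windows over a sequence of transaction events."""
    return [trace[i:i + N] for i in range(len(trace) - N + 1)]

def matches(detector, window):
    """Approximate (r-contiguous) match: R adjacent positions agree."""
    agree = "".join("1" if a == b else "0" for a, b in zip(detector, window))
    return "1" * R in agree

def survives_censoring(candidate, self_db):
    """Negative selection: a candidate that binds to any self-signature is destroyed."""
    return not any(matches(candidate, s) for s in self_db)

def train(self_traces, n_detectors, seed=0, max_tries=20000):
    """Build the self database, then keep random candidates that survive censoring."""
    self_db = {w for t in self_traces for w in windows(t)}
    rng, detectors = random.Random(seed), set()
    for _ in range(max_tries):
        if len(detectors) >= n_detectors:
            break
        cand = "".join(rng.choice(ALPHABET) for _ in range(N))
        if survives_censoring(cand, self_db):
            detectors.add(cand)
    return self_db, detectors

def challenge(trace, detectors):
    """Return (offset, window, detector) for every detector that fires on the trace."""
    return [(i, w, d) for i, w in enumerate(windows(trace))
            for d in sorted(detectors) if matches(d, w)]

def evolve(detectors, self_db, hits, false_alarms, seed=0):
    """Kill detectors behind false alarms; clone one-symbol mutants of confirmed hits."""
    rng, killed = random.Random(seed), set(false_alarms)
    pop = set(detectors) - killed
    for d in sorted(set(hits) - killed):
        i = rng.randrange(N)
        clone = d[:i] + rng.choice(ALPHABET) + d[i + 1:]
        if clone not in killed and survives_censoring(clone, self_db):
            pop.add(clone)
    return pop
```

Because every detector is censored against the self database, replaying a training session can never raise an alert; a run of withdrawals with no intervening balance enquiry, such as the constructed trace `BDWWWWTB`, does.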

Page 10: CIFD: Computational Immunology for Fraud Detection

Advantages of CI

• Redundancy: collective behaviour of many detectors should lead to emergent properties of robustness and fault tolerance - no centralised or hierarchical control, no SPoF.

• Memory of previous encounters can be built in, e.g. as long-lived successful detectors.

• Various adaptive learning strategies can be tried out, e.g. affinity maturation, niching.

Page 11: CIFD: Computational Immunology for Fraud Detection

Disadvantages of CI

• Subject to compromise in similar ways to the human immune system, i.e.

– subversion via ‘auto-immune’ reaction (cf. rheumatoid arthritis) where the system is induced to misidentify “self” as “foreign”.

– subversion via ‘immune deficiency’ response (cf. HIV-AIDS) where the system’s response is suppressed - misidentifying “foreign” as “self”.

– subversion by concealing “foreign” behaviour in “self” disguise (“Wolf in sheep’s clothing” or T.H.)

Page 12: CIFD: Computational Immunology for Fraud Detection

Previous Applications of CI

• Computational Immunology (aka Artificial Immune Systems, AIS, in the USA) has already been used successfully for:

– detecting the activity of computer viruses and other malicious software (IBM TJW Res Cen.)

– detecting attempted intrusions into computers and networks (New Mexico & Memphis Univs)

Page 13: CIFD: Computational Immunology for Fraud Detection

Thank you!

Any Questions?

Contact:

Tel: 020 7848 2833

Fax: 020 7848 2913

Email: [email protected]