Upload
iram
View
27
Download
0
Embed Size (px)
DESCRIPTION
CIFD: Computational Immunology for Fraud Detection. Dr Richard Overill Department of Computer Science & International Centre for Security Analysis, King’s College London. DTI LINK project funded under Phase 1 of the Management of Information programme - PowerPoint PPT Presentation
Citation preview
CIFD:Computational Immunology for
Fraud Detection
Dr Richard OverillDepartment of Computer Science &
International Centre for Security Analysis,King’s College London
Computational Immunology for Fraud Detection
• DTI LINK project funded under Phase 1 of the Management of Information programme
• Application of adaptive, self-learning technologies with low overheads (CI) to fraud detection in the financial sector
• Partners (with King’s College London):
– Anite Government Systems Ltd. (developer)– The Post Office (end user)
Natural Immune Systems
• are multi-layered (“defence in depth”)
• consist of several sub-systems:– innate immune system (scavenger cells which
ingest debris and pathogens– acquired immune system (white blood cells
which co-operate to detect and eliminate pathogens / antigens)
Acquired Immune System
• Detector cells generated in bone marrow (B-cells), and in lymph system but matured in thymus gland (T-cells).
• Self-binding T-cell detectors destroyed by censoring (negative selection) in thymus.
• B- & remaining T-detectors released to bind to and destroy foreign (non-self) antigens.
Digital Immune Systems I
• Train with known normal behaviour (“self”)
• Generate database(s) of self-signatures.
• Generate a (random) initial population of detectors and screen it against database(s).
• Challenge the detectors with possibly anomalous behaviour (may contain some “foreign” activity).
Digital Immune Systems II
• An (approximate) match between a detector and an activity trace indicates a possible anomaly.
• React to (warn of) the possible anomaly.
• Evolve the population of detectors to reflect successful and consistently unsuccessful detectors (cloning / killing).
Digital Immune Systems III
• Can be host-based or network-based:
• Host-based systems monitor behaviour or processes on servers or other network hosts.
• Network-based systems are of 2 types:– statistical traffic analysis using e.g. IP source &
destination addresses and IP port / service.– Promiscuous mode ‘sniffing’ of IP packets for
anomalous behaviour.
Application to CIFD
• Build a database(s) of normal transactions and sequences of transactions.
• Look for anomalous and hence potentially fraudulent patterns of behaviour in actual transactions and transaction sequences, using the detector matching criteria.
• Adapt the detector population.
Advantages of CI
• Redundancy: collective behaviour of many detectors should lead to emergent properties of robustness and fault tolerance - no centralised or hierarchical control, no SPoF.
• Memory of previous encounters can be built in, e.g. as long-lived successful detectors.
• Various adaptive learning strategies can be tried out, e.g. affinity maturation, niching.
Disadvantages of CI
• Subject to compromise in similar ways to the human immune system, i.e.– subversion via ‘auto-immune’ reaction (cf.
rheumatoid arthritis) where the system is induced to misidentify “self” as “foreign”.
– subversion via ‘immune deficiency’ response (cf. HIV-AIDS) where the system’s response is suppressed - misidentifying “foreign” as “self”.
– subversion by concealing “foreign” behaviour in “self” disguise (“Wolf in sheep’s clothing” or T.H.)
Previous Applicationsof CI
• Computational Immunology (aka Artificial Immune Systems, AIS, in the USA) has already been used successfully for:– detecting the activity of computer viruses and
other malicious software (IBM TJW Res Cen.)– detecting attempted intrusions into computers
and networks (New Mexico & Memphis Univs)