WIXLIB

International Journal of Computer Applications (0975 – 8887)Volume 16– No.1, February 2011data mining for building models of user behavior. The resultantbase models are then combined to generate a meta-classifier forimproving detection accuracy. V.Hanagandi et al. [9] generate afraud score using the historical information on credit card accounttransactions. They describe a fraud-non fraud classificationmethodology using radial basis function network (RBFN) with adensity based clustering approach. The input data is transformedinto cardinal component space and clustering as well as RBFNmodeling is done using a few cardinal components. A.Shen et al.[10] investigates the efficacy of applying classification models tocredit card fraud detection problems. They tested threeclassification methods i.e. neural network, decision tree andlogistic regression for their applicability in fraud detections.H.shao et al. [11] introduced an application in data mining todetect fraud behavior in customs declarations data and used datamining technology such as an easy-to-expand multi-dimensioncriterion data model and a hybrid fraud-detection strategy. A.Srivastava et al. [12] model the sequence of operations in creditcard transaction processing using Hidden Markov Model (HMM)and show how it can be used for detection of frauds. An HMM isinitially trained with normal behavior of card holder. If anincoming credit card transaction is not accepted by trained HMMwith sufficiently high probability, it is considered to be fraudulent.At the same time they also try to ensure that genuine transactionsare not rejected. J.Quah et al. [13] focuses on real time frauddetection and presents a new and innovative approach inunderstanding spending patterns to decipher potential fraud cases.They make use of self organizing map to decipher, filter andanalyze customer behavior for detection of fraud. Recently frauddetection system is developed by Suvasini Panigrahi et al. [14],which consist of four components, namely, rule-based filter,Dempster-Shafer adder, transaction history database and Bayesianrule. In the rule based component, they determine the suspicionlevel of each incoming transaction based on the extent of itsdeviation from good pattern. Dempster-Shafer theory is used tocombine multiple such evidences and an initial belief iscomputed.S.J.Stoflo et al. [15] developed the JAM distributed data miningsystem for the real world problem of fraud detection in financialinformation systems. They have shown that cost-based metrics aremore relevant in certain domains, and defining such metrics posessignificant and interesting research questions both in evaluatingsystems and alternative models, and in formalizing the problemsto which one may wish to apply data mining technologies.Researchers also published some survey papers in the area offraud detection. Phua et al. [16] presented a comprehensive reportusing an extensive survey of data mining based Fraud DetectionSystems and. Kou et al. [17] have compared and measuredperformance of various fraud detection techniques for credit cardfraud, telecommunication fraud and computer intrusion detection.Bolton and Hand [18] identified the tools available for statisticalfraud detection and areas in which fraud detection technologiesare most commonly used. D.W.Abbott et al. [19] compare five ofthe most highly acclaimed commercial data mining tools on afraud detection application, with descriptions of their distinctivestrengths and weaknesses, based on the lessons learned by theauthors during the process of evaluating the products.There are two types of data mining techniques, Unsupervised andSupervised Methods. Unsupervised methods do not need the priorknowledge of fraudulent and non-fraudulent transactions inhistorical database, but instead detect changes in behavior orunusual transactions. Supervised methods require accurateidentification of fraudulent transactions in historical databases andcan only be used to detect frauds of a type that have previouslyoccurred. An advantage of using unsupervised methods oversupervised methods is that previously undiscovered types of fraudmay be detected.The main concern in this domain is that genuine transaction mightnot be caught as fraudulent transaction otherwise it createsinconvenience and dissatisfaction to customer. In the same way,fraudulent transaction should not go undetected otherwise thefinancial company has to suffer lot of money.It is well known that every card holder has certain purchasinghabits. Generally they repeat their shopping habits. Most of theFDS try to find the deviation from this good pattern by onlyimplementing rules or with the similarity from past fraudulenttransaction set. However these rules are largely static in nature, iffraudsters develop or learn new methods and tactics to evadedetection by FDS, then new types of fraud may get unnoticed.Thus system which is not dynamic and able is adapt to newchange, may become outdated resulting in large number of falsealarms. So there is a need of developing new system whichintegrates all the multiple evidences of past genuine andfraudulent transaction set and also focus current dynamic behaviorof customer.We propose a hybrid model containing data mining techniques,statistics and artificial intelligence to collect and combine all themultiple evidences. The model not only considers the pastbehavior but also monitors the current behavior very closely. Thecurrent behavior is stored in the different lookup tables. Wheneverany deviation other than normal behavior found it is furtherchecked with fraudulent transaction history with bayes theorem.To the best of our knowledge, this is first ever attempt to developfinancial cyber crime detection system using hybrid approach likedata mining, statistics and artificial intelligence.The rest of paper is organized as follows. We discuss thetransaction pattern generation tool in brief in section 3. Section 4describes proposed transaction risk score generation model alongwith its methodology. Section 5 shows the result as scatter graphin terms of clusters formed by DBSCAN algorithm.Implementation environment and result analysis & discussions arecovered in section 6 and 7 respectively. Finally we conclude insection 8.3. TRANSACTION PATTERNGENERATION TOOLThe transaction pattern generation tool (TPGT) will generate thepatterns (parameters) based on the historical data stored in thedata warehouse. TPGT is implemented in the Oracle 9i. All thepatterns generated by TPGT will collectively decide thepurchasing behavior of the card holder. These patterns are veryuseful for deciding or verifying the current transaction performedby the card holder online. It generates more than 60 parameters.As this domain is sensitive and due to space limitation, it is notpossible to discuss each parameter. Here are the main parametersgenerated by TPGT.3.1 Main Patterns (Parameters) Generated byTPGTDP: Daily Parameters, CP: Category Parameters, PP: ProductParameters, TP: Transaction Parameters, WP: Weekly Parameters,VP: Vendor Parameters, AP: Address Parameters, FP: FortnightlyParameters, MP: Monthly Parameters, SP: Sunday Parameters,19

International Journal of Computer Applications (0975 – 8887)Volume 16– No.1, February 2011HP: Holiday Parameters, LP: Location Parameters, GP:Transaction Gap Parameters3.2 Computations of the Patterns3.2.1 TP1 to TP8The Calculation of the parameters TP1 to TP8 in the tool is done asfollows.The tool divides all the transactions of the customer into eightdifferent time frames according to the following.T1 becomes true if the past transaction is performed from 3:00 to6:00 time frame on the card Ck within data warehouse.T 1 TRUE { Tck 3 : 00 t 6 : 00} (1)T2 becomes true if the past transaction is performed from 6:00 to9:00 time frame on the card Ck within data warehouse.T 2 TRUE { Tck 6 : 00 t 9 : 00} (2)T3 becomes true if the past transaction is performed from 9:00 to12:00 time frame on the card Ck within data warehouse.T 3 TRUE { Tck 9 : 00 t 12 : 00} (3)T4 becomes true if the past transaction is performed from 12:00 to15:00 time frame on the card Ck within data warehouse.(4)T 4 TRUE { Tck 12 : 00 t 15 : 00}T5 becomes true if the past transaction is performed from 15:00 to18:00 time frame on the card Ck within data warehouse.(5)T 5 TRUE { Tck 15 : 00 t 18 : 00}T6 becomes true if the past transaction is performed from 18:00 to21:00 time frame on the card Ck within data warehouse.(6)T 6 TRUE { Tck 18 : 00 t 21: 00}T7 becomes true if the past transaction is performed from 21:00 to0:00 time frames on the card Ck within data warehouse.T 7 TRUE { Tck 21: 00 t 0 : 00} (7)T8 becomes true if the past transaction is performed from 0:00 to3:00 time frame on the card Ck within data warehouse.T 8 TRUE { Tck 0 : 00 t 3 : 00}(8)The tool then finds the total number of the transactions performedby the customer in time frame from T1 to T8.TPi occurrences (count) of Ti on the card Ck from the datawarehouse, where 1 i 8 (9)Finally the percentage of all the parameters of all the transactionsis computed as follows.Percent TPi (TPi * 100) / total transactions on card Ck from thedata warehouse, where 1 i 8(10)Convert time () function is also implemented to map time of onecity to another city with time zone. So customer performsoverseas transaction then also time is converted accordingly.3.2.2 TP11 and TP12L1 becomes true if the transaction is performed from 0:00 to 4:00on the card Ck from the data warehouse.L1 TRUE { Tck 0 : 00 t 4 : 00} (11)L2 becomes true if the transaction is performed except from 0:00to 4:00 on the card Ck within the data warehouse.L2 TRUE { Tck 4 : 00 t 0 : 00} (12)Finally TP11 and TP12 are computed as follows.TP1i occurrences (count) of Li on the card Ck from the datawarehouse where 1 i 2 (13)3.2.3 GP1 to GP7G1 becomes true if the transaction occurs just within 4 hours fromthe previous transaction on the same card Ck from the datawarehouse.(14)G1 True { Tck (0 d 4)}d stands for the duration in hours between two successivetransactions.G2 becomes true if the transaction occurs just within 5 to 8 hoursfrom the previous transaction on the same card C k from the datawarehouse.(15)G 2 True { Tck (4 d 8)}G3 becomes true if the transaction occurs just within 9 to 16 hoursfrom the previous transaction on the same card Ck from the datawarehouse.(16)G3 True { Tck (8 d 16)}G4 becomes true if the transaction occurs just within 17 to 24hours from the previous transaction on the same card C k from thedata warehouse.(17)G 4 True { Tck (16 d 24)}G5 becomes true if the transaction occurs from 2 nd day to within aweek from the previous transaction on the same card Ck from thedata warehouse.(18)G5 True { Tck (24 d (24 * 7))}G6 becomes true if the transaction occurs just within 15 days fromthe second week since the previous transaction on the same cardCk from the data warehouse.(19)G 6 True { Tck ((24 * 7) d (24 *15))}G7 becomes true if the transaction occurs after 15 days from theprevious transaction on the same card Ck from the data warehouse.(20)G 7 True { Tck (d (24 *15))}Now the parameters GP1 to GP7 are computed as follows.GPi occurrences (count) of Gi on the card Ck from the datawarehouse,where 1 i 7 (21)(8)3.2.4 AP1 and AP2A1 becomes true if the past transactions are also shipped with thesame shipping address from the data warehouse.(22)A1 TRUE { Tck Saddr (Tcurrent ) Saddr ( Tpast ) }A2 becomes true if the transaction is performed with the differentshipping and billing address.(23)A2 TRUE { Tck Saddr Baddr }Finally AP1 and AP2 are computed as follows.APi occurrences (count) of Ai on the card Ck from the datawarehouse, where 1 i 2 (24)Other parameters are computed in the similar way.4. PROPOSED TRANSACTION RISKSCORE GENERATION MODEL (TRSGM)In the TRSGM, a number of rules are used to analyze thedeviation of each incoming transaction from the normal profile ofthe cardholder by computing the patterns generated by TPGT. Theinitial belief value is obtained as the risk score. The model alsoconsiders the transaction whether it is performed on normalworking day, Sunday or holiday. It will match the past transactionbehavior on the similar type of day and accordingly it generates arisk score. The initial belief is further strengthened or weakenedaccording to its similarity with fraudulent or genuine transactionhistory using Bayes theorem. In order to meet this functionality,20

International Journal of Computer Applications (0975 – 8887)Volume 16– No.1, February 2011the TRSGM is designed with the following five majorcomponents:(1) DBSCAN algorithm, (2) Linear equation, (3) Rules, (4) DataWarehouse and (5) Bayes theorem4.1 DBSCAN algorithmA customer usually carries out similar types of transactions interms of amount, which can be visualized as part of a cluster.Since a fraudster is likely to deviate from the customer’s profile,his transactions can be detected as exceptions to the cluster – aprocess known as outlier detection. It has important applicationsin the field of fraud detection and has been used for quite sometime to detect anomalous behavior.Here DBSCAN algorithm is used to form the clusters oftransaction amounts spend by the customer. Whenever a newtransaction is performed by the customer, the algorithm finds thecluster coverage of this particular amount. If this amount occursmore than once in the past, then the TRSGM considers as highlygenuine transaction. Result of Implementation of DBSCANalgorithm as scatter graph is shown in Fig.1.4.2 Linear EquationThe TRSGM is based on the following linear equation, whichgenerates a risk score and indicates how far or close the currenttransaction is from the normal profile of the customer. If thegenerated risk score is closer to 0, then it is considered closelymatch to customer normal profile. If the risk score is greater than0.5 or close to 1, then it considered heavily deviation from thecustomer normal profile.nRisk score (1 thresold ) ( P *W )ii(25)i 1Where threshold 0.5, Pi Parameter generated by TPGT, Wi Weightage of the parameter which is given as input to algorithm1, Wei

verification systems (AVS), card verification codes, rule-based detection, etc. But fraudsters are intelligent and devise new ways to escape from such protection mechanisms. The main concern is that such kind of money can be used in other criminal or terrorist activitie