Download No Slide Title

CIFD:
Computational Immunology for
Fraud Detection
Dr Richard Overill
Department of Computer Science &
International Centre for Security Analysis,
King’s College London
Computational Immunology
for Fraud Detection
• DTI LINK project funded under Phase 1 of
the Management of Information programme
• Application of adaptive, self-learning
technologies with low overheads (CI) to
fraud detection in the financial sector
• Partners (with King’s College London):
– Anite Government Systems Ltd. (developer)
– The Post Office (end user)
Natural Immune Systems
• are multi-layered (“defence in depth”)
• consist of several sub-systems:
– innate immune system (scavenger cells which
ingest debris and pathogens
– acquired immune system (white blood cells
which co-operate to detect and eliminate
pathogens / antigens)
Acquired Immune System
• Detector cells generated in bone marrow
(B-cells), and in lymph system but matured
in thymus gland (T-cells).
• Self-binding T-cell detectors destroyed by
censoring (negative selection) in thymus.
• B- & remaining T-detectors released to bind
to and destroy foreign (non-self) antigens.
Digital Immune Systems I
• Train with known normal behaviour (“self”)
• Generate database(s) of self-signatures.
• Generate a (random) initial population of
detectors and screen it against database(s).
• Challenge the detectors with possibly
anomalous behaviour (may contain some
“foreign” activity).
Digital Immune Systems II
• An (approximate) match between a detector
and an activity trace indicates a possible
anomaly.
• React to (warn of) the possible anomaly.
• Evolve the population of detectors to reflect
successful and consistently unsuccessful
detectors (cloning / killing).
Digital Immune Systems III
• Can be host-based or network-based:
• Host-based systems monitor behaviour or
processes on servers or other network hosts.
• Network-based systems are of 2 types:
– statistical traffic analysis using e.g. IP source &
destination addresses and IP port / service.
– Promiscuous mode ‘sniffing’ of IP packets for
anomalous behaviour.
Application to CIFD
• Build a database(s) of normal transactions
and sequences of transactions.
• Look for anomalous and hence potentially
fraudulent patterns of behaviour in actual
transactions and transaction sequences,
using the detector matching criteria.
• Adapt the detector population.
Advantages of CI
• Redundancy: collective behaviour of many
detectors should lead to emergent properties
of robustness and fault tolerance - no
centralised or hierarchical control, no SPoF.
• Memory of previous encounters can be built
in, e.g. as long-lived successful detectors.
• Various adaptive learning strategies can be
tried out, e.g. affinity maturation, niching.
Disadvantages of CI
• Subject to compromise in similar ways to
the human immune system, i.e.
– subversion via ‘auto-immune’ reaction (cf.
rheumatoid arthritis) where the system is induced
to misidentify “self” as “foreign”.
– subversion via ‘immune deficiency’ response (cf.
HIV-AIDS) where the system’s response is
suppressed - misidentifying “foreign” as “self”.
– subversion by concealing “foreign” behaviour in
“self” disguise (“Wolf in sheep’s clothing” or T.H.)
Previous Applications
of CI
• Computational Immunology (aka Artificial
Immune Systems, AIS, in the USA) has
already been used successfully for:
– detecting the activity of computer viruses and
other malicious software (IBM TJW Res Cen.)
– detecting attempted intrusions into computers
and networks (New Mexico & Memphis Univs)
Thank you!
Any Questions?
Contact:
Tel: 020 7848 2833
Fax: 020 7848 2913
Email: [email protected]