Welcome!

Microservices Expo Authors: Mehdi Daoudi, Liz McMillan, Pat Romanski, Elizabeth White, Stackify Blog

Related Topics: @CloudExpo, Java IoT, Microservices Expo, Linux Containers, Containers Expo Blog, Cloud Security

@CloudExpo: Article

Real-Time Fraud Detection in the Cloud

Using machine learning agent ensembles

This article explores how to detect fraud among online banking customers in real-time by running an ensemble of statistical and machine learning algorithms on a dataset of customer transactions and demographic data. The algorithms, namely Logistic Regression, Self-Organizing Maps and Support Vector Machines, are operationalized using a multi-agent framework for real-time data analysis. This article also explores the cloud environment for real-time analytics by deploying the agent framework in a cloud environment that meets computational demands by letting users' provision virtual machines within managed data centers, freeing them from the worry of acquiring and setting up new hardware and networks.

Real-time decision making is becoming increasingly valuable with the advancement of data collection and analytics techniques. Due to the increase in the speed of processing, the classical data warehousing model is moving toward a real-time model. A platform that enables the rapid development and deployment of applications, reducing the lag between data acquisition and actionable insight has become of paramount importance in the corporate world. Such a system can be used for the classic case of deriving information from data collected in the past and also to have a real-time engine that reacts to events as they occur. Some examples of such applications include:

  • A product company can get real-time feedback for their new releases using data from social media
  • Algorithmic trading by reacting in real times to fluctuations in stock prices
  • Real-time recommendations for food and entertainment based on a customer's location
  • Traffic signal operations based on real-time information of volume of traffic
  • E-commerce websites can detect a customer transaction being authentic or fraudulent in real-time

A cloud-based ecosystem enables users to build an application that detects, in real-time, fraudulent customers based on their demographic information and financial history. Multiple algorithms are utilized to detect fraud and the output is aggregated to improve prediction accuracy.

The dataset used to demonstrate this application comprises of various customer demographic variables and financial information such as age, residential address, office address, income type, income frequency, bankruptcy filing status, etc. The dependent variable (the variable to be predicted) is called "bad", which is a binary variable taking the value 0 (for not fraud) or 1 (for fraud).

Using Cloud for Effective Usage of Resources
A system that allows the development of applications capable of churning out results in real-time has multiple services running in tandem and is highly resource intensive. By deploying the system in the cloud, maintenance and load balancing of the system can be handled efficiently. It will also give the user more time to focus on application development. For the purpose of fraud detection, the active components, for example, include:

  • ActiveMQ
  • Web services
  • PostgreSQL

This approach combines the strengths and synergies of both cloud computing and machine learning technologies, providing a small company or even a startup that is unlikely to have specialized staff and necessary infrastructure for what is a computationally intensive approach, the ability to build a system that make decisions based on historical transactions.

Agent Paradigm
As multiple algorithms are to be run on the same data, a real-time agent paradigm is chosen to run these algorithms. An agent is an autonomous entity that may expect inputs and send outputs after performing a set of instructions. In a real-time system, these agents are wired together with directed connections to form an agency. An agent typically has two behaviors, cyclic and triggered. Cyclic agents, as the name suggests, run continuously in a loop and do not need any input. These are usually the first agents in an agency and are used for streaming data to the agency by connecting to an external real-time data source. A triggered agent runs every time it receives a message from a cyclic agent or another triggered agent. Once it consumes one message, it waits for the next message to arrive.

Figure 1: A simple agency with two agents

In Figure 1, Agent 1 is a cyclic agent while Agent 2 is a triggered agent. Agent 1 finishes its computation and sends a message to Agent 2, which uses the message as an input for further computation.

Feature Selection and Data Treatment
The dataset used for demonstrating fraud detection agency has 250 variables (features) pertaining to the demographic and financial history of the customers. To reduce the number of features, a Random Forest run was conducted on the dataset to obtain variable importance. Next, the top 30 variables were selected based on the variable importance. This reduced dataset was used for running a list of classification algorithms.

Algorithms for Fraud Detection
The fraud detection problem is a binary classification problem for which we have chosen three different algorithms to classify the input data into fraud (1) and not fraud (0). Each algorithm is configured as a triggered agent for our real-time system.

Logistic Regression
This is a probabilistic classification model where the dependent variable (the variable to be predicted) is a binary variable or a categorical variable. In case of binary dependent variables favorable outcomes are represented as 1 and non-favorable outcomes are represented as 0. Logistic regression models the probability of the dependent variable taking the value 0 or 1.

For the fraud detection problem, the dependent variable "bad" is modelled to give probabilities to each customer of being fraud or not. The equation takes multiple variables as input and returns a value between 0 & 1 which is the probability of "bad" being 0. If this value is greater than 0.7, then that customer is classified as not fraud.

Self-Organizing Maps (SOM)
This is an artificial neural network that uses unsupervised learning to represent the data in lower (typically two dimensions) dimensions. This representation of the input data in lower dimensions is called a map. Like most artificial neural networks, SOMs operate in two modes: training and mapping. "Training" builds the map using input examples, while "mapping" automatically classifies a new input vector.

For the fraud detection problem, the input space which is a fifty dimensional space is mapped to a two dimensional lattice of nodes. The training is done using data from the recent past and the new data is mapped using the trained model, which puts it either in the "fraud" cluster or "not - fraud" cluster.

Figure 2: x is an in-put vector in higher dimension, discretized in 2D using wij as the weight matrix
Image Source: http://www.lohninger.com/helpcsuite/kohonen_network_-_background_information.htm

Support Vector Machines (SVM)
This is a supervised learning technique used generally for classifying data. It needs a training dataset where the data is already classified into the required categories. It creates a hyperplane or set of hyperplanes that can be used for classification. The hyperplane is chosen such that it separates the different classes and the margin between the samples in the training set is widest.

For the fraud detection problem, SVM classifies the data points into two classes. The hyperplane is chosen by training the model over the past data. Using the variable "bad", the clusters are labeled as "0" (fraud) and "1" (not fraud). The new data points are classified using the hyperplane obtained while training.

Figure 3: Of the three hyperplanes which segment the data, H2 is the hyperplane which classifies the data accurately

Image Source: http://en.wikipedia.org/wiki/File:Svm_separating_hyperplanes.png

Fraud Detection Agency
A four-tier agency is created to build a workflow process for fraud detection.

Streamer Agent (Tier 1): This agent streams data in real-time to agents in Tier 2. It is the first agent in the agency and its behavior is cyclic. It connects to a real-time data source, pre-processes the data and sends it to the agents in the next layer.

Algorithm Agents (Tier 2): This tier has multiple agents running an ensemble of algorithms with one agent per algorithm. Each agent receives the message from the streamer agent and uses a pre-trained (trained on historical data) model for scoring.

Collator Agent (Tier 3): This agent receives scores from agents in Tier 2 and generates a single score by aggregating the scores. It then converts the score into an appropriate JSON format and sends it to an UI agent for consumption.

User Interface Agent (Tier 4): This agent pushes the messages it receives to a socket server. Any external socket client can be used to consume these messages.

Figure 4: The Fraud detection agency with agents in each layer. The final agent is mapped to a port to which a socket client can connect

Results and Model Validation
The models were trained on 70% of the data and the remaining 30% of the data was streamed to the above agency simulating a real-time data source.

Under-sample: The ratio of number of 0s to the number of 1s in the original dataset for the variable "bad" is 20:1. This would lead to biasing the models towards 0. To overcome this, we sample the training dataset by under-sampling the number of 0s to maintain the ration at 10:1.

The final output of the agency is the classification of the input as fraudulent or not. Since the value for the variable "bad" is already known for this data, it helps us gauge the accuracy of the aggregated model.

Figure 5: Accuracy for detecting fraud ("bad"=1) for different sampling ratio between no.of 0s and no. of 1s in the training dataset

Conclusion
Fraud detection can be improved by running an ensemble of algorithms in parallel and aggregating the predictions in real-time. This entire end-to-end application was designed and deployed in three working days. This shows the power of a system that enables easy deployment of real-time analytics applications. The work flow becomes inherently parallel as these agents run as separate processes communicating with each other. Deploying this in the cloud makes it horizontally scalable owing to effective load balancing and hardware maintenance. It also provides higher data security and makes the system fault tolerant by making processes mobile. This combination of a real-time application development system and a cloud-based computing enables even non-technical teams to rapidly deploy applications.

References

  • Gravic Inc, "The Evolution of Real-Time Business Intelligence", "http://www.gravic.com/shadowbase/pdf/white-papers/Shadowbase-for-Real-Time-Business-Intelligence.pdf"
  • Bernhard Schlkopf, Alexander J. Smola ( 2002), "Learning with Kernels: Support Vector Machines, Regularization, Optimization, and Beyond (Adaptive Computation and Machine Learning)", MIT Press​
  • Christopher Burges (1998), "A Tutorial on Support Vector Machines for Pattern Recognition", Data Mining and Knowledge Discovery, Kluwer Publishers
  • Kohonen, T. (Sep 1990), "The self-organizing map", Proceedings of IEEE
  • Samuel Kaski (1997), "Data Exploration Using Self-Organizing Maps", ACTA POLYTECHNICA SCANDINAVICA: MATHEMATICS, COMPUTING AND MANAGEMENT IN ENGINEERING SERIES NO. 82,
  • Rokach, L. (2010). "Ensemble based classifiers". Artificial Intelligence Review
  • Robin Genuer, Jean-Michel Poggi, Christine Tuleau-Malot, "Variable Selection using Random Forests", http://robin.genuer.fr/genuer-poggi-tuleau.varselect-rf.preprint.pdf

More Stories By Roger Barga

Roger Barga, PhD, is Group Program Manager for the CloudML team at Microsoft Corporation where his team is building machine learning as a service on the cloud. He is also a lecturer in the Data Science program at the University of Washington. Roger joined Microsoft in 1997 as a Researcher in the Database Group of Microsoft Research (MSR), where he was involved in a number of systems research projects and product incubation efforts, before joining the Cloud and Enterprise Division of Microsoft in 2011.

More Stories By Avinash Joshi

Avinash Joshi is a Senior Research Analyst in the Innovation and Development group of Mu Sigma Business Solutions. He is currently part of a team that works on generating insights from real-time data streams in financial markets. Avinash joined this team in 2011 and has interests ranging from marketing mix modeling to algorithmic trading.

More Stories By Pravin Venugopal

Pravin Venugopal is a Senior Research Analyst in the Innovation and Development group of Mu Sigma Business Solutions. He is currently part of a team that is developing a low latency platform for algorithmic trading. Pravin received his Masters degree in Computer Science and has been a part of Mu Sigma since 2012. His interests include analyzing real-time financial data streams and algorithmic trading.

Comments (1)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@MicroservicesExpo Stories
We have already established the importance of APIs in today’s digital world (read about it here). With APIs playing such an important role in keeping us connected, it’s necessary to maintain the API’s performance as well as availability. There are multiple aspects to consider when monitoring APIs, from integration to performance issues, therefore a general monitoring strategy that only accounts for up-time is not ideal.
Enterprise architects are increasingly adopting multi-cloud strategies as they seek to utilize existing data center assets, leverage the advantages of cloud computing and avoid cloud vendor lock-in. This requires a globally aware traffic management strategy that can monitor infrastructure health across data centers and end-user experience globally, while responding to control changes and system specification at the speed of today’s DevOps teams. In his session at 20th Cloud Expo, Josh Gray, Chie...
In his session at 20th Cloud Expo, Mike Johnston, an infrastructure engineer at Supergiant.io, discussed how to use Kubernetes to set up a SaaS infrastructure for your business. Mike Johnston is an infrastructure engineer at Supergiant.io with over 12 years of experience designing, deploying, and maintaining server and workstation infrastructure at all scales. He has experience with brick and mortar data centers as well as cloud providers like Digital Ocean, Amazon Web Services, and Rackspace. H...
All organizations that did not originate this moment have a pre-existing culture as well as legacy technology and processes that can be more or less amenable to DevOps implementation. That organizational culture is influenced by the personalities and management styles of Executive Management, the wider culture in which the organization is situated, and the personalities of key team members at all levels of the organization. This culture and entrenched interests usually throw a wrench in the work...
When you focus on a journey from up-close, you look at your own technical and cultural history and how you changed it for the benefit of the customer. This was our starting point: too many integration issues, 13 SWP days and very long cycles. It was evident that in this fast-paced industry we could no longer afford this reality. We needed something that would take us beyond reducing the development lifecycles, CI and Agile methodologies. We made a fundamental difference, even changed our culture...
As many know, the first generation of Cloud Management Platform (CMP) solutions were designed for managing virtual infrastructure (IaaS) and traditional applications. But that’s no longer enough to satisfy evolving and complex business requirements. In his session at 21st Cloud Expo, Scott Davis, Embotics CTO, will explore how next-generation CMPs ensure organizations can manage cloud-native and microservice-based application architectures, while also facilitating agile DevOps methodology. He wi...
Docker is sweeping across startups and enterprises alike, changing the way we build and ship applications. It's the most prominent and widely known software container platform, and it's particularly useful for eliminating common challenges when collaborating on code (like the "it works on my machine" phenomenon that most devs know all too well). With Docker, you can run and manage apps side-by-side - in isolated containers - resulting in better compute density. It's something that many developer...
Most companies are adopting or evaluating container technology - Docker in particular - to speed up application deployment, drive down cost, ease management and make application delivery more flexible overall. As with most new architectures, this dream takes a lot of work to become a reality. Even when you do get your application componentized enough and packaged properly, there are still challenges for DevOps teams to making the shift to continuous delivery and achieving that reduction in cost ...
These days, change is the only constant. In order to adapt and thrive in an ever-advancing and sometimes chaotic workforce, companies must leverage intelligent tools to streamline operations. While we're only at the dawn of machine intelligence, using a workflow manager will benefit your company in both the short and long term. Think: reduced errors, improved efficiency and more empowered employees-and that's just the start. Here are five other reasons workflow automation is leading a revolution...
As today's digital disruptions bounce and smash their way through conventional technologies and conventional wisdom alike, predicting their path is a multifaceted challenge. So many areas of technology advance on Moore's Law-like exponential curves that divining the future is fraught with danger. Such is the problem with artificial intelligence (AI), and its related concepts, including cognitive computing, machine learning, and deep learning.
We have Continuous Integration and we have Continuous Deployment, but what’s continuous across all of what we do is people. Even when tasks are automated, someone wrote the automation. So, Jayne Groll evangelizes about Continuous Everyone. Jayne is the CEO of the DevOps Institute and the author of Agile Service Management Guide. She talked about Continuous Everyone at the 2016 All Day DevOps conference. She describes it as "about people, culture, and collaboration mapped into your value streams....
There are several reasons why businesses migrate their operations to the cloud. Scalability and price are among the most important factors determining this transition. Unlike legacy systems, cloud based businesses can scale on demand. The database and applications in the cloud are not rendered simply from one server located in your headquarters, but is instead distributed across several servers across the world. Such CDNs also bring about greater control in times of uncertainty. A database hack ...
“Why didn’t testing catch this” must become “How did this make it to testing?” Traditional quality teams are the crutch and excuse keeping organizations from making the necessary investment in people, process, and technology to accelerate test automation. Just like societies that did not build waterways because the labor to keep carrying the water was so cheap, we have created disincentives to automate. In her session at @DevOpsSummit at 20th Cloud Expo, Anne Hungate, President of Daring System...
API Security is complex! Vendors like Forum Systems, IBM, CA and Axway have invested almost 2 decades of engineering effort and significant capital in building API Security stacks to lockdown APIs. The API Security stack diagram shown below is a building block for rapidly locking down APIs. The four fundamental pillars of API Security - SSL, Identity, Content Validation and deployment architecture - are discussed in detail below.
Did you know that you can develop for mainframes in Java? Or that the testing and deployment can be automated across mobile to mainframe? In his session and demo at @DevOpsSummit at 21st Cloud Expo, Dana Boudreau, a Senior Director at CA Technologies, will discuss how increasingly teams are developing with agile methodologies, using modern development environments, and automating testing and deployments, mobile to mainframe.
As DevOps methodologies expand their reach across the enterprise, organizations face the daunting challenge of adapting related cloud strategies to ensure optimal alignment, from managing complexity to ensuring proper governance. How can culture, automation, legacy apps and even budget be reexamined to enable this ongoing shift within the modern software factory?
While some vendors scramble to create and sell you a fancy solution for monitoring your spanking new Amazon Lambdas, hear how you can do it on the cheap using just built-in Java APIs yourself. By exploiting a little-known fact that Lambdas aren’t exactly single-threaded, you can effectively identify hot spots in your serverless code. In his session at @DevOpsSummit at 21st Cloud Expo, Dave Martin, Product owner at CA Technologies, will give a live demonstration and code walkthrough, showing how ...
@DevOpsSummit at Cloud Expo taking place Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center, Santa Clara, CA, is co-located with the 21st International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is ...
We define Hybrid IT as a management approach in which organizations create a workload-centric and value-driven integrated technology stack that may include legacy infrastructure, web-scale architectures, private cloud implementations along with public cloud platforms ranging from Infrastructure-as-a-Service to Software-as-a-Service.
In his session at 20th Cloud Expo, Scott Davis, CTO of Embotics, discussed how automation can provide the dynamic management required to cost-effectively deliver microservices and container solutions at scale. He also discussed how flexible automation is the key to effectively bridging and seamlessly coordinating both IT and developer needs for component orchestration across disparate clouds – an increasingly important requirement at today’s multi-cloud enterprise.