Welcome!

Microservices Expo Authors: Anders Wallgren, Liz McMillan, AppDynamics Blog, Automic Blog, Jason Bloomberg

Related Topics: @CloudExpo, Java IoT, Microservices Expo, Linux Containers, Containers Expo Blog, Cloud Security

@CloudExpo: Article

Real-Time Fraud Detection in the Cloud

Using machine learning agent ensembles

This article explores how to detect fraud among online banking customers in real-time by running an ensemble of statistical and machine learning algorithms on a dataset of customer transactions and demographic data. The algorithms, namely Logistic Regression, Self-Organizing Maps and Support Vector Machines, are operationalized using a multi-agent framework for real-time data analysis. This article also explores the cloud environment for real-time analytics by deploying the agent framework in a cloud environment that meets computational demands by letting users' provision virtual machines within managed data centers, freeing them from the worry of acquiring and setting up new hardware and networks.

Real-time decision making is becoming increasingly valuable with the advancement of data collection and analytics techniques. Due to the increase in the speed of processing, the classical data warehousing model is moving toward a real-time model. A platform that enables the rapid development and deployment of applications, reducing the lag between data acquisition and actionable insight has become of paramount importance in the corporate world. Such a system can be used for the classic case of deriving information from data collected in the past and also to have a real-time engine that reacts to events as they occur. Some examples of such applications include:

  • A product company can get real-time feedback for their new releases using data from social media
  • Algorithmic trading by reacting in real times to fluctuations in stock prices
  • Real-time recommendations for food and entertainment based on a customer's location
  • Traffic signal operations based on real-time information of volume of traffic
  • E-commerce websites can detect a customer transaction being authentic or fraudulent in real-time

A cloud-based ecosystem enables users to build an application that detects, in real-time, fraudulent customers based on their demographic information and financial history. Multiple algorithms are utilized to detect fraud and the output is aggregated to improve prediction accuracy.

The dataset used to demonstrate this application comprises of various customer demographic variables and financial information such as age, residential address, office address, income type, income frequency, bankruptcy filing status, etc. The dependent variable (the variable to be predicted) is called "bad", which is a binary variable taking the value 0 (for not fraud) or 1 (for fraud).

Using Cloud for Effective Usage of Resources
A system that allows the development of applications capable of churning out results in real-time has multiple services running in tandem and is highly resource intensive. By deploying the system in the cloud, maintenance and load balancing of the system can be handled efficiently. It will also give the user more time to focus on application development. For the purpose of fraud detection, the active components, for example, include:

  • ActiveMQ
  • Web services
  • PostgreSQL

This approach combines the strengths and synergies of both cloud computing and machine learning technologies, providing a small company or even a startup that is unlikely to have specialized staff and necessary infrastructure for what is a computationally intensive approach, the ability to build a system that make decisions based on historical transactions.

Agent Paradigm
As multiple algorithms are to be run on the same data, a real-time agent paradigm is chosen to run these algorithms. An agent is an autonomous entity that may expect inputs and send outputs after performing a set of instructions. In a real-time system, these agents are wired together with directed connections to form an agency. An agent typically has two behaviors, cyclic and triggered. Cyclic agents, as the name suggests, run continuously in a loop and do not need any input. These are usually the first agents in an agency and are used for streaming data to the agency by connecting to an external real-time data source. A triggered agent runs every time it receives a message from a cyclic agent or another triggered agent. Once it consumes one message, it waits for the next message to arrive.

Figure 1: A simple agency with two agents

In Figure 1, Agent 1 is a cyclic agent while Agent 2 is a triggered agent. Agent 1 finishes its computation and sends a message to Agent 2, which uses the message as an input for further computation.

Feature Selection and Data Treatment
The dataset used for demonstrating fraud detection agency has 250 variables (features) pertaining to the demographic and financial history of the customers. To reduce the number of features, a Random Forest run was conducted on the dataset to obtain variable importance. Next, the top 30 variables were selected based on the variable importance. This reduced dataset was used for running a list of classification algorithms.

Algorithms for Fraud Detection
The fraud detection problem is a binary classification problem for which we have chosen three different algorithms to classify the input data into fraud (1) and not fraud (0). Each algorithm is configured as a triggered agent for our real-time system.

Logistic Regression
This is a probabilistic classification model where the dependent variable (the variable to be predicted) is a binary variable or a categorical variable. In case of binary dependent variables favorable outcomes are represented as 1 and non-favorable outcomes are represented as 0. Logistic regression models the probability of the dependent variable taking the value 0 or 1.

For the fraud detection problem, the dependent variable "bad" is modelled to give probabilities to each customer of being fraud or not. The equation takes multiple variables as input and returns a value between 0 & 1 which is the probability of "bad" being 0. If this value is greater than 0.7, then that customer is classified as not fraud.

Self-Organizing Maps (SOM)
This is an artificial neural network that uses unsupervised learning to represent the data in lower (typically two dimensions) dimensions. This representation of the input data in lower dimensions is called a map. Like most artificial neural networks, SOMs operate in two modes: training and mapping. "Training" builds the map using input examples, while "mapping" automatically classifies a new input vector.

For the fraud detection problem, the input space which is a fifty dimensional space is mapped to a two dimensional lattice of nodes. The training is done using data from the recent past and the new data is mapped using the trained model, which puts it either in the "fraud" cluster or "not - fraud" cluster.

Figure 2: x is an in-put vector in higher dimension, discretized in 2D using wij as the weight matrix
Image Source: http://www.lohninger.com/helpcsuite/kohonen_network_-_background_information.htm

Support Vector Machines (SVM)
This is a supervised learning technique used generally for classifying data. It needs a training dataset where the data is already classified into the required categories. It creates a hyperplane or set of hyperplanes that can be used for classification. The hyperplane is chosen such that it separates the different classes and the margin between the samples in the training set is widest.

For the fraud detection problem, SVM classifies the data points into two classes. The hyperplane is chosen by training the model over the past data. Using the variable "bad", the clusters are labeled as "0" (fraud) and "1" (not fraud). The new data points are classified using the hyperplane obtained while training.

Figure 3: Of the three hyperplanes which segment the data, H2 is the hyperplane which classifies the data accurately

Image Source: http://en.wikipedia.org/wiki/File:Svm_separating_hyperplanes.png

Fraud Detection Agency
A four-tier agency is created to build a workflow process for fraud detection.

Streamer Agent (Tier 1): This agent streams data in real-time to agents in Tier 2. It is the first agent in the agency and its behavior is cyclic. It connects to a real-time data source, pre-processes the data and sends it to the agents in the next layer.

Algorithm Agents (Tier 2): This tier has multiple agents running an ensemble of algorithms with one agent per algorithm. Each agent receives the message from the streamer agent and uses a pre-trained (trained on historical data) model for scoring.

Collator Agent (Tier 3): This agent receives scores from agents in Tier 2 and generates a single score by aggregating the scores. It then converts the score into an appropriate JSON format and sends it to an UI agent for consumption.

User Interface Agent (Tier 4): This agent pushes the messages it receives to a socket server. Any external socket client can be used to consume these messages.

Figure 4: The Fraud detection agency with agents in each layer. The final agent is mapped to a port to which a socket client can connect

Results and Model Validation
The models were trained on 70% of the data and the remaining 30% of the data was streamed to the above agency simulating a real-time data source.

Under-sample: The ratio of number of 0s to the number of 1s in the original dataset for the variable "bad" is 20:1. This would lead to biasing the models towards 0. To overcome this, we sample the training dataset by under-sampling the number of 0s to maintain the ration at 10:1.

The final output of the agency is the classification of the input as fraudulent or not. Since the value for the variable "bad" is already known for this data, it helps us gauge the accuracy of the aggregated model.

Figure 5: Accuracy for detecting fraud ("bad"=1) for different sampling ratio between no.of 0s and no. of 1s in the training dataset

Conclusion
Fraud detection can be improved by running an ensemble of algorithms in parallel and aggregating the predictions in real-time. This entire end-to-end application was designed and deployed in three working days. This shows the power of a system that enables easy deployment of real-time analytics applications. The work flow becomes inherently parallel as these agents run as separate processes communicating with each other. Deploying this in the cloud makes it horizontally scalable owing to effective load balancing and hardware maintenance. It also provides higher data security and makes the system fault tolerant by making processes mobile. This combination of a real-time application development system and a cloud-based computing enables even non-technical teams to rapidly deploy applications.

References

  • Gravic Inc, "The Evolution of Real-Time Business Intelligence", "http://www.gravic.com/shadowbase/pdf/white-papers/Shadowbase-for-Real-Time-Business-Intelligence.pdf"
  • Bernhard Schlkopf, Alexander J. Smola ( 2002), "Learning with Kernels: Support Vector Machines, Regularization, Optimization, and Beyond (Adaptive Computation and Machine Learning)", MIT Press​
  • Christopher Burges (1998), "A Tutorial on Support Vector Machines for Pattern Recognition", Data Mining and Knowledge Discovery, Kluwer Publishers
  • Kohonen, T. (Sep 1990), "The self-organizing map", Proceedings of IEEE
  • Samuel Kaski (1997), "Data Exploration Using Self-Organizing Maps", ACTA POLYTECHNICA SCANDINAVICA: MATHEMATICS, COMPUTING AND MANAGEMENT IN ENGINEERING SERIES NO. 82,
  • Rokach, L. (2010). "Ensemble based classifiers". Artificial Intelligence Review
  • Robin Genuer, Jean-Michel Poggi, Christine Tuleau-Malot, "Variable Selection using Random Forests", http://robin.genuer.fr/genuer-poggi-tuleau.varselect-rf.preprint.pdf

More Stories By Roger Barga

Roger Barga, PhD, is Group Program Manager for the CloudML team at Microsoft Corporation where his team is building machine learning as a service on the cloud. He is also a lecturer in the Data Science program at the University of Washington. Roger joined Microsoft in 1997 as a Researcher in the Database Group of Microsoft Research (MSR), where he was involved in a number of systems research projects and product incubation efforts, before joining the Cloud and Enterprise Division of Microsoft in 2011.

More Stories By Avinash Joshi

Avinash Joshi is a Senior Research Analyst in the Innovation and Development group of Mu Sigma Business Solutions. He is currently part of a team that works on generating insights from real-time data streams in financial markets. Avinash joined this team in 2011 and has interests ranging from marketing mix modeling to algorithmic trading.

More Stories By Pravin Venugopal

Pravin Venugopal is a Senior Research Analyst in the Innovation and Development group of Mu Sigma Business Solutions. He is currently part of a team that is developing a low latency platform for algorithmic trading. Pravin received his Masters degree in Computer Science and has been a part of Mu Sigma since 2012. His interests include analyzing real-time financial data streams and algorithmic trading.

Comments (1)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@MicroservicesExpo Stories
If there is anything we have learned by now, is that every business paves their own unique path for releasing software- every pipeline, implementation and practices are a bit different, and DevOps comes in all shapes and sizes. Software delivery practices are often comprised of set of several complementing (or even competing) methodologies – such as leveraging Agile, DevOps and even a mix of ITIL, to create the combination that’s most suitable for your organization and that maximize your busines...
In the world of DevOps there are ‘known good practices’ – aka ‘patterns’ – and ‘known bad practices’ – aka ‘anti-patterns.' Many of these patterns and anti-patterns have been developed from real world experience, especially by the early adopters of DevOps theory; but many are more feasible in theory than in practice, especially for more recent entrants to the DevOps scene. In this power panel at @DevOpsSummit at 18th Cloud Expo, moderated by DevOps Conference Chair Andi Mann, panelists will dis...
In a crowded world of popular computer languages, platforms and ecosystems, Node.js is one of the hottest. According to w3techs.com, Node.js usage has gone up 241 percent in the last year alone. Retailers have taken notice and are implementing it on many levels. I am going to share the basics of Node.js, and discuss why retailers are using it to reduce page load times and improve server efficiency. I’ll talk about similar developments such as Docker and microservices, and look at several compani...
The goal of any tech business worth its salt is to provide the best product or service to its clients in the most efficient and cost-effective way possible. This is just as true in the development of software products as it is in other product design services. Microservices, an app architecture style that leans mostly on independent, self-contained programs, are quickly becoming the new norm, so to speak. With this change comes a declining reliance on older SOAs like COBRA, a push toward more s...
Many private cloud projects were built to deliver self-service access to development and test resources. While those clouds delivered faster access to resources, they lacked visibility, control and security needed for production deployments. In their session at 18th Cloud Expo, Steve Anderson, Product Manager at BMC Software, and Rick Lefort, Principal Technical Marketing Consultant at BMC Software, will discuss how a cloud designed for production operations not only helps accelerate developer...
From the conception of Docker containers to the unfolding microservices revolution we see today, here is a brief history of what I like to call 'containerology'. In 2013, we were solidly in the monolithic application era. I had noticed that a growing amount of effort was going into deploying and configuring applications. As applications had grown in complexity and interdependency over the years, the effort to install and configure them was becoming significant. But the road did not end with a ...
I have an article in the recently released “DZone Guide to Building and Deploying Applications on the Cloud” entitled “Fullstack Engineering in the Age of Hybrid Cloud”. In this article I discuss the need and skills of a Fullstack Engineer with relation to troubleshooting and repairing complex, distributed hybrid cloud applications. My recent experiences with troubleshooting issues with my Docker WordPress container only reinforce the details I wrote about in this piece. Without my comprehensive...
Digital means customer preferences and behavior are driving enterprise technology decisions to be sure, but let’s not forget our employees. After all, when we say customer, we mean customer writ large, including partners, supply chain participants, and yes, those salaried denizens whose daily labor forms the cornerstone of the enterprise. While your customers bask in the warm rays of your digital efforts, are your employees toiling away in the dark recesses of your enterprise, pecking data into...
Admittedly, two years ago I was a bulk contributor to the DevOps noise with conversations rooted in the movement around culture, principles, and goals. And while all of these elements of DevOps environments are important, I’ve found that the biggest challenge now is a lack of understanding as to why DevOps is beneficial. It’s getting the wheels going, or just taking the next step. The best way to start on the road to change is to take a look at the companies that have already made great headway ...
Small teams are more effective. The general agreement is that anything from 5 to 12 is the 'right' small. But of course small teams will also have 'small' throughput - relatively speaking. So if your demand is X and the throughput of a small team is X/10, you probably need 10 teams to meet that demand. But more teams also mean more effort to coordinate and align their efforts in the same direction. So, the challenge is how to harness the power of small teams and yet orchestrate multiples of them...
Much of the value of DevOps comes from a (renewed) focus on measurement, sharing, and continuous feedback loops. In increasingly complex DevOps workflows and environments, and especially in larger, regulated, or more crystallized organizations, these core concepts become even more critical. In his session at @DevOpsSummit at 18th Cloud Expo, Andi Mann, Chief Technology Advocate at Splunk, will show how, by focusing on 'metrics that matter,' you can provide objective, transparent, and meaningfu...
You deployed your app with the Bluemix PaaS and it's gaining some serious traction, so it's time to make some tweaks. Did you design your application in a way that it can scale in the cloud? Were you even thinking about the cloud when you built the app? If not, chances are your app is going to break. Check out this webcast to learn various techniques for designing applications that will scale successfully in Bluemix, for the confidence you need to take your apps to the next level and beyond.
SYS-CON Events announced today that Peak 10, Inc., a national IT infrastructure and cloud services provider, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Peak 10 provides reliable, tailored data center and network services, cloud and managed services. Its solutions are designed to scale and adapt to customers’ changing business needs, enabling them to lower costs, improve performance and focus inter...
With DevOps becoming more well-known and established practice in nearly every industry that delivers software, it is important to continually reassess its efficacy. This week’s top 10 includes a discussion on how the quick uptake of DevOps adoption in the enterprise has posed some serious challenges. Additionally, organizations who have taken the DevOps plunge must find ways to find, hire and keep their DevOps talent in order to keep the machine running smoothly.
Wow, if you ever wanted to learn about Rugged DevOps (some call it DevSecOps), sit down for a spell with Shannon Lietz, Ian Allison and Scott Kennedy from Intuit. We discussed a number of important topics including internal war games, culture hacking, gamification of Rugged DevOps and starting as a small team. There are 100 gold nuggets in this conversation for novices and experts alike.
The notion of customer journeys, of course, are central to the digital marketer’s playbook. Clearly, enterprises should focus their digital efforts on such journeys, as they represent customer interactions over time. But making customer journeys the centerpiece of the enterprise architecture, however, leaves more questions than answers. The challenge arises when EAs consider the context of the customer journey in the overall architecture as well as the architectural elements that make up each...
Much of the discussion around cloud DevOps focuses on the speed with which companies need to get new code into production. This focus is important – because in an increasingly digital marketplace, new code enables new value propositions. New code is also often essential for maintaining competitive parity with market innovators. But new code doesn’t just have to deliver the functionality the business requires. It also has to behave well because the behavior of code in the cloud affects performan...
In 2006, Martin Fowler posted his now famous essay on Continuous Integration. Looking back, what seemed revolutionary, radical or just plain crazy is now common, pedestrian and "just what you do." I love it. Back then, building and releasing software was a real pain. Integration was something you did at the end, after code complete, and we didn't know how long it would take. Some people may recall how we, as an industry, spent a massive amount of time integrating code from one team with another...
As the software delivery industry continues to evolve and mature, the challenge of managing the growing list of the tools and processes becomes more daunting every day. Today, Application Lifecycle Management (ALM) platforms are proving most valuable by providing the governance, management and coordination for every stage of development, deployment and release. Recently, I spoke with Madison Moore at SD Times about the changing market and where ALM is headed.
Struggling to keep up with increasing application demand? Learn how Platform as a Service (PaaS) can streamline application development processes and make resource management easy.