CIFD: Computational Immunology for Fraud Detection
Dr Richard Overill, Department of Computer Science & International Centre for Security Analysis, King's College London
DTI LINK project funded under Phase 1 of the Management of Information programme
Computational Immunology for Fraud Detection
- DTI LINK project funded under Phase 1 of the Management of Information programme
- Application of adaptive, self-learning technologies with low overheads (CI) to fraud detection in the financial sector
- Partners (with King's College London): Anite Government Systems Ltd. (developer); The Post Office (end user)

Natural Immune Systems
- are multi-layered ("defence in depth")
- consist of several sub-systems:
  - innate immune system (scavenger cells which ingest debris and pathogens)
  - acquired immune system (white blood cells which co-operate to detect and eliminate pathogens / antigens)

Acquired Immune System
- Detector cells are generated in bone marrow (B-cells), and in the lymph system but matured in the thymus gland (T-cells).
- Self-binding T-cell detectors are destroyed by censoring (negative selection) in the thymus.
- B- and remaining T-detectors are released to bind to and destroy foreign (non-self) antigens.
Digital Immune Systems I
- Train with known normal behaviour ("self").
- Generate database(s) of self-signatures.
- Generate a (random) initial population of detectors and screen it against the database(s).
- Challenge the detectors with possibly anomalous behaviour (may contain some "foreign" activity).

Digital Immune Systems II
- An (approximate) match between a detector and an activity trace indicates a possible anomaly.
- React to (warn of) the possible anomaly.
- Evolve the population of detectors to reflect successful and consistently unsuccessful detectors (cloning / killing).
Digital Immune Systems III
- Can be host-based or network-based:
  - Host-based systems monitor behaviour or processes on servers or other network hosts.
  - Network-based systems are of 2 types:
    - statistical traffic analysis using e.g. IP source & destination addresses and IP port / service;
    - promiscuous-mode "sniffing" of IP packets for anomalous behaviour.

Application to CIFD
- Build database(s) of normal transactions and sequences of transactions.
- Look for anomalous, and hence potentially fraudulent, patterns of behaviour in actual transactions and transaction sequences, using the detector matching criteria.
- Adapt the detector population.
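The four-step cycle on the "Digital Immune Systems" slides (train on self, censor random detectors, challenge, evolve) and its application to transaction sequences can be made concrete in a few dozen lines. The following is an added illustration, not code from the CIFD project or its partners. It assumes that each transaction has been reduced to a one-letter type code (the codes D/W/T/B/C and the "self" traces below are constructed sample data), that self-signatures and detectors are fixed-length windows over those codes, and that the "approximate match" is the r-contiguous-symbols rule commonly used in artificial immune systems; the project's actual encoding and matching criteria are not stated on the slides.

```python
"""Negative-selection anomaly detector over transaction-type sequences.
Added example (not the CIFD project's code). Assumptions: transactions are
coded as single letters, signatures are fixed-length windows, and a detector
matches a signature when r contiguous positions agree."""
import random
from collections import Counter

# Constructed normal ("self") traces. Assumed codes:
# D=deposit, W=withdrawal, T=transfer, B=balance enquiry, C=cheque
SELF_TRACES = ["BDWBDW", "BTDWBT", "DBWDBW", "BBDWDW", "TBDBWD", "DWBTDB"]
ALPHABET = "DWTBC"
WINDOW = 4   # length of self-signatures and detectors
R = 3        # contiguous symbols that must agree for a match


def self_signatures(traces, window=WINDOW):
    """Step 1-2: slide a window over each normal trace to build the self database."""
    sigs = set()
    for trace in traces:
        for i in range(len(trace) - window + 1):
            sigs.add(trace[i:i + window])
    return sigs


def matches(detector, signature, r=R):
    """Approximate match: some run of r contiguous positions is identical."""
    run = 0
    for a, b in zip(detector, signature):
        run = run + 1 if a == b else 0
        if run >= r:
            return True
    return False


def negative_selection(self_sigs, n_detectors, rng, window=WINDOW):
    """Step 3: generate random detectors and censor any that bind to self
    (the thymus step). Stops early if the non-self space is exhausted."""
    detectors = set()
    attempts = 0
    while len(detectors) < n_detectors and attempts < 10000:
        attempts += 1
        cand = "".join(rng.choice(ALPHABET) for _ in range(window))
        if not any(matches(cand, s) for s in self_sigs):
            detectors.add(cand)
    return detectors


def challenge(detectors, trace, window=WINDOW):
    """Step 4: run a trace past the detector population; each hit is a
    (offset, signature, detector) triple that a monitor would warn about."""
    hits = []
    for i in range(len(trace) - window + 1):
        sig = trace[i:i + window]
        for d in sorted(detectors):
            if matches(d, sig):
                hits.append((i, sig, d))
    return hits


def evolve(detectors, hit_counts, self_sigs, rng, window=WINDOW):
    """Adapt the population: detectors that fired survive and spawn one
    mutated clone (which must itself pass censoring); detectors that never
    fired in this round are killed."""
    survivors = set()
    for d in detectors:
        if hit_counts.get(d, 0) > 0:
            survivors.add(d)
            pos = rng.randrange(window)
            clone = d[:pos] + rng.choice(ALPHABET) + d[pos + 1:]
            if not any(matches(clone, s) for s in self_sigs):
                survivors.add(clone)
    return survivors


def run_cycle(traces, n_detectors=20, seed=1):
    """One full train / censor / challenge / evolve cycle over constructed traces.
    Returns (self_sigs, detectors, hits, evolved_population)."""
    rng = random.Random(seed)
    self_sigs = self_signatures(SELF_TRACES)
    detectors = negative_selection(self_sigs, n_detectors, rng)
    hits = [h for t in traces for h in challenge(detectors, t)]
    counts = Counter(d for _, _, d in hits)
    return self_sigs, detectors, hits, evolve(detectors, counts, self_sigs, rng)


if __name__ == "__main__":
    # Constructed challenge: a run of cheque transactions never seen in training.
    sigs, dets, hits, evolved = run_cycle(["BDCCCW"])
    print(f"{len(sigs)} self-signatures, {len(dets)} detectors after censoring")
    for offset, sig, det in hits:
        print(f"possible anomaly at offset {offset}: window {sig} bound by detector {det}")
    print(f"{len(evolved)} detectors survive evolution")
```

Two properties worth checking when experimenting with this: a trace drawn entirely from the training set should never raise a hit (otherwise censoring is broken), and the evolve step should never admit a clone that binds to self, since that is exactly the "auto-immune" failure mode discussed under the disadvantages of CI.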
Advantages of CI
- Redundancy: the collective behaviour of many detectors should lead to emergent properties of robustness and fault tolerance, with no centralised or hierarchical control and no SPoF.
- Memory of previous encounters can be built in, e.g. as long-lived successful detectors.
- Various adaptive learning strategies can be tried out, e.g. affinity maturation, niching.

Disadvantages of CI
- Subject to compromise in similar ways to the human immune system, i.e.:
  - subversion via "auto-immune" reaction (cf. rheumatoid arthritis), where the system is induced to misidentify "self" as "foreign";
  - subversion via "immune deficiency" response (cf. HIV-AIDS), where the system's response is suppressed, misidentifying "foreign" as "self";
  - subversion by concealing "foreign" behaviour in "self" disguise ("wolf in sheep's clothing" or T.H.).

Previous Applications of CI
- Computational Immunology (aka Artificial Immune Systems, AIS, in the USA) has already been used successfully for:
  - detecting the activity of computer viruses and other malicious software (IBM TJW Res Cen.);
  - detecting attempted intrusions into computers and networks (New Mexico & Memphis Univs).
Thank you! Any Questions?
Contact:
Tel: 020 7848 2833
Fax: 020 7848 2913
Email: richard@dcs.kcl.ac.uk