Investigative Data Mining in Fraud Detection
Transforming Minority Report from Science Fiction to Science Fact
Clifton Phua Honours Student
[email protected] 2003
Overview (1)
•
Investigative Data Mining and Problems in Fraud Detection • •
•
Existing Fraud Detection Methods •
•
Definitions Technical and Practical Problems Widely used methods
The Crime Detection Method • • • • •
Comparisons with Minority Report Classifiers as Precogs Combining Output as Integration Mechanisms Cluster Detection as Analytical Machinery Visualisation Techniques as Visual Symbols
Investigative Data Mining in Fraud Detection
Overview (2)
•
Implementing the Crime Detection System: Preparation Component • • •
•
Implementing the Crime Detection System: Action Component • • •
•
Investigation objectives Collected data Preparation of collected data to achieve objectives Which experiments generate best predictions? Which is the best insight? How can the new models and insights be deployed within an organisation?
Contributions and Recommendations • •
Significant research contributions Proposed solutions
Investigative Data Mining in Fraud Detection
Literature and Acknowledgements Dick P K (1956) Minority Report, Orion Publishing Group, London, Great Britain. Abagnale F (2001) The Art of the Steal: How to Protect Yourself and Your Business from Fraud, Transworld Publishers, NSW, Australia. Mena J (2003) Investigative Data Mining for Security and Criminal Detection, Butterworth Heinemann, MA, USA.
T h e
T h e
Elkan C (2001) Magical Thinking in Data Mining: Lessons From CoIL Challenge 2000, Department of Computer Science and Engineering, University of California, San Diego, USA. Prodromidis A (1999) Management of Intelligent Learning Agents in Distributed Data Mining Systems, Unpublished PhD thesis, Columbia University, USA. Berry M and Linoff G (2000) Mastering Data Mining: The Art and Science of Customer Relationship Management, John Wiley and Sons, New York, USA.
T h e
Han J and Kamber M (2001) Data Mining: Concepts and Techniques, Morgan Kaufmann Publishers. Witten I and Frank E (1999) Data Mining: Practical Machine Learning Tools and Techniques with Java, Morgan Kauffman Publishers, CA, USA.
Investigative Data Mining in Fraud Detection
Investigative Data Mining and Problems in Fraud Detection
Investigative Data Mining in Fraud Detection
Investigative Data Mining - Definitions
•
Investigative •
•
Data Mining • •
•
Official attempt to extract some truth, or insights, about criminal activity from data Process of discovering, extracting and analysing of meaningful patterns, structure, models, and rules from large quantities of data. Spans several research areas such as database, machine learning, neural networks, data visualisation, statistics, and distributed data mining.
Investigative Data Mining • • •
Applied to law enforcement, Industry, and Private databases
Investigative Data Mining in Fraud Detection
Fraud Detection - Definitions
•
Fraud •
•
Diversity of Fraud • • • • •
•
Criminal deception, use of false representations to obtain an unjust advantage, or to injure the rights and interests of another Against organisations, governments, and individuals Committed by external parties, internal management, and non-management employees Caused by customers, service providers, and suppliers Prevalent in insurance, credit card, and telecommunications Most common in automobile, travel, and household contents
Cost of Fraud •
Automobile insurance fraud alone – AUD$32 million for nine Australian companies
Investigative Data Mining in Fraud Detection
Fraud Detection Problems - Technical
•
Imperfect data • •
•
Highly skewed data • •
•
Usually not collected for data mining Inaccurate, incomplete, and irrelevant data attributes Many more legitimate than fraudulent examples Higher chances of overfitting
Black-box predictions •
Numerical outputs incomprehensible to people
Investigative Data Mining in Fraud Detection
Fraud Detection Problems - Practical
•
Lack of domain knowledge • •
•
Great variety of fraud scenarios over time • •
•
Important attributes, likely relationships, and known patterns Three types of fraud offenders and their modus operandi Soft fraud – Cost of investigation > Cost of fraud Hard fraud – Circumvents anti-fraud measures
Assessing data mining potential •
Predictive accuracy are useless for skewed data sets
Investigative Data Mining in Fraud Detection
Existing Fraud Detection Methods
Investigative Data Mining in Fraud Detection
Widely Used Methods in Fraud Detection
•
Insurance Fraud • •
•
Credit Card Fraud •
•
Cluster detection -> decision tree induction -> domain knowledge, statistical summaries, and visualisations Special case: neural network classification -> cluster detection Decision tree and naive Bayesian classification -> stacking
Telecommunications Fraud •
Cluster detection -> scores and rules
Investigative Data Mining in Fraud Detection
The Crime Detection Method
Investigative Data Mining in Fraud Detection
Comparisons with Minority Report
•
Precogs • •
•
Integration Mechanisms •
•
Combine predictions
Analytical Machinery • •
•
Foresee and prevent crime Each precog contains multiple classifiers
Record, study, compare, and represent predictions in simple terms Single “computer”
Visual Symbols • •
Explain the final predictions Graphical visualisations, numerical scores, and descriptive rules
Investigative Data Mining in Fraud Detection
The Crime Detection Method Precog P1 = L1(D)
Main Predictions + Predictions Examples and Instances D
Precog P2 = L2(D)
Precog P1 = L1(P1, P2, P3)
Precog P3 = L3(D)
Attribute Selection Main Predictions Final Predictions
Graphs and Scores Analytical Machinery CL = L4(D)
Visual Symbols
Rules
Investigative Data Mining in Fraud Detection
Classifiers as Precogs
•
Precog One: Naive Bayesian Classifiers • • •
•
Precog Two: C4.5 Classifiers • • •
•
Computer metaphor Explain patterns and quite fast Scalability and efficiency issues*
Precog Three: Backpropagation Classifiers • •
•
Statistical paradigm Simple and Fast Redundant and not normally distributed attributes*
Brain metaphor Long training times and extensive parameter tuning*
Advantages and disadvantages *For details on how the problems were tackled, please refer to the thesis
Investigative Data Mining in Fraud Detection
Combining Output as Integration Mechanisms
•
Cross Validation Divides training data into eleven data partitions Each data partition used for training, testing, and evaluation once* Slightly better success rate
• • •
•
Bagging Unweighted majority voting on each example or instance Combine predictions from same algorithm or different algorithms* Increases success rate
• • • 1
2
3
4
5
6
7
8
9
10
11
Main Prediction
fraud
fraud
legal
fraud
legal
fraud
legal
fraud
fraud
legal
fraud
fraud
fraud
fraud
fraud
legal
legal
fraud
legal
legal
legal
fraud
legal
legal
*For details on how the technique works, please refer to the thesis
Investigative Data Mining in Fraud Detection
Combining Output as Integration Mechanisms
•
Stacking • • •
Meta-classifier Base classifiers present predictions to meta-classifier* Determines the most reliable classifiers 1 Partition 1
Partition 2
Partition 3
Naive Bayesian Algorithm
1
C4.5 Algorithm
3 NB Classifi erss
2
3 NB Predictio ns
3 C4.5 Predictio ns
3 C4.5 Classifi erss
Backpropagation Algorithm
3
3 BP Predictio ns
3 BP Classifi erss 3 4
MetaClassifi er
Naive Bayesian Algorithm
4 Combined Training Data
*For details on how the technique works, please refer to the thesis
Investigative Data Mining in Fraud Detection
Combining Output as Integration Mechanisms
•
Stacking (2)
1
2
3 NB Predictio ns
3 NB Classifi erss
3 C4.5 Predictio ns
3 C4.5 Classifi erss
Score Data Set
3 BP Predictio ns
3 BP Classifi erss
Final Predictio n
Investigative Data Mining in Fraud Detection
4
4 MetaClassifi er
Combined Training Data
3
Cluster Detection as Analytical Machinery Visualisation Techniques as Visual Symbols
•
Analytical Machinery: Self Organising Maps • • •
•
Clusters high dimensional elements into more simple, low dimensional maps Automatically groups similar instances together Do not specify an easy-to-understand model*
Visual Symbols: Classification and Clustering Visualisations •
Classification visualisation
•
Clustering visualisation
– confusion matrix - naive Bayesian visualisation - column graph
*For details on how the problems were tackled, please refer to the thesis
Investigative Data Mining in Fraud Detection
Steps in the Crime Detection Method Precog P1 = L1(D)
Main Predictions + Predictions Examples and Instances D
Precog P2 = L2(D)
Precog P1 = L1(P1, P2, P3)
Precog P3 = L3(D)
Attribute Selection Main Predictions Final Predictions
Graphs and Scores Analytical Machinery CL = L4(D)
Visual Symbols
Rules
Investigative Data Mining in Fraud Detection
Implementing the Crime Detection System: Preparation Component
Investigative Data Mining in Fraud Detection
The Crime Detection System Preparation Component Data Understanding
Problem Understanding
Data Preparation Crime Detection Method
Data
Modelling
Deployment
Evaluation
Investigative Data Mining in Fraud Detection
Action Component
The Crime Detection System: Preparation Component
•
Problem Understanding •
•
• •
Determine investigation objectives - Choose - Explain Assess situation - Available tools - Available data set - Cost model* Determine data mining objectives - Max hits/Min false alarms Produce project plan - Time - Tools
*For details, refer to the thesis
Investigative Data Mining in Fraud Detection
The Crime Detection System: Preparation Component
•
Data Understanding •
•
•
Describe data - 11550 examples (1994 and 1995) - 3870 instances (1996) - 33 attributes - 6% fraudulent Explore data - Claim trends by month - Age of vehicles - Age of policy holder Verify data - Good data quality - Duplicate attribute, highly skewed attributes
Investigative Data Mining in Fraud Detection
The Crime Detection System: Preparation Component
•
Data Preparation • •
•
Select data - All, except one attribute, are retained for analysis Clean data - Missing values replaced - Spelling mistakes corrected Format data - All characters converted to lowercase - Underscore symbol
Investigative Data Mining in Fraud Detection
The Crime Detection System: Preparation Component
•
Data Preparation •
Construct data - Derived attributes - weeks_past* - is_holidayweek_claim* - age_price_wsum* - Numerical input - 14 attributes scaled between 0 and 1 - 19 attributes represented by one-of-N or binary encoding*
*For details, refer to the thesis
Investigative Data Mining in Fraud Detection
The Crime Detection System: Preparation Component
•
Data Preparation •
Partition data - Data multiplication or oversampling - For example, 50/50 distribution 1994 and 1995 Training Data 11550 Examples
1996 Score Data 4083 Examples
923 Fraud Examples
10840 Legal Examples
923 legal 923 examples legal 923 examples legal 923 examples legal 923 examples legal 923 examples legal 923 examples legal 923 examples legal 923 examples legal 923 examples legal 923 examples
Legal Examples
Investigative Data Mining in Fraud Detection
Implementing the Crime Detection System: Action Component
Investigative Data Mining in Fraud Detection
The Crime Detection System: Action Component
•
Modelling •
Generate experiment design (1)
Experiment Number
Technique or Algorithm
Data Distribution
I
Naive Bayes
50/50
II
Naive Bayes
40/60
III
Naive Bayes
30/70
IV
Backpropagation
Determined by Experiments I, II, III
V
C4.5
Determined by Experiments I, II, III
VI
Bagging
-
VII
Stacking
-
VIII
Stacking and Bagging
-
IX
Backpropagation
5/95
X
Self Organising Map
5/95
Investigative Data Mining in Fraud Detection
The Crime Detection System: Action Component
•
Modelling •
Generate experiment design (2)
Test A
B
C
D
E
F
G
H
I
J
K
Training Set
Partition 1
2
3
4
5
6
7
8
9
10
11
Testing Set
Partition 2
3
4
5
6
7
8
9
10
11
1
Evaluation Set
Partition 3
4
5
6
7
8
9
10
11
1
2
Evaluating
Success Rate A
B
C
D
E
F
G
H
I
J
K
Average W
Bagging
Predictions A
B
C
D
E
F
G
H
I
J
K
Bagged X
Producing
Classifier 1
2
3
4
5
6
7
8
9
10
11
Scoring Set
Success Rate A
B
C
D
E
F
G
H
I
J
K
Average Y
Bagging Main
Score Predictions A
B
C
D
E
F
G
H
I
J
K
Bagged Z
Investigative Data Mining in Fraud Detection
Overall Success Rate
The Crime Detection System: Action Component
•
Modelling •
Build models (1) - Bagged X outperformed Averaged W - Bagged Z performed marginally better than Averaged Y - Experiment II achieved highest cost savings than I and III - 40/60 distribution most appropriate under the cost model - Experiment V achieved highest cost savings than II and IV - C4.5 algorithm is the best algorithm for the data set
Investigative Data Mining in Fraud Detection
The Crime Detection System: Action Component
•
Modelling •
Build models (2) - Experiment VIII achieved slightly better cost savings than V - Combining models from different algorithms is better than the single algorithm - The top 15 classifiers from stacking consisted of 9 C4.5, 4 backpropagation, and 2 naive Bayesian classifiers*
*For details, refer to the thesis
Investigative Data Mining in Fraud Detection
The Crime Detection System: Action Component
•
Modelling •
Build models (3) - No scores from D2K software - Experiment IX demonstrates sorted scores and predefined thresholds result in focused investigations* - Satisfies Pareto’s Law - Rules did not provide insights - Already in domain knowledge and data attribute exploration* -
Experiment X requires 5 clusters for visualisation* age_of_policyholder weeks_past, is_holidayweek_claim make, accident_area, vehicle_category, age_price_wsum, number_of_cars, base_policy *For details, refer to the thesis
Investigative Data Mining in Fraud Detection
The Crime Detection System: Action Component
•
Modelling Assess models (1) - Training and score data sets too small* - Student’s t-test with k-1 degrees of freedom*
•
Rank
Experiment Number
Technique or Algorithm
Cost Savings
Overall Success Rate
Percentage Saved
1
VIII
Stacking and Bagging
$167,069
60%
29.71%
2
V
C4.5 40/60
$165,242
60%
29.38%
3
VI
Bagging
$127,454
64%
22.66%
4
VII
Stacking
$104,887
70%
18.65%
5
II
Naive Bayes 40/60
$94,734
70%
16.85%
6
IX
Backpropagation 5/95
$89, 232
75%
15.87%
7
IV
Backpropagation 40/60
-$6,488
92%
-1.15%
- McNemar’s hypothesis test*
*For details, refer to the thesis
Investigative Data Mining in Fraud Detection
The Crime Detection System: Action Component
•
Modelling Assess models (2) - Clusters 1, 2, and 3 have higher occurrences of fraud in 1996
•
- Clusters 1, 3, and 5 consist of several makes of inexpensive cars - Utility vehicles, rural areas, and liability policies - Clusters 2 and 4 contain claims submitted many weeks after the “accidents” - Toyota, sport cars, and multiple policies Cluster
Number of instances
Descriptive Cluster Profile
1
215
Cluster 1 contains a large number of 21 to 25 year olds. The insured vehicles are relatively new.
2
166
Cluster 2 also contains a large number of 21 to 25 year olds. The claims are usually reported 10 weeks past the accident. The insured vehicles are usually sport cars.
3
268
Cluster 3 has almost all 16 to 17 year old fraudsters. The insured vehicles are mainly Acuras, Chevrolets, and Hondas. The insured vehicles are usually utility cars.
4
103
Cluster 4 has claims are usually reported 20 weeks past the accident. Almost all insured cars are Toyotas and the fraudster has a high probability of getting 3 to 4 cars insured. Claims are unlikely to be submitted during holiday periods.
5
171
Cluster 5 consists of mainly Fords, Mazdas, and Pontiacs. Higher chances of rural accidents and the base policy type are likely to be liability.
Investigative Data Mining in Fraud Detection
The Crime Detection System: Action Component
•
Modelling •
Assess models (3) - Statistical evaluation of descriptive cluster profiles - Cluster 4 - 3121 Toyota car claims, 6% or 187 fraudulent - 2148 Toyota sedan car claims, expect 6% or 129 to be fraudulent with ±10 standard deviation - Actual 171 fraudulent Toyota sedan car claims, z-score of 3.8 standard deviation - This is an insight because it is statistically reliable, not known previously, and actionable Cluster
Group
Claims
No. and % of Fraud
Sub-Group
Claims
Expected No. of Fraud
Actual No. of Fraud
z-Score
1
All claims
15420
923 (6%)
21 to 25 year olds
108
2
16
5
2
Sport cars
5358
84 (1.6%)
21 to 25 year olds + Sport cars
32
1
10
9.5
3
16 to 17 year olds
320
31 (9.7%)
Honda + 16 to 17 year olds
31
3
31
9.3
Investigative Data Mining in Fraud Detection
The Crime Detection System: Action Component
•
Modelling •
Assess models (4) - Append main predictions from 3 algorithms and final predictions from bagging to 615 fraudulent instances - 25 cannot be detected by any algorithms, highest lift in Clusters 1 and 2 - All can be detected by at least 1 algorithm in Cluster 3 - Not all fraudulent instances can be detected - Domain knowledge, cluster detection, and statistics offer explanation - 101 cannot be detected by 2 algorithms - Weakness of bagging - Other alternatives
Investigative Data Mining in Fraud Detection
The Crime Detection System: Action Component
•
Evaluation Evaluate results - Experiment VIII generate the best predictions with cost savings of about $168, 000. This is almost 30% of total cost savings possible - Most statistically reliable insight is the knowledge of 21 to 25 year olds who drive sport cars Review process - Unsupervised learning to derive clusters first - More training data partitions - More skewed distributions - Cost model too simplistic - Probabilistic Neural Networks •
Investigative Data Mining in Fraud Detection
The Crime Detection System: Action Component
•
Deployment •
•
Plan deployment - Manage geographically distributed databases using distributed data mining - Take time into account Plan monitoring and maintenance - Determined by rate of change in external environment and organisational requirements - Rebuild models when cost savings are below a certain percentage of maximum cost savings possible
Investigative Data Mining in Fraud Detection
Contributions and Recommendations
Investigative Data Mining in Fraud Detection
Contributions
• • • • • • • •
New Crime Detection Method Crime Detection System Cost Model Visualisations Statistics Score-based Feature Extensive Literature Review In-depth Analysis of Algorithms
Investigative Data Mining in Fraud Detection
Recommendations – Technical Problems
•
Imperfect data • • • •
•
Highly skewed data • •
•
Statistical evaluation and confidence intervals Preparation component of crime detection system Derived attributes Cross validation Partitioned data with most appropriate distribution Cost model
Black-box predictions • •
Classification and clustering visualisation Sorted scores and predefined thresholds, rules
Investigative Data Mining in Fraud Detection
Recommendations – Practical Problems
•
Lack of domain knowledge • •
•
Great variety of fraud scenarios over time • • •
•
Action component of crime detection system Extensive literature review SOM Crime detection method Choice of algorithms
Assessing data mining potential • • •
Quality and quantity of data Cost model z-scores
Investigative Data Mining in Fraud Detection
Transforming Minority Report from Science Fiction to Science Fact: INVESTIGATIVE DATA MINING IN FRAUD DETECTION 1 INTRODUCTION • The world is overwhelmed with terabytes of data but there are only few effective and efficient ways to analyse and interpret it. • The purpose of the research is to simulate the Precrime System from the science fiction novel, Minority Report, using data mining methods and techniques, to extract insights from enormous amounts of data to
detect white-collar crime
3 RESULTS ON AUTOMOBILE INSURANCE DATA
4 DISCUSSION
• Through the use of integration mechanisms, the highest cost savings is achieved • The analytical machinery facilitated the interesting discovery of 21 to 25 year old fraudsters who used sport cars as their crime tool
semi-transparent approach
• Integration Mechanisms are needed. As each precog outputs its many predictions for each instance, all are counted and the class with the highest tally is chosen as the main prediction • Figure 1 shows that the main predictions can be combined either by majority count (bagging) or the predictions can be fed back into one of the precogs (stacking), to derive a final prediction
2 THE CRIME DETECTION METHOD
to increase the accuracy of the predictions, without violating competitive and legal requirements • The analytical machinery transforms multidimensional data into two-dimensional clusters which contain similar data to enable the data analyst to easily
differentiate the groups of fraud. It also allows the data analyst to
assess the algorithms’ ability
Preco g P1 = L1(D)
to cope with evolving fraud • The crime detection method provides a Main Predictions + Predictions
Examples and Instances D
Preco g P2 = L2(D)
Precog P1 = L1(P1, P2, P3)
Preco g P3 = L3(D)
flexible step-by-step approach to generating predictions from any three algorithms, and uses some form of integration mechanisms to increase the likelihood of correct final predictions
Attribute Selection Main Predictions Final Predictions
Analytical Machinery CL = L4(D)
Visual Symbols
Graphs and Scores
Rules
Figure 1: Predictions using Precogs, Analytical Machinery, and Visual Symbols • Analytical Machinery, or cluster detection, records, studies, compares, and represents the precogs’ predictions in easily understood terms • The analytical machinery is represented by the Self Organising Map (SOM) which clusters the similar data into groups • Figure 1 demonstrates that main predictions and final predictions are appended to the clustered data to determine the fraud characteristics which cannot be detected, and the most important attributes are selected for visualisation
by using analytical machinery and visual symbols to analyse and interpret the predictions • Precogs can be
shared between organisations
• The application is in uncovering fraudulent claims in automobile insurance • The objectives are to overcome the technical and practical problems of data mining in fraud detection
• Precogs, or precognitive elements, are entities which have the knowledge to predict that something will happen. Figure 1 uses three precogs to foresee and prevent crime by stopping potentially guilty criminals • Each precog contains multiple classification models, or classifiers, trained with one data mining technique to extrapolate the future • The three precogs are different from each other because they are trained by different data mining algorithms. For example, the first, second, and third precog are trained using naive Bayesian, C4.5, and backpropagation algorithms. • The precogs require numerical inputs of past examples to output corresponding predictions for new instances
• Black-box approach from the precogs are transformed into a
• Visual Symbols, or visualisations, integrate human perceptual abilities in the data analysis process by presenting the data in some visual and interactive form • The naive Bayesian and C4.5 visualisations facilitate analysis of classifier predictions and performance, and column graphs aid the interpretation of clustering results
• Scores are numbers with a specified range, which indicates the relative risk that a particular data instance maybe fraudulent, to rank instances • Rules are expressions in the form of Body → Head, where Body describes the conditions under which the rule is generated and Head is the class label
5 CONCLUSION • Other possible applications of this crime detection method are: -Anti-terrorism -Burglary -Customs declaration fraud -Drug-related homocides -Drug smuggling -Government financial transactions -Sexual offences
REFERENCES Dick P K (1956) Minority Report, Orion Publishing Group, London, Great Britain.
Done by Clifton Phua for Honours 2003 Supervised by Dr. Damminda Alahakoon
Questions?
Investigative Data Mining in Fraud Detection