Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.

Fraud Detection with Neo4j

408 vues

Publié le

GraphConnect Europe 2017
Jesus Barrasa, Neo4j

Publié dans : Technologie
  • Soyez le premier à aimer ceci

Fraud Detection with Neo4j

  1. 1. Fraud Detection with Neo4j what we can learn from the Panama Papers Graph Connect Europe May 11, 2017 Dr J. Barrasa Neo Technology @BarrasaDV
  2. 2. A year ago…
  3. 3. What did we learn from the Panama Papers?
  4. 4. Look at this dataset
  5. 5. Swap glasses
  6. 6. Look at the dataset again
  7. 7. Do I have a graph problem?
  8. 8. Law of the instrument (of the hammer) : cognitive bias that involves an over-reliance on a familiar tool. A.Maslow 1966
  9. 9. Did Google have a graph problem back in the early 2000s? I’d say it was an information retrieval problem… but they looked at it with a graph-thinking mindset!
  10. 10. nd so, my fellow graphistas: ask not whether you have a graph problem - instead, look at your problem with a graph thinking mindset” J. Barrasa - Graph Connect Europe 2017 “A
  11. 11. Example: Credit card fraud origination and assessment of potential impact
  12. 12. Mark Robert Sheila Kate
  13. 13. WITH { amount: 2.50, currency:"USD", txid:"05015244006", mid:"5073047", tid:"5073440-7", timestamp:1490060618007, cardno:"5224654370862586050" } AS newTxData MATCH (lastTx:Transaction { cardno: newTxData.cardno }) WHERE NOT (lastTx)-[:NEXT]->() CREATE (newTx:Transaction) SET newTx += newTxData CREATE (lastTx)-[:NEXT]->(newTx) WITH newTx, newTxData MERGE (term:Terminal { tid: newTxData.tid}) CREATE (newTx)-[:IN_TERMINAL]->(term) Tx Tx Tx Tx Fraud Fraud Data load: Transactions
  14. 14. WITH { amount: 2.50, currency:"USD", txid:"05015244006", mid:"5073047", tid:"5073440-7", timestamp:1490060618007, cardno:"5224654370862586050" } AS newTxData MATCH (lastTx:Transaction { cardno: newTxData.cardno }) WHERE NOT (lastTx)-[:NEXT]->() CREATE (newTx:Transaction) SET newTx += newTxData CREATE (lastTx)-[:NEXT]->(newTx) WITH newTx, newTxData MERGE (term:Terminal { tid: newTxData.tid}) CREATE (newTx)-[:IN_TERMINAL]->(term) Tx Tx Tx Tx Fraud Fraud Data load: Transactions
  15. 15. WITH { amount: 2.50, currency:"USD", txid:"05015244006", mid:"5073047", tid:"5073440-7", timestamp:1490060618007, cardno:"5224654370862586050" } AS newTxData MATCH (lastTx:Transaction { cardno: newTxData.cardno }) WHERE NOT (lastTx)-[:NEXT]->() CREATE (newTx:Transaction) SET newTx += newTxData CREATE (lastTx)-[:NEXT]->(newTx) WITH newTx, newTxData MERGE (term:Terminal { tid: newTxData.tid}) CREATE (newTx)-[:IN_TERMINAL]->(term) Tx Tx Tx Tx Fraud Fraud Data load: Transactions
  16. 16. WITH { amount: 2.50, currency:"USD", txid:"05015244006", mid:"5073047", tid:"5073440-7", timestamp:1490060618007, cardno:"5224654370862586050" } AS newTxData MATCH (lastTx:Transaction { cardno: newTxData.cardno }) WHERE NOT (lastTx)-[:NEXT]->() CREATE (newTx:Transaction) SET newTx += newTxData CREATE (lastTx)-[:NEXT]->(newTx) WITH newTx, newTxData MERGE (term:Terminal { tid: newTxData.tid}) CREATE (newTx)-[:IN_TERMINAL]->(term) Tx Tx Tx Tx Fraud Fraud Data load: Transactions
  17. 17. WITH { txid:"0501524400006"} AS unrecognizedTx MATCH (tx:Transaction { txid: unrecognizedTx.txid }) SET tx:FraudTx Tx Tx Tx Tx Fraud Fraud Data load: Reported fraud
  18. 18. WITH { txid:"0501524400006"} AS unrecognizedTx MATCH (tx:Transaction { txid: unrecognizedTx.txid }) SET tx:FraudTx Tx Tx Tx Tx Fraud Fraud Data load: Reported fraud
  19. 19. WITH { txid:"0501524400006"} AS unrecognizedTx MATCH (tx:Transaction { txid: unrecognizedTx.txid }) SET tx:FraudTx Tx Tx Tx Tx Fraud Fraud Data load: Reported fraud
  20. 20. WITH { txid:"0501524400006"} AS unrecognizedTx MATCH (tx:Transaction { txid: unrecognizedTx.txid }) SET tx:FraudTx Tx Tx Tx Tx Fraud Fraud Data load: Reported fraud
  21. 21. MATCH (term:Terminal)<-[:IN_TERMINAL]-(t)-[n:NEXT*]->(:FraudTx) WITH term , count(distinct t.cardno) as ct, min(t.timestamp) as mindate, max(t.timestamp) as maxdate WHERE ct > 1 MATCH (term)<-[:IN_TERMINAL]-(otherTx) WHERE otherTx.timestamp < maxdate and otherTx.timestamp > mindate RETURN term.tid AS terminal,mindate,maxdate, 100 * ct / COUNT(DISTINCT otherTx.cardno) AS impact, (maxdate - mindate)/(24*3600000) as timewindow ORDER BY impact DESC, timewindow DESC Query: Fraud origination at terminal level
  22. 22. MATCH (term:Terminal)<-[:IN_TERMINAL]-(t)-[n:NEXT*]->(:FraudTx) WITH term , count(distinct t.cardno) as ct, min(t.timestamp) as mindate, max(t.timestamp) as maxdate WHERE ct > 1 MATCH (term)<-[:IN_TERMINAL]-(otherTx) WHERE otherTx.timestamp < maxdate and otherTx.timestamp > mindate RETURN term.tid AS terminal,mindate,maxdate, 100 * ct / COUNT(DISTINCT otherTx.cardno) AS impact, (maxdate - mindate)/(24*3600000) as timewindow ORDER BY impact DESC, timewindow DESC Query: Fraud origination at terminal level
  23. 23. MATCH (term:Terminal)<-[:IN_TERMINAL]-(t)-[n:NEXT*]->(:FraudTx) WITH term , count(distinct t.cardno) as ct, min(t.timestamp) as mindate, max(t.timestamp) as maxdate WHERE ct > 1 MATCH (term)<-[:IN_TERMINAL]-(otherTx) WHERE otherTx.timestamp < maxdate and otherTx.timestamp > mindate RETURN term.tid AS terminal,mindate,maxdate, 100 * ct / COUNT(DISTINCT otherTx.cardno) AS impact, (maxdate - mindate)/(24*3600000) as timewindow ORDER BY impact DESC, timewindow DESC Query: Fraud origination at terminal level
  24. 24. MATCH (term:Terminal)<-[:IN_TERMINAL]-(t)-[n:NEXT*]->(:FraudTx) WITH term , count(distinct t.cardno) as ct, min(t.timestamp) as mindate, max(t.timestamp) as maxdate WHERE ct > 1 MATCH (term)<-[:IN_TERMINAL]-(otherTx) WHERE otherTx.timestamp < maxdate and otherTx.timestamp > mindate RETURN term.tid AS terminal,mindate,maxdate, 100 * ct / COUNT(DISTINCT otherTx.cardno) AS impact, (maxdate - mindate)/(24*3600000) as timewindow ORDER BY impact DESC, timewindow DESC Query: Fraud origination at terminal level
  25. 25. Query: Fraud origination at terminal level
  26. 26. WITH { tid : '2373743-7', from: 1487340089000, to: 1488039852000 } AS compTerm MATCH (term:Terminal { tid: compTerm.tid} )<-[:IN_TERMINAL]-(t) WHERE NOT (t)-[:NEXT*]->(:FraudTx) AND t.timestamp > compTerm.from AND t.timestamp < compTerm.to RETURN distinct t.cardno AS cardAtRisk Query: Proactive prevention
  27. 27. WITH { tid : '2373743-7', from: 1487340089000, to: 1488039852000 } AS compTerm MATCH (term:Terminal { tid: compTerm.tid} )<-[:IN_TERMINAL]-(t) WHERE NOT (t)-[:NEXT*]->(:FraudTx) AND t.timestamp > compTerm.from AND t.timestamp < compTerm.to RETURN distinct t.cardno AS cardAtRisk Query: Proactive prevention
  28. 28. WITH { tid : '2373743-7', from: 1487340089000, to: 1488039852000 } AS compTerm MATCH (term:Terminal { tid: compTerm.tid} )<-[:IN_TERMINAL]-(t) WHERE NOT (t)-[:NEXT*]->(:FraudTx) AND t.timestamp > compTerm.from AND t.timestamp < compTerm.to RETURN distinct t.cardno AS cardAtRisk Query: Proactive prevention
  29. 29. Query: Proactive prevention
  30. 30. Why graph native matters DB#1 1027910 nodes 4017217 relationships 10044420 properties DB#2 509451186 nodes 1008977685 relationships 3551517114 properties Fraud origination at terminal level 93ms 104 ms Fraud origination at merchant level 102ms 116 ms Proactive prevention 11ms 12 ms
  31. 31. Example: Credit card fraud origination and assessment of potential impact
  32. 32. Three takeaways Graph thinking Graph native matters Graphs rock! Enjoy the rest of the day!
  33. 33. Thank you

×