2. About Me
Max De Marzi
Neo4j Field Engineer
github.com/maxdemarzi
About 200 public repositories
maxdemarzi.com
@maxdemarzi
About 160 blog posts
9. Traditional Fraud Detection Methods
  1. Endpoint-Centric: Analysis of users and their end-points
  2. Navigation Centric: Analysis of navigation behavior and suspect patterns
  3. Account-Centric: Analysis of anomaly behavior by channel
PCs, Mobile Phones, IP-addresses, User IDs
Comparing Transaction Identity Vetting
10. Traditional Fraud Detection Methods
DISCRETE ANALYSIS
  1. Endpoint-Centric: Analysis of users and their end-points
  2. Navigation Centric: Analysis of navigation behavior and suspect patterns
  3. Account-Centric: Analysis of anomaly behavior by channel
Weaknesses
• Fraud rings
• Fake IP-addresses
• Hijacked devices
• Synthetic Identities
• Stolen Identities
• And more…
11. Augmented Fraud Detection
DISCRETE ANALYSIS
  1. Endpoint-Centric: Analysis of users and their end-points
  2. Navigation Centric: Analysis of navigation behavior and suspect patterns
  3. Account-Centric: Analysis of anomaly behavior by channel
CONNECTED ANALYSIS
  4. Cross Channel: Analysis of anomaly behavior correlated across channels
  5. Entity Linking: Analysis of relationships to detect organized crime and collusion
15. Subgraph Patterns
Ni: number of neighbors of a node
Ei: number of relationships in a subgraph
Wi: total “weight” of a subgraph
λw,i: largest variability of the “weights” of a subgraph
29. John and Sheila are sharing a phone number
CREATE (phone1:Phone {number:"312-876-5309"})
CREATE (john)-[:HAS_PHONE]->(phone1)
CREATE (sheila)-[:HAS_PHONE]->(phone1)
30. John and Karen are sharing an Identification Number
CREATE (ssn1:Identification {number:"000-91-7434", type:"SSN"})
CREATE (john)-[:HAS_ID]->(ssn1)
CREATE (karen)-[:HAS_ID]->(ssn1)
31. They all share the same address
CREATE (ad:Address {line1:"175 N. Harbor Drive",
  city:"Chicago", state:"IL", zip:"60601"})
CREATE (john)-[:HAS_ADDRESS]->(ad)
CREATE (karen)-[:HAS_ADDRESS]->(ad)
CREATE (sheila)-[:HAS_ADDRESS]->(ad)
35. Union Find Graph Algorithm
Finds sets where all nodes can reach all other nodes
•Fraud Detection
•Deduplication
•Entity Resolution
See “The Real Property Graph” blog post:
36. Union Find Graph Algorithm
CALL algo.unionFind.stream(
'MATCH (p:User) RETURN id(p) as id',
'MATCH (p1:User)-->()<--(p2:User)
RETURN id(p1) as source, id(p2) as target',
{graph:'cypher'}
) YIELD nodeId, setId
RETURN algo.asNode(nodeId).name AS user, setId
40. They called from the same number
MATCH (john:User {name:"John"}),
(sheila:User {name:"Sheila"})
CREATE (ani:ANI {number:"312-666-1234"})
CREATE (ani)-[:CALLED]->(john)
CREATE (ani)-[:CALLED]->(sheila)
41. They logged on using the same browser
MATCH (john:User {name:"John"}),
(robert:User {name:"Robert"})
CREATE (fg:Browser {fingerprint:"asdf7373jsdf3rw"})
CREATE (fg)-[:ACCESSED]->(john)
CREATE (fg)-[:ACCESSED]->(robert)
47. Store the results of Union Find
CALL algo.unionFind(
'MATCH (p:User) RETURN id(p) as id',
'MATCH (p1:User)--()--(p2:User)
RETURN id(p1) as source, id(p2) as target',
{graph:'cypher'}
) YIELD setCount
48. Let’s see these partitions
MATCH (n:User)
RETURN n.partition, COUNT(*) AS members,
COLLECT(n.name) AS names
ORDER BY members DESC
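What Union Find computes on the sample data from slides 29-41, as an added Python example (not code from the deck or from the Neo4j algorithms library): users who share any identifier node land in the same set, and the set grows once the caller ANI and browser fingerprint are linked in. The user Alice and the two "constructed" phone identifiers are assumptions added for contrast.

```python
# Added illustration: union-find over user -> shared-identifier links.
from collections import defaultdict

# Links from slides 29-31 (phone, SSN, address).
PII_LINKS = [
    ("John", "phone:312-876-5309"), ("Sheila", "phone:312-876-5309"),
    ("John", "ssn:000-91-7434"), ("Karen", "ssn:000-91-7434"),
    ("John", "addr:175 N. Harbor Drive"), ("Karen", "addr:175 N. Harbor Drive"),
    ("Sheila", "addr:175 N. Harbor Drive"),
    # Constructed identifiers: Robert and Alice (Alice is not in the deck).
    ("Robert", "phone:constructed-1"), ("Alice", "phone:constructed-2"),
]
# Links from slides 40-41 (caller ANI, browser fingerprint).
CHANNEL_LINKS = [
    ("John", "ani:312-666-1234"), ("Sheila", "ani:312-666-1234"),
    ("John", "browser:asdf7373jsdf3rw"), ("Robert", "browser:asdf7373jsdf3rw"),
]

def find(parent, x):
    """Return the set representative of x, compressing the path on the way."""
    parent.setdefault(x, x)
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def partitions(links):
    """Group users into sets connected through any shared identifier."""
    parent = {}
    for user, ident in links:
        ru, ri = find(parent, ("user", user)), find(parent, ("id", ident))
        if ru != ri:
            parent[ru] = ri  # union the two sets
    groups = defaultdict(set)
    for kind, name in list(parent):
        if kind == "user":
            groups[find(parent, (kind, name))].add(name)
    # Largest set first, like ORDER BY members DESC on slide 48.
    return sorted((sorted(g) for g in groups.values()),
                  key=lambda g: (-len(g), g))

if __name__ == "__main__":
    print(partitions(PII_LINKS))
    print(partitions(PII_LINKS + CHANNEL_LINKS))
```

Robert shares no phone, ID or address with the others, so he only joins the ring's set after the browser fingerprint is added as a node.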
57. Credit Card Transactions as a Graph
CREATE (john)-[:MAKES]->(tx1)
CREATE (john)-[:MAKES]->(tx2)
CREATE (john)-[:MAKES]->(tx3)
CREATE (john)-[:MAKES]->(tx4)
58. John’s Transactions last week
// The last week of John's transactions
MATCH p = (n:User {name:"John"})-[:MAKES]->(tx)
WHERE tx.date > datetime() - duration('P7D')
RETURN p
60. Credit Card Transactions as a List
MATCH (u:User)
WHERE SIZE((u)-[:PREV_TX]->()) = 0 AND SIZE((u)-[:MAKES]->()) > 0
WITH u
LIMIT 100
MATCH (u)-[r:MAKES]->(tx)
WITH u, tx ORDER BY tx.date DESC
WITH u, COLLECT(tx) AS transactions, HEAD(COLLECT(tx)) AS last
CREATE (u)-[:PREV_TX]->(last)
FOREACH (n IN RANGE(0, SIZE(transactions)-2) |
  FOREACH (next IN [transactions[n]] |
    FOREACH (prev IN [transactions[n+1]] |
      CREATE (next)-[:PREV_TX]->(prev)
)))
61. John’s Transactions last week
// The last week of John's transactions
MATCH p = (n:User {name:"John"})-[:PREV_TX*]->(tx)
WHERE NONE (tx IN tail(nodes(p))
WHERE tx.date <= datetime() - duration('P7D'))
RETURN p
68. Following the footsteps
// All the transactions marked fraudulent in the last week
// and the transactions that came before them
// up to two weeks ago.
MATCH p = (fraud:Fraudulent)-[:PREV_TX*]->(tx)
WHERE fraud.date > datetime() - duration('P7D')
AND NONE (tx IN tail(nodes(p))
WHERE tx.date <= datetime() - duration('P14D'))
RETURN p
73. Find the Suspect Merchants
// Top 5 common merchants from fraudulent transaction chains
// up to two weeks ago.
MATCH p = (fraud:Fraudulent)-[:PREV_TX*]->(tx)
WHERE fraud.date > datetime() - duration('P7D')
AND NONE (tx IN tail(nodes(p))
WHERE tx.date <= datetime() - duration('P14D'))
WITH nodes(p) AS transactions
UNWIND transactions AS tx
WITH DISTINCT tx
MATCH (tx)-[:AT_MERCHANT]->(merchant)
RETURN merchant.name, COUNT(*) AS txCount
ORDER BY txCount DESC
LIMIT 5
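The same chain walk as the queries on slides 68 and 73, as an added Python example (not code from the deck): start at each transaction flagged fraudulent in the last 7 days, follow PREV_TX back while transactions are newer than 14 days, then count merchants over the distinct transactions collected. All transaction ids, dates and merchant names are constructed.

```python
# Added illustration: common merchants on the PREV_TX chains behind recent fraud.
from collections import Counter
from datetime import datetime, timedelta

NOW = datetime(2019, 6, 15)  # constructed "now" so the result is repeatable

def d(days_ago):
    return NOW - timedelta(days=days_ago)

# Constructed transactions: id -> (date, merchant, fraudulent, prev_tx id).
# prev_tx stands in for the PREV_TX relationship (newer -> older).
TXS = {
    "a3": (d(1), "Electronics Hub", True, "a2"),
    "a2": (d(5), "Gas-n-Go", False, "a1"),
    "a1": (d(20), "Corner Cafe", False, None),   # older than 14 days
    "b3": (d(2), "Jewelry Box", True, "b2"),
    "b2": (d(6), "Gas-n-Go", False, "b1"),
    "b1": (d(9), "Book Nook", False, None),
    "c2": (d(10), "Toy Town", True, "c1"),       # fraud older than 7 days
    "c1": (d(12), "Gas-n-Go", False, None),
}

def suspect_merchants(txs, now, top=5):
    """Return [(merchant, txCount)] over chains behind last week's fraud."""
    seen = set()
    for tx_id, (date, _, fraudulent, prev) in txs.items():
        if not fraudulent or date <= now - timedelta(days=7):
            continue
        chain, cur = [tx_id], prev
        # Stop at the first transaction that is two weeks old or older.
        while cur is not None and txs[cur][0] > now - timedelta(days=14):
            chain.append(cur)
            cur = txs[cur][3]
        if len(chain) > 1:       # PREV_TX* needs at least one hop
            seen.update(chain)   # set membership = WITH DISTINCT tx
    counts = Counter(txs[t][1] for t in seen)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top]

if __name__ == "__main__":
    for merchant, tx_count in suspect_merchants(TXS, NOW):
        print(merchant, tx_count)
```

The merchants where the fraud itself happened each appear once; the merchant both victims visited beforehand is the one that rises to the top.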
78. [Architecture diagram; labels:]
Money Transferring, Purchases, Bank Services
Relational database
Data Lake
+ Good for Map Reduce
+ Good for Analytical Workloads
– No holistic view
– Non-operational workloads
– Weeks-to-months processes
Develop Patterns: Data Science-team
Merchant Data, Credit Score Data, Other 3rd Party Data
79. [Architecture diagram; labels:]
Money Transferring, Purchases, Bank Services
Neo4j powers 360° view of transactions in real-time
Neo4j Cluster
SENSE: Transaction stream
RESPOND: Alerts & notification
LOAD RELEVANT DATA: Relational database, Data Lake
Visualization UI
Fine Tune Patterns
Develop Patterns: Data Science-team
Merchant Data, Credit Score Data, Other 3rd Party Data
80. [Architecture diagram with the same labels as slide 79, plus:]
Data-set used to explore new insights
82. We talked about…
Finding Fraud with Graphs
Examples of different types of Fraud:
Fraud Rings
Credit Card Testing
Fraud Origination
How Neo4j Fits in an Architecture
83. Why Neo4j? Who’s using it?
Financial institutions use Neo4j to:
• Detect & prevent fraud in real-time
• Faster credit risk analysis and transactions
• Reduce chargebacks
• Quickly adapt to new methods of fraud
FINANCE, Government, Online Retail
Names redacted to protect the innocent and conceal the guilty