The explosion of telecommunications and computer networks has revolutionized the ways in which information is disseminated and shared. At any given time, massive amounts of information are exchanged electronically by millions of individuals worldwide using these networks not only for communicating but also for engaging in a wide variety of business transactions, including shopping, auctioning, financial trading, among others. While these networks provide unparalleled benefits to users, they also facilitate unlawful activity by providing a vast, inexpensive, and potentially anonymous way for accessing and distributing fraudulent information, as well as for breaching the network security through network intrusion.
Each of the millions of individuals exchanging information on these networks is a potential victim of network intrusion and electronic fraud. Network intrusion occurs whenever there is a breach of network security for the purposes of illegally extracting information from the network, spreading computer viruses and worms, and attacking various services provided in the network. Electronic fraud occurs whenever information that is conveyed electronically is either misrepresented or illegally intercepted for fraudulent purposes. The information may be intercepted during its transfer over the network, or it may be illegally accessed from various information databases maintained by merchants, suppliers, or consumers conducting business electronically. These databases usually store sensitive and vulnerable information exchanged in electronic business transactions, such as credit card numbers, personal identification numbers, and billing records.
Today, examples of network intrusion and electronic fraud abound in virtually every business with an electronic presence. For example, the financial services industry is subject to credit card fraud and money laundering, the telecommunications industry is subject to cellular phone fraud, and the health care industry is subject to the misrepresentation of medical claims. All of these industries are subject to network intrusion attacks. Business losses due to electronic fraud and network intrusion have been escalating significantly since the Internet and the World Wide Web (hereinafter “the web”) have become the preferred medium for business transactions for many merchants, suppliers, and consumers. Conservative estimates foresee losses in web-based business transactions to be in the billion-dollar range.
When business transactions are conducted on the web, merchants and suppliers provide consumers an interactive “web site” that typically displays information about products and contains forms that may be used by consumers and other merchants for purchasing the products and entering sensitive financial information required for the purchase. The web site is accessed by users by means of “web browser software”, such as Internet Explorer, available from Microsoft Corporation, of Redmond, Wash., that is installed on the users' computer.
Under the control of a user, the web browser software establishes a connection over the Internet between the user's computer and a “web server”. A web server consists of one or more machines running special purpose software for serving the web site, and maintains a database for storing the information displayed and collected on the web page. The connection between the user's computer and the server is used to transfer any sensitive information displayed or entered in the web site between the user's computer and the web server. It is during this transfer that most fraudulent activities on the Internet occur.
To address the need to prevent and detect network intrusion and electronic fraud, a variety of new technologies have been developed. Technologies for detecting and preventing network intrusion involve anomaly detection systems and signature detection systems.
Anomaly detection systems detect network intrusion by looking for user's or system's activity that does not correspond to a normal activity profile measured for the network and for the computers in the network. The activity profile is formed based on a number of statistics collected in the network, including CPU utilization, disk and file activity, user logins, TCP/IP log files, among others. The statistics must be continually updated to reflect the current state of the network. The systems may employ neural networks, data mining, agents, or expert systems to construct the activity profile. Examples of anomaly detection systems include the Computer Misuse Detection System (CMDS), developed by Science Applications International. Corporation, of San Diego, Calif., and the Intrusion Detection Expert System (IDES), developed by SRI International, of Menlo Park, Calif.
With networks rapidly expanding, it becomes extremely difficult to track all the statistics required to build a normal activity profile. In addition, anomaly detection systems tend to generate a high number of false alarms, causing some users in the network that do not fit the normal activity profile to be wrongly suspected of network intrusion. Sophisticated attackers may also generate enough traffic so that it looks “normal” when in reality it is used as a disguise for later network intrusion.
Another way to detect network intrusion involves the use of signature detection systems that look for activity that corresponds to known intrusion techniques, referred to as signatures, or system vulnerabilities. Instead of trying to match user's activity to a normal activity profile like the anomaly detection systems, signature detection systems attempt to match user's activity to known abnormal activity that previously resulted in an intrusion. While these systems are very effective at detecting network intrusion without generating an overwhelming number of false alarms, they must be designed to detect each possible form of intrusion and thus must be constantly updated with signatures of new attacks. In addition, many signature detection systems have narrowly defined signatures that prevent them from detecting variants of common attacks. Examples of signature detection systems include the NetProwler system, developed by Symantec, of Cupertino, Calif., and the Emerald system, developed by SRI International, of Menlo Park, Calif.
To improve the performance of network detection systems, both anomaly detection and signature detection techniques have been employed together. A system that employs both includes the Next-Generation Intrusion Detection Expert System (NIDES), developed by SRI International, of Menlo Park, Calif. The NIDES system includes a rule-based signature analysis subsystem and a statistical profile-based anomaly detection subsystem. The NIDES rule-based signature analysis subsystem employs expert rules to characterize known intrusive activity represented in activity logs, and raises alarms as matches are identified between the observed activity logs and the rule encodings. The statistical subsystem maintains historical profiles of usage per user and raises an alarm when observed activity departs from established patterns of usage for an individual. While the NIDES system has better detection rates than other purely anomaly-based or signature-based detection systems, it still suffers from a considerable number of false alarms and difficulty in updating the signatures in real-time.
Some of the techniques used by network intrusion detection systems can also be applied to detect and prevent electronic fraud. Technologies for detecting and preventing electronic fraud involve fraud scanning and verification systems, the Secure Electronic Transaction (SET) standard, and various intelligent technologies, including neural networks, data mining, multi-agents, and expert systems with case-based reasoning (CBR) and rule-based reasoning (RBR).
Fraud scanning and verification systems detect electronic fraud by comparing information transmitted by a fraudulent user against information in a number of verification databases maintained by multiple data sources, such as the United States Postal Service, financial institutions, insurance companies, telecommunications companies, among others. The verification databases store information corresponding to known cases of fraud so that when the information sent by the fraudulent user is found in the verification database, fraud is detected. An example of a fraud verification system is the iRAVES system (the Internet Real Time Address Verification Enterprise Service) developed by Intelligent Systems, Inc., of Washington, D.C.
A major drawback of these verification systems is that keeping the databases current requires the databases to be updated whenever new fraudulent activity is discovered. As a result, the fraud detection level of these systems is low since new fraudulent activities occur very often and the database gets updated only when the new fraud has already occurred and has been discovered by some other method. The verification systems simply detect electronic fraud, but cannot prevent it.
In cases of business transactions on the web involving credit card fraud, the verification systems can be used jointly with the Secure Electronic Transaction (SET) standard proposed by the leading credit card companies Visa, of Foster City, Calif., and Mastercard, of Purchase, N.Y. The SET standard provides an extra layer of protection against credit card fraud by linking credit cards with a digital signature that fulfills the same role as the physical signature used in traditional credit card transactions. Whenever a credit card transaction occurs on a web site complying with the SET standard, a digital signature is used to authenticate the identity of the credit card user.
The SET standard relies on cryptography techniques to ensure the security and confidentiality of the credit card transactions performed on the web, but it cannot guarantee that the digital signature is being misused to commit fraud. Although the SET standard reduces the costs associated with fraud and increases the level of trust on online business transactions, it does not entirely prevent fraud from occurring. Additionally, the SET standard has not been widely adopted due to its cost, computational complexity, and implementation difficulties.
To improve fraud detection rates, more sophisticated technologies such as neural networks have been used. Neural networks are designed to approximate the operation of the human brain, making them particularly useful in solving problems of identification, forecasting, planning, and data mining. A neural network can be considered as a black box that is able to predict an output pattern when it recognizes a given input pattern. The neural network must first be “trained” by having it process a large number of input patterns and showing it what output resulted from each input pattern. Once trained, the neural network is able to recognize similarities when presented with a new input pattern, resulting in a predicted output pattern. Neural networks are'able to detect similarities in inputs, even though a particular input may never have been seen previously.
There are a number of different neural network algorithms available, including feed forward, back propagation, Hopfield, Kohonen, simplified fuzzy adaptive resonance (SFAM), among others. In general, several algorithms can be applied to a particular application, but there usually is an algorithm that is better suited to some kinds of applications than others. Current fraud detection systems using neural networks generally offer one or two algorithms, with the most popular choices being feed forward and back propagation. Feed forward networks have one or more inputs that are propagated through a variable number of hidden layers or predictors, with each layer containing a variable number of neurons or nodes, until the inputs finally reach the output layer, which may also contain one or more output nodes. Feed-forward neural networks can be used for many tasks, including classification and prediction. Back propagation neural networks are feed forward networks that are traversed in both the forward (from the input to the output) and backward (from the output to the input) directions while minimizing a cost or error function that determines how well the neural network is performing with the given training set. The smaller the error and the more extensive the training, the better the neural network will perform. Examples of fraud detection systems using back propagation neural networks include Falcon™, from HNC Software, Inc., of San Diego, Calif., and PRISM, from Nestor, Inc., of Providence, R.I.
These fraud detection systems use the neural network as a predictive model to evaluate sensitive information transmitted electronically and identify potentially fraudulent activity based on learned relationships among many variables. These relationships enable the system to estimate a probability of fraud for each business transaction, so that when the probability exceeds a predetermined amount, fraud is detected. The neural network is trained with data drawn from a database containing historical data on various business transactions, resulting in the creation of a set of variables that have been empirically determined to form more effective predictors of fraud than the original historical data. Examples of such variables include customer usage pattern profiles, transaction amount, percentage of transactions during different times of day, among others.
For neural networks to be effective in detecting fraud, there must be a large database of known cases of fraud and the methods of fraud must not change rapidly. With new methods of electronic fraud appearing daily on the Internet, neural networks are not sufficient to detect or prevent fraud in real-time. In addition, the time consuming nature of the training process, the difficulty of training the neural networks to provide a high degree of accuracy, and the fact that the desired output for each input needs to be known before the training begins are often prohibiting limitations for using neural networks when fraud is either too close to normal activity or constantly shifting as the fraudulent actors adapt to changing surveillance or technology.
To improve the detection rate of fraudulent activities, fraud detection systems live adopted intelligent technologies such as data mining, multi-agents, and expert systems with case-based reasoning (CBR) and rule-based reasoning (RBR). Data mining involves the analysis of data for relationships that have not been previously discovered. For example, the use of a particular credit card to purchase gourmet cooking books on the web may reveal a correlation with the purchase by the same credit card of gourmet food items. Data mining produces several data relationships, including: (1) associations, wherein one event is correlated to another event (e.g., purchase of gourmet cooking books close to the holiday season); (2) sequences, wherein one event leads to another later event (e.g., purchase of gourmet cooking books followed by the purchase of gourmet food ingredients); (3) classification, i.e., the recognition of patterns and a resulting new organization of data (e.g., profiles of customers who make purchases of gourmet cooking books); (4) clustering, i.e., finding and visualizing groups of facts not previously known; and (5) forecasting, i.e., discovering patterns in the data that can lead to predictions about the future.
Data mining is used to detect fraud when the data being analyzed does not correspond to any expected profile of previously found relationships. In the credit card example, if the credit card is stolen and suddenly used to purchase an unexpected number of items at odd times of day that do not correspond to the previously known customer profile or cannot be predicted based on the purchase patterns, a suspicion of fraud may be raised. Data mining can be used to both detect and prevent fraud. However, data mining has the risk of generating a high number of false alarms if the predictions are not done carefully. An example of a system using data mining to detect fraud includes the ScorXPRESS system developed by Advanced Software Applications, of Pittsburgh, Pa. The system combines data mining with neural networks to quickly detect fraudulent business transactions on the web.
Another intelligent technology that can be used to detect and prevent fraud includes the multi-agent technology. An agent is a program that gathers information or performs some other service without the user's immediate presence and on some regular schedule. A multi-agent technology consists of a group of agents, each one with an expertise interacting with each other to reach their goals. Each agent possesses assigned goals, behaviors, attributes, and a partial representation of their environment. Typically, the agents behave according to their assigned goals, but also according to their observations, acquired knowledge, and interactions with other agents. Multi-agents are self-adaptive, make effective changes at run-time, and react to new and unknown events and conditions as they arise.
These capabilities make multi-agents well suited for detecting electronic fraud. For example, multi-agents can be associated with a database of credit card numbers to classify and act on incoming credit card numbers from new electronic business transactions. The agents can be used to compare the latest transaction of the credit card number with its historical information (if any) on the database, to form credit card users' profiles, and to detect abnormal behavior of a particular credit card user. Multi-agents have also been applied to detect fraud in personal communication systems (A Multi-Agent Systems Approach for Fraud Detection in Personal Communication Systems, S. Abu-Hakima, M. Toloo, and T. White, AAAI-97 Workshop), as well as to detect network intrusion. The main problem with using multi-agents for detecting and preventing electronic fraud and network intrusion is that they are usually asynchronous, making it difficult to establish how the different agents are going to interact with each other in a timely manner.
In addition to neural networks, data mining, and multi-agents, expert systems have also been used to detect electronic fraud. An expert system is a computer program that simulates the judgement and behavior of a human or an organization that has expert knowledge and experience in a particular field. Typically, such a system employs rule-based reasoning (RBR) and/or case-based reasoning (CBR) to reach a solution to a problem. Rule-based systems use a set of “if-then” rules to solve the problem, while case-based systems solve the problem by relying on a set of known problems or cases solved in the past. In general, case-based systems are more efficient than rule-based systems for problems involving large data sets because case-based systems search the space of what already has happened rather than the intractable space of what could happen. While rule-based systems are very good for capturing broad trends, case-based systems can be used to fill in the exceptions to the rules.
Both rule-based and case-based systems have been designed to detect electronic fraud. Rule-based systems have also been designed to detect network intrusion, such as the Next-Generation Intrusion Detection Expert System (NIDES), developed by SRI International, of Menlo Park, Calif. Examples of rule-based fraud detection systems include the Internet Fraud Screen (IFS) system developed by CyberSource Corporation, of Mountain View, Calif., and the FraudShield™ system, developed by ClearCommerce Corporation, of Austin, Tex. An example of a case-based fraud detection system is the Minotaur™ system, developed by Neuralt Technologies, of Hampshire, UK.
These systems combine the rule-based or case-based technologies with neural networks to assign fraud risk scores to a given transaction. The fraud risk scores are compared to a threshold to determine whether the transaction is fraudulent or not. The main disadvantage of these systems is that their fraud detection rates are highly dependent on the set of rules and cases used. To be able to identify all cases of fraud would require a prohibitive large set of rules and known cases. Moreover, these systems are not easily adaptable to new methods of fraud as the set of rules and cases can become quickly outdated with new fraud tactics.
To improve their fraud detection capability, fraud detection systems based on intelligent technologies usually combine a number of different technologies together. Since each intelligent technology is better at detecting certain types of fraud than others, combining the technologies together enables the system to cover a broader range of fraudulent transactions. As a result, higher fraud detection rates are achieved. Most often these systems combine neural networks with expert systems and/or data mining. As of today, there is no system in place that integrates neural networks, data mining, multi-agents, expert systems, and other technologies such as fuzzy logic and genetic algorithms to provide a more powerful fraud detection solution.
In addition, current fraud detection systems are not always capable of preventing fraud in real-time. These systems usually detect fraud after it has already occurred, and when they attempt to prevent fraud from occurring, they often produce false alarms. Furthermore, most of the current fraud detection systems are not self-adaptive, and require constant updates to detect new cases of fraud. Because the systems usually employ only one or two intelligent technologies that are targeted for detecting only specific cases of fraud, they cannot be used across multiple industries to achieve high fraud detection rates with different types of electronic fraud. In addition, current fraud detection systems are designed specifically for detecting and preventing electronic fraud and are therefore not able to detect and prevent network intrusion as well.
In view of the foregoing drawbacks of current methods for detecting and preventing electronic fraud and network intrusion, it would be desirable to provide systems and methods for dynamic detection and prevention of electronic fraud and network intrusion that are able to detect and prevent fraud and network intrusion across multiple networks and industries.
It further would be desirable to provide systems and methods for dynamic detection and prevention of electronic fraud and network intrusion that employ an integrated set of intelligent technologies including neural networks, data mining, multi-agents, case-based reasoning, rule-based reasoning, fuzzy logic, constraint programming, and genetic algorithms.
It still further would be desirable to provide systems and methods for dynamic detection and prevention of electronic fraud and network intrusion that are self-adaptive and detect and prevent fraud and network intrusion in real-time.
It also would be desirable to provide systems and methods for dynamic detection and prevention of electronic fraud and network intrusion that are less sensitive to known or unknown different types of fraud and network intrusion attacks.
It further would be desirable to provide systems and methods for dynamic detection and prevention of electronic fraud and network intrusion that deliver a software solution to various web servers.