SAS and CFMS IntegrationSAS and CFMS IntegrationAttacking Fraud in Next Generation Networks
<CPQ Speaker> and <SAS Speaker>Firenze, May 29th 2001
TopicsTopicsTopicsBusiness Case JustificationWe will present:
– the CFMS product– the SAS Enterprise Miner Product
We will describe:– the integration architecture– the pilot project done
We will analyze:– the results achieved and the business advantages of this
integrationSummary
What is Changing ?What is Changing ?What is Changing ?
Networks– Voice/Data – Packet vs. circuit switched
VoIP, GPRS, UMTS– Call records vs. events
Fraud not just time anymore– Quality of service, content,
bandwidth, bits, servicesWorkload
– More users Volume– More services Volume– More events Volume
What is changing?What is changing?What is changing?The sophistication of technology available to help manage fraud
– More real-time response capabilitiesUse of network transaction data (EDR), not just CDRsRespond during call set-up for call control
– More advanced tools for analysisManual, semi-automated, fully automated optionsImprove accuracy & Improve system tuning
The pressure to control Fraud Department costs & streamline operations
CFMS ArchitectureCFMS Architecture
CFMS Product HistoryCFMS Product HistoryCFMS Product History
Compaq developed CFMS in partnership with GTE as a fraud solution for the wireless industry Compaq delivered first CFMS installation Jan. 1994Introduced convergent version:
– added features for fixed line networks as well as enhancements for wireless
“Plug-in” architecture introducedCFMS V7.0 supports data networks including GPRS and UMTS events
1993
1994
20002001
1998
USA
USA
SpainNorway
Sweden
Italy
Thailand
South Korea
Malaysia
Taiwan
Czech Republic
Brasil
India Malaysia
Brasil
Italy
BrasilBrasil
Denmark
Brasil
Taiwan
BrasilChile
Italy
ColombiaEcuador
Spain
Canada
TurkeyOur customersOur customersOur customers
Peru
Events
Detection
Alarms
AnalysisCases
Two Steps Data ReductionTwo Steps Data ReductionTwo Steps Data Reduction
Millions Thousands Hundreds
CFMS System OverviewCFMS System OverviewCFMS System Overview
DETECTION
PatternsHot listsSmart thresholdsCollision & velocity
EventsEventsEvents
SubscriberInformationSubscriberInformation
AlarmsAlarmsAlarms
ANALYSIS
Expert systemsNeural networksConfidence levelsIndividual profiles
CustomerProfile
CustomerProfile
UsageProfileUsageProfile
FraudRulesFraudRules
ExternalAlarms
ExternalAlarms
CasesCasesCases ActionsActionsActions
LINKANALYSISEvent
ArchiveEvent
ArchiveCase
ArchiveCase
Archive
Detection EngineDetection Engine
Types of Detection (Alarm generation)Types of Detection Types of Detection (Alarm generation)(Alarm generation)
Call Pattern Detection
Velocity
Collision
High Fraud-Risk Destinations
Subscriber authorization
Black List Checking
StartTime A10:05
EndTime A10:39
StartTime B10:25
EndTime B10:53
10:00
10:15 10:30 10:45 11:00
Call A
Call B
Collision
**Sacramento, Ca10:30 AM EST
New York City11:45 AM EST
?=
Thresholds for operator-defined categoriesExamples might include:
– International (IDD) calls– Long Distance/Toll calls– Premium-rate service– Call forwarded/3-way calls– Operator-assisted calls– Wireless Home/Roam calls
Types of Detection --Smart ThresholdsTypes of Detection Types of Detection ----Smart ThresholdsSmart Thresholds
Time of Day Per Day WeekTotalcall count
Total Duration
Premium ratecharges
Total Charges
Per Call
N/A
InternationalDuration
Internationalcall count
Month
N/A
Sample Usage Matrix --For Service Profiles, Groups, and UsageSample Usage Matrix Sample Usage Matrix ----For Service Profiles, Groups, and UsageFor Service Profiles, Groups, and Usage
Support for Next Generation NetworksSupport for Next Generation NetworksSupport for Next Generation NetworksCFMS V7.0 data model supports these new technologies (e.g., VoIP, GPRS, UMTS)Call/Transaction records include additional data fields
– Originating and Destination IP addresses (IPv4 & IPv6)– QoS– Access Point Name (GPRS)– Fields to track packets, bits, bandwidth, etc. – Additional (16) numeric and string installation-defined
fields
SAS EM ArchitectureSAS EM Architecture
The Integrated SAS SolutionThe Integrated SAS SolutionThe Integrated SAS Solution
TransformData into
Information
Act on Information
BusinessQuestion
Data WarehouseDBMS
Data MiningProcessing
EIS, BusinessReporting,
OLAP
Identify Problem
MeasureResults
Enterprise Miner ArchitectureEnterprise Miner ArchitectureEnterprise Miner ArchitectureData Input
SAS File, Sampling, Training/ValidationData Preprocessing
Variable Transforms, Missing Values, OutliersExploration
Target relevance, Clustering, associationsModeling
Decision Tree, Neural Net, Regression, NNAssess&Implement
Assessment, Score & C-Score, User Defined
Process Flow DiagramsProcess Flow DiagramsProcess Flow Diagrams
CFMS and SAS EMCFMS and SAS EM
Goals of the IntegrationGoals of the IntegrationGoals of the IntegrationComplement CFMS real-time detection capabilities with data mining techniques, in order to
– Improve the ‘hit-rate’ of cases presented to the experts for final analysis
– Provide insight on new fraud types– Generate new rules for very particular situations
CFMS and SAS Miner AdvantagesCFMS and SAS Miner AdvantagesCFMS and SAS Miner AdvantagesAlarm Analysis Rules
– set thresholds based on the result of the data mining step Scoring Modules
– reduce the number of false positives, based also on fraudsters demographic information
Pattern Discovery– find patterns for known fraud
Natural groups– use clustering algorithms to discover groups based on
usage
CFMS and SAS IntegrationCFMS and SAS IntegrationCFMS and SAS Integration
CFMSCFMS
CFMS Case Archive
SAS EMSAS EM
True64 Unix
True64 Unix
SAS Internal Data Model
NT Server
DetectionDB
SubscriberUsage Data
ValidatedCase Data
Manual/AutomaticFeedback
Describe the PilotDescribe the PilotDescribe the Pilot
Input data from Oracle DB: Service, CDR, Alarm, CasesAggregation of Alarm & CDR tables by caseJoining of tables
– 1 record per case– 100+ variables– 4000 cases, incl. 450 fraud
exploratory & predictive analysis
Techniques UsedTechniques UsedTechniques UsedData preprocessing: filter outliers, transform variables, replace missing valuesExploratory: potential variables relating to fraudpredictive analysis for fraudpredictive analysis for alarmsclustering of customersprofiling customer segmentshierarchical clustering of call destinationsassessing solution impact
Results: Identifying Fraud CasesResults: Identifying Fraud CasesResults: Identifying Fraud Cases
Fraud Prediction– Start with app. 6% fraud rate– Data Mining: increase to app. 37%
Alarm ThresholdsClustering of Customers
– Clusters– Profile Tree
Clustering of Risk Countries
Fraud Classification ResultsFraud Classification ResultsFraud Classification Results
Fraud Prediction Lift ChartFraud Prediction Lift ChartFraud Prediction Lift Chart
Fraud Prediction RulesFraud Prediction RulesFraud Prediction Rules
IF 0.0845238095 <= number alarms per active daysTHEN N: 158 1: 25.9% 0: 74.1%
IF _8019 < 0.5 AND OCCUR < 13.5 AND number alarms per active days < 0.0845238095THEN N: 915 1: 1.4% 0: 98.6%
Alarm ThresholdsAlarm ThresholdsAlarm Thresholds
Customer ClustersCustomer ClustersCustomer Clusters
CLUSTER
Frequencyof Cluster duration charge AvgChargePer
DaysAvgF_chargePer
Call
avg_daily_internatio
nal
f_calls/active days
number alarmsper active days
NoFraud
= 1
1 405 53195 520452 44074 12164 128526 0.103 0.029 12 1224 43061 484121 223637 21978 145160 0.051 0.039 13 123 19278 324486 217643 25330 169619 0.178 0.164 04 958 11593 188943 124426 14774 122997 0.101 0.067 15 79 27874 1537991 959752 33893 280454 0.106 0.042 1
Profile Tree for Customer ClustersProfile Tree for Customer Profile Tree for Customer ClustersClusters
Clustering of Risk CountriesClustering of Risk CountriesClustering of Risk Countries
Future ActivitiesFuture ActivitiesFuture ActivitiesExtend scope
– analyze more data (parameters thresholds)– Use customer segments as rating basis– include destination risks in analysis
Improve performance– define additional transformed variables, ratios
Interfaces to data & users– tighter integration with database– flagging of cases
SummarySummarySummaryWe believe we have proven that this solution:
– successfully combines data mining & expert systems:
expert system provides operational structure for data miningmining enhances knowledge rules
– finds new segments, thresholds, interactions, value groupings based on both data and human knowledge
– achieves valuable productivity gains for analysts
Thank you for your time!