fraud, waste, and abuse use case · fraud, waste, and abuse -government employees, contractors, and...
TRANSCRIPT
Acknowledgements
Many people and organizations contributed to this use case. In particular we would like to thank:
• Bill Niehaus at NetOwl
• Joe Jubinski at MITRE
• Ransom Winder at MITRE
Use Cases
Fraud, Waste, and Abuse - Government employees, contractors, and citizens receive reimbursements for travel from federal agencies each year. Was there a requested reimbursement for a patient cancelled appointment, or a no-show appointment?
Threat Assessment - After complex geopolitical events unfold, it may be difficult to gather and visualize a complete picture of the full context. Did a terrorist group have other simultaneous activity?
Cyber Forensics - Cyber attacks are numerous, sudden, and require a speedy reaction time. Who perpetrated the attack? What is the extent of the damage?
reservists in connection with a scheme that amounted to $870,000 in fraudulent expenses being filed between August 2007 and September 2009
https://www.irs.gov/pub/foia/ig/ci/LAFO-2013-11.pdf
“While improper payments estimates are not a measure of fraud, a lack of sufficient supporting documentation may mask the true causes of improper payments—including fraud.
When payments lack the appropriate supporting documentation, their validity cannot be determined. It is possible that these payments were for valid purposes, but it is also possible that the lack of documentation could conceal fraudulent activities.” (GAO-17-631T, Report and testimony before the Committee on the Budget, U.S. Senate, May 2017)
Travel Voucher Process
Sources of Documentation
Beneficiary Level
• paper/electronic claim for reimbursement of travel
• travel/claims history (address verification)
• 3rd party entity validation (SSN, name, address, phone)
• travel/transportation receipts
Claimant Level
• Electronic Funds Transfer
• Entity validation (name, address, phone)
Services/Other Level
• transportation services
• services offered by nearby facilities, hours of operation
• relationships (i.e., subordinate approves travel vouchers for superior)
AE’s Ontology Details
Stored in Web Ontology Language (OWL)
Upper/Mid Levels use Suggested Upper Merged Ontology (SUMO)
Domain Level is AE specific
Superstructure crosses use cases
• Only subsets of the overall ontology are relevant (and necessary) to each use case
Example entities (upper-level ontology)
• Agent, Artifact, Identifier
Example entities (mid-level ontology)
• Human, Organization, Building, Addresses, etc.
Example domain entities (domain ontology)
• ContentBearingObject → Text → Voucher
[Figure: ontology layers labelled SUMO, SUMO, AE Specific]
Analysis Tool to Analysis Tool
[Figure: diagram labelled API, API, Exchange Format]
Fraud Use Case Overview
Scenarios for Analysis
Analytics using SAS Visual Statistics: Explore and prepare data, interactively create and refine descriptive and predictive models.
• Outlier detection using peer group analysis of expense estimates given same geographic location for traveling from and to same facilities of care
• Peer group “type of care” destination facility likelihood given to and from distances, contrasted with closest facility of care
• Probability estimates of expense amount given claimed distances (i.e., probability is low when mileage is low and much higher when mileage implies an overnight stay or toll based upon ESRI routing)
• Likelihood estimates of treatment facilities
• Weighted estimates of risk given one or more indicators of risk from Thomson Reuters data enrichment.
• Outlier detection using anomaly detection
Analyst Notebook: Initial view
• Typical Link Analysis “haystack”
• Highlighted trips in purple that bypassed nearer treatment facilities (based on SAS score)
• Highlighted trips in orange that had unexpected tolls (based on SAS score)
• Highlighted individuals with suspect SSNs in brown (based on SAS score)
[Figure label: Suspect SSNs]
Analyst Notebook: Focus on Individuals with Suspect SSN
Individuals all using same SSN, significant amount of suspect tolls and bypassing nearer facilities
ANB heat map analysis identified additional suspect SSNs (SSN linked to more than one person)….
Analyst Notebook: Extended network of suspect travel vouchers
Same home address shared by 20 individuals
Joseph Robb appears to be connection between this address and original group of suspect SSNs
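The peer-group outlier scenario and the "SSN linked to more than one person" finding described in these slides, as an added Python example that is not from the original deck (which used SAS Visual Statistics and Analyst Notebook). The voucher records, tuple layout, modified z-score method, and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample vouchers (not real data):
# (voucher id, SSN, claimant name, origin ZIP, destination facility, claimed USD)
VOUCHERS = [
    ("V1", "900-00-0001", "A. Rivera", "20001", "FAC-A", 42.0),
    ("V2", "900-00-0002", "B. Chen",   "20001", "FAC-A", 40.5),
    ("V3", "900-00-0003", "C. Okoye",  "20001", "FAC-A", 43.0),
    ("V4", "900-00-0004", "D. Patel",  "20001", "FAC-A", 41.0),
    ("V5", "900-00-0005", "E. Novak",  "20001", "FAC-A", 118.0),  # far above peers
    ("V6", "900-00-0005", "F. Silva",  "20002", "FAC-B", 60.0),   # SSN reused under another name
    ("V7", "900-00-0006", "G. Haddad", "20002", "FAC-B", 61.0),
]

def peer_group_outliers(vouchers, threshold=3.5, min_peers=4):
    """Flag vouchers far from the median claim of their origin/facility peer group."""
    groups = defaultdict(list)
    for v in vouchers:
        groups[(v[3], v[4])].append(v)
    flagged = {}
    for peers in groups.values():
        if len(peers) < min_peers:      # too few peers for a meaningful baseline
            continue
        amounts = [p[5] for p in peers]
        med = median(amounts)
        mad = median(abs(a - med) for a in amounts)  # median absolute deviation
        if mad == 0:                    # most peers claim the same amount: flag any that differ
            flagged.update({p[0]: float("inf") for p in peers if p[5] != med})
            continue
        for p in peers:
            score = 0.6745 * abs(p[5] - med) / mad   # modified z-score, robust to the outlier itself
            if score > threshold:
                flagged[p[0]] = round(score, 2)
    return flagged

def shared_ssns(vouchers):
    """Return SSNs that appear under more than one claimant name."""
    names = defaultdict(set)
    for v in vouchers:
        names[v[1]].add(v[2])
    return {ssn: sorted(n) for ssn, n in names.items() if len(n) > 1}

if __name__ == "__main__":
    print(peer_group_outliers(VOUCHERS))
    print(shared_ssns(VOUCHERS))
```

Using the median and MAD rather than mean and standard deviation keeps a single inflated claim from widening its own peer baseline; a flagged voucher is a lead for analyst review, not a finding of fraud.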
THANK YOU!