IEEE Third International Conference on Data Stream Mining & Processing
August 21-25, 2020, Lviv, Ukraine
Hybrid Machine Learning System for Solving
Fraud Detection Tasks
Olena Vynokurova
GeoGuard
Kharkiv, Ukraine
[email protected]
[email protected]
[email protected]
Vadim Ilyasov
GeoGuard
Kharkiv, Ukraine
[email protected]
[email protected]
[email protected]
Abstract — In parallel with technological development the
problem of fraud detection is becoming more and more
important. Increasing number of electronic transactions in
various business environments, on the one hand, and software
and technology development, on the other hand, lead to an
active increase in electronic crime. In the paper the hybrid
system of machine learning for solving tasks of anomalies
detection has been proposed. This hybrid system consists of two
subsystems – anomalies detection subsystem (based on
unsupervised learning) and the interpretation subsystem of
anomaly type (based on supervised system). The advantage of
proposed hybrid system is the high-speed data processing when
the data are fed in real time. The effectiveness of the proposed
approach was confirmed during the solution of the detecting
anomalies problem based on real data streams.
Keywords— fraud detection, anomaly detection, hybrid
system, isolation forest, random forest, transactions, machine
learning
I. INTRODUCTION
In parallel with technological development the problem of
fraud detection is becoming more and more important.
Increasing number of electronic transactions in various
business environments, on the one hand, and software and
technology development, on the other hand, lead to an active
increase in electronic crime. Authentication methods are no
longer the only way to protect against fraud. Early detection
of fraud is one of the main ways to prevent fraud. Blocking
anomalous electronic transactions in some cases is almost the
main way to avoid fraud. However, the development of
mathematical methods for detecting fraud stimulates the
skilled development of ways for concealing fraud. This leads
to the fact that the practical algorithms of fraud detection are
no longer universal.
In many cases, in order to increase the accuracy of early
identification of anomalous electronic transactions, it is
necessary to develop specialized software solutions. The
essence of specialization is to use models that are adapted to
the specifics of the company's business activities. For
example, most of the available scientific papers on detecting
fraud-related anomalies are related to credit cards.
978-1-7281-3214-3/20/$31.00 ©2020 IEEE
Authorized licensed use limited to: National Inst of Training & Indust Eng - Mumbai. Downloaded on August 12,2021 at 08:06:29 UTC from IEEE Xplore. Restrictions apply.
Dmytro Peleshko Oleksandr Bondarenko
GeoGuard GeoGuard
Lviv\Kharkiv, Ukraine Kharkiv, Ukraine
Vladislav Serzhantov Marta Peleshko
GeoGuard Lviv State University of Life Safety
Kharkiv, Ukraine Lviv, Ukraine
This means that fraud detection methods that focus on the
specific nature of input data that contain information from
electronic transactions related to credit cards. And the
resulting classification models are tightly tied to this business
domain. This specialization is not quite a disadvantage, as it
allows easy enough scaling of systems or expansion of types
of detection when new types of fraud appear.
II. RELATED WORK
Using set of rules is one of first approach for developing
fraud detection systems. This approach has been developed in
the form of knowledge base system. The most well-known
mechanisms for their implementation are expert systems [1].
Using a predefined set of rules simplifies the software
development of fraud detection systems, but in general such
systems have a number of disadvantages:
• the development of rules depends on the quality of
the examination of the business environment. This determines
the direct dependence of the effectiveness of the set of rules
on the qualifications of expert analysts who create these rules
[2].
• expanding the system of rules is costly. New experts
are needed to expand the set of rules. Therefore, the
appearance of new types of fraud leads to increased costs for
modification of software systems.
• with a significant increase in the set of rules, the
speed of the system can significantly decrease. This problem
is getting more intense when large feature vectors are used.
• in the case, when the rules use a threshold, it is very
difficult to achieve the adaptability of these values to
environmental conditions.
Another defining characteristic of rule-based systems is
the size of the rule base [1]. Small size databases occur
primarily in cases where the input data vectors have a small
dimension. Therefore, software solutions based on such
databases are characterized by high speed. But the accuracy of
these systems will again depend on experts.
In terms of support, small databases are much easier to
administer. This is another advantage of small databases.
1
 However, modern operational processes manipulate large-
scale vectors. And this fact leads to a significant increase in
the database and reduce the advantages of using rules for fraud
detection tasks.
Other methods for solving a fraud detection tasks are
statistical methods. The group of statistical methods includes
methods that are based on elements of probability theory,
mathematical statistics and data collected over a period of
time.
Using statistical methods is one of the modern main
directions of development of fraud detection methods. On the
one hand, high accuracy of anomaly detection is obtained. On
the other hand, the use of various inaccurate estimation
parameters greatly reduces the flexibility of these methods and
adaptability to changes in input data. For example, many
methods require setting thresholds. Other methods require
information on the statistical distribution of input data, etc. [3].
Today, all static methods of fraud detection can be divided
into two categories: supervised and unsupervised methods.
Both categories of these methods are united by the use of
historical data (record of observations from the past) for
effective fraud detection. The depth of this story for each
method of different categories may be different. One of the
main problems of supervised methods is the need to have sets
of labeled features at the input.
This is not always possible and therefore contributes to the
development of unsupervised methods. In the [4] authors have
used a combination of unsupervised and supervised methods
based on a self-organizing map and a neural network. Another
example of a combination is hybrid methods from [5]. In [6]
the classification of various hybrid methods is presented. This
Fig. 1. Architecting an Anomaly Detection Pipeline
This pipeline consists of two flows: training/testing flow,
which trains and tests the developed model and retrains it,
evaluation flow that processing data stream from server in real
time. The data are collected using no-sql DB Elasticsearch and
each transaction is stored in json file. Depending on the
solution type of transaction (Android, IOS, gdk (Windows and
MAC), Solus (html), Plugin (Windows and MAC)), the
different type of information about transaction can be stored
in json file.
For training/testing flow we have collected the historical
data for the dataset, which must be balanced for all type of
transactions and their combining. After that, the data are fed
Authorized licensed use limited to: National Inst of Training & Indust Eng - Mumbai. Downloaded on August 12,2021 at 08:06:29 UTC from IEEE Xplore. Restrictions apply.
classification describes a variety of combined uses of
unsupervised and supervised methods. In addition, a
significant number of comparative experiments were
conducted to assess the effectiveness of their use.
In point of view of the development and operation of
software systems for fraud detection, machine learning
methods have three main advantages:
1. An increase of the electronic transactions number
usually leads to an increase in the accuracy of fraud detection
models.
2. The dimensions of modern data sets make it
impossible to analyze them without automation. Machine
learning methods significantly simplify and increase the
processing speed of large data sets.
3. The use of machine learning methods makes it
possible to detect hidden dependencies. This is important to
improve the accuracy of the systems and to increase the
resistance of the system to the emergence of new types of
fraud.
As the analysis of scientific results shows that among the
most popular methods for Fraud Detection are Logistic
regression, Random Forests and Support Vector Machines [7,
8]. It should be noted that [7] shows the efficiency of
classification of anomalies using SVM. And in [8] the
effectiveness of anomaly detection using Random Forests.
III. ANOMALY DETECTION HYBRID ARCHITECTURE
FOR FRAUD DETECTION PROBLEMS
For solving task of fraud detection the pipline for real-time
anomality detection is proposed.
to the stage of feature embedding, which is the most time-
consuming, at this stage is cleaning, normalizing and
embedding data. At this stage, the final training and testing
dataset for the developed model is formed.
The next stage is the development of an anomaly detector
model and a system for interpreting anomalies type. Then the
model is trained and tested and after that we get a ready model
for use on the evaluation flow.
The evaluation flow consists of capturing the data stream
from the server and forwarding it to the feature engineering
stage. Based on the developed embedding methods on the
 training / testing flow, a dataset is obtained which is fed to the
deployed model. After that the calculation of transaction
scoring and making decision are performed.
Feature Engineering stage is the most time-consuming. It
consists of the selecting field from database, the correlation
analysis, the cleaning and preprocessing data and features
embedding. Based on correlation analysis we select 64 fields
for building dataset. Furthermore, we have to fill gaps in data.
Since each transaction may have different filled fields in the
connection with solution type. It is necessary to fill in all gaps
based on machine learning methods or expert analysis of each
field. It is important because quality of filling gaps affects
accuracy of anomaly detection. And, also, we need to
normalize and code numeric type data. The next stage of
feature engineering is Categorical Data Embedding. Among
the analyzed fields, 70% of fields are categorical variables.
Different fields require different encoding, or the combination
and encoding of several features together. We used: Label
Encoding, One Hot Encoding, Embedding Vector, Binary
Encoding, Hashing, Сrosstab, Frequency Encoding and some
modified methods.
The current version of the anomaly detector model is
based on data from 64 fields of database. These fields describe
the id of users and devices; the information about geolocation
of the users and devices, which perform this transaction the
history of transactions; the information about connection type
(gsm, gps, wifi, ip); the information about running process and
Fig. 2. General architecture of model
Fig. 3. Detailed architecture of deployed model
Nowadays there are a lot of methods for anomaly
detection, the Robust Covariance method [9], One-class SVM
Authorized licensed use limited to: National Inst of Training & Indust Eng - Mumbai. Downloaded on August 12,2021 at 08:06:29 UTC from IEEE Xplore. Restrictions apply.
software on the devices that can be rooted; spoofed
information about users and their location and etc.
Based on these fields and its combination 41 features is
developed
x ( k ) = { x1 ( k ), x2 ( k ),  , xn ( k )}
(1)
where x ( k ) is transaction, xi (k ) , i = 1 n are features (in
our case n=41), k is real time.
This set of features forms the training and testing dataset.
On the case study stage, it was determined that the solution
of the problem of fraud detection involves the need not only
to determine anomalous transactions, but also to interpret why
the transaction was failed. All existing methods of detection
anomalies solve only the first problem. Thus, it is necessary to
develop a hybrid model that could solve the problem of fraud
detection and interpretation of the transaction anomaly type.
Proposed approach in the paper involves the use of two
sequential models as entities to solve the problem of fraud
detection. The first model is a binary classifier that solves the
‘fraud’ or ‘non-fraud’ problem. The next model is a multi-
class classifier that defines the ‘fraud’ type. The general
architecture is shown in fig. 2 and a more detailed architecture
of the deployed model are shown in Fig. 3.
method [10], Local Outlier Factor method [11], KNN method
[12] and Isolation Forest [13] have been investigated, and for
 developing model of anomaly detector we have selected of node j , • rj is child node from right split on node j , • lj is
Isolation Forest. Among the different anomaly detection child node from left split on node j .
algorithms, Isolation Forest is one with unique capabilities. It
is a model free algorithm that is computationally efficient, can The importance for each feature on a decision tree is
easily be adapted for use with parallel computing paradigms, obtained in the form:
and has been proven to be highly effective in detecting
anomalies. In our case, it gave best accuracy among others.
n im
j
Thus, the vector x ( k ) = { x1 ( k ), x2 ( k ),  , xn ( k )} from the f i im =
j
(4)
constructed dataset is fed to generate an isolation tree. x is 
k ∈all nodes
nkim
recursively separated by randomly selecting a feature and a
random value of this feature between min( xq ) and max( xq )
where f i im is the importance of feature i , nim
j is the
the values of the selected feature and so on until the tree is
constructed. Thus, we get an isolation tree which is a proper importance of node j .
binary tree, where each node in the tree has exactly zero or
After that these features importance are normalized using
two daughter nodes.
expression
The task of detecting anomalies is to provide a rating of
transactions that reflects the degree of their anomaly. Thus, f i im
one way to detect an anomalous transaction is to sort the f i im = . (5)
transactions according to their length or anomaly scores; and 
j∈all features
f jim
anomalies are transactions that will be at the top of the list.
The path length and anomaly estimate are determined by the
algorithm proposed in [13]. The final feature importance, at the Random Forest level,
is its average over all the trees. The sum of the feature’s
In the case of Isolation Forest, anomaly score is defined importance value on each tree is calculated and divided by the
as: total number of trees:

E ( p ( x ))
− fijim
s ( x, l ) = 2 m (l )
(2)
where p ( x ) is the path length of observation x , m (l ) is the
average path length of unsuccessful search in a Binary Search
Tree and l is the number of external nodes. More on the
anomaly score and its components can be read in [13].
Each observation is given an anomaly score and the
following decision can be made on its basis:
• a score close to 1 indicates anomalous
transactions;
• score much smaller than 0.5 indicates normal
transactions;
• if all scores are close to 0.5 then the entire sample
does not seem to have clearly distinct anomalous
transactions
The random forest method [14] was chosen to develop an
interpreter model of the fraud detection hybrid system. The
interpreter model provides an explanation to the provider-
companies, why the transaction was determined as abnormal.
Because the system under development may have situations
where several types of anomalies can be present in a single
transaction, the use of random forest-based methods is a
priority.
For each decision tree, Scikit-learn calculates a nodes
importance using Gini Importance, assuming only two child
nodes (binary tree):
n im r r l l
j = w j U j − w j U j − w jU j
(3)
where n imj is the importance of node j , w j is weighted
number of samples reaching node j , U j is the impurity value

RFi im =
j∈all trees
(5)
Tr
where RFi im is the importance of feature i calculated from
all trees in the Random Forest model, f ijim is the normalized
feature importance for i in tree j , Tr is total number of
trees.
Anomalous transactions and borderline transactions that
have been detected by the anomaly detector model are fed to
the interpreter model. Cross validation has used for tuning
hyperparameters of interpreter model. Therefore, we have a
cascade of classifiers which in general presents the proposed
anomaly detector model.
IV. EXPERIMENTS
The proposed hybrid system was developed to solve the
problem of detecting anomalies in the geolocation of users
during transactions (GPS spoofing, Wi-Fi spoofing, location
jumping, etc.). Experimental studies were conducted on the
DB of GeoGuard company.
The specific feature of the system is that the decision
cannot be made at the level of an anomaly, the type of
anomaly must be explained to justify the decision.
The input vector consisted of 41 features based on
information collected in the no-sql Elasticsearch database in
json form for each transaction. Transaction information
depends on the type of user's operating system (Android, IOS,
MacOs, Windows) and consists of fields describing user
geolocation when executing transaction from gsm, gps, wi-fi
sources types and fields describing user's device. Frequency
of transaction appearance in the environment is 800
transactions per 1 minute.

Authorized licensed use limited to: National Inst of Training & Indust Eng - Mumbai. Downloaded on August 12,2021 at 08:06:29 UTC from IEEE Xplore. Restrictions apply.
 Training dataset consists of about 90 000 samples, REFERENCES
number of trees was 300 trees for anomaly detection model [1] N.F. Ryman-Tubb, P. Krause, and W. Garn. “How Artificial
and 500 trees for interpreter model. Intelligence and machine learning research impacts payment card fraud
Table I shows the results of detection and accuracy of detection: A survey and industry benchmark,” Engineering
Applications of Artificial Intelligence, no. 76, pp. 130–157, 2018.
interpretation of proposed hybrid machine learning system.
[2] R. P. Dazeley, “To The Knowledge Frontier and Beyond: A Hybrid
System for Incremental Contextual- Learning and Prudence Analysis,”
TABLE I. THE RESULTS OF ANOMALIES DETECTION AND THEIR PhD thesis, University of Tasmania, 2006
INTERPRETATION
http://https://eprints.utas.edu.au/8173
Accuracy, % [3] A. Patcha, and J. M. Park, “An overview of anomaly detection
Solution techniques: Existing solutions and latest technological trends,”
Training Testing Classification & Computer Networks, vol. 51(12), pp. 3448–3470, 2007.
Detector Detector Interpreter
[4] J. T. Quah, and M. Sriganesh “Real-time credit card fraud detection
all solution 91 90 90 using computational intelligence,” Expert Systems with Applications,
ios 91 90 95 vol. 35 (4), pp. 1721–1732, 2008.
[5] Y. Moreau, E. Lerouge, H. Verrelst, C. Stormann, P. Burge, and K. U.
android 92 90 95 Leuven, “A hybrid system for fraud detection in mobile
plugin communications,” Neural Networks, pp. 447–454, April 1999.
(Windows+ 99 96 99 [6] C. Phua, V. Lee, K. Smith, and R. Gayler, “A Comprehensive Survey
MacOs) of Data Mining-based Fraud Detection Research.” DOI:
gdk 10.1016/j.chb.2012.01.002. Arxiv:1009.6119., 2010.
(Windows+ 97 96 98 [7] S. Bhattacharyya, S. Jha, K. Tharakunnel, and J. C. Westland. “Data
MacOs) mining for credit card fraud: A comparative study,” Decision Support
Systems, vol. 50 (3), pp. 602–613, 2011.
The results show that the anomaly detection on each [8] D. Meyer, F. Leisch, K. Hornik. “The support vector machine under
individual solution is more accurate than when all solutions test,” Neurocomputing, vol. 55 (12), pp. 169 –186, 2003.
are combined into one dataset. The specificity of the system [9] P. J. Rousseeuw and M. Hubert, “Anomaly Detection by Robust
Statistics” arXiv:1707.09752v2 [stat.ML] 14 Oct 2017
is the need to balance the dataset, in which all known
[10] R. Zhang, Sh. Zhang, S. Muthuraman, and J. Jiang. “One Class Support
anomalies on each operating system must be presented. It is Vector Machine for Anomaly Detection in the Communication
also a feature of the system that multiple anomalies may be Network Performance Data,” In: 5th WSEAS Int. Conference on
present in a transaction at the same time, which complicates Applied Electromagnetics, Wireless and Optical Communications,
the process of interpretation. 2007.
[11] M. M. Breunig, H.-P. Kriegel, R. T. Ng, J. Sander, “LOF: Identifying
V. CONCLUSION Density-Based Local Outliers” in Proc. ACM SIGMOD 2000 Int.
Conf. On Management of Data, Dalles, TX, 2000
In the paper a hybrid system of machine learning for [12] Y. Djenouri, A. Belhadi, J. C. Lin and A. Cano, "Adapted K-Nearest
solving problems of anomaly detection is proposed. Such Neighbors for Detecting Anomalies on Spatio–Temporal Traffic
hybrid system consists of two subsystems - subsystem of Flow," in IEEE Access, vol. 7, pp. 10015-10027, 2019. doi:
anomaly detection and subsystem of anomaly type 10.1109/ACCESS.2019.2891933
interpretation (classification), which are based on a cascade of [13] T.L. Fei, M. T. Kai, Z. Zhi-Hua, “Isolation Forest,” in Proceedings of
the 2008 Eighth IEEE International Conference on Data Mining, pp.
decision trees with supervised and unsupervised learning. The 413–422, December 2008, https://doi.org/10.1109/ICDM.2008.17
advantage of the hybrid system is the speed of processing the
[14] L. Breima. “Random Forests. Machine Learning”, v. 45 (1), pp. 5–32,
data that are fed in real time. The effectiveness of the proposed 2010, doi:10.1023/A:1010933404324
approach has been confirmed in solving the practical problem
of detecting anomalies in user geolocation during transactions
execution (GPS spoofing, Wi-Fi spoofing, location jumping,
etc.).

Authorized licensed use limited to: National Inst of Training & Indust Eng - Mumbai. Downloaded on August 12,2021 at 08:06:29 UTC from IEEE Xplore. Restrictions apply.