FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

Financial Fraud Detection with Anomaly Feature

Detection
CHAPTER-1
ABSTRACT
Online social networks (OSNs) gradually integrate financial capabilities by enabling the usage of
real and virtual currency. They serve as new platforms tohost a variety of business activities, such
as online promotion events, where users can possibly get virtual currency as rewards by participating
in such events. Both OSNs and business partners are significantly concerned when attackers
instrument a set of accounts to collect virtual currency from these events, which make these events
ineffective and result in significant financial loss. It becomes of great importance to proactively
detecting these malicious accounts before the online promotion activities and subsequently decreases
their priority to be rewarded. In this paper, we propose a novel system, namely Pro Guard, to
accomplish this objective by systematically integrating features that characterize accounts from three
perspectives including their general behaviors, their recharging patterns, and the usage of their
currency. We have performed extensive experiments based on data collected from the Tencent QQ, a
global leading OSN with built-in financial management activities. Experimental results have
demonstrated that our system can accomplish a high detection rate of 96.67% at a very low false
positive rate of 0.3%.

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 1

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

CHAPTER-2

OBJECTIVES

 To detect malicious in the online social networks

 To control the malicious accounts and make the system effective

ADVANTAGES:
 ProGuard features new capability of fusing features from both networking and financial
aspects for detection.
 Detection accuracy of ProGuard is high.
 Effective detection and collection of virtual currency

DISADVANTAGE:
 Harder to protect OSN from spamming and phishing
 Effectiveness of current technique is low
 Current technique doesn’t detect spamming and phishing

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 2

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

CHAPTER-3
LITERATURE SURVEY
1. Detecting automation of twitter accounts: Are you a human, Bot, or
cyborg?
Year : 2012
Author :Zi Chu ,Steven Gianvecchio, Haining Wang

Zi Chu; Steven Gianvecchio; Haining Wang; SushilJajodia

this paper focuses on the classification of human, bot, and cyborg accounts on Twitter. We first
conduct a set of large-scale measurements with a collection of over 500,000 accounts. We observe the
difference among human, bot, and cyborg in terms of tweeting behavior, tweet content, and account
properties. Based on the measurement results, we propose a classification system that includes the
following four parts: 1) an entropy-based component, 2) a spam detection component, 3) an account
properties component, and 4) a decision maker. It uses the combination of features extracted from an
unknown user to determine the likelihood of being a human, bot, or cyborg.
2. Online Social Spammer Detection
Author: Xia Hu, Jiliang Tang, Huan Liu

Year: 2014
A general optimization framework to collectively use content and network information for social
spammer detection, and provide the solution for efficient online processing. Experimental results on
Twitter datasets confirm the effectiveness and efficiency of the proposed framework.

3. Leveraging knowledge across media for spammer detection in

microblogging
Author :Xia Hu, Jiliang Tang, and Huan Liu
Year : 2014
We first perform a comprehensive linguistic study to compare spam across different media. Inspired
by the findings, we present an optimization formulation that enables the design of spammer detection
in microblogging using knowledge from external media. We conduct experiments on real-world

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 3

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

Twitter datasets to verify whether email, SMS and web spam resources help and how different media
help for spammer detection in microblogging.

4. Collective spammer detection in evolving multi-relational social networks

Author :James Foulds, LiseGetoor and ShobeirFakhraei
Year: 2015
We the predictive power of a noisy abuse reporting system, we develop a statistical relational model
using hinge-loss Markov random fields (HL-MRFs), a class of probabilistic graphical models which
are highly scalable. We use we the predictive power of a noisy abuse reporting system, we develop a
statistical relational model using hinge-loss Markov random fields (HL-MRFs), a class of probabilistic
graphical models which are highly scalable. We use Graph lab Create TM and Probabilistic Soft
Logic (PSL)2 to prototype and experimentally evaluate our solutions on internet-scale data from
Tagged.com. Our experiments demonstrate the effectiveness of our approach, and show that models
which incorporate the multi-relational nature of the social network significantly gain predictive
performance over those that do not.

5. Twitter spammer detection using data stream clustering

Author :Brian Dickinson, Zachary Miller and Alex Hai Wang
Year : 2015
Here to facilitate spam identification. Both algorithms clustered normal Twitter users, treating outliers as
spammers. Each of these algorithms performed well individually, with StreamKM++ achieving 99%recall
and a 6.4% false positive rate; and DenStream producing 99% recall and a 2.8% false positive rate. When
used in conjunction, these algorithms reached 100% recall and a 2.2% false positive rate, meaning that
our system was able to identify 100% of the spammers in our test while incorrectly detecting only 2.2% of
normal users as spammers.

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 4

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

CHAPTER-4
EXISTING
 Online social networks (OSNs) that integrate virtual currency serve as an appealing
platform for various business activities where online, interactive promotion is among the
most active ones.
 A user, who is commonly represented by her OSN account, can possibly get reward in the
form of virtual currency by participating online promotion activities organized by business
entities. 
 She can then use such reward in various ways such as online shopping,transferring it
to others, and even exchanging it for real currency. 
 However, it faces a significant threat: attackers can control a large number of accounts,
either by registering new accounts or compromising existing accounts, to participate in the
online promotion events for virtual currency. 
 Such malicious activities will fundamentally undermine the effectiveness of the promotion
activities, immediately voiding the effectiveness of the promotion investment from business
entities and meanwhile damaging ONS's reputation.
 Attackers can effectively perform attacks by simply clicking links offered by business
entities or sharing the benign content that is originally distributed by business partners.

□ The detection of such malicious OSN accounts fundamentally different from the detection
oftraditional attacks such as spamming and phishing.
 It is extremely hard to adopt existing methods to detect spamming and phishing accounts.

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 5

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

CHAPTER-5

PROPOSED

 In order to effectively detect malicious accounts in online promotion activities by

overcoming the aforementioned challenges, we have designed a novel system, namely Pro
Guard.

 To the best of our knowledge, this work represents the first effort to systematically detect
malicious accounts used for online promotion activity participation.

 To solve the new challenges, our method detects malicious accounts by investigating both
regular activities of an account and its financial activities.

 Proposed a detection method based on threshold-type binary classification algorithm to

solve problems of credit card fraud and telecommunications fraud.

 The typical virtual currency flow when malicious accounts participate in online promotion
events.

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 6

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

CHAPTER-6

SYSTEM REQUIREMENTS

6.1 : SOFTWARE REQUIREMENTS:

 Operating system : Windows Family

 Coding Language : JAVA/J2EE
 Tool : Eclipse
 Database : MYSQL

6.2 : HARDWARE REQUIREMENTS:

 System : Pentium Dual Core.

 Hard Disk : 120 GB.
 Monitor : 15’’ LED
 Input Devices : Keyboard, Mouse
 RAM : 1GB.

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 7

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

CHAPTER-7
SYSTEM ANALYSIS
7.1 : FEASIBILITY SYSTEM
Depending on the results of the initial investigation the survey is now expended to a more
detailed feasibility study. “FEASIBILTY STUDY” is a test of system proposal according to its
workability, impact of the organization, ability to meet needs and effective use of the resources.

Steps in feasibility analysis:

Eight steps involved in the feasibility analysis are:

 Form a project team and appoint a project leader.

 Enumerate potential proposed system.
 Define and identify characteristics of proposed system.
 Determine and evaluate performance and cost effectiveof each proposed system.
 Weight system performance and cost data.
 Select the best proposed system.
 Prepare and report final project directive to management.
Three key considerations involved in the feasibility analysis are

 ECONOMICAL FEASIBILITY

 TECHNICAL FEASIBILITY
 SOCIAL FEASIBILITY

 OPERATIONAL FEASIBILITY

ECONOMICAL FEASIBILITY

This study is carried out to check the economic impact that the system will have
on the organization. The amount of fund that the company can pour into the research and
development of the system is limited. The expenditures must be justified. Thus the
developed system as well within the budget and this was achieved because most of the

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 8

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

technologies used are freely available. Only the customized products had to be purchased

TECHNICAL FEASIBILITY
This study is carried out to check the technical feasibility, that is, the technical
requirements of the system. Any system developed must not have a high demand on the
available technical resources. This will lead to high demands on theavailable technical
resources. This will lead to high demands being placed on the client. The developed system
must have a modest requirement, as only minimal or null changes are required for
implementing this system.

SOCIAL FEASIBILITY

The aspect of study is to check the level of acceptance of the system by the user.
This includes the process of training the user to use the system efficiently.The user must
not feel threatened by the system, instead must accept it as a necessity. The level of
acceptance by the users solely depends on the methods that are employed to educate the
user about the system and to make him familiar with it. His level of confidence must be
raised so that he is also able to make some constructive criticism, which is welcomed, as he
is the final user of the system.

OPERATIONAL FEASIBILITY
Operational feasibility is a measure of how well a proposed system
solves the problems, and takes advantage of the opportunities identified during scope
definition and how it satisfies the requirements identified in the requirements analysis phase
of system development.

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 9

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

CHAPTER-8
SOFTWARE DESCRIPTION

8.1 : JAVA TECHNOLOGY : Java technology is both a programming language

and aPlatform.

8.2 : The Java Programming Language : The Java programming language is a

high-level language that can be characterized by all of the following buzzwords

 Simple

 Object Oriented

 Portable

 Distributed

 High perfromance

 Interpreted

 Multi-threaded

 Robust

 Dynamic

 Secure

With most programming languages, you either compile or interpret a program so that you can run it on
your computer. The Java programming language is unusual in that a program is both compiled and
interpreted. With the compiler, first you translate a program into an intermediate language called Java
byte codes —the platform-independent codes interpreted by the interpreter on the Java platform. The
interpreter parses and runs each Java byte code instruction on the computer

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 10

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

Compilation happens just once; interpretation occurs each time the program is executed. The
following figure 8.1 illustrates how this works.

Fig 8.1- Working Of JAVA

The Java Platform

A platform is the hardware or software environment in which a program runs. The Java
platform differs from most other platforms in that it’s a software-only platform that runs on top of
other hardware-based platforms.

The Java platform has two components:

 The Java Virtual Machine (Java VM)

 The Java Application Programming Interface (Java API)

You’ve already been introduced to the Java VM. It’s the base for the Java platform and is
ported onto various hardware-based platforms.

The Java API is a large collection of ready-made software components that provide many
useful capabilities, such as graphical user interface (GUI) widgets. The Java API is grouped into
libraries of related classes and interfaces; these libraries are known as packages The following figure
depicts a program that’s running on the Java platform. As the figure 8.2 shows, the Java API and the
virtual machine insulate the program from the hardware.

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 11

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

Fig 8.2 The JAVA Platform

Activities of Java

An application is a standalone program that runs directly on the Java platform. A special
kind of application known as a server serves and supports clients on a network. Examples of servers
are Web servers, proxy servers, mail servers, and print servers. Another specialized program is a
servlet. A servlet can almost be thought of as an applet that runs on the server side. Java Servlets
are a popular choice for building interactive web applications, replacing the use of CGI scripts.
Servlets are similar to applets in that they are runtime extensions of applications. Instead of working
in browsers, though, servlets run within Java Web servers, configuring or tailoring the server.

Every full implementation of the Java platform gives you the following features:

 The essentials: Objects, strings, threads, numbers, input and output, data
structures, system properties, date and time, and so on.

 Applets: The set of conventions used by applets.

 Networking: URLs, TCP (Transmission Control Protocol), UDP (User Datagram

Protocol) sockets, and IP (Internet Protocol) addresses.

 Security: Both low level and high level, including electronic signatures,public
and private key management, access control, and certificates.

 Software components: Known as JavaBeansTM, can plug into existing

component architectures.

 Object serialization: Allows lightweight persistence and communicationvia

Remote Method Invocation (RMI).

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 12

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

 Java Database Connectivity (JDBC): Provides uniform access to a wide

range of relational databases.

The Java platform also has APIs for 2D and 3D graphics, accessibility, servers, collaboration,
telephony, speech, animation, and more. The following figure 4.3 depicts what is included in the
Java 2 SDK.

Fig 8.3 – JAVA 2 SDK

Networking :

TCP/IP stack

The TCP/IP stack is shorter than the OSI one: The following figure 4.4 shows the TCP/IPStack Structure

Fig 4.4 – TCP/IP Stack

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 13

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

IP datagram’s

The IP layer provides a connectionless and unreliable delivery system. It considers each
datagram independently of the others. Any association between datagram must be supplied by the
higher layers. The IP layer supplies a checksum that includes its own header. The header includes
the source and destination addresses.

TCP
TCP supplies logic to give a reliable connection-oriented protocol above IP.

It provides a virtual circuit that two processes can use to communicate.

Internet addresses
In order to use a service, you must be able to find it. The Internet uses an address scheme for
machines so that they can be located. The address is a 32 bit integer which gives the IP address.
This encodes a network ID and more addressing. The network ID falls into various classes
according to the size of the network.

Network address

Class A uses 8 bits for the network address with 24 bits left over for
other addressing. Class B uses 16 bit network addressing. Class C uses 24 bit network
addressing and class D uses all 32.

Subnet address

Internally, the UNIX network is divided into sub networks. Building 11 iscurrently on one
sub network and uses 10-bit addressing, allowing 1024 different hosts.

Host address

8 bits are finally used for host addresses within our subnet. This places a limit of256
machines that can be on the subnet.

Total address

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 14

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

Fig 8.5- IP Addressing

The 32 bit address is usually written as 4 integers separated by dots.Theabovefigure 4.5 indicates the IP
Addressing

Port addresses
A service exists on a host, and is identified by its port. This is a 16 bit number. To send a
message to a server, you send it to the port for that service of the host that it is running on. This is
not location transparency! Certain of these ports are "well known".

Sockets

A socket is a data structure maintained by the system to handle network connections. A

socket is created using the call socket. It returns an integer that is like a file descriptor. In fact, under
Windows, this handle can be used with Read File and Write File functions.

#include <sys/types.h>

#include <sys/socket.h>

int socket(int family, int type, int protocol);

Here "family" will be AF_INET for IP communications, protocol will be zero, and type will
depend on whether TCP or UDP is used. Two processes wishing to communicate over a network
create a socket each. These are similar to two ends of a pipe - but the actualpipe does not yet exist.

ODBC
Microsoft Open Database Connectivity (ODBC) is a standard programming interface for
application developers and database systems providers. Before ODBC became a de facto standard

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 15

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

for Windows programs to interface with database systems, programmers had to use proprietary
languages for each database they wanted to connect to. Now, ODBC has made the choice of the
database system almost irrelevant from a coding perspective, which is as it should be. Application
developers have much more important things to worry about than the syntax that is needed to port
their program from one database to another when business needs suddenly change.

Through the ODBC Administrator in Control Panel, you can specify the particular database
that is associated with a data source that an ODBC application program is written to use. Think of
an ODBC data source as a door with a name on it. Each door willlead you to a particular database.
For example, the data source named Sales Figures might be a SQL Server database, whereas the
Accounts Payable data source could refer to an Access database. The physical database referred to
by a data source can reside anywhere on the LAN.

The ODBC system files are not installed on your system by Windows 95. Rather, they are
installed when you setup a separate database application, such as SQL Server Client or Visual Basic
4.0. When the ODBC icon is installed in Control Panel, it uses a file called ODBCINST.DLL. It is
also possible to administer your ODBC data sources through a stand-alone program called
ODBCADM.EXE. There is a 16-bit and a 32-bit version of this program, and each maintains a
separate list of ODBC data sources.

From a programming perspective, the beauty of ODBC is that the application can be written to use
the same set of function calls to interface with any data source, regardless of the database vendor.
The source code of the application doesn’t change whether it talks to Oracle or SQL Server. We
only mention these two as an example. There are ODBC drivers available for several dozen popular
database systems. Even Excel spreadsheets and plain text files can be turned into data sources. The
operating system uses the Registry information written by ODBC Administrator to determine which
low-level ODBC drivers are needed to talk to the data source (such as the interface to Oracle or
SQL Server). The loading of the ODBC drivers is transparent to the ODBC application program. In
a client/server environment, the ODBC API even handles many of the network issues for the
application programmer.

The advantages of this scheme are so numerous that you are probably thinking there must be
some catch. The only disadvantage of ODBC is that it isn’t as efficient as talking directly to the

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 16

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

native database interface. ODBC has had many detractors make the charge that it is too slow.
Microsoft has always claimed that the critical factor in performance is the quality of the driver
software that is used. In our humble opinion, this is true. The availability of good ODBC drivers has
improved a great deal recently. And anyway, the criticism about performance is somewhat
analogous to those who said that compilers would never match the speed of pure assembly language.
Maybe not, but the compiler (or ODBC) gives you the opportunity to write cleaner programs, which
means you finish sooner. Meanwhile, computers get faster every year.

JDBC

In an effort to set an independent database standard API for Java, Sun Microsystems
developed Java Database Connectivity, or JDBC. JDBC offers a generic SQL database access
mechanism that provides a consistent interface to a variety of RDBMSs. This consistent interface is
achieved through the use of “plug-in” database connectivity modules, or drivers. If a database
vendor wishes to have JDBC support, he or she must provide the driver for each platform that the
database and Java run on.

To gain a wider acceptance of JDBC, Sun based JDBC’s framework on ODBC. As you
discovered earlier in this chapter, ODBC has widespread support on a variety of platforms. Basing
JDBC on ODBC will allow vendors to bring JDBC drivers to market much faster than developing a
completely new connectivity solution.

JDBC was announced in March of 1996. It was released for a 90 day public review that
ended June 8, 1996. Because of user input, the final JDBC v1.0 specification was released soon
after.

The remainder of this section will cover enough information about JDBC for you to know
what it is about and how to use it effectively. This is by no means a complete overview of JDBC.
That would fill an entire book.

JDBC Goals

Few software packages are designed without goals in mind. JDBC is one that, because of its
many goals, drove the development of the API. These goals, in conjunction with early reviewer

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 17

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

feedback, have finalized the JDBC class library into a solid framework for building database
applications in Java.

The goals that were set for JDBC are important. They will give you some insight as to
why certain classes and functionalities behave the way they do. The eight design goals for JDBC are
as follows:

1. SQL Level API

The designers felt that their main goal was to define a SQL interface for Java. Although not the
lowest database interface level possible, it is at a low enough level for higher-leveltools and APIs to
be created. Conversely, it is at a high enough level for application programmers to use it confidently.
Attaining this goal allows for future tool vendors to “generate” JDBC code and to hide many of
JDBC’s complexities from the end user.

2. SQL Conformance

SQL syntax varies as you move from database vendor to database vendor. In an effort to
support a wide variety of vendors, JDBC will allow any query statement to be passed through it
to the underlying database driver. This allows the connectivity module to handle non-standard
functionality in a manner that is *suitable for its users.

3. JDBC must be implemental on top of common database interfaces

The JDBC SQL API must “sit” on top of other common SQL level APIs. This goal allows JDBC to
use existing ODBC level drivers by the use of a software interface. This interface would translate
JDBC calls to ODBC and vice versa.

4. Provide a Java interface that is consistent with the rest of the Java system

Because of Java’s acceptance in the user community thus far, the designers feelthat they
should not stray from the current design of the core Java system.

5. Keep it simple

This goal probably appears in all software design goal listings. JDBC is no exception. Sun

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 18

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

felt that the design of JDBC should be very simple, allowing for only one method of completing a
task per mechanism. Allowing duplicate functionality only servesto confuse the users of the API.

6. Use strong, static typing wherever possible

Strong typing allows for more error checking to be done at compile time; also, less errors appear at
runtime.

7. Keep the common cases simple

Because more often than not, the usual SQL calls used by the programmer are simple SELECT’s,
INSERT’s, DELETE’s and UPDATE’s, these queries should be simple to perform with JDBC.
However, more complex SQL statements should also be possible.

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 19

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

CHAPTER-9

SYSTEM ARCHITECTURE

9.1 : Modules:
 Collecting the Data from OSN and Financial
 Online Promotion Activities
 Classifying the User Behaviors
 Recharging Patterns and Usage of Currency
 Transferring and Laundering Virtual Currency

Collecting the Data from OSN and Financial

To the best of our knowledge, this work represents the first effort to systematically
detect malicious accounts used for online promotion activity participation.We have
evaluated our system using data collected from OSN and Financial,online social network
that uses a widely-accepted virtual currency.

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 20

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

Online Promotion Activities

It therefore becomes of essential importance to detect accounts controlled by attackers
in online promotion activities. In the following discussions, we refer to such accounts as
malicious accounts. The effective detection of malicious accounts enables both OSNs and
business entities to take mitigation actions such as banning these accounts or decreasing the
possibility to reward these accounts.The best of our knowledge, this work represents the
effort to systematically detect malicious accounts used for online promotion activity
participation. We have evaluated our system using data collected from OSN and Financial

Classifying the User Behaviors

Benign accounts are usually used by regular users for variety of activities such as
chatting, photo sharing, and financial activities. In contrast, malicious accounts are more
likely to be driven by online promotion events. Therefore, the benign accounts tend to be
more socially active compared to malicious accounts.The malicious accounts under
investigation focus on using online promotion activities to collect virtual currency. In
contrast, benign users are likely to obtain virtual currency from multiple resources.Attackers'
ultimate objective is to monetize the virtual currency. In contrast, benign users use their
virtual currency in much more diversified ways.

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 21

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

Recharging Patterns and Usage of Currency

A user usually directly deposits real currency into her online banking account; she can
recharge her virtual currency account from her banking account. By participating online
promotion events, a user can also recharge her virtual currencyaccount by collecting rewards
from the promotion events. A user can expend from his accounts in two typical ways.
First, she can use real or virtual currency to purchase both real and virtual goods (i.e.,
online shopping). Second, she cantransfer both real and virtual currency to another user by
sending out gifts.

Transferring and Laundering Virtual Currency

All current features rely on coarse-grained information that minimizes privacy concerns,
which may foster the deployment of the proposed system in a detection- as-service model.
Despite the fact that ProGuardcan effectively detect malicious accounts used for collecting
virtual currency from online promotion activities, it is now designed for detecting malicious
accounts used for transferring and laundering virtual currency. Extending ProGuardto
include such detection capabilities falls into our work.

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 22

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

9.2:UML DIAGRAMS

FIG: 9.2.1:USE CASE DIAGRAM

FIG:9.2.2:SEQUENCE DIAGRAM

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 23

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION
FIG:9.2.3:COLLABORATION DIAGRAM

FIG:9.2.4:ACITVITY DIAGRAM

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 24

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

CHAPTER-10
SOURCE CODE
Customer Register

// Source File Name: RegistrationAction.java

packagecom.yourcompany.struts.action;
importDatabase.dataconnection;
importcom.yourcompany.struts.form.RegistrationForm;
importjava.io.PrintStream;
importjava.sql.SQLException;
importjava.util.ArrayList;
importjava.util.Vector;
importjavax.servlet.http.HttpServletRequest;
importjavax.servlet.http.HttpServletResponse;
importorg.apache.struts.action.*;
public class RegistrationAction extends Action{
publicRegistrationAction(){
}
publicActionForward execute(ActionMapping mapping, ActionForm form,
HttpServletRequest
request, HttpServletResponse response)
throwsClassNotFoundException,
SQLException{ RegistrationFormregistrationForm =
(RegistrationForm)form;String username =
registrationForm.getUsername();
String card = registrationForm.getCreditcard();
String pin = registrationForm.getPinnumber();
ArrayList al = new ArrayList();
al.add(card);
al.add(pin);
Vector vec = new Vector();
vec.add(registrationForm.getMailid());
vec.add(registrationForm.getName());
vec.add(registrationForm.getAge());
vec.add(registrationForm.getAddress());
vec.add(registrationForm.getCity());
vec.add(registrationForm.getState());
vec.add(registrationForm.getPin());
vec.add(registrationForm.getCountry());
vec.add(registrationForm.getPhone());
vec.add(registrationForm.getMobile());
PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 25
 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

vec.add(registrationForm.getPassword());
vec.add(registrationForm.getCreditcard());
vec.add(registrationForm.getPinnumber());
dataconnection data = new dataconnection();
data.setTablename("customerdetails");
data.setInsert(vec, username);
data.setCard(al);
int r = data.Loginuser(username);
System.out.println((new StringBuilder("Login_count ------ > ")).append(r).toString());
String result = data.getInsert();
returnmapping.findForward(result);
}
}
Fraud Detection

<%@ page language="java" import="java.sql.*" import="java.util.*"%>

<div id="menu_tab">
<ul class="menu">
<li><a href="Index.jsp" class="nav">Home</a></li>
<li class="divider"></li>
<li><a href="Computer.jsp" class="nav">Products</a></li>
<li class="divider"></li>
<li><a href="Customer.jsp" class="nav">Customer Sign in</a></li>
<li class="divider"></li>
<li><a href="Admin.jsp" class="nav">Admin</a></li>
<li class="divider"></li>
<li><a href="Registration.jsp" class="nav">Sign Up</a></li>
<li class="divider"></li>
<li><a href="contact.html" class="nav">Contact Us</a></li>
</ul>
</div><!-- end of menu tab -->
<div class="crumb_navigation">
Navigation: <span class="current">Home</span>
</div>
<div class="left_content">
<div class="center_content">
<div class="oferta" style="width: 481px; height: 11px">
<div class="prod_box"><div align="left">
<div id="pageNavPosition">
</div>
<script type="text/javascript">
var pager = new Pager( 'results', 3 );
pager.init();
pager.showPageNav( 'pager', 'pageNavPosition');
pager.showPage(1);
</script>

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 26

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

</div>
<%!
String countresult="";
%>
<table border="1" id="results" width="471" height="24">
<tr>
<td align="center" width="10%">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SNO</td>
<td align="center" width="30%">USER NAME</td>
<td align="center" width="30%">MAIL ID</td>
<td align="center" width="30%">PRODUCT ID</td>
<td align="center" width="30%">DATE OF PURCHASED</td>
<td align="center" width="10%">LOGIN COUNT</td>
<td align="center" width="10%">RESULT</td>
</tr>
<%
String deletename=request.getParameter("delete");
int count=0;
Class.forName("com.mysql.jdbc.Driver");
Connection con1 =
DriverManager.getConnection("jdbc:mysql://localhost:3306/virtual","root","root123");
Statement st1 = con1.createStatement();
ResultSet rs1=st1.executeQuery("select distinct
customerdetails.username,customerdetails.emailid,purchase_details.product_id,purchase_details.
dateofpurchased,login_count.logincount from customerdetails join purchase_details on
customerdetails.username=purchase_details.username join login_count on
purchase_details.username=login_count.username");
while(rs1.next()){
count=count+1;
String username=rs1.getString(1);
String emailid=rs1.getString(2);
String product_id=rs1.getString(3);
String dateofpurchased=rs1.getString(4);
String logincount=rs1.getString(5);
intlogc=Integer.parseInt(logincount);
session.setAttribute("countuser",username);
session.setAttribute("logc",logc);
if(logc>=15){
countresult="Outlier Detection";
}else{
countresult="Normal User";
}

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 27

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

CHAPTER-11

TESTING AND IMPLEMENTATION

11.1 :TESTING

PROCESS

The purpose of testing is to discover errors. Testing is the process of trying to discover
every conceivable fault or weakness in a work product. It provides a way to check the functionality
of components, sub assemblies, assemblies and/or a finished product it is the process of exercising
software with the intent of ensuring that the Software system meets its requirements and user
expectations and does not fail in an unacceptable manner. There are various types of test. Each test
type addresses a specific testing requirement.

TYPES OF TESTS

UNIT TESTING
Unit testing involves the design of test cases that validate that the internal
program logic is functioning properly, and that program input produces validoutputs. All
decision branches and internal code flow should be validated. It is the testing of individual
software units of the application .it is done after the completion of an individual unit before
integration. This is a structural testing, that relies on knowledge of its construction and is
invasive. Unit testsperform basic tests at component level and test a specific business process,
application, and/or system configuration. Unit tests ensure that each unique path of a business
process performs accurately to the documented specifications and contains clearly defined
inputs and expected results.

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 28

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

INTEGRATION TESTING

Integration tests are designed to test integrated software components to determine if

they actually run as one program. Testing is event driven and is more concerned with the
basic outcome of screens or fields. Integration tests demonstrate that although the
components were individually satisfaction, as shown by successfully unit testing, the
combination of components is correct and consistent. Integration testing is specifically
aimed at exposing the problems that arise from the combination of components.

FUNCTIONAL TESTING
Functional tests provide systematic demonstrations that functions tested areavailable as
specified by the business and technical requirements, system documentation and user
manuals.

SYSTEM TESTING
System testing ensures that the entire integrated software system meets requirements.
It tests a configuration to ensure known and predictable results. An example of system
testing is the configuration oriented system integration test. System testing is based on
process descriptions and flows, emphasizing pre-driven process links and integration points.

WHITE BOX TESTING

White Box Testing is a testing in which the software tester has knowledge of the inner
workings, structure and language of the software, or at least its purpose. It is used to test
areas that cannot be reached from a black box level.

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 29

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

BLACK BOX TESTING

Black Box Testing is testing the software without any knowledge of the inner
workings, structure or language of the module being tested. Black box tests, as most other
kinds of tests, must be written from a definitive source document, such as specification or
requirements document, such as specification or requirements document. It is a testing in
which the software under test is treated, as a black box .you cannot “see” into it. The test
provides inputs and responds to outputs without considering how the software works.

UNIT TESTING

Unit testing is usually conducted as part of a combined code and unit test phase of
the software lifecycle, although it is not uncommon for coding and unit testing to be
conducted as two distinct phases.

TEST STRATEGY AND APPROACH

Field testing will be performed manually and functional tests will be written in detail

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 30

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

11.2: SYSTEM IMPLEMENTATION

System Implementation is the stage in the project where the theoretical design isturned into a
working system. The most critical stage is achieving a successful

system and in giving confidence on the new system for the user that it will work efficiently and
effectively.

The existing system was long time process. The proposed system was developed using
C#.NET. The existing system caused long time transmission process but the system developed
now has a very good user-friendly tool, which has a menu-based interface, graphical interface
for the end user.

After coding and testing, the project is to be installed on the necessary system. The executable
file is to be created and loaded in the system. Again the code is tested in the installed system.

Installing the developed code in system in the form of executable file is implementation.

11.3:PROTOCOL:
Initialization factor:

K--------- >System’s security

C ---------> client [user]

S -------- > server (server donated by s)

Sm --------- > system generate password

Pw --------- > user password

Bo -------- > user’s biometrics data

SK ---------> user’s total credential

Factor-Registration:

The server (denoted by S) it is stored all user’s credential and kept secret .The client

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 31

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

(denoted by C), with an initial password PW, biometrics data and system password, registers
on the system by running this interactive protocol with S. An execution of this protocol is
denoted by

Factor-Reg

C [PW, BO, SM] <============>S [SK] --------> {1, 0}

The information in square brackets indicates the secret value(s) known by the corresponding
party. The output of this protocol is “1” (if the registration is successful) or “0” (Error
message).

Factor-Login-Authentication:

This is another interactive protocol between the client C and the server S, which enables the
client to login successfully using PW, BO, SM An execution of this protocol is denoted by

Factor-login-auth

C [PW, BO, SM] <================>S [SK] ------------------ > {1, 0}

The output of this protocol is “1” (if the authentication is successful) or “0” (otherwise).

Method of implementation:

System Implementation is the stage in the project where the theoretical design is
turned into a working system. The most critical stage is achieving a successful system and in
giving confidence on the new system for the user that it will work efficiently and effectively.

The existing system was long time process. The proposed system was developed
using C#.NET. The existing system caused long time transmission process but the system
developed now has a very good user- friendly tool, which has a menu-based interface,
graphical interface for the end user.

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 32

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

Phase Description:

Phase Task Descript

ion
Phase Analysis Analyze the information given in the IEEEpaper.
1

Literature survey Collect raw data and elaborate on

literaturesurveys.

Design Assign the module and design the process

flowcontrol.

Implementation Implement the code for all the modules

andintegrate all the modules.

Testing Test the code and overall process weather

theprocessworks properly.

Documentation Prepare the document for this project with

conclusion and future enhancement.
Alpha Test
In software development, your alpha test, will be a test among yourselves (the teams)
to confirm that your product works. Originally, the term alpha test meant the first phase of
testing in a software development process. The first phase includes unit testing, component
testing, and system testing. During this time you will compress files, edit for misspelled
words and unclear directions, broken links, and sync audio and video. You will also test your
product on the lowest common denominator machines to make sure download times are
acceptable and preloaders work.
Beta Test
In software development, a beta test is the second phase of software testingin which a
sampling of the intended audience tries the product out. Beta testing canbe considered "pre-
release testing." Beta test versions of software are now distributed to curriculum specialists
and teachers to give the program a "real- world" test and partly to provide a preview of the
next release.

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 33

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

CHAPTER-12

RESULT&EVALUATION
We performed extensive evaluation of ProGuard, which focuses on the overall
detection accuracy, the importance of each feature, and the correlation among these features.
For this evaluation, we used totally 56,000 accounts whose entire dataset is divided into
28,000 malicious accounts and 28,000 benign accounts. Such data serve as a well-balanced
dataset for training a statistical classifier
DETECTION ACCURACY

We have used the normalized Random Forest (RF) as the statistical classifier for
ProGuard and evaluated its detection accuracy. RF classifier is an ensemble of unpruned
classification trees, which is trained over bootstrapped samples of the original data and the
prediction is made by aggregating majority vote of theensemble. In order to avoid the bias
caused by the selection of specific training set, we also performed 10- fold cross-validation.
Specifically, the entire dataset is partitioned to 10 equal-size sets (i.e., 10-folds); then
iteratively 9-folds are used for training and the remaining 1-fold is adopted for testing. The
RF classifier was trained with 3000 trees and randomly sampled 4 features for each of
treesplitting. The receiver operating characteristic (ROC) that characterizes the overall
detection performance of ProGuard. The experimental results have shown that ProGuard can
achieve high detection accuracy. For example, given the false positive rate of 0.3%,
ProGuard can accomplish a high detection rate of 96.67%. In practice,alternative statistical
classifiers might be adopted to render new performance benefits such as scalability.
Therefore, we also evaluate how ProGuard performs when alternative classifiers are used. As
a means towards this end, we used Support Vector Machine (SVM) and Gradient-Boosted
Tree to repeatour experiments. Specifically, we used 10- fold cross validation for each of
classifiers and calculated the area under the ROC curve (AUC) , a widely used measure of
quality of super- vised classification models,

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 34

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

which is equal to the probability that a randomly chosen sample of malicious accounts will
have a higher estimated probability of belonging to malicious accounts than a randomly
chosen sample of benign accounts. Since AUC is cutoff-independent and values of AUC
range from 0.5 (no predictive ability) to 1.0 (perfect predictive ability), a higher AUC of a
classifier indicates the better prediction performance, irrespective of the cutoff selection.
Table 1 lists the AUC values for all threeclassifiers used in the experiments. Both SVM and
Gradient-Boosted Tree accomplished high detection results, comparable with the Random
Forest which has the best performance on AUC. The experimental results imply that our
proposed features are not sensitive to the selection of statistical classifiers.

PURCHASE DETAILS
pu chaseamount creditpoints

46743 56544
22.2 467.4 565.433333333.322222222.2
2222 creditpoints
purchaseamount

user1 user2 user1 user3 user2

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 35

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

CHAPTER-13

SCREENSHOTS

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 36

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 37

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 38

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 39

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 40

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 41

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 42

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 43

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 44

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 45

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

CHAPTER-14

CONCLUSION

This paper presents a novel system, ProGuard, to automatically detect malicious OSN
accounts that participate in online promotion events. ProGuard leverages three categories of
features including general behavior, virtual-currency collection, and virtual-currency usage.
Experimental results based on labelled data collected from Ten cent QQ, a global leading
OSN company, have demonstrated the detection accuracy of ProGuard, which has achieved
a high detection rate of96.67% given an extremely low false positive rate of 0.3%.
Future Enhancement

Addressing false negatives in this case is definitely an important issue and seeking effective
solutions falls. ProGuard can effectively detect malicious accounts used for collecting virtual
currency from online promotion activities, it is not designed for detecting malicious accounts
used for transferring and laundering virtual currency. Extending ProGuard to include such
detection capabilities falls.

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 46

 FINANCIAL FRAUD DETECTION WITH ANOMALY FEATURE DETECTION

CHAPTER-15
REFRENCE
[1] Y. Wang and S. D. Mainwaring, ‘‘Human-currency interaction: Learning from virtual
currency use in China,’’ in Proc. SIGCHI Conf. Human Factors Comput. Syst., 2008, pp. 25–
28.
[2] J. S. Gans and H. Halaburda, ‘‘Some economics of private digital currency,’’ Rotman
SchoolManage., Toronto, ON, Canada, Tech. Rep. 2297296, 2013.
[3] X. Hu, J. Tang, and H. Liu, ‘‘Online social spammer detection,’’ in Proc. 28th AAAI
Conf. Artif.Intell., 2014, pp. 59–65.
[4] X. Hu, J. Tang, and H. Liu, ‘‘Leveraging knowledge across media for spammer detection
in microblogging,’’ in Proc. 37th Int. ACM SIGIR Conf. Res. Develop. Inf. Retr., 2014, pp.
547– 556.
[5] Z. Chu, S. Gianvecchio, A. Koehl, H. Wang, and S. Jajodia, ‘‘Blog or block: Detecting
blog bots through behavioral biometrics,’’ Comput. Netw., vol. 57, no. 3, pp. 634–646, 2013.
[6] S. Fakhraei, J. Foulds, M. Shashanka, and L. Getoor, ‘‘Collective spammer detection in
evolving multi-relational social networks,’’ in Proc. 21th ACM SIGKDD Int. Conf. Knowl.
Discovery Data Mining, 2015, pp. 1769–1778.
[7] Y.-R. Chen and H.-H.Chen, ‘‘Opinion spammer detection in Web forum,’’ in Proc. 38th
Int. ACM SIGIR Conf. Res. Develop. Inf. Retr., 2015, pp. 759–762.
[8] F. Wu, J. Shu, Y. Huang, and Z. Yuan, ‘‘Social spammer and spam message co-detection
in microblogging with social context regularization,’’ in Proc. 24th ACM Int. Conf. Inf.
Knowl. Manag., 2015, pp. 1601–1610.

[9] Z. Miller, B. Dickinson, W. Deitrick, W. Hu, and A. H. Wang, ‘‘Twitter spammer

detectionusing data stream clustering,’’ Inf. Sci., vol. 260,pp. 64–73, Sep. 2014.

[10] Z. Miller, B. Dickinson, W. Deitrick, W. Hu, and A. H. Wang, ‘‘Twitter spammer

detection using data stream clustering,’’ Inf. Sci., vol. 260,pp. 64–73, Sep. 2014.

PACE INSTITUTE OF TECHNOLOGY AND SCIENCES Page 47