The significant growth of online banking frauds, fueled by the underground economy of malware, raised the need for effective defense systems.
As a consequence, in recent years banks have upgraded their security measures to protect online transactions from fraud.
We propose a novel approach, Banksealer, that models user’s behavior through his or her interaction with the online banking services from different perspectives but with the common goal of recognizing fraudulent activities.
By Michele Carminati
Postdoctoral Researcher @ Politecnico di Milano, working on System Security at NECSTLab.
Over the years, Internet banking has grown in popularity. Unfortunately, this has led to an increase in frauds perpetrated through cyber-attacks, resulting in substantial financial losses worldwide. According to Kaspersky Lab, financial malware is evolving through collaboration between malware creators and has grown by 16% since the beginning of 2016.
Because fraudulent activities seriously threaten the security and trust of banks, the need to create up-to-date defense infrastructures has emerged.
However, Internet banking frauds are difficult to analyze and detect because malicious behavior is dynamic and dispersed in large datasets. Despite the importance of the problem, the development of new solutions is made difficult by the very limited available information due to privacy and security concerns.
Typical banking Trojan fraud scheme
Proposed approach
Banksealer is inspired by and rooted in the idea of constructing profiles from historical data to detect suspicious deviations. Instead of focusing on pure detection approaches, we believe that more research effort is needed toward systems that support investigations. We aim to provide the analyst with a modular framework capable of big data behavioral analysis, in which the analyst's feedback is combined with machine learning techniques to build a dynamic and auto-adaptive fraud analysis and detection system. This research was made possible thanks to the collaboration with a leading national banking group, which gave us the great opportunity to work on a real dataset.
Overall approach
The first main component of the Banksealer framework is an unsupervised decision support module that is based on a combination of different profiles built on historical user data. During a training phase, it builds a local, global, and temporal profile for each user. The local profile models past user behavior by means of histograms to evaluate the anomaly of new transactions. The global profile clusters users with similar spending habits, according to the features of their transactions. The temporal profile aims at detecting frauds by exploiting a precise modeling of recurrent vs. non-recurrent spending patterns. With this threefold profiling approach, Banksealer adapts to non-stationary sources and to the evolution of users' spending habits over time, and it mitigates the under-training problem. At runtime, it supports analysts by ranking new transactions that deviate from the learned profiles, with an output that has a clear statistical meaning. An in-depth performance evaluation on a real-world dataset, against actual frauds and malicious scenarios that replicate real-world attacks, showed that Banksealer's approach correctly ranks complex frauds with up to 98% detection rate.
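A sketch of how a histogram-based local profile can score and rank new transactions for an analyst, added here as an illustration and not Banksealer's own code. The feature choice, the binning, the half-count floor for unseen bins and the log(1/height) scoring are assumptions, and the sample transactions are constructed.

```python
import math
from collections import Counter

def features(tx):
    """Discretise a transaction into histogram bins (feature choice is assumed)."""
    amount, country, hour = tx
    return {
        "amount": int(math.log10(max(amount, 1.0)) * 2),  # half-decade log bins
        "country": country,                               # categorical bin
        "hour_slot": hour // 6,                           # four 6-hour slots
    }

class LocalProfile:
    """Per-user histograms learned from that user's past transactions."""
    def __init__(self, history):
        self.hist = {}
        for tx in history:
            for name, value in features(tx).items():
                self.hist.setdefault(name, Counter())[value] += 1

    def score(self, tx):
        """Sum of log(1/relative bin height): 0 = most typical, higher = rarer."""
        total = 0.0
        for name, value in features(tx).items():
            counts = self.hist[name]
            peak = max(counts.values())
            # Bins never seen in training get half a count so the log stays finite.
            height = max(counts.get(value, 0), 0.5) / peak
            total += math.log(1.0 / height)
        return total

def rank(profile, new_txs):
    """Order new transactions most anomalous first, for analyst review."""
    return sorted(new_txs, key=profile.score, reverse=True)

# Constructed sample data: (amount_eur, beneficiary_country, hour_of_day).
# "XX" is a placeholder for a country absent from the user's history.
HISTORY = [(50.0, "IT", 10), (80.0, "IT", 11), (65.0, "IT", 9), (120.0, "IT", 15),
           (40.0, "IT", 10), (900.0, "IT", 16), (70.0, "DE", 10), (55.0, "IT", 8)]
NEW = [(60.0, "IT", 10), (4500.0, "XX", 3), (75.0, "DE", 14)]

if __name__ == "__main__":
    profile = LocalProfile(HISTORY)
    for tx in rank(profile, NEW):
        print(f"{profile.score(tx):6.2f}  {tx}")
```

A user with very few past transactions produces sparse histograms and inflated scores, which is the under-training problem the text mentions.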
The second main component of Banksealer is a supervised learning module that improves the detection performance. This module is composed of a multi-objective genetic algorithm, which can exploit the knowledge of the analysts through their feedback to automatically tune Banksealer's parameters, and a Random Forest classifier, able to learn and detect fraud patterns. The evaluation showed that this module can increase the detection performance of Banksealer up to 35%. We evaluate this system against state-of-the-art works in the literature, taking into consideration the detection performance and a cost function that depends on misclassifications.