A Rule-Based and Game-Theoretic Approach to On-Line Credit Card Fraud Detection


Vishal Vatsa (Indian Institute of Technology, India), Shamik Sural (Indian Institute of Technology, India) and A.K. Majumdar (Indian Institute of Technology, India)
DOI: 10.4018/978-1-60566-210-7.ch001


Traditional security mechanisms are often found to be inadequate for protection against attacks by authorized users or intruders posing as authorized users. This has drawn the interest of the research community towards intrusion detection techniques. The authors model the conflicting motives between an intruder and an intrusion detection system as a multi-stage game between two players, each trying to maximize its payoff. They consider the specific application of credit card fraud detection and propose a two-tiered architecture having a rule-based component in the first tier and a Game-theoretic component in the second tier. Classical Game theory is considered useful in many situations because it permits the formulation of strategies that are optimal regardless of what the adversary does, negating the need for prediction of his behavior. However, the authors use it in a predictive application in the sense that they consider intruders as rational adversaries who would try to behave optimally, and the expected optimal behavior can be determined through Game theory.
Chapter Preview


The popularity of E-commerce applications like online shopping has been growing rapidly over the last several years. According to a recently conducted ACNielsen study, one-tenth of the world’s population has now started shopping online (Global Consumer Attitude, 2006). Germany and Great Britain have the largest number of online shoppers, and the credit card is the most popular mode of payment (59%). As the number of credit card users rises worldwide, opportunities for thieves to steal credit card details and subsequently commit fraud are also increasing. Credit card frauds can be broadly categorized into the following three types.

  • a) Physical card gets lost or stolen and is used by a fraudster.

  • b) Card number is stolen and used in indirect shopping.

  • c) Credit card skimming, where the data from a card's magnetic strip is electronically copied onto another card.

The first type can lead to a huge financial loss if the card holder does not realize the loss of the card immediately. Once the card holder realizes the loss of the card, the institution issuing the card can cancel it. In the second and the third types of fraud, the card holder normally notices the fraudulent transaction on his card only after a long period of time. The only way to detect these two types of fraud is to analyze the transaction patterns of the card holder and find unusual transactions.

Over the last several years, researchers have developed methods to prevent unauthorized access to database applications. All these techniques aim to detect malicious transactions, specifically in databases, but an open problem in this field is to protect the database from well-formed but damaging transactions while limiting the generation of too many false alarms. This assumes significance especially in the domain of E-commerce, where a service provider like a credit card company needs to minimize its losses due to fraudulent transactions but, at the same time, does not wish the cardholder to feel hassled too often. If it could confirm all transactions on a credit card with the genuine cardholder, then automated fraud detection would not be necessary. But this is neither practical nor feasible. Further, there exists a finite possibility of the attacker being able to learn the defense mechanisms in place when involved in repeated attacks on the system. It is imperative that the detection system, in contrast, should be able to learn the strategies of an attacker and adopt a suitable counter-strategy.

Consider intrusion in an E-purchase situation: the fraudster, if in possession of somebody else’s credit card details, can attempt a fraudulent transaction over the Internet posing as the genuine cardholder. The fraudster can obtain the credit card details of an unsuspecting cardholder in a number of ways, such as shoulder surfing, dumpster diving, packet intercepting and database stealing (Li and Zhang, 2004). We also add the possibility that unscrupulous employees at merchant establishments, restaurants, gas stations, etc., can note down credit card details and possibly pass them on to an organized group of fraudsters. A fraudster aims at deriving the maximum benefit from such a pool of cards either in the short run (by making high-value purchases, even risking detection) or in the long run (by making a number of small-value purchases to avoid obvious detection). The fraud detection system at the credit card company, oblivious of the type of customer it is interacting with, aims at minimizing its loss due to fraudulent transactions through early detection. This can be modeled as two players in a max-min situation, typical of a Game-theoretic problem.

The field of Game theory has been explored for problems ranging from auctions to chess, and its application to the domain of information warfare seems promising. Hamilton et al. (2002a) bring out the possible role of Game theory in information warfare. They highlight that one can utilize well-developed Game-theoretic techniques to predict future attacks and possible courses of action to defend against them. They also identify the differences and challenges in this domain as compared to traditional games like chess. These include the availability of only a few limited examples, multiple simultaneous moves and no time constraints (Hamilton et al., 2002b).
