Transaction Mining for Fraud Detection in ERP Systems

  • Khan, Roheena (Information Security Institute Queensland University of Technology) ;
  • Corney, Malcolm (Information Security Institute Queensland University of Technology) ;
  • Clark, Andrew (Information Security Institute Queensland University of Technology) ;
  • Mohay, George (Information Security Institute Queensland University of Technology)
  • Received : 2010.02.20
  • Accepted : 2010.05.17
  • Published : 2010.06.01

Abstract

Despite all attempts to prevent fraud, it continues to be a major threat to industry and government. Traditionally, organizations have focused on fraud prevention rather than detection to combat fraud. In this paper we present a role-mining-inspired approach to representing user behaviour in Enterprise Resource Planning (ERP) systems, aimed primarily at detecting opportunities to commit fraud or potentially suspicious activities. We have adapted an approach that uses set theory to create transaction profiles based on analysis of user activity records. Based on these transaction profiles, we propose (1) a set of anomaly types to detect potentially suspicious user behaviour, and (2) a set of scenarios to identify inadequate segregation of duties in an ERP environment. In addition, we present two algorithms to construct a directed acyclic graph representing the relationships between transaction profiles. Experiments were conducted using a real dataset obtained from a teaching environment and a demonstration dataset, both using SAP R/3, presently the predominant ERP system. The results of this empirical research demonstrate the effectiveness of the proposed approach.
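As an added illustration (not the authors' code or data), the following Python sketches the three ingredients the abstract names: transaction profiles built as sets from activity records, a segregation-of-duties check over those profiles, and a directed acyclic graph of subset relationships between profiles. The activity records, transaction codes and conflict pairs are constructed sample values, and the anomaly rule (a transaction no other user executes) is one hypothetical anomaly type, not the paper's list.

```python
"""Added illustration (not the paper's code): transaction profiles as sets,
a segregation-of-duties check and a subset-inclusion DAG over the profiles.
All transaction codes and conflict pairs below are constructed samples."""

# Constructed user activity records: (user, SAP-style transaction code).
ACTIVITY = [
    ("alice", "ME21N"), ("alice", "MIGO"), ("alice", "MIRO"),
    ("bob", "ME21N"), ("bob", "MIGO"),
    ("carol", "ME21N"),
    ("dave", "FB60"), ("dave", "F110"), ("dave", "ME21N"),
    ("dave", "MIGO"), ("dave", "MIRO"),
]
# Constructed SoD conflict pairs (hypothetical, for illustration only).
CONFLICTS = {frozenset({"ME21N", "MIRO"}), frozenset({"FB60", "F110"})}

def build_profiles(records):
    """Map each user to the set of transactions they actually executed."""
    profiles = {}
    for user, tcode in records:
        profiles.setdefault(user, set()).add(tcode)
    return profiles

def sod_violations(profiles, conflicts):
    """Users whose executed transactions contain a full conflicting pair."""
    out = {}
    for user, tcodes in profiles.items():
        hits = sorted(tuple(sorted(p)) for p in conflicts if p <= tcodes)
        if hits:
            out[user] = hits
    return out

def profile_dag(profiles):
    """Edges u -> v when profile(u) is a proper subset of profile(v),
    with transitive edges removed so the graph is a Hasse diagram."""
    users = list(profiles)
    edges = {(u, v) for u in users for v in users if profiles[u] < profiles[v]}
    # Transitive reduction: drop u -> v if some w gives u -> w -> v.
    return {(u, v) for (u, v) in edges
            if not any((u, w) in edges and (w, v) in edges for w in users)}

def unusual_transactions(profiles, user):
    """Hypothetical anomaly type: transactions in a user's profile that no
    other user executes, a candidate for review rather than a verdict."""
    others = set().union(*(p for u, p in profiles.items() if u != user))
    return profiles[user] - others

if __name__ == "__main__":
    profs = build_profiles(ACTIVITY)
    print(sod_violations(profs, CONFLICTS))
    print(sorted(profile_dag(profs)))
    print(unusual_transactions(profs, "dave"))
```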

Cited by

  1. Journal entry anomaly detection model vol.27, pp.4, 2010, https://doi.org/10.1002/isaf.1485