http://dx.doi.org/10.7232/iems.2010.9.2.141

Transaction Mining for Fraud Detection in ERP Systems  

Khan, Roheena (Information Security Institute Queensland University of Technology)
Corney, Malcolm (Information Security Institute Queensland University of Technology)
Clark, Andrew (Information Security Institute Queensland University of Technology)
Mohay, George (Information Security Institute Queensland University of Technology)
Publication Information
Industrial Engineering and Management Systems / v.9, no.2, 2010, pp. 141-156
Abstract
Despite all attempts to prevent it, fraud continues to be a major threat to industry and government. Traditionally, organizations have combated fraud by focusing on prevention rather than detection. In this paper we present a role mining inspired approach to representing user behaviour in Enterprise Resource Planning (ERP) systems, aimed primarily at detecting opportunities to commit fraud or potentially suspicious activities. We have adapted an approach that uses set theory to create transaction profiles from an analysis of user activity records. Based on these transaction profiles, we propose (1) a set of anomaly types for detecting potentially suspicious user behaviour, and (2) a set of scenarios for identifying inadequate segregation of duties in an ERP environment. In addition, we present two algorithms for constructing a directed acyclic graph that represents the relationships between transaction profiles. Experiments were conducted on a real dataset obtained from a teaching environment and on a demonstration dataset, both from SAP R/3, presently the predominant ERP system. The results of this empirical research demonstrate the effectiveness of the proposed approach.
Keywords
Fraud Detection; Audit Trail Analysis; Security; Role Mining; Anomaly Detection; Enterprise Resource Planning Systems