# B2B Travel Fraud Detection — Synthetic Data Generator

Each cell below generates one table. Run them **in order** (top → bottom).

**Tables**: `agency_master`, `user_master`, `booking_fact`, `session_context`, `passenger_details`, `post_booking_events`, `booking_label_table`

In [65]:
# ============================================================
# CELL 0 — IMPORTS & CONFIG
# ============================================================
import numpy as np
import pandas as pd
from datetime import datetime, timedelta
import random, os, zipfile, uuid, hashlib

random.seed(42)
np.random.seed(42)

N_BOOKINGS = 8000
N_USERS = 800
N_FRAUD_USERS = 40
TARGET_FRAUD_BOOKINGS = 720

N_AGENCIES = 200
START_DATE = datetime(2025, 1, 1)

OUT_DIR = os.path.join(os.path.dirname(os.getcwd()), "Data", "Tables")
os.makedirs(OUT_DIR, exist_ok=True)

# --- helpers -----------------------------------------------
def make_uuid():
    return str(uuid.uuid4())

def make_fingerprint(seed_str):
    """Deterministic hardware/cookie hash from a seed string."""
    return hashlib.sha256(seed_str.encode()).hexdigest()[:16]

def random_ip():
    return ".".join(map(str, np.random.randint(1, 255, size=4)))

# Datacenter ASN ranges — the ONLY way we detect VPN/proxy.
# If ASN falls in these ranges → is_vpn_or_proxy = 1, else 0.
DATACENTER_ASN_RANGES = set(range(10000, 15000)) | set(range(30000, 35000))

# --- Email domain pools ------------------------------------
CORPORATE_DOMAIN_POOL = [
    "travelcorp.com", "globeways.in", "flyhigh.ae", "skybound.co",
    "transwings.com", "jetsetgo.in", "voyagepro.sg", "airdesk.uk",
    "tripstation.com", "bookmyflight.in", "travease.ae", "routemaster.co",
    "flydeals.com", "wingspan.sg", "gotravel.in", "aerobiz.uk",
    "traveledge.com", "swiftfly.in", "jetstream.ae", "horizonair.co",
    "quicktrips.com", "flynext.sg", "tourhub.in", "skypaths.uk",
    "travelprime.com", "flybright.ae", "airsync.in", "globalwings.co",
    "travelworks.sg", "flyweb.com", "tripcraft.in", "aerolink.uk",
    "airventure.com", "flyscope.ae", "travelzen.in", "jetforce.co",
    "airnova.sg", "travelmax.com", "skyroute.in", "wingcraft.uk"
]

GENERIC_DOMAINS = [
    "gmail.com", "yahoo.com", "outlook.com", "hotmail.com",
    "protonmail.com", "mail.com", "yandex.com", "aol.com",
    "zoho.com", "icloud.com"
]

THROWAWAY_DOMAINS = [
    "tempmail.xyz", "fakeinbox.org", "trashmail.net", "guerrillamail.com",
    "mailinator.com", "throwaway.email", "discard.email", "sharklasers.com"
]

print("✅ Config loaded")

✅ Config loaded


In [66]:
# ============================================================
# CELL 1 — AGENCY MASTER
# ============================================================
agency_ids = [f"A{str(i).zfill(4)}" for i in range(1, N_AGENCIES + 1)]
agency_domains = [CORPORATE_DOMAIN_POOL[i % len(CORPORATE_DOMAIN_POOL)] for i in range(N_AGENCIES)]

agency_master = pd.DataFrame({
    "agency_id": agency_ids,
    "country": np.random.choice(["IN", "AE", "SG", "UK", "US"], size=N_AGENCIES,
                                p=[0.45, 0.15, 0.10, 0.15, 0.15]),
    "agency_age_days": np.random.randint(30, 3000, size=N_AGENCIES),
    "kyc_status": np.random.choice(["verified", "pending", "failed"], size=N_AGENCIES,
                                   p=[0.85, 0.12, 0.03]),
    "credit_limit": np.random.choice([5000, 10000, 25000, 50000, 100000, 200000, 500000],
                                     size=N_AGENCIES,
                                     p=[0.20, 0.20, 0.20, 0.15, 0.15, 0.07, 0.03]),
    "status": np.random.choice(["active", "suspended"], size=N_AGENCIES, p=[0.97, 0.03]),
    "agency_email_domain": agency_domains
})

agency_to_domain = dict(zip(agency_master["agency_id"], agency_master["agency_email_domain"]))

print(f"✅ agency_master — {len(agency_master)} rows")
print(f"   Sample domains: {agency_master['agency_email_domain'].head(5).tolist()}")
agency_master.head()

✅ agency_master — 200 rows
   Sample domains: ['travelcorp.com', 'globeways.in', 'flyhigh.ae', 'skybound.co', 'transwings.com']


Unnamed: 0,agency_id,country,agency_age_days,kyc_status,credit_limit,status,agency_email_domain
0,A0001,IN,657,verified,5000,active,travelcorp.com
1,A0002,US,616,verified,200000,active,globeways.in
2,A0003,UK,1678,verified,50000,active,flyhigh.ae
3,A0004,AE,1473,verified,10000,active,skybound.co
4,A0005,IN,1475,verified,50000,active,transwings.com


In [67]:
# ============================================================
# CELL 2 — USER MASTER (balanced fraud user types)
# ============================================================
user_ids = [f"U{str(i).zfill(5)}" for i in range(1, N_USERS + 1)]
user_agencies = np.random.choice(agency_ids, size=N_USERS)

fraud_user_ids = np.random.choice(user_ids, size=N_FRAUD_USERS, replace=False)
fraud_user_set = set(fraud_user_ids)

fraud_type_counts = {
    "account_takeover": 7, "ring_operator": 7, "bot_booking": 7,
    "cancellation_abuser": 6, "credit_bustout_user": 7, "new_synthetic_user": 6
}
assert sum(fraud_type_counts.values()) == N_FRAUD_USERS

balanced_fraud_types = []
for k, v in fraud_type_counts.items():
    balanced_fraud_types.extend([k] * v)
random.shuffle(balanced_fraud_types)
fraud_type_map = dict(zip(fraud_user_ids, balanced_fraud_types))

roles = np.random.choice(["agent", "admin", "finance"], size=N_USERS, p=[0.78, 0.12, 0.10])
user_age_days = np.random.randint(30, 2500, size=N_USERS)
avg_logins = np.clip(np.random.normal(6, 3.5, size=N_USERS), 0, 60)
failed_login_ratio = np.clip(np.random.beta(1.5, 40, size=N_USERS), 0, 1)
account_status = np.random.choice(["active", "locked"], size=N_USERS, p=[0.985, 0.015])
email_domain_match = np.zeros(N_USERS, dtype=int)

for i, uid in enumerate(user_ids):
    if uid in fraud_user_set:
        ftype = fraud_type_map[uid]
        if ftype == "account_takeover":
            failed_login_ratio[i] = np.random.uniform(0.18, 0.55)
            avg_logins[i] = np.random.uniform(10, 25)
        elif ftype == "bot_booking":
            failed_login_ratio[i] = np.random.uniform(0.05, 0.20)
            avg_logins[i] = np.random.uniform(25, 60)
        elif ftype == "ring_operator":
            failed_login_ratio[i] = np.random.uniform(0.03, 0.14)
            avg_logins[i] = np.random.uniform(12, 28)
        elif ftype == "cancellation_abuser":
            failed_login_ratio[i] = np.random.uniform(0.01, 0.10)
            avg_logins[i] = np.random.uniform(8, 18)
        elif ftype == "credit_bustout_user":
            failed_login_ratio[i] = np.random.uniform(0.01, 0.08)
            avg_logins[i] = np.random.uniform(10, 22)
        elif ftype == "new_synthetic_user":
            user_age_days[i] = np.random.randint(3, 40)
            failed_login_ratio[i] = np.random.uniform(0.02, 0.18)
            avg_logins[i] = np.random.uniform(12, 40)
        if np.random.rand() < 0.05:
            account_status[i] = "locked"

        if ftype in ["new_synthetic_user", "ring_operator"]:
            email_domain_match[i] = int(np.random.rand() < 0.15)
        elif ftype in ["bot_booking", "account_takeover"]:
            email_domain_match[i] = int(np.random.rand() < 0.35)
        elif ftype == "credit_bustout_user":
            email_domain_match[i] = int(np.random.rand() < 0.50)
        else:
            email_domain_match[i] = int(np.random.rand() < 0.75)
    else:
        email_domain_match[i] = int(np.random.rand() < 0.90)

user_master = pd.DataFrame({
    "user_id": user_ids, "agency_id": user_agencies, "role": roles,
    "user_age_days": user_age_days,
    "avg_logins_per_day": np.round(avg_logins, 2),
    "failed_login_ratio": np.round(failed_login_ratio, 4),
    "account_status": account_status,
    "email_domain_match_flag": email_domain_match,
    "user_fraud_label": [1 if u in fraud_user_set else 0 for u in user_ids],
    "user_fraud_type": [fraud_type_map[u] if u in fraud_user_set else "legit" for u in user_ids],
})

user_to_agency = dict(zip(user_master["user_id"], user_master["agency_id"]))

print(f"✅ user_master — {len(user_master)} rows")
print(f"   Fraud users: {user_master['user_fraud_label'].sum()}")
print(f"   Email domain match (legit): {user_master[user_master['user_fraud_label']==0]['email_domain_match_flag'].mean()*100:.1f}%")
print(f"   Email domain match (fraud): {user_master[user_master['user_fraud_label']==1]['email_domain_match_flag'].mean()*100:.1f}%")
print(user_master[user_master['user_fraud_label']==1]['user_fraud_type'].value_counts())
user_master.head()

✅ user_master — 800 rows
   Fraud users: 40
   Email domain match (legit): 93.2%
   Email domain match (fraud): 45.0%
user_fraud_type
account_takeover       7
bot_booking            7
credit_bustout_user    7
ring_operator          7
new_synthetic_user     6
cancellation_abuser    6
Name: count, dtype: int64


Unnamed: 0,user_id,agency_id,role,user_age_days,avg_logins_per_day,failed_login_ratio,account_status,email_domain_match_flag,user_fraud_label,user_fraud_type
0,U00001,A0100,agent,2033,1.05,0.0412,active,1,0,legit
1,U00002,A0041,agent,722,1.45,0.0058,active,1,0,legit
2,U00003,A0166,agent,1135,8.98,0.011,active,1,0,legit
3,U00004,A0034,agent,2401,11.25,0.05,active,1,0,legit
4,U00005,A0017,agent,2191,5.73,0.0243,active,1,0,legit


In [68]:
# ============================================================
# CELL 3 — BOOKING FACT
# ============================================================
booking_ids = [f"B{str(i).zfill(6)}" for i in range(1, N_BOOKINGS + 1)]
booking_ts = [START_DATE + timedelta(minutes=int(x)) for x in np.random.randint(0, 365 * 24 * 60, size=N_BOOKINGS)]

product_type = np.random.choice(["flight", "hotel", "package"], size=N_BOOKINGS, p=[0.6, 0.3, 0.1])
route_type = np.random.choice(["domestic", "international"], size=N_BOOKINGS, p=[0.65, 0.35])
origin_country = np.random.choice(["IN", "AE", "SG", "UK", "US"], size=N_BOOKINGS,
                                  p=[0.45, 0.15, 0.10, 0.15, 0.15])
dest_country = np.where(route_type == "domestic", origin_country,
                        np.random.choice(["IN", "AE", "SG", "UK", "US", "TH", "FR", "DE"], size=N_BOOKINGS))
lead_time_days = np.where(route_type == "domestic",
                          np.random.randint(1, 20, size=N_BOOKINGS),
                          np.random.randint(2, 90, size=N_BOOKINGS))

def gen_value(rt):
    if rt == "domestic":
        return float(np.clip(np.random.lognormal(mean=5.3, sigma=0.55), 40, 12000))
    return float(np.clip(np.random.lognormal(mean=7.2, sigma=0.65), 200, 25000))

booking_value = np.array([gen_value(rt) for rt in route_type])
passengers_count = np.random.choice([1,2,3,4,5,6,7,8,9,10], size=N_BOOKINGS,
                                    p=[0.35,0.25,0.15,0.08,0.05,0.04,0.03,0.025,0.015,0.01])
payment_method = np.random.choice(["credit_line", "card", "bank"], size=N_BOOKINGS, p=[0.75, 0.18, 0.07])
booking_status = np.random.choice(["confirmed", "pending", "failed"], size=N_BOOKINGS, p=[0.92, 0.06, 0.02])

fraud_booking_indices = np.random.choice(np.arange(N_BOOKINGS), size=TARGET_FRAUD_BOOKINGS, replace=False)
fraud_booking_set = set(fraud_booking_indices)

fraud_users_list = list(fraud_user_ids)
fraud_users_for_bookings = np.random.choice(fraud_users_list, size=32, replace=False)
legit_users_list = [u for u in user_ids if u not in fraud_user_set]

user_id_col = np.empty(N_BOOKINGS, dtype=object)
agency_id_col = np.empty(N_BOOKINGS, dtype=object)

for i in range(N_BOOKINGS):
    if i in fraud_booking_set:
        u = np.random.choice(fraud_users_for_bookings)
    else:
        u = np.random.choice(legit_users_list)
    user_id_col[i] = u
    agency_id_col[i] = user_to_agency[u]

booking_fact = pd.DataFrame({
    "booking_id": booking_ids, "booking_ts": booking_ts,
    "agency_id": agency_id_col, "user_id": user_id_col,
    "product_type": product_type, "route_type": route_type,
    "origin_country": origin_country, "dest_country": dest_country,
    "lead_time_days": lead_time_days.astype(int),
    "booking_value": np.round(booking_value, 2),
    "passengers_count": passengers_count.astype(int),
    "payment_method": payment_method, "booking_status": booking_status
})

print(f"✅ booking_fact — {len(booking_fact)} rows")
print(f"   Fraud bookings: {len(fraud_booking_set)}")
booking_fact.head()

✅ booking_fact — 8000 rows
   Fraud bookings: 720


Unnamed: 0,booking_id,booking_ts,agency_id,user_id,product_type,route_type,origin_country,dest_country,lead_time_days,booking_value,passengers_count,payment_method,booking_status
0,B000001,2025-07-26 02:24:00,A0072,U00567,hotel,domestic,IN,IN,6,205.91,6,credit_line,failed
1,B000002,2025-11-23 10:58:00,A0082,U00607,flight,domestic,US,US,13,79.82,1,card,confirmed
2,B000003,2025-01-29 02:51:00,A0105,U00272,package,domestic,IN,IN,19,332.24,6,credit_line,confirmed
3,B000004,2025-02-13 18:43:00,A0179,U00642,hotel,domestic,US,US,3,469.32,2,credit_line,confirmed
4,B000005,2025-03-31 06:48:00,A0124,U00448,hotel,domestic,IN,IN,16,221.84,3,credit_line,confirmed


In [69]:
# ============================================================
# CELL 4 — SESSION CONTEXT
# One row per booking. Replaces old device_master + ip_master.
#
# Each device_fingerprint is a physical device — same fp always
# maps to same OS + browser.
#
# SESSION PATTERNS:
#   1. Shared infra   — fraud users share FP/IP from fraud pool
#   2. Sticky infra   — user reuses their own pool of FP/IPs
#   3. IP MASKING      — same device (sticky FP) but RANDOM IP
#                        each session (VPN/proxy rotation).
#                        Creates "same device, many IPs" signal.
#
# VPN DETECTION RULE:
#   is_vpn_or_proxy is derived SOLELY from ASN.
#   If ASN ∈ DATACENTER_ASN_RANGES → 1, else → 0.
#   This is our only methodology to detect VPN/proxy usage.
#   Fraud users get higher VPN rates because:
#     - IP masking forces datacenter ASNs
#     - Infra-heavy fraud types have higher datacenter ASN prob.
# ============================================================

N_FINGERPRINTS = 500
N_IPS = 600

all_fingerprints = [make_fingerprint(f"dev_{i}") for i in range(N_FINGERPRINTS)]
all_ips = [random_ip() for _ in range(N_IPS)]

fraud_fp_pool = list(np.random.choice(all_fingerprints, size=20, replace=False))
normal_fp_pool = [f for f in all_fingerprints if f not in set(fraud_fp_pool)]

fraud_ip_pool = list(np.random.choice(all_ips, size=24, replace=False))
normal_ip_pool = [ip for ip in all_ips if ip not in set(fraud_ip_pool)]

# Pre-assign fixed OS + browser per fingerprint
os_choices = ["Windows", "macOS", "Android", "iOS"]
os_probs = [0.45, 0.20, 0.25, 0.10]
browser_choices = ["Chrome", "Safari", "Edge", "Firefox"]
browser_probs = [0.65, 0.12, 0.15, 0.08]

fp_to_os = {fp: np.random.choice(os_choices, p=os_probs) for fp in all_fingerprints}
fp_to_browser = {fp: np.random.choice(browser_choices, p=browser_probs) for fp in all_fingerprints}

# --- Sticky pools per user ---------------------------------
user_sticky_fps = {}
user_sticky_ips = {}

for u in legit_users_list:
    user_sticky_fps[u] = [np.random.choice(normal_fp_pool)]
    k_ips = np.random.choice([1, 2], p=[0.85, 0.15])
    user_sticky_ips[u] = list(np.random.choice(normal_ip_pool, size=k_ips, replace=False))

for u in fraud_users_list:
    utype = user_master.loc[user_master["user_id"] == u, "user_fraud_type"].values[0]
    if utype in ["ring_operator", "bot_booking"]:
        k_fp = np.random.choice([2, 3, 4], p=[0.30, 0.50, 0.20])
        k_ip = np.random.choice([3, 4, 5], p=[0.30, 0.50, 0.20])
    elif utype in ["account_takeover", "new_synthetic_user"]:
        k_fp = np.random.choice([2, 3], p=[0.60, 0.40])
        k_ip = np.random.choice([2, 3, 4], p=[0.40, 0.40, 0.20])
    elif utype == "cancellation_abuser":
        k_fp = np.random.choice([1, 2], p=[0.70, 0.30])
        k_ip = np.random.choice([1, 2], p=[0.70, 0.30])
    elif utype == "credit_bustout_user":
        k_fp = np.random.choice([1, 2], p=[0.60, 0.40])
        k_ip = np.random.choice([2, 3], p=[0.60, 0.40])
    else:
        k_fp, k_ip = 2, 2
    user_sticky_fps[u] = list(np.random.choice(all_fingerprints, size=k_fp, replace=False))
    user_sticky_ips[u] = list(np.random.choice(all_ips, size=k_ip, replace=False))

# --- IP masking probability per fraud type ------------------
IP_MASK_PROB = {
    "account_takeover":    0.35,
    "bot_booking":         0.30,
    "ring_operator":       0.25,
    "new_synthetic_user":  0.30,
    "credit_bustout_user": 0.10,
    "cancellation_abuser": 0.05,
    "legit":               0.00,
}

# --- Datacenter ASN probability per fraud type --------------
# Even without IP masking, infra-heavy fraud types are more
# likely to route through datacenters (shared hosting, etc.).
# Legit users rarely hit datacenter ASNs.
DATACENTER_ASN_PROB = {
    "account_takeover":    0.35,
    "bot_booking":         0.40,
    "ring_operator":       0.30,
    "new_synthetic_user":  0.30,
    "credit_bustout_user": 0.10,
    "cancellation_abuser": 0.05,
    "legit":               0.02,
}

DATACENTER_ASN_LIST = list(DATACENTER_ASN_RANGES)

# --- Generate one session row per booking -------------------
session_rows = []
ip_masked_count = 0

for i in range(N_BOOKINGS):
    u = booking_fact.loc[i, "user_id"]
    utype = user_master.loc[user_master["user_id"] == u, "user_fraud_type"].values[0]

    ip_masking = np.random.rand() < IP_MASK_PROB.get(utype, 0.0)

    if ip_masking:
        fp = np.random.choice(user_sticky_fps[u])
        ip = random_ip()
        ip_masked_count += 1
    elif u in fraud_user_set:
        if utype in ["ring_operator", "bot_booking"]:
            fp = np.random.choice(fraud_fp_pool) if np.random.rand() < 0.65 else np.random.choice(user_sticky_fps[u])
            ip = np.random.choice(fraud_ip_pool) if np.random.rand() < 0.65 else np.random.choice(user_sticky_ips[u])
        elif utype in ["account_takeover", "new_synthetic_user"]:
            fp = np.random.choice(fraud_fp_pool) if np.random.rand() < 0.55 else np.random.choice(user_sticky_fps[u])
            ip = np.random.choice(fraud_ip_pool) if np.random.rand() < 0.55 else np.random.choice(user_sticky_ips[u])
        else:
            fp = np.random.choice(user_sticky_fps[u])
            ip = np.random.choice(user_sticky_ips[u])
    else:
        fp = user_sticky_fps[u][0]
        ip = np.random.choice(user_sticky_ips[u])
        if np.random.rand() < 0.01:
            ip = np.random.choice(fraud_ip_pool)

    # --- ASN assignment ---
    # IP masking → always datacenter ASN
    # Non-masking → datacenter ASN based on fraud-type probability
    if ip_masking:
        asn = int(np.random.choice(DATACENTER_ASN_LIST))
    elif np.random.rand() < DATACENTER_ASN_PROB.get(utype, 0.02):
        asn = int(np.random.choice(DATACENTER_ASN_LIST))
    else:
        # Non-datacenter ASN: pick from ranges that DON'T overlap
        asn = int(np.random.choice(
            list(range(1000, 10000)) + list(range(15000, 30000)) + list(range(35000, 99999))
        ))

    # --- is_vpn_or_proxy: derived SOLELY from ASN ---
    # Datacenter ASN → VPN/proxy detected.  Otherwise → 0.
    vpn_proxy = 1 if asn in DATACENTER_ASN_RANGES else 0


    # --- time_to_book_seconds: how long the session lasted ----
    # Bots/fraud -> 70% very tight around a mean (scripted),
    #              30% wider variance (manual / jittered bots).
    # Legit      -> natural lognormal human browsing time.
    if u in fraud_user_set:
        if np.random.rand() < 0.70:
            ttb = int(np.clip(np.random.normal(45, 5), 15, 90))
        else:
            ttb = int(np.clip(np.random.lognormal(4.2, 0.6), 20, 600))
    else:
        ttb = int(np.clip(np.random.lognormal(5.8, 0.7), 60, 3600))

    session_rows.append({
        "session_id": make_uuid(),
        "booking_id": booking_fact.loc[i, "booking_id"],
        "device_fingerprint": fp,
        "ip_address": ip,
        "asn": asn,
        "is_vpn_or_proxy": vpn_proxy,
        "os": fp_to_os[fp],
        "browser": fp_to_browser[fp],
        "time_to_book_seconds": ttb,
    })

session_context = pd.DataFrame(session_rows)

fp_os_check = session_context.groupby("device_fingerprint")["os"].nunique()
fp_br_check = session_context.groupby("device_fingerprint")["browser"].nunique()
assert (fp_os_check == 1).all(), "FAIL: same fingerprint has different OS values!"
assert (fp_br_check == 1).all(), "FAIL: same fingerprint has different browser values!"

# --- device_switch_flag: did this user use a non-primary device? ---
# Primary device = the fingerprint the user has used most often.
# Legit users always use 1 sticky fingerprint → flag is always 0.
# Fraud users with multi-device pools will have flag = 1 for non-primary sessions.
_sc_user = session_context.merge(
    booking_fact[["booking_id", "user_id"]], on="booking_id"
)
_user_fp_counts = (
    _sc_user.groupby(["user_id", "device_fingerprint"])
    .size().reset_index(name="_cnt")
)
_primary_fp = (
    _user_fp_counts.sort_values("_cnt", ascending=False)
    .drop_duplicates("user_id")
    .rename(columns={"device_fingerprint": "_primary_fp"})[["user_id", "_primary_fp"]]
)
_sc_user = _sc_user.merge(_primary_fp, on="user_id")
session_context["device_switch_flag"] = (
    _sc_user["device_fingerprint"] != _sc_user["_primary_fp"]
).astype(int)
del _sc_user, _user_fp_counts, _primary_fp  # cleanup temp vars



# Verify VPN flag is purely ASN-derived
assert (session_context['is_vpn_or_proxy'] == session_context['asn'].isin(DATACENTER_ASN_RANGES).astype(int)).all(), \
    "FAIL: is_vpn_or_proxy does not match ASN-based derivation!"

print(f"✅ session_context — {len(session_context)} rows")
print(f"   Unique fingerprints: {session_context['device_fingerprint'].nunique()}")
print(f"   Unique IPs: {session_context['ip_address'].nunique()}")
print(f"   Datacenter ASN rate: {session_context['asn'].isin(DATACENTER_ASN_RANGES).mean()*100:.1f}%")
print(f"   VPN/Proxy rate: {session_context['is_vpn_or_proxy'].mean()*100:.1f}% (= datacenter ASN rate)")
print(f"   IP-masked sessions: {ip_masked_count} ({ip_masked_count/N_BOOKINGS*100:.1f}%)")
print(f"   Device-switch sessions: {session_context['device_switch_flag'].sum()} ({session_context['device_switch_flag'].mean()*100:.1f}%)")
print(f"   ✅ Fingerprint → OS/Browser consistency verified")
print(f"   ✅ VPN/Proxy = ASN-derived only: verified")

# --- time_to_book_seconds summary ---
_sc_lbl = session_context.merge(
    pd.DataFrame({'booking_id': booking_ids,
                  'is_fraud': [1 if i in fraud_booking_set else 0 for i in range(N_BOOKINGS)]}),
    on='booking_id')
print(f"   Booking time (legit)  — mean: {_sc_lbl[_sc_lbl['is_fraud']==0]['time_to_book_seconds'].mean():.0f}s, "
      f"std: {_sc_lbl[_sc_lbl['is_fraud']==0]['time_to_book_seconds'].std():.0f}s")
print(f"   Booking time (fraud)  — mean: {_sc_lbl[_sc_lbl['is_fraud']==1]['time_to_book_seconds'].mean():.0f}s, "
      f"std: {_sc_lbl[_sc_lbl['is_fraud']==1]['time_to_book_seconds'].std():.0f}s")
session_context.head()


✅ session_context — 8000 rows
   Unique fingerprints: 417
   Unique IPs: 644
   Datacenter ASN rate: 4.9%
   VPN/Proxy rate: 4.9% (= datacenter ASN rate)
   IP-masked sessions: 146 (1.8%)
   Device-switch sessions: 378 (4.7%)
   ✅ Fingerprint → OS/Browser consistency verified
   ✅ VPN/Proxy = ASN-derived only: verified
   Booking time (legit)  — mean: 427s, std: 342s
   Booking time (fraud)  — mean: 57s, std: 37s


Unnamed: 0,session_id,booking_id,device_fingerprint,ip_address,asn,is_vpn_or_proxy,os,browser,time_to_book_seconds,device_switch_flag
0,8ce55288-b02a-4933-acb9-1be2a10c7350,B000001,d0057c74a7ffee4b,149.171.156.40,99914,0,Android,Chrome,48,1
1,4a717ba7-31e4-4c70-90c9-8200667f05cb,B000002,3ddbdb25ceb330e5,123.162.129.23,44839,0,iOS,Chrome,45,0
2,fb7219de-e329-4e2a-adba-eac408365881,B000003,c802ce308ab84b82,5.38.248.97,59354,0,macOS,Firefox,478,0
3,95766036-1526-4f3d-be9e-f2108eeb1648,B000004,c1820b45e082fc67,97.60.235.80,84719,0,macOS,Chrome,187,0
4,aba26680-becd-446a-add5-e91821398c47,B000005,221af74ceee45242,154.132.66.129,36786,0,Android,Chrome,485,0


In [70]:
# ============================================================
# CELL 5 — PASSENGER DETAILS
# One row per passenger per booking (1:N with booking_fact).
#
# Contains:
#   - suspicious_email_count: per-booking count of passengers
#     whose email domain is a throwaway/suspicious domain.
#
# Distribution:
#   - 70% of fraud bookings have ≥1 suspicious email passenger
#   - 30% of non-fraud bookings have ≥1 suspicious email passenger
#   This gives the ML model signal from both classes.
# ============================================================
THROWAWAY_SET = set(THROWAWAY_DOMAINS)

# Pre-decide which bookings will have throwaway emails
fraud_indices_list = list(fraud_booking_set)
nonfraud_indices_list = [i for i in range(N_BOOKINGS) if i not in fraud_booking_set]

n_fraud_with_throwaway = int(0.70 * len(fraud_indices_list))
n_nonfraud_with_throwaway = int(0.30 * len(nonfraud_indices_list))

fraud_throwaway_set = set(np.random.choice(
    fraud_indices_list, size=n_fraud_with_throwaway, replace=False))
nonfraud_throwaway_set = set(np.random.choice(
    nonfraud_indices_list, size=n_nonfraud_with_throwaway, replace=False))

passenger_rows = []

for i in range(N_BOOKINGS):
    bid = booking_fact.loc[i, "booking_id"]
    uid = booking_fact.loc[i, "user_id"]
    aid = booking_fact.loc[i, "agency_id"]
    n_pax = int(booking_fact.loc[i, "passengers_count"])
    is_fraud_booking = i in fraud_booking_set
    agency_domain = agency_to_domain[aid]
    will_have_throwaway = i in fraud_throwaway_set or i in nonfraud_throwaway_set

    # Track suspicious count for this booking
    pax_domains = []
    for p in range(n_pax):
        r = np.random.rand()

        if is_fraud_booking and will_have_throwaway:
            # Fraud + throwaway selected: high throwaway rate
            if p == 0:
                # Guarantee at least one throwaway for the first passenger
                pax_domain = np.random.choice(THROWAWAY_DOMAINS)
            elif r < 0.15:
                pax_domain = agency_domain
            elif r < 0.50:
                pax_domain = np.random.choice(GENERIC_DOMAINS)
            else:
                pax_domain = np.random.choice(THROWAWAY_DOMAINS)
        elif is_fraud_booking:
            # Fraud but NOT selected for throwaway
            if r < 0.25:
                pax_domain = agency_domain
            else:
                pax_domain = np.random.choice(GENERIC_DOMAINS)
        elif will_have_throwaway:
            # Non-fraud + throwaway selected (30% of legit)
            if p == 0:
                pax_domain = np.random.choice(THROWAWAY_DOMAINS)
            elif r < 0.60:
                pax_domain = agency_domain
            elif r < 0.88:
                pax_domain = np.random.choice(GENERIC_DOMAINS)
            else:
                pax_domain = np.random.choice(THROWAWAY_DOMAINS)
        else:
            # Non-fraud, no throwaway
            if r < 0.75:
                pax_domain = agency_domain
            elif r < 0.97:
                pax_domain = np.random.choice(GENERIC_DOMAINS)
            else:
                pax_domain = np.random.choice(CORPORATE_DOMAIN_POOL)

        pax_domains.append(pax_domain)

    # Count suspicious emails for this booking
    susp_count = sum(1 for d in pax_domains if d in THROWAWAY_SET)

    for p in range(n_pax):
        passenger_rows.append({
            "passenger_id": make_uuid(),
            "booking_id": bid,
            "suspicious_email_count": susp_count,
        })

passenger_details = pd.DataFrame(passenger_rows)

# --- Stats ---
pax_labeled = passenger_details.merge(
    booking_fact[["booking_id"]].assign(
        is_fraud=booking_fact.index.isin(fraud_booking_set).astype(int)),
    on="booking_id"
)

# Per-booking view for distribution stats
booking_susp = passenger_details.drop_duplicates("booking_id")[["booking_id", "suspicious_email_count"]]
booking_susp = booking_susp.merge(
    booking_fact[["booking_id"]].assign(
        is_fraud=booking_fact.index.isin(fraud_booking_set).astype(int)),
    on="booking_id"
)
fraud_pct = (booking_susp[booking_susp["is_fraud"]==1]["suspicious_email_count"] > 0).mean() * 100
legit_pct = (booking_susp[booking_susp["is_fraud"]==0]["suspicious_email_count"] > 0).mean() * 100

print(f"✅ passenger_details — {len(passenger_details)} rows  ({N_BOOKINGS} bookings)")
print(f"   Avg passengers/booking: {len(passenger_details)/N_BOOKINGS:.2f}")
print(f"   Columns: {list(passenger_details.columns)}")
print(f"\n   Suspicious email distribution:")
print(f"   Fraud bookings with ≥1 suspicious email: {fraud_pct:.1f}%")
print(f"   Legit bookings with ≥1 suspicious email: {legit_pct:.1f}%")
print(f"\n   suspicious_email_count value counts:")
print(passenger_details.drop_duplicates('booking_id')['suspicious_email_count'].value_counts().sort_index().to_string())
passenger_details.head()

✅ passenger_details — 22003 rows  (8000 bookings)
   Avg passengers/booking: 2.75
   Columns: ['passenger_id', 'booking_id', 'suspicious_email_count']

   Suspicious email distribution:
   Fraud bookings with ≥1 suspicious email: 69.9%
   Legit bookings with ≥1 suspicious email: 30.0%

   suspicious_email_count value counts:
suspicious_email_count
0    5313
1    2064
2     457
3      91
4      36
5      29
6       5
7       4
8       1


Unnamed: 0,passenger_id,booking_id,suspicious_email_count
0,e8727da9-a63c-4c70-8173-5fed105dcfd6,B000001,5
1,96db706b-766d-43fe-b81a-998eed1a42ff,B000001,5
2,51c0fa03-3dc9-4ea8-a392-bd4a53a05eb8,B000001,5
3,91b1a68e-9ca6-48f0-be71-419ea2d89ce8,B000001,5
4,3f14e0c0-eb5b-4667-ab9a-b7c108e3060b,B000001,5


In [71]:
# ============================================================
# CELL 6 — POST BOOKING EVENTS
# ============================================================
post_events = []

for idx, row in booking_fact.iterrows():
    uid = row["user_id"]
    val = float(row["booking_value"])
    is_fraud_booking = idx in fraud_booking_set
    utype = user_master.loc[user_master["user_id"] == uid, "user_fraud_type"].values[0]

    cancel_p = 0.06
    dispute_p = 0.004

    if is_fraud_booking:
        cancel_p = 0.12
        dispute_p = 0.03

    if utype == "cancellation_abuser":
        cancel_p = 0.70 if not is_fraud_booking else 0.88
        dispute_p = 0.002

    if utype == "credit_bustout_user" and is_fraud_booking:
        cancel_p = 0.07
        dispute_p = 0.18
        booking_fact.loc[idx, "route_type"] = "international"
        booking_fact.loc[idx, "lead_time_days"] = np.random.randint(0, 2)
        booking_fact.loc[idx, "booking_value"] = round(float(np.clip(np.random.normal(18000, 4000), 5000, 25000)), 2)
        booking_fact.loc[idx, "payment_method"] = "credit_line"
        val = float(booking_fact.loc[idx, "booking_value"])

    if utype == "new_synthetic_user" and is_fraud_booking:
        cancel_p = 0.14
        dispute_p = 0.06
        booking_fact.loc[idx, "lead_time_days"] = np.random.randint(0, 4)

    is_cancelled = np.random.rand() < cancel_p
    is_disputed = (not is_cancelled) and (np.random.rand() < dispute_p)

    cancel_delay = int(np.random.randint(0, 3)) if is_cancelled else 0
    dispute_delay = int(np.random.randint(7, 45)) if is_disputed else 0

    chargeback_amount = 0.0
    final_loss_amount = 0.0

    if is_disputed:
        if utype == "credit_bustout_user":
            cb_ratio = np.random.uniform(0.85, 1.00)
            loss_ratio = np.random.uniform(0.65, 0.95)
        elif utype in ["account_takeover", "new_synthetic_user"]:
            cb_ratio = np.random.uniform(0.70, 0.95)
            loss_ratio = np.random.uniform(0.45, 0.85)
        else:
            cb_ratio = np.random.uniform(0.50, 0.90)
            loss_ratio = np.random.uniform(0.25, 0.75)

        chargeback_amount = round(val * cb_ratio, 2)
        final_loss_amount = round(chargeback_amount * loss_ratio, 2)

    post_events.append({
        "event_id": f"E{str(idx+1).zfill(6)}",
        "booking_id": row["booking_id"],
        "is_cancelled": int(is_cancelled),
        "cancel_delay_days": cancel_delay,
        "is_disputed": int(is_disputed),
        "dispute_delay_days": dispute_delay,
        "chargeback_amount": chargeback_amount,
        "final_loss_amount": final_loss_amount
    })

post_booking_events = pd.DataFrame(post_events)

print(f"✅ post_booking_events — {len(post_booking_events)} rows")
print(f"   Cancellations: {post_booking_events['is_cancelled'].sum()}")
print(f"   Disputes: {post_booking_events['is_disputed'].sum()}")
post_booking_events.head()

✅ post_booking_events — 8000 rows
   Cancellations: 596
   Disputes: 62


Unnamed: 0,event_id,booking_id,is_cancelled,cancel_delay_days,is_disputed,dispute_delay_days,chargeback_amount,final_loss_amount
0,E000001,B000001,0,0,0,0,0.0,0.0
1,E000002,B000002,0,0,0,0,0.0,0.0
2,E000003,B000003,0,0,0,0,0.0,0.0
3,E000004,B000004,0,0,0,0,0.0,0.0
4,E000005,B000005,0,0,0,0,0.0,0.0


In [72]:
# ============================================================
# CELL 7 — BOOKING LABEL TABLE
# ============================================================
booking_label_table = pd.DataFrame({
    "booking_id": booking_fact["booking_id"],
    "fraud_label": 0,
    "fraud_reason": "legit"
})
booking_label_table.loc[list(fraud_booking_set), "fraud_label"] = 1

for idx in fraud_booking_set:
    uid = booking_fact.loc[idx, "user_id"]
    utype = user_master.loc[user_master["user_id"] == uid, "user_fraud_type"].values[0]
    cancelled = post_booking_events.loc[idx, "is_cancelled"] == 1

    if utype == "cancellation_abuser" and cancelled:
        booking_label_table.loc[idx, "fraud_reason"] = "user has abnormally high cancellation rate"
    elif utype == "credit_bustout_user":
        booking_label_table.loc[idx, "fraud_reason"] = "credit bustout: high value international + high loss"
    elif utype == "new_synthetic_user":
        booking_label_table.loc[idx, "fraud_reason"] = "new user with risky infra + abnormal velocity"
    elif utype == "account_takeover":
        booking_label_table.loc[idx, "fraud_reason"] = "new device/ip + short lead time"
    elif utype == "ring_operator":
        booking_label_table.loc[idx, "fraud_reason"] = "shared infra across multiple fraud users"
    elif utype == "bot_booking":
        booking_label_table.loc[idx, "fraud_reason"] = "burst/automation pattern in activity"
    else:
        booking_label_table.loc[idx, "fraud_reason"] = "fraud user suspicious booking pattern"

print(f"✅ booking_label_table — {len(booking_label_table)} rows")
print(f"   Fraud bookings: {booking_label_table['fraud_label'].sum()}")
print(booking_label_table[booking_label_table['fraud_label']==1]['fraud_reason'].value_counts())
booking_label_table.head()

✅ booking_label_table — 8000 rows
   Fraud bookings: 720
fraud_reason
shared infra across multiple fraud users                140
new device/ip + short lead time                         140
credit bustout: high value international + high loss    133
burst/automation pattern in activity                    112
new user with risky infra + abnormal velocity           107
user has abnormally high cancellation rate               72
fraud user suspicious booking pattern                    16
Name: count, dtype: int64


Unnamed: 0,booking_id,fraud_label,fraud_reason
0,B000001,1,shared infra across multiple fraud users
1,B000002,1,credit bustout: high value international + hig...
2,B000003,0,legit
3,B000004,0,legit
4,B000005,0,legit


In [73]:
# ============================================================
# CELL 8 — SAVE FILES & RUN SANITY CHECKS
# ============================================================
agency_master.to_csv(os.path.join(OUT_DIR, "agency_master.csv"), index=False)
user_master.to_csv(os.path.join(OUT_DIR, "user_master.csv"), index=False)
booking_fact.to_csv(os.path.join(OUT_DIR, "booking_fact.csv"), index=False)
session_context.to_csv(os.path.join(OUT_DIR, "session_context.csv"), index=False)
passenger_details.to_csv(os.path.join(OUT_DIR, "passenger_details.csv"), index=False)
post_booking_events.to_csv(os.path.join(OUT_DIR, "post_booking_events.csv"), index=False)
booking_label_table.to_csv(os.path.join(OUT_DIR, "booking_label_table.csv"), index=False)



print("\n✅ Dataset generated!")
print("Folder:", OUT_DIR)




✅ Dataset generated!
Folder: /Users/sumitsaurabh/fraud_detection/b2b-travel-fraud-detection/Data/Tables
