<a href="https://colab.research.google.com/github/bhaydon/online-fraud-risk-detection/blob/main/anomaly_detection.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

###Anomaly Detection in Python###
The most consistent challenge facing fraud detectionanalysts and data scientists out there is detecting abnormal data trends. The realm of fraud analytics does not escape this reality, albeit with somewhat unique challenges. At the risk of stating the obvious, every risk/fraud team should vigilantly monitor the traffic trends of their online service in order to spot and react to anomalies as soon as possible. 

There is a seemingly endless set of resources online for visualizing and monitoring traffic trends. In reality, many companies will eschew third-party products and elect instead to utlize a business intelligence (BI) dashboard or tailoring open source Python scripts to analyze and visualize data.

A more granular form of considering anomalies is not to look for high-level trends, but rather, to spot abnormal behavior coming from specific users.

The following Python code snippets represent a conceptual example of a "login anamoloy detection" algorithm. The first piece of code below calculates the daily number of logins per user to build up a statistical history (variable = "daily_logins_per_user_count")





In [None]:
WITH daily_logins_per_user_count AS
(
  SELECT userID,
    LoginDate,
    count(*) AS count_logins
  FROM user_logins
  GROUP BY 1, 2
)

After producing the login histogram, the following metrics are recorded in order to measure the level of density/velocity in user logins:

• Rate of normal volume days out of total number of active days for this user

• Rate of abnormal volume days out of total number of active days for this user

• Rate of abnormal volume days out of sum of logins, allowing a focus on users who consistently show abnormal figures versus users who spiked for only a short period of time

• Average login rate: simple division of logins out of all active days

In [None]:
SELECT userID,
sum(CASE
    WHEN count_logins = 1 THEN 1
    ELSE 0
  END)/count(*) AS perc_of_1_logins_in_perc,
sum(CASE
    WHEN count_logins >1 THEN 1
    ELSE 0 END)/count(*) AS perc_of_above_1_logins_in_perc,
sum(CASE
    WHEN count_logins >1 THEN count_logins
    ELSE 0
  END)/sum(count_logins) AS perc_of_above_1_logins_sum(count_logins)
sum(count_logins) total_login
  FROM daily_logins_per_user_count
GROUP BY 1;