In [25]:
%use dataframe, kandy
import kotlinx.datetime.*

val dataset = DataFrame.readCSV("dataset/bank_transactions_data_2.csv", delimiter = ',')

val df = dataset
    .add("DayOfWeek") { row ->
        // NOTE: Day of the week the transaction occured.
        val transactionDate = row["TransactionDate"] as LocalDateTime
        transactionDate.dayOfWeek.name
    }.add("HourOfDay") { row ->
        // NOTE: Hour of day the transaction occured. (in 24h format)
        val transactionDate = row["TransactionDate"] as LocalDateTime
        transactionDate.hour
    }.add("TimeGapSeconds") {row ->
        // NOTE: Time gap between current transaction and previous transaction (output in seconds).
        val usTimeZone = TimeZone.of("America/New_York")
        val transactionDate = (row["TransactionDate"] as LocalDateTime).toInstant(usTimeZone)
        val prevTransactionDate = (row["PreviousTransactionDate"] as LocalDateTime).toInstant(usTimeZone)

        transactionDate.until(prevTransactionDate, DateTimeUnit.SECOND, usTimeZone)
    }

df

TransactionID,AccountID,TransactionAmount,TransactionDate,TransactionType,Location,DeviceID,IP Address,MerchantID,Channel,CustomerAge,CustomerOccupation,TransactionDuration,LoginAttempts,AccountBalance,PreviousTransactionDate,DayOfWeek,HourOfDay,TimeGapSeconds
TX000001,AC00128,14.09,2023-04-11T16:29:14,Debit,San Diego,D000380,162.198.218.92,M015,ATM,70,Doctor,81,1,5112.21,2024-11-04T08:08:08,TUESDAY,16,49480734
TX000002,AC00455,376.24,2023-06-27T16:44:19,Debit,Houston,D000051,13.149.61.4,M052,ATM,68,Doctor,141,1,13758.91,2024-11-04T08:09:35,TUESDAY,16,42827116
TX000003,AC00019,126.29,2023-07-10T18:16:08,Debit,Mesa,D000235,215.97.143.157,M009,Online,19,Student,56,1,1122.35,2024-11-04T08:07:04,MONDAY,18,41698256
TX000004,AC00070,184.5,2023-05-05T16:32:11,Debit,Raleigh,D000187,200.13.225.150,M002,Online,26,Student,25,1,8569.06,2024-11-04T08:09:06,FRIDAY,16,47407015
TX000005,AC00411,13.45,2023-10-16T17:51:24,Credit,Atlanta,D000308,65.164.3.100,M091,Online,26,Student,198,1,7429.4,2024-11-04T08:06:39,MONDAY,17,33232515
TX000006,AC00393,92.15,2023-04-03T17:15:01,Debit,Oklahoma City,D000579,117.67.192.211,M054,ATM,18,Student,172,1,781.68,2024-11-04T08:06:36,MONDAY,17,50169095
TX000007,AC00199,7.08,2023-02-15T16:36:48,Credit,Seattle,D000241,140.212.253.222,M019,ATM,37,Doctor,139,1,13316.71,2024-11-04T08:10:09,WEDNESDAY,16,54228801
TX000008,AC00069,171.42,2023-05-08T17:47:59,Credit,Indianapolis,D000500,92.214.76.157,M020,Branch,67,Retired,291,1,2796.24,2024-11-04T08:10:55,MONDAY,17,47143376
TX000009,AC00135,106.23,2023-03-21T16:59:46,Credit,Detroit,D000690,24.148.92.177,M035,Branch,51,Engineer,86,1,9095.14,2024-11-04T08:11:14,TUESDAY,16,51293488
TX000010,AC00385,815.96,2023-03-31T16:06:57,Debit,Nashville,D000199,32.169.88.41,M007,ATM,55,Doctor,120,1,1021.88,2024-11-04T08:06:32,FRIDAY,16,50432375


In [26]:
val deviceVariationsDF = df.groupBy { it["AccountID"] }
    .aggregate { it["DeviceID"].distinct().size() }

deviceVariationsDF.plot {
    histogram("aggregated") {
        alpha = 0.9
        fillColor = Color.BLUE
        y(Stat.density)
    }
    densityPlot("aggregated") {
        alpha = 0.5
        fillColor = Color.hex(0xFF6666)
    }
    layout.title = "Unique Devices per Account"
    layout.xAxisLabel = "Unique Devices"
    layout.yAxisLabel = "Count"
}

In [27]:
val ipAddressVariationDF = df.groupBy { it["AccountID"] }
    .aggregate { it["IP Address"].distinct().size() }

ipAddressVariationDF.plot {
    histogram("aggregated") {
        alpha = 0.9
        fillColor = Color.BLUE
        y(Stat.density)
    }
    densityPlot("aggregated") {
        alpha = 0.5
        fillColor = Color.hex(0xFF6666)
    }
    layout.title = "Unique IP Addresses per Account"
    layout.xAxisLabel = "Unique IP Addresses"
    layout.yAxisLabel = "Count"
}

Most accounts have ~5 devices and IP Address. With a lot using as much as 7 devices and IP Address.
Rarely anything 8 and above; We can use that as one of the baseline for accounts that potentially has fraud transactions in it.

----

Next, we can look at the number of shared devices per account.

> Note that we are filtering out ATM and in-person transactions, as they are meant to be shared in the first place...



In [28]:
import kotlinx.serialization.decodeFromString
import kotlinx.serialization.json.*

val sharedDevicesDF = df
    .filter {
        it["Channel"] != "ATM" && it["Channel"] != "IN-PERSON"
    }
    .groupBy { it["DeviceID"] }
    .aggregate { it["AccountID"].distinct() }
    .add("AccountCount") { row ->
        // Since aggregated column is a list of account IDs in array format,
        // convert it to a proper list type, then count how many accounts are there in a Device
        val sharedAccounts = row["aggregated"]
        val jsonArray: JsonArray = Json.parseToJsonElement(sharedAccounts.toString()).jsonArray
        val stringList: List<String> = jsonArray.map { it.jsonPrimitive.content }
        stringList.size
    }.filter {
        it["AccountCount"] as Int > 1
    }

plot(sharedDevicesDF) {
    x("AccountCount")
    y("DeviceID")

    bars {
        fillColor("DeviceID") {
        }
        borderLine.width = 0.0
    }

    layout {
        title = "Shared Devices per Account"
        size = 700 to 1000
        style {
            legend.position = LegendPosition.None
        }
        xAxisLabel = "Account Count"
        yAxisLabel = "Device ID"
    }
}

That's a lot of devices that are shared between multiple accounts.
Let's represent it in density

In [29]:
sharedDevicesDF.plot {
    histogram("AccountCount") {
        alpha = 0.9
        fillColor = Color.BLUE
        y(Stat.density)
    }
    densityPlot("AccountCount") {
        alpha = 0.5
        fillColor = Color.hex(0xFF6666)
    }
    layout.title = "Shared Accounts Per Device"
    layout.xAxisLabel = "No of Unique Accounts"
    layout.yAxisLabel = "Count"
}

Here, we can say that mostly 3 or less shared accounts per device is deemed 'normal'.
However, there is still a quite a good number of users that has 4 shared accounts.

Let's deem any device with 5 or more shared accounts as potentially 'fraud' device.

In [34]:
val filteredSharedDevicesDF = sharedDevicesDF
    .filter {
        it["AccountCount"] as Int >= 5
    }

plot(filteredSharedDevicesDF) {
    x("AccountCount")
    y("DeviceID")

    bars {
        fillColor("DeviceID") {
        }
        borderLine.width = 0.0
    }

    layout {
        title = "Shared Devices per Account (more than 4)"
        size = 700 to 450
        style {
            legend.position = LegendPosition.None
        }
        xAxisLabel = "Account Count"
        yAxisLabel = "Device ID"
    }
}

Much cleaner to look at now;<br>
We can say that any accounts that has made a transaction with either of these devices has a higher chance of fraud.

Finally, doing the same to the IP Address...

In [31]:
import kotlinx.serialization.decodeFromString
import kotlinx.serialization.json.*

val sharedIpAddressDF = df
    .filter {
        it["Channel"] != "ATM" && it["Channel"] != "IN-PERSON"
    }
    .groupBy { it["IP Address"] }
    .aggregate { it["AccountID"].distinct() }
    .add("AccountCount") { row ->
        // Since aggregated column is a list of account IDs in array format,
        // convert it to a proper list type, then count how many accounts are there in a Device
        val sharedAccounts = row["aggregated"]
        val jsonArray: JsonArray = Json.parseToJsonElement(sharedAccounts.toString()).jsonArray
        val stringList: List<String> = jsonArray.map { it.jsonPrimitive.content }
        stringList.size
    }.filter {
        it["AccountCount"] as Int > 1
    }

sharedIpAddressDF.plot {
    histogram("AccountCount") {
        alpha = 0.9
        fillColor = Color.BLUE
        y(Stat.density)
    }
    densityPlot("AccountCount") {
        alpha = 0.5
        fillColor = Color.hex(0xFF6666)
    }
    layout.title = "Shared Accounts Per IP Address"
    layout.xAxisLabel = "No of Unique IP Address"
    layout.yAxisLabel = "Count"
}

In [50]:
val filteredSharedIpAddressDF = sharedIpAddressDF
    .filter {
        it["AccountCount"] as Int >= 6
    }
    .rename("IP Address")
    .into("ipaddress")

plot(filteredSharedIpAddressDF) {
    x("AccountCount")
    y("ipaddress")

    bars {
        fillColor("ipaddress") {
        }
        borderLine.width = 0.0
    }

    layout {
        title = "Shared IP Address per Account (more than 5)"
        size = 700 to 450
        style {
            legend.position = LegendPosition.None
        }
        xAxisLabel = "Account Count"
        yAxisLabel = "IP Address"
    }
}

Found out that majority is 2 to 3 IP Address, with a good chunk of users being in 4 to 5 range.<br>
Hence, a good indication of fraud is 6 or more IP Addresses.

Above IP Addresses are likely to be 'fraud' IP Address.