The anomaly detection problem has important applications in the field of fraud detection, network robustness analysis and intrusion detection. This paper is concerned with the problem of detecting anomalies in time series data using Peer Group Analysis (PGA), which is an unsupervised technique. The objective of PGA is to characterize the expected pattern of behavior around the target sequence in terms of the behavior of similar objects and then to detect any differences in evolution between the expected pattern and the target. The experimental results demonstrate that the method is able to flag anomalous records effectively.
With the expanded Internet and the increase of online financial transactions, financial
services companies have become more vulnerable to fraud. Outlier detection is a
fundamental issue in data mining, specifically in fraud detection. Outliers have been
informally defined as observations in a data set which appear to be inconsistent with the
remainder of that set of data [
Stock fraud usually takes place when brokers try to manipulate their customers into trading stocks without regard for the customers' own real interests. Corporate insiders, brokers, underwriters, large shareholders and market makers are likely to be manipulators. 2.2
Several fraud detection methods are available for the fields like credit card, telecommunications, network intrusion detections etc. But stock market fraud detection area is still lagging. Since stock market enhances the economic development of a country greatly, this field has a vital need for efficient security system. Also the amount of money involved in stock market is huge. For example, in Australia, 63 per cent of people's retirement savings is invested in securities. Investment in stock market is high in almost all the countries. If we do not protect against the ability of people to manipulate those securities, then implicitly, we are open to attack, or we are allowing open to attack a country's wealth indeed. It is a very real threat, a threat that very few people really, are acknowledging. Stock fraud may not be very frequent but when it arises the amount of loss is abundant. Outlier detection in stock market transactions will not only prevent the fraud but also alert the stock markets and broking houses to unusual movements in the markets.
First we analyzed how fraudulent cases occur in stock market through the thorough technical reviews and from the practical experiences of stock markets. The following two cases are the most important criteria, which we aim to mine first to detect the stock fraud:
To identify broker accounts whose sell quantity rise up or fall down suddenly. To identify broker accounts whose trade volume rise up or fall down suddenly.
We simulate the PGA tool in various situations and illustrate its use on a set of
stock market transaction data. PGA was initially proposed for credit card fraud
detection by Bolton & Hand in 2001[
Outlier detection in time series database has recently received considerable attention
in the field of data mining. Qu, et al. uses probabilities of events to define the profile
[
The neural network and Bayesian network comparison study [
The following processes are involved in PGA (fig. 1).
Modeling
Fig 1. Overview of PGA
Peer group analysis (PGA) is a term that have been coined to describe the analysis of the time evolution of a given object (the target) relative to other objects that have been identified as initially similar to the target in some sense (the peer group).
Since PGA finds anomalous trends in the data, it is reasonable to characterize such data in balanced form by collating data under fixed time periods. For example, the total quantity sold can be aggregated per week or the number of phone calls can be counted per day.
After the data modeling process, some statistical analyses are required. Mean or variance can be appropriate. In our research we used weekly mean of stock transactions.
Then the most important task of PGA method is to identify peer groups for all the target observations (objects). Member of peer groups are the most similar objects to the target object. In order to make the definition of peer group precise, we must decide how many objects, npeer, it contains from the complete set of objects. The parameter npeer effectively controls the sensitivity of the peer group analysis. Of course, if npeer is chosen to be too small then the behavior of the peer group may be too sensitive to random errors and thus inaccurate. The length of time window for calculating the peer group can be chosen based on the particular data set. We used 5 weeks for our experiments.
Peer groups are summarized at each subsequent time point and the target object is then compared with its peer group’s summary. Those accounts deviate from their peer groups more substantially are flagged as outliers for further investigation. The processes from the peer group identification to the account flagging are repeated as long as the proper result is found.
The approach of PGA is different in that a profile is formed based on the behavior of several similar users where current outlier detection techniques over time include profiling for single user.
A point may not be seen as unusual when compared with the whole set of points but may display unusual properties when compared with its peer group. This is the most significance feature of PGA.
Based on [
Let PG i (t j ) = {some subset of observations (≠x i ), which show behavior similar to that of x i at time t j }. Then PG i (t j ) is the peer groups of object i, at time j.
The parameter npeer describes the number of objects in the peer group and effectively controls the sensitivity of the peer group analysis. The problem of finding a good number of peers is akin to finding the correct number of neighbors in a nearestneighbor analysis.
Let S ij be a statistic summarizing the behavior of the ith observations at time j. Once we have found the peer group for the target observation x i we can calculate peer group statistics, P ij . These will generally be summaries of the values of S ij for the members of the peer group. The principle here is that the peer group initially provides a local model, P i1 , for S i1 , thus characterizing the local behavior of x i at time t 1 , and will subsequently provide models, P ij , for S ij , at time t j , j>1. If our target observation, S ik , deviates ‘significantly’ from its peer group model P ik at time t k , then we conclude that our target is no longer behaving like its peers at time t k . If the departure is large enough, then the target observation will be flagged as worthy of investigation.
To measure the departure of the target observation from its peer group we calculate its standardized distance from the peer group model; the example we use here is a standardized distance from the centroid of the peer group based on a t-statistic. The centroid value of the peer group is given by the equation 1: (1) (2) (3) where PG i (t 1 ) is the peer group calculated at time t 1 . The variance of the peer group can be calculated by the equation 2: where j 1, p i .
The square root of this can be used to standardize the difference between the target S ij and the peer group summary P ij , yielding equation 3:
P ij =
1 S pj ; j 1, p i .
npeer pPGi t1 V ij = 1 2
S pj Pij .
npeer 1 pPGi t1 T ij = Sij Pij
Our data set consists of 3 months real data from 6/01/2005 to 08/31/2005 for the daily stock sell quantity and the number of transactions for each of 143 brokers. The total number of transaction is 340,234. This data has been collected from the Dhaka Stock Exchange (Bangladesh).
Here we set, d = 14 weeks, N = 143. The length of time window, w = 5, but varied npeer to take values npeer = 13 and npeer = 26. A sample of stock market data has shown in table 2:
For comparison purpose, we simulated PGA over stock transactions many times by changing the number of peers. Here we have shown some of the results, which are more interesting. The following plots illustrate the power of PGA to detect local anomalies in the data. The vertical axis shows cumulative stock sold as weeks pass on the horizontal axis. The sale quantity of the target observation is represented by thick black line and the sale quantities of the peer group are represented by black dotted lines. The graph of number of transactions has shown in the same manner.
Fig 2. PGA Over Sell Quantity, Account # 132 npeer =13 Fig 3. PGA Over Sell Quantity, Account # 132 npeer = 26.
Fig 4. PGA Over Sell Quantity, Account # 68 npeer = 13
We have also measured the departure of the target observation from its peer group.
If the departure is large enough then the target observation will be flagged as worthy
of investigation. For this purpose we have calculated its standardized distance from
the peer group model. Table 3 shows the standardized distances from the centroid of
the peer group based on a t-statistic [
Fig 4 shows account 68 is flagged since it has a clear sudden rise in 12th week whereas most peers have very little sales in this week. This could be a possible fraud case since the behavior of this account was quite similar to its peer group for all the weeks except the sudden rise in the 12th week. Fig 5 shows account 68 where npeer is 26. Here we got very interesting findings. The behavior of this account also has not been affected by the increase of npeer but it makes the account more suspicious. According to our proposed method in section 3, we extended the investigation for the suspicious accounts in fig 6. We included another attribute into the outlier mining process. The main idea is to evaluate more information before flagging the fraudulent account, where traditional PGA considers only one attribute to flag an account.
We considered the number of transactions as well as trade volume as another indicator of stock fraud. Fig 6 shows PGA over number of stock transactions for the same account 68. It is obvious from the figure 6 that the number of transactions has suspiciously increased in the 12th week.
So, from fig 4, 5 and 6 we can do a comparative analysis about account 68. The discovered knowledge here is: Account 68 has sudden rise for both the sale quantity and the number of transactions in 12th week. The behavior of this account was similar with its peer group’s sale quantity and number of transactions in other weeks.
Now we can flag the account as an outlier or possible fraud case more confidently, because both the observations have same findings. The process of calculating the peer groups and t-scores can be run every minute in a real-time manner. Thus the outlier mining process becomes more effective than the one-attribute observation process.
Here we have demonstrated the results with the suitable npeer for our data set. In practical application, the flagged accounts will simply be noted as meriting more detailed examination. Using over 340,234 transactions gives an indicator of the performance of PGA on large data sets. 8
In this paper, we tried to mention the necessity of stock market fraud detection since the area has lack of proper researches. We have demonstrated the experimental results of PGA tool in an unsupervised problem over real stock market data sets with continuous values over regular time intervals. The visual evidences have been shown through graphical plots that peer group analysis can be useful in detecting observations that deviate from their peers. We also applied t-statistics to find the deviations effectively.
In future, we aim to investigate for weather PGA can identify labeled fraudulent objects or not from a real fraud data set. To make the stock fraud detection more effective we will mine the following cases of possible outliers: To identify stock IDs and buyer IDs in case of trade volume or trade quantity increases suspiciously. To identify stock IDs with sudden raise or fall in price or having same buyer and seller.
We have intention to integrate some other effective methods with PGA. We will also apply our strategy on other more applications, such as banking fraud detection, network intrusion detection etc.