SPECIAL SECTION ON INTELLIGENT INFORMATION SERVICES

Received January 18, 2020, accepted January 26, 2020, date of publication January 31, 2020, date of current version February 10, 2020.
Digital Object Identifier 10.1109/ACCESS.2020.2970614

A Fraud Detection Method for Low-

Frequency Transaction
ZHAOHUI ZHANG 1,2,3 , LIGONG CHEN 1, QIUWEN LIU 1, AND PENGWEI WANG 1
1 Schoolof Computer Science and Technology, Donghua University, Shanghai 200051, China
2 The Key Laboratory of Embedded System and Service Computing, Ministry of Education, Tongji University, Shanghai 200092, China
3 Shanghai Engineering Research Center of Network Information Services, Shanghai 201620, China

Corresponding author: Zhaohui Zhang (zhzhang@dhu.edu.cn)

This work was supported in part by the Natural Science Foundation of Shanghai under Grant 19ZR1401900, in part by the Shanghai
Science and Technology Innovation Action Plan Project under Grant 19511101802, and in part by the National Natural Science Foundation
of China under Grant 61472004 and Grant 61602109.

ABSTRACT The effectiveness of transaction fraud detection methods directly affects the loss of users in
online transactions. However, for low-frequency users with small transaction volume, the existing methods
cannot accurately describe their transaction behaviors for each user, or lead to a high misjudgment rate.
So we propose a new method for individual behavior construction, which can make the behavior of
low-frequency users more accurate by migrating the current transaction group behavior and transaction
status. Firstly, we consider the user’s only historical transactions, combined with the optimal risk threshold
determination algorithm, to form the user’s own transaction behavior benchmark. Secondly, through the
DBSCAN clustering algorithm, the behavior characteristics of all current normal samples and fraud samples
are extracted to form the common behavior of the current transaction group. Finally, based on historical
transaction records, the current transaction status is extracted using a sliding window mechanism. The
combination of the three constitutes a new transaction behavior of the user. On this basis, a multi-behavior
detection model based on new transaction behavior is proposed. According to the result of each behavior,
Naive Bayes model is used to calculate the probability that current transaction belongs to fraud, and finally
determine whether current transaction is fraud. Experiments prove that the method proposed in this paper
can have a good effect on low-frequency users, which can accurately identify fraud transactions and has a
low misjudgment rate for normal transactions.

INDEX TERMS Transaction detection, low-frequency users, individual behavior, group behavior,
DBSCAN, Naive Bayes.

I. INTRODUCTION indirectly or directly through these methods, thus stealing

With the rapid development of e-commerce, online payment user money. Although fraud is serious, for a large number
has become more and more popular. However, the safety of of normal transactions, the number of fraud transactions
online transactions has become increasingly serious. Accord- accounts for only a small proportion, so the sample of finan-
ing to report by the Beijing Municipal Public Security Bureau cial transactions is unbalanced. If a model is trained directly
Network Security Team and the 360 Company’s Hunting on unbalanced samples, it often fails to achieve good results.
Network Platform, the number of cyber fraud criminals How to effectively prevent the risk of transaction fraud has
exceeded 1.6 million yuan, and online scam market reached become a problem to be solved.
110 billion yuan. According to the relevant departments to In view of above phenomenon, it is very effective to solve
analyze existing fraud cases, the main means of fraud crimes such problems from the perspective of user behavior authen-
are hacking, stolen cards, credit card cashing, phishing web- tication. Because user behavior is unique, the credibility of
sites, Trojan horses, etc. [1]. Criminals steal user information the current behavior of the system can be verified from the
perspective of behavior authentication. And the proportion
The associate editor coordinating the review of this manuscript and of normal transactions and abnormal transactions of a single
approving it for publication was Shouguang Wang . user is better than proportion of all users. At present, major

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see http://creativecommons.org/licenses/by/4.0/
25210 VOLUME 8, 2020
Z. Zhang et al.: Fraud Detection Method for Low-Frequency Transaction

financial institutions mainly adopt the following methods to method, the fifth section introduces data source and exper-
verify identity and behavior of users. The first is based on imental results, and the sixth section summarizes research
account password matching mechanism [2], however exist- results and future prospects.
ing matching mechanisms are only used to verify password,
and can’t identify the malicious user’s network behavior. II. RELATED WORK
The second is to use expert system based on expert rules to Fraud detection is similar to classification problems.
achieve fraud detection by anti-fraud experts [3]. However, Therefore, based on user group behavior, using machine
expert system can’t adapt to new fraud methods, and there learning or deep learning to detect fraud transactions has
will be rule redundancy [19]. The third is to analyze group been widely studied in recent years. Zhang et al. [4] used
trading users and use machine learning and deep learning the features of the convolutional neural network to derive
methods to mine common behaviors of users, such as neu- features. By inputting the original features and adding a fea-
ral networks [4], random forests [7], [8], relationship net- ture arrangement layer to combine the inputs, they achieved
works [13], HMM [14], and so on. However, these methods good results in fraud detection. Zhou et al. [5] proposed a
train models based on transaction data for all users. They can siamese neural network structure based on CNN and LSTM.
only mine the common characteristics of all users, it is diffi- They used the siamese neural network structure to solve
cult to learn the individual behavior of each user [15], [24], the problem of sample imbalance in online transactions, and
and such models cannot effectively identify new types of used the LSTM structure to make model memory user’s
fraud [19]–[21]. The fourth is to extract user behavior pattern transaction information.Wang et al. [6] used neural network-
from the perspective of individual user, and then determine based embedding to capture detailed information about user
whether user’s current behavior is fraud, including user’s click actions, and used recurrent neural networks to model
browsing behavior [15], mouse and keystrokes behavior [16], such click sequences. Xuan et al. [8] used random forests to
transaction behavior [17], [20], [21], etc. However, if user train the characteristics of normal and abnormal behaviors,
does not have enough historical transaction records, it is compared two random forest models with different base clas-
difficult to ensure that the extracted user behavior pattern sifiers, and proved that random forests perform well in credit
is accurate enough [14], [22]–[26]. In addition, in view of fraud detection. Whitrow et al. [9] considered a framework
imbalanced characteristics of financial transaction samples, for transaction aggregation and used various classification
there are currently many studies to alleviate this problem, methods and cost-based indicators to evaluate the effective-
such as the GMM-based undersampling method [27] and the ness of various transaction detection methods, and found
hybrid cross feature extraction method [28]. that random forests outperform other methods. Fu et al. [10]
In summary, the current main problem is that it is difficult proposed the derived characteristics of transaction entropy to
for the existing individual behavior models to accurately learn characterize the user’s transaction behavior, and converted
the behavior characteristics of low-frequency users with low the original one-dimensional transaction data into a two-
transaction volume, which leads to a high misjudgment rate dimensional transaction matrix and input the convolutional
for low-frequency users. Considering that fraudsters often neural network to establish a credit card fraud detection
commit fraud against multiple people, this article proposes model based on deep learning. Dal Pozzolo et al. [11] Con-
that it is easier to find traces of fraudster behavior by sup- sidered a concept drift and sample imbalance in fraud detec-
plementing the transaction behavior and transaction status tion, proposed a new learning strategy, and verified it on
of the current transaction group, the specific contributions real data. Kim et al. [12] Made in-depth comparisons of
are as follows. First, it is proved through experiments that hybrid-to-hybrid integration and deep learning methods, and
the frequency of transactions has a great impact on accu- developed two detection models. The real data proved that the
racy of individual behaviors. Existing models can’t accu- deep learning model has good performance. Meng et al. [13]
rately describe transaction behaviors of low-frequency users. Proposed a detection method based on relational networks
Secondly, a new low-frequency user transaction behavior and boosting trees. First, a transaction relationship network
construction method is proposed. The clustering algorithm is was constructed for users, and secondly, information was
used to extract current group user’s behavior to supplement extracted through the network for transaction identification,
low-frequency user’s behavior, and considering current trans- which can well identify fraudulent transactions.
action status, the behavior of low-frequency user can be fully From another perspective, most of the existing fraud meth-
characterized. Finally, this paper proposes a multi-behavior ods use direct or indirect methods to steal user information
detection model based on user behavior, and uses the Naive and use the identity of normal users to perform fraud. There-
Bayes formula to determine whether the current transaction is fore, there have been some studies in recent years to solve
a fraudulent transaction based on the results of each behavior the problem of transaction fraud from the perspective of indi-
detection. vidual user behavior. Ji et al. [18] proposed a method for e-
The rest of this paper is organized as follows. The sec- commerce user abnormal behavior detection research, based
ond section introduces the related work, the third section on user historical behavior data to establish user’s normal
discusses the construction process of low-frequency user behavior pattern, and finally used the pattern comparison
behavior, the fourth section introduces transaction detection method to determine user’s transactions. K`‘ult´’ur et al. [19]

VOLUME 8, 2020 25211

 Z. Zhang et al.: Fraud Detection Method for Low-Frequency Transaction

proposed a new cardholder behavior model for credit card

fraud detection, which used this model to detect fraud transac-
tions in combination with user historical consumption behav-
ior. Zheng et al. [20] proposed a new credit card fraud
detection system based on behavior certificate. They built
user behavior certificates based on user historical transac-
tions and used them for fraud detection. At the same year,
Zheng et al. [21] proposed a transaction fraud detection FIGURE 1. User behavior benchmark.
method based on total order relationship and behavior diver-
sity. They defined user transaction logic diagrams, attribute
transition probabilities, diversity coefficients, and state tran- third part is through sliding window mechanism, which
sition matrices to build a behavior summary for each user. counts the proportion of fraud transactions in all transactions
Xie et al. [22] proposed a rule-based feature project that took in current time period as the current transaction status. The
into account individual and group behaviors and depicted combination of the three together builds the behavior bench-
individual behaviors as group characteristics, which can more mark of low-frequency users.
effectively distinguish between normal transactions and fraud
transactions. Nami et al. [23] proposed a cost-sensitive pay- A. USER BEHAVIOR EXTRACTION
ment card fraud detection method based on dynamic ran- A transaction r contains m attributes, write as
dom forest and k-nearest neighbors, including two stages: r = {a1 , · · · ,am | a1 ∈ A1 , · · · ,am ∈ Am }. The transaction
cardholder behavior pattern matching and dynamic random attributes in this paper include transaction user number, trans-
forest detection. Jiang et al. [24] proposed a new method action time, transaction amount and transaction IP address,
transaction r = ano , atime , aamount , aip . User u’s transaction

that utilizes aggregation strategies and feedback mechanisms.
First, all cardholders were divided into different groups, and log is a collection of historical transactions up to the
current
date, which is denoted as Lu = r1u , r2u , · · · ,rnu , where

then the behavior patterns of each group were extracted to
train classifiers for each group. Finally, a classifier set was nu = |Lu | , as the number of transaction records of the user.
used to detect fraud online. Extract the normal transaction Tu = {t∈Lu | label = normal}
In the above work, the group behavior method is to train a from user transaction log, where ntu = |Tu |. For user’s normal
classifier based on all user transaction data. They can only transaction Tu , we need to do further processing to get user’s
find the common characteristics of users, and the unique behavior benchmark.
characteristics of each user will be overwhelmed during The specific processing method is introduced in the user
training [15], [24]. And compared with individual behavior behavior extraction part in literature [17]. First, according
models, they are not very effective in identifying new types to the user’s historical normal transaction records, the user’s
of fraud [19]–[21]. However, the individual behavior method transaction amount, transaction time, and transaction IP
also faces the problem of sparseness of low-frequency user address are processed separately, taking into account changes
data. The existing individual behavior research is based on in user transactions over time, and performing feature pro-
the user’s possession of sufficient historical data and have cessing and feature derivation to obtain user transaction
not provided effective solutions for low-frequency users. For behavior. Then calculate the optimal risk threshold of each
example, the data amount of each user in the literature [15], user according to the optimal risk threshold algorithm, and
[18]–[21] is more than 50. The literature [23] considers that finally we can get the behavior benchmark UBBu based
the detection method is invalid for users with sparse data, on user behavior, UBBu = [TBu , Threshold u ]. Where
so users with a transaction volume of less than 50 are deleted Threshold u represents the optimal risk threshold of each
during the individual behavior modeling stage. The litera- user, TBu represents the user’s transaction behavior, TBu =
ture [24] considers that a single user has data sparseness, (TARu , TAC u , TIW u , TTRu , TFAu , TIPu , PTS u ).
so it considers multiple similar users as similar and trains a
TARu represents the user’s transaction amount attribute.
classifier for a class of users.
TAC u represents the user’s transaction change attribute.
III. LOW-FREQUENCY USER BEHAVIOR BENCHMARK TIW u represents the user’s transaction workdays attribute.
This section will introduce a behavioral benchmark construc- TTRu represents the user’s transaction time attribute.
tion method for low-frequency users. The method mainly
TFAu represents the user’s transaction frequency attribute.
consists of three parts, as shown Fig. 1. The first part is
user’s own transaction behavior. According to user’s histor- TIPu represents the user’s transaction IPaddress attribute.
ical normal transaction records, user’s transaction behavior PTS u represents the user’s previous transaction status.
is extracted from the transaction records. The second part is
the existing fraud behavior and normal behavior in current B. EXTRACT CURRENT TRADING GROUP BEHAVIOR
trading group, clustering multiple behavior patterns through The study finds that the accuracy of user behavior descrip-
DBSCAN as the group behavior of current transaction. The tion has a great relationship with the user’s transaction

25212 VOLUME 8, 2020

Z. Zhang et al.: Fraud Detection Method for Low-Frequency Transaction

frequency [17]. However, the low-frequency user transaction

volume is scarce. The user behavior generated by the above
methods are difficult to guarantee high accuracy, so it is also
needed enrich the user’s own behavior through other means.
By analyzing the existing fraud cases, it is found that
fraud is often dominated by gangs, and fraud transactions
initiated by the same gang often have the same behavior
pattern, and fraudsters often commit fraud against multiple FIGURE 2. Sliding window.

people at the same time. So, this paper analyzes the fraud
transactions and normal transactions that have occurred, and
uses algorithms to extract the respective behavior patterns of group GBB = [TBB, FBB], where TBB and FBB are the
normal transactions and fraud transactions to compensate the normal transaction behavior matrix and fraud transaction
transaction behavior of low-frequency users. behavior matrix.
As the distribution of transaction data is uneven, and TARW 1 , TAC W 1, TIW W 1 , TTRW 1, TFAW 1, TIPW 1
 
the data shape is different, the number of transaction cate-
TBB =  ...
 
gories can’t be predicted in advance. Therefore, the DBSCAN

method is used to cluster historical transaction records. TAR , TAC , TIW , TTR , TFA , TIP
WQ WQ WQ WQ WQ WQ

TARB1 , TAC B1 , TIW B1 , TTRB1 , TFAB1 , TIPB1

 
Compared with other clustering algorithms, DBSCAN has
the following advantages[29]. First, it can cluster dense data FBB = 

...


sets of any shape. Second, it can’t predict the number of
TARBP , TAC BP , TIW BP , TTRBP , TFABP , TIPBP
clusters in advance, and it is not limited by the shape of the
sample. Third, the model can find outliers while clustering,
C. CALCULATE CURRENT TRANSACTION STATUS
and is not sensitive to outliers in the data set. Fourth, there is
no bias in the clustering results. Internet transaction fraud is mostly based on phishing web-
sites and Trojan viruses. It has been found that fraudsters
n Record uall transactions o that have occurred as L =
r1ui , . . . ,rk j , · · · ,rnuk , n = |L|, where rkui represents the tend to transfer the property of normal users in a short period
of time, so the time interval of transactions is much shorter
kth transaction generated by user ui . The normal transac-
and occurs continuously. Based on this, by analyzing the
tion T = {t∈L | label = normal} and the fraud transaction
number of fraud transactions in the current time period, it is
F = {t ∈ L | label = fraud} are extracted from transactions
used to indicate a state of the current time period trans-
L, where nT = |T | , nF = |F|, and n = nT + nF . Then take
actions. If there are a large number of fraud transactions,
the normal transaction and the fraud transaction as input, get
the suspiciousness of the current transactions will increase.
the result of each transaction through DBSCAN, and label
Therefore, this paper proposes a sliding window mechanism
them with {B1 , . . . ,BP } and {W1 , . . . ,WQ }. In the current
to count the proportion of fraud transactions in the current
historical transactions, fraud transactions are classified into
time period, and use this to indicate the status of current
P categories, and normal transactions are classified into Q
transactions.
categories. which are represented as follows.
 ui As shown in Fig. 2, the transaction at time t is denoted
 r1 , label = normal, target = W1 as rt , and the transaction sequence occurring before time
... t is denoted as Lt = {r 1 , . . . ,rt }. The sliding window is h,




 uj
rk1 , label = normal, target = WQ

and the sliding window length is nh , and nh = k. The
ui
 rk2 , label = fraud, target = B1 transaction sequence in the sliding window is recorded as
... Lht = {r t−k , . . . ,rt }. And in the sliding window ht at time t,




 uj

rn , label = fraud, target = BP the fraud transaction Fht = {r∈Lht | label = fraud}, nFht =
Based on the above results, we deal with trans- |Fht |. The transaction status in the current time period is
action records L according to label categories, and recorded as St , which represents the proportion of fraud trans-
obtain P + Q transaction sets, which are recorded as actions in the first k transactions in the current time period.
TB1 , . . . ,TBP , TW 1 , . . . ,TWQ , where TB1 , . . . ,TBP belong to The calculation method is shown in (1).
fraud transaction, and TW 1 , . . . ,TWQ belong to normal 
st =nFht nh (1)
transaction.
For each transaction set, we use the behavior extraction We use the sliding window h to aggregate all the trans-
method in literature [17] to determine the transaction behav- action sets L that have occurred, and find the proportion
ior of each type of transaction. As the transaction status of fraud transactions in each window, will get n − nh ratio
attributes of each type of transaction belong to the same sequence s = [s1 , . . . ,sn−nh ]. The mean value of the sequence
category, we do not need to consider the user’s previous Threshold S is taken as a critical value of the historical trans-
transaction state when extracting the transaction behavior. action state. If the transaction state si is higher than the critical
Therefore, we will get the behavior of the current trading value, si = 1, otherwise si = 0.

VOLUME 8, 2020 25213

 Z. Zhang et al.: Fraud Detection Method for Low-Frequency Transaction

where xi is the value of each dimension of the user’s current

transaction r u mapped to the point in the current multidi-
mensional space, tbi is the value of each dimension of the
user’s own transaction behavior. The above formula divides
the space into two parts, if f1 (x) > 0, record as a fraud
transaction, otherwise record as a normal transaction, thus
obtaining the user’s current transaction result URt .
(
0, f1 (x) ≤ 0
URt = (3)
1, f1 (x) > 0

B. CURRENT GROUP BEHAVIOR DETECTION

Current trading group behavior GBB = [TBB, FBB], where
TBB is a matrix of Q × 6, representing the normal trans-
action behavior of Q class, and FBB is a matrix of P × 6,
representing the fraud transaction behavior of P class. For
the transaction r u currently entering the system, convert it
FIGURE 3. Detection method flow chart.
to a matrix r T = [x1, x2, x3, x4, x5, x6]. Then, use (4) to
calculate the deviation distance of this transaction from each
D. LOW-FREQUENCY USER TRANSACTION BEHAVIOR
group behavior benchmark (TBB and FBB), and the following
Through the above work, the user’s own behavior UBBu , two distance sets DTBB and DFBB will be obtained, where
current trading group behavior GBB and current transaction DTBB = [d1 , . . . ,dq ], DFBB = [d1 , . . . ,dP ]. The (5) will be
status St are obtained. So the supplementary low-frequency used to determine which behavior the current transaction is
user behavior is represented by a triple, which is recorded as biased in. If the transaction is more biased towards the fraud
New_UBBu = (UBBu , GBB, St ), and described as follows. transaction behavior, the transaction is more suspicious.
UBBu = [TBu , Threshold u ] is the user’s own transaction
behavior extracted through the user’s historical normal trans-
v
− u n
→ −−−−−−−→ uX
action records. d r ,tbbj1 (fbbj2 ) =t
T
(xi −yi )2 (4)
GBB = [TBB, FBB] is a group of normal behavior patterns i=1
TBB and fraud behavior patterns FBB obtained by analyzing
the current trading group. Formula (4) represents the calculation of deviation distance
St indicates the status of the transactions in the current time between current transaction r u and each of the behavioral
period. benchmarks in TBB or FBB, where rET represents the matrix
vector after current transaction is converted into a matrix,
−−−−−−−→
IV. USER BEHAVIOR BASED DETECTION METHOD tbbj1 (fbbj2 ) represents the behavior vector of each behavior
In the above work, the user behavior New_UBBu is divided in TBB or FBB, where 1 ≤ j1 ≤ Q, 1 ≤ j2 ≤ P.
into three parts, UBBu , GBB and St . Based on the hyper-
P Q
sphere model of the literature [17], we propose a new detec- 1X 1X
tion method. When the user’s transaction r u enters the current f2 (x) = di − dj (5)
P Q
system, the system will give the judgment result to the cur- i=1 j=1

rent transaction through the following method, the specific

Formula (5) represents the current transaction tendency
process is shown in Fig. 3.
degree. The first part is the mean deviation of current trans-
action r u from fraud behavior. The second part is the mean
A. SELF-BEHAVIOR DETECTION
deviation of current transaction r u from normal behavior,
The user’s own behavior benchmark UBBu = [TBu , the difference between the two is f2 (x). If f2 (x) is too small,
Threshold u ] consists of two parts, they are user’s own trans- the distance between current transaction r u and fraud sample
action behavior TBu and the user’s optimal risk threshold is less than distance from normal sample, and the suspi-
Threshold u . According to the hyper-sphere model proposed cious degree is increased; otherwise, the suspicious degree
in literature [17], TBu is regarded as a point in the space, and is reduced. Therefore, the current r u transaction result GRt
Threshold u is regarded as the radius in space. The transaction of user can be obtained, as shown in (6), where Threshold G
detection is transformed into a mapping problem of points in is the optimal threshold calculated by optimal risk threshold
multidimensional space, and the (2) is used to judge whether algorithm.
the current transaction is normal.
n
(
X
2 1, f1 (x) ≤ Threshold G
f1 (x) = (xi −tbi )2 − Threshold u (2) GRt = (6)
0, f1 (x) >Threshold G
i=1

25214 VOLUME 8, 2020

Z. Zhang et al.: Fraud Detection Method for Low-Frequency Transaction

C. TRANSACTION DETECTION
After the user’s own behavior detection and the current group
behavior detection, the judgment results URt and GRt of the
transaction will be obtained, combined with current transac-
tion status St , using Naive Bayes model judges the current
transaction results.
FIGURE 4. Data set.

P (Y = k) , k = 0, 1 (7)
TABLE 1. Data set D1.

In the historical transaction record L, URi , GRi and Si are

obtained for each transaction, and the category k to which the
transaction currently belongs. Based on this, the probability
of historical fraud transactions and normal transactions can
be calculated.

P (X = x | Y = k) V. EXPERIMENTAL RESULTS
(1) (1) (n) (n) This section describes the detection effects of the proposed
=P(X =x , . . . ,X =x |Y = k) (8)
model. First introduce the source of the experimental data,
then introduce the low-frequency user division and clustering
Calculate the conditional probability distribution accord-
results, and finally introduce the comparison of this paper
ing to the historical transaction record, where X is the random
with other models.
vector in the input space. In this paper, X = (UR, GR, S).
Because the user’s own detection result, the current trading
A. DATA SET
group detection result and the current transaction status do
not affect each other, and the conditions of the independent The data set comes from a domestic bank data, which
hypothesis are met. The conditional probability formula is as covers 3 months transactions and contains 92133 users,
shown in (9). 3502048 transaction records, each transaction record is
marked by the bank for the label. In Fig. 4, all transactions are
P (X = x | Y = k) referred to as data set A, and all fraud transactions are in data
  set F, which contains 65138 transaction data for 14751 users.
=P X (1) =x (1) , . . . ,X (n) =x (n) | Y = k The data set shows that the main types of fraud include
Yn  
phishing sites, Trojan viruses, etc. Transactions involving
= P X (j) =x (j) | Y = k (9)
j=1 14751 users are in data set B, all transactions for fraud-free
transaction users are in data set C. We randomly extract
For the current transaction r u , according to the user’s own transaction data of any number of users from dataset B as
behavior and the current group behavior, the judgment results experimental data. The test set and the training set are divided
of this transaction are URt and GRt , and the transaction according to time, the data of April and May are used as the
status St , x = (URt , GRt , St ) is the current input. Then, training set, and the data of June is used as the test set.
using (10) and (11), the transaction ru is calculated to belong
to the fraud probability P (Y = 1 | X = x) and the normal B. DIVISION OF LOW-FREQUENCY USERS
probability P (Y = 0 | X = x).
In order to solve the problem of high misjudgment rate of
low-frequency users, it is first necessary to determine what
P (Y = 1 | X = x)
is a low-frequency user. Literature [17] proposed that the
P (X = x | Y = 1) P(Y = 1)
= P1 model detection effect is related to the frequency of user
k=0 P (X = x | Y = k) P(Y = k) transactions, and the results shown in the Fig. 5 also confirm
P (X = x | Y = 1) P(Y = 1) this. Therefore, this paper uses its proposed model, and uses
= P1 (10)
(j) (j)
Qn

the model detection precision as an evaluation index to divide
k=0 P(Y = k) j=1 P X =x | Y = k
P (Y = 0 | X = x) high-frequency users and low-frequency users.
P (X = x | Y = 0) P(Y = 0) In this paper, three sets of data D1, D2 and D3 are randomly
= P1 selected in data set B, each set of data contains three months
k=0 P (X = x | Y = k) P(Y = k) of transaction data of 150 users. Among them, each set of
P (X = x | Y = 0) P(Y = 0) data set Di contains ten sets of data, denoted as Dij , 0 ≤j ≤ 9,
= P1 (11)
(j) (j)
Qn

k=0 P(Y = k) j=1 P X =x | Y = k
the transaction frequency is between j × 10 ∼ (j + 1) × 10,
the details are shown in table 1 to 3. The precision of each
If P (Y = 1 | X = x) > P (Y = 0 | X = x), the transaction group of users is calculated by the hyper-sphere model to
r u belongs to a fraud transaction, otherwise it belongs to determine the range of low-frequency user transaction vol-
normal transaction. ume. The experimental results are shown in Fig. 5. When the

VOLUME 8, 2020 25215

 Z. Zhang et al.: Fraud Detection Method for Low-Frequency Transaction

TABLE 2. Data set D2.

TABLE 3. Data set D3.

FIGURE 6. Samples distribution.

FIGURE 5. Relationship between precision and transaction frequency.

user transaction volume is more than 30, the model detec-

tion precision is relatively stable, and both are higher than
80%; when the user transaction frequency is less than 30,
the precision of the model detection will fluctuate greatly.
And the precision rate is less than 80%, so this paper con-
siders users with less than 30 transactions as low-frequency
users. The next experiment in this paper will focus on these
users.

C. CLUSTERING RESULTS
Fig. 6 shows the distribution of historical transactions, with
the distribution of fraud samples is (a) and the normal sample
is (b). As can be seen from the figures, the data is not cluster-
like and has different shapes. The traditional K-means clus-
tering algorithm is not suitable for such data sets. Therefore,
when extracting the behavior of the current trading group,
FIGURE 7. Clustering effect comparison.
this paper uses the density clustering algorithm DBSCAN to
cluster the transactions. The following figures are compar-
ison of the clustering effects of the two methods on fraud where n denotes the number of clusters, k denotes the current
transactions. class, trB(k) denotes the trace of the inter-class dispersion
It can be seen from the Fig. 7. DBSCAN can clearly matrix, and trW (k) denotes the trace of the intra-class dis-
cluster the samples into different classes, but K-means can’t, persion matrix. If the larger the CH, the closer the class itself
so DBSCAN has better clustering effect. But the DBSCAN is, the more dispersed the classes are, the clustering result is
clustering effect is affected by two parameters, radius and better. As shown in Fig. 8, when the density is 3, the value of
density. In this paper, the CH index is used to judge the the radius is continuously adjusted. When the value of the CH
clustering effect of the algorithm, and its calculation method index reaches the maximum, the clustering effect is the best.
is shown in (12). At this time, the number of fraud sample clusters is 4 and the
number of normal sample clusters is 16. Therefore, the fraud
trB(k)/(k − 1) samples in this paper are divided into 4 categories, and the
CH (k) = (12)
trW (k)/(n − k) normal samples are divided into 16 categories.

25216 VOLUME 8, 2020

Z. Zhang et al.: Fraud Detection Method for Low-Frequency Transaction

TABLE 5. Indicator calculation method.

transactions. The F1 is the harmonic average of the precision

and recall. The disturbance is the proportion of the model
that miscalculated the real normal transactions as abnormal
transactions to the total normal transactions.
As can be seen from Fig. 9 to Fig. 12, compared with the
individual behavior models (UR, UBC) and group behavior
models (GB, XB), the model NM performs better among the
three groups of low-frequency users. The average precision is
improved by about 5%, 35%, 4%, and 14%, and the average
disturbance is reduced by about 8%, 15%, 3%, and 17%.
FIGURE 8. CH index. In the recall, the model NM still performs better than other
models. Although occasionally the model XB and UR recall
TABLE 4. Confusion matrix. rates are higher than NM, but the precision of the model XB
and UR at this time is lower and the disturbance is higher,
indicating that the model XB and UR have higher recall rates
in the case of misjudgment of a large number of normal
transactions. The F1 value is the harmonic average of the
recall and precision, and represents the overall performance
of the model. At the F1 value, the model NM is higher
D. COMPARISON OF RESULTS than the models UR, UBC, GR, and XB, and the average
In this section, we compare our model (NM) with the follow- increase is 5%, 35%, 15% and 10%. It has been proved
ing models, which are the hyper-sphere model (UR) proposed through experiments that the model NM performs better than
in [17], and the detection model based on user user behavior other models (UR, UBC, GR, XB) in the detection of low-
certificate (UBC) proposed in [20], DBSCAN-based group frequency user transactions. It accurately detects fraudulent
behavior model (GR) and XgBoost (XB) model. Among transactions and reduces the misjudgment of normal trans-
them, UR and GR are the individual behaviors and group actions. If only the individual behavior model UR and UBC
behaviors extracted when constructing low-frequency user are compared, the model UR performs better regardless of
behaviors. the disturbance rate or F1 value. If only the group behavior
As shown in table 4, because it is detecting fraudulent model GR and XB are compared, although the F1 values
transactions, so the confusion matrix is slightly modified. perform similarly, the model GR is better than XB on the
TP is the number of fraud transactions that are judged as fraud disturbance rate, indicating that the individual behavior and
transactions by the model. FP is the number of normal trans- group behavior proposed in this paper perform well on low-
actions that are judged as fraud transactions by the model. frequency users.
TN is the number of normal transactions that are judged as After analysis, the main reasons are as follows. The group
normal transactions by the model. FN is the number of fraud behavior model cannot accurately describe the transaction
transactions that are judged as normal transactions by the behavior of each user, resulting in a decrease in model effect.
model. However, the model GR effect is better than XB, because
In order to make the comparison results more convincing, GR is a clustering process for transactions that have already
we use several indicators commonly used in fraud detec- occurred, and the behavior of similar classes is extracted,
tion as the evaluation indicators, including precision, recall, and the effect is better than the model XB. The individ-
and F1. In order to consider the model’s misjudgment of nor- ual behavior model UR and UBC only consider the low-
mal transactions, the disturbance also needs to be considered. frequency users themselves, because the low-frequency user
The calculation method is shown in Table 5. The precision data is scarce, the behavioral characterization is not accu-
is the ratio of the number of fraudulent transactions judged rate enough. However, the model NM not only considers
by the model to the total fraudulent transactions detected by the users themselves, but also considers the behavior of the
the model. The recall is the ratio of the number of fraudu- current trading group, and can supplement the low-frequency
lent transactions judged by the model to the total fraudulent user’s own behavior to a certain extent. At the same time,

VOLUME 8, 2020 25217

 Z. Zhang et al.: Fraud Detection Method for Low-Frequency Transaction

FIGURE 9. Plot of precision comparison results.

FIGURE 10. Plot of disturbance comparison results.

FIGURE 11. Plot of recall comparison results.

FIGURE 12. Plot of F1 comparison results.

the model NM proposes a sliding window mechanism to cal- proposes a comprehensive decision-making method based
culate the current transaction status. Moreover, the model NM on the detection results of various behaviors, which is more

25218 VOLUME 8, 2020

Z. Zhang et al.: Fraud Detection Method for Low-Frequency Transaction

fully considered than other models. Therefore, the overall [13] Y. Meng, Z. Zhang, W. Liu, L. Chen, Q. Liu, L. Yang, and P. Wang,
performance of the model NM is better than the model UR, ‘‘A novel method based on entity relationship for online transaction fraud
detection,’’ in Proc. Turing Celebration Conf. China, 2019, p. 121.
UBC, XR and XB. [14] X. Wang, H. Wu, and Z. Yi, ‘‘Research on bank anti-fraud model based on
K -means and Hidden Markov model,’’ in Proc. IEEE 3rd Int. Conf. Image,
VI. CONCLUSION Vis. Comput. (ICIVC), Jun. 2018, pp. 780–784.
[15] P. Zhao, C. Yan, and C. Jiang, ‘‘Authenticating Web user’s identity through
In this paper, a new method for low-frequency user transac- browsing sequences modeling,’’ in Proc. IEEE 16th Int. Conf. Data Mining
tion detection is proposed for the problem that low-frequency Workshops (ICDMW), Dec. 2016, pp. 335–342.
users cannot accurately describe transaction behavior. Com- [16] H. Zhang, C. Yan, P. Zhao, and M. Wang, ‘‘Model construction and authen-
tication algorithm of virtual keystroke dynamics for smart phone users,’’
pared with other methods, the proposed method not only con- in Proc. IEEE Int. Conf. Syst., Man, (SMC), Oct. 2016, pp. 171–175.
siders the low-frequency users’ own transaction behavior, but [17] L. Chen, Z. Zhang, Q. Liu, L. Yang, Y. Meng, and P. Wang, ‘‘A method for
also considers the current trading group behavior and current online transaction fraud detection based on individual behavior,’’ in Proc.
Turing Celebration Conf., 2019. p. 119.
transaction status, and constitutes a new low-frequency user [18] B. Ji, L. Hu, W. Han, and J. Yan, ‘‘Research on e-commerce-oriented user
behavior. Based on this, a method based on user behavior and abnormal behaviour detection,’’ Netinfo Secur., no. 9, p. 19, Jun. 2014.
Naive Bayes detection is proposed to judge the user’s current [19] Y. Kültür and M. U. Çaǧlayan, ‘‘A novel cardholder behavior model for
detecting credit card fraud,’’ Intell. Autom. Soft Comput., vol. 2, pp. 1–11,
transaction. And in the experiment, the division problem of Jul. 2017.
high-frequency users and low-frequency users is considered. [20] L. Zheng, G. Liu, W. Luan, Z. Li, Y. Zhang, C. Yan, and C. Jiang, ‘‘A new
Experiments prove that the precision and F1 of the proposed credit card fraud detecting method based on behavior certificate,’’ in Proc.
IEEE 15th Int. Conf. Netw., Sens. Control (ICNSC), Mar. 2018, pp. 1–6.
method is higher than other models, although the recall is not [21] L. Zheng, G. Liu, C. Yan, and C. Jiang, ‘‘Transaction fraud detection based
the highest on a few data sets, the disturbance rate has always on total order relation and behavior diversity,’’ IEEE Trans. Comput. Soc.
been lower than other models. It shows that in the detection Syst., vol. 5, no. 3, pp. 796–806, Sep. 2018.
[22] Y. Xie, G. Liu, R. Cao, Z. Li, C. Yan, and C. Jiang, ‘‘A feature extraction
of low-frequency user transactions, the model proposed in method for credit card fraud detection,’’ in Proc. 2nd Int. Conf. Intell. Auto.
this paper can more accurately identify fraud transactions and Syst. (ICoIAS), Singapore, Feb. 2019, pp. 70–75.
has lower misjudgment of normal transactions. In the future [23] S. Nami and M. Shajari, ‘‘Cost-sensitive payment card fraud detection
based on dynamic random forest and k -nearest neighbors,’’ Expert Syst.
we will pay more attention to the problem of online model Appl., vol. 110, pp. 381–392, Nov. 2018.
updating and make the method more effective. [24] C. Jiang, J. Song, G. Liu, L. Zheng, and W. Luan, ‘‘Credit card fraud
detection: A novel approach using aggregation strategy and feedback
mechanism,’’ IEEE Internet Things J., vol. 5, no. 5, pp. 3637–3647,
REFERENCES Oct. 2018.
[1] (2018). Research Report on the Trend of Network Fraud in 2017. [Online]. [25] C. Wand, J. Luo, B. Yang, and C. Jiang, ‘‘On complementary effect of
Available: https://www.sohu.com/a/222391501_100017648 blended behavioral analysis for identity theft detection in mobile social
[2] R. Soram and E. S. Meitei, ‘‘On the performance of RSA in virtual networks,’’ Commun. Comput. Inf. Sci., vol. 747, pp. 32–44, Dec. 2018.
banking,’’ in Proc. Int. Symp. Adv. Comput. Commun. (ISACC), Sep. 2015, [26] N. Soltani, M. K. Akbari, and M. Sargolzaei Javan, ‘‘A new user-based
pp. 352–359. model for credit card fraud detection based on artificial immune system,’’
[3] A. Jarovsky, T. Milo, S. Novgorodov, and W.-C. Tan, ‘‘Rule sharing for in Proc. 16th CSI Int. Symp. Artif. Intell. Signal Process. (AISP), May 2012,
fraud detection via adaptation,’’ in Proc. IEEE 34th Int. Conf. Data Eng. pp. 029–033.
(ICDE), Apr. 2018, pp. 125–136. [27] F. Zhang, G. Liu, Z. Li, C. Yan, and C. Jiang, ‘‘GMM-based undersampling
[4] Z. Zhang, X. Zhou, X. Zhang, L. Wang, and P. Wang, ‘‘A model based and its application for credit card fraud detection,’’ in Proc. Int. Joint Conf.
on convolutional neural network for online transaction fraud detection,’’ Neural Netw. (IJCNN), Jul. 2019, pp. 1–8.
Secur. Commun. Netw., vol. 2018, pp. 1–9, Aug. 2018. [28] H. Wu and G. Liu, ‘‘A hybrid model on learning cross features for trans-
[5] X. Zhou, Z. Zhang, L. Wang, and P. Wang, ‘‘A model based on siamese action fraud detection,’’ in Proc. 19th Ind. Conf. Data Mining (ICDM),
neural network for Online transaction fraud detection,’’ in Proc. Int. Joint New York, NY, USA, Jul. 2019, pp. 1–5.
Conf. Neural Netw. (IJCNN), Jul. 2019, pp. 1–7. [29] I. K. Savvas, A. V. Chernov, M. A. Butakova, and C. Chaikalis, ‘‘Increasing
[6] S. Wang, C. Liu, X. Gao, H. Qu, and W. Xu, ‘‘Session-based fraud detection the quality and performance of N -dimensional point anomaly detection
in online e-commerce transactions using recurrent neural networks,’’ in in traffic using PCA and DBSCAN,’’ in Proc. 26th Telecommun. Forum
Proc. Joint Eur. Conf. Mach. Learn. Knowl. Discovery Databases. Cham, (TELFOR), Nov. 2018, pp. 1–4.
Switzerland: Springer, 2017, pp. 241–252.
[7] C. Liu, Y. Chan, S. H. Alam Kazmi, and H. Fu, ‘‘Financial fraud detection
model: Based on random forest,’’ Int. J. Econ. Finance, vol. 7, no. 7,
pp. 178–188, Jul. 2015.
[8] S. Xuan, G. Liu, Z. Li, L. Zheng, S. Wang, and C. Jiang, ‘‘Random forest
for credit card fraud detection,’’ in Proc. IEEE 15th Int. Conf. Netw., Sens.
Control (ICNSC), Zhuhai, China, Mar. 2018, pp. 1–6.
[9] C. Whitrow, D. J. Hand, P. Juszczak, D. Weston, and N. M. Adams, ZHAOHUI ZHANG received the B.S. degree in
‘‘Transaction aggregation as a strategy for credit card fraud detection,’’ computer science from Anhui Normal Univer-
Data Mining Knowl. Discovery, vol. 18, no. 1, pp. 30–55, Feb. 2009. sity, Wuhu, China, in 1994, the master’s degree
[10] K. Fu, D. Cheng, Y. Tu, and L. Zhang, ‘‘Credit card fraud detection using
from the University of Science and Technology
convolutional neural network,’’ in Proc. Int. Conf. Neural Inf. Process.
of China, from 1999 to 2000, and the Ph.D.
Cham, Switzerland: Springer, 2016, pp. 483–490.
degree in computer science from Tongji Uni-
[11] A. Dal Pozzolo, G. Boracchi, O. Caelen, C. Alippi, and G. Bontempi,
‘‘Credit card fraud detection: A realistic modeling and a novel learn- versity, Shanghai, China, in 2007. He became a
ing strategy,’’ IEEE Trans. Neural Netw. Learn. Syst., vol. 29, no. 8, Teacher with Anhui Normal University. He was a
pp. 3784–3797, Aug. 2018. Professor with Anhui Normal University, in 2015.
[12] E. Kim, J. Lee, H. Shin, H. Yang, S. Cho, S.-K. Nam, Y. Song, J.-A. Yoon, He is currently a Professor with the School of
and J.-I. Kim, ‘‘Champion-challenger analysis for credit card fraud detec- Computer Science and Technology, Donghua University, Shanghai. His
tion: Hybrid ensemble and deep learning,’’ Expert Syst. Appl., vol. 128, research interests include network information services, service computing,
pp. 214–224, Aug. 2019. and cloud computing.

VOLUME 8, 2020 25219

 Z. Zhang et al.: Fraud Detection Method for Low-Frequency Transaction

LIGONG CHEN was born in 1995. He received PENGWEI WANG received the B.S. and M.S.
the B.S. degree in Internet of Things engineering degrees in computer science from the Shandong
from Anhui Normal University. He is currently University of Science and Technology, Qingdao,
pursuing the M.S. degree with Donghua Univer- China, in 2005 and 2008, respectively, and the
sity. His research areas include artificial intel- Ph.D. degree in computer science from Tongji
ligence, big data, and financial transaction risk University, Shanghai, China, in 2013. He finished
prevention and control. his postdoctoral research work at the Department
of Computer Science, University of Pisa, Italy,
in 2015. He is currently an Associate Professor
with the School of Computer Science and Tech-
nology, Donghua University, Shanghai. His research interests include cloud
computing, service computing, and big data.

QIUWEN LIU was born in 1995. He received

the B.S. degree in software engineering from
Heilongjiang University. He is currently pursu-
ing the M.S. degree with Donghua University.
His research areas include big data management,
distributed data stream processing, and resource
scheduling.

25220 VOLUME 8, 2020