Fraud Signatures & Attack Patterns

Summary

The fraud_signatures.md document serves as the high-level behavioral specification for the simulation's adversary. It defines both individual fraud profiles and coordinated multi-entity campaigns, providing the theoretical basis for the synthetic anomalies generated by the engine.

Design Intent

I designed these signatures to move beyond "random noise" and toward Structured Adversarial Intelligence. Each profile (e.g., UPI Scam, Account Takeover) is anchored in a specific real-world financial threat observed in the Indian market. By layering Campaign Logic on top of individual profiles, I allow the simulation to model the "clustered" signals that are the hallmark of professional criminal organizations.

A critical design choice was the implementation of Probabilistic Mutation. Instead of every fraudulent transaction being an obvious outlier, I use configuration-driven probabilities to ensure that some fraud looks "legitimate" (e.g., Friendly Fraud). This forces ML models to learn subtle, high-dimensional boundaries rather than simple, hard-coded thresholds.
1. Fraud Profiles (Individual Patterns)

| Profile | Behavioral Signature | Spatial Signature |
|---|---|---|
| UPI Scam | High frequency, small to medium amounts (₹1,500 - ₹20,000). | 90% Geo-Anomaly: Scammer is remote. |
| Account Takeover | High-value transfers, sudden change in device/channel. | 40% Geo-Anomaly: Compromised from distant location. |
| Velocity Abuse | Rapid-fire "testing" transactions (₹1.01, ₹1.23, etc.). | 10% Geo-Anomaly: Low spatial signal. |
| Card Not Present | Online-only channel bias, standard e-commerce amounts. | 30% Geo-Anomaly: Card details used remotely. |
| Friendly Fraud | Legitimate channel/device, standard amounts. | 0% Geo-Anomaly: Customer is physically at home. |

2. Campaign Attack Patterns (Coordinated)

Coordinated Attack

  • Signal: Multiple distinct cards/customers targeted simultaneously by a single entity.
  • Hard Correlation: Every transaction in the campaign shares the exact same IP Address and geographic coordinate (simulating a scammer hub or proxy).
  • Tuning: The coordinated IP is configurable via fraud_tuning.yaml (Default: 103.21.244.12).

Sequential Takeover

  • Signal: A single card experiencing a progressive escalation of fraud.
  • Monotonic Escalation: Each subsequent transaction amount is multiplied by the ato_escalation_rate (Default: 30%).
  • Persistent Location: Once the takeover begins, the geographic coordinate "sticks" to the attacker's location for the remainder of the sequence.
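As an added example (not code from the fraud.rs engine or from this document), the following Rust pass detects the two campaign signals above from the defender's side: a hub IP shared across distinct cards, and a single card whose amounts escalate by at least the ato_escalation_rate from a location that never moves. The Txn struct, its field names, the sample amounts and the 198.51.100.7 address are assumptions constructed for the example; 103.21.244.12 is the page's default coordinated IP.

```rust
use std::collections::{HashMap, HashSet};

/// Minimal constructed transaction record (not the engine's own struct).
pub struct Txn { pub card_id: u32, pub amount: f64, pub ip: &'static str, pub lat: f64, pub lon: f64 }

/// Coordinated-attack signal: one IP touching at least `min_cards` distinct cards.
/// Returns (ip, distinct card count) pairs, sorted for stable comparison.
pub fn shared_ip_clusters(txns: &[Txn], min_cards: usize) -> Vec<(&'static str, usize)> {
    let mut by_ip: HashMap<&'static str, HashSet<u32>> = HashMap::new();
    for t in txns {
        by_ip.entry(t.ip).or_default().insert(t.card_id);
    }
    let mut hits: Vec<_> = by_ip.into_iter()
        .filter(|(_, cards)| cards.len() >= min_cards)
        .map(|(ip, cards)| (ip, cards.len()))
        .collect();
    hits.sort();
    hits
}

/// Sequential-takeover signal over one card's time-ordered transactions: every amount
/// grows by at least `rate` (0.30 = default ato_escalation_rate) and the coordinate stays put.
pub fn is_sequential_takeover(seq: &[Txn], rate: f64) -> bool {
    seq.len() >= 3
        && seq.windows(2).all(|w| {
            let (prev, next) = (&w[0], &w[1]);
            next.amount >= prev.amount * (1.0 + rate) - 1e-9
                && (next.lat - prev.lat).abs() < 1e-6
                && (next.lon - prev.lon).abs() < 1e-6
        })
}

/// Constructed sample: three cards hit from the hub IP plus one unrelated card.
pub fn sample_coordinated() -> Vec<Txn> {
    let hub = "103.21.244.12"; // default coordinated IP from fraud_tuning.yaml
    vec![
        Txn { card_id: 1, amount: 4999.0, ip: hub, lat: 19.07, lon: 72.87 },
        Txn { card_id: 2, amount: 7500.0, ip: hub, lat: 19.07, lon: 72.87 },
        Txn { card_id: 3, amount: 1500.0, ip: hub, lat: 19.07, lon: 72.87 },
        Txn { card_id: 9, amount: 820.0, ip: "198.51.100.7", lat: 28.61, lon: 77.20 },
    ]
}

/// Constructed sample: one card escalating 30% per step from a fixed attacker location.
pub fn sample_takeover() -> Vec<Txn> {
    let (ip, lat, lon) = ("103.21.244.12", 13.08, 80.27);
    [2000.0, 2600.0, 3380.0, 4394.0].iter()
        .map(|&a| Txn { card_id: 7, amount: a, ip, lat, lon })
        .collect()
}
```

A model trained on the engine's output should see exactly these two correlations as the campaign-level features; the travelling-customer caveat in Known Issues means the sticky-location check alone is not a sufficient signal.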

Known Issues

I have currently implemented the "Spatial Signature" for fraud as a simple latitude/longitude jump. While this creates a clear anomaly, it doesn't account for Traveling Legitimate Customers. This leads to a higher-than-normal false positive rate in models that rely too heavily on distance-from-home. I need to implement a "Travel Profile" for legitimate customers to introduce more realistic noise.

Furthermore, my campaign logic is currently limited to "Shared IP" and "Shared Coordinate." I haven't yet implemented Account-to-Account (A2A) graph signals, where stolen funds are moved through a chain of "mule" accounts. This is a significant gap in the simulation's "Money Laundering" fidelity that I need to address in the next version of the fraud.rs engine.