Financial Fraud detection using Machine Learning

Real-time Anomaly Detection for User Behavioral Biometrics to Prevent Account Takeover (ATO) Fraud.

This use case directly addresses emerging fraud patterns, leverages real-time data, and offers significant potential for automation and efficiency gains, aligning perfectly with Saba’s goals.

---

Project: Real-time Anomaly Detection for User Behavioral Biometrics to Prevent Account Takeover (ATO) Fraud

Article: Safeguarding Digital Finance: A Real-time Behavioral Biometrics Anomaly Detection System for ATO Prevention

By Saba Shahrukh (Leveraging Insights from Manu Krishna, CAMS, CFE, CCI)

Abstract:

Account Takeover (ATO) fraud poses a significant and escalating threat in the digital financial landscape, leading to substantial financial losses for institutions and severe reputational damage.1 Traditional fraud detection methods, often reliant on static credentials or rule-based systems, are increasingly insufficient against sophisticated attackers.2 This article presents a comprehensive, real-time machine learning-driven solution for preventing ATO fraud by continuously monitoring and analyzing user behavioral biometrics. We delve into the intricacies of data collection, feature engineering, model selection for anomaly detection, real-time inference, and the critical role of Explainable AI (XAI) in fostering trust and operational efficiency. The provided Python code demonstrates a high-standard implementation, outlining the data generation, model training, and a simulated real-time detection pipeline.

1. Introduction

The financial sector is a prime target for fraudsters, with Account Takeover (ATO) being one of the most insidious forms of attack.3 ATO occurs when a malicious actor gains unauthorized access to a legitimate user’s account, often through stolen credentials (phishing, malware, data breaches) or social engineering.4 Once inside, fraudsters can drain funds, make unauthorized purchases, or leverage the account for further illicit activities like money laundering.5 The dynamic and evolving nature of these attacks necessitates advanced, adaptive fraud detection mechanisms.

Machine Learning (ML) offers a powerful paradigm shift in this fight. Instead of relying on predefined, static rules that can be bypassed, ML models learn patterns of legitimate behavior and identify deviations that signify potential fraud.⁶ Specifically, behavioral biometrics – the unique ways individuals interact with their devices and applications – provide a rich, continuous stream of data for real-time anomaly detection.⁷ This approach moves beyond “what you know” (passwords) and “what you have” (tokens) to “who you are” by analyzing typing rhythm, mouse movements, swipe patterns, device orientation, and navigation habits.

2. The Problem: The Escalating Threat of Account Takeover Fraud

Traditional security measures, such as usernames and passwords, are highly susceptible to breaches.8 Once credentials are compromised, an attacker can impersonate a legitimate user. The challenge lies in distinguishing between a legitimate user and a fraudster who possesses valid credentials. This is where behavioral biometrics shine. A fraudster, even with valid login details, will likely interact with the system differently than the legitimate account holder, exhibiting anomalies in their digital behavior.

Key Challenges:

• Data Imbalance: Fraudulent activities are rare compared to legitimate transactions, leading to highly imbalanced datasets.⁹
• Evolving Tactics: Fraudsters constantly adapt their methods, requiring models that can learn and evolve.¹⁰
• Real-time Processing: ATO attacks often happen quickly, demanding immediate detection and response.¹¹
• Interpretability: Financial institutions need to understand why a transaction or login attempt was flagged as suspicious for investigation and compliance.¹²

3. Solution Overview: Real-time Behavioral Biometrics Anomaly Detection

Our proposed solution leverages machine learning to build individual behavioral profiles for users. Any significant deviation from these established profiles in real-time triggers an alert for further investigation or immediate action (e.g., step-up authentication, temporary account lock).

System Architecture:

1. Data Collection Layer: Captures real-time behavioral data (keystrokes, mouse movements, touch gestures, device orientation, navigation paths) from user interactions within financial applications (web and mobile).
2. Feature Engineering Layer: Transforms raw behavioral data into meaningful numerical features.
3. User Profile Generation & Model Training: For each user, a baseline “normal” behavioral profile is created and updated. Anomaly detection models are trained on this normal behavior.
4. Real-time Inference Layer: Incoming user behavior data is fed to the trained models.
5. Anomaly Detection & Scoring: Models calculate an anomaly score.
6. Alerting & Action Layer: Based on the anomaly score and predefined thresholds, alerts are triggered, and appropriate actions are taken.
7. Feedback Loop (Continuous Learning): Analysts’ feedback on flagged events helps refine the models, differentiating between true anomalies and legitimate but unusual behavior.
8. Explainable AI (XAI) Module: Provides insights into why a particular activity was flagged, aiding human investigators.

4. Data Generation and Feature Engineering

Given the sensitivity and proprietary nature of real financial behavioral data, we will simulate it using the Faker library and custom logic. This synthetic data will capture the essence of behavioral patterns, including typical ranges and introduces anomalies to represent fraudulent activities.

4.1. Data Attributes (Synthetic):

For each user session, we can consider the following attributes:

• session_id: Unique identifier for the user session.
• user_id: Unique identifier for the user.
• timestamp: Time of the behavioral event.
• event_type: (e.g., ‘keypress’, ‘mousemove’, ‘click’, ‘swipe’).
• duration: Time taken for an action (e.g., time between key presses, duration of a swipe).
• x_coord, y_coord: Coordinates of mouse/touch events.
• key_pressed: Specific key pressed (for keystroke dynamics).
• pressure: Touch pressure (for mobile).
• scroll_speed: Speed of scrolling.
• device_orientation: (e.g., ‘portrait’, ‘landscape’, or gyroscope/accelerometer data).
• page_sequence: Sequence of pages visited in a session.
• time_on_page: Time spent on a particular page.
• typing_speed_wpm: Words per minute for typing.
• typing_rhythm_stddev: Standard deviation of inter-key intervals (a key indicator).
• mouse_movement_dist_per_sec: Total mouse movement distance per second.
• clicks_per_sec: Number of clicks per second.
• is_fraudulent: Binary label (0 for legitimate, 1 for fraudulent). This will be introduced synthetically to simulate anomalies.

4.2. Feature Engineering:

Raw behavioral data is noisy and needs transformation. Key features would include:

• Statistical Measures: Mean, median, standard deviation, min, max for metrics like duration, typing_speed_wpm, mouse_movement_dist_per_sec.
• Ratios: E.g., ratio of fast clicks to slow clicks.
• Sequences/Patterns: Using n-grams for page sequences or key press sequences. Time-series features (e.g., Fourier transforms to capture rhythms).
• Session-level Aggregations: Total session duration, number of unique pages visited, total characters typed.
• Time-based Features: Hour of day, day of week (fraud often occurs at unusual times).
• Device-specific features: Device type, operating system (could indicate suspicious access from an unfamiliar device).

Python Code for Synthetic Data Generation (High Standard)

Python

import pandas as pd
import numpy as np
from faker import Faker
import random
from datetime import datetime, timedelta
from collections import defaultdict

# Set a seed for reproducibility
Faker.seed(42)
np.random.seed(42)
random.seed(42)

fake = Faker('en_US')

def generate_user_profile_template(num_users=100):
    """
    Generates a template of 'normal' behavioral profiles for a set of users.
    This simulates learning a user's typical interaction patterns.
    """
    user_profiles = {}
    for i in range(num_users):
        user_id = f"user_{i+1:04d}"
        
        # Simulate typical ranges for behavioral metrics
        user_profiles[user_id] = {
            'avg_typing_speed_wpm': round(np.random.normal(50, 10)), # Words per minute
            'std_typing_rhythm': round(np.random.normal(0.05, 0.02), 3), # Std dev of inter-key interval
            'avg_mouse_dist_per_sec': round(np.random.normal(150, 50)), # Pixels per second
            'avg_clicks_per_sec': round(np.random.normal(2, 1), 1),
            'avg_session_duration_min': round(np.random.normal(10, 3)),
            'typical_login_hours': sorted(random.sample(range(0, 24), random.randint(3, 7))), # Typical login hours
            'typical_devices': random.sample(['desktop', 'mobile_ios', 'mobile_android'], random.randint(1, 2)),
            'avg_scroll_speed': round(np.random.normal(200, 50)),
        }
    return user_profiles

def generate_synthetic_behavioral_data(user_profiles, num_sessions_per_user=50, fraud_ratio=0.02):
    """
    Generates synthetic behavioral data for multiple user sessions,
    introducing anomalies to simulate fraud.
    """
    data = []
    
    for user_id, profile in user_profiles.items():
        for _ in range(num_sessions_per_user):
            is_fraudulent = random.random() < fraud_ratio
            
            session_id = fake.uuid4()
            start_time = fake.date_time_between(start_date='-1y', end_date='now')
            session_duration_min = profile['avg_session_duration_min'] + np.random.normal(0, 2)
            if is_fraudulent:
                # Introduce anomalies for fraudulent sessions
                session_duration_min *= np.random.uniform(0.1, 0.5) # Shorter session
                session_duration_min = max(1, session_duration_min) # Ensure minimum duration
            session_end_time = start_time + timedelta(minutes=session_duration_min)
            
            # Simulate behavioral metrics based on profile and fraud status
            typing_speed_wpm = profile['avg_typing_speed_wpm']
            std_typing_rhythm = profile['std_typing_rhythm']
            mouse_dist_per_sec = profile['avg_mouse_dist_per_sec']
            clicks_per_sec = profile['avg_clicks_per_sec']
            scroll_speed = profile['avg_scroll_speed']
            
            if is_fraudulent:
                typing_speed_wpm *= np.random.uniform(0.5, 1.5) # Potentially erratic typing
                std_typing_rhythm *= np.random.uniform(1.5, 3.0) # More erratic rhythm
                mouse_dist_per_sec *= np.random.uniform(0.5, 1.5) # Different mouse movement
                clicks_per_sec *= np.random.uniform(0.5, 2.0) # Different click rate
                scroll_speed *= np.random.uniform(0.5, 1.5)
                
                # Introduce unusual login time (outside typical hours)
                unusual_hour_found = False
                for _ in range(10): # Try a few times to find an unusual hour
                    potential_hour = random.randint(0, 23)
                    if potential_hour not in profile['typical_login_hours']:
                        start_time = start_time.replace(hour=potential_hour, minute=random.randint(0,59), second=random.randint(0,59))
                        unusual_hour_found = True
                        break
                if not unusual_hour_found: # If couldn't find an unusual hour, just pick a random one
                    start_time = start_time.replace(hour=random.randint(0,23), minute=random.randint(0,59), second=random.randint(0,59))

                # Introduce unusual device
                available_devices = ['desktop', 'mobile_ios', 'mobile_android', 'tablet']
                unusual_device = random.choice([d for d in available_devices if d not in profile['typical_devices']])
                device_used = unusual_device if unusual_device else random.choice(profile['typical_devices']) # Fallback
            else:
                start_time = start_time.replace(hour=random.choice(profile['typical_login_hours']), minute=random.randint(0,59), second=random.randint(0,59))
                device_used = random.choice(profile['typical_devices'])
                
            data.append({
                'session_id': session_id,
                'user_id': user_id,
                'timestamp_start': start_time,
                'timestamp_end': session_end_time,
                'session_duration_min': round(session_duration_min, 2),
                'typing_speed_wpm': max(0, round(typing_speed_wpm + np.random.normal(0, 5), 2)),
                'std_typing_rhythm': max(0.01, round(std_typing_rhythm + np.random.normal(0, 0.01), 4)),
                'mouse_dist_per_sec': max(0, round(mouse_dist_per_sec + np.random.normal(0, 20), 2)),
                'clicks_per_sec': max(0, round(clicks_per_sec + np.random.normal(0, 0.5), 2)),
                'scroll_speed': max(0, round(scroll_speed + np.random.normal(0, 20), 2)),
                'login_hour': start_time.hour,
                'day_of_week': start_time.weekday(),
                'device_type': device_used,
                'is_fraudulent': int(is_fraudulent)
            })
    
    return pd.DataFrame(data)

# Generate user profiles
user_profiles = generate_user_profile_template(num_users=200)

# Generate synthetic behavioral data with a small fraud ratio
df_behavioral = generate_synthetic_behavioral_data(user_profiles, num_sessions_per_user=100, fraud_ratio=0.01)

print(f"Generated {len(df_behavioral)} sessions.")
print(f"Number of fraudulent sessions: {df_behavioral['is_fraudulent'].sum()}")
print(df_behavioral.head())

# --- Feature Engineering (example of more advanced features) ---
def engineer_features(df):
    df['session_duration_sec'] = df['session_duration_min'] * 60
    df['typing_speed_normalized'] = df.groupby('user_id')['typing_speed_wpm'].transform(lambda x: (x - x.mean()) / x.std())
    df['typing_rhythm_normalized'] = df.groupby('user_id')['std_typing_rhythm'].transform(lambda x: (x - x.mean()) / x.std())
    df['mouse_movement_normalized'] = df.groupby('user_id')['mouse_dist_per_sec'].transform(lambda x: (x - x.mean()) / x.std())
    df['clicks_normalized'] = df.groupby('user_id')['clicks_per_sec'].transform(lambda x: (x - x.mean()) / x.std())
    df['scroll_speed_normalized'] = df.groupby('user_id')['scroll_speed'].transform(lambda x: (x - x.mean()) / x.std())

    # One-hot encode categorical features
    df = pd.get_dummies(df, columns=['device_type'], prefix='device', drop_first=True)
    
    # Cyclic features for time (hour and day of week)
    df['login_hour_sin'] = np.sin(2 * np.pi * df['login_hour'] / 24)
    df['login_hour_cos'] = np.cos(2 * np.pi * df['login_hour'] / 24)
    df['day_of_week_sin'] = np.sin(2 * np.pi * df['day_of_week'] / 7)
    df['day_of_week_cos'] = np.cos(2 * np.pi * df['day_of_week'] / 7)
    
    return df

df_features = engineer_features(df_behavioral.copy())
print("\nDataFrame with Engineered Features:")
print(df_features.head())
print(df_features.columns)

Explanation of Synthetic Data Generation:

• generate_user_profile_template: This function creates a dictionary of “normal” behavioral parameters for each synthetic user. These parameters (e.g., average typing speed, typical login hours) serve as the baseline against which anomalies will be detected.
• generate_synthetic_behavioral_data: This function iterates through the user profiles and generates session data.
  • For legitimate sessions (is_fraudulent=0), the behavioral metrics are sampled around the user’s defined profile with some normal variation. Login hours and device types are chosen from their typical patterns.
  • For fraudulent sessions (is_fraudulent=1), we introduce deliberate anomalies:
    • Shorter session duration (a common indicator of ATO where fraudsters act quickly).
    • Erratic typing speed and rhythm (humans type with a certain cadence; bots or unfamiliar users often show irregularities).¹³
    • Different mouse movement/click patterns.
    • Login attempts outside typical hours.
    • Login attempts from an unusual device.
• Feature Engineering:
  • Normalization: Behavioral metrics are normalized per user to account for individual differences. This is crucial because a fast typer’s “slow” might still be faster than a slow typer’s “fast.” Normalization helps in identifying deviations from a user’s own baseline.
  • One-Hot Encoding: Categorical features like device_type are converted into numerical format suitable for ML models.¹⁴
  • Cyclic Features: Time-based features (hour of day, day of week) are transformed using sine and cosine functions to capture their cyclical nature, avoiding the model from incorrectly inferring a linear relationship.¹⁵

5. Model Selection for Anomaly Detection

Given the data imbalance (fraud is rare) and the nature of identifying “unusual” behavior, unsupervised anomaly detection algorithms are highly suitable. These models learn the underlying structure of “normal” data without requiring explicit “fraud” labels during training.¹⁶

• Isolation Forest: An ensemble method that “isolates” anomalies by randomly selecting a feature and then randomly selecting a split value between the maximum and minimum values of the selected feature.¹⁷ Anomalies are data points that are few and far from the majority, thus they are easier to isolate (require fewer splits).¹⁸
• One-Class SVM (OCSVM): A supervised algorithm in a restricted sense, trained on only “normal” data. It learns a decision boundary that encapsulates the normal data points, flagging anything outside this boundary as an anomaly.
• Autoencoders (Deep Learning): Neural networks trained to reconstruct their input. For normal data, the reconstruction error will be low. For anomalous data, the reconstruction error will be high, as the model hasn’t learned to encode/decode these patterns effectively. This is particularly powerful for complex, high-dimensional behavioral data.

For this project, we will use Isolation Forest due to its effectiveness, speed, and good performance on high-dimensional data, making it suitable for real-time applications.¹⁹

6. Implementation: Building the Anomaly Detection System

We will demonstrate a pipeline that trains an Isolation Forest model for each user based on their historical normal behavior. In a real-time scenario, this model would be continuously updated.

Python

import pandas as pd
import numpy as np
from sklearn.ensemble import IsolationForest
from sklearn.preprocessing import StandardScaler
from sklearn.metrics import classification_report, roc_auc_score, precision_recall_curve, auc
import matplotlib.pyplot as plt
import seaborn as sns
import joblib # For saving/loading models
import warnings

warnings.filterwarnings('ignore') # Suppress warnings

# Reload data if needed
# user_profiles = generate_user_profile_template(num_users=200)
# df_behavioral = generate_synthetic_behavioral_data(user_profiles, num_sessions_per_user=100, fraud_ratio=0.01)
# df_features = engineer_features(df_behavioral.copy())

# Separate features and target
X = df_features.drop(columns=['session_id', 'user_id', 'timestamp_start', 'timestamp_end', 'is_fraudulent',
                              'session_duration_min', 'login_hour', 'day_of_week'])
y = df_features['is_fraudulent']
user_ids = df_features['user_id'] # Keep user_ids for per-user model training

# Identify features to scale (numerical, non-binary)
numerical_features = [col for col in X.columns if X[col].dtype in ['float64', 'int64'] and not X[col].nunique() < 3]

print(f"Features used for training: {X.columns.tolist()}")

# --- Per-User Model Training and Evaluation ---
user_models = {}
predictions = pd.DataFrame(columns=['session_id', 'user_id', 'true_label', 'anomaly_score', 'predicted_anomaly'])
all_true_labels = []
all_anomaly_scores = []

for user_id in user_ids.unique():
    user_data = df_features[df_features['user_id'] == user_id].copy()
    
    # Separate legitimate data for training and all data for testing
    # In a real scenario, training data would be purely legitimate historical data
    # and unseen data would be real-time. Here, we simulate by filtering.
    
    # We will train on the 'normal' instances of each user's data
    X_train_user = user_data[user_data['is_fraudulent'] == 0][X.columns]
    y_true_user = user_data['is_fraudulent'] # True labels for evaluation
    
    # Ensure there's enough legitimate data to train
    if len(X_train_user) < 5: # Arbitrary small threshold, adjust as needed
        # print(f"Skipping user {user_id} due to insufficient legitimate training data.")
        continue
    
    # Scale numerical features for the current user
    scaler = StandardScaler()
    X_train_user_scaled = scaler.fit_transform(X_train_user[numerical_features])
    X_test_user_scaled = scaler.transform(user_data[X.columns][numerical_features]) # Apply same scaler to all user data

    # Create DataFrames for scaled data
    X_train_user_scaled_df = pd.DataFrame(X_train_user_scaled, columns=numerical_features, index=X_train_user.index)
    X_test_user_scaled_df = pd.DataFrame(X_test_user_scaled, columns=numerical_features, index=user_data.index)
    
    # Reintegrate one-hot encoded and cyclic features (which don't need scaling)
    for col in X.columns:
        if col not in numerical_features:
            X_train_user_scaled_df[col] = X_train_user[col]
            X_test_user_scaled_df[col] = user_data[X.columns][col]

    # Initialize Isolation Forest model
    # contamination is the expected proportion of outliers in the dataset.
    # It's an important hyperparameter for IsolationForest.
    # For a highly imbalanced fraud dataset, a small contamination value is appropriate.
    # We'll use the overall fraud ratio for this synthetic dataset, but in real-world
    # training (on "normal" data), it might be set to a very small, fixed value
    # or determined through expert knowledge.
    
    model = IsolationForest(random_state=42, contamination=df_behavioral['is_fraudulent'].sum() / len(df_behavioral), n_estimators=100)
    
    # Train the model on legitimate data only
    model.fit(X_train_user_scaled_df)
    
    # Store the model and scaler
    user_models[user_id] = {'model': model, 'scaler': scaler}
    
    # Predict anomaly scores for all sessions of the current user
    # decision_function returns the anomaly score. Lower score = more anomalous.
    user_anomaly_scores = model.decision_function(X_test_user_scaled_df)
    
    # To convert scores to binary prediction, we need a threshold.
    # IsolationForest outputs a score where values closer to -1 are anomalous,
    # and values closer to 0 or positive are normal.
    # A common approach is to use the negative score, so higher is more anomalous.
    # Then set a threshold, e.g., based on the contamination parameter or a chosen percentile.
    
    # For evaluation, we can use the model's prediction which is based on contamination
    user_predicted_anomalies = model.predict(X_test_user_scaled_df) # -1 for outlier, 1 for inlier
    user_predicted_anomalies = np.where(user_predicted_anomalies == -1, 1, 0) # Convert to 0/1 for fraud/normal
    
    # Store results
    user_results = pd.DataFrame({
        'session_id': user_data['session_id'],
        'user_id': user_id,
        'true_label': user_data['is_fraudulent'],
        'anomaly_score': -user_anomaly_scores, # Invert for easier interpretation (higher score = more anomalous)
        'predicted_anomaly': user_predicted_anomalies
    })
    predictions = pd.concat([predictions, user_results], ignore_index=True)
    
    all_true_labels.extend(user_data['is_fraudulent'].tolist())
    all_anomaly_scores.extend([-s for s in user_anomaly_scores]) # Append inverted scores

print("\nSample of predictions:")
print(predictions.head())

# --- Overall Evaluation ---
print("\nOverall Classification Report:")
print(classification_report(predictions['true_label'], predictions['predicted_anomaly']))

# Calculate AUC-ROC
roc_auc = roc_auc_score(all_true_labels, all_anomaly_scores)
print(f"Overall AUC-ROC: {roc_auc:.4f}")

# Plot Precision-Recall Curve (more informative for imbalanced datasets)
precision, recall, _ = precision_recall_curve(all_true_labels, all_anomaly_scores)
pr_auc = auc(recall, precision)

plt.figure(figsize=(8, 6))
plt.plot(recall, precision, label=f'Precision-Recall Curve (AUC = {pr_auc:.2f})')
plt.xlabel('Recall')
plt.ylabel('Precision')
plt.title('Precision-Recall Curve for Anomaly Detection')
plt.legend()
plt.grid(True)
plt.show()

# --- Real-time Inference Simulation ---
def real_time_fraud_detection(new_session_data, user_models, numerical_features, X_columns):
    """
    Simulates real-time fraud detection for a new incoming session.
    """
    user_id = new_session_data['user_id'].iloc[0] # Assuming single session row
    
    if user_id not in user_models:
        print(f"Warning: No historical model for user {user_id}. Cannot perform behavioral biometrics analysis.")
        # Fallback to rule-based or other generic fraud detection
        return {'session_id': new_session_data['session_id'].iloc[0],
                'user_id': user_id,
                'anomaly_score': None,
                'is_suspicious': False,
                'reason': 'No historical profile'}

    model_info = user_models[user_id]
    model = model_info['model']
    scaler = model_info['scaler']

    # Ensure the new session data has the same columns as training data features
    # This is critical for real-time systems. Missing features should be handled.
    missing_cols = set(X_columns) - set(new_session_data.columns)
    for c in missing_cols:
        new_session_data[c] = 0 # Or appropriate default/imputation

    # Order columns to match training data
    new_session_data_ordered = new_session_data[X_columns]
    
    # Scale numerical features
    new_session_scaled_numerical = scaler.transform(new_session_data_ordered[numerical_features])
    new_session_scaled_df = pd.DataFrame(new_session_scaled_numerical, columns=numerical_features, index=new_session_data_ordered.index)

    # Reintegrate non-scaled features
    for col in X_columns:
        if col not in numerical_features:
            new_session_scaled_df[col] = new_session_data_ordered[col]

    # Get anomaly score
    anomaly_score = -model.decision_function(new_session_scaled_df)[0] # Invert score

    # Determine if suspicious based on a threshold (e.g., top X% of scores, or a fixed threshold)
    # For demo, we'll use a simple threshold from the overall data's quantiles
    # In practice, this threshold would be finely tuned.
    threshold = np.percentile(all_anomaly_scores, 99) # Top 1% most anomalous are flagged

    is_suspicious = anomaly_score > threshold

    reason = []
    if is_suspicious:
        # XAI-lite: Provide simple reasons based on deviations from user profile
        # This is a simplified example; a full XAI module would use SHAP/LIME etc.
        user_profile_template = user_profiles[user_id]
        current_data = new_session_data.iloc[0]

        if current_data['session_duration_min'] < (user_profile_template['avg_session_duration_min'] * 0.5):
            reason.append("Session duration significantly shorter than usual.")
        if current_data['std_typing_rhythm'] > (user_profile_template['std_typing_rhythm'] * 1.5):
            reason.append("Typing rhythm is more erratic than usual.")
        if current_data['login_hour'] not in user_profile_template['typical_login_hours']:
             reason.append("Login outside typical hours.")
        if current_data['device_type'] not in user_profile_template['typical_devices']:
             reason.append(f"Login from an unusual device: {current_data['device_type']}.")
        
        if not reason: # If no specific reason caught by simple rules, default
            reason.append("Behavioral patterns deviate significantly from normal profile.")


    return {
        'session_id': new_session_data['session_id'].iloc[0],
        'user_id': user_id,
        'anomaly_score': anomaly_score,
        'is_suspicious': is_suspicious,
        'reason': reason if is_suspicious else "Normal behavior"
    }

print("\n--- Simulating Real-time Detection ---")

# Pick a few legitimate and fraudulent sessions to test
test_sessions_legit = df_features[df_features['is_fraudulent'] == 0].sample(3, random_state=1)
test_sessions_fraud = df_features[df_features['is_fraudulent'] == 1].sample(3, random_state=1)

print("\nTesting Legitimate Sessions:")
for idx, row in test_sessions_legit.iterrows():
    result = real_time_fraud_detection(pd.DataFrame([row]), user_models, numerical_features, X.columns)
    print(f"Session {result['session_id']} (User: {result['user_id']}): Anomaly Score = {result['anomaly_score']:.4f}, Suspicious = {result['is_suspicious']}, Reason: {result['reason']}")

print("\nTesting Fraudulent Sessions:")
for idx, row in test_sessions_fraud.iterrows():
    result = real_time_fraud_detection(pd.DataFrame([row]), user_models, numerical_features, X.columns)
    print(f"Session {result['session_id']} (User: {result['user_id']}): Anomaly Score = {result['anomaly_score']:.4f}, Suspicious = {result['is_suspicious']}, Reason: {result['reason']}")

# --- Saving and Loading Models (for persistent deployment) ---
# It's good practice to save trained models and their scalers
# Example: joblib.dump(user_models, 'user_behavioral_models.pkl')
# Example: loaded_user_models = joblib.load('user_behavioral_models.pkl')

Explanation of Model Training and Real-time Simulation:

1. Per-User Model Training:
   • Data Preparation: The dataset is iterated through each unique user. For each user, the model is trained only on their legitimate historical data. This is crucial for behavioral biometrics, as “normal” behavior is highly individualistic.
   • Feature Scaling: StandardScaler is applied to numerical features per user. This ensures that features contribute equally to the distance calculations and model learning, and more importantly, it scales values relative to that specific user’s typical range.
   • Isolation Forest: An IsolationForest model is instantiated. The contamination parameter is set to the approximate fraud ratio in our synthetic data. In a real-world system, this might be a small fixed value (e.g., 0.001 to 0.01) based on expected anomaly rates, or dynamically tuned.
   • Model Fitting: The model is fit on the scaled legitimate data of the individual user.
   • Anomaly Scoring: decision_function() returns an anomaly score.²⁰ Lower values indicate a higher likelihood of being an outlier. We invert this score for easier interpretation (higher score = more anomalous).
   • Binary Prediction: predict() method returns -1 for outliers and 1 for inliers, which we convert to 0/1 for ‘normal’/’fraudulent’.
   • Storage: Each user’s trained model and their StandardScaler are stored in a dictionary (user_models) for later real-time inference.
2. Evaluation:
   • Classification Report: Provides a detailed breakdown of precision, recall, and F1-score for the overall model performance.
   • AUC-ROC & Precision-Recall Curve:
     • AUC-ROC measures the model’s ability to distinguish between positive and negative classes.²¹
     • Precision-Recall (PR) Curve is particularly important for highly imbalanced datasets like fraud detection.²² It focuses on the performance of the minority class (fraud). A high AUC on the PR curve indicates a good balance between precision (minimizing false positives) and recall (minimizing false negatives).²³
3. Real-time Inference Simulation (real_time_fraud_detection):
   • This function simulates an incoming session.
   • It retrieves the specific user’s pre-trained model and scaler.
   • The new session’s data is preprocessed (scaled, features aligned) in the exact same way as the training data.
   • The decision_function of the user’s model is used to get the anomaly score.
   • A threshold (e.g., 99th percentile of anomaly scores from the training phase) is applied to determine if the session is suspicious.
   • XAI-lite for Reasons: A rudimentary Explainable AI component is included. If a session is flagged, it attempts to provide simple, human-understandable reasons by comparing the current session’s metrics against the user’s learned profile. In a production system, this would be far more sophisticated (e.g., using SHAP values or LIME to pinpoint feature importance for the specific anomalous prediction).

7. Real-world Deployment Considerations

• Continuous Learning & Model Updates: User behavior evolves. Models must be retrained periodically (e.g., daily, weekly) with fresh legitimate data to adapt.²⁴ This involves a robust MLOps pipeline.
• Data Streaming & Processing: A real-time system requires efficient data ingestion (e.g., Kafka, Flink) and low-latency processing.²⁵
• Scalability: Handling millions of user sessions per day requires scalable infrastructure (cloud-based solutions, distributed computing).
• Threshold Tuning: The anomaly threshold is critical. A too-low threshold will generate too many false positives (annoying legitimate users, overburdening analysts). A too-high threshold will miss fraud. This requires continuous monitoring and A/B testing.
• Hybrid Approaches: Combining behavioral biometrics with other fraud detection techniques (e.g., transaction monitoring, identity verification, device fingerprinting) provides a more robust, multi-layered defense.²⁶
• Explainable AI (XAI): Essential for compliance, investigations, and building trust. When an alert is triggered, analysts need to understand why. This means going beyond just an “anomaly score” to pinpoint which behavioral features were most abnormal. Tools like SHAP and LIME can be integrated for this purpose.²⁷
• User Experience: Implementing step-up authentication (e.g., SMS OTP, push notification approval) for suspicious activities can provide an extra layer of security without completely blocking a legitimate user.²⁸
• Edge Cases and Cold Start: How to handle new users with no historical data? Generic models or progressive profiling can be used. How to handle legitimate but unusual behavior (e.g., user traveling, new device)? The system needs to be adaptive.

8. Conclusion

The integration of real-time behavioral biometrics with machine learning presents a powerful frontier in the fight against Account Takeover fraud. By continuously learning and adapting to individual user patterns, financial institutions can proactively identify and mitigate threats, moving beyond reactive detection. While the technical implementation requires robust data pipelines, sophisticated ML models, and careful operationalization, the benefits in terms of fraud prevention, reduced financial losses, and enhanced customer trust are immense. This project serves as a foundational blueprint for developing a cutting-edge, intelligent fraud detection system, aligning with the evolving landscape of financial crime and data science innovation.