In the complex context of modern businesses, anomaly detection is not just a beneficial practice but a crucial one across industries as diverse as anti-money laundering (AML), fraud detection, cybersecurity, supply chain management, and beyond. Anomalies within an organization’s data, often indicative of risks or cost-intensive issues, demand vigilant monitoring.
While many tools exist to sift through enormous data sets in search of these irregularities, traditional methods frequently fall short. They may involve the tedious examination of vast amounts of data stuck within silos, or they may overlook critical connections between various data patterns, leading to significant gaps in information and a lack of context.
Enter multi-model graph alerts, a key milestone in graph-based innovative detection features. Only in Linkurious Enterprise.
Multi-model alerts transform the process of anomaly detection by aggregating multiple detection rules powered by graph analytics into a single alert. As a result, they uncover more complex hidden patterns, delivering a maximum amount of context to analysts and investigators and reducing their backlog.
This article looks at how to maximize the potential of Linkurious Enterprise for anomaly detection through the multi-model alerts feature.
- We will explore the nuances of what multi-model alerts are,
- how they function,
- and their capacity to not only reduce the workload but also expedite decision-making processes.
Further, we'll examine a practical application of this feature, using an anti-money laundering alert as a case study to illustrate the step-by-step process of setting up and using multi-model alerts.
The drawbacks of conventional detection rules
Most organizations rely on automated alerting systems based on simple business rules for anomaly detection in data usually stored in relational databases. Even as these tools are usually good enough as a first line of anomaly detection around targeted entities, they are not without their challenges.
First, they are not purposely designed to analyze relationships between data points and fail at detecting sophisticated patterns involving a network of entities.
Because they are based on relatively simple rules, many automated anomaly detection systems also produce high volumes of results including duplicates and a high rate of false positives. This results in wasted time and alert fatigue, ultimately decreasing investigative efficiency.
Conventional approaches have drawbacks even when they tap into data stored in graph databases using graph analytics. In setting up detection rules focused on single patterns, such systems will generate multiple results around the same entity if it matches different anomalous patterns. Individually, those matches may only represent weak signals. The result is an increased volume of results to triage - and results that may fail to surface complex patterns that require broader contextual information.
Complex patterns don't necessarily require complex solutions
Multi-model alerts in Linkurious Enterprise help resolve these issues. They let you detect multiple anomalous graph patterns in a single alert.
When we talk about multi-model alerts,
- A model refers to a subset of criteria representing one detection pattern.
- “Multi-model” refers to a configuration using multiple models in a single alert to ensure deduplication and simple, maintainable models.
- Users can combine multiple rules of detection, written as graph patterns, around an entity of interest in one alert.
- Matches relating to the same entity are consolidated into one comprehensive case.
Multi-model alerts save you from both running one big, complex query, or relying on investigating multiple cases in separate alerts.
How do multi-model alerts work?
Let’s take a look at exactly how these alerts work. Multi-model alerts leverage graph analytics to search for patterns of interest within your graph database and create comprehensive cases when the system identifies those patterns of interest. These alerts give investigators a maximum amount of context for better informed decision making.
Multi-model alerts group detection rules - or models - into a single alert, so instead of multiple separate cases, you get a single consolidated case that delivers the full context you need to make a decision.
Configuring multi-model alerts in Linkurious Enterprise
Query set up
To set up a multi-model alert, you’ll need to define the target of your alert and at least one model. Each model - each pattern that you want to detect - will have a corresponding graph query (written with Cypher or Gremlin languages). These queries run on a regular basis on the data available in your dataset.
The result is an automatically generated list of cases that investigators can easily triage and analyze with information about the matching model(s), case attributes, and access to the graph visualization of the identified pattern.
Add case attributes
You can add up to 40 case attributes - additional data points from the case’s graph - to deliver even more context to your case. These attributes can be used to help prioritize cases (e.g. by calculating a "risk score"), to display information that makes it easy to assign cases to investigators (e.g. by displaying the type of fraud used), or to display important information about the target of the alert for quick decision making.
Program your alerts
You can choose the frequency at which your alerts automatically run. If users are able to modify parameters in your database in a way that will impact alerts, you can program them to run more frequently. On the other hand, if your database is updated automatically, you can program your alerts to run only after updates.
Applying multi-model alerts to real-life anomaly detection
Multi-model alerts in Linkurious Enterprise are beneficial for a wide range of use cases. Take the example of social benefits fraud, where bad actors often work in networks and scams evolve quickly. Multi-model alerts perform well in detecting the full extent of suspicious activity, even when it’s complex. And you can modify the models making up an alert as new schemes are identified.
To show you how multi-model alerts work in real life, this section will walk you through an example of anomaly detection around money laundering patterns.
Multi-model alert creation, step by step
The best way to understand how multi-model alerts work is to see them in action. Let’s take a look at the step-by-step process of setting up alerts in Linkurious Enterprise. In this case, we’ll set up an alert to detect money laundering through the purchase of real estate. There are plenty of different ways to identify real estate money laundering, which can include:
- A discrepancy between the usual income of the owner and the property value.
- An anonymous owner.
- A property is underestimated or over-valued.
- The indication of a country that there is a risk of money laundering by its citizens in another country.
- The location of the property is far away from the buyer location.
- The company or the type of company owned by the owner is suspicious.
There is a wide variety of schemes that can be used to launder money through real estate. A bad actor or a criminal ring might use different schemes to try to cover their tracks and evade detection.
Below we’ll look at how to set up an alert targeting someone who may be laundering money through the purchase of real estate.
Creating an alert
From the Alerts dashboard, you can create a new alert, giving it a name and a description (an optional field to give context on the alert's usability and purpose.) Alerts run hourly by default, but you can adjust the frequency according to your needs, for example to sync your alert with database updates.
In order for cases to be deduplicated properly, users have to set a target for their alert. The target will be used in all the models that will be added to the alert. In this case, our targets are nodes of the type Person who are potentially guilty of money laundering. We’ll call these nodes “p”.
Defining your alert models
The models of an alert are the detection patterns which users set. Each pattern has to be specified within a model using the Cypher or Gremlin query language. The model query should be a read query. Once the model is successfully saved, it will become visible on the list of models on the alert creation page. In the real estate money laundering case, we’ll set up four different models corresponding to suspicious patterns.
A discrepancy between the usual income of the owner and the property value.
with e,l,p,p.annual_revenues/36 as max_monthly_instalment
where max_monthly_instalment < toFloat(l.monthly_instalment)
The indication of a country that there is a risk of money laundering by its citizens in another country.
where p.nationality in ["Russia","North Korea", "China"]
The location of the property (represented by the location where the loan is done) is far away from the buyer location.
where point.distance(point(l),point(p))/1000 > 300
The company or the type of company owned by the owner is among a list of sensitive fields.
// We distinct two patterns here:
// - Company got the loan
where c.industry in ["Military/Government/Technical","Oil/Gas Transmission"]
// - Person got the loan
where c.industry in ["Military/Government/Technical","Oil/Gas Transmission"]
Setting up case attributes
Creating case attributes provides further information to help the analyst or investigator triage cases and focus on the ones that are most suspicious. For example, case attributes can help an investigator understand what type of laundering scheme a bad actor is using, along with information about the buyer in a suspicious real estate transaction:
- The name of the owner.
- His or her client id.
- His or her nationality.
- The sum of the values of all the properties for which the individual has taken out loans.
- The total number of bank loans taken out by the individual.
- The difference between the owner installment capacity and the monthly sum of all loans taken out.
- The average loan term.
- The distance between the individual's principal residence and the location where the loan was taken out.
You can set up case attributes by writing a Cypher query to call directly or perform calculations on the data of a case. This is what the query for the above attributes looks like:
When your alerts find matches for your detection models, those hits will appear in the unified case list. Cases can be filtered and sorted according to your needs and priorities using the case attributes you have set up. You can also assign cases to yourself or others.
You can investigate a case by clicking on it in the case list. This opens a dedicated interface where you can:
- See a visualization of the case
- Change the status of the case (from open to in progress, for example)
- Leave comments on the case
- Change the final status of the case to confirm or dismiss it.
The graph visualization interface offers several features to help in the case investigation: expanding nodes, hiding items, filtering, and grouping. Clicking on a node or edge opens the property panel that displays its type and properties. You can also download the case visualization, use geo mode, and more. You can save the current state of your investigation at any point.
Get started on multi-model alerts
The powerful multi-model alerts feature in Linkurious Enterprise offers a simple solution to see the full context around anomalies in your data, reduce triage time, and drive better decision making.
Ready to get started on multi-model alerts? Want to learn more about how to apply this feature to your use case? Contact your customer success manager.