Implementing detection in ICFM (Analysis)

An analysis flow is invoked by the ICFM Analysis Director that is responsible for invoking the correct analysis flow for the data that is imported, or ingestion notification received. The Analysis Director then performs a specified set of analytics and produces a set of assessments.

The input for every analysis flow contains the context, analysis run ID, and time stamp for the last time the flow was run. The context and analysisRunID values that are passed in must also be passed back from the analysis flow to the Analysis Director. The lastRunTimestamp value is used primarily to obtain data that is newer than the last time that this analysis flow was run.

The output from an analysis flow is a set of assessments for the objects that were analyzed. Each assessment represents the fraud risk for that context. The analysis flow context is the scope in which this analysis’ fraud assessment was determined. In other words, the type of fraud and its related risk is within the context of that analysis. The analysis flow is responsible for producing the assessment output. The input and output parameters are discussed later.

The middle part of an analysis flow is the analytics that determine the risk score, the fraud assessment, or both. The analysis flow works with the analytics to reach this conclusion. Sometimes those analytics are computational and sometimes the analytics are simple-rule based.

Automated analysis in ICFM is composed of several parts. The analytics that are used by an analysis flow can vary, as shown in the following diagram.

As shown in this diagram, both synchronous and asynchronous types of analysis are performed in ICFM.

Identity resolution and unstructured data analysis are asynchronous. These items do not need an analysis flow assessment. The data is persisted into the Counter Fraud fact store on receipt of that information by the ICFM software. An analysis flow that requires that information looks it up in the Counter Fraud database, and avoids an expensive synchronous call to perform these operations.

Remember: For asynchronous operations in ICFM, the results are available from the Counter Fraud fact store directly.

The synchronous calls that occur from an analysis flow have two primary components:

Rules component: Provides a fast and efficient way to run a set of rules by parallel processing across a cluster. The rules application receives the data on which to run rules and returns the score, fraud assessment, or both for each record or object instance. The analysis flow obtains the objects on which the rules are run and also builds the assessment response that is returned.
Computational component: Provides a fast and massively scalable runtime environment that supports various statistical nodes, predictive nodes, anomaly detection nodes, complex statistical analysis nodes, in-flight textual parsing, and various other capabilities.

You can use the two components individually or in combination to perform a wide variety of detection techniques based on the intent of a specific analysis scenario.

Analysis flow intent
All analysis flows start, run a specific set of analytics, and complete. The intent of the analysis is most often to obtain an assessment of the potential for fraud to be occurring.
Provided analysis flows and ODM rules
ICFM provides a set of analysis flows and rules to run against the common Counter Fraud fact store types.
Causing an analysis flow to run (AnalysisRequest)
When the initialization criteria conditions are met, an analysis flow is triggered to run. After ICFM ingests data that is to be analyzed and an AnalysisRequest message is sent to the CF.ANALYSIS.REQUEST queue, the analysis flow starts.
Implementing an analysis flow
The easiest way to get started with any analysis flow is to start from the closest pattern and adapt it. An analysis flow is a listener on a queue for a message, which causes the execution to start.
Implementing an analysis flow analytic
The implementation of an analytic is composed of the integration with IBM Counter Fraud Management and the actual analytic that is performed. First, determine the type of analysis that needs to be done.
Retrieving fact store objects for use in an analysis flow
The IBM Counter Fraud Management XSD schema files provide the format for the various messages that the ICFM REST services and MQ messages use to send and retrieve data from the ICFM database. You can use these schemas to provide your analysis flow orchestration with details about the specific messages it will receive and to properly format messages that it needs to send or to which it responds.
Causing ICFM to take action
The three primary sections in a programmatically created investigation are the investigation details, the related object details, and the creation or update details.

Parent topic: Developing

Related concepts:

The rules component

The computational component