Real-time big data threat detection in online gaming

Detect emerging threats and proactively respond to collusion and fraud.

The Challenge

An online gaming platform must identify collusion between users from a 40-million-events-per-day data stream. This data is stored in an SQL data lake and monitored through standard metrics with BI tools such as Tableau and MicroStrategy. Although these metrics alert the team to significant problems, new signals cannot easily be correlated with historical records to verify that they represent genuine threats. Thus, only major and known threats are monitored, and analysts are often slow to respond. Constantly evolving techniques for collusion and fraud, combined with the overwhelming volume of data, create a situation where standard BI tools cannot reveal the intricate, emerging connections that point to imminent threats. The response can take days or even weeks, which is often far too long to prevent substantial loss.


Our Solution

Kineviz implemented a two-tiered solution. First, we set up a system to detect patterns of interest in the real-time data stream as it feeds into the SQL data lake. This filter extracts the patterns and saves them to a graph database. Simultaneously, a second program monitors these real-time signals against the graph and generates alerts that can trigger both human and automated responses via API.

Figure: Kineviz Streaming Data Graph Architecture

Alone, the extracted patterns are not necessarily sufficient to trigger an alert. However, when combined with the historical data stored in the graph database, it becomes possible to detect subtle schemes as they begin to develop, and to stop them before they lead to catastrophic loss.

Examples of features extracted to the graph database include:

  • Shared IPs by multiple accounts

  • Certain sequential actions taken by multiple accounts

  • Unusual behaviors

  • Unusual transactions
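The pipeline described above (stream filter extracts features into a graph, a monitor correlates fresh signals with historical graph data before alerting) can be sketched in a few dozen lines. The following is an added illustration, not Kineviz's code: it uses an in-memory account-to-IP graph in place of the graph database, a constructed blacklist, constructed "historical" edges, and a constructed four-event stream. The thresholds (`SHARED_IP_THRESHOLD`, `WINDOW_SECONDS`, `LARGE_TXN`) and the hop limit are assumptions for the demo. It shows why a shared IP on its own is only a signal: the alert fires only when the graph links the account to a blacklisted one.

```python
"""Toy streaming feature extractor plus graph correlator (added example)."""
from collections import defaultdict, deque

SHARED_IP_THRESHOLD = 3   # distinct accounts seen on one IP within the window (assumed)
WINDOW_SECONDS = 600      # sliding window for the shared-IP feature (assumed)
LARGE_TXN = 5000.0        # constructed threshold for an "unusual transaction"


class AccountIpGraph:
    """Stands in for the graph database: a bipartite account <-> IP graph."""

    def __init__(self):
        self.acct_ips = defaultdict(set)
        self.ip_accts = defaultdict(set)
        self.blacklist = set()

    def add_edge(self, acct, ip):
        self.acct_ips[acct].add(ip)
        self.ip_accts[ip].add(acct)

    def neighbors(self, acct):
        """Accounts one hop away from acct through any shared IP."""
        out = set()
        for ip in self.acct_ips[acct]:
            out |= self.ip_accts[ip]
        out.discard(acct)
        return out

    def linked_to_blacklist(self, acct, max_hops=2):
        """Breadth-first search over shared-IP edges for a blacklisted account."""
        seen, frontier = {acct}, {acct}
        for _ in range(max_hops):
            nxt = set()
            for a in frontier:
                for n in self.neighbors(a):
                    if n in self.blacklist:
                        return True
                    if n not in seen:
                        seen.add(n)
                        nxt.add(n)
            frontier = nxt
        return False


class StreamDetector:
    """Per-event feature extraction; alerts only when signals correlate with history."""

    def __init__(self, graph):
        self.graph = graph
        self.recent = defaultdict(deque)   # ip -> deque of (ts, account) in the window
        self.alerts = []

    def _expire(self, ip, now):
        dq = self.recent[ip]
        while dq and now - dq[0][0] > WINDOW_SECONDS:
            dq.popleft()

    def process(self, ev):
        acct, ip, ts = ev["account"], ev["ip"], ev["ts"]
        self.graph.add_edge(acct, ip)          # persist the pattern to the graph
        self._expire(ip, ts)
        self.recent[ip].append((ts, acct))
        signals = []
        if len({a for _, a in self.recent[ip]}) >= SHARED_IP_THRESHOLD:
            signals.append("shared_ip")
        if ev.get("amount", 0.0) >= LARGE_TXN:
            signals.append("large_transaction")
        # A signal alone is not an alert; it must correlate with graph history.
        if signals and self.graph.linked_to_blacklist(acct):
            self.alerts.append({"account": acct, "ip": ip, "signals": signals, "ts": ts})
        return signals


def build_demo_graph():
    """Constructed history: acct_bad is blacklisted and once shared an IP with acct_mule."""
    g = AccountIpGraph()
    g.blacklist.add("acct_bad")
    g.add_edge("acct_bad", "10.0.0.99")
    g.add_edge("acct_mule", "10.0.0.99")
    return g


# Constructed event stream (not real platform data).
EVENTS = [
    {"ts": 1000, "account": "acct_a", "ip": "203.0.113.5", "action": "login"},
    {"ts": 1030, "account": "acct_b", "ip": "203.0.113.5", "action": "login"},
    {"ts": 1060, "account": "acct_mule", "ip": "203.0.113.5", "action": "transfer", "amount": 7500.0},
    {"ts": 1090, "account": "acct_c", "ip": "198.51.100.7", "action": "login"},
]


def run_demo():
    det = StreamDetector(build_demo_graph())
    per_event = [det.process(e) for e in EVENTS]
    return per_event, det.alerts, det


if __name__ == "__main__":
    signals, alerts, _ = run_demo()
    for ev, s in zip(EVENTS, signals):
        print(ev["account"], s)
    print("alerts:", alerts)
```

Only the third event produces an alert: it is the third distinct account on `203.0.113.5` inside the window and carries a large transaction, and the account is one hop from the blacklisted account in the graph. After that event, `acct_a` and `acct_b` are themselves two hops from the blacklist, so any later signal on them would alert as well, which is the "emerging connection" the page describes.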

Furthermore, detecting these schemes becomes much faster and less expensive than before. A comprehensive audit trail is still maintained through the raw logs stored in the SQL data lake, which can be used for validation and in-depth analysis.


The Results

As a result of Kineviz's solution, threat response time was reduced from days to minutes. The client maintains a blacklist of accounts and IPs; once our system was in place, they identified ten times as many accounts and IPs that met the blacklist criteria. Extracted features enabled proactive, automated monitoring of a large number of suspicious accounts and IP addresses. Instead of performing forensic analysis on schemes that had already defrauded the platform, the risk team shifted to proactively responding to threats, thereby preventing millions of dollars in losses.

Reference available on request.