Graph - Getting the complete picture

graph

(Tobias Berg) #1

We are evaluating Neo4j and Elasticsearch Graph to for detecting fraud among purchases.

One case that has come up is to detect when a phone number has been used by more than one person.

This doesn't seem to be possible using the graph UI. If I add a node for person (social security number) and one for phone number and search for everything, I get a bunch of nodes, but where most are 1-1 mappings. And after expanding the graph a couple of times with the +-sign, it stops expanding.

I guess that this is not a use case intended to be supported by the UI? Would a more practical way be to create a script that loops over all customers, gets the number of phone numbers and if there are more than one, add that to a task list which then has a link to the graph so it can be explored further?

Is that how one should think of the graph UI? You aren't supposed to get the complete picture from the UI, rather finding interesting patterns and once the patterns are identified, you create scripts that uses the api to find those patterns in the complete dataset?


(Mark Harwood) #2

The default settings are designed to look at connections in aggregate, filtering out noisy connections from lots of interactions. For more detailed forensic analysis such as yours these filter settings should be turned off in the GUI - this doc details the choices.

Also note,

  • the "+" button adds new vertices into your workspace
  • the chain-link button adds new lines between the existing vertices in your workspace

To avoid clutter, when using the "+" button the newly added vertices only draw lines between the new nodes and the currently selected vertices (which could have been only 1 selection). Consequently the graph shown may not have pulled in all of the connections that are available. The "link" button can be used to "back fill" more of the connections between existing vertices in the workspace.

Yes, the GUI can be used to formulate ideas for patterns to spot in your scripts that use the API.
However, the GUI is also useful for allowing investigators to act on alerts that have been created by your scripts for the (hopefully small) percentage of things that look risky. Each alert can contain a link that pops open the Graph workspace to show what the script saw as being risky and which can be further explored. A demo of configuring such a tasklist is here


(Tobias Berg) #3

Thank you for the explanation.

I have looked at your videos and they are very good at explaining the concept.

The combination of using the api, the graph and visualizations in Kibana will suit us very good I think.


(Mark Walkom) #4