My name is Pavel, I work in Finam and I successfully implemented such technology as messaging middleware, enterprise service bus, business process management, complex service processing, enterprise electric to practice. And today, let me present how we are using WSO2 CEP solution in our company for fraud prevention. 00:00 ▶

What is Finam? Finam, is an investment holding that consists of several broker companies, bank Investment company. It is a national leader and global broker in the flight of investment services. It operates in Russia, USA, Europe, India, China, and other countries. It has over three hundred thousand clients in forty countries, of which financial instruments market turnover is more than one point two trillion dollars. 0:42 ▶

As a company, we give the client opportunities to be an investor and to make orders and transactions in most global exchanges. The client can be anywhere at home, at work, or traveling. From anywhere he can successfully to make a deal on any stock exchange using a mobile application or a desktop application. Apart from clients, brokers, and stock exchange there are two other parts that can influence the business. One part is fraud, this is people who want to steal money from client accounts. And second one is regulators, who describe the rules on the financial markets. 1:24 ▶

About Fraud. Most attacks are targeted to claim terminals. Some attacks try to steal passwords or keys of trade/client terminals, and start using them from another device. For this case it is possible to detect parameters of claimed device and information about changing it. Another attack strike tried to get control on trade terminals on a claimed device and make operation directly from it. In most cases when somebody obtains access to change trade account, he will try to move money from one account to another account. In this case we can detect changes in trading in unusual volume, instruments or frequency. If you combine this to detections, we can improve signal about safe activity. 2:26 ▶

Regulatory rules. This list mostly refers to the company because all brokers must observe the financial rulings of a national regulatory rules. Stock market manipulation and insider trading are the biggest groups of illegal trading practice. Some sets of illegal orders can be done within milliseconds. You can see spoofing, pump and dump, and other algorithms. Some of the illegal practices can be done within hours or days. 3:42 ▶

We have several basic data sources, from exchange, from trade platforms and other data sources. From exchange we get information about market data and orders and trades. From trade platforms we can get information about clients, even such as access or orders. And from other systems we get information about any other events, such as the news. So we have up to one million stock data change per second and up to twenty five thousand deals per second. All events need to be analyzed before, to be analyzed to get an alarming signal. 3:42 ▶

For this task, I choose to use the CEP decision because it works in real time, it can work with many streams, and it can correlate even between streams. After we have chosen this type of solution, we had combined several CEP platforms, and we have chosen WSO2 because it has very good performance tests, very good documentation, it is an open source decision. We represented it to management and decided to start the power project. 5:17 ▶

In the first task, what you need to do when you start using this solution, you need to integrate your data with this solution. In our company we have two transport for market data. One transport is gRPC, and the second transport is JMS. gRPC is a google remote protocol, it allows organized fast point market integration between applications overridden in different languages such as C++, Java and Java Script. For gRPC we wrote a small convertor, it transforms gRPC protocol to thrift protocol. It works fast and doesn’t create any essential delay. CEP has several inbuilt transport adaptors. The JMS and thrift adaptor are a two of these adaptors. So events from the JMS channel can be automatically sent to WSO2. 6:05 ▶

Access data stream comes from any other data source types, such as database files and other messaging systems. In this case, what ESB does is eavesdrop. It integrates all types of incoming data, in which data with any additional information such as your IP data, your location, and sends data to complex processing using JMS transport. 7:32 ▶

When CEP generates an event, it sends it to the same JMS transport. These *EuroAds are hired to the right system, it can be CRM, BPM, a disc system or a trade platform system. 8:09 ▶

Before CEP will generate a signal, all incoming data must be analyzed. Any CEP solution provides such functionality such functions as transformation, filter, correlated data between several streams, aggregation events from several streams to one event. 8:30 ▶

WSO2 provides the same functionalities but with easy inbuilt language, Siddhi. As analyzed can be done very quickly. Some of the best files of Siddhi, when we found started using it, are skilled like language and the time intervals window and my property is very easy to loan for any software developer. 8:58 ▶

Some words about learning. WSO2 has a very good detailed documentation. So we spent only three days to connect our data stream to a JMS transport, three days to do gRPC transport, and we spent only five days to sit here and write our filed scripts. So after eleven days we had good connection for our fraud detection project. 9:32 ▶

So let me tell about several use cases where CEP is used now or will be used in the nearest future. First example is market manipulation type. One type of market manipulation is spoofing. In this case, a client places first a small order, after he places it technical big order in opposite direction to first order. Then he waits for the execution of the first order, and immediately closes technical order after execution of first order. In this case, we have three actions from client or from one group of clients to win one security term. And time between these actions can be several or tenths of milliseconds. And we successfully find such type of market manipulation. 10:08 ▶

Second use case is about access event. Clients can generate several access events. For example, from internet banking access, from trade terminal access, from bank card usage. Each event comes with an IP address. Using the IP we can determine the location, and if we find that a user had two or more access activities from different places with long distance between them in a short time period, we will generate alert signal. For example, user can not have a speed more than one thousand kilometers per hour. 11:15 ▶

Our next case, like I showed above, CEP can detect the connection from unusual device or from an unusual time or location. Also CEP can detect unusual order properties such as an unusual big volume of data operations, unusual instruments. And when CEP detect spots, it generates an alert for our operators. 12:08 ▶

Another type of use case is correlated data from stock market data streams and from news. For example, complex server processing framework can detect price changing of any company and at the same time it can detect increases of the reference count of the company in the blocks, in the news channels in the last 20 minutes. Combination of these events might generate a signal to trader to help him in choosing a right tactics. 12:41 ▶

With CEP we can simplify by maintaining use channels to detect negative information about our company and prevent it in the start. For example, we can find messages from news channels with our company name and negative words, and if you found several times messages, you know in the last hour, we can send signal our marketing department. 13:26 ▶

Conclusively, I’ve have shown you how using CEP, ESB and BPM solutions, and we have decisions. You can help your business improve using existing data, and open new perspectives and possibilities and to do it quickly. Thank you. 14:03 ▶