DISTRIBUTED DATAMINING IN CREDIT CARD FRAUD DETECTION

CONTENTS Abstract Organization Profile Introduction Object Oriented Analysis and Design (OOAD) Requirement Analysis Document 1. Introduction a. Purpose of the system b. Scope of the system c. Objectives and Success Criteria of the Project d. Definitions, acronyms and abbreviations 2. Current System 3. Proposed System a. Overview b. Functional Requirements c. Non Functional Requirements i. Usability ii. Reliability iii. Performance iv. Supportability v. Implementation vi. Interface vii. Packaging viii. Legal d. System Models i. Scenarios ii. Use Case Model iii. Object Model iv. Dynamic Model v. User interface Navigational Paths and Screen Mockups 4. Glossary

System Design Document 1. Introduction a. Purpose of the System b. Design Goals c. Definitions, acronyms and abbreviations d. References Current Software Architecture 2. Proposed Software Architecture a. Overview b. Subsystem Decomposition c. Hardware / Software mapping d. Persistent Data management e. Access Control and Security f. Global Software Control g. Boundary Conditions 3. Subsystem Services 4. Glossary Implementation Screens Testing Conclusion Bibliography

ABSTRACT

Credit card transactions continue to grow in number, taking a larger share of the US payment system, and have led to a higher rate of stolen account numbers and subsequent losses by banks. Hence, improved fraud detection has become essential to maintain the viability of the US payment system. Banks have been fielding early fraud warning systems for some years. We seek to improve upon the state-of-the-art in commercial practice via large scale data mining. Scalable techniques to analyze massive amounts of transaction data to compute efficient fraud detectors in a timely manner are an important problem, especially for e-commerce. Besides scalability and efficiency, the fraud detection task exhibits technical problems that include skewed distributions of training data and non-uniform cost per error, both of which have not been widely studied in the knowledge discovery and data mining community. Our proposed methods of combining multiple learned fraud detectors under a "cost model" are general and demonstrably useful; our empirical results demonstrate that we can significantly reduce loss due to fraud through distributed data mining of fraud models.

INTRODUCTION Credit card transactions continue to grow in number, taking an ever larger share in the US payment system and leading to the higher rate of stolen account numbers and subsequent losses by banks. Improved fraud detection thus has become essential to maintain the viability of the US-payment system. Banks has used early fraud warning systems for some years. Large-scale data-mining techniques can improve the state of art in commercial practice. Scalable techniques to analyze massive amounts of transaction data efficiently compute frauddetection tasks in a timely manner are an important problem, especially for e-commerce. Beside scalability and efficiency, the fraud-detection tasks exhibits technical problems that include screwed distributions of training data and non uniform cost per error, both of which had not been widely studied in the knowledge-discovery and data mining community. Our proposed methods of combining multiple learned fraud detectors under a cost model are general and demonstrate that we can significantly reduce loss due to fraud through distributed data-mining of fraud models. Our Approach In todays increasingly electronic society and with rapid advances of electronic commerce on the internet, the use of credit cards for purchases has become convenient and necessary. Credit card transactions have become the de facto standard for internet and web-based e-commerce. The growing number of credit card transactions provides more opportunity for thiefs to steal credit card numbers and subsequently commit fraud. When banks loose money of credit card fraud, card holders pay for all that loss through higher interest rates, higher fees, and reduced benefits. Hence it is in both the banks and the card holders interest to reduce illegitimate use of credit cards by early fraud detection. For many years the credit card industry has studied computing models for automated detection systems; recently, these models have been the subject of academic research, especially with respect to e-commerce.

The credit card fraud-detection domain presents a number of challenging issues for data mining. There is millions of credit card transactions processed each day. Mining such massive amounts of data requires highly efficient technique that scale. The data are highly screwed-many more transactions are legitimate than fraudulent. Typical accuracy based mining techniques can generate high accurate fraud detectors by simply predicting that all transactions are legitimate, although this is equivalent to not detecting fraud at all. Each transaction record has a different amount and thus has variable potential loss, rather than fixed misclassification cost per error-type, as is commonlyassumed in a cost based mining technique. Our approach addresses the efficiency and scalability issues in several ways. We divide a large data set of labeled transactions into smaller subsets; apply mining techniques to generate classifiers in parallel, and combine the resultant base models by metalearning from the classifiers behavior to generate Meta classifiers. Our approach treats the classifier as black boxes so that we can employ a variety of learning algorithms. Beside extensibility, combining multiple models computed over all available data produces met classifiers that can offset the loss of predictive performance that usually occurs when mining from data subsets or sampling. Furthermore, when we use the learned classifiers, the base classifiers can execute in parallel, with the Meta classifier then combining their results. So our approach is highly efficient in generating these models and also relatively efficient in applying them. Another parallel approach focuses on parallelizing a particular algorithm on a particular parallel architecture. However a new algorithm or architecture requires a substantial amount of parallel-programming work. Although our architecture and algorithm independent approach is not efficient as some fine grained parallelization approaches, it lets users plug different off-theshelf learning programs into a parallel and distributed environment with relative ease and eliminates the need for expensive parallel hardware.

Furthermore our approach can generate a potentially large no of classifiers from the currently processed data subsets, and therefore potentially require more computational resources during detection, we investigate pruning methods that identify redundant classifiers and remove them from the ensemble with out significantly degrading the predictive performance. This pruning technique increases learned detectors computational performance and throughput. The issue of screwed distributions has not been studied widely because many of the datasets used in this research do not exhibit this characteristic. We address skewness by partitioning the data into subsets with a desired distribution. Applying mining techniques to the subsets, and combining the mined classifiers by metal earning. Other researchers attempt to remove instances from the majority classes-instances that are in the border line region are candidates for removal. In contrast our approach keeps all the data for mining and doesnt change the underlying mining algorithms. We address the issue of non uniform cost by developing the appropriate cost model for the credit card fraud domain and biasing our methods toward reducing cost. This cost model determines the desired distribution just mentioned. AdaCost relies on the cost model for updating weights in the training distribution. Naturally, this cost model also defines the primary evaluation criterion for our techniques. Furthermore we investigate techniques to improve the cost performance of banks fraud detector by importing remote classifiers from other banks and combining this remotely learned knowledge with locally stored classifiers. The law and competitive concerns restrict banks from sharing information about their customers with other banks. However they may share black box fraud detection models. Our distributed data mining approach provides a direct and efficient solution to sharing knowledge with out sharing data. We also address possible incompatibility of data schemata among different banks. We designed and developed an agent based distribution environment to demonstrate our distributed and parallel data mining technique.

Credit Card Data and Cost Models: The records of the transactions consist of about 30 attributes including binary class label (fraudulent/ legitimate transaction). Some fields are numeric and categorical. Because account identification is not present in data, we cannot group transactions into accounts. Therefore, instead of learning behavioral models of individual customer accounts, we build overall models that try to differentiate legitimate transactions from fraudulent ones. Our models are customer independent and can serve as a second line of defense, the first being customer dependent models. Most machine learning literature concentrates on model accuracy This domain provides considerably different metric to evaluate the learned models performance models are evaluated and rated by a cost model. Due to different amounts of each credit card transaction and other factors, the cost failing to detect the fraud varies with each transaction. Hence the cost model for this domain relies on sum and average of loss caused by fraud. We define n CumulativeCost = Cost(i) i and CumulativeCost AverageCost = ---------------------------------n Where Cost(i) is the cost associated with transaction i, and n is the total no of transactions. Each investigation incurs an overhead, other related costs-for example, the operational resources needed for the fraud detection system-are consolidated into overhead. So if the amount of transaction is smaller than the overhead investigating the transaction is not worth while, even it is suspicious.

Cost model assuming fixed overhead Outcome Miss (false negative FN) False Alarm(false positive FP) Hit (true positive TP) Normal (true negative TN) Cost Tranamt Overhead if tranamt> overhead or 0 if tranamt overhead Overhead if tranamt>overhead or tranamt if tranamt overhead 0

Here for each Transaction, where tranamt is the amount of credit card transaction. The overhead threshold for obvious reasons is closely guarded secret and varies over time the range of values used here are probably reasonable levels as bound for this data set, but are probably significantly lower. We evaluated all our empirical studies using this cost model. Skewed Distributions Given skewed distribution, we would like to generate training set of labeled transactions with a desired distribution with out removing any data, which maximizes classifier performance. In this domain we found that determining the desired distributions is an experimental art and requires exclusive empirical tests to find the most effective training distribution. In our approach we first create data subsets with the desired distribution (determined by extensive sampling experiments). Then we generate classifiers from these subsets and combine them by metalearning from their classification behavior. For example the skewness distribution is 20:80 and desired distribution for generating the best models is 50:50, we randomly divide the majority instances into four partitions and from four data subsets by merging the minority instances with each of the four partitions from four data subsets to generate desired 50:50 distribution for each distributed training set. For concreteness. Let N be the size of the data set with a distribution of xy (x is the percentage of minority class) and u:v be the desired distribution. The no of minority instances is N*x, and desired number of majority instances in a subset is Nx * v/u. The number of subsets is the number of majority instances (N * y) divided by the no of desired majority instances in each

subset, which is Ny divided by the Nxv/u or y/x * u/v. so we have y/x * u/v subsets, each of which has Nx minority instances and Nxv/u majority instances. The next step is to apply a learning algorithm or algorithm to each subset. Because the learning processes on the subsets are independent, the subsets can be distributed to different processors and each learning process can run in parallel. For massive amounts of data, our approach can substantially improve speed for superliner time learning algorithms. The generated classifiers as combined by metalearning from their classification behavior. Class-Combiner strategy composes a metalevel training set by using the base classifiers predictions on a validations set as attribute values and the actual classification as the class label. This training set then serves for training a metaclassifier. For integrating subsets the class combiner strategy is more effective than the voting-based techniques. When the learned models are used during online fraud detection, transactions fed into the learned base classifiers and the metaclassifier then combines their predictions. Again the base classifiers are independent and can execute in parallel on different processors. In addition our approach can purne redundant base classifier with out effecting the cost performance, making it relatively efficient the credit card authorizatin process. C4.5, CART , Ripper and Bayes. Bayes the matalearner for all the applications, CART is used to generate classifiers. We calculate the R the ratio of the overhead amount to the average cost. R = Overhear/ Average Cost. Our approach is significantly more effective than the deployed COTS when R<6. Both methods are not effective when R>24. So under a reasonable cost model with a fixed overhead cost in challenging transactions as potentially fraudulent, when the number of fraudulent transactions is very small percentage of the total, is very un desirable to detect fraud. The loss due to fraud is yet another cost of conducting business. However- filtering out easy or low risk transaction can reduce a high overhead to-loss ratio. The filtering process can use fraud detectors that are built based on the individual customer profiles, which are now use by many credit card companies. These individual profiles characterize the customers purchasing behavior. For example, if customer regularly buys

groceries from a particular super market or has setup a monthly payment for telephone bills, these transactions are close to no risk; hence purchases of similar characteristics can be safely authorized with out further checking. Reducing the overhead through streamlining business operations and increased operation will also lower the ratio. Knowledge Sharing through Bridging Much of the prior work on the combining multiple models assumes that all models originate from different subsets of single data set as means to increase accuracy and not as a means to integrate distributed information. Although the JAM system addresses the later problem by employing meta learning techniques, integrating classification models derived from distinct distributed databases might not always be feasible. In all cases considered so far, all classification models are assumed to originate from databases from identical schemata because classifiers depends directly on the underlying datas format, minor differences in the schemata between databases derive in compatible classifiers That is a classifier that cannot be applied on data of different formats. Yet these classifiers may target the same concept. We seek the bridge these disparate classifiers in same principled fashion. The banks seek to be able to exchange their classifiers and thus incorporate useful information in their system that would otherwise be inaccessible to both. Indeed for each credit card transaction, both institutions record similar information, however they also include specific fields containing important information that each has acquired separately and that provides predictive value in determining fraudulent transaction patterns. To facilitate the exchange of knowledge and take advantage of in compactable and other wise useless classifiers, we need to devise methods that bridge the differences imposed by the different schemata.

Pruning An ensemble of classifiers can be unnecessarily complex, meaning that many classifiers might be redundant, wasting resources and reducing system throughput. We study the efficiency of metaclassifiers by investigating the effect of pruning on their performance. Determining optimal set of classifiers for metalearning is a combinatorial problem. Hence the objective of pruning is to utilized the heuristic methods to search for partially grown meta classifiers that are more efficient and scalable and at the same time archieve comparable or better predictive performance results than fully grown metaclassifier. There are two stages for pruning meta classifiers; The pre training and post training pruning stages.

Pretraining pruning refers to the filtering of classifiers before they are combined. Instead of combining classifiers in bruteforce manner, we introduce preliminary stage for analyzing the available classifiers and qualifying them from inclusion in a combined meta classifier. Only those classifiers that appear to be most promising participate in the final metaclassifier. Posttraining pruning denotes the evaluation and pruning of constituent base classifiers after a complete metaclassifier has been constructed.

OBJECT ORIENTED ANALYSIS AND DESIGN Object-oriented analysis and design (OAD) is often part of the development of large scale systems and programs often using the Unified Modeling Language (UML). OAD applies objectmodeling techniques to analyze the requirements for a context for example, a system, a set of system modules, an organization, or a business unit and to design a solution. Most modern object-oriented analysis and design methodologies are use case driven across requirements, design, implementation, testing, and deployment. Use cases were invented with object oriented programming, but they're also very well suited for systems that will be implemented in the procedural paradigm. The Unified Modeling Language (UML) has become the standard modeling language used in object-oriented analysis and design to graphically illustrate system concepts. Part of the reason for OAD is its use in developing programs that will have an extended lifetime. Object Oriented Systems An object-oriented system is composed of objects. The behavior of the system is achieved through collaboration between these objects, and the state of the system is the combined state of all the objects in it. Collaboration between objects involves them sending messages to each other. The exact semantics of message sending between objects varies depending on what kind of system is being modeled. In some systems, "sending a message" is the same as "invoking a method". In other systems, "sending a message" might involve sending data via a socket. Object Oriented Analysis Object-Oriented Analysis (OOA) aims to model the problem domain, the problem we want to solve by developing an object-oriented (OO) system. The source of the analysis is a written requirement statements, and/or written use cases, UML diagrams can be used to illustrate the statements.

An analysis model will not take into account implementation constraints, such as concurrency, distribution, persistence, or inheritance, nor how the system will be built. The model of a system can be divided into multiple domains each of which are separately analyzed, and represent separate business, technological, or conceptual areas of interest. The result of object-oriented analysis is a description of what is to be built, using concepts and relationships between concepts, often expressed as a conceptual model. Any other documentation that is needed to describe what is to be built, is also included in the result of the analysis. That can include a detailed user interface mock-up document. The implementation constraints are decided during the object-oriented design (OOD) process. Object Oriented Design Object-Oriented Design (OOD) is an activity where the designers are looking for logical solutions to solve a problem, using objects. Object-oriented design takes the conceptual model that is the result of object-oriented analysis, and adds implementation constraints imposed by the environment, the programming language and the chosen tools, as well as architectural assumptions chosen as basis of design. The concepts in the conceptual model are mapped to concrete classes, to abstract interfaces in APIs and to roles that the objects take in various situations. The interfaces and their implementations for stable concepts can be made available as reusable services. Concepts identified as unstable in object-oriented analysis will form basis for policy classes that make decisions, implement environment-specific or situation specific logic or algorithms. The result of the object-oriented design is a detail description how the system can be built, using objects.

Object-oriented software engineering (OOSE) is an object modeling language and methodology OOSE was developed by Ivar Jacobson in 1992 while at Objectory AB. It is the first object-oriented design methodology to employ use cases to drive software design. It also uses other design products similar to those used by OMT. The tool Objectory was created by the team at Objectory AB to implement the OOSE methodology. After success in the marketplace, other tool vendors also supported OOSE. After Rational bought Objectory AB, the OOSE notation, methodology, and tools became superseded.

As one of the primary sources of the Unified Modeling Language (UML), concepts and notation from OOSE have been incorporated into UML. The methodology part of OOSE has since evolved into the Rational Unified Process (RUP). The OOSE tools have been replaced by tools supporting UML and RUP.

OOSE has been largely replaced by the UML notation and by the RUP methodology.

SOFTWARE PROFILE About Java Initially the language was called as oak but it was renamed as Java in 1995. The primary motivation of this language was the need for a platform-independent (i.e., architecture neutral) language that could be used to create software to be embedded in various consumer electronic devices. Java is a programmers language. Java is cohesive and consistent. Except for those constraints imposed by the Internet environment, Java gives the programmer, full control. Finally, Java is to Internet programming where C was to system programming.

Importance of Java to the Internet Java has had a profound effect on the Internet. This is because; Java expands the Universe of objects that can move about freely in Cyberspace. In a network, two categories of objects are transmitted between the Server and the Personal computer. They are: Passive information and Dynamic active programs. The Dynamic, Self-executing programs cause serious problems in the areas of Security and probability. But, Java addresses those concerns and by doing so, has opened the door to an exciting new form of program called the Applet.

Java can be used to create two types of programs Applications and Applets: An application is a program that runs on our Computer under the operating system of that computer. It is more or less like one creating using C or C++. Javas ability to create Applets makes it important. An Applet is an application designed to be transmitted over the Internet and executed by a Java compatible web browser. An applet is

actually a tiny Java program, dynamically downloaded across the network, just like an image. But the difference is, it is an intelligent program, not just a media file. It can react to the user input and dynamically change. Features of Java Security Every time you that you download a normal program, you are risking a viral infection. Prior to Java, most users did not download executable programs frequently, and those who did scanned them for viruses prior to execution. Most users still worried about the possibility of infecting their systems with a virus. In addition, another type of malicious program exists that must be guarded against. This type of program can gather private information, such as credit card numbers, bank account balances, and passwords. Java answers both these concerns by providing a firewall between a network application and your computer. When you use a Java-compatible Web browser, you can safely download Java applets without fear of virus infection or malicious intent. Portability For programs to be dynamically downloaded to all the various types of platforms connected to the Internet, some means of generating portable executable code is needed .As you will see, the same mechanism that helps ensure security also helps create portability. Indeed, Javas solution to these two problems is both elegant and efficient. The Byte code The key that allows the Java to solve the security and portability problems is that the output of Java compiler is Byte code. Byte code is a highly optimized set of instructions designed to be executed by the Java run-time system, which is called the Java Virtual Machine (JVM). That is, in its standard form, the JVM is an interpreter for byte code.

Translating a Java program into byte code helps makes it much easier to run a program in a wide variety of environments. The reason is, once the run-time package exists for a given system, any Java program can run on it.

Although Java was designed for interpretation, there is technically nothing about Java that prevents on-the-fly compilation of byte code into native code. Sun has just completed its Just In Time (JIT) compiler for byte code. When the JIT compiler is a part of JVM, it compiles byte code into executable code in real time, on a piece-by-piece, demand basis. It is not possible to compile an entire Java program into executable code all at once, because Java performs various run-time checks that can be done only at run time. The JIT compiles code, as it is needed, during execution. Java Virtual Machine (JVM) Beyond the language, there is the Java virtual machine. The Java virtual machine is an important element of the Java technology. The virtual machine can be embedded within a web browser or an operating system. Once a piece of Java code is loaded onto a machine, it is verified. As part of the loading process, a class loader is invoked and does byte code verification makes sure that the code thats has been generated by the compiler will not corrupt the machine that its loaded on. Byte code verification takes place at the end of the compilation process to make sure that is all accurate and correct. So byte code verification is integral to the compiling and executing of Java code.

Overall Description
Java Source

Java byte code

JavaVM

Java

.Class
Picture showing the development process of JAVA Program

Java programming uses to produce byte codes and executes them. The first box indicates that the Java source code is located in a. Java file that is processed with a Java compiler called javac. The Java compiler produces a file called a. class file, which contains the byte code. The. Class file is then loaded across the network or loaded locally on your machine into the execution environment is the Java virtual machine, which interprets and executes the byte code.

Java Architecture Java architecture provides a portable, robust, high performing environment for development. Java provides portability by compiling the byte codes for the Java Virtual Machine, which is then interpreted on each platform by the run-time environment. Java is a dynamic system, able to load code when needed from a machine in the same room or across the planet. Compilation of code When you compile the code, the Java compiler creates machine code (called byte code) for a hypothetical machine called Java Virtual Machine (JVM). The JVM is supposed to execute the byte code. The JVM is created for overcoming the issue of portability. The code is written and compiled for one machine and interpreted on all machines. This machine is called Java Virtual Machine.

Compiling and interpreting Java Source Code

Source Code .. .. ..

PC Compiler Java Macintosh Compiler Byte code (Platform Indepen dent)

Java Interpreter (PC)

SPARC

Java Interpreter (Macintosh) Java Interpreter (Spare)

Compiler

During run-time the Java interpreter tricks the byte code file into thinking that it is running on a Java Virtual Machine. In reality this could be a Intel Pentium Windows 95 or SunSARC station running Solaris or Apple Macintosh running system and all could receive code from any computer through Internet and run the Applets. Simple Java was designed to be easy for the Professional programmer to learn and to use effectively. If you are an experienced C++ programmer, learning Java will be even easier. Because Java inherits the C/C++ syntax and many of the object oriented features of C++. Most of the confusing concepts from C++ are either left out of Java or implemented in a cleaner, more approachable manner. In Java there are a small number of clearly defined ways to accomplish a given task.

Object-Oriented Java was not designed to be source-code compatible with any other language. This allowed the Java team the freedom to design with a blank slate. One outcome of this was a clean usable, pragmatic approach to objects. The object model in Java is simple and easy to extend, while simple types, such as integers, are kept as high-performance non-objects. Robust The multi-platform environment of the Web places extraordinary demands on a program, because the program must execute reliably in a variety of systems. The ability to create robust programs was given a high priority in the design of Java. Java is strictly typed language; it checks your code at compile time and run time. Java virtually eliminates the problems of memory management and deallocation, which is completely automatic. In a well-written Java program, all run time errors can and should be managed by your program.

Client Server Over view: With the varied topic in existence in the fields of computers, Client Server is one, which has generated more heat than light, and also more hype than reality. This technology has acquired a certain critical mass attention with its dedication conferences and magazines. Major computer vendors such as IBM and DEC; have declared that Client Servers is their main future market. A survey of DBMS magazine reveled that 76% of its readers were actively looking at the client server solution. The growth in the client server development tools from $200 million in 1992 to more than $1.2 billion in 1996.

Client server implementations are complex but the underlying concept is simple and powerful. A client is an application running with local resources but able to request the database

and relate the services from separate remote server. The software mediating this client server interaction is often referred to as MIDDLEWARE. The typical client either a PC or a Work Station connected through a network to a more powerful PC, Workstation, Midrange or Main Frames server usually capable of handling request from more than one client. However, with some configuration server may also act as client. A server may need to access other server in order to process the original client request.

The key client server idea is that client as user is essentially insulated from the physical location and formats of the data needs for their application. With the proper middleware, a client input from or report can transparently access and manipulate both local database on the client machine and remote databases on one or more servers. An added bonus is the client server opens the door to multi-vendor database access indulging heterogeneous table joins.

What is a Client Server Two prominent systems in existence are client server and file server systems. It is essential to distinguish between client servers and file server systems. Both provide shared network access to data but the comparison dens there! The file server simply provides a remote disk drive that can be accessed by LAN applications on a file-by-file basis. The client server offers full relational database services such as SQL-Access, Record modifying, Insert, Delete with full relational integrity backup/ restore performance for high volume of transactions, etc. the client server middleware provides a flexible interface between client and server, who does what, when and to whom.

Why Client Server

Client server has evolved to solve a problem that has been around since the earliest days of computing: how best to distribute your computing, data generation and data storage resources in order to obtain efficient, cost effective departmental an enterprise wide data processing.

During mainframe era choices were quite limited. A central machine housed both the CPU and DATA (cards, tapes, drums and later disks). Access to these resources was initially confined to batched runs that produced departmental reports at the appropriate intervals. A strong central information service department ruled the corporation. The role of the rest of the corporation limited to requesting new or more frequent reports and to provide hand written forms from which the central data banks were created and updated. The earliest client server solutions therefore could best be characterized as SLAVE-MASTER.

Time-sharing changed the picture. Remote terminal could view and even change the central data, subject to access permissions. And, as the central data banks evolved in to sophisticated relational database with non-programmer query languages, online users could formulate adhoc queries and produce local reports with out adding to the MIS applications software backlog. However remote access was through dumb terminals, and the client server remained subordinate to the Slave\Master.

Front end or User Interface Design

The entire user interface is planned to be developed in browser specific environment with a touch of Intranet-Based Architecture for achieving the Distributed Concept.

The browser specific components are designed by using the HTML standards, and the dynamism of the designed by concentrating on the constructs of the Java Server Pages. Communication or Database Connectivity Tier The Communication architecture is designed by concentrating on the Standards of Servlets and Enterprise Java Beans. The database connectivity is established by using the Java Data Base Connectivity.

The standards of three-tire architecture are given major concentration to keep the standards of higher cohesion and limited coupling for effectiveness of the operations. SERVLETS Introduction The Java web server is JavaSoft's own web Server. The Java web server is just a part of a larger framework, intended to provide you not just with a web server, but also with tools. To build customized network servers for any Internet or Intranet client/server system. Servlets are to a web server, how applets are to the browser. About Servlets Servlets provide a Java-based solution used to address the problems currently associated with doing server-side programming, including inextensible scripting solutions, platform-specific APIs, and incomplete interfaces. Servlets are objects that conform to a specific interface that can be plugged into a Javabased server. Servlets are to the server-side what applets are to the client-side - object byte codes that can be dynamically loaded off the net. They differ from applets in that they are faceless objects (without graphics or a GUI component). They serve as platform independent, dynamically loadable, plugable helper byte code objects on the server side that can be used to dynamically extend server-side functionality.

For example, an HTTP Servlets can be used to generate dynamic HTML content. When you use Servlets to do dynamic content you get the following advantages:

Theyre faster and cleaner than CGI scripts They use a standard API (the Servlets API) They provide all the advantages of Java (run on a variety of servers without needing to be rewritten).

Attractiveness of Servlets There are many features of Servlets that make them easy and attractive to use. These include:

Easily configured using the GUI-based Admin tool Can be loaded and invoked from a local disk or remotely across the network. Can be linked together, or chained, so that one Servlets can call another Servlets, or several Servlets in sequence. Can be called dynamically from within HTML pages, using server-side include tags. Are secure - even when downloading across the network, the Servlets security model and Servlets sandbox protect your system from unfriendly behavior.

Advantages of the Servlet API One of the great advantages of the Servlet API is protocol independence. It assumes nothing about: The protocol being used to transmit on the net How it is loaded The server environment it will be running in

These qualities are important, because it allows the Servlet API to be embedded in many different kinds of servers. There are other advantages to the Servlet API as well. These include: Its extensible - you can inherit all your functionality from the base classes made available to you. Its simple, small, and easy to use.

Features of Servlets Servlets are persistent. Servlet are loaded only by the web server and can maintain services between requests. Servlets are fast. Since Servlets only need to be loaded once, they offer much better performance over their CGI counterparts. Servlets are platform independent. Servlets are extensible. Java is a robust, object-oriented programming language, which easily can be extended to suit your needs Servlets are secure. Servlets can be used with a variety of clients.

Loading Servlets Servlets can be loaded from three places From a directory that is on the CLASSPATH. The CLASSPATH of includes service root/classes/ which is where the system classes reside. the JavaWebServer

From the <SERVICE_ROOT /Servlets/ directory.

This is *not* in the servers class

path. A class loader is used to create Servlets from this directory. New Servlets can be added existing Servlets can be recompiled and the server will notice these changes.

From a remote location. For this a code base like http: // nine.eng / classes / foo / is required in addition to the Servlets class name. Refer to the admin GUI docs on Servlet section to see how to set this up.

Loading Remote Servlets Remote Servlets can be loaded by: 1. Configuring the Admin Tool to setup automatic loading of remote Servlets 2. Setting up server side include tags in. shtml files 3. Defining a filter chain configuration

Invoking Servlets A Servlet invoker is a Servlet that invokes the "service" method on a named Servlet. If the Servlet is not loaded in the server, then the invoker first loads the Servlet (either from local disk or from the network) and the then invokes the "service" method. Also like applets, local Servlets in the server can be identified by just the class name. In other words, if a Servlet name is not absolute, it is treated as local. A client can invoke Servlets in the following ways: The client can ask for a document that is served by the Servlet. The client (browser) can invoke the Servlet directly using a URL, once it has been mapped using the Servlet Aliases section of the admin GUI. The Servlet can be invoked through server side include tags. The Servlet can be invoked by placing it in the Servlets/ directory. The Servlet can be invoked by using it in a filter chain.

JavaScript JavaScript is a script-based programming language that was developed by Netscape Communication Corporation. JavaScript was originally called Live Script and renamed as JavaScript to indicate its relationship with Java. JavaScript supports the development of both client and server components of Web-based applications. On the client side, it can be used to

write programs that are executed by a Web browser within the context of a Web page. On the server side, it can be used to write Web server programs that can process information submitted by a Web browser and then updates the browsers display accordingly

Even though JavaScript supports both client and server Web programming, we prefer JavaScript at Client side programming since most of the browsers supports it. JavaScript is almost as easy to learn as HTML, and JavaScript statements can be included in HTML documents by enclosing the statements between a pair of scripting tags <SCRIPTS>.. </SCRIPT>. <SCRIPT LANGUAGE = JavaScript> JavaScript statements </SCRIPT> Here are a few things we can do with JavaScript:

Validate the contents of a form and make calculations. Add scrolling or changing messages to the Browsers status line. Animate images or rotate images that change when we move the mouse over them. Detect the browser in use and display different content for different browsers. Detect installed plug-ins and notify the user if a plug-in is required.

We can do much more with JavaScript, including creating entire application. JavaScript Vs Java JavaScript and Java are entirely different languages. A few of the most glaring differences are: Java applets are generally displayed in a box within the web document; JavaScript can affect any part of the Web document itself. While JavaScript is best suited to simple applications and adding interactive features to Web pages; Java can be used for incredibly complex applications.

There are many other differences but the important thing to remember is that JavaScript and Java are separate languages. They are both useful for different things; in fact they can be used together to combine their advantages. Advantages

JavaScript can be used for Sever-side and Client-side scripting. It is more flexible than VBScript. JavaScript is the default scripting languages at Client-side since all the browsers supports it.

Hyper Text Markup Language Hypertext Markup Language (HTML), the languages of the World Wide Web (WWW), allows users to produces Web pages that include text, graphics and pointer to other Web pages (Hyperlinks). HTML is not a programming language but it is an application of ISO Standard 8879, SGML (Standard Generalized Markup Language), but specialized to hypertext and adapted to the Web. The idea behind Hypertext is that instead of reading text in rigid linear structure, we can easily jump from one point to another point. We can navigate through the information based on our interest and preference. A markup language is simply a series of elements, each delimited with special characters that define how text or other items enclosed within the elements should be displayed. Hyperlinks are underlined or emphasized works that load to other documents or some portions of the same document. HTML can be used to display any type of document on the host computer, which can be geographically at a different location. It is a versatile language and can be used on any platform or desktop.

HTML provides tags (special codes) to make the document look attractive. HTML tags are not case-sensitive. Using graphics, fonts, different sizes, color, etc., can enhance the presentation of the document. Anything that is not a tag is part of the document itself. Basic HTML Tags : <! ---> Specifies comments Creates hypertext links Formats text as bold Formats text in large font. Contains all tags and text in the HTML document Creates text Definition of a term Creates definition list Formats text with a particular font Encloses a fill-out form Defines a particular frame in a set of frames Creates headings of different levels Contains tags that specify information about a document Creates a horizontal rule Contains all other HTML tags Provides meta-information about a document Contains client-side or server-side script Creates a table Indicates table data in a table Designates a table row Creates a heading in a table <A>.</A> <B>.</B> <BIG>.</BIG> <BODY></BODY> <CENTER>...</CENTER> <DD></DD> <DL>...</DL> <FONT></FONT> <FORM>...</FORM> <FRAME>...</FRAME> <H#></H#> <HEAD>...</HEAD> <HR>...</HR> <HTML></HTML> <META>...</META> <SCRIPT></SCRIPT> <TABLE></TABLE> <TD></TD> <TR></TR> <TH></TH>

Advantages

A HTML document is small and hence easy to send over the net. It is small because it does not include formatted information. HTML is platform independent. HTML tags are not case-sensitive.

Java Database Connectivity

What Is JDBC? JDBC is a Java API for executing SQL statements. (As a point of interest, JDBC is a trademarked name and is not an acronym; nevertheless, JDBC is often thought of as standing for Java Database Connectivity. It consists of a set of classes and interfaces written in the Java programming language. JDBC provides a standard API for tool/database developers and makes it possible to write database applications using a pure Java API. Using JDBC, it is easy to send SQL statements to virtually any relational database. One can write a single program using the JDBC API, and the program will be able to send SQL statements to the appropriate database. The combinations of Java and JDBC lets a programmer write it once and run it anywhere. What Does JDBC Do? Simply put, JDBC makes it possible to do three things:

Establish a connection with a database Send SQL statements Process the results.

JDBC versus ODBC and other APIs At this point, Microsoft's ODBC (Open Database Connectivity) API is that probably the most widely used programming interface for accessing relational databases. It offers the ability to connect to almost all databases on almost all platforms.

So why not just use ODBC from Java? The answer is that you can use ODBC from Java, but this is best done with the help of JDBC in the form of the JDBC-ODBC Bridge, which we will cover shortly. The question now becomes "Why do you need JDBC?" There are several answers to this question:

1. ODBC is not appropriate for direct use from Java because it uses a C interface. Calls from Java to native C code have a number of drawbacks in the security, implementation, robustness, and automatic portability of applications. 2. A literal translation of the ODBC C API into a Java API would not be desirable. For example, Java has no pointers, and ODBC makes copious use of them, including the notoriously error-prone generic pointer "void *". You can think of JDBC as ODBC translated into an object-oriented interface that is natural for Java programmers.

3. ODBC is hard to learn. It mixes simple and advanced features together, and it has complex options even for simple queries. JDBC, on the other hand, was designed to keep simple things simple while allowing more advanced capabilities where required. 4. A Java API like JDBC is needed in order to enable a "pure Java" solution. When ODBC is used, the ODBC driver manager and drivers must be manually installed on every client machine. When the JDBC driver is written completely in Java, however, JDBC code is automatically installable, portable, and secure on all Java platforms from network computers to mainframes.

Two-tier and Three-tier Models

The JDBC API supports both two-tier and three-tier models for database access.

In the two-tier model, a Java applet or application talks directly to the database. This requires a JDBC driver that can communicate with the particular database management system being accessed. A user's SQL statements are delivered to the database, and the results of those statements are sent back to the user. The database may be located on another machine to which the user is connected via a network. This is referred to as a client/server configuration, with the user's machine as the client, and the machine housing the database as the server. The network can be an Intranet, which, for example, connects employees within a corporation, or it can be the Internet.

JAVA Application JDBC

Client machine

DBMS-proprietary protocol

Java applet or Html browser

Client machine HTTP,(GUI) or CORBA RMI,

DBMS
Application Server (Java) JDBC

calls Server machine DBMS-proprietary (business Logic) protocol Database server

DBMS

In the three-tier model, commands are sent to a "middle tier" of services, which then send SQL statements to the database. The database processes the SQL statements and sends the results back to the middle tier, which then sends them to the user. MIS directors find the three-tier model very attractive because the middle tier makes it possible to maintain control over access and the kinds of updates that can be made to corporate data. Another advantage is that when there is a middle tier, the user can employ an easy-to-use higher-level API which is translated by the middle tier into the appropriate low-level calls. Finally, in many cases the three-tier architecture can provide performance advantages.

Until now the middle tier has typically been written in languages such as C or C++, which offer fast performance. However, with the introduction of optimizing compilers that translate Java byte code into efficient machine-specific code, it is becoming practical to implement the middle tier in Java. This is a big plus, making it possible to take advantage of Java's robustness, multithreading, and security features. JDBC is important to allow database access from a Java middle tier.

JDBC Driver Types

The JDBC drivers that we are aware of at this time fit into one of four categories: JDBC-ODBC bridge plus ODBC driver Native-API partly-Java driver JDBC-Net pure Java driver

Native-protocol pure Java driver

JDBC-ODBC Bridge

If possible, use a Pure Java JDBC driver instead of the Bridge and an ODBC driver. This completely eliminates the client configuration required by ODBC. It also eliminates the potential that the Java VM could be corrupted by an error in the native code brought in by the Bridge (that is, the Bridge native library, the ODBC driver manager library, the ODBC driver library, and the database client library).

What Is the JDBC- ODBC Bridge?

The JDBC-ODBC Bridge is a JDBC driver, which implements JDBC operations by translating them into ODBC operations. To ODBC it appears as a normal application program. The Bridge implements JDBC for any database for which an ODBC driver is available. The Bridge is implemented as the

Sun.jdbc.odbc Java package and contains a native library used to access ODBC. The Bridge is a joint development of Innersole and Java Soft. Java Server Pages (JSP) Java server Pages is a simple, yet powerful technology for creating and maintaining dynamic-content web pages. Based on the Java programming language, Java Server Pages offers proven portability, open standards, and a mature re-usable component model .The Java Server Pages architecture enables the separation of content generation from content presentation. This

separation not eases maintenance headaches; it also allows web team members to focus on their areas of expertise. Now, web page designer can concentrate on layout, and web application designers on programming, with minimal concern about impacting each others work.

Features of JSP

Portability: Java Server Pages files can be run on any web server or web-enabled application server that provides support for them. Dubbed the JSP engine, this support involves recognition, translation, and management of the Java Server Page lifecycle and its interaction components.

Components It was mentioned earlier that the Java Server Pages architecture can include reusable Java components. The architecture also allows for the embedding of a scripting language directly into the Java Server Pages file. The components current supported include Java Beans, and Servlets.

Processing A Java Server Pages file is essentially an HTML document with JSP scripting or tags. The Java Server Pages file has a JSP extension to the server as a Java Server Pages file. Before the page is served, the Java Server Pages syntax is parsed and processed into a Servlet on the

server side. The Servlet that is generated outputs real content in straight HTML for responding to the client.

Access Models: A Java Server Pages file may be accessed in at least two different ways. A clients request comes directly into a Java Server Page. In this scenario, suppose the page accesses reusable Java Bean components that perform particular well-defined computations like accessing a database. The result of the Beans computations, called result sets is stored within the Bean as properties. The page uses such Beans to generate dynamic content and present it back to the client. In both of the above cases, the page could also contain any valid Java code. Java Server Pages architecture encourages separation of content from presentation. Steps in the execution of a JSP Application: 1. The client sends a request to the web server for a JSP file by giving the name of the JSP file within the form tag of a HTML page. 2. This request is transferred to the JavaWebServer. At the server side JavaWebServer receives the request and if it is a request for a jsp file server gives this request to the JSP engine. 3. JSP engine is program which can understands the tags of the jsp and then it converts those tags into a Servlet program and it is stored at the server side. This Servlet is loaded in the memory and then it is executed and the result is given back to the JavaWebServer and then it is transferred back to the result is given back to the JavaWebServer and then it is transferred back to the client. JDBC connectivity The JDBC provides database-independent connectivity between the J2EE platform and a wide range of tabular data sources. JDBC technology allows an Application Component Provider to:

 Perform connection and authentication to a database server Manager transactions Move SQL statements to a database engine for preprocessing and execution Execute stored procedures Inspect and modify the results from Select statements

Purpose The generated application is the first version upon the system. The overall system is planned to be in the formal of distributed architecture with homogeneous database platform. The major objective of the overall system is to keep the following components intact.

System consistency System integrity Overall security of data Data reliability and Accuracy User friendly name both at administration and user levels Considering the fact of generality and clarity To cross check that the system overcomes the hurdles of the version specific standards Our Proposed system uses the MVC (Model View Controller Architecture for the project Development). MVC Architecture Defines that The controller is separated from the system model and View. It is composed of three different layers. Being a Web based architecture. The User Interface is completely separated from the entire Business Logic Layer. The database and business logic are bounded to gather. The Database Layer and Business Logic Layer runs on the server Machine and the User Interface Layer will run under the Client Machine. For developing the User Interface we are having HTML and Java Script. For Business Login and Database Connectivity Servlets and JSP are

used. In the Backed the servlets and Jsps are connected to Database through JDBC API. The web server plays a major role in connecting the client user interface and the servlets and JSP. The Block Diagram of the Architecture is as follows.

User Interface (HTML / Java Script) httpResponse httpRequest

Web Server
Servlets/ JSPs
JDBC

Oracle

REQUIREMENTS ANALYSIS DOCUMENT Introduction

a. Purpose of the system The main purpose of the system is to design and implement an effective intelligent system to detect the credit card fraud. The system is to be implemented in the credit card authorization process. The main client requires the system to be effective and must be capable of detecting the fraud transactions that will be occurred due to the stolen credit card numbers. b. Scope of the System The scope of the system includes designing the learning agents, classifiers, meta classifiers, meta learners, implementing the cost model in differentiating fraud transactions from legitimate ones. c. Objectives and Success Criteria of the Project The main objective of the system is to develop an efficient and intelligent authorization tool to detect the fraud credit card transactions for US Payment system. This includes the designing the project by using the object oriented programming approach. Technically the project is feasible by using the java web technologies. The possibility is being verified by the distributed data mining approach. d. Definitions, acronyms and abbreviation PAR Pre Authentication Request R PAR Response to Pre Authentication Request FR Fulfillment Request RFR Response to Fulfillment Request Classifier An agent that can classify massive data based on the cost model Learner An agent that is responsible for detecting the fraud transaction based on the classifier data.

Overhead Some cost incurred due to versification of transaction. Cumulative Cost Total Amount of transaction with the period. Average Cost Average of the Total Amount. Current System The current system will only accept the credit card payments blindly. There is no scientific and intelligent approach to detect the credit card frauds. Proposed System Overview: The proposed system is the most intelligent way to analyze and detect the fraud transactions. It uses cost model to analyze the transactions. The system requires more data mining and bridging techniques to connect to the different sites in the distributed databases. The transactions can be identified and classified using classifiers at a single site based on all the sites there is meta classifiers to classify the transactions. There are learning agents called learners which will learn from the classifiers. Functional Requirements: The major functional requirements of the system are as follows. 1. To classify the data on a single site 2. To implement the learners on the system 3. To create meta classifiers in based on different sites of the system 4. To create meta learners based on the different classifiers 5. To analyze each transaction and find fraud transactions 6. To Generate the reports based on the no of transactions detected as fraud Non Functional Requirements:

The major non functional Requirements of the system are as follows 1. The requests from the merchants. 2. Credit card transactions. 3. 2 months of credit card data for learning

1. Usability The system is designed with completely automated process hence there is no or less user intervention. 2. Reliability The system is more reliable because of the qualities that are inherited from the chosen platform java. The code built by using java is more reliable. 3. Performance The system exhibits high performance because it is well optimized. The areas like calculation of overhead. The code will be executed when ever there is more difference between the overhead and the transaction amount else it will ignore the transaction even if it is fraud transaction. 4. Supportability The system is designed to be the cross platform supportable. The system is supported on a wide range of hardware and any software platform which is having JVM built into the system. 5. Implementation The system is implemented in web environment. The apache tomcat is used as the web server and windows xp professional is used as the platform. 6. Interface The user interface is based on HTML and XHTML.

7. Packaging The entire application is packaged into the single package named ccfds. 8. Legal The code subjected in this project is user permissions are issued to the us payment system.

System Models i. SCENARIOS Scenario1: The Merchant required to register with the system in order to acquire the username and password from the US Payment system. US payment system will send the userid and password for the Merchant and post the content. Scenario2: The Merchant will use the user id and password when ever a credit card payment is made by the customer. Scenario3: The administrator will authorize the request for registration from the merchant.

Scenario 4:

When ever the merchant requires making a transaction first he must send the pre authentication request to the Us Payment system with his digital signature. Then the Us payment system will send the response to pre authentication request with the details like whether the amount is available or not. Later the merchant will send the fulfillment request. In response to the fulfillment request the Us payment system will deduct the funds and will send the fulfillment response to the merchant. Scenario 5: The customer requests the merchant for purchasing of product through the credit card. The merchant will provide the user interface to enter the credit card data and then submits the form. Scenario 6: The authorization process will be done based on the cost model and data is mined and overhead is calculated and authorized based on the fraud detection system. ii. Use Case Model An Use case is an description of the behavior of the system. That description is written from the point of view of a user who just told the system to do something particular. A use case captures the visible sequence of events that a system goes through in response to a single user stimulus. A visible event is a event that the user can see. Use cases dont discuss the hidden mechanisms of the system they only describe those things that a user can see. The use case diagrams for our project are as follows. Customer Use case:

Use Case Description Use Case Name Participating Actors Flow of Events Select Product Customer 1. The customer will browse the e-commerce web site of the marchant 2. The customer will select the products he required 3. The customer will finalize the products Pre Condition Post Condition Quality Requirements 4. The customer will enter the payment screen. Not Applicable The customer must confirm the order Merchant Perspective

Use Case Name Participating Actors Flow of Events

Enter the Card Details Customer 1. The customer will enter the payment screen 2. The customer will enter his credit card number

3. He will accept the agreement with the merchant Pre Condition Post Condition Quality Requirements Use Case Name Participating Actors Flow of Events Pre Condition Post Condition Quality Requirements Submit the Request Customer 1. After the completion of the filling the details, The customer required to submit the form for product purchase. The credit card must have sufficient amount of funds to purchase the product The response must be sent to the customer on successful or un-successful or fraud payment. Merchant Perspective 4. He will enter the pin number if applicable The Customer Must have a valid Credit Card Not Applicable Merchant Perspective

Administrator Use Case

Use Case Name Participating Actors Flow of Events

Authorize Merchant Administrator 1. The administrator after verify the merchant request. 2. The administrator will check whether the merchant is accepting the criteria or not. 3. The administrator will grant the privileges to use the system electronically. The merchant must have valid registration certificates for making ebusiness Not Applicable Verification of the merchant must be strict.

Pre Condition Post Condition Quality Requirements

Use Case Name Participating

Remove Merchant Administrator

Actors Flow of Events Pre Condition Post Condition Quality Requirements

1. The administrator will Remove and block the transactions from the specified merchant by disabling his account. The proper reason for removing the merchant must be shown. The merchant must not do any transaction after the removal. Not Applicable

Use Case Name Participating Actors Flow of Events

View Saved Transactions Administrator 1. The administrator will click on the view saved transaction 2. This administrator will select the duration when the transaction are saved. 3. The transactions that are identified as fraud and blocked are displayed Not Applicable Not Applicable Not Applicable

Pre Condition Post Condition Quality Requirements

Use Case Name Participating Actors Flow of Events Pre Condition Post Condition Quality

View Fraud Notified Administrator 1. The administrator will look at Fraud Notified Transactions of a specific period. Not Applicable Not Applicable Not Applicable

Requirements

Use Case Name Participating Actors Flow of Events

Authorized Fraud Detected Transaction Administrator 1. The admin will view all the detected transactions. 2. He will search with the reference number provided by the merchant 3. Then he will authorize the transaction based on the merchants or customer request from the bank. The Transaction must be in fraud transactions The transaction must restart Not Applicable

Pre Condition Post Condition Quality Requirements

Use Case Name Participating Actors Flow of Events

Commission Setting Administrator 1. The admin will click on the commission settings 2. And change the commission based on different criteria 3. Cost of transaction basis 4. Merchant business basis 5. No of transactions basis Not Applicable Not Applicable Not Applicable

Pre Condition Post Condition Quality Requirements

Merchant User Case

Use Case Name Participating Actors Flow of Events

Request Service Merchant 1. First the merchant will click on the request service 2. Then he will fill the form that displayed on the screen. 3. He will then submit the form. Not Applicable Not Applicable Good User interface Design

Pre Condition Post Condition Quality Requirements

Use Case Name Participating Actors Flow of Events

Send Pre-authentication Request Administrator 1. Merchant site will send the pre authentication request to the Us Payment system to authorize the credit card. 2. This includes the credit card no and cost of purchases from he merchant Not Applicable Not Applicable Not Applicable

Pre Condition Post Condition Quality Requirements Use Case Name Participating Actors Flow of Events

Send Fulfillment Request Administrator 1. The merchant site will communicate with Us Payment system with fulfillment request.

2. The fulfillment request will complete the transaction by deducting Pre Condition Post Condition Quality Requirements the amount. The pre authentication request must be done The fulfillment response must be sent to the client. Not Applicable

iii. Object Model

iv. Dynamic Model

The class diagram will show association between the classes. That is one class holds the reference to the other class. Merchant Module Class Diagram

v. User Interface Navigational Paths and Screen Mockups The user interface is designed to be the web based User interface Java Server Pages are used to build the User interface. Navigational Paths

1. Customer -> Choose the product from e-commerce site ->Choose credit card payment mode ->enter card id and password -> Look for the transaction response. 2. Merchant (e-commerce site concerned person) -> Register for Credit card Service -> get the userid and password -> Accept the terms and conditions -> Use the service.

3. Administrator (Us Payment System authorized person) -> Accept the Request from the new merchants -> looks at old clients requests -> Allow new merchants to use the site. 4. Administrator -> View the detected fraud transactions -> On request retake the transaction.

Glossary: The complete requirements of the system are analyzed are. US payment system requires a secured system that can detect the fraud transactions from the legitimate ones. The solution is based on the cost model. It is completely based on the purchased made by the customer in past few months. Hardly 1 or 2 months. Analysis of data can be done in two components called

classifier which will classify the data based on the distribution and learners which will learn from the classified data.

SYSTEM DESIGN DOCUMENT 1. INTRODUCTION a. Purpose of the System

The main purpose of the system to build an Intelligent and automated solution for the US payment system to detect the fraud transactions. b. Design Goals The major design goals of the system are as follows. 1. To train agents that learn from the database transactions 2. To write the classifiers that can classify the data based on the cost model 3. To implement the adacost algorithm. 4. To develop an user interface which is having control over it. c. Definitions, acronyms and abbreviations Cardholder: A person who is using credit card. Merchant: A person or organization that has goods and services to sell to the card holder Issuer: This is the company that provides the cardholder with the credit card in the first place. It is issuer that is responsible for the payment of the debt of the cardholder. Issuers are financial institutions like banks. Brand: The brands are owned by the bankcard associations, consortiums of financial institutions that promote and advertise the brand, establish operating rules and provide a network for payment authorizations and fund transfer. Acquirer: This is an organization that provides card authorization and payment capture services for merchants. A merchant will normally want to accept more than one credit card brand, but does not want to have to deal with multiple bank card associations. They achieve this by using the services of the acquirer.

Payment Gateway: This is a function that is provided on behalf of an acquirer. The payment gateway is the interface between the acquirer and the existing bank card associations networks for authorization and capture functions. The payment gateway acts as a proxy for the bank card network functions. Certification Authority: This is a function provides public key certification. d. References 1. Company Statements 2. Credit card description books 3. Credit card security issues 4. Credit transaction formats from the company old database.

2. CURRENT SOFTWARE ARCHITECTURE The current software is based on the web based architecture built on the strong foundations on Enterprise Java Beans. It follows the faade design pattern.

3. PROPOSE SOFTWARE ARCHITECTURE a. Overview The architecture is completely a four tier architectures, The bottom tier is designed as the database tier, on the database tier there exists database classifiers and learners, Up on the classifiers and learns there exist the Meta classifiers and Meta Learners, Above the Meta classifiers and learners layer there exists the User Interface along with the Business logic handlers. The User interface layer is concentrated in designing the screens for the administrators and merchants who requires services from the Us payment system. The Handlers Layer will take care about the business logic of the entire application where it was assembled. The Meta Classifiers and Meta Learners will take care about the Data Mining part to extract knowledge from the distributed database systems. The classifiers will classify data based on the distribution. The learners will extract the knowledge on the single system from the classifier. The database layer is based on the oracle will take care about the transaction data and the application data that is stored in it.

The Current software architecture block diagram will look like this.

User Interfaces & Business Logic

Meta Classifier & Meta Learners

Classifier & Learner

Classifier & Learner

Classifier & Learner

Classifier & Learner

DB1

DB2

DB3

DB4

b. Subsystem Decomposition The system is decomposed into four subsystems. The Algorithm implementation module, User Interface module, Intelligent Agent Module and Administration Module. The algorithm implementation module consists of implementation of AdaCost Algorithm. This module is implemented in single class which is dependent on the other raw data of the credit card payments. The User Interface module deals with the designing of the screens and JSP pages that are required to interact with the user, It also includes designing of the reports based on the user requests. The user interface is built on Java servlets and HTML technology. The Intelligent Agent Module consists of implementing the learners that will learn knowledge from the classifier which will classify the data using the data mining techniques based on the cost. There is also implementation of meta learners which will again gather data

from the many learners that exists in the distributed system. The meta classifiers will again classify the data based on the classifiers of each individual system. The administration module deals with the implementation of the record generation, commission details, detected fraud details, money saved due to fraud transaction details. It is also having the power of authorizing and restricting the merchant.

c. Hardware / Software Mapping

Hardware Requirements CPU RAM HDD Network : : : : Intel Pentium 4 Processor 512 MB 80 GB NIC Card Required

Software Requirements Programming Language Database Backend Technologies Scripting Language Operating System : : : : : Java (Version JDK 1.5) Oracle 10g Release 2 Servlets, JSP Java Script Windows XP Professional With Service pack 2

d. Persistent Data Management

The persistent data in this project is handled by the Oracle 10g Release 2 DataBase System, The data is distributed over many sites because to handle the huge database it is very complicated to handle on a single system. It incurs more cost to purchase a storage system of that capacity. The persistent data designed on a single node would be as follows. Database normalization is a design technique by which relational database tables are structured in such a way as to make them invulnerable to certain types of logical inconsistencies and anomalies. Tables can be normalized to varying degrees: relational database theory defines "normal forms" of successively higher degrees of stringency, so, for example, a table in third normal form is less open to logical inconsistencies and anomalies than a table that is only in second normal form. Although the normal forms are often defined (informally) in terms of the characteristics of tables, rigorous definitions of the normal forms are concerned with the characteristics of mathematical constructs known as relations. Whenever information is represented relationallythat is, roughly speaking, as values within rows beneath fixed column headingsit makes sense to ask to what extent the representation is normalized.

Problems addressed by normalization

A table that is not sufficiently normalized can suffer from logical inconsistencies of various types, and from anomalies involving data operations. In such a table:

The same fact can be expressed on multiple records; therefore updates to the table may result in logical inconsistencies. For example, each record in an unnormalized "DVD Rentals" table might contain a DVD ID, Member ID, and Member Address; thus a change of address for a particular member will potentially need to be applied to multiple records. If the update is not carried through successfullyif, that is, the member's address is updated on some records but not othersthen the table is left in an inconsistent state. Specifically, the table provides conflicting answers to the question of

what this particular member's address is. This phenomenon is known as an update anomaly.

There are circumstances in which certain facts cannot be recorded at all. In the above example, if it is the case that Member Address is held only in the "DVD Rentals" table, then we cannot record the address of a member who has not yet rented any DVDs. This phenomenon is known as an insertion anomaly.

There are circumstances in which the deletion of data representing certain facts necessitates the deletion of data representing completely different facts. For example, suppose a table has the attributes Student ID, Course ID, and Lecturer ID (a given student is enrolled in a given course, which is taught by a given lecturer). If the number of students enrolled in the course temporarily drops to zero, the last of the records referencing that course must be deletedmeaning, as a side-effect, that the table no longer tells us which lecturer has been assigned to teach the course. This phenomenon is known as a deletion anomaly.

Ideally, a relational database should be designed in such a way as to exclude the possibility of update, insertion, and deletion anomalies. The normal forms of relational database theory provide guidelines for deciding whether a particular design will be vulnerable to such anomalies. It is possible to correct an unnormalized design so as to make it adhere to the demands of the normal forms: this is normalization. Normalization typically involves decomposing an unnormalized table into two or more tables which, were they to be combined (joined), would convey exactly the same information as the original table.

Background to normalization: definitions

Functional dependency:Attribute B has a functional dependency on attribute A if, for each value of attribute A, there is exactly one value of attribute B. For example, Member Address has a functional dependency on Member ID, because a particular Member Address value corresponds to every Member ID value. An attribute may be functionally dependent either on a single attribute or on a combination of attributes. It is not possible to determine the extent to which a design is normalized without understanding what functional dependencies apply to the attributes within its tables; understanding this, in turn, requires knowledge of the problem domain.

Trivial functional dependency: A trivial functional dependency is a functional dependency of an attribute on a superset of itself. {Member ID, Member Address} {Member Address} is trivial, as is {Member Address} {Member Address}.

Full functional dependency: An attribute is fully functionally dependent on a set of attributes X if it is a) functionally dependent on X, and b) not functionally dependent on any proper subset of X. {Member Address} has a functional dependency on {DVD ID, Member ID}, but not a full functional dependency, for it is also dependent on {Member ID}.

Multivalued dependency: A multivalued dependency is a constraint according to which the presence of certain rows in a table implies the presence of certain other rows: see the Multivalued Dependency article for a rigorous definition.

Superkey: A superkey is an attribute or set of attributes that uniquely identifies rows within a table; in other words, two distinct rows are always guaranteed to have distinct superkeys. {DVD ID, Member ID, Member Address} would be a superkey for the "DVD Rentals" table; {DVD ID, Member ID} would also be a superkey.

Candidate key: A candidate key is a minimal superkey, that is, a superkey for which we can say that no proper subset of it is also a superkey. {DVD ID, Member ID} would be a candidate key for the "DVD Rentals" table.

Non-prime attribute: A non-prime attribute is an attribute that does not occur in any candidate key. Member Address would be a non-prime attribute in the "DVD Rentals" table.

Primary key: Most DBMSs require a table to be defined as having a single unique key, rather than a number of possible unique keys. A primary key is a candidate key which the database designer has designated for this purpose.

History Edgar F. Codd first proposed the process of normalization and what came to be known as the 1st normal form:

There is, in fact, a very simple elimination procedure which we shall call normalization. Through decomposition non-simple domains are replaced by "domains whose elements are atomic (non-decomposable) values."

Edgar F. Codd, A Relational Model of Data for Large Shared Data Banks

In his paper, Edgar F. Codd used the term "non-simple" domains to describe a heterogeneous data structure, but later researchers would refer to such a structure as an abstract data type. Normal forms The normal forms (abbrev. NF) of relational database theory provide criteria for determining a table's degree of vulnerability to logical inconsistencies and anomalies. The higher the normal form applicable to a table, the less vulnerable it is to such inconsistencies and anomalies. Each table has a "highest normal form" (HNF): by definition, a table always meets the requirements of its HNF and of all normal forms lower than its HNF; also by definition, a table fails to meet the requirements of any normal form higher than its HNF. The normal forms are applicable to individual tables; to say that an entire database is in normal form n is to say that all of its tables are in normal form n. Newcomers to database design sometimes suppose that normalization proceeds in an iterative fashion, i.e. a 1NF design is first normalized to 2NF, then to 3NF, and so on. This is not an accurate description of how normalization typically works. A sensibly designed table is likely to be in 3NF on the first attempt; furthermore, if it is 3NF, it is overwhelmingly likely to have an HNF of 5NF. Achieving the "higher" normal forms (above 3NF) does not usually require an extra expenditure of effort on the part of the designer, because 3NF tables usually need no modification to meet the requirements of these higher normal forms. Edgar F. Codd originally defined the first three normal forms (1NF, 2NF, and 3NF). These normal forms have been summarized as requiring that all non-key attributes be dependent on "the key, the whole key and nothing but the key". The fourth and fifth normal forms (4NF and 5NF) deal specifically with the representation of many-to-many and one-to-many relationships among attributes. Sixth normal form (6NF) incorporates considerations relevant to temporal databases.

First normal form

The criteria for first normal form (1NF) are:

A table must be guaranteed not to have any duplicate records; therefore it There must be no repeating groups, i.e. no attributes which occur a

must have at least one candidate key.

different number of times on different records. For example, suppose that an employee can have multiple skills: a possible representation of employees' skills is {Employee ID, Skill1, Skill2, Skill3 ...}, where {Employee ID} is the unique identifier for a record. This representation would not be in 1NF.

Note that all relations are in 1NF. The question of whether a given

representation is in 1NF is equivalent to the question of whether it is a relation. Second normal form The criteria for second normal form (2NF) are:

The table must be in 1NF. None of the non-prime attributes of the table are functionally dependent

on a part (proper subset) of a candidate key; in other words, all functional dependencies of non-prime attributes on candidate keys are full functional dependencies. For example, consider a "Department Members" table whose attributes are Department ID, Employee ID, and Employee Date of Birth; and suppose that an employee works in one or more departments. The combination of Department ID and Employee ID uniquely identifies records within the table. Given that Employee Date of Birth depends on only one of those attributes namely, Employee ID the table is not in 2NF.

Note that if none of a 1NF table's candidate keys are composite i.e.

every candidate key consists of just one attribute then we can say immediately that the table is in 2NF.

Third normal form The criteria for third normal form (3NF) are:

The table must be in 2NF. There are no non-trivial functional dependencies between non-prime

attributes. A violation of 3NF would mean that at least one non-prime attribute is only indirectly dependent (transitively dependent) on a candidate key, by virtue of being functionally dependent on another non-prime attribute. For example, consider a "Departments" table whose attributes are Department ID, Department Name, Manager ID, and Manager Hire Date; and suppose that each manager can manage one or more departments. {Department ID} is a candidate key. Although Manager Hire Date is functionally dependent on {Department ID}, it is also functionally dependent on the non-prime attribute Manager ID. This means the table is not in 3NF. Boyce-Codd normal form The criteria for Boyce-Codd normal form (BCNF) are:

The table must be in 3NF. Every non-trivial functional dependency must be a dependency on a

superkey. Fourth normal form The criteria for fourth normal form (4NF) are:

The table must be in BCNF. There must be no non-trivial multivalued dependencies on something

other than a superkey. A BCNF table is said to be in 4NF if and only if all of its multivalued dependencies are functional dependencies.

Fifth normal form The criteria for fifth normal form (5NF and also PJ/NF) are:

The table must be in 4NF. There must be no non-trivial join dependencies that do not follow from the

key constraints. A 4NF table is said to be in the 5NF if and only if every join dependency in it is implied by the candidate keys. Domain/key normal form Domain/key normal form (or DKNF) requires that a table not be subject to any constraints other than domain constraints and key constraints.

Sixth normal form

This normal form was, as of 2005, only recently proposed: the sixth normal form (6NF) was only defined when extending the relational model to take into account the temporal dimension. Unfortunately, most current SQL technologies as of 2005 do not take into account this work, and most temporal extensions to SQL are not relational. See work by Date, Darwen and Lorentzos for a relational temporal extension, or see TSQL2 for a different approach.

In our project the normalization satisfies up to Third Normal Form. The Tables used in our project are as follows. Table Name: Column Name MerchantID MerchantPswd TransactionReferenceNo Amount CreditCardNo CreditCardExpiryDate CreditCardIssueDate CreditCardIssueNo TransactionID PreAuthenticationRequest Type Size Description Varchar2 30 Varchar2 30 Varchar2 50 Reference Number at the merchant Number 9,2 Amount to be debited Number 16 CardHolder card no Date Expiry date of the credit card Date (Optional) Date (Optional) Varchar2(30) 30 Transactionid Generated by sequence Table Name: Column Name StatusNo StatusDescription TransactionReferenceNo Amount CreditCardNo CreditCardExpiryDate CreditCardIssueDate CreditCardIssueNo TransactionID PreAuthenticationResponse Type Size Description Varchar2 10 The status of the transaction Varchar2 250 Description about the transaction Varchar2 50 Reference Number at the merchant Number 9,2 Amount to be debited Number 16 CardHolder card no Date Expiry date of the credit card Date (Optional) Date (Optional) Varchar2 30 Reference from PreAuthenticationRequest

Table Name: Column Name TransactionID MerchantID MerchantPassword Type of transaction Authenticationcode ReferenceNo

Fulfillment Request Type Size Varchar2 30 Varchar2 Varchar2 Varchar2 Varchar2 Varchar2 30 30 30 30 30

Description Reference preauthenticationRequest

from

Fulfill

Table Name: Column Name TransactionID Status TransactionReferenceNo TranTime Mode

FulfillmentResponse Type Size Varchar2 30 Varchar2 Varchar2 TimeStamp Varchar2 30 50 10

Description Reference

from

preauthenticationrequest Fullfilledok Reference Number at the merchant Time the transaction processed Test when using test account, real when using realtime

Table Name: Column Name marchantID marchantPassword BusinessDetails BankAccountNo ContactDetails Table Name: Column Name MerchantID Cost of Agreement AmountRange Commissionid

Merchant Type Varchar2 Varchar2 Varchar2 Varchar2 Varchar2

Size 30 30 250 30 250

Description The identity

of

the

merchant

generated by sequence Marchant Password Includes registered

number,

affiliation, standards. Account No of the Mearchant Location, Contact no .. etc

CommissionSettings Type Size Varchar2 20 Number 9,2 Varchar2 50 Number

Description The MerchatID Percentage per transaction. Range of Amount that percentage is applicable Generated from the sequence

Table Name: Column Name TransactionID Commission Commissionid

CommissionEarned Type Size Varchar2 30 Number 9,2 Number

Description The transaction id As per percentage in table Generated from the sequence

e. Access Control and Security The access control over the system will be given to only two users one is administrator and other is merchant. The admin can modify the accounts, view the saved transactions, view the saved amount, view the saved money. He is the authorized person to authorize the merchant to use the system. The merchant is given permissions to send the requests to the Us payment system. Later after authorization the credit card services can be used by the merchant.

f. Global Software Control The software control is subjected to the all the copyright laws, Us law for information technology and Software standard owing to Institute for Electrical Electronics Engineers (IEEE). g. Boundary Conditions The system implementation is up to the fraud detection in the credit card transactions. All the implementations are based on only the distributed data mining. Some modules are added for testing the system, The modules such as administration, merchant payment and credit card modules only designed to test the fraud detection system.

4. SUB SYSTEM SERVICES The project is divided into four subsystems Algorithm Implementation module, User Interface Module, Intelligent Agent Module and Administration Module. Services of the Algorithm Implementation module 1. Required to calculate the cumulative cost of the entire database in the specified period of time 2. Required to calculate the average cost of the entire database in the specified period of time 3. Required to provide the data for the classifier for classification based on the distribution. 4. Required to provide the data for the learning agents to store the learning data. Service of the User Interface Module 1. It must provide the designs that are user friendly 2. The components must be categorized based on the user requirement. 3. The UI system must specify the UI level constraints for validation of input data.

Intelligent Agent Module 1. The module required to train the agents based on the data from the meta classifiers and meta learners. 2. The module must authorize the new transaction based on the knowledge learned from the database history. Administration Module 1. The administration module is responsible for the administrator level activities like authorizing the transaction. 2. Viewing the saved transactions and saved money. 3. Viewing the percentage saved. 4. Authorizing the merchant to use the service.

5. GLOSSARY At in the System design document we have identified how to develop the system and how the entire system was divided into sub systems. Here our project id divided into four sub systems each and every sub system functionality is defined. The process of handling the persistent data is done using the oracle database management system.

IMPLEMENTATION SCREENS

TESTING Software Testing is the process used to help identify the correctness, completeness, security, and quality of developed computer software. Testing is a process of technical investigation,

performed on behalf of stakeholders, that is intended to reveal quality-related information about the product with respect to the context in which it is intended to operate. This includes, but is not limited to, the process of executing a program or application with the intent of finding errors. Quality is not an absolute; it is value to some person. With that in mind, testing can never completely establish the correctness of arbitrary computer software; testing furnishes a criticism or comparison that compares the state and behaviour of the product against a specification. An important point is that software testing should be distinguished from the separate discipline of Software Quality Assurance (SQA), which encompasses all business process areas, not just testing. There are many approaches to software testing, but effective testing of complex products is essentially a process of investigation, not merely a matter of creating and following routine procedure. One definition of testing is "the process of questioning a product in order to evaluate it", where the "questions" are operations the tester attempts to execute with the product, and the product answers with its behavior in reaction to the probing of the tester[citation needed]. Although most of the intellectual processes of testing are nearly identical to that of review or inspection, the word testing is connoted to mean the dynamic analysis of the productputting the product through its paces. Some of the common quality attributes include capability, reliability, efficiency, portability, maintainability, compatibility and usability. A good test is sometimes described as one which reveals an error; however, more recent thinking suggests that a good test is one which reveals information of interest to someone who matters within the project community.

Introdu

ction

In general, software engineers distinguish software faults from software failures. In case of a failure, the software does not do what the user expects. A fault is a programming error that may or may not actually manifest as a failure. A fault can also be described as an error in the correctness of the semantic of a computer program. A fault will become a failure if the exact computation conditions are met, one of them being that the faulty portion of computer software executes on the CPU. A fault can also turn into a failure when the software is ported to a different hardware platform or a different compiler, or when the software gets extended. Software testing is the technical investigation of the product under test to provide stakeholders with quality related information. Software testing may be viewed as a sub-field of Software Quality Assurance but typically exists independently (and there may be no SQA areas in some companies). In SQA, software process specialists and auditors take a broader view on software and its development. They examine and change the software engineering process itself to reduce the amount of faults that end up in the code or deliver faster. Regardless of the methods used or level of formality involved the desired result of testing is a level of confidence in the software so that the organization is confident that the software has an acceptable defect rate. What constitutes an acceptable defect rate depends on the nature of the software. An arcade video game designed to simulate flying an airplane would presumably have a much higher tolerance for defects than software used to control an actual airliner. A problem with software testing is that the number of defects in a software product can be very large, and the number of configurations of the product larger still. Bugs that occur infrequently are difficult to find in testing. A rule of thumb is that a system that is expected to function without faults for a certain length of time must have already been tested for at least that length of time. This has severe consequences for projects to write long-lived reliable software.

A common practice of software testing is that it is performed by an independent group of testers after the functionality is developed but before it is shipped to the customer. This practice often results in the testing phase being used as project buffer to compensate for project delays.

Another practice is to start software testing at the same moment the project starts and it is a continuous process until the project finishes. Another common practice is for test suites to be developed during technical support escalation procedures. Such tests are then maintained in regression testing suites to ensure that future updates to the software don't repeat any of the known mistakes. It is commonly believed that the earlier a defect is found the cheaper it is to fix it. Time Detected Requirements 1 -

Time Introduced Requirements Architecture Construction .

Architecture 3 1 -

Construction 5-10 10 1

System Test 10 15 10

Post-Release 10-100 25-100 10-25

In counterpoint, some emerging software disciplines such as extreme programming and the agile software development movement, adhere to a "test-driven software development" model. In this process unit tests are written first, by the programmers (often with pair programming in the extreme programming methodology). Of course these tests fail initially; as they are expected to. Then as code is written it passes incrementally larger portions of the test suites. The test suites are continuously updated as new failure conditions and corner cases are discovered, and they are integrated with any regression tests that are developed. Unit tests are maintained along with the rest of the software source code and generally integrated into the build process (with inherently interactive tests being relegated to a partially manual build acceptance process). The software, tools, samples of data input and output, and configurations are all referred to collectively as a test harness. History

The separation of debugging from testing was initially introduced by Glenford J. Myers in his 1978 book the "Art of Software Testing". Although his attention was on breakage testing it illustrated the desire of the software engineering community to separate fundamental development activities, such as debugging, from that of verification. Drs. Dave Gelperin and William C. Hetzel classified in 1988 the phases and goals in software testing as follows: until 1956 it was the debugging oriented period, where testing was often associated to debugging: there was no clear difference between testing and debugging. From 1957-1978 there was the demonstration oriented period where debugging and testing was distinguished now - in this period it was shown, that software satisfies the requirements. The time between 1979-1982 is announced as the destruction oriented period, where the goal was to find errors. 1983-1987 is classified as the evaluation oriented period: intention here is that during the software lifecycle a product evaluation is provided and measuring quality. From 1988 on it was seen as prevention oriented period where tests were to demonstrate that software satisfies its specification, to detect faults and to prevent faults. Dr. Gelperin chaired the IEEE 829-1988 (Test Documentation Standard) with Dr. Hetzel writing the book "The Complete Guide of Software Testing". Both works were pivotal in to today's testing culture and remain a consistent source of reference. Dr. Gelperin and Jerry E. Durant also went on to develop High Impact Inspection Technology that builds upon traditional Inspections but utilizes a test driven additive. White-box and black-box testing White box and black box testing are terms used to describe the point of view a test engineer takes when designing test cases. Black box being an external view of the test object and white box being an internal view. Software testing is partly intuitive, but largely systematic. Good testing involves much more than just running the program a few times to see whether it works. Thorough analysis of the program under test, backed by a broad knowledge of testing techniques and tools are prerequisites to systematic testing. Software Testing is the process of executing software in a controlled manner; in order to answer the question Does this software behave as specified? Software testing is used in association with Verification and Validation. Verification is the checking of or testing of items, including software, for conformance and consistency with an associated specification. Software testing is just one kind of verification, which also uses

techniques as reviews, inspections, walk-through. Validation is the process of checking what has been specified is what the user actually wanted.

Validation: Are we doing the right job? Verification: Are we doing the job right?

In order to achieve consistency in the Testing style, it is imperative to have and follow a set of testing principles. This enhances the efficiency of Testing within SQA team members and thus contributes to increased productivity. The purpose of this document is to provide overview of the testing, plus the techniques. At SDEI, 3 levels of software testing is done at various SDLC phases

Unit Testing: in which each unit (basic component) of the software is tested to verify that the detailed design for the unit has been correctly implemented Integration testing: in which progressively larger groups of tested software components corresponding to elements of the architectural design are integrated and tested until the software works as a whole.

System testing: in which the software is integrated to the overall product and tested to show that all requirements are met

A further level of testing is also done, in accordance with requirements:

Acceptance testing: upon which the acceptance of the complete software is based. The clients often do this. Regression testing: is used to refer the repetition of the earlier successful tests to ensure that changes made in the software have not introduced new bugs/side effects.

In recent years the term grey box testing has come into common usage. The typical grey box tester is permitted to set up or manipulate the testing environment, like seeding a database, and can view the state of the product after his actions, like performing a SQL query on the database to be certain of the values of columns. It is used almost exclusively of client-server testers or others who use a database as a repository of information, but can also apply to a tester who has to

manipulate XML files (DTD or an actual XML file) or configuration files directly. It can also be used of testers who know the internal workings or algorithm of the software under test and can write tests specifically for the anticipated results. For example, testing a data warehouse implementation involves loading the target database with information, and verifying the correctness of data population and loading of data into the correct tables. Test levels

Unit testing tests the minimal software component and sub-component or modules by the programmers. Integration testing exposes defects in the interfaces and interaction between integrated components(modules). Functional testing tests the product according to programmable work. System testing tests an integrated system to verify/validate that it meets its requirements. Acceptance testing testing can be conducted by the client. It allows the end-user or customer or client to decide whether or not to accept the product. Acceptance testing may be performed after the testing and before the implementation phase. See also Development stage
o

Alpha testing is simulated or actual operational testing by potential users/customers or an independent test team at the developers' site. Alpha testing is often employed for off-the-shelf software as a form of internal acceptance testing, before the software goes to beta testing. Beta testing comes after alpha testing. Versions of the software, known as beta versions, are released to a limited audience outside of the company. The software is released to groups of people so that further testing can ensure the product has few faults or bugs. Sometimes, beta versions are made available to the open public to increase the feedback field to a maximal number of future users.

It should be noted that although both Alpha and Beta are referred to as testing it is in fact use emersion. The rigors that are applied are often unsystematic and many of the basic tenets of testing process are not used. The Alpha and Beta period provides insight into environmental and utilization conditions that can impact the software.

After modifying software, either for a change in functionality or to fix defects, a regression test re-runs previously passing tests on the modified software to ensure that the modifications haven't unintentionally caused a regression of previous functionality. Regression testing can be performed at any or all of the above test levels. These regression tests are often automated. Test cases, suites, scripts and scenarios A test case is a software testing document,which consists of

event,action,input,output,expected result and actual result. Clinically defined (IEEE 829-1998) a test case is an input and an expected result. This can be as pragmatic as 'for condition x your derived result is y', whereas other test cases described in more detail the input scenario and what results might be expected. It can occasionally be a series of steps (but often steps are contained in a separate test procedure that can be exercised against multiple test cases, as a matter of economy) but with one expected result or expected outcome. The optional fields are a test case ID, test step or order of execution number, related requirement(s), depth, test category, author, and check boxes for whether the test is automatable and has been automated. Larger test cases may also contain prerequisite states or steps, and descriptions. A test case should also contain a place for the actual result. These steps can be stored in a word processor document, spreadsheet, database or other common repository. In a database system, you may also be able to see past test results and who generated the results and the system configuration used to generate those results. These past results would usually be stored in a separate table. The term test script is the combination of a test case, test procedure and test data. Initially the term was derived from the byproduct of work created by automated regression test tools. Today, test scripts can be manual, automated or a combination of both. The most common term for a collection of test cases is a test suite. The test suite often also contains more detailed instructions or goals for each collection of test cases. It definitely contains a section where the tester identifies the system configuration used during testing. A group of test cases may also contain prerequisite states or steps, and descriptions of the following tests.

Collections of test cases are sometimes incorrectly termed a test Plan. They might correctly be called a test specification. If sequence is specified, it can be called a test script, scenario or procedure. A sample testing cycle Although testing varies between organizations, there is a cycle to testing: 1. Requirements Analysis: Testing should begin in the requirements phase of the software development life cycle. During the design phase, testers work with developers in determining what aspects of a design are testable and under what parameter those tests work. 2. Test Planning: Test Strategy, Test Plan(s), Test Bed creation. 3. Test Development: Test Procedures, Test Scenarios, Test Cases, Test Scripts to use in testing software. 4. Test Execution: Testers execute the software based on the plans and tests and report any errors found to the development team. 5. Test Reporting: Once testing is completed, testers generate metrics and make final reports on their test effort and whether or not the software tested is ready for release. 6. Retesting the Defects Not all errors or defects reported must be fixed by a software development team. Some may be caused by errors in configuring the test software to match the development or production environment. Some defects can be handled by a workaround in the production environment. Others might be deferred to future releases of the software, or the deficiency might be accepted by the business user. There are yet other defects that may be rejected by the development team (of course, with due reason) if they deem it inappropriate to be called a defect. Code coverage Code coverage is inherently a white box testing activity. The target software is built with special options or libraries and/or run under a special environment such that every function that

is exercised (executed) in the program(s) are mapped back to the function points in the source code. This process allows developers and quality assurance personnel to look for parts of a system that are rarely or never accessed under normal conditions (error handling and the like) and helps reassure test engineers that the most important conditions (function points) have been tested. Test engineers can look at code coverage test results to help them devise test cases and input or configuration sets that will increase the code coverage over vital functions. Two common forms of code coverage used by testers are statement (or line) coverage, and path (or edge) coverage. Line coverage reports on the execution footprint of testing in terms of which lines of code were executed to complete the test. Edge coverage reports which branches, or code decision points were executed to complete the test. They both report a coverage metric, measured as a percentage. Generally code coverage tools and libraries exact a performance and/or memory or other resource cost which is unacceptable to normal operations of the software. Thus they are only used in the lab. As one might expect there are classes of software that cannot be feasibly subjected to these coverage tests, though a degree of coverage mapping can be approximated through analysis rather than direct testing. There are also some sorts of defects which are affected by such tools. In particular some race conditions or similar real time sensitive operations can be masked when run under code coverage environments; and conversely some of these defects may become easier to find as a result of the additional overhead of the testing code.

Controversy This article or section does not adequately cite its references or sources. Please help improve this article by adding citations to reliable sources.

There is considerable controversy among testing writers and consultants about what constitutes responsible software testing. Members of the "context-driven" school of testing believe that there are no "best practices" of testing, but rather that testing is a set of skills that allow the tester to select or invent testing practices to suit each unique situation. This belief directly contradicts standards such as the IEEE 829 test documentation standard, and organizations such as the Food and Drug Administration who promote them. Some of the major controversies include: Agile vs. Traditional Starting around 1990, a new style of writing about testing began to challenge what had come before. The seminal work in this regard is widely considered to be Testing Computer Software, by Cem Kaner. Instead of assuming that testers have full access to source code and complete specifications, these writers, including Kaner and James Bach, argued that testers must learn to work under conditions of uncertainty and constant change. Meanwhile, an opposing trend toward process "maturity" also gained ground, in the form of the Capability Maturity Model. The agile testing movement (which includes but is not limited to forms of testing practiced on agile development projects) has popularity mainly in commercial circles, whereas the CMM was embraced by government and military software providers. However, saying that "maturity models" like CMM gained ground against or opposing Agile testing may not be right. Agile movement is a 'way of working', while CMM are a process improvement idea.

There is however another point of view that must be considered. That is the operational culture of an organization. While it may be true that testers must have an ability to work in a world of uncertainty, it is also true that their flexibility must have direction. In many cases test cultures are self-directed and as a result fruitless, unproductive results can ensue. Furthermore,

providing of positive defect evidence may only reflect either the tip of a much larger problem or that you have exhausted all possibilities. A framework is a test of Testing. It provides a boundary that can measure (validate) the capacity of our work. Both sides have, and will continue to argue the virtues of their work. The proof however is in each and every assessment of delivery quality. It does little good to test systematically if you are too narrowly focused. On the other hand, finding a bunch of errors is not an indicator that Agile methods was the driving force; you may simply have stumbled upon an obviously poor piece of work. Exploratory vs. Scripted Exploratory testing means simultaneous, test design, and test execution, with an emphasis on learning. Scripted testing means that learning and test design happens prior to test execution, and quite often the learning has to be done again during test execution. Exploratory testing is very common, but in most writing and training about testing it is barely mentioned and generally misunderstood. Some writers consider it a primary and essential practice. Structured exploratory testing is a compromise when the testers are familiar with the software. A vague test plan, known as a test charter, is written up, describing what functionalities need to be tested but not how, allowing the individual testers to choose the method and steps of testing. There are two main disadvantages associated with a primarily exploratory testing approach. The first is that there is no opportunity to prevent defects, which can happen when the designing of tests in advance serves as a form of structured static testing that often reveals problems in system requirements and design. The second is that, even with test charters, demonstrating test coverage and achieving repeatability of tests using a purely exploratory testing approach is difficult. For this reason, a blended approach of scripted and exploratory testing is often used to reap the benefits of while mitigating each approach's disadvantages. Manual vs. Automated Some writers believe that test automation is so expensive relative to its value that it should be used sparingly. Others, such as advocates of agile development, recommend automating 100% of all tests. A challenge with automation is that automated testing requires automated test oracles (an oracle is a mechanism or principle by which a problem in the software

can be recognized). Such tools have value in load testing software (by signing on to an application with hundreds or thousands of instances simultaneously), or in checking for intermittent errors in software. The success of automated software testing depends on complete and comprehensive test planning. Software development strategies such as test-driven development are highly compatible with the idea of devoting a large part of an organization's testing resources to automated testing. Many large software organizations perform automated testing. Some have developed their own automated testing environments specifically for internal development, and not for resale. Certification Several certification programs exist to support the professional aspirations of software testers and quality assurance specialists. No certification currently offered actually requires the applicant to demonstrate the ability to test software. No certification is based on a widely accepted body of knowledge. No certification board decertifies individuals. This has led some to declare that the testing field is not ready for certification Certification itself cannot measure an individual's productivity, their skill, or practical knowledge, and cannot guarantee their competence, or professionalism as a tester. Open Certification of Software Testers Certifications can be grouped into: exam-based and education-based. Exam-based certifications: For these there is the need to pass an exam, which can also be learned by selfstudy: e.g. for ISTQB or QAI. Education-based certifications are instructor-led sessions, where each course has to be passed, e.g. IIST (International Institute for Software Testing). Testing certifications

CSQE offered by the American Society for Quality CSTE offered by the Quality Assurance Institute (QAI) CSTP offered by the International Institute for Software Testing ISEB offered by the Information Systems Examinations Board ISTQB offered by the International Software Testing Qualification Board

Quality assurance certifications

CSQA offered by the Quality Assurance Institute (QAI)

Who watches the watchmen? One principle in software testing is summed up by the classical Latin question posed by Juvenal: Quis Custodiet Ipsos Custodes (Who watches the watchmen?), or is alternatively referred informally, as the "Heisenbug concept (a common misconception that confuses Heisenberg's uncertainty principle with observer effect). The idea is that any form of observation is also an interaction, that the act of testing can also affect that which is being tested. In practical terms the test engineer is testing software (and sometimes hardware or firmware) with other software (and hardware and firmware). The process can fail in ways that are not the result of defects in the target but rather result from defects in (or indeed intended features of) the testing tool. There are metrics being developed to measure the effectiveness of testing. One method is by analyzing code coverage (this is highly controversial) - where every one can agree what areas are not at all being covered and try to improve coverage on these areas. Finally, there is the analysis of historical find-rates. By measuring how many bugs are found and comparing them to predicted numbers (based on past experience with similar projects), certain assumptions regarding the effectiveness of testing can be made. While not an absolute measurement of quality, if a project is halfway complete and there have been no defects found, then changes may be needed to the procedures being employed by QA. Roles in software testing Software testing can be done by software testers. Until the 1950s the term software tester was used generally, but later it was also seen as a separate profession. Regarding the periods and the different goals in software testing (see D. Gelperin and W.C. Hetzel) there have been established different roles: test lead/manager, tester, test designer, test automater/automation developer, test administrator. participants of testing team 1.Tester 2.Developer 3.customer

4.Information Service Management He is the person who collects information from the customer 5.Senior Organization Management 6.Quality team

TEST CASE In software engineering, the most common definition of a test case is a set of conditions or variables under which a tester will determine if a requirement or use case upon an application is partially or fully satisfied. It may take many test cases to determine that a requirement is fully satisfied. In order to fully test that all the requirements of an application are met, there must be at least one test case for each requirement unless a requirement has sub requirements. In that situation, each sub requirement must have at least one test case. This is frequently done using a Traceability matrix. Some methodologies, like RUP, recommend creating at least two test cases for each requirement. One of them should perform positive testing of requirement and other should perform negative testing. Written test cases should include a description of the functionality to be tested, and the preparation required to ensure that the test can be conducted. If the application is created without formal requirements, then test cases can be written based on the accepted normal operation of programs of a similar class. In some schools or testing, test cases are not written at all but the activities and results are reported after the tests have been run. What characterizes a formal, written test case is that there is a known input and an expected output, which is worked out before the test is executed. The known input should test a precondition and the expected output should test a postcondition. Under special circumstances, there could be a need to run the test, produce results, and then a team of experts would evaluate if the results can be considered as a pass. This happens often on new products' performance number determination. The first test is taken as the base line for subsequent test / product release cycles. Written test cases are usually collected into Test suites.

A variation of test cases are most commonly used in acceptance testing. Acceptance testing is done by a group of end-users or clients of the system to ensure the developed system meets their requirements. User acceptance testing is usually differentiated by the inclusion of happy path or positive test cases.

Structure of test case Formal, written test cases consist of three main parts with subsections:

Information contains general information about Test case.

Identifier is unique identifier of test case for further references, for example, while describing found defect. Test case owner/creator is name of tester or test designer, who created test or is responsible for its development Version of current Test case definition Name of test case should be human-oriented title which allows to quickly understand test case purpose and scope. Identifier of requirement which is covered by test case. Also here could be identifier of use case or functional specification item. Purpose contains short description of test purpose, what functionality it checks. Dependencies Testing environment/configuration contains information about configuration of hardware or software which must be met while executing test case Initialization describes actions, which must be performed before test case execution is started. For example, we should open some file. Finalization describes actions to be done after test case is performed. For example if test case crashes database, tester should restore it before other test cases will be performed. Actions step by step to be done to complete test.

o o

o o

Test case activity

Input data description Expected results contains description of what tester should see after all test steps has been completed Actual results contains a brief description of what the tester saw after the test steps has been completed. This is often replaced with a Pass/Fail. Quite often if a test case fails, reference to the defect involved should be listed in this column

Results
o

CONCLUSION By using the proposed system the Us Payment system will be benefitted by the providing secure services to the customers through detecting the fraud credit card transactions. The system is based on the Artificial Intelligence Concept hence a little bit overhead is incurred on

authorizing the transaction. The limitation of the project is it will fail to detect the transactions which are below overhead are not detected even though those transactions are fraud.

BIBLIOGRAPHY IEEE Papers (Distributed Data Mining in Credit Card Fraud Detection ) By Phillip K.Chan, Andreas L. Prodromidis Salvatore J. Stolfo Intelligent Miner for Data: Enhance You Business Intelligence

Practice

By Jeorg Reinchemidt, Helena Gottschalk

Secured Electronic Transactions: Credit Card Payment on the Web in Theory and Hosung Kim

Credit Card Transactions Cost Based Modeling for Fraud and Intrusion Detection Java Agents for Meta Learning Credit Card Fraud Detection Using Meta Learning Advance Java Server Programming Oracle 10g SQL Reference Guide Oracle Press Subhrahmanyam Allamaraju Andreas L. Prodromidis Dave W. Fan Wenke Lee Damiaan Zwitering