<!-- CANARY: REQ=REQ-DOCS-001; FEATURE="Docs"; ASPECT=Documentation; STATUS=TESTED; OWNER=docs; UPDATED=2026-01-15 -->
<p>Anomaly detection identifies unusual patterns, outliers, and suspicious behaviors in graph data. Geode’s native graph model excels at detecting relationship-based anomalies, structural outliers, and behavioral deviations that would be difficult to spot in traditional databases.</p>
<h3 id="what-is-graph-based-anomaly-detection" class="position-relative d-flex align-items-center group">
<span>What Is Graph-Based Anomaly Detection?</span>
</h3><p>Graph-based anomaly detection leverages the structure and relationships in your data to identify entities or patterns that deviate from normal behavior. Unlike statistical methods that analyze individual attributes, graph-based approaches examine connectivity patterns, community membership, and relationship dynamics.</p>
<h4 id="types-of-anomalies" class="position-relative d-flex align-items-center group">
<span>Types of Anomalies</span>
</h4><p><strong>Point Anomalies</strong>: Individual nodes or edges with unusual properties (e.g., account with abnormally high transaction volume).</p>
<p><strong>Contextual Anomalies</strong>: Entities that are anomalous in a specific context but not globally (e.g., large transaction from a normally low-activity account).</p>
<p><strong>Collective Anomalies</strong>: Groups of entities that together form an unusual pattern (e.g., circular money transfer ring).</p>
<h3 id="statistical-anomaly-detection" class="position-relative d-flex align-items-center group">
<span>Statistical Anomaly Detection</span>
</h3>
<h4 id="threshold-based-detection" class="position-relative d-flex align-items-center group">
<span>Threshold-Based Detection</span>
</h4><p>Identify outliers using statistical thresholds:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">//</span><span class="w"> </span><span class="py">Detect</span><span class="w"> </span><span class="py">accounts</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">unusually</span><span class="w"> </span><span class="py">high</span><span class="w"> </span><span class="py">transaction</span><span class="w"> </span><span class="py">counts</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">a</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">t</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-></span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">t</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">tx_count</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">AVG</span><span class="p">(</span><span class="py">tx_count</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">avg_count</span><span class="p">,</span><span class="w"> </span><span class="py">STDDEV</span><span class="p">(</span><span class="py">tx_count</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">stddev_count</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">suspicious</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">t2</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-></span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">suspicious</span><span class="p">,</span><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">t2</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">account_tx_count</span><span class="p">,</span><span class="w"> </span><span class="py">avg_count</span><span class="p">,</span><span class="w"> </span><span class="py">stddev_count</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">account_tx_count</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">avg_count</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="p">(</span><span class="py">3</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">stddev_count</span><span class="p">)</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">3</span><span class="w"> </span><span class="py">sigma</span><span class="w"> </span><span class="py">rule</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">suspicious</span><span class="err">.</span><span class="py">account_id</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">account_tx_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">avg_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">stddev_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">(</span><span class="py">account_tx_count</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">avg_count</span><span class="p">)</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="py">stddev_count</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">z_score</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">z_score</span><span class="w"> </span><span class="py">DESC</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="distribution-analysis" class="position-relative d-flex align-items-center group">
<span>Distribution Analysis</span>
</h4><p>Detect outliers based on value distributions:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">//</span><span class="w"> </span><span class="py">Find</span><span class="w"> </span><span class="py">transactions</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">unusual</span><span class="w"> </span><span class="py">amounts</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Compute</span><span class="w"> </span><span class="py">the</span><span class="w"> </span><span class="py">quartiles</span><span class="w"> </span><span class="py">over</span><span class="w"> </span><span class="py">all</span><span class="w"> </span><span class="py">transactions</span><span class="w"> </span><span class="py">first</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">all_tx</span><span class="p">:</span><span class="nc">Transaction</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">percentile_cont</span><span class="p">(</span><span class="py">all_tx</span><span class="err">.</span><span class="py">amount</span><span class="p">,</span><span class="w"> </span><span class="py">0</span><span class="mf">.25</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">q1</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">percentile_cont</span><span class="p">(</span><span class="py">all_tx</span><span class="err">.</span><span class="py">amount</span><span class="p">,</span><span class="w"> </span><span class="py">0</span><span class="mf">.75</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">q3</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">percentile_cont</span><span class="p">(</span><span class="py">all_tx</span><span class="err">.</span><span class="py">amount</span><span class="p">,</span><span class="w"> </span><span class="py">0</span><span class="mf">.50</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">median</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Then</span><span class="w"> </span><span class="py">compare</span><span class="w"> </span><span class="py">each</span><span class="w"> </span><span class="py">transaction</span><span class="w"> </span><span class="py">against</span><span class="w"> </span><span class="py">them</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">t</span><span class="p">:</span><span class="nc">Transaction</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">t</span><span class="p">,</span><span class="w"> </span><span class="py">q1</span><span class="p">,</span><span class="w"> </span><span class="py">q3</span><span class="p">,</span><span class="w"> </span><span class="py">median</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">q3</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">q1</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">iqr</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">Interquartile</span><span class="w"> </span><span class="py">range</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">amount</span><span class="w"> </span><span class="err"><</span><span class="w"> </span><span class="py">q1</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="p">(</span><span class="py">1</span><span class="mf">.5</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">iqr</span><span class="p">)</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">Lower</span><span class="w"> </span><span class="py">outliers</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">amount</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">q3</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="p">(</span><span class="py">1</span><span class="mf">.5</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">iqr</span><span class="p">)</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">Upper</span><span class="w"> </span><span class="py">outliers</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">transaction_id</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">amount</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">median</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">iqr</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">CASE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">amount</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">q3</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="p">(</span><span class="py">1</span><span class="mf">.5</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">iqr</span><span class="p">)</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="err">'</span><span class="py">high_outlier</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ELSE</span><span class="w"> </span><span class="err">'</span><span class="py">low_outlier</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">END</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">anomaly_type</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
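<p>Added example (not part of the Geode documentation): the 3-sigma and IQR rules from the two queries above, run in Python over constructed transaction edges. It shows that with only ten accounts a single extreme account inflates the standard deviation so far that the 3-sigma filter cannot fire, while the IQR fences still flag it. The account names, the <code>sink</code> target, the use of the sample standard deviation for <code>STDDEV</code> and linear interpolation for <code>percentile_cont</code> are assumptions.</p>

```python
"""Added example: 3-sigma rule vs. IQR fences on constructed TRANSACTION edges."""
from collections import Counter
from statistics import mean, stdev


def build_edges(n_normal, burst):
    """Constructed data: n_normal accounts with 3-6 transactions, one with `burst`."""
    edges = []
    for i in range(n_normal):
        edges += [(f"acct-{i:02d}", "sink")] * (3 + i % 4)
    edges += [("acct-burst", "sink")] * burst
    return edges


def tx_counts(edges):
    """Outgoing transaction count per account (COUNT(t) grouped by account)."""
    return Counter(src for src, _dst in edges)


def z_scores(counts):
    """z-score of every account's count; the outlier itself is part of mean and stddev."""
    values = list(counts.values())
    if len(values) < 2:
        return {acct: 0.0 for acct in counts}
    avg, sd = mean(values), stdev(values)  # assumption: STDDEV is the sample stddev
    if sd == 0:
        return {acct: 0.0 for acct in counts}
    return {acct: (c - avg) / sd for acct, c in counts.items()}


def three_sigma_outliers(counts, k=3.0):
    """Accounts with count > mean + k * stddev, as {account: z_score}."""
    return {acct: z for acct, z in z_scores(counts).items() if z > k}


def percentile_cont(values, p):
    """Continuous percentile with linear interpolation (assumed semantics)."""
    ordered = sorted(values)
    if not ordered:
        raise ValueError("percentile of empty input")
    pos = p * (len(ordered) - 1)
    lo = int(pos)
    hi = min(lo + 1, len(ordered) - 1)
    return ordered[lo] + (pos - lo) * (ordered[hi] - ordered[lo])


def iqr_outliers(counts, k=1.5):
    """Accounts outside [q1 - k*iqr, q3 + k*iqr]; quartiles come from ALL values."""
    values = list(counts.values())
    q1, q3 = percentile_cont(values, 0.25), percentile_cont(values, 0.75)
    iqr = q3 - q1
    flagged = {}
    for acct, c in counts.items():
        if c > q3 + k * iqr:
            flagged[acct] = "high_outlier"
        elif c < q1 - k * iqr:
            flagged[acct] = "low_outlier"
    return flagged


# Same burst account (400 transactions) in a small and a larger population.
SMALL = tx_counts(build_edges(9, 400))    # 10 accounts in total
LARGE = tx_counts(build_edges(49, 400))   # 50 accounts in total

if __name__ == "__main__":
    for name, counts in (("small", SMALL), ("large", LARGE)):
        print(name, "accounts:", len(counts))
        print("  burst z-score:", round(z_scores(counts)["acct-burst"], 2))
        print("  3-sigma flags:", sorted(three_sigma_outliers(counts)))
        print("  IQR flags:    ", iqr_outliers(counts))
```

<p>With the sample standard deviation, the largest z-score any single value can reach among n values is (n - 1) / sqrt(n), which is below 3 for n = 10, so the threshold query needs a larger population or a robust baseline to be useful.</p>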
<h3 id="pattern-based-detection" class="position-relative d-flex align-items-center group">
<span>Pattern-Based Detection</span>
</h3>
<h4 id="unusual-relationship-patterns" class="position-relative d-flex align-items-center group">
<span>Unusual Relationship Patterns</span>
</h4><p>Detect suspicious connectivity patterns:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">//</span><span class="w"> </span><span class="py">Find</span><span class="w"> </span><span class="py">accounts</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">circular</span><span class="w"> </span><span class="py">transaction</span><span class="w"> </span><span class="py">patterns</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="py">path</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="p">(</span><span class="py">a</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">TRANSACTION</span><span class="err">*</span><span class="py">2</span><span class="err">.</span><span class="mf">.5</span><span class="p">]</span><span class="err">-></span><span class="p">(</span><span class="py">a</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">ALL</span><span class="p">(</span><span class="py">r</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="py">relationships</span><span class="p">(</span><span class="py">path</span><span class="p">)</span><span class="w"> </span><span class="py">WHERE</span><span class="w"> </span><span class="py">r</span><span class="err">.</span><span class="py">timestamp</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">datetime</span><span class="p">()</span><span class="err">.</span><span class="py">minusDays</span><span class="p">(</span><span class="py">7</span><span class="p">))</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">path</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">LENGTH</span><span class="p">(</span><span class="py">path</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">cycle_length</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">REDUCE</span><span class="p">(</span><span class="py">sum</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">0</span><span class="p">,</span><span class="w"> </span><span class="py">r</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="py">relationships</span><span class="p">(</span><span class="py">path</span><span class="p">)</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="py">sum</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="py">r</span><span class="err">.</span><span class="py">amount</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">total_amount</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">total_amount</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">10000</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">Significant</span><span class="w"> </span><span class="py">amount</span><span class="w"> </span><span class="py">in</span><span class="w"> </span><span class="py">cycle</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">a</span><span class="err">.</span><span class="py">account_id</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">cycle_length</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">total_amount</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">[</span><span class="py">n</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="py">nodes</span><span class="p">(</span><span class="py">path</span><span class="p">)</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="py">n</span><span class="err">.</span><span class="py">account_id</span><span class="p">]</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">cycle_accounts</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">total_amount</span><span class="w"> </span><span class="py">DESC</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Detect</span><span class="w"> </span><span class="py">rapid</span><span class="err">-</span><span class="py">fire</span><span class="w"> </span><span class="py">transactions</span><span class="w"> </span><span class="p">(</span><span class="py">possible</span><span class="w"> </span><span class="py">automation</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">a</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">t</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-></span><span class="p">(</span><span class="py">b</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="w">
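</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Sort</span><span class="w"> </span><span class="py">by</span><span class="w"> </span><span class="py">time</span><span class="w"> </span><span class="py">so</span><span class="w"> </span><span class="py">the</span><span class="w"> </span><span class="py">first</span><span class="w"> </span><span class="py">and</span><span class="w"> </span><span class="py">last</span><span class="w"> </span><span class="py">collected</span><span class="w"> </span><span class="py">entries</span><span class="w"> </span><span class="py">bound</span><span class="w"> </span><span class="py">the</span><span class="w"> </span><span class="py">burst</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">b</span><span class="p">,</span><span class="w"> </span><span class="py">t</span><span class="w"> </span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">timestamp</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">b</span><span class="p">,</span><span class="w"> </span><span class="py">COLLECT</span><span class="p">(</span><span class="py">t</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">transactions</span><span class="w">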
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">SIZE</span><span class="p">(</span><span class="py">transactions</span><span class="p">)</span><span class="w"> </span><span class="err">></span><span class="p">=</span><span class="w"> </span><span class="py">5</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">b</span><span class="p">,</span><span class="w"> </span><span class="py">transactions</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">transactions</span><span class="p">[</span><span class="py">0</span><span class="p">]</span><span class="err">.</span><span class="py">timestamp</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">first_tx</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">transactions</span><span class="p">[</span><span class="err">-</span><span class="py">1</span><span class="p">]</span><span class="err">.</span><span class="py">timestamp</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">last_tx</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">b</span><span class="p">,</span><span class="w"> </span><span class="py">SIZE</span><span class="p">(</span><span class="py">transactions</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">tx_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">duration</span><span class="err">.</span><span class="py">between</span><span class="p">(</span><span class="py">first_tx</span><span class="p">,</span><span class="w"> </span><span class="py">last_tx</span><span class="p">)</span><span class="err">.</span><span class="py">seconds</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">time_span_seconds</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">time_span_seconds</span><span class="w"> </span><span class="err"><</span><span class="w"> </span><span class="py">60</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">5</span><span class="err">+</span><span class="w"> </span><span class="py">transactions</span><span class="w"> </span><span class="py">in</span><span class="w"> </span><span class="py">under</span><span class="w"> </span><span class="py">1</span><span class="w"> </span><span class="py">minute</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">a</span><span class="err">.</span><span class="py">account_id</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">from_account</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">b</span><span class="err">.</span><span class="py">account_id</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">to_account</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">tx_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">time_span_seconds</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">tx_count</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="py">time_span_seconds</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">tx_per_second</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
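<p>The rapid-fire check above, prototyped in Python as an added example (not Geode code or part of the original page). It goes beyond the query by sliding the 60-second window over each account pair's history, so a burst is still found when older transactions exist, and it reports no rate when every transaction carries the same timestamp. The sample data and the function name <code>find_bursts</code> are constructed for illustration.</p>

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: (from_account, to_account, ISO-8601 timestamp).
SAMPLE_TX = [
    # A1 -> B1: one old payment, then five payments inside 40 seconds.
    ("A1", "B1", "2026-01-10T09:00:00"),
    ("A1", "B1", "2026-01-12T12:00:20"),  # deliberately out of order
    ("A1", "B1", "2026-01-12T12:00:00"),
    ("A1", "B1", "2026-01-12T12:00:05"),
    ("A1", "B1", "2026-01-12T12:00:40"),
    ("A1", "B1", "2026-01-12T12:00:10"),
    # A2 -> B2: five payments with an identical timestamp (zero-second span).
    *([("A2", "B2", "2026-01-12T13:00:00")] * 5),
    # A3 -> B3: five payments 30 seconds apart, never five inside one minute.
    ("A3", "B3", "2026-01-12T14:00:00"),
    ("A3", "B3", "2026-01-12T14:00:30"),
    ("A3", "B3", "2026-01-12T14:01:00"),
    ("A3", "B3", "2026-01-12T14:01:30"),
    ("A3", "B3", "2026-01-12T14:02:00"),
]


def find_bursts(transactions, min_count=5, window_seconds=60):
    """Flag account pairs with >= min_count transactions in < window_seconds."""
    by_pair = defaultdict(list)
    for src, dst, ts in transactions:
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))

    findings = []
    for (src, dst), stamps in by_pair.items():
        stamps.sort()  # never rely on arrival order for first/last
        best = None    # (count, window_start, window_end) of the densest burst
        start = 0
        for end in range(len(stamps)):
            # Advance the left edge until the window is shorter than the limit.
            while (stamps[end] - stamps[start]).total_seconds() >= window_seconds:
                start += 1
            count = end - start + 1
            if count >= min_count and (best is None or count > best[0]):
                best = (count, stamps[start], stamps[end])
        if best is None:
            continue
        count, first, last = best
        span = (last - first).total_seconds()
        findings.append({
            "from_account": src,
            "to_account": dst,
            "tx_count": count,
            "time_span_seconds": span,
            # A zero-second span has no finite rate; report None, do not divide.
            "tx_per_second": count / span if span > 0 else None,
            # Span of the pair's whole history, for comparison with the burst.
            "whole_span_seconds": (stamps[-1] - stamps[0]).total_seconds(),
        })
    return findings


if __name__ == "__main__":
    for finding in find_bursts(SAMPLE_TX):
        print(finding)
```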
<h4 id="structural-anomalies" class="position-relative d-flex align-items-center group">
<span>Structural Anomalies</span>
</h4><p>Identify unusual graph structures:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">//</span><span class="w"> </span><span class="py">Find</span><span class="w"> </span><span class="py">isolated</span><span class="w"> </span><span class="py">cliques</span><span class="w"> </span><span class="p">(</span><span class="py">potential</span><span class="w"> </span><span class="py">fraud</span><span class="w"> </span><span class="py">rings</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">n</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">r1</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-</span><span class="p">(</span><span class="py">m</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">r1</span><span class="err">.</span><span class="py">timestamp</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">datetime</span><span class="p">()</span><span class="err">.</span><span class="py">minusDays</span><span class="p">(</span><span class="py">30</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">n</span><span class="p">,</span><span class="w"> </span><span class="py">COLLECT</span><span class="p">(</span><span class="py">DISTINCT</span><span class="w"> </span><span class="py">m</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">neighbors</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">SIZE</span><span class="p">(</span><span class="py">neighbors</span><span class="p">)</span><span class="w"> </span><span class="err">></span><span class="p">=</span><span class="w"> </span><span class="py">5</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">Minimum</span><span class="w"> </span><span class="py">clique</span><span class="w"> </span><span class="py">size</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Check</span><span class="w"> </span><span class="py">if</span><span class="w"> </span><span class="py">neighbors</span><span class="w"> </span><span class="py">form</span><span class="w"> </span><span class="py">a</span><span class="w"> </span><span class="py">complete</span><span class="w"> </span><span class="py">subgraph</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">n</span><span class="p">,</span><span class="w"> </span><span class="py">neighbors</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">ALL</span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">n1</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="py">neighbors</span><span class="w"> </span><span class="py">WHERE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ALL</span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">n2</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="py">neighbors</span><span class="w"> </span><span class="py">WHERE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">n1</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">n2</span><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">EXISTS</span><span class="p">((</span><span class="py">n1</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-</span><span class="p">(</span><span class="py">n2</span><span class="p">))</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">n</span><span class="p">,</span><span class="w"> </span><span class="py">neighbors</span><span class="p">,</span><span class="w"> </span><span class="py">SIZE</span><span class="p">(</span><span class="py">neighbors</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">clique_size</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Check</span><span class="w"> </span><span class="py">if</span><span class="w"> </span><span class="py">clique</span><span class="w"> </span><span class="py">is</span><span class="w"> </span><span class="py">isolated</span><span class="w"> </span><span class="py">from</span><span class="w"> </span><span class="py">the</span><span class="w"> </span><span class="py">rest</span><span class="w"> </span><span class="py">of</span><span class="w"> </span><span class="py">the</span><span class="w"> </span><span class="py">graph</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">member</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">member</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="py">neighbors</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">OPTIONAL</span><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">member</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-</span><span class="p">(</span><span class="py">outside</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="w">
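</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">NOT</span><span class="w"> </span><span class="py">outside</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="py">neighbors</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">outside</span><span class="w"> </span><span class="err"><></span><span class="w"> </span><span class="py">n</span><span class="w">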
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">n</span><span class="p">,</span><span class="w"> </span><span class="py">neighbors</span><span class="p">,</span><span class="w"> </span><span class="py">clique_size</span><span class="p">,</span><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">DISTINCT</span><span class="w"> </span><span class="py">outside</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">external_connections</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">external_connections</span><span class="w"> </span><span class="err"><</span><span class="w"> </span><span class="py">clique_size</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">0</span><span class="mf">.1</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err"><</span><span class="w"> </span><span class="py">10</span><span class="err">%</span><span class="w"> </span><span class="py">external</span><span class="w"> </span><span class="py">connections</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">n</span><span class="err">.</span><span class="py">account_id</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">[</span><span class="py">m</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="py">neighbors</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="py">m</span><span class="err">.</span><span class="py">account_id</span><span class="p">]</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">ring_members</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">clique_size</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">external_connections</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
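<p>The same ring logic in Python, as an added example for testing the thresholds offline (not Geode code or part of the original page). It assumes undirected transaction edges, leaves out the 30-day time filter, treats the hub account as a ring member and not as an external connection, and reports each ring once however many of its members qualify as the hub. The sample edges and the function names are constructed for illustration.</p>

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample graph (undirected account pairs).
RING = ["R0", "R1", "R2", "R3", "R4", "R5"]      # closed ring, no outside links
LEAKY = ["S0", "S1", "S2", "S3", "S4", "S5"]     # same shape, one outside link
SAMPLE_EDGES = (
    list(combinations(RING, 2))
    + list(combinations(LEAKY, 2))
    + [("S1", "X1")]                             # the single external connection
    + [("H", f"L{i}") for i in range(5)]         # star: many neighbors, no clique
)


def build_adjacency(edges):
    """Undirected adjacency sets; self-loops are ignored."""
    adj = defaultdict(set)
    for a, b in edges:
        if a != b:
            adj[a].add(b)
            adj[b].add(a)
    return adj


def find_isolated_rings(edges, min_neighbors=5, max_external_ratio=0.1):
    """Return rings whose hub has a fully connected, near-isolated neighborhood."""
    adj = build_adjacency(edges)
    rings = {}
    for hub, neighbors in adj.items():
        if len(neighbors) < min_neighbors:
            continue
        # Complete-subgraph test: every pair of neighbors must be connected.
        if not all(b in adj[a] for a, b in combinations(neighbors, 2)):
            continue
        members = frozenset(neighbors | {hub})
        # External accounts are those outside the ring, hub included in the ring.
        external = set()
        for member in neighbors:
            external |= adj[member] - members
        if len(external) < len(neighbors) * max_external_ratio:
            ring = rings.setdefault(members, {
                "members": sorted(members),
                "clique_size": len(neighbors),
                "external": sorted(external),
                "hubs": [],
            })
            ring["hubs"].append(hub)  # one entry per ring, all hubs recorded
    return list(rings.values())


if __name__ == "__main__":
    for ring in find_isolated_rings(SAMPLE_EDGES):
        print(ring)
```

<p>With five neighbors the 10% limit evaluates to 0.5, so a single external connection already excludes a ring; raise <code>max_external_ratio</code> or the minimum size if that is stricter than intended.</p>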
<h3 id="behavioral-analysis" class="position-relative d-flex align-items-center group">
<span>Behavioral Analysis</span>
</h3>
<h4 id="deviation-from-normal-behavior" class="position-relative d-flex align-items-center group">
<span>Deviation from Normal Behavior</span>
</h4><p>Detect changes in user behavior patterns:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">//</span><span class="w"> </span><span class="py">Compare</span><span class="w"> </span><span class="py">recent</span><span class="w"> </span><span class="py">activity</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">historical</span><span class="w"> </span><span class="py">baseline</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">u</span><span class="p">:</span><span class="nc">User</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">recent</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-></span><span class="p">(</span><span class="py">merchant</span><span class="p">:</span><span class="nc">Merchant</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">recent</span><span class="err">.</span><span class="py">timestamp</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">datetime</span><span class="p">()</span><span class="err">.</span><span class="py">minusDays</span><span class="p">(</span><span class="py">7</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">u</span><span class="p">,</span><span class="w"> </span><span class="py">merchant</span><span class="err">.</span><span class="py">category</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">category</span><span class="p">,</span><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">recent</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">recent_count</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Get</span><span class="w"> </span><span class="py">historical</span><span class="w"> </span><span class="py">average</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">this</span><span class="w"> </span><span class="py">user</span><span class="w"> </span><span class="py">and</span><span class="w"> </span><span class="py">category</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">u</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">historical</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-></span><span class="p">(:</span><span class="nc">Merchant</span><span class="w"> </span><span class="p">{</span><span class="py">category</span><span class="p">:</span><span class="w"> </span><span class="nc">category</span><span class="p">})</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">historical</span><span class="err">.</span><span class="py">timestamp</span><span class="w"> </span><span class="py">BETWEEN</span><span class="w"> </span><span class="py">datetime</span><span class="p">()</span><span class="err">.</span><span class="py">minusDays</span><span class="p">(</span><span class="py">90</span><span class="p">)</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">datetime</span><span class="p">()</span><span class="err">.</span><span class="py">minusDays</span><span class="p">(</span><span class="py">7</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">u</span><span class="p">,</span><span class="w"> </span><span class="py">category</span><span class="p">,</span><span class="w"> </span><span class="py">recent_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">historical</span><span class="p">)</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="py">12</span><span class="mf">.0</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">weekly_avg</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">90</span><span class="w"> </span><span class="py">days</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="err">~</span><span class="py">12</span><span class="w"> </span><span class="py">weeks</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">recent_count</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">weekly_avg</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">3</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">3x</span><span class="w"> </span><span class="py">normal</span><span class="w"> </span><span class="py">activity</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">u</span><span class="err">.</span><span class="py">user_id</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">category</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">recent_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">weekly_avg</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">recent_count</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="py">weekly_avg</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">activity_ratio</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">activity_ratio</span><span class="w"> </span><span class="py">DESC</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
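<p>A Python version of the baseline comparison, as an added example (not Geode code or part of the original page). It keeps the query's 7-day and 90-day windows, the division by 12 weeks and the 3x threshold, and additionally reports user and category pairs that have recent activity but no history at all, which the second <code>MATCH</code> in the query silently drops. The sample data, the fixed <code>NOW</code> and the function name are constructed for illustration.</p>

```python
from collections import Counter
from datetime import datetime, timedelta

NOW = datetime(2026, 1, 15, 12, 0, 0)  # constructed reference time


def _stamps(count, first_offset, step):
    """Constructed timestamps going back from NOW at a fixed step."""
    return [(NOW - first_offset - step * i).isoformat() for i in range(count)]


# Constructed sample data: (user_id, merchant_category, ISO-8601 timestamp).
SAMPLE_TX = (
    # U1 groceries: 24 historical (2.0 per week), 7 in the last week.
    [("U1", "groceries", ts) for ts in _stamps(24, timedelta(days=10), timedelta(days=3))]
    + [("U1", "groceries", ts) for ts in _stamps(7, timedelta(hours=6), timedelta(hours=6))]
    # U2 fuel: 12 historical (1.0 per week), 3 in the last week (exactly 3x).
    + [("U2", "fuel", ts) for ts in _stamps(12, timedelta(days=10), timedelta(days=6))]
    + [("U2", "fuel", ts) for ts in _stamps(3, timedelta(hours=6), timedelta(hours=6))]
    # U3 electronics: no history, 4 in the last week.
    + [("U3", "electronics", ts) for ts in _stamps(4, timedelta(hours=6), timedelta(hours=6))]
)


def activity_spikes(transactions, now, recent_days=7, baseline_days=90,
                    baseline_weeks=12.0, factor=3.0):
    """Compare last-week counts per (user, category) with the weekly baseline."""
    recent_start = now - timedelta(days=recent_days)
    baseline_start = now - timedelta(days=baseline_days)
    recent, historical = Counter(), Counter()
    for user, category, ts in transactions:
        when = datetime.fromisoformat(ts)
        if recent_start < when <= now:
            recent[(user, category)] += 1
        elif baseline_start <= when <= recent_start:
            historical[(user, category)] += 1

    findings = []
    for (user, category), recent_count in recent.items():
        hist_count = historical.get((user, category), 0)
        if hist_count == 0:
            # No baseline exists: a ratio is undefined, but the activity is new.
            findings.append({"user_id": user, "category": category,
                             "recent_count": recent_count, "weekly_avg": 0.0,
                             "activity_ratio": None, "reason": "no_baseline"})
            continue
        weekly_avg = hist_count / baseline_weeks
        if recent_count > weekly_avg * factor:
            findings.append({"user_id": user, "category": category,
                             "recent_count": recent_count, "weekly_avg": weekly_avg,
                             "activity_ratio": recent_count / weekly_avg,
                             "reason": "spike"})
    return findings


if __name__ == "__main__":
    for finding in activity_spikes(SAMPLE_TX, NOW):
        print(finding)
```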
<h4 id="velocity-checks" class="position-relative d-flex align-items-center group">
<span>Velocity Checks</span>
</h4><p>Detect impossible or suspicious transaction sequences:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">//</span><span class="w"> </span><span class="py">Detect</span><span class="w"> </span><span class="py">geographically</span><span class="w"> </span><span class="py">impossible</span><span class="w"> </span><span class="py">transactions</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">a</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">t1</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-></span><span class="p">(</span><span class="py">m1</span><span class="p">:</span><span class="nc">Merchant</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">a</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">t2</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-></span><span class="p">(</span><span class="py">m2</span><span class="p">:</span><span class="nc">Merchant</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">t1</span><span class="err">.</span><span class="py">timestamp</span><span class="w"> </span><span class="err"><</span><span class="w"> </span><span class="py">t2</span><span class="err">.</span><span class="py">timestamp</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">duration</span><span class="err">.</span><span class="py">between</span><span class="p">(</span><span class="py">t1</span><span class="err">.</span><span class="py">timestamp</span><span class="p">,</span><span class="w"> </span><span class="py">t2</span><span class="err">.</span><span class="py">timestamp</span><span class="p">)</span><span class="err">.</span><span class="py">minutes</span><span class="w"> </span><span class="err"><</span><span class="w"> </span><span class="py">60</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">m1</span><span class="err">.</span><span class="py">merchant_id</span><span class="w"> </span><span class="err"><></span><span class="w"> </span><span class="py">m2</span><span class="err">.</span><span class="py">merchant_id</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Calculate</span><span class="w"> </span><span class="py">distance</span><span class="w"> </span><span class="py">between</span><span class="w"> </span><span class="py">merchant</span><span class="w"> </span><span class="py">locations</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">t1</span><span class="p">,</span><span class="w"> </span><span class="py">t2</span><span class="p">,</span><span class="w"> </span><span class="py">m1</span><span class="p">,</span><span class="w"> </span><span class="py">m2</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">point</span><span class="err">.</span><span class="py">distance</span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">point</span><span class="p">({</span><span class="py">latitude</span><span class="p">:</span><span class="w"> </span><span class="nc">m1</span><span class="err">.</span><span class="py">latitude</span><span class="p">,</span><span class="w"> </span><span class="py">longitude</span><span class="p">:</span><span class="w"> </span><span class="nc">m1</span><span class="err">.</span><span class="py">longitude</span><span class="p">}),</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">point</span><span class="p">({</span><span class="py">latitude</span><span class="p">:</span><span class="w"> </span><span class="nc">m2</span><span class="err">.</span><span class="py">latitude</span><span class="p">,</span><span class="w"> </span><span class="py">longitude</span><span class="p">:</span><span class="w"> </span><span class="nc">m2</span><span class="err">.</span><span class="py">longitude</span><span class="p">})</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="py">1000</span><span class="mf">.0</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">distance_km</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">duration</span><span class="err">.</span><span class="py">between</span><span class="p">(</span><span class="py">t1</span><span class="err">.</span><span class="py">timestamp</span><span class="p">,</span><span class="w"> </span><span class="py">t2</span><span class="err">.</span><span class="py">timestamp</span><span class="p">)</span><span class="err">.</span><span class="py">minutes</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">time_minutes</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">t1</span><span class="p">,</span><span class="w"> </span><span class="py">t2</span><span class="p">,</span><span class="w"> </span><span class="py">m1</span><span class="p">,</span><span class="w"> </span><span class="py">m2</span><span class="p">,</span><span class="w"> </span><span class="py">distance_km</span><span class="p">,</span><span class="w"> </span><span class="py">time_minutes</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">distance_km</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="p">(</span><span class="py">time_minutes</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="py">60</span><span class="mf">.0</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">required_speed_kmh</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">required_speed_kmh</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">800</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">Faster</span><span class="w"> </span><span class="py">than</span><span class="w"> </span><span class="py">airplane</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">a</span><span class="err">.</span><span class="py">account_id</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">t1</span><span class="err">.</span><span class="py">transaction_id</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">first_tx</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">t2</span><span class="err">.</span><span class="py">transaction_id</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">second_tx</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">m1</span><span class="err">.</span><span class="py">city</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">first_location</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">m2</span><span class="err">.</span><span class="py">city</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">second_location</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">distance_km</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">time_minutes</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">required_speed_kmh</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="network-based-detection" class="position-relative d-flex align-items-center group">
<span>Network-Based Detection</span>
</h3>
<h4 id="community-outliers" class="position-relative d-flex align-items-center group">
<span>Community Outliers</span>
</h4><p>Identify entities that don’t fit their community:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">//</span><span class="w"> </span><span class="py">Find</span><span class="w"> </span><span class="py">users</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">unusual</span><span class="w"> </span><span class="py">connections</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">their</span><span class="w"> </span><span class="py">community</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">u</span><span class="p">:</span><span class="nc">User</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">BELONGS_TO</span><span class="p">]</span><span class="err">-></span><span class="p">(</span><span class="py">c</span><span class="p">:</span><span class="nc">Community</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">u</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">CONNECTED_TO</span><span class="p">]</span><span class="err">-</span><span class="p">(</span><span class="py">neighbor</span><span class="p">:</span><span class="nc">User</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Calculate</span><span class="w"> </span><span class="py">within</span><span class="err">-</span><span class="py">community</span><span class="w"> </span><span class="py">vs</span><span class="err">.</span><span class="w"> </span><span class="py">outside</span><span class="err">-</span><span class="py">community</span><span class="w"> </span><span class="py">connections</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">u</span><span class="p">,</span><span class="w"> </span><span class="py">c</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">DISTINCT</span><span class="w"> </span><span class="py">CASE</span><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="p">(</span><span class="py">neighbor</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">BELONGS_TO</span><span class="p">]</span><span class="err">-></span><span class="p">(</span><span class="py">c</span><span class="p">)</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="py">neighbor</span><span class="w"> </span><span class="py">END</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">internal_connections</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">DISTINCT</span><span class="w"> </span><span class="py">CASE</span><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">NOT</span><span class="w"> </span><span class="p">(</span><span class="py">neighbor</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">BELONGS_TO</span><span class="p">]</span><span class="err">-></span><span class="p">(</span><span class="py">c</span><span class="p">)</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="py">neighbor</span><span class="w"> </span><span class="py">END</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">external_connections</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">u</span><span class="p">,</span><span class="w"> </span><span class="py">c</span><span class="p">,</span><span class="w"> </span><span class="py">internal_connections</span><span class="p">,</span><span class="w"> </span><span class="py">external_connections</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">external_connections</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">1</span><span class="mf">.0</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="p">(</span><span class="py">internal_connections</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="py">external_connections</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">external_ratio</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Compare</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">community</span><span class="w"> </span><span class="py">average</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">c</span><span class="p">,</span><span class="w"> </span><span class="py">AVG</span><span class="p">(</span><span class="py">external_ratio</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">avg_external_ratio</span><span class="p">,</span><span class="w"> </span><span class="py">STDDEV</span><span class="p">(</span><span class="py">external_ratio</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">stddev_external</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">outlier</span><span class="p">:</span><span class="nc">User</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">BELONGS_TO</span><span class="p">]</span><span class="err">-></span><span class="p">(</span><span class="py">c</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">outlier</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">CONNECTED_TO</span><span class="p">]</span><span class="err">-</span><span class="p">(</span><span class="py">n</span><span class="p">:</span><span class="nc">User</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">outlier</span><span class="p">,</span><span class="w"> </span><span class="py">c</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">DISTINCT</span><span class="w"> </span><span class="py">CASE</span><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="p">(</span><span class="py">n</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">BELONGS_TO</span><span class="p">]</span><span class="err">-></span><span class="p">(</span><span class="py">c</span><span class="p">)</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="py">n</span><span class="w"> </span><span class="py">END</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">user_internal</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">DISTINCT</span><span class="w"> </span><span class="py">CASE</span><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">NOT</span><span class="w"> </span><span class="p">(</span><span class="py">n</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">BELONGS_TO</span><span class="p">]</span><span class="err">-></span><span class="p">(</span><span class="py">c</span><span class="p">)</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="py">n</span><span class="w"> </span><span class="py">END</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">user_external</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">avg_external_ratio</span><span class="p">,</span><span class="w"> </span><span class="py">stddev_external</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">outlier</span><span class="p">,</span><span class="w"> </span><span class="py">c</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">user_external</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">1</span><span class="mf">.0</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="p">(</span><span class="py">user_internal</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="py">user_external</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">user_external_ratio</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">avg_external_ratio</span><span class="p">,</span><span class="w"> </span><span class="py">stddev_external</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">user_external_ratio</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">avg_external_ratio</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="p">(</span><span class="py">2</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">stddev_external</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">outlier</span><span class="err">.</span><span class="py">user_id</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">user_external_ratio</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">avg_external_ratio</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">(</span><span class="py">user_external_ratio</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">avg_external_ratio</span><span class="p">)</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="py">stddev_external</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">z_score</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
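<p>The same outlier test worked in Python over a constructed membership map and edge list (an added example, not Geode code; the function names are illustrative and STDDEV is assumed to be the sample standard deviation). It also reports communities too small for the 2σ rule to ever fire: with n members the largest possible z-score is (n − 1)/√n, which stays below 2 for n ≤ 5.</p>

```python
from math import sqrt
from statistics import mean, stdev


def external_ratios(membership, edges):
    """Share of each user's CONNECTED_TO neighbors that sit outside the user's community."""
    neighbors = {}
    for a, b in edges:
        neighbors.setdefault(a, set()).add(b)
        neighbors.setdefault(b, set()).add(a)
    ratios = {}
    for user, nbs in neighbors.items():
        if user not in membership:
            continue
        external = sum(1 for n in nbs if membership.get(n) != membership[user])
        ratios[user] = external / len(nbs)
    return ratios


def max_reachable_z(n):
    """Largest z-score any single member of an n-member group can have
    when the sample standard deviation is used (Samuelson's inequality)."""
    return (n - 1) / sqrt(n)


def community_outliers(membership, edges, threshold=2.0):
    """Return (flagged, blind): members above the z-score threshold, and
    communities where the threshold is mathematically unreachable."""
    by_community = {}
    for user, ratio in external_ratios(membership, edges).items():
        by_community.setdefault(membership[user], {})[user] = ratio

    flagged, blind = [], []
    for community, members in by_community.items():
        n = len(members)
        if n < 2 or max_reachable_z(n) <= threshold:
            blind.append(community)  # rule can never fire here
            continue
        values = list(members.values())
        spread = stdev(values)
        if spread == 0:
            continue  # every member behaves identically
        average = mean(values)
        for user, ratio in members.items():
            z = (ratio - average) / spread
            if z > threshold:
                flagged.append((user, community, round(z, 2)))
    return sorted(flagged), sorted(blind)


def sample_graph():
    """Constructed data: community A (8 users), B (5 users), X (3 users)."""
    membership = {f"a{i}": "A" for i in range(8)}
    membership.update({f"b{i}": "B" for i in range(5)})
    membership.update({f"x{i}": "X" for i in range(3)})
    edges = [(f"a{i}", f"a{(i + 1) % 7}") for i in range(7)]   # a0..a6 ring
    edges += [("a7", "a0"), ("a7", "x0"), ("a7", "x1"), ("a7", "x2")]
    edges += [(f"b{i}", f"b{(i + 1) % 4}") for i in range(4)]   # b0..b3 ring
    edges += [("b4", "x0"), ("b4", "x1")]                       # b4 is all-external
    return membership, edges


if __name__ == "__main__":
    flagged, blind = community_outliers(*sample_graph())
    print("flagged:", flagged)
    print("communities the rule cannot cover:", blind)
```

<p>In the sample, b4 has only external connections yet cannot be flagged because community B has five members; such communities need an absolute cutoff or a pooled baseline.</p>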
<h4 id="bridge-detection" class="position-relative d-flex align-items-center group">
<span>Bridge Detection</span>
</h4><p>Find accounts that bridge normally disconnected communities (potential money mules):</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">//</span><span class="w"> </span><span class="py">Detect</span><span class="w"> </span><span class="py">bridge</span><span class="w"> </span><span class="py">nodes</span><span class="w"> </span><span class="py">connecting</span><span class="w"> </span><span class="py">separate</span><span class="w"> </span><span class="py">clusters</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">bridge</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-</span><span class="p">(</span><span class="py">neighbor</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">bridge</span><span class="p">,</span><span class="w"> </span><span class="py">COLLECT</span><span class="p">(</span><span class="py">DISTINCT</span><span class="w"> </span><span class="py">neighbor</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">neighbors</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">SIZE</span><span class="p">(</span><span class="py">neighbors</span><span class="p">)</span><span class="w"> </span><span class="err">></span><span class="p">=</span><span class="w"> </span><span class="py">10</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Check</span><span class="w"> </span><span class="py">if</span><span class="w"> </span><span class="py">neighbors</span><span class="w"> </span><span class="py">are</span><span class="w"> </span><span class="py">disconnected</span><span class="w"> </span><span class="py">from</span><span class="w"> </span><span class="py">each</span><span class="w"> </span><span class="py">other</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">bridge</span><span class="p">,</span><span class="w"> </span><span class="py">neighbors</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">NOT</span><span class="w"> </span><span class="py">ANY</span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">n1</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="py">neighbors</span><span class="p">[</span><span class="py">0</span><span class="err">..</span><span class="py">SIZE</span><span class="p">(</span><span class="py">neighbors</span><span class="p">)</span><span class="err">-</span><span class="py">1</span><span class="p">]</span><span class="w"> </span><span class="py">WHERE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ANY</span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">n2</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="py">neighbors</span><span class="p">[</span><span class="py">1</span><span class="err">..</span><span class="p">]</span><span class="w"> </span><span class="py">WHERE</span><span class="w">
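</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">n1</span><span class="w"> </span><span class="err"><></span><span class="w"> </span><span class="py">n2</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">EXISTS</span><span class="p">((</span><span class="py">n1</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-</span><span class="p">(</span><span class="py">n2</span><span class="p">))</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">direct</span><span class="w"> </span><span class="py">link</span><span class="w"> </span><span class="py">only</span><span class="err">;</span><span class="w"> </span><span class="py">a</span><span class="w"> </span><span class="py">two</span><span class="err">-</span><span class="py">hop</span><span class="w"> </span><span class="py">pattern</span><span class="w"> </span><span class="py">would</span><span class="w"> </span><span class="py">always</span><span class="w"> </span><span class="py">match</span><span class="w"> </span><span class="py">through</span><span class="w"> </span><span class="py">the</span><span class="w"> </span><span class="py">bridge</span><span class="w"> </span><span class="py">itself</span><span class="w">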
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">bridge</span><span class="err">.</span><span class="py">account_id</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">SIZE</span><span class="p">(</span><span class="py">neighbors</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">connected_clusters</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">[</span><span class="py">n</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="py">neighbors</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="py">n</span><span class="err">.</span><span class="py">account_id</span><span class="p">]</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">cluster_representatives</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
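<p>Bridge detection worked in Python over a constructed edge list (an added example, not Geode code; function and account names are illustrative). It goes one step beyond a direct-link check by testing neighbor pairs up to two hops apart while ignoring paths that run through the candidate itself, because every pair of a node's neighbors is trivially two hops apart via that node.</p>

```python
from itertools import combinations


def build_adjacency(edges):
    """Undirected adjacency sets from (account, account) TRANSACTION pairs."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def linked_within(adj, src, dst, max_hops, excluded=None):
    """True if dst is reachable from src in at most max_hops hops
    without stepping on the `excluded` node."""
    seen = {src, excluded}
    frontier = {src}
    for _ in range(max_hops):
        next_frontier = set()
        for node in frontier:
            for nb in adj.get(node, ()):
                if nb == dst:
                    return True
                if nb not in seen:
                    seen.add(nb)
                    next_frontier.add(nb)
        frontier = next_frontier
    return False


def find_bridges(edges, min_neighbors=10, max_hops=2, ignore_candidate=True):
    """Accounts with >= min_neighbors counterparties, none of which are
    linked to each other within max_hops.

    ignore_candidate=False reproduces the pitfall: paths through the
    candidate count as links, so nothing is ever reported."""
    adj = build_adjacency(edges)
    bridges = []
    for candidate, neighbors in adj.items():
        if len(neighbors) < min_neighbors:
            continue
        excluded = candidate if ignore_candidate else None
        pairs = combinations(sorted(neighbors), 2)
        if not any(linked_within(adj, a, b, max_hops, excluded) for a, b in pairs):
            bridges.append(candidate)
    return sorted(bridges)


def sample_edges(direct_link=True):
    """Constructed data. M: ten counterparties in separate clusters.
    H: a hub whose counterparties also deal with each other."""
    edges = []
    for i in range(10):
        edges.append(("M", f"n{i}"))      # M's counterparties
        edges.append((f"n{i}", f"p{i}"))  # each has its own private peer
        edges.append(("H", f"c{i}"))      # H's counterparties
    if direct_link:
        edges.append(("c0", "c1"))        # direct link between two of H's neighbors
    edges += [("c2", "X"), ("X", "c3")]   # two-hop link via a shared counterparty
    return edges


if __name__ == "__main__":
    print("bridges:", find_bridges(sample_edges()))
    print("without excluding the candidate:",
          find_bridges(sample_edges(), ignore_candidate=False))
```

<p>The pairwise check is quadratic in the number of neighbors, so on high-degree accounts it is worth capping the degree or sampling pairs before running it.</p>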
<h3 id="time-series-anomaly-detection" class="position-relative d-flex align-items-center group">
<span>Time-Series Anomaly Detection</span>
</h3>
<h4 id="change-point-detection" class="position-relative d-flex align-items-center group">
<span>Change Point Detection</span>
</h4><p>Identify sudden changes in activity patterns:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">//</span><span class="w"> </span><span class="py">Detect</span><span class="w"> </span><span class="py">sudden</span><span class="w"> </span><span class="py">spikes</span><span class="w"> </span><span class="py">in</span><span class="w"> </span><span class="py">transaction</span><span class="w"> </span><span class="py">volume</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">a</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">t</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-></span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">date</span><span class="err">.</span><span class="py">truncate</span><span class="p">(</span><span class="err">'</span><span class="py">day</span><span class="err">'</span><span class="p">,</span><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">timestamp</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">day</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">t</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">daily_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">SUM</span><span class="p">(</span><span class="py">t</span><span class="err">.</span><span class="py">amount</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">daily_amount</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">day</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Calculate</span><span class="w"> </span><span class="py">moving</span><span class="w"> </span><span class="py">average</span><span class="w"> </span><span class="py">and</span><span class="w"> </span><span class="py">detect</span><span class="w"> </span><span class="py">deviations</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">day</span><span class="p">,</span><span class="w"> </span><span class="py">daily_count</span><span class="p">,</span><span class="w"> </span><span class="py">daily_amount</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AVG</span><span class="p">(</span><span class="py">daily_count</span><span class="p">)</span><span class="w"> </span><span class="py">OVER</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">PARTITION</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">a</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">day</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ROWS</span><span class="w"> </span><span class="py">BETWEEN</span><span class="w"> </span><span class="py">7</span><span class="w"> </span><span class="py">PRECEDING</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">1</span><span class="w"> </span><span class="py">PRECEDING</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">avg_count_7d</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">STDDEV</span><span class="p">(</span><span class="py">daily_count</span><span class="p">)</span><span class="w"> </span><span class="py">OVER</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">PARTITION</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">a</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">day</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ROWS</span><span class="w"> </span><span class="py">BETWEEN</span><span class="w"> </span><span class="py">7</span><span class="w"> </span><span class="py">PRECEDING</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">1</span><span class="w"> </span><span class="py">PRECEDING</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">stddev_count_7d</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">daily_count</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">avg_count_7d</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="p">(</span><span class="py">3</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">stddev_count_7d</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">a</span><span class="err">.</span><span class="py">account_id</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">day</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">daily_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">avg_count_7d</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">(</span><span class="py">daily_count</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">avg_count_7d</span><span class="p">)</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="py">NULLIF</span><span class="p">(</span><span class="py">stddev_count_7d</span><span class="p">,</span><span class="w"> </span><span class="py">0</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">z_score</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">z_score</span><span class="w"> </span><span class="py">DESC</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="seasonal-anomalies" class="position-relative d-flex align-items-center group">
<span>Seasonal Anomalies</span>
</h4><p>Detect unusual patterns accounting for seasonality:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">//</span><span class="w"> </span><span class="py">Compare</span><span class="w"> </span><span class="py">current</span><span class="w"> </span><span class="py">week</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">same</span><span class="w"> </span><span class="py">week</span><span class="w"> </span><span class="py">in</span><span class="w"> </span><span class="py">previous</span><span class="w"> </span><span class="py">periods</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">datetime</span><span class="p">()</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">now</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">u</span><span class="p">:</span><span class="nc">User</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">t</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-></span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">timestamp</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">now</span><span class="err">.</span><span class="py">minusDays</span><span class="p">(</span><span class="py">7</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">u</span><span class="p">,</span><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">t</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">this_week_count</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Get</span><span class="w"> </span><span class="py">counts</span><span class="w"> </span><span class="py">from</span><span class="w"> </span><span class="py">same</span><span class="w"> </span><span class="py">week</span><span class="w"> </span><span class="py">in</span><span class="w"> </span><span class="py">previous</span><span class="w"> </span><span class="py">years</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">u</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">historical</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-></span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">historical</span><span class="err">.</span><span class="py">timestamp</span><span class="err">.</span><span class="py">weekOfYear</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">datetime</span><span class="p">()</span><span class="err">.</span><span class="py">weekOfYear</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">historical</span><span class="err">.</span><span class="py">timestamp</span><span class="err">.</span><span class="py">year</span><span class="w"> </span><span class="err"><</span><span class="w"> </span><span class="py">datetime</span><span class="p">()</span><span class="err">.</span><span class="py">year</span><span class="w">
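</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Count</span><span class="w"> </span><span class="py">per</span><span class="w"> </span><span class="py">year</span><span class="w"> </span><span class="py">first</span><span class="w"> </span><span class="py">because</span><span class="w"> </span><span class="py">aggregates</span><span class="w"> </span><span class="py">cannot</span><span class="w"> </span><span class="py">be</span><span class="w"> </span><span class="py">nested</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">u</span><span class="p">,</span><span class="w"> </span><span class="py">this_week_count</span><span class="p">,</span><span class="w"> </span><span class="py">historical</span><span class="err">.</span><span class="py">timestamp</span><span class="err">.</span><span class="py">year</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">hist_year</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">historical</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">yearly_count</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">u</span><span class="p">,</span><span class="w"> </span><span class="py">this_week_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AVG</span><span class="p">(</span><span class="py">yearly_count</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">historical_avg</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">STDDEV</span><span class="p">(</span><span class="py">yearly_count</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">historical_stddev</span><span class="w">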
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">this_week_count</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">historical_avg</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="p">(</span><span class="py">2</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">historical_stddev</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">u</span><span class="err">.</span><span class="py">user_id</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">this_week_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">historical_avg</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">(</span><span class="py">this_week_count</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">historical_avg</span><span class="p">)</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="py">NULLIF</span><span class="p">(</span><span class="py">historical_stddev</span><span class="p">,</span><span class="w"> </span><span class="py">0</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">z_score</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
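<p>The seasonal check above can be replayed offline to validate its thresholds before it drives alerts. The following Python sketch is an added example, not part of the Geode documentation: it runs the same two-stage aggregation (per-year counts, then mean and standard deviation) over constructed transactions. It assumes ISO week numbering and a sample standard deviation; the function names, result fields and the <code>MIN_PRIOR_YEARS</code> guard are hypothetical.</p>

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, stdev

Z_THRESHOLD = 2.0      # same 2-sigma cut-off as the query
MIN_PRIOR_YEARS = 2    # assumption: a sample stddev needs at least two yearly counts


def seasonal_anomalies(transactions, now):
    """Score each user's last-7-day count against the same ISO week in prior years.

    transactions: iterable of (user_id, datetime) pairs.
    Returns {user_id: {"count", "baseline", "z_score", "status"}}.
    """
    now_year, now_week, _ = now.isocalendar()
    window_start = now - timedelta(days=7)

    # Stage 1: count this week's activity and one count per (user, prior ISO year).
    this_week = defaultdict(int)
    yearly = defaultdict(lambda: defaultdict(int))
    for user_id, ts in transactions:
        ts_year, ts_week, _ = ts.isocalendar()
        if window_start < ts <= now:
            this_week[user_id] += 1
        elif ts_year < now_year and ts_week == now_week:
            yearly[user_id][ts_year] += 1

    # Stage 2: aggregate the yearly counts. Years with no activity in this week
    # contribute no sample (as with MATCH), so they do not pull the mean down.
    results = {}
    for user_id, count in this_week.items():
        samples = list(yearly[user_id].values())
        if len(samples) < MIN_PRIOR_YEARS:
            # Too little history for a meaningful deviation: route to review
            # instead of silently dropping or flagging the user.
            results[user_id] = {"count": count, "baseline": None,
                                "z_score": None, "status": "insufficient_history"}
            continue
        baseline, spread = mean(samples), stdev(samples)
        if spread == 0:
            # Flat baseline: "count > avg + 2 * 0" passes for any increase while
            # the z-score is undefined, so report it as its own status.
            z_score = None
            status = "flat_baseline_exceeded" if count > baseline else "normal"
        else:
            z_score = (count - baseline) / spread
            status = "anomalous" if z_score > Z_THRESHOLD else "normal"
        results[user_id] = {"count": count, "baseline": baseline,
                            "z_score": z_score, "status": status}
    return results


# Constructed reference time: Wednesday of ISO week 11, 2025, at noon.
NOW = datetime.fromisocalendar(2025, 11, 3) + timedelta(hours=12)


def sample_transactions(now):
    """Constructed sample data: user -> (this-week count, {prior ISO year: count})."""
    spec = {
        "u-steady": (5, {2022: 4, 2023: 5, 2024: 6}),
        "u-spike": (12, {2022: 4, 2023: 5, 2024: 6}),
        "u-new": (9, {2024: 3}),
        "u-flat": (4, {2022: 3, 2023: 3, 2024: 3}),
    }
    _, iso_week, _ = now.isocalendar()
    txs = []
    for user, (current, history) in spec.items():
        txs += [(user, now - timedelta(hours=h)) for h in range(1, current + 1)]
        for year, n in history.items():
            txs += [(user, datetime.fromisocalendar(year, iso_week, day))
                    for day in range(1, n + 1)]
    return txs


if __name__ == "__main__":
    for user, row in sorted(seasonal_anomalies(sample_transactions(NOW), NOW).items()):
        print(user, row)
```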
<h3 id="real-time-anomaly-scoring" class="position-relative d-flex align-items-center group">
<span>Real-Time Anomaly Scoring</span>
</h3>
<h4 id="composite-anomaly-score" class="position-relative d-flex align-items-center group">
<span>Composite Anomaly Score</span>
</h4><p>Combine multiple signals into a risk score:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">//</span><span class="w"> </span><span class="py">Calculate</span><span class="w"> </span><span class="py">multi</span><span class="err">-</span><span class="py">factor</span><span class="w"> </span><span class="py">anomaly</span><span class="w"> </span><span class="py">score</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">transaction</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">a</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">t</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="w"> </span><span class="p">{</span><span class="py">transaction_id</span><span class="p">:</span><span class="w"> </span><span class="nv">$tx_id</span><span class="p">}]</span><span class="err">-></span><span class="p">(</span><span class="nc">m</span><span class="p">:</span><span class="nc">Merchant</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Factor</span><span class="w"> </span><span class="py">1</span><span class="p">:</span><span class="w"> </span><span class="nc">Transaction</span><span class="w"> </span><span class="py">amount</span><span class="w"> </span><span class="py">vs</span><span class="err">.</span><span class="w"> </span><span class="py">account</span><span class="w"> </span><span class="py">history</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">a</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">hist</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-></span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">hist</span><span class="err">.</span><span class="py">timestamp</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">datetime</span><span class="p">()</span><span class="err">.</span><span class="py">minusDays</span><span class="p">(</span><span class="py">30</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">t</span><span class="p">,</span><span class="w"> </span><span class="py">m</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AVG</span><span class="p">(</span><span class="py">hist</span><span class="err">.</span><span class="py">amount</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">avg_amount</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">STDDEV</span><span class="p">(</span><span class="py">hist</span><span class="err">.</span><span class="py">amount</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">stddev_amount</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">hist</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">tx_count</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">t</span><span class="p">,</span><span class="w"> </span><span class="py">m</span><span class="p">,</span><span class="w"> </span><span class="py">tx_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">CASE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">tx_count</span><span class="w"> </span><span class="err"><</span><span class="w"> </span><span class="py">5</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="py">0</span><span class="mf">.5</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">New</span><span class="w"> </span><span class="py">account</span><span class="w"> </span><span class="py">penalty</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">stddev_amount</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">0</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="py">0</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ELSE</span><span class="w"> </span><span class="py">LEAST</span><span class="p">(</span><span class="py">ABS</span><span class="p">(</span><span class="py">t</span><span class="err">.</span><span class="py">amount</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">avg_amount</span><span class="p">)</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="py">stddev_amount</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="py">3</span><span class="mf">.0</span><span class="p">,</span><span class="w"> </span><span class="py">1</span><span class="mf">.0</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">END</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">amount_score</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Factor</span><span class="w"> </span><span class="py">2</span><span class="p">:</span><span class="w"> </span><span class="nc">Merchant</span><span class="w"> </span><span class="py">category</span><span class="w"> </span><span class="py">vs</span><span class="err">.</span><span class="w"> </span><span class="py">user</span><span class="w"> </span><span class="py">history</span><span class="w">
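</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">OPTIONAL</span><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="py">keeps</span><span class="w"> </span><span class="py">the</span><span class="w"> </span><span class="py">row</span><span class="w"> </span><span class="py">when</span><span class="w"> </span><span class="py">the</span><span class="w"> </span><span class="py">category</span><span class="w"> </span><span class="py">is</span><span class="w"> </span><span class="py">new</span><span class="w"> </span><span class="py">so</span><span class="w"> </span><span class="py">the</span><span class="w"> </span><span class="py">count</span><span class="w"> </span><span class="py">can</span><span class="w"> </span><span class="py">be</span><span class="w"> </span><span class="py">0</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">OPTIONAL</span><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">a</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">prior</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-></span><span class="p">(:</span><span class="nc">Merchant</span><span class="w"> </span><span class="p">{</span><span class="py">category</span><span class="p">:</span><span class="w"> </span><span class="nc">m</span><span class="err">.</span><span class="py">category</span><span class="p">})</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">prior</span><span class="err">.</span><span class="py">transaction_id</span><span class="w"> </span><span class="err"><></span><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">transaction_id</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">Exclude</span><span class="w"> </span><span class="py">the</span><span class="w"> </span><span class="py">transaction</span><span class="w"> </span><span class="py">being</span><span class="w"> </span><span class="py">scored</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">t</span><span class="p">,</span><span class="w"> </span><span class="py">m</span><span class="p">,</span><span class="w"> </span><span class="py">amount_score</span><span class="p">,</span><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">prior</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">category_familiarity</span><span class="w">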
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">t</span><span class="p">,</span><span class="w"> </span><span class="py">m</span><span class="p">,</span><span class="w"> </span><span class="py">amount_score</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">CASE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">category_familiarity</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">0</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="py">0</span><span class="mf">.8</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">Never</span><span class="w"> </span><span class="py">used</span><span class="w"> </span><span class="py">this</span><span class="w"> </span><span class="py">category</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">category_familiarity</span><span class="w"> </span><span class="err"><</span><span class="w"> </span><span class="py">3</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="py">0</span><span class="mf">.4</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">Rarely</span><span class="w"> </span><span class="py">used</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ELSE</span><span class="w"> </span><span class="py">0</span><span class="mf">.0</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">END</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">category_score</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Factor</span><span class="w"> </span><span class="py">3</span><span class="p">:</span><span class="w"> </span><span class="nc">Time</span><span class="w"> </span><span class="py">of</span><span class="w"> </span><span class="py">day</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">t</span><span class="p">,</span><span class="w"> </span><span class="py">m</span><span class="p">,</span><span class="w"> </span><span class="py">amount_score</span><span class="p">,</span><span class="w"> </span><span class="py">category_score</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">CASE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">timestamp</span><span class="err">.</span><span class="py">hour</span><span class="w"> </span><span class="py">BETWEEN</span><span class="w"> </span><span class="py">2</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">5</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="py">0</span><span class="mf">.6</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">Late</span><span class="w"> </span><span class="py">night</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">timestamp</span><span class="err">.</span><span class="py">hour</span><span class="w"> </span><span class="py">BETWEEN</span><span class="w"> </span><span class="py">9</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">21</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="py">0</span><span class="mf">.0</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">Normal</span><span class="w"> </span><span class="py">hours</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ELSE</span><span class="w"> </span><span class="py">0</span><span class="mf">.3</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">END</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">time_score</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Factor</span><span class="w"> </span><span class="py">4</span><span class="p">:</span><span class="w"> </span><span class="nc">Velocity</span><span class="w"> </span><span class="p">(</span><span class="py">transactions</span><span class="w"> </span><span class="py">in</span><span class="w"> </span><span class="py">last</span><span class="w"> </span><span class="py">hour</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">a</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">recent</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-></span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">recent</span><span class="err">.</span><span class="py">timestamp</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">timestamp</span><span class="err">.</span><span class="py">minusHours</span><span class="p">(</span><span class="py">1</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">t</span><span class="p">,</span><span class="w"> </span><span class="py">m</span><span class="p">,</span><span class="w"> </span><span class="py">amount_score</span><span class="p">,</span><span class="w"> </span><span class="py">category_score</span><span class="p">,</span><span class="w"> </span><span class="py">time_score</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">recent</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">recent_tx_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">CASE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">recent</span><span class="p">)</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">10</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="py">1</span><span class="mf">.0</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">recent</span><span class="p">)</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">5</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="py">0</span><span class="mf">.7</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">recent</span><span class="p">)</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">3</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="py">0</span><span class="mf">.4</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ELSE</span><span class="w"> </span><span class="py">0</span><span class="mf">.0</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">END</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">velocity_score</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Combine</span><span class="w"> </span><span class="py">scores</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">weights</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">t</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">(</span><span class="py">amount_score</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">0</span><span class="mf">.4</span><span class="w"> </span><span class="err">+</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">category_score</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">0</span><span class="mf">.25</span><span class="w"> </span><span class="err">+</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">time_score</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">0</span><span class="mf">.15</span><span class="w"> </span><span class="err">+</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">velocity_score</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">0</span><span class="mf">.2</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">composite_score</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">transaction_id</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">composite_score</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">CASE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">composite_score</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">0</span><span class="mf">.8</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="err">'</span><span class="py">CRITICAL</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">composite_score</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">0</span><span class="mf">.6</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="err">'</span><span class="py">HIGH</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">composite_score</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">0</span><span class="mf">.4</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="err">'</span><span class="py">MEDIUM</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ELSE</span><span class="w"> </span><span class="err">'</span><span class="py">LOW</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">END</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">risk_level</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="machine-learning-integration" class="position-relative d-flex align-items-center group">
<span>Machine Learning Integration</span>
</h3>
<h4 id="feature-engineering" class="position-relative d-flex align-items-center group">
<span>Feature Engineering</span>
</h4><p>Extract graph features for ML models:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">//</span><span class="w"> </span><span class="py">Extract</span><span class="w"> </span><span class="py">node</span><span class="w"> </span><span class="py">features</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">anomaly</span><span class="w"> </span><span class="py">detection</span><span class="w"> </span><span class="py">model</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">a</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">OPTIONAL</span><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">a</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">out</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-></span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">OPTIONAL</span><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">a</span><span class="p">)</span><span class="err"><-</span><span class="p">[</span><span class="py">in</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">DISTINCT</span><span class="w"> </span><span class="py">out</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">out_degree</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">DISTINCT</span><span class="w"> </span><span class="py">in</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">in_degree</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AVG</span><span class="p">(</span><span class="py">out</span><span class="err">.</span><span class="py">amount</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">avg_out_amount</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AVG</span><span class="p">(</span><span class="py">in</span><span class="err">.</span><span class="py">amount</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">avg_in_amount</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">STDDEV</span><span class="p">(</span><span class="py">out</span><span class="err">.</span><span class="py">amount</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">stddev_out_amount</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MAX</span><span class="p">(</span><span class="py">out</span><span class="err">.</span><span class="py">amount</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">max_out_amount</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">duration</span><span class="err">.</span><span class="py">between</span><span class="p">(</span><span class="py">MIN</span><span class="p">(</span><span class="py">out</span><span class="err">.</span><span class="py">timestamp</span><span class="p">),</span><span class="w"> </span><span class="py">MAX</span><span class="p">(</span><span class="py">out</span><span class="err">.</span><span class="py">timestamp</span><span class="p">))</span><span class="err">.</span><span class="py">days</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">account_age_days</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Calculate</span><span class="w"> </span><span class="py">network</span><span class="w"> </span><span class="py">features</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">OPTIONAL</span><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">a</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">TRANSACTION</span><span class="err">*</span><span class="py">2</span><span class="p">]</span><span class="err">-</span><span class="p">(</span><span class="py">indirect</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">out_degree</span><span class="p">,</span><span class="w"> </span><span class="py">in_degree</span><span class="p">,</span><span class="w"> </span><span class="py">avg_out_amount</span><span class="p">,</span><span class="w"> </span><span class="py">avg_in_amount</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">stddev_out_amount</span><span class="p">,</span><span class="w"> </span><span class="py">max_out_amount</span><span class="p">,</span><span class="w"> </span><span class="py">account_age_days</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">DISTINCT</span><span class="w"> </span><span class="py">indirect</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">two_hop_neighbors</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">a</span><span class="err">.</span><span class="py">account_id</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">out_degree</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">in_degree</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">out_degree</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="py">in_degree</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">total_degree</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">avg_out_amount</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">avg_in_amount</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">stddev_out_amount</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">max_out_amount</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">account_age_days</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">two_hop_neighbors</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">two_hop_neighbors</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">1</span><span class="mf">.0</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="py">NULLIF</span><span class="p">(</span><span class="py">out_degree</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="py">in_degree</span><span class="p">,</span><span class="w"> </span><span class="py">0</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">network_expansion</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="label-propagation-for-anomaly-detection" class="position-relative d-flex align-items-center group">
<span>Label Propagation for Anomaly Detection</span>
</h4><p>Propagate known fraud labels through the graph:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">//</span><span class="w"> </span><span class="py">Initialize</span><span class="w"> </span><span class="py">known</span><span class="w"> </span><span class="py">fraudulent</span><span class="w"> </span><span class="py">accounts</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">fraud</span><span class="p">:</span><span class="nc">Account</span><span class="w"> </span><span class="p">{</span><span class="py">is_fraud</span><span class="p">:</span><span class="w"> </span><span class="nc">true</span><span class="p">})</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SET</span><span class="w"> </span><span class="py">fraud</span><span class="err">.</span><span class="py">fraud_score</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">1</span><span class="mf">.0</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Propagate</span><span class="w"> </span><span class="py">fraud</span><span class="w"> </span><span class="py">score</span><span class="w"> </span><span class="py">to</span><span class="w"> </span><span class="py">connected</span><span class="w"> </span><span class="py">accounts</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">fraud</span><span class="p">:</span><span class="nc">Account</span><span class="w"> </span><span class="p">{</span><span class="py">is_fraud</span><span class="p">:</span><span class="w"> </span><span class="nc">true</span><span class="p">})</span><span class="err">-</span><span class="p">[:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-</span><span class="p">(</span><span class="py">neighbor</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">neighbor</span><span class="err">.</span><span class="py">is_fraud</span><span class="w"> </span><span class="py">IS</span><span class="w"> </span><span class="py">NULL</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">neighbor</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AVG</span><span class="p">(</span><span class="py">fraud</span><span class="err">.</span><span class="py">fraud_score</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">avg_neighbor_score</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">fraud</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">fraud_neighbor_count</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SET</span><span class="w"> </span><span class="py">neighbor</span><span class="err">.</span><span class="py">fraud_score</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">avg_neighbor_score</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">0</span><span class="mf">.7</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">Decay</span><span class="w"> </span><span class="py">factor</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">neighbor</span><span class="err">.</span><span class="py">fraud_neighbor_count</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">fraud_neighbor_count</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Flag</span><span class="w"> </span><span class="py">high</span><span class="err">-</span><span class="py">risk</span><span class="w"> </span><span class="py">accounts</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">suspicious</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">suspicious</span><span class="err">.</span><span class="py">fraud_score</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">0</span><span class="mf">.5</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">suspicious</span><span class="err">.</span><span class="py">is_fraud</span><span class="w"> </span><span class="py">IS</span><span class="w"> </span><span class="py">NULL</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">suspicious</span><span class="err">.</span><span class="py">account_id</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">suspicious</span><span class="err">.</span><span class="py">fraud_score</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">suspicious</span><span class="err">.</span><span class="py">fraud_neighbor_count</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">suspicious</span><span class="err">.</span><span class="py">fraud_score</span><span class="w"> </span><span class="py">DESC</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
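<p>The propagation rule above, replayed in Python on a small constructed graph so its behaviour can be checked before it runs against production data. This is an added example, not Geode's own code: the account ids, the <code>propagate</code> and <code>flag_high_risk</code> helpers and the <code>max_hops</code> parameter are assumptions, and the multi-hop loop goes beyond the single-hop query on this page. Only the decay factor 0.7 and the 0.5 threshold are taken from the query.</p>

```python
from collections import defaultdict

DECAY = 0.7      # decay factor used in the page's query
THRESHOLD = 0.5  # flagging threshold used in the page's query

# Constructed sample data: each pair is one TRANSACTION edge between two
# account ids (direction ignored, as in the page's undirected pattern).
TRANSACTIONS = [
    ("F1", "A"), ("F2", "A"),   # A transacts with two known-fraud accounts
    ("F1", "B"),                # B transacts with one
    ("B", "C"), ("C", "D"),     # C and D are 2 and 3 hops from fraud
    ("E", "G"),                 # unrelated component, never reached
]
KNOWN_FRAUD = {"F1", "F2"}


def build_adjacency(transactions):
    """One adjacency entry per transaction, so a repeated edge is counted
    once per transaction, like a row-per-match aggregation."""
    adjacency = defaultdict(list)
    for left, right in transactions:
        adjacency[left].append(right)
        adjacency[right].append(left)
    return adjacency


def propagate(transactions, known_fraud, decay=DECAY, max_hops=1):
    """Spread fraud scores outward one hop per round.

    Round 1 reproduces the page's rule: an unlabeled neighbor receives
    decay * AVG(score of its fraud neighbors). Later rounds (hypothetical
    extension) apply the same rule to accounts scored in the previous round.
    """
    adjacency = build_adjacency(transactions)
    scores = {account: 1.0 for account in known_fraud}
    fraud_neighbor_count = {}
    frontier = set(known_fraud)

    for hop in range(1, max_hops + 1):
        candidates = {
            neighbor
            for account in frontier
            for neighbor in adjacency[account]
            if neighbor not in scores
        }
        updates = {}
        for node in candidates:
            # Scores are read from the previous round only; updates are
            # applied after the loop so the round is order-independent.
            neighbor_scores = [scores[n] for n in adjacency[node] if n in scores]
            updates[node] = decay * sum(neighbor_scores) / len(neighbor_scores)
            if hop == 1:
                fraud_neighbor_count[node] = len(neighbor_scores)
        if not updates:
            break
        scores.update(updates)
        frontier = set(updates)
    return scores, fraud_neighbor_count


def flag_high_risk(scores, known_fraud, threshold=THRESHOLD):
    """Unlabeled accounts above the threshold, highest score first."""
    flagged = [
        (account, score)
        for account, score in scores.items()
        if account not in known_fraud and score > threshold
    ]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    scores, counts = propagate(TRANSACTIONS, KNOWN_FRAUD, max_hops=3)
    for account, score in flag_high_risk(scores, KNOWN_FRAUD):
        print(account, round(score, 3), counts.get(account, 0))
```

<p>On this data A (two fraud neighbors) and B (one) both score 0.7, because averaging seed scores of 1.0 always yields 1.0; <code>fraud_neighbor_count</code> is the field that separates them. With these constants every direct counterparty of a fraud account is flagged and no account two or more hops away can be.</p>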
<h3 id="best-practices" class="position-relative d-flex align-items-center group">
<span>Best Practices</span>
</h3><ol>
<li><strong>Combine Multiple Signals</strong>: Use both statistical and graph-based features for robust detection</li>
<li><strong>Set Context-Aware Thresholds</strong>: Different rules for different account types, regions, or time periods</li>
<li><strong>Handle False Positives</strong>: Implement feedback loops to reduce false alarms over time</li>
<li><strong>Monitor Model Drift</strong>: Regularly retrain models as normal behavior patterns evolve</li>
<li><strong>Real-Time Processing</strong>: Flag high-risk transactions immediately for review</li>
<li><strong>Explainability</strong>: Provide clear reasons why something was flagged as anomalous</li>
<li><strong>Incremental Updates</strong>: Update anomaly scores as new data arrives</li>
<li><strong>Historical Analysis</strong>: Backtest detection rules on labeled historical data</li>
<li><strong>Multi-Layer Defense</strong>: Use both rule-based and ML-based approaches</li>
<li><strong>Privacy-Preserving</strong>: Aggregate patterns without exposing individual behaviors</li>
</ol>
<h3 id="integration-with-geode-features" class="position-relative d-flex align-items-center group">
<span>Integration with Geode Features</span>
</h3><p>Anomaly detection leverages:</p>
<ul>
<li><strong>Graph Algorithms</strong>: PageRank, community detection, centrality measures</li>
<li><strong>Real-Time Analytics</strong>: Stream processing for immediate threat detection</li>
<li><strong>Vector Embeddings</strong>: Learn behavioral embeddings for similarity-based detection</li>
<li><strong>Temporal Queries</strong>: Analyze time-series patterns and trends</li>
<li><strong>Row-Level Security</strong>: Control access to sensitive anomaly detection results</li>
</ul>
<p>Browse the tagged content below to discover documentation, tutorials, and guides for implementing anomaly detection in your Geode applications.</p>
<h3 id="statistical-methods-for-anomaly-detection" class="position-relative d-flex align-items-center group">
<span>Statistical Methods for Anomaly Detection</span>
</h3>
<h4 id="z-score-analysis" class="position-relative d-flex align-items-center group">
<span>Z-Score Analysis</span>
</h4><p>Detect outliers using standard deviation:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Multi</span><span class="err">-</span><span class="py">dimensional</span><span class="w"> </span><span class="py">z</span><span class="err">-</span><span class="py">score</span><span class="w"> </span><span class="py">anomaly</span><span class="w"> </span><span class="py">detection</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">a</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">t</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-></span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">t</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">tx_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AVG</span><span class="p">(</span><span class="py">t</span><span class="err">.</span><span class="py">amount</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">avg_amount</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">STDDEV</span><span class="p">(</span><span class="py">t</span><span class="err">.</span><span class="py">amount</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">stddev_amount</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MAX</span><span class="p">(</span><span class="py">t</span><span class="err">.</span><span class="py">amount</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">max_amount</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">AVG</span><span class="p">(</span><span class="py">tx_count</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">global_avg_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">STDDEV</span><span class="p">(</span><span class="py">tx_count</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">global_stddev_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AVG</span><span class="p">(</span><span class="py">avg_amount</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">global_avg_amount</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">STDDEV</span><span class="p">(</span><span class="py">avg_amount</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">global_stddev_amount</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COLLECT</span><span class="p">({</span><span class="py">account</span><span class="p">:</span><span class="w"> </span><span class="nc">a</span><span class="p">,</span><span class="w"> </span><span class="py">tx_count</span><span class="p">:</span><span class="w"> </span><span class="nc">tx_count</span><span class="p">,</span><span class="w"> </span><span class="py">avg_amount</span><span class="p">:</span><span class="w"> </span><span class="nc">avg_amount</span><span class="p">})</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">accounts</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">UNWIND</span><span class="w"> </span><span class="py">accounts</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">acc_data</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">acc_data</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">(</span><span class="py">acc_data</span><span class="err">.</span><span class="py">tx_count</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">global_avg_count</span><span class="p">)</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="py">NULLIF</span><span class="p">(</span><span class="py">global_stddev_count</span><span class="p">,</span><span class="w"> </span><span class="py">0</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">z_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">(</span><span class="py">acc_data</span><span class="err">.</span><span class="py">avg_amount</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">global_avg_amount</span><span class="p">)</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="py">NULLIF</span><span class="p">(</span><span class="py">global_stddev_amount</span><span class="p">,</span><span class="w"> </span><span class="py">0</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">z_amount</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">acc_data</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">SQRT</span><span class="p">(</span><span class="py">z_count</span><span class="w"> </span><span class="err">^</span><span class="w"> </span><span class="py">2</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="py">z_amount</span><span class="w"> </span><span class="err">^</span><span class="w"> </span><span class="py">2</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">mahalanobis_distance</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">mahalanobis_distance</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">3</span><span class="mf">.0</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">3</span><span class="err">-</span><span class="py">sigma</span><span class="w"> </span><span class="py">threshold</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">acc_data</span><span class="err">.</span><span class="py">account</span><span class="err">.</span><span class="py">account_id</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">acc_data</span><span class="err">.</span><span class="py">tx_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">acc_data</span><span class="err">.</span><span class="py">avg_amount</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">mahalanobis_distance</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">anomaly_score</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">mahalanobis_distance</span><span class="w"> </span><span class="py">DESC</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
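<p>The score in the query above is the Euclidean length of the two z-scores, which equals the Mahalanobis distance only when <code>tx_count</code> and <code>avg_amount</code> are uncorrelated. The Python sketch below is an added example, not part of the original page; its account data and function names are constructed for illustration. It compares that score with the covariance-aware distance on accounts whose two features move together.</p>

```python
import math
import statistics

THRESHOLD = 3.0  # same cut-off as the query above


def build_accounts():
    """Constructed sample: 20 accounts whose tx_count and avg_amount rise
    together, plus one account that is busy but moves small amounts."""
    accounts = []
    for i in range(20):
        jitter = 5 if i % 2 == 0 else -5
        accounts.append((f"acct-{i:02d}", 10 + 2 * i, 100 + 10 * i + jitter))
    accounts.append(("acct-odd", 44, 110))
    return accounts


def z_scores(values):
    """Per-feature z-scores using the sample standard deviation."""
    mean = statistics.mean(values)
    sd = statistics.stdev(values)
    if sd == 0:
        raise ValueError("feature has no spread (the query guards this with NULLIF)")
    return [(v - mean) / sd for v in values]


def z_distance(accounts):
    """The score the query computes: sqrt(z_count^2 + z_amount^2)."""
    zc = z_scores([a[1] for a in accounts])
    za = z_scores([a[2] for a in accounts])
    return {a[0]: math.hypot(c, m) for a, c, m in zip(accounts, zc, za)}


def mahalanobis(accounts):
    """Covariance-aware distance for two features (2x2 inverse written out)."""
    xs = [a[1] for a in accounts]
    ys = [a[2] for a in accounts]
    n = len(accounts)
    mx, my = statistics.mean(xs), statistics.mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs) / (n - 1)
    syy = sum((y - my) ** 2 for y in ys) / (n - 1)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (n - 1)
    det = sxx * syy - sxy ** 2
    if det <= 0:
        raise ValueError("covariance matrix is singular")
    scores = {}
    for name, x, y in accounts:
        dx, dy = x - mx, y - my
        d2 = (syy * dx * dx - 2 * sxy * dx * dy + sxx * dy * dy) / det
        scores[name] = math.sqrt(d2)
    return scores


def flagged(scores, threshold=THRESHOLD):
    """Names whose score exceeds the threshold, sorted for stable output."""
    return sorted(name for name, s in scores.items() if s > threshold)


if __name__ == "__main__":
    accts = build_accounts()
    print("z-distance flags: ", flagged(z_distance(accts)))
    print("Mahalanobis flags:", flagged(mahalanobis(accts)))
```

Each feature of the odd account is unremarkable on its own, so the z-score length stays under the threshold; only the covariance term exposes that the combination is unusual.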
<h4 id="interquartile-range-iqr-method" class="position-relative d-flex align-items-center group">
<span>Interquartile Range (IQR) Method</span>
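</h4><p>Because its fences come from quartiles rather than the mean and standard deviation, the IQR method stays robust when the data already contains extreme values:</p>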
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">IQR</span><span class="err">-</span><span class="py">based</span><span class="w"> </span><span class="py">outlier</span><span class="w"> </span><span class="py">detection</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">t</span><span class="p">:</span><span class="nc">Transaction</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">amount</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">amount</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">amount</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">COLLECT</span><span class="p">(</span><span class="py">amount</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">amounts</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">percentile_cont</span><span class="p">(</span><span class="py">amount</span><span class="p">,</span><span class="w"> </span><span class="py">0</span><span class="mf">.25</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">q1</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">percentile_cont</span><span class="p">(</span><span class="py">amount</span><span class="p">,</span><span class="w"> </span><span class="py">0</span><span class="mf">.75</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">q3</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">amounts</span><span class="p">,</span><span class="w"> </span><span class="py">q1</span><span class="p">,</span><span class="w"> </span><span class="py">q3</span><span class="p">,</span><span class="w"> </span><span class="py">q3</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">q1</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">iqr</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">q1</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">1</span><span class="mf">.5</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="p">(</span><span class="py">q3</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">q1</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">lower_fence</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">q3</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="py">1</span><span class="mf">.5</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="p">(</span><span class="py">q3</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">q1</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">upper_fence</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">t</span><span class="p">:</span><span class="nc">Transaction</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">amount</span><span class="w"> </span><span class="err"><</span><span class="w"> </span><span class="py">lower_fence</span><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">amount</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">upper_fence</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">transaction_id</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">amount</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">lower_fence</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">upper_fence</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">CASE</span><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">amount</span><span class="w"> </span><span class="err"><</span><span class="w"> </span><span class="py">lower_fence</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="err">'</span><span class="py">LOW_OUTLIER</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ELSE</span><span class="w"> </span><span class="err">'</span><span class="py">HIGH_OUTLIER</span><span class="err">'</span><span class="w"> </span><span class="py">END</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">outlier_type</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
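<p>The added Python example below (not from the original page) runs the same fence calculation next to a 3-sigma test on a constructed set of amounts, to show the masking effect that makes the quartile-based method the safer choice. It assumes <code>percentile_cont</code> interpolates linearly, as the SQL function of that name does; the transaction ids and helper names are hypothetical.</p>

```python
import math
import statistics

# Constructed sample: ten routine amounts and two very large transfers.
TRANSACTIONS = [
    ("tx-001", 40), ("tx-002", 42), ("tx-003", 45), ("tx-004", 47),
    ("tx-005", 50), ("tx-006", 52), ("tx-007", 55), ("tx-008", 58),
    ("tx-009", 60), ("tx-010", 61), ("tx-011", 900), ("tx-012", 950),
]


def percentile_cont(sorted_vals, p):
    """Linearly interpolated percentile over already-sorted values."""
    if not sorted_vals:
        raise ValueError("no values")
    pos = p * (len(sorted_vals) - 1)
    lo, hi = math.floor(pos), math.ceil(pos)
    return sorted_vals[lo] + (pos - lo) * (sorted_vals[hi] - sorted_vals[lo])


def iqr_outliers(transactions, k=1.5):
    """Label amounts outside [q1 - k*IQR, q3 + k*IQR], as the query does."""
    amounts = sorted(a for _, a in transactions)
    q1 = percentile_cont(amounts, 0.25)
    q3 = percentile_cont(amounts, 0.75)
    lower, upper = q1 - k * (q3 - q1), q3 + k * (q3 - q1)
    labels = {}
    for tx_id, amount in transactions:
        if amount < lower:
            labels[tx_id] = "LOW_OUTLIER"
        elif amount > upper:
            labels[tx_id] = "HIGH_OUTLIER"
    return labels, (lower, upper)


def three_sigma_outliers(transactions, threshold=3.0):
    """Z-score test over the same data, using the sample standard deviation."""
    amounts = [a for _, a in transactions]
    mean = statistics.mean(amounts)
    sd = statistics.stdev(amounts)
    if sd == 0:
        return {}
    return {tx: (a - mean) / sd for tx, a in transactions
            if abs(a - mean) / sd > threshold}


def max_sample_z(n):
    """Largest z-score any single point can reach among n samples."""
    return (n - 1) / math.sqrt(n)


if __name__ == "__main__":
    labels, fences = iqr_outliers(TRANSACTIONS)
    print("IQR fences:", fences, "flags:", labels)
    print("3-sigma flags:", three_sigma_outliers(TRANSACTIONS))
    print("max z with 10 samples:", round(max_sample_z(10), 3))
```

The two large transfers inflate the standard deviation enough that neither reaches three sigma, while the quartiles barely move. `max_sample_z` shows a related limit: with ten or fewer samples a 3-sigma test on the sample standard deviation cannot fire at all.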
<h3 id="graph-based-anomaly-scores" class="position-relative d-flex align-items-center group">
<span>Graph-Based Anomaly Scores</span>
</h3>
<h4 id="local-outlier-factor-lof" class="position-relative d-flex align-items-center group">
<span>Local Outlier Factor (LOF)</span>
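</h4><p>Density-based outlier detection, using each node's connection count as its density and comparing it with the average over its nearby nodes:</p>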
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Compute</span><span class="w"> </span><span class="py">Local</span><span class="w"> </span><span class="py">Outlier</span><span class="w"> </span><span class="py">Factor</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">n</span><span class="p">:</span><span class="nc">Node</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CALL</span><span class="w"> </span><span class="p">{</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WITH</span><span class="w"> </span><span class="py">n</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">n</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">CONNECTED</span><span class="err">*</span><span class="py">1</span><span class="err">.</span><span class="mf">.2</span><span class="p">]</span><span class="err">-</span><span class="p">(</span><span class="py">neighbor</span><span class="p">:</span><span class="nc">Node</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WITH</span><span class="w"> </span><span class="py">n</span><span class="p">,</span><span class="w"> </span><span class="py">neighbor</span><span class="p">,</span><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="err">*</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">path_count</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">path_count</span><span class="w"> </span><span class="py">DESC</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">LIMIT</span><span class="w"> </span><span class="py">20</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">RETURN</span><span class="w"> </span><span class="py">COLLECT</span><span class="p">(</span><span class="py">neighbor</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">k_neighbors</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">}</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">n</span><span class="p">,</span><span class="w"> </span><span class="py">k_neighbors</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AVG</span><span class="p">([</span><span class="py">neighbor</span><span class="w"> </span><span class="py">IN</span><span class="w"> </span><span class="py">k_neighbors</span><span class="w"> </span><span class="p">|</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">SIZE</span><span class="p">((</span><span class="py">neighbor</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">CONNECTED</span><span class="p">]</span><span class="err">-</span><span class="p">())])</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">avg_neighbor_density</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">n</span><span class="p">,</span><span class="w"> </span><span class="py">k_neighbors</span><span class="p">,</span><span class="w"> </span><span class="py">avg_neighbor_density</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">SIZE</span><span class="p">((</span><span class="py">n</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">CONNECTED</span><span class="p">]</span><span class="err">-</span><span class="p">())</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">node_density</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">n</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">avg_neighbor_density</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="py">NULLIF</span><span class="p">(</span><span class="py">node_density</span><span class="p">,</span><span class="w"> </span><span class="py">0</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">lof_score</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">lof_score</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">1</span><span class="mf">.5</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">LOF</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">1</span><span class="w"> </span><span class="py">indicates</span><span class="w"> </span><span class="py">outlier</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">n</span><span class="err">.</span><span class="py">id</span><span class="p">,</span><span class="w"> </span><span class="py">lof_score</span><span class="p">,</span><span class="w"> </span><span class="py">node_density</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">lof_score</span><span class="w"> </span><span class="py">DESC</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="isolation-forest-adaptation" class="position-relative d-flex align-items-center group">
<span>Isolation Forest Adaptation</span>
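</h4><p>Isolation Forest finds anomalies by random partitioning. The query below adapts the idea to a graph by scoring each node on how few other nodes it can reach within five hops:</p>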
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Graph</span><span class="err">-</span><span class="py">based</span><span class="w"> </span><span class="py">isolation</span><span class="w"> </span><span class="py">scoring</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">n</span><span class="p">:</span><span class="nc">Node</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CALL</span><span class="w"> </span><span class="p">{</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WITH</span><span class="w"> </span><span class="py">n</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="py">path</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="p">(</span><span class="py">n</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">EDGE</span><span class="err">*</span><span class="py">1</span><span class="err">.</span><span class="mf">.5</span><span class="p">]</span><span class="err">-</span><span class="p">(</span><span class="py">other</span><span class="p">:</span><span class="nc">Node</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WITH</span><span class="w"> </span><span class="py">n</span><span class="p">,</span><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">DISTINCT</span><span class="w"> </span><span class="py">other</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">reachable_nodes</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AVG</span><span class="p">(</span><span class="py">LENGTH</span><span class="p">(</span><span class="py">path</span><span class="p">))</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">avg_distance</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">RETURN</span><span class="w"> </span><span class="py">reachable_nodes</span><span class="p">,</span><span class="w"> </span><span class="py">avg_distance</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">}</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">AVG</span><span class="p">(</span><span class="py">reachable_nodes</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">global_avg_reach</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">STDDEV</span><span class="p">(</span><span class="py">reachable_nodes</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">global_stddev_reach</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">n</span><span class="p">:</span><span class="nc">Node</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CALL</span><span class="w"> </span><span class="p">{</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WITH</span><span class="w"> </span><span class="py">n</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="py">path</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="p">(</span><span class="py">n</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">EDGE</span><span class="err">*</span><span class="py">1</span><span class="err">.</span><span class="mf">.5</span><span class="p">]</span><span class="err">-</span><span class="p">(</span><span class="py">other</span><span class="p">:</span><span class="nc">Node</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WITH</span><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">DISTINCT</span><span class="w"> </span><span class="py">other</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">node_reach</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">RETURN</span><span class="w"> </span><span class="py">node_reach</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">}</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">n</span><span class="p">,</span><span class="w"> </span><span class="py">node_reach</span><span class="p">,</span><span class="w"> </span><span class="py">global_avg_reach</span><span class="p">,</span><span class="w"> </span><span class="py">global_stddev_reach</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">(</span><span class="py">global_avg_reach</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">node_reach</span><span class="p">)</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="py">NULLIF</span><span class="p">(</span><span class="py">global_stddev_reach</span><span class="p">,</span><span class="w"> </span><span class="py">0</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">isolation_score</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">isolation_score</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">2</span><span class="mf">.0</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">n</span><span class="err">.</span><span class="py">id</span><span class="p">,</span><span class="w"> </span><span class="py">node_reach</span><span class="p">,</span><span class="w"> </span><span class="py">isolation_score</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">isolation_score</span><span class="w"> </span><span class="py">DESC</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
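<p>The two graph scores above (the degree ratio used for LOF and the reach-based isolation score) flag different kinds of node. The added Python example below, which is not part of the original page, recomputes both on a small constructed graph. The graph, the function names and the choice to include every node in the reach baseline are assumptions of the example, and the <code>LIMIT 20</code> neighbour cap is omitted because the graph is small.</p>

```python
from collections import deque
import statistics

# Constructed undirected graph: a five-node clique, a pendant node "p"
# attached to "a", and a node "z" with no edges at all.
NODES = ["a", "b", "c", "d", "e", "p", "z"]
EDGES = [("a", "b"), ("a", "c"), ("a", "d"), ("a", "e"), ("b", "c"),
         ("b", "d"), ("b", "e"), ("c", "d"), ("c", "e"), ("d", "e"),
         ("a", "p")]


def adjacency(nodes, edges):
    adj = {n: set() for n in nodes}
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return adj


def within_hops(adj, start, max_hops):
    """Nodes reachable from start in 1..max_hops hops (BFS), excluding start."""
    seen, reached = {start}, set()
    frontier = deque([(start, 0)])
    while frontier:
        node, depth = frontier.popleft()
        if depth == max_hops:
            continue
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                reached.add(nxt)
                frontier.append((nxt, depth + 1))
    return reached


def degree_ratio_scores(adj, hops=2):
    """Mean degree of nodes within `hops`, divided by the node's own degree.
    A node with no edges gets None, mirroring NULLIF(node_density, 0)."""
    scores = {}
    for n in adj:
        nearby = within_hops(adj, n, hops)
        degree = len(adj[n])
        if not nearby or degree == 0:
            scores[n] = None
        else:
            scores[n] = statistics.mean([len(adj[m]) for m in nearby]) / degree
    return scores


def isolation_scores(adj, hops=5):
    """(mean reach - node reach) / stddev of reach, over all nodes."""
    reach = {n: len(within_hops(adj, n, hops)) for n in adj}
    values = list(reach.values())
    mean, sd = statistics.mean(values), statistics.stdev(values)
    if sd == 0:
        return {n: None for n in adj}
    return {n: (mean - r) / sd for n, r in reach.items()}


def flagged(scores, threshold):
    """A None score never passes the comparison, as with NULL in a WHERE."""
    return sorted(n for n, s in scores.items() if s is not None and s > threshold)


if __name__ == "__main__":
    graph = adjacency(NODES, EDGES)
    print("degree-ratio flags (> 1.5):", flagged(degree_ratio_scores(graph), 1.5))
    print("isolation flags (> 2.0):   ", flagged(isolation_scores(graph), 2.0))
```

The degree ratio flags the pendant node but gives the fully disconnected node no score at all, so it never passes the threshold; the reach-based score catches exactly that node. Running both covers the gap either one leaves alone.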
<h3 id="time-series-anomaly-detection-1" class="position-relative d-flex align-items-center group">
<span>Time-Series Anomaly Detection</span>
</h3>
<h4 id="arima-style-forecasting" class="position-relative d-flex align-items-center group">
<span>ARIMA-Style Forecasting</span>
</h4><p>Detect deviations from predicted values:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Simple</span><span class="w"> </span><span class="py">moving</span><span class="w"> </span><span class="py">average</span><span class="w"> </span><span class="py">anomaly</span><span class="w"> </span><span class="py">detection</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">a</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">t</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-></span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">timestamp</span><span class="w"> </span><span class="err">></span><span class="p">=</span><span class="w"> </span><span class="py">datetime</span><span class="p">()</span><span class="err">.</span><span class="py">minusDays</span><span class="p">(</span><span class="py">30</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">date</span><span class="err">.</span><span class="py">truncate</span><span class="p">(</span><span class="err">'</span><span class="py">day</span><span class="err">'</span><span class="p">,</span><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">timestamp</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">day</span><span class="p">,</span><span class="w"> </span><span class="py">SUM</span><span class="p">(</span><span class="py">t</span><span class="err">.</span><span class="py">amount</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">daily_amount</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">day</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">day</span><span class="p">,</span><span class="w"> </span><span class="py">daily_amount</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AVG</span><span class="p">(</span><span class="py">daily_amount</span><span class="p">)</span><span class="w"> </span><span class="py">OVER</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">PARTITION</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">a</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">day</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ROWS</span><span class="w"> </span><span class="py">BETWEEN</span><span class="w"> </span><span class="py">7</span><span class="w"> </span><span class="py">PRECEDING</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">1</span><span class="w"> </span><span class="py">PRECEDING</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">moving_avg_7d</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">STDDEV</span><span class="p">(</span><span class="py">daily_amount</span><span class="p">)</span><span class="w"> </span><span class="py">OVER</span><span class="w"> </span><span class="p">(</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">PARTITION</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">a</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">day</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ROWS</span><span class="w"> </span><span class="py">BETWEEN</span><span class="w"> </span><span class="py">7</span><span class="w"> </span><span class="py">PRECEDING</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">1</span><span class="w"> </span><span class="py">PRECEDING</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">moving_stddev_7d</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">ABS</span><span class="p">(</span><span class="py">daily_amount</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">moving_avg_7d</span><span class="p">)</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">3</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">moving_stddev_7d</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">a</span><span class="err">.</span><span class="py">account_id</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">day</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">daily_amount</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">moving_avg_7d</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">(</span><span class="py">daily_amount</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">moving_avg_7d</span><span class="p">)</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="py">NULLIF</span><span class="p">(</span><span class="py">moving_stddev_7d</span><span class="p">,</span><span class="w"> </span><span class="py">0</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">z_score</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">ABS</span><span class="p">(</span><span class="py">z_score</span><span class="p">)</span><span class="w"> </span><span class="py">DESC</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="seasonal-decomposition" class="position-relative d-flex align-items-center group">
<span>Seasonal Decomposition</span>
</h4><p>Account for cyclic patterns:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Weekly</span><span class="w"> </span><span class="py">seasonality</span><span class="err">-</span><span class="py">adjusted</span><span class="w"> </span><span class="py">anomaly</span><span class="w"> </span><span class="py">detection</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">u</span><span class="p">:</span><span class="nc">User</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">t</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-></span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">u</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">timestamp</span><span class="err">.</span><span class="py">dayOfWeek</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">dow</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">timestamp</span><span class="err">.</span><span class="py">hourOfDay</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">hour</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">t</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">tx_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">SUM</span><span class="p">(</span><span class="py">t</span><span class="err">.</span><span class="py">amount</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">total_amount</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">dow</span><span class="p">,</span><span class="w"> </span><span class="py">hour</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AVG</span><span class="p">(</span><span class="py">tx_count</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">typical_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">STDDEV</span><span class="p">(</span><span class="py">tx_count</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">stddev_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AVG</span><span class="p">(</span><span class="py">total_amount</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">typical_amount</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">dow</span><span class="p">,</span><span class="w"> </span><span class="py">hour</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">u</span><span class="p">:</span><span class="nc">User</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">recent</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-></span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">recent</span><span class="err">.</span><span class="py">timestamp</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">datetime</span><span class="p">()</span><span class="err">.</span><span class="py">minusDays</span><span class="p">(</span><span class="py">1</span><span class="p">)</span><span class="w">
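</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">u</span><span class="p">,</span><span class="w"> </span><span class="py">dow</span><span class="p">,</span><span class="w"> </span><span class="py">hour</span><span class="p">,</span><span class="w"> </span><span class="py">typical_count</span><span class="p">,</span><span class="w"> </span><span class="py">stddev_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">recent</span><span class="err">.</span><span class="py">timestamp</span><span class="err">.</span><span class="py">dayOfWeek</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">current_dow</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">recent</span><span class="err">.</span><span class="py">timestamp</span><span class="err">.</span><span class="py">hourOfDay</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">current_hour</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">recent</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">current_count</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Join</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">historical</span><span class="w"> </span><span class="py">patterns</span><span class="w"> </span><span class="py">on</span><span class="w"> </span><span class="py">day</span><span class="w"> </span><span class="py">of</span><span class="w"> </span><span class="py">week</span><span class="w"> </span><span class="py">and</span><span class="w"> </span><span class="py">hour</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">current_dow</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">dow</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">current_hour</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">hour</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">current_count</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">typical_count</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="py">3</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">stddev_count</span><span class="w">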
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">u</span><span class="err">.</span><span class="py">user_id</span><span class="p">,</span><span class="w"> </span><span class="py">current_count</span><span class="p">,</span><span class="w"> </span><span class="py">typical_count</span><span class="p">,</span><span class="w"> </span><span class="err">'</span><span class="py">SEASONAL_ANOMALY</span><span class="err">'</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="kd">type</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="ensemble-anomaly-detection" class="position-relative d-flex align-items-center group">
<span>Ensemble Anomaly Detection</span>
</h3><p>Combine multiple detection methods:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Multi</span><span class="err">-</span><span class="py">method</span><span class="w"> </span><span class="py">ensemble</span><span class="w"> </span><span class="py">scoring</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">a</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CALL</span><span class="w"> </span><span class="p">{</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">Method</span><span class="w"> </span><span class="py">1</span><span class="p">:</span><span class="w"> </span><span class="nc">Transaction</span><span class="w"> </span><span class="py">volume</span><span class="w"> </span><span class="py">anomaly</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">a</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">t</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-></span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">t</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">tx_count</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">tx_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">(</span><span class="py">tx_count</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="nv">$global_avg_tx</span><span class="p">)</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="nv">$global_stddev_tx</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">z_volume</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">RETURN</span><span class="w"> </span><span class="py">CASE</span><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">ABS</span><span class="p">(</span><span class="py">z_volume</span><span class="p">)</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">2</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="py">0</span><span class="mf">.3</span><span class="w"> </span><span class="py">ELSE</span><span class="w"> </span><span class="py">0</span><span class="mf">.0</span><span class="w"> </span><span class="py">END</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">volume_score</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">}</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CALL</span><span class="w"> </span><span class="p">{</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">Method</span><span class="w"> </span><span class="py">2</span><span class="p">:</span><span class="w"> </span><span class="nc">Unusual</span><span class="w"> </span><span class="py">connection</span><span class="w"> </span><span class="py">pattern</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">OPTIONAL</span><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">a</span><span class="p">)</span><span class="err">-</span><span class="p">[:</span><span class="nc">TRANSACTED_WITH</span><span class="p">]</span><span class="err">-</span><span class="p">(</span><span class="py">other</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">DISTINCT</span><span class="w"> </span><span class="py">other</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">unique_connections</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">RETURN</span><span class="w"> </span><span class="py">CASE</span><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">unique_connections</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">50</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="py">0</span><span class="mf">.4</span><span class="w"> </span><span class="py">ELSE</span><span class="w"> </span><span class="py">0</span><span class="mf">.0</span><span class="w"> </span><span class="py">END</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">pattern_score</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">}</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">CALL</span><span class="w"> </span><span class="p">{</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">Method</span><span class="w"> </span><span class="py">3</span><span class="p">:</span><span class="w"> </span><span class="nc">Suspicious</span><span class="w"> </span><span class="py">timing</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">OPTIONAL</span><span class="w"> </span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">a</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">t</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-></span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHERE</span><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">timestamp</span><span class="err">.</span><span class="py">hour</span><span class="w"> </span><span class="py">BETWEEN</span><span class="w"> </span><span class="py">2</span><span class="w"> </span><span class="py">AND</span><span class="w"> </span><span class="py">5</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">t</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">late_night_tx</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">RETURN</span><span class="w"> </span><span class="py">CASE</span><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">late_night_tx</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">5</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="py">0</span><span class="mf">.3</span><span class="w"> </span><span class="py">ELSE</span><span class="w"> </span><span class="py">0</span><span class="mf">.0</span><span class="w"> </span><span class="py">END</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">timing_score</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">}</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">volume_score</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="py">pattern_score</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="py">timing_score</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">ensemble_score</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">ensemble_score</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">0</span><span class="mf">.5</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">a</span><span class="err">.</span><span class="py">account_id</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ensemble_score</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="err">'</span><span class="py">ENSEMBLE_DETECTION</span><span class="err">'</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">method</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">ensemble_score</span><span class="w"> </span><span class="py">DESC</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="real-time-streaming-anomaly-detection" class="position-relative d-flex align-items-center group">
<span>Real-Time Streaming Anomaly Detection</span>
</h3>
<h4 id="incremental-statistics-update" class="position-relative d-flex align-items-center group">
<span>Incremental Statistics Update</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Update</span><span class="w"> </span><span class="py">running</span><span class="w"> </span><span class="py">statistics</span><span class="w"> </span><span class="py">incrementally</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">stats</span><span class="p">:</span><span class="nc">GlobalStats</span><span class="w"> </span><span class="p">{</span><span class="py">metric</span><span class="p">:</span><span class="w"> </span><span class="err">'</span><span class="nc">daily_transactions</span><span class="err">'</span><span class="p">})</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">new_tx</span><span class="p">:</span><span class="nc">Transaction</span><span class="w"> </span><span class="p">{</span><span class="py">processed</span><span class="p">:</span><span class="w"> </span><span class="nc">false</span><span class="p">})</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">stats</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">new_tx</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">new_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">AVG</span><span class="p">(</span><span class="py">new_tx</span><span class="err">.</span><span class="py">amount</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">new_avg</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">STDDEV</span><span class="p">(</span><span class="py">new_tx</span><span class="err">.</span><span class="py">amount</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">new_stddev</span><span class="w">
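</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Batch</span><span class="w"> </span><span class="py">merge</span><span class="w"> </span><span class="py">of</span><span class="w"> </span><span class="py">count</span><span class="p">,</span><span class="w"> </span><span class="py">mean</span><span class="w"> </span><span class="py">and</span><span class="w"> </span><span class="py">M2</span><span class="w"> </span><span class="p">(</span><span class="py">Chan</span><span class="w"> </span><span class="py">et</span><span class="w"> </span><span class="py">al</span><span class="err">.</span><span class="w"> </span><span class="py">form</span><span class="w"> </span><span class="py">of</span><span class="w"> </span><span class="py">Welford</span><span class="err">'</span><span class="py">s</span><span class="w"> </span><span class="py">algorithm</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Assumes</span><span class="w"> </span><span class="py">STDDEV</span><span class="w"> </span><span class="py">is</span><span class="w"> </span><span class="py">the</span><span class="w"> </span><span class="py">sample</span><span class="w"> </span><span class="py">standard</span><span class="w"> </span><span class="py">deviation</span><span class="err">;</span><span class="w"> </span><span class="py">M2</span><span class="w"> </span><span class="py">and</span><span class="w"> </span><span class="py">mean</span><span class="w"> </span><span class="py">are</span><span class="w"> </span><span class="py">set</span><span class="w"> </span><span class="py">first</span><span class="w"> </span><span class="py">so</span><span class="w"> </span><span class="py">they</span><span class="w"> </span><span class="py">read</span><span class="w"> </span><span class="py">the</span><span class="w"> </span><span class="py">old</span><span class="w"> </span><span class="py">count</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SET</span><span class="w"> </span><span class="py">stats</span><span class="err">.</span><span class="py">M2</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">stats</span><span class="err">.</span><span class="py">M2</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="py">new_stddev</span><span class="w"> </span><span class="err">^</span><span class="w"> </span><span class="py">2</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="p">(</span><span class="py">new_count</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">1</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="p">(</span><span class="py">new_avg</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="py">stats</span><span class="err">.</span><span class="py">mean</span><span class="p">)</span><span class="w"> </span><span class="err">^</span><span class="w"> </span><span class="py">2</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">stats</span><span class="err">.</span><span class="py">count</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">new_count</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="p">(</span><span class="py">stats</span><span class="err">.</span><span class="py">count</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="py">new_count</span><span class="p">),</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">stats</span><span class="err">.</span><span class="py">mean</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="p">(</span><span class="py">stats</span><span class="err">.</span><span class="py">mean</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">stats</span><span class="err">.</span><span class="py">count</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="py">new_avg</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">new_count</span><span class="p">)</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="p">(</span><span class="py">stats</span><span class="err">.</span><span class="py">count</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="py">new_count</span><span class="p">),</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">stats</span><span class="err">.</span><span class="py">count</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">stats</span><span class="err">.</span><span class="py">count</span><span class="w"> </span><span class="err">+</span><span class="w"> </span><span class="py">new_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">stats</span><span class="err">.</span><span class="py">last_updated</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">datetime</span><span class="p">()</span><span class="err">;</span><span class="w">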
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">//</span><span class="w"> </span><span class="py">Mark</span><span class="w"> </span><span class="py">transactions</span><span class="w"> </span><span class="py">as</span><span class="w"> </span><span class="py">processed</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">new_tx</span><span class="p">:</span><span class="nc">Transaction</span><span class="w"> </span><span class="p">{</span><span class="py">processed</span><span class="p">:</span><span class="w"> </span><span class="nc">false</span><span class="p">})</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">SET</span><span class="w"> </span><span class="py">new_tx</span><span class="err">.</span><span class="py">processed</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">true</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
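<p>Added example (not Geode's code): the <code>M2</code> update above adds only the new batch's own sum of squares, while an exact batch merge (Chan et al.'s pairwise form of Welford's update) also adds a term for the shift between the stored mean and the batch mean. This Python sketch compares the two on constructed amounts and shows the effect on a 3σ check; all class and function names are illustrative, and <code>new_stddev</code> is assumed to be a population standard deviation.</p>

```python
import math
from dataclasses import dataclass

# Constructed sample amounts: an account whose spending level shifts upward.
HISTORY = [20, 25, 30, 22, 28, 25, 24, 26]
NEW_BATCH = [60, 65, 70, 62, 68, 65, 64, 66]


@dataclass
class RunningStats:
    """Stored baseline: count, mean and M2 (sum of squared deviations)."""
    count: int = 0
    mean: float = 0.0
    m2: float = 0.0

    @property
    def stddev(self) -> float:
        # Population standard deviation, so that M2 == stddev**2 * count.
        return math.sqrt(self.m2 / self.count) if self.count else 0.0


def batch_stats(values):
    """Compute count, mean and M2 for one batch in a single place."""
    n = len(values)
    mean = sum(values) / n
    return RunningStats(n, mean, sum((v - mean) ** 2 for v in values))


def merge(base, batch):
    """Exact pairwise merge: within-batch terms plus the mean-shift term."""
    if batch.count == 0:
        return base
    if base.count == 0:
        return batch
    n = base.count + batch.count
    delta = batch.mean - base.mean
    mean = base.mean + delta * batch.count / n
    m2 = base.m2 + batch.m2 + delta * delta * base.count * batch.count / n
    return RunningStats(n, mean, m2)


def merge_within_only(base, batch):
    """Same mean update, but M2 gets only the batch's own sum of squares."""
    n = base.count + batch.count
    mean = (base.mean * base.count + batch.mean * batch.count) / n
    return RunningStats(n, mean, base.m2 + batch.m2)


def is_anomalous(stats, amount, sigma=3.0):
    """Flag an amount more than `sigma` standard deviations from the mean."""
    if stats.stddev == 0:
        return False
    return abs(amount - stats.mean) / stats.stddev > sigma


if __name__ == "__main__":
    base, new = batch_stats(HISTORY), batch_stats(NEW_BATCH)
    exact, shortcut = merge(base, new), merge_within_only(base, new)
    for name, s in (("exact", exact), ("within-only", shortcut)):
        print(f"{name:12s} mean={s.mean:.1f} stddev={s.stddev:.2f} "
              f"flags 95.0: {is_anomalous(s, 95.0)}")
```

<p>When the batch mean differs from the stored mean, the within-only update understates the standard deviation, so amounts that sit inside the true 3σ band are flagged.</p>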
<h4 id="sliding-window-anomaly-detection" class="position-relative d-flex align-items-center group">
<span>Sliding Window Anomaly Detection</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Fixed</span><span class="err">-</span><span class="py">size</span><span class="w"> </span><span class="py">sliding</span><span class="w"> </span><span class="py">window</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">datetime</span><span class="p">()</span><span class="err">.</span><span class="py">minusHours</span><span class="p">(</span><span class="py">1</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">window_start</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">a</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">t</span><span class="p">:</span><span class="nc">TRANSACTION</span><span class="p">]</span><span class="err">-></span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">t</span><span class="err">.</span><span class="py">timestamp</span><span class="w"> </span><span class="err">></span><span class="p">=</span><span class="w"> </span><span class="py">window_start</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">t</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">window_tx_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">SUM</span><span class="p">(</span><span class="py">t</span><span class="err">.</span><span class="py">amount</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">window_total</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">a</span><span class="p">,</span><span class="w"> </span><span class="py">window_tx_count</span><span class="p">,</span><span class="w"> </span><span class="py">window_total</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">window_tx_count</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">1</span><span class="mf">.0</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="py">3600</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">tx_per_second</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">tx_per_second</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">1</span><span class="mf">.0</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">More</span><span class="w"> </span><span class="py">than</span><span class="w"> </span><span class="py">1</span><span class="w"> </span><span class="py">tx</span><span class="err">/</span><span class="py">second</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">a</span><span class="err">.</span><span class="py">account_id</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">window_tx_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">window_total</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">tx_per_second</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="err">'</span><span class="py">HIGH_VELOCITY</span><span class="err">'</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">anomaly_type</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="domain-specific-anomaly-detection" class="position-relative d-flex align-items-center group">
<span>Domain-Specific Anomaly Detection</span>
</h3>
<h4 id="healthcare-patient-risk-scoring" class="position-relative d-flex align-items-center group">
<span>Healthcare: Patient Risk Scoring</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Detect</span><span class="w"> </span><span class="py">high</span><span class="err">-</span><span class="py">risk</span><span class="w"> </span><span class="py">patient</span><span class="w"> </span><span class="py">patterns</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">p</span><span class="p">:</span><span class="nc">Patient</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">v</span><span class="p">:</span><span class="nc">VISIT</span><span class="p">]</span><span class="err">-></span><span class="p">(</span><span class="py">provider</span><span class="p">:</span><span class="nc">Provider</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">v</span><span class="err">.</span><span class="py">date</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">date</span><span class="p">()</span><span class="err">.</span><span class="py">minusMonths</span><span class="p">(</span><span class="py">12</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">p</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">DISTINCT</span><span class="w"> </span><span class="py">v</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">visit_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">DISTINCT</span><span class="w"> </span><span class="py">provider</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">provider_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">SUM</span><span class="p">(</span><span class="py">v</span><span class="err">.</span><span class="py">cost</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">total_cost</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">p</span><span class="p">,</span><span class="w"> </span><span class="py">visit_count</span><span class="p">,</span><span class="w"> </span><span class="py">provider_count</span><span class="p">,</span><span class="w"> </span><span class="py">total_cost</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">visit_count</span><span class="w"> </span><span class="err">*</span><span class="w"> </span><span class="py">1</span><span class="mf">.0</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="py">12</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">visits_per_month</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">visits_per_month</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">3</span><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">provider_count</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">10</span><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">total_cost</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">100000</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">p</span><span class="p">,</span><span class="w"> </span><span class="py">visits_per_month</span><span class="p">,</span><span class="w"> </span><span class="py">provider_count</span><span class="p">,</span><span class="w"> </span><span class="py">total_cost</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">CASE</span><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">visits_per_month</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">5</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="py">0</span><span class="mf">.4</span><span class="w"> </span><span class="py">ELSE</span><span class="w"> </span><span class="py">0</span><span class="mf">.0</span><span class="w"> </span><span class="py">END</span><span class="w"> </span><span class="err">+</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">CASE</span><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">provider_count</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">15</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="py">0</span><span class="mf">.3</span><span class="w"> </span><span class="py">ELSE</span><span class="w"> </span><span class="py">0</span><span class="mf">.0</span><span class="w"> </span><span class="py">END</span><span class="w"> </span><span class="err">+</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">CASE</span><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">total_cost</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">150000</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="py">0</span><span class="mf">.3</span><span class="w"> </span><span class="py">ELSE</span><span class="w"> </span><span class="py">0</span><span class="mf">.0</span><span class="w"> </span><span class="py">END</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">risk_score</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">risk_score</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">0</span><span class="mf">.5</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">p</span><span class="err">.</span><span class="py">patient_id</span><span class="p">,</span><span class="w"> </span><span class="py">p</span><span class="err">.</span><span class="py">name</span><span class="p">,</span><span class="w"> </span><span class="py">risk_score</span><span class="p">,</span><span class="w"> </span><span class="py">visits_per_month</span><span class="p">,</span><span class="w"> </span><span class="py">provider_count</span><span class="p">,</span><span class="w"> </span><span class="py">total_cost</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">risk_score</span><span class="w"> </span><span class="py">DESC</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="cybersecurity-intrusion-detection" class="position-relative d-flex align-items-center group">
<span>Cybersecurity: Intrusion Detection</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Network</span><span class="w"> </span><span class="py">intrusion</span><span class="w"> </span><span class="py">anomaly</span><span class="w"> </span><span class="py">detection</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">host</span><span class="p">:</span><span class="nc">Host</span><span class="p">)</span><span class="err">-</span><span class="p">[</span><span class="py">conn</span><span class="p">:</span><span class="nc">CONNECTION</span><span class="p">]</span><span class="err">-></span><span class="p">(</span><span class="py">target</span><span class="p">:</span><span class="nc">Host</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">conn</span><span class="err">.</span><span class="py">timestamp</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">datetime</span><span class="p">()</span><span class="err">.</span><span class="py">minusHours</span><span class="p">(</span><span class="py">24</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">host</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">target</span><span class="err">.</span><span class="py">ip_address</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">dest_ip</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">conn</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">connection_count</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">SUM</span><span class="p">(</span><span class="py">conn</span><span class="err">.</span><span class="py">bytes_sent</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">total_bytes</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">COUNT</span><span class="p">(</span><span class="py">DISTINCT</span><span class="w"> </span><span class="py">target</span><span class="err">.</span><span class="py">port</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">unique_ports</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">connection_count</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">1000</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">unique_ports</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">100</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">OR</span><span class="w"> </span><span class="py">total_bytes</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">10000000000</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="py">10</span><span class="w"> </span><span class="py">GB</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WITH</span><span class="w"> </span><span class="py">host</span><span class="p">,</span><span class="w"> </span><span class="py">dest_ip</span><span class="p">,</span><span class="w"> </span><span class="py">connection_count</span><span class="p">,</span><span class="w"> </span><span class="py">unique_ports</span><span class="p">,</span><span class="w"> </span><span class="py">total_bytes</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">CASE</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">connection_count</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">10000</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="err">'</span><span class="py">PORT_SCAN</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">unique_ports</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">500</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="err">'</span><span class="py">RECONNAISSANCE</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">WHEN</span><span class="w"> </span><span class="py">total_bytes</span><span class="w"> </span><span class="err">></span><span class="w"> </span><span class="py">100000000000</span><span class="w"> </span><span class="py">THEN</span><span class="w"> </span><span class="err">'</span><span class="py">DATA_EXFILTRATION</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ELSE</span><span class="w"> </span><span class="err">'</span><span class="py">SUSPICIOUS_ACTIVITY</span><span class="err">'</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">END</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">threat_type</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">host</span><span class="err">.</span><span class="py">hostname</span><span class="p">,</span><span class="w"> </span><span class="py">dest_ip</span><span class="p">,</span><span class="w"> </span><span class="py">connection_count</span><span class="p">,</span><span class="w"> </span><span class="py">unique_ports</span><span class="p">,</span><span class="w"> </span><span class="py">total_bytes</span><span class="p">,</span><span class="w"> </span><span class="py">threat_type</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">ORDER</span><span class="w"> </span><span class="py">BY</span><span class="w"> </span><span class="py">connection_count</span><span class="w"> </span><span class="py">DESC</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
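<p>Added example, not the page's or Geode's code: the query's thresholds applied in Python to constructed connection records. It reports the first-match label that the <code>CASE</code> expression returns alongside every rule the host pair exceeds, so a pair that trips several thresholds is not reduced to a single label. Records are assumed to be already inside the 24-hour window; field and function names are illustrative.</p>

```python
from collections import defaultdict

# Thresholds copied from the query above; RULES keeps its CASE order.
ALERT_FLOOR = {"connections": 1000, "ports": 100, "bytes": 10_000_000_000}
RULES = [
    ("PORT_SCAN", "connections", 10_000),
    ("RECONNAISSANCE", "ports", 500),
    ("DATA_EXFILTRATION", "bytes", 100_000_000_000),
]


def sample_records():
    """Constructed (src_host, dest_ip, dest_port, bytes_sent) records."""
    records = []
    # Many connections spread over 600 ports: exceeds two rule thresholds.
    records += [("ws-17", "10.0.0.5", 1 + i % 600, 100) for i in range(12_000)]
    # Few connections, very large transfer volume.
    records += [("db-02", "203.0.113.9", 443, 50_000_000_000)] * 3
    # Above the alert floor, below every specific rule.
    records += [("ws-03", "10.0.0.8", 443, 2_000)] * 1_500
    # Ordinary traffic, below every threshold.
    records += [("ws-04", "10.0.0.9", 443, 2_000)] * 10
    return records


def aggregate(records):
    """Per (src_host, dest_ip): connection count, distinct ports, total bytes."""
    acc = defaultdict(lambda: {"connections": 0, "ports": set(), "bytes": 0})
    for src, dst, port, sent in records:
        entry = acc[(src, dst)]
        entry["connections"] += 1
        entry["ports"].add(port)
        entry["bytes"] += sent
    return {
        pair: {"connections": e["connections"],
               "ports": len(e["ports"]),
               "bytes": e["bytes"]}
        for pair, e in acc.items()
    }


def classify(metrics):
    """Return (first_match_label, all_matching_labels), or None below the floor."""
    if not any(metrics[key] > floor for key, floor in ALERT_FLOOR.items()):
        return None
    hits = [label for label, key, limit in RULES if metrics[key] > limit]
    first = hits[0] if hits else "SUSPICIOUS_ACTIVITY"
    return first, hits


def detect(records):
    """Map each alerting (src_host, dest_ip) pair to its classification."""
    alerts = {}
    for pair, metrics in aggregate(records).items():
        verdict = classify(metrics)
        if verdict is not None:
            alerts[pair] = verdict
    return alerts


if __name__ == "__main__":
    for pair, (first, hits) in detect(sample_records()).items():
        print(pair, "CASE label:", first, "| all rules exceeded:", hits)
```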
<h3 id="best-practices-and-optimization" class="position-relative d-flex align-items-center group">
<span>Best Practices and Optimization</span>
</h3><ol>
<li><strong>Set Domain-Appropriate Thresholds</strong>: Financial fraud (3σ), network security (2σ), manufacturing QA (6σ)</li>
<li><strong>Combine Statistical and Graph Methods</strong>: Leverage both attribute-based and structural anomalies</li>
<li><strong>Handle False Positives</strong>: Implement feedback loops to tune detection sensitivity</li>
<li><strong>Use Incremental Updates</strong>: Update statistics without full recomputation</li>
<li><strong>Monitor Concept Drift</strong>: Periodically retrain models as normal behavior evolves</li>
<li><strong>Explainability</strong>: Provide clear reasons for anomaly flags</li>
<li><strong>Multi-Tier Alerting</strong>: Low/Medium/High/Critical based on composite scores</li>
<li><strong>Privacy Preservation</strong>: Aggregate statistics without exposing individual records</li>
</ol>
<h3 id="further-reading" class="position-relative d-flex align-items-center group">
<span>Further Reading</span>
</h3><ul>
<li><strong>Anomaly Detection</strong>: Theory and Practice in Large-Scale Systems</li>
<li><strong>Graph-Based Outlier Detection</strong>: LOF, Isolation Forest, and DBSCAN</li>
<li><strong>Time-Series Anomalies</strong>: ARIMA, Seasonal Decomposition, and Prophet</li>
<li><strong>Ensemble Methods</strong>: Combining Multiple Detection Algorithms</li>
<li><strong>Real-Time Anomaly Detection</strong>: Streaming Analytics and Incremental Learning</li>
<li><strong>Domain Applications</strong>: Fraud, Healthcare, Cybersecurity, Manufacturing</li>
</ul>
<p>Browse the tagged content below to discover documentation, tutorials, and guides for implementing anomaly detection in your Geode applications.</p>
Anomaly Detection
Detect fraudulent transactions, suspicious patterns, and outliers in graph data using Geode's real-time analytics and graph algorithms. Learn statistical methods, pattern-based detection, and behavioral analysis.