Bank Fraud Detection with Apache Flink

A real-time fraud detection system for banking transactions using Apache Flink 1.13.

Overview

This application monitors bank transaction streams and flags suspicious activities based on four detection rules:

1. Alarmed Customers - Transactions from customers on the alarmed list
2. Lost Cards - Transactions using reported lost/stolen cards
3. Excessive Transactions - More than 10 transactions within a 10-second window
4. Frequent City Changes - 2+ city changes within a 10-second window

Architecture

Components

• BankDataServer.java - Socket server that streams transaction data from bank_data.txt to port 9090
• Bank.java - Flink streaming job that processes transactions and detects fraud
• AlarmedCustomer.java - POJO for alarmed customer data
• LostCard.java - POJO for lost card data

Data Files

• bank_data.txt - Transaction data (53 transactions)

  • Format: txn_id,timestamp,city,customer_id,card_id,account_number,amount
  • Example: HFXR347924,2018-06-14 23:32:23,Chandigarh,id_347hfx,hf98678167,123302773033,774

• alarmed_cust.txt - List of customers under investigation (17 customers)

  • Format: customer_id,card_id
  • Example: id_576tck,tc62668365

• lost_cards.txt - Reported lost/stolen cards (35 cards)

  • Format: account_number,timestamp,name,status
  • Example: 130288773617,2018-01-10 23:41:27,John,Under Process

Expected Fraud Detection Results

Based on the sample data, the following transactions should be flagged:

1. Alarmed Customers

• id_576tck (line 4 in bank_data.txt) - Customer on alarmed list
• id_158gsb (lines 5, 10, 14) - Customer on alarmed list
• id_909ktr (line 19) - Customer on alarmed list

2. Lost Cards

• Card 130288773617 (lines 6, 11 in bank_data.txt) - Card reported lost by John

3. Excessive Transactions (>10 in 10 seconds)

• id_741yce - Has 11+ transactions in rapid succession
• id_135pfx - Has 10+ transactions

4. Frequent City Changes (2+ changes in 10 seconds)

• id_741yce - Changes: Amsterdam → Paris → Amsterdam

How to Run

Step 1: Start the Data Server

java BankDataServer

Output: Bank Data Server started on port 9090

Step 2: Run the Flink Job

java Bank

Step 3: View Results

Console Output:

• Real-time logging of all fraud detection events
• Flagged transactions printed with __ALARM__ prefix

File Output:

• Flagged transactions saved to: /Users/alex/javaws/bank_flink_V_1.13/flagged_transaction/
• Files are created with rolling policy (new files created periodically)

Flink Processing Details

Broadcast State Pattern

• alarmed_cust.txt and lost_cards.txt are broadcast to all parallel operators
• Allows efficient checking of incoming transactions against reference data

Windowing

• Tumbling Windows: 10-second non-overlapping windows
• Used for excessive transaction counting and city change detection

Stream Union

All four fraud detection streams are merged into a single output stream for unified processing.

Configuration

• Port: 9090 (configurable in both BankDataServer and Bank)
• Window Size: 10 seconds (configurable in Bank.java)
• Excessive Transaction Threshold: 10 transactions (configurable in FilterAndMapMoreThan10)
• City Change Threshold: 2 changes (configurable in Citychange)

Requirements

• Java 8 or higher
• Apache Flink 1.13
• SLF4J for logging

Output Format

Flagged transactions are output as Tuple2<String, String>:

• f0: "__ALARM__"
• f1: Description of the fraud type and transaction details

Example:

(__ALARM__, Transaction: (id_576tck,TCKV576600,2018-06-14...) is by an ALARMED customer)
(__ALARM__, Transaction: (id_741yce,UXJT427774,2018-06-14...) marked for FREQUENT city changes)