Hell with Rules

Not long ago I found myself at a major financial institution talking about one of their fraud detection systems.  Over the course of the conversation I stumbled onto the fact they have over 10,000 rules in place to detect fraud ... and oh so proud they were.

On the surface that might sound “powerful and amazing.”  Nonetheless, that struck me funny it did.  10,000 rules … WOW!  That must be brittle, expensive, and one giant liability I thought to myself.  Such a detection system would catch exactly 10,000 things, nothing more, nothing less.  Every new discovery would lead to new rules.  Over time as the rule library further bloats it would get harder to manage and probably get slower and slower.  And by the way, how many people actually understand all those rules and their interrelationship?  Then as those people move on, how hard is it to get new people trained up on all those rules?  Will they still be bragging about their extensive rule library when they have 20,000 rules?

Imagine telling your kid one day to quit throwing rocks at cars.  Only to realize the next day you have to tell them to quit throwing rocks at SUV’s.  Then the coming days, you realize you must also tell your kid not to throw rocks at trucks, fire engines, and ambulances.  Ummm … 4,172 rules later you must come up with new rules like “don’t throw cans of Dr. Pepper at trolley cars.” 

How about: “Don’t throw things at other people’s stuff.” 

As parents quickly discover, teaching a principle like this is a much better course of action.  While certainly not a perfect principle, at least it would roll up hundreds of explicit rules and catch countless conditions you never thought of.  And yes, maybe this simple rule needs to be extended e.g., “unless they are bad people doing bad things and they need to be stopped.”  That way if someone is coming at them on a skateboard with a knife they know it is okay to throw a chair at them.

Now back to the real world and a real example from my past.  Circa 1993 we were building the first NORA (Non-Obvious Relationship Awareness) system for a casino.  In this system the first relevance rule was basically: “Tell me when the bad guy is the good guy.”  This one rule was created to detect and alert for such things as: the slot club loyalty card member is banned from gaming (on the Nevada Gaming Control Board’s Excluded Persons List) or the job applicant is a known gaming felon. 

The second relevance rule was: “Tell me when the bad guy knows the good guy.”

With just these two rules, the system started kicking out all kinds of valuable, unanticipated insight including one of my favorites: An alert surveillance room operator noticed a dude cheating on a roulette table … making bets after the ball fell (called “past posting”).  Dealers are supposed to watch for this.  But somehow today this dealer kept missing this obvious scam.  Casino security detains the cheater.  The dealer says “I can’t believe this happened to me, I am so embarrassed, you surveillance folks are sure doing a good job, it won’t happen again.”  During the arrest processing, the cheating player provided a different last name and address than used by the dealer.  Fortunately, the cheater provided his real home phone number which happened to be the same number that the dealer had used on her original employment application. 

The dealer pretending, up to this point, to not know the player rolled-over in an instant and confessed when NORA popped off a real-time alert: “The cheater is related to the dealer.”

Behind the scenes this was data finds data followed by relevance finds the user.  Relevance, in this case, based on the principle; alert when the bag guy knows the good guy.

Had we deployed a traditional rules-based alert system, there was some chance the specific rule – if the employee’s job application phone number matches an arrest record – might have been missed.  But because NORA was engineered around principles we caught this colluding roulette dealer.  Notably, we would have also detected this had they been connected via an emergency contact phone number.  Or maybe the player’s loyalty club card’s original address provided when they signed up (and since changed) was the same address used on the employee’s original job application (but not present on her current payroll record).

Data triage systems, especially those that must detect ever-changing crafty adversaries, should be principle-based where possible; otherwise, you won’t be one step behind.  You will be at two or more steps behind!

Principle-based decisioning systems may surprise you … in a good way. 

MISC NOTES

1. Maybe some classes of systems need a zillion rules, like the space shuttle program, for instance.  But, that is out of my field so I don’t know.

2. The notion that “principles outperform rules” probably applies to most, if not all, of the decisioning processes.  For example, I would prefer to see feature extraction, entity resolution, relevance detection, filtering, and insight publishing algorithms leverage principles over rules wherever possible.

3. Just to be fair, many systems will still have to have some very specific rules – like any transaction over $10,000 must be reported to FINCEN, it’s a law.  This being not much different than telling your child they have to be home by 9pm on school nights, period. 

4. And if you get to 10,000 principles, you might want to focus on more abstraction.

OTHER RELATED POSTS:

Data Finds Data

You Won’t Have to Ask -- Data Will Find Data and Relevance Will Find the User

When Federated Search Bites

I am probably stepping on some folks’ toes.  My apologies.

First, let me explain what I mean by federated search.  Federated search: conducting a search against “n” source systems via a broadcast mechanism without the benefit or guidance of an index.  This is somewhat like roaming the three buildings of the Library of Congress looking for a book title … without benefit of a card catalog.

I am speaking specifically about environments where the systems in the federation are heterogeneous, are physically dispersed, were not engineered for federation a priori, and are not managed by a common command and control system. 

By way of example, an airline might have a payroll system containing employees, a reservation system containing flight reservations and a watch list database containing people that are not permitted to fly.  If this airline implemented federated search the data in these three systems would remain in these three systems.  Searches (whether invoked by users or machines) are then broadcast to each source system.  Note: Source systems receive queries for information they may or may not have, and as we shall see, receive queries for data they may have but have no means to locate in any efficient manner.

Federated search works fine if the goal is simply a reference system used to answer periodic inquiry.  Such systems could be described as forensic in nature – when there is something of interest, one can look for it.  Think of such federated search environments as systems where “the data only speaks when spoken to.”  If this is what an organization needs, and there are a small number of queries and a finite number of source systems, federated search is a fine option.

Most organizations are not living in a world where “after-the-fact forensic discovery delivered only when asked” is acceptable. 

Most organizations have some obligation to make sense of what they know.  For example, the airline should know if the person added to the watch list is already an employee or already has a flight reservation.  Ideally, the moment such facts become knowable, someone or some system should be notified.  Think of this as “the data speaks to itself.”  I call this data finds data. 

This notion of data finds data implies the “data is the query.”  As each new piece of data enters the organization, the organization has just learned something.  And it is at this exact moment in time that one (a smart system) must ask: Now that I know this, how does this relate to what I already know?  Does this matter, and if so … to who? 

Whether the data is the query (generated by systems likely at high volumes) or the user invokes a query (by comparison likely lower volumes), there is no difference.  In both cases, this is simply a need for “discoverability” – the ability to discover if the enterprise has any related information.

If discoverability across a federation of disparate systems is the goal, federated search does not scale, in any practical way, for any amount of money.  Period.  It is so essential that folks understand this before they run off wasting millions of dollars on fairytale stories backed up by a few math guys with a new vision who have never done it before.

I will spare you the gory details of that day in 1996 when I came to witness such a federated search system.  Multi-million dollar, very smart, middleware developed over a number of years was sitting atop a reported 2,000 data stores and 50B rows of data.  Watching this large federated search system really drove home a series of epiphanies about the problems of federated search.  Fortunately, the purpose of this particular system was a reference/forensic system that only had to respond to a relatively low volume of queries, primarily generated by users.  And getting an incomplete answer from time-to-time would not be the end of the world.

To explain why federated search bites I will lay out three basic goals, three notional source systems, and four nasty problems (let’s call them challenges).  Mind you, the greater the number of source systems, and the greater the transactional volumes, the more impossible it becomes to discover similar data across dissimilar systems (data finds data).

GOALS

Goal 1: Because the data must find the data, this means for every record added or updated in the federation one must determine if this information is related to any other records in the federation. Such discoverability must be able to keep up with transactional volumes therefore must be near-real-time.  [Note: To keep this really simple let us say related only means: shares an exact passport number, address, or phone number.]

Goal 2: Users should be able to pose queries themselves.  Although, as it turns out, this goal does not matter because the discoverability properties needed to deliver on Goal 1 can just as easily be applied to this goal.

Goal 3: The federated search system must be scalable across hundreds or more disparate source systems.  As such, new source systems must be able to be added to the federation without adverse consequence to existing source systems in the federation, otherwise, the greater the number of systems the more unmanageable the environment.

SYSTEMS

Using the airline example, let’s say the three notional systems look like this:

System 1: A commercial-off-the-shelf payroll system (20K employees, <16 CPU’s, 200 transactions a day (subject to data finds data), system running at 90% utilization).

System 2: An airline reservation system (100M reservations, <265 CPU’s, 2,000 transactions a second, system running at 97% utilization).

System 3: A watch list database (subjects of interest) running on a commercial-off-the-shelf SQL database (1M records, <8 CPU’s, 1,000 changes a day, system running at 80% utilization).

CHALLENGES

Challenge 1: How will a new watch listing record containing a passport number (in System 3) efficiently locate related reservations records (in System 2) which share the same passport number?  Here is the problem: An airline reservation system is typically designed to search on things like reservation number or fight number and date of departure not passport number.  Source systems are optimized for their purpose –maintaining only the necessary indexes.  And, if by chance passport number is an indexed and searchable field in the airline system, are the addresses and phone numbers indexed as well?  And what about the key values in unstructured comment fields?  Due to this issue, federated search can produce incomplete results because a source system may contain related records but cannot find them.  Note: It is not practical to re-engineer every source systems to maintain all conceivable indexes.

Challenge 2: How will the payroll system (System 1) keep up with the flood of queries generated by the reservation system (System 2)?  Here is the problem: The payroll system does not have the compute resources to sustain thousands of queries a second; it was not designed for that.  Now maybe you are thinking why would you do that?  Well data finds data is used to construct context (determine what one knows) in order to determine the right course of action.  In this oversimplified example, maybe the airline likes to know when current or former employees make reservations so the right offers are made.  Maybe terminated employees are not provided the same kind of offers as other former employees.  Note: It is not practical to re-host the hardware of every source system such that it will be able to sustain the cumulative transactional volume of the federation.

Challenge 3: New information can be located during the federated search that warrants a re-query of the source systems.  This is recursive.  Imagine if the query is for a passport number that only exists in the watch listing database.  But what if the watch listing database contains a matching record which reveals a new phone number?  This newly discovered information, ideally, must be used to re-query the federated systems.  For example, maybe there is a record in the reservation system with the same phone number and maybe this reservation contains a new address!   Here is the problem: With each new feature discovered one must consider re-querying the source systems (again).  Note: The hardware at each source system would not only have to support the transactional volume of the federation – but the recursive queries on top of that.

Challenge 4: Can you be sure all systems, across all the time zones, are all on-line, all at the same time?  What if the fourth system added to the federation is a small, desktop application running a Microsoft Access database – will this system be left on-line at night and have high availability, failover system standing by?  The issue is: Heterogeneous systems have non-uniform availability.

[Theatrical pause]

Just how sure am I that federated search cannot handle discoverability at scale?  How about this: First person to describe a scalable federated search system that delivers on the goals and overcomes these technical challenges … in a practical way e.g., without having to re-host source system hardware … I’ll write you a personal check for $25,000 (see small print below).

So, if federated search is not the ideal approach for discoverability at scale, then what is?

Discovery at scale is best solved with some form of central directories or indexes.  That is how Google does it (queries hit the Google indexes which return pointers).  That is how the DNS works (queries hit a hierarchical set of directories which return pointers).  And this is how people locate books at the library (the card catalog is used to reveal pointers to books). 

Once a directory reveals a pointer, you can go fetch it.  Federated fetch does scale.  Yes, the source system will have to be on-line, in the same way the floor at the library must be open.  Yes, the user will have to have access privileges.  And yes, there are other challenges like the need to keep the directory current and semantically reconciled (to overcome the recursive issues described in Challenge 3).  But, at least these are all tractable problems!

Truthfully, I would love to be proven wrong here for a variety of reasons e.g., the privacy ramifications of having large centralized database directories.  Although, on the brighter side, the directory approach to discoverability results in fewer copies of the data floating around.  And another plus may be that data governance (accountability, oversight, immutable audit logs, etc.) is going to be vastly easier to manage with a smaller number of central directories.

[Small Print: Offer good for two years from the date of this posting.  If you have a solution in mind no need to physically prove it, just explain it on paper in plain English such that the average propeller-head can read it and go “oh yeah, that would work.”  But, don’t spend too much time on this as it’s obviously not a fair challenge.  I’m just trying to make a point as it seems a number of organizations, each desperate to quickly solve large scale discoverability, are being sold on the notion of federated search.  An absolute waste of money.

 

RELATED POSTS

Federated Discovery vs. Persistent Context – Enterprise Intelligence Requires the Later

Data Finds Data

To Know Semantic Reconciliation is to Love Semantic Reconciliation

It’s All About the Librarian! New Paradigms in Enterprise Discovery and Awareness

Discoverability: The First Information Sharing Principle

What Came First, the Query or the Data? 

Immutable Audit Logs (IAL’s)