Inferensys

Glossary

Feature Engineering

Feature engineering is the process of using domain knowledge to extract and transform raw data into informative input variables that make patterns more detectable to machine learning algorithms.
Data engineer managing feature store on laptop, feature definitions visible, casual data engineering session.
PREDICTIVE VARIABLE CONSTRUCTION

What is Feature Engineering?

Feature engineering is the process of transforming raw transaction data into informative input variables that amplify the predictive signal of fraudulent behavior for machine learning algorithms.

Feature engineering is the systematic application of domain expertise to derive new input variables from raw, often unstructured, transactional data. In financial fraud detection, this involves constructing velocity features (e.g., transaction count per time window), frequency encodings for high-cardinality merchants, and time-decayed aggregations that capture behavioral momentum, making latent fraudulent patterns mathematically explicit for downstream models.

The goal is to bridge the gap between raw event logs and the geometric separability required by classifiers. Effective engineering creates ratio features (amount relative to user median) and network proximity metrics that expose collusion. This manual, high-signal curation remains critical because it injects causal risk logic into models, preventing them from learning spurious correlations in severely imbalanced data.

FEATURE ENGINEERING

Core Feature Engineering Techniques

The process of using domain knowledge to create new input variables from raw transaction data, such as velocity features or frequency encodings, that make fraudulent patterns more detectable to machine learning algorithms.

01

Transaction Velocity Features

Velocity features capture the rate of transactions over specific time windows, transforming raw timestamps into behavioral signals.

  • Card Velocity: Count of transactions per card in the last 1, 5, and 30 minutes
  • Account Velocity: Number of distinct merchants or devices accessed per hour
  • IP Velocity: Transactions originating from a single IP address within a sliding window

A sudden spike from a user's historical average of 2 transactions per day to 15 in 10 minutes is a strong anomaly indicator. These features are computed using sliding window aggregations in stream processing frameworks like Apache Flink or Kafka Streams.

02

Frequency and Target Encoding

Frequency encoding replaces categorical variables with their occurrence counts in the training data, while target encoding substitutes categories with the mean target value for that category.

  • Merchant Category Code frequency: How often a specific MCC appears in legitimate vs. fraudulent transactions
  • BIN encoding: Mean fraud rate associated with a specific Bank Identification Number
  • Device hash frequency: How common a specific device fingerprint is across all accounts

These encodings capture the predictive power of high-cardinality categoricals without exploding feature dimensionality. Apply smoothing techniques like additive smoothing or cross-fold target encoding to prevent overfitting on rare categories.

03

Time-Based Decomposition Features

Decomposing timestamps into cyclical and linear components allows models to learn periodic fraud patterns that raw timestamps obscure.

  • Hour of day and day of week encoded as sine/cosine pairs to preserve cyclical distance
  • Time since last transaction for the same card or account
  • Transaction hour deviation from the user's historical median transaction hour
  • Weekend/holiday flags capturing anomalous off-hours activity

Fraudulent transactions often cluster at 2-4 AM local time when legitimate users are inactive. Cyclical encoding ensures the model understands that 23:00 and 01:00 are only 2 hours apart.

04

Behavioral Profile Features

Behavioral profiles aggregate historical transaction patterns per entity (card, account, device) to establish a baseline of normal behavior against which new transactions are compared.

  • Average transaction amount and standard deviation per account over 30/90 days
  • Typical merchant categories visited by a specific user
  • Geographic radius of a user's typical transaction locations
  • Device-account age: How long a specific device has been associated with an account

A transaction that deviates significantly from the established profile—such as a high-value purchase in a foreign country on a new device—triggers a high anomaly score. These features are typically computed in batch feature stores and served at inference time with low latency.

05

Graph-Derived Features

Features extracted from transaction graphs capture relational structure that flat feature vectors miss, exposing fraud rings and collusion networks.

  • Degree centrality: Number of unique entities a node transacts with
  • PageRank score: Importance of a node within the transaction network
  • Community detection labels: Which subgraph cluster a node belongs to
  • Shared identity elements: Number of accounts sharing the same device, email, or address

A legitimate user typically has a sparse, localized graph neighborhood. Fraud rings create dense, highly interconnected subgraphs with unusual shared attributes. These features are computed using graph algorithms like Louvain community detection or GraphSAGE embeddings.

06

Amount Anomaly and Rounding Features

Transaction amount patterns reveal sophisticated fraud tactics that attempt to evade threshold-based rules.

  • Amount-to-account-average ratio: Current transaction amount divided by the user's 30-day mean
  • Rounding detection: Flagging transactions ending in .00, .99, or repeating digits
  • Benford's Law compliance score: Measuring deviation of leading digits from expected distribution
  • Micro-transaction sequences: Detecting multiple small test transactions followed by a large one

Fraudsters often use amounts just below reporting thresholds or perfectly round numbers to test stolen cards. Benford's Law analysis is particularly effective because legitimate transactions naturally follow the expected logarithmic distribution of leading digits.

FEATURE ENGINEERING FOR FRAUD DETECTION

Frequently Asked Questions

Clear, technically precise answers to the most common questions about transforming raw transaction data into powerful predictive signals for machine learning models.

Feature engineering is the systematic process of using domain knowledge to extract and construct new input variables from raw transaction data that make fraudulent patterns more detectable to machine learning algorithms. In financial fraud detection, this involves transforming raw attributes—such as timestamps, amounts, merchant categories, and device identifiers—into aggregated behavioral signals like transaction velocity, frequency encodings, and time-decayed recency metrics. Unlike generic automated feature generation, effective fraud feature engineering requires deep domain expertise to encode the temporal, relational, and behavioral signatures that distinguish legitimate activity from sophisticated fraud schemes. The goal is to create a feature space where the separation between genuine and fraudulent transactions is maximized, enabling downstream classifiers to achieve higher recall at lower false positive rates.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.