Feature engineering is the systematic application of domain expertise to derive new input variables from raw, often unstructured, transactional data. In financial fraud detection, this involves constructing velocity features (e.g., transaction count per time window), frequency encodings for high-cardinality merchants, and time-decayed aggregations that capture behavioral momentum, making latent fraudulent patterns mathematically explicit for downstream models.
Glossary
Feature Engineering

What is Feature Engineering?
Feature engineering is the process of transforming raw transaction data into informative input variables that amplify the predictive signal of fraudulent behavior for machine learning algorithms.
The goal is to bridge the gap between raw event logs and the geometric separability required by classifiers. Effective engineering creates ratio features (amount relative to user median) and network proximity metrics that expose collusion. This manual, high-signal curation remains critical because it injects causal risk logic into models, preventing them from learning spurious correlations in severely imbalanced data.
Core Feature Engineering Techniques
The process of using domain knowledge to create new input variables from raw transaction data, such as velocity features or frequency encodings, that make fraudulent patterns more detectable to machine learning algorithms.
Transaction Velocity Features
Velocity features capture the rate of transactions over specific time windows, transforming raw timestamps into behavioral signals.
- Card Velocity: Count of transactions per card in the last 1, 5, and 30 minutes
- Account Velocity: Number of distinct merchants or devices accessed per hour
- IP Velocity: Transactions originating from a single IP address within a sliding window
A sudden spike from a user's historical average of 2 transactions per day to 15 in 10 minutes is a strong anomaly indicator. These features are computed using sliding window aggregations in stream processing frameworks like Apache Flink or Kafka Streams.
Frequency and Target Encoding
Frequency encoding replaces categorical variables with their occurrence counts in the training data, while target encoding substitutes categories with the mean target value for that category.
- Merchant Category Code frequency: How often a specific MCC appears in legitimate vs. fraudulent transactions
- BIN encoding: Mean fraud rate associated with a specific Bank Identification Number
- Device hash frequency: How common a specific device fingerprint is across all accounts
These encodings capture the predictive power of high-cardinality categoricals without exploding feature dimensionality. Apply smoothing techniques like additive smoothing or cross-fold target encoding to prevent overfitting on rare categories.
Time-Based Decomposition Features
Decomposing timestamps into cyclical and linear components allows models to learn periodic fraud patterns that raw timestamps obscure.
- Hour of day and day of week encoded as sine/cosine pairs to preserve cyclical distance
- Time since last transaction for the same card or account
- Transaction hour deviation from the user's historical median transaction hour
- Weekend/holiday flags capturing anomalous off-hours activity
Fraudulent transactions often cluster at 2-4 AM local time when legitimate users are inactive. Cyclical encoding ensures the model understands that 23:00 and 01:00 are only 2 hours apart.
Behavioral Profile Features
Behavioral profiles aggregate historical transaction patterns per entity (card, account, device) to establish a baseline of normal behavior against which new transactions are compared.
- Average transaction amount and standard deviation per account over 30/90 days
- Typical merchant categories visited by a specific user
- Geographic radius of a user's typical transaction locations
- Device-account age: How long a specific device has been associated with an account
A transaction that deviates significantly from the established profile—such as a high-value purchase in a foreign country on a new device—triggers a high anomaly score. These features are typically computed in batch feature stores and served at inference time with low latency.
Graph-Derived Features
Features extracted from transaction graphs capture relational structure that flat feature vectors miss, exposing fraud rings and collusion networks.
- Degree centrality: Number of unique entities a node transacts with
- PageRank score: Importance of a node within the transaction network
- Community detection labels: Which subgraph cluster a node belongs to
- Shared identity elements: Number of accounts sharing the same device, email, or address
A legitimate user typically has a sparse, localized graph neighborhood. Fraud rings create dense, highly interconnected subgraphs with unusual shared attributes. These features are computed using graph algorithms like Louvain community detection or GraphSAGE embeddings.
Amount Anomaly and Rounding Features
Transaction amount patterns reveal sophisticated fraud tactics that attempt to evade threshold-based rules.
- Amount-to-account-average ratio: Current transaction amount divided by the user's 30-day mean
- Rounding detection: Flagging transactions ending in .00, .99, or repeating digits
- Benford's Law compliance score: Measuring deviation of leading digits from expected distribution
- Micro-transaction sequences: Detecting multiple small test transactions followed by a large one
Fraudsters often use amounts just below reporting thresholds or perfectly round numbers to test stolen cards. Benford's Law analysis is particularly effective because legitimate transactions naturally follow the expected logarithmic distribution of leading digits.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about transforming raw transaction data into powerful predictive signals for machine learning models.
Feature engineering is the systematic process of using domain knowledge to extract and construct new input variables from raw transaction data that make fraudulent patterns more detectable to machine learning algorithms. In financial fraud detection, this involves transforming raw attributes—such as timestamps, amounts, merchant categories, and device identifiers—into aggregated behavioral signals like transaction velocity, frequency encodings, and time-decayed recency metrics. Unlike generic automated feature generation, effective fraud feature engineering requires deep domain expertise to encode the temporal, relational, and behavioral signatures that distinguish legitimate activity from sophisticated fraud schemes. The goal is to create a feature space where the separation between genuine and fraudulent transactions is maximized, enabling downstream classifiers to achieve higher recall at lower false positive rates.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Master the core techniques for transforming raw transaction data into high-signal features that expose fraudulent patterns. These related concepts are essential for building robust detection models.
Transaction Velocity Features
Calculate the rate of transactions over sliding time windows to detect sudden bursts of activity. These features capture behavioral momentum that individual transactions miss.
- Count per time unit: Transactions per minute, hour, or day
- Amount velocity: Total sum transacted in a window
- Distinctiveness: Count of unique merchants, devices, or IPs
- Acceleration: Rate of change in velocity itself
A legitimate user typically exhibits stable velocity profiles. A fraudster testing stolen cards often shows a sharp spike in transaction frequency and amount velocity within minutes.
Frequency Encoding
Replace high-cardinality categorical variables with their empirical occurrence rates in the training data. This transforms sparse identifiers into smooth, continuous signals.
- Simple frequency: Count of occurrences divided by total records
- Target encoding: Mean fraud rate per category, often with smoothing
- Weight of Evidence: Log-odds ratio of fraud vs. non-fraud per category
For example, a merchant ID is replaced by the historical fraud rate at that merchant. This captures the riskiness of entities without exploding feature dimensionality.
Time-Based Decomposition
Decompose timestamps into cyclical and linear components so models can learn temporal fraud patterns. Raw datetime objects are opaque to most algorithms.
- Cyclical encoding: Map hour-of-day to
sin(2π * hour/24)andcos(2π * hour/24)to capture daily periodicity - Day-of-week flags: Fraud patterns often cluster on weekends
- Time since last event: Recency features for user-specific sequences
- Session gaps: Time elapsed between consecutive user actions
This allows a model to learn that 3 AM transactions from a user who normally operates at noon are highly anomalous.
Aggregate Behavioral Profiles
Build historical behavioral baselines per entity (user, card, device) and derive deviation features. The gap between current behavior and established norms is a powerful fraud signal.
- Rolling averages: Mean transaction amount over the last 30 days
- Standard deviation bands: Flag amounts exceeding
μ + 3σ - Ratio features: Current amount / user's average amount
- Categorical consistency: Has this user transacted with this merchant category before?
A $5,000 transaction is not inherently fraudulent. It is suspicious only if the user's historical average is $45 with a standard deviation of $20.
Graph-Derived Features
Extract structural features from transactional graphs where nodes are entities (users, cards, merchants) and edges are transactions. These features expose coordinated fraud rings.
- Degree centrality: How many unique connections an entity has
- PageRank: Importance score based on connected entities' importance
- Community detection labels: Which cluster or group the entity belongs to
- Shared identity signals: Number of users sharing a device, IP, or address
Fraud rings often form dense subgraphs with high interconnectivity. A single fraudulent account may look normal, but its graph neighborhood reveals collusion.
Feature Scaling and Normalization
Transform raw feature values to a common scale so that distance-based algorithms like k-NN, SVM, and neural networks don't bias toward features with larger magnitudes.
- Standardization (Z-score):
(x - μ) / σ, resulting in zero mean and unit variance - Min-Max scaling: Squeeze values into
[0, 1]range - Robust scaling: Use median and IQR, resistant to outliers
- Log transformation: Tame heavy-tailed distributions like transaction amounts
Without scaling, a feature like transaction amount (range: $1–$50,000) would dominate a feature like hour of day (range: 0–23) in Euclidean distance calculations.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us