rvanbruggen/securing a fraudgraph.cql

## securing a fraudgraph.cql
// Fraud database available FROM
// https://drive.google.com/open?id=1jWJrIFdv8tNECLn-nV4HJqotF1db3m6D

//what is related and how
match (n1)-[r]->(n2)
return distinct labels(n1) as `1st Label`, type(r) as `RelType`, labels(n2) as `2nd Label`
order by `1st Label`;

╒═════════════════╤═══════════════════╤══════════════════════╕
│"1st Label"      │"RelType"          │"2nd Label"           │
╞═════════════════╪═══════════════════╪══════════════════════╡
│["AccountHolder"]│"HAS_PHONENUMBER"  │["PhoneNumber"]       │
├─────────────────┼───────────────────┼──────────────────────┤
│["AccountHolder"]│"HAS_CREDITCARD"   │["AccountHolder"]     │
├─────────────────┼───────────────────┼──────────────────────┤
│["AccountHolder"]│"HAS_BANKACCOUNT"  │["BankAccount"]       │
├─────────────────┼───────────────────┼──────────────────────┤
│["AccountHolder"]│"HAS_UNSECUREDLOAN"│["UnsecuredLoan"]     │
├─────────────────┼───────────────────┼──────────────────────┤
│["AccountHolder"]│"HAS_SSN"          │["SSN"]               │
├─────────────────┼───────────────────┼──────────────────────┤
│["AccountHolder"]│"HAS_CREDITCARD"   │["CreditCard"]        │
├─────────────────┼───────────────────┼──────────────────────┤
│["AccountHolder"]│"HAS_ADDRESS"      │["Address"]           │
├─────────────────┼───────────────────┼──────────────────────┤
│["BankAccount"]  │"HAS_BANKACCOUNT"  │["AccountHolder"]     │
├─────────────────┼───────────────────┼──────────────────────┤
│["BankAccount"]  │"SEND"             │["MoneyTransfer"]     │
├─────────────────┼───────────────────┼──────────────────────┤
│["BankAccount"]  │"FROM"             │["FinancialInstitute"]│
├─────────────────┼───────────────────┼──────────────────────┤
│["IP"]           │"LOCATED_IN"       │["State"]             │
├─────────────────┼───────────────────┼──────────────────────┤
│["Login"]        │"FOR_SHOP"         │["Shop"]              │
├─────────────────┼───────────────────┼──────────────────────┤
│["MoneyTransfer"]│"WITH"             │["PhoneNumber"]       │
├─────────────────┼───────────────────┼──────────────────────┤
│["MoneyTransfer"]│"SEND"             │["BankAccount"]       │
├─────────────────┼───────────────────┼──────────────────────┤
│["Purchase"]     │"WITH_CARD"        │["BankCard"]          │
├─────────────────┼───────────────────┼──────────────────────┤
│["Purchase"]     │"FROM_IP"          │["IP"]                │
├─────────────────┼───────────────────┼──────────────────────┤
│["Purchase"]     │"WITH_LOGIN"       │["Login"]             │
├─────────────────┼───────────────────┼──────────────────────┤
│["Purchase"]     │"DELIVERED_AT"     │["DeliveryAddress"]   │
└─────────────────┴───────────────────┴──────────────────────┘


//find shared identity graphs
MATCH path = (accountHolder:AccountHolder)-[:HAS_ID|HAS_ADDRESS|HAS_PHONENUMBER|HAS_SSN]->(contactInformation)<-[]-(accountHolder2:AccountHolder)
RETURN path

//FRAUD RING query - BROWSER
MATCH       (accountHolder:AccountHolder)-[]->(contactInformation)
WITH        contactInformation, count(accountHolder) AS RingSize , collect(id(accountHolder)) AS _FraudRing
WHERE RingSize > 1
MATCH       (contactInformation)<-[]-(accountHolder2:AccountHolder) , (accountHolder2)-[r:HAS_CREDITCARD|HAS_UNSECUREDLOAN|HAS_SSN]->(unsecuredAccount)
WITH       collect(id(accountHolder2)) AS AccountHolders ,           contactInformation , RingSize , _FraudRing , TOFLOAT(SUM(CASE type(r)
WHEN 'HAS_CREDITCARD' THEN unsecuredAccount.limit
WHEN 'HAS_UNSECUREDLOAN' THEN unsecuredAccount.balance ELSE 0 END)) as FinancialRisk
Match (ah:AccountHolder)-[r*..2]-(connection)
where id(ah) in _FraudRing
RETURN  ah,r,connection
limit 20


// **Node structure**
// AccountHolder: firstName, lastName, fullName, UniqueId, birthDate
// Address: zip, streetAddress, state, city
// PhoneNumber: phone, provider, touched
// SSN: ssn


//in Neo4j Browser first switch to the system database
:USE system;
//create the users
CREATE USER admin_user SET PASSWORD "changeme" CHANGE NOT REQUIRED;
CREATE USER investigative_user SET PASSWORD "changeme" CHANGE NOT REQUIRED;

//create the roles
CREATE ROLE admin_role AS COPY OF reader;
CREATE ROLE investigative_role AS COPY OF reader;

//show the roles
SHOW ROLES;

//add the roles to the users
GRANT ROLE admin_role TO admin_user;
GRANT ROLE investigative_role TO investigative_user;

//Add read restriction on sensitive properties of certain labels
DENY READ {firstName,lastName,fullName,birthDate} ON GRAPH `fraudgraph` NODES AccountHolder TO admin_role;
DENY READ {zip,streetAddress,city} ON GRAPH `fraudgraph` NODES Address TO admin_role;
DENY READ {phone,touched} ON GRAPH `fraudgraph` NODES PhoneNumber TO admin_role;
DENY READ {ssn} ON GRAPH `fraudgraph` NODES SSN TO admin_role;

//show the privileges
SHOW ROLE admin_role PRIVILEGES;
SHOW USER admin_user PRIVILEGES;
	// Fraud database available FROM
	// https://drive.google.com/open?id=1jWJrIFdv8tNECLn-nV4HJqotF1db3m6D

	//what is related and how
	match (n1)-[r]->(n2)
	return distinct labels(n1) as `1st Label`, type(r) as `RelType`, labels(n2) as `2nd Label`
	order by `1st Label`;

	╒═════════════════╤═══════════════════╤══════════════════════╕
	│"1st Label" │"RelType" │"2nd Label" │
	╞═════════════════╪═══════════════════╪══════════════════════╡
	│["AccountHolder"]│"HAS_PHONENUMBER" │["PhoneNumber"] │
	├─────────────────┼───────────────────┼──────────────────────┤
	│["AccountHolder"]│"HAS_CREDITCARD" │["AccountHolder"] │
	├─────────────────┼───────────────────┼──────────────────────┤
	│["AccountHolder"]│"HAS_BANKACCOUNT" │["BankAccount"] │
	├─────────────────┼───────────────────┼──────────────────────┤
	│["AccountHolder"]│"HAS_UNSECUREDLOAN"│["UnsecuredLoan"] │
	├─────────────────┼───────────────────┼──────────────────────┤
	│["AccountHolder"]│"HAS_SSN" │["SSN"] │
	├─────────────────┼───────────────────┼──────────────────────┤
	│["AccountHolder"]│"HAS_CREDITCARD" │["CreditCard"] │
	├─────────────────┼───────────────────┼──────────────────────┤
	│["AccountHolder"]│"HAS_ADDRESS" │["Address"] │
	├─────────────────┼───────────────────┼──────────────────────┤
	│["BankAccount"] │"HAS_BANKACCOUNT" │["AccountHolder"] │
	├─────────────────┼───────────────────┼──────────────────────┤
	│["BankAccount"] │"SEND" │["MoneyTransfer"] │
	├─────────────────┼───────────────────┼──────────────────────┤
	│["BankAccount"] │"FROM" │["FinancialInstitute"]│
	├─────────────────┼───────────────────┼──────────────────────┤
	│["IP"] │"LOCATED_IN" │["State"] │
	├─────────────────┼───────────────────┼──────────────────────┤
	│["Login"] │"FOR_SHOP" │["Shop"] │
	├─────────────────┼───────────────────┼──────────────────────┤
	│["MoneyTransfer"]│"WITH" │["PhoneNumber"] │
	├─────────────────┼───────────────────┼──────────────────────┤
	│["MoneyTransfer"]│"SEND" │["BankAccount"] │
	├─────────────────┼───────────────────┼──────────────────────┤
	│["Purchase"] │"WITH_CARD" │["BankCard"] │
	├─────────────────┼───────────────────┼──────────────────────┤
	│["Purchase"] │"FROM_IP" │["IP"] │
	├─────────────────┼───────────────────┼──────────────────────┤
	│["Purchase"] │"WITH_LOGIN" │["Login"] │
	├─────────────────┼───────────────────┼──────────────────────┤
	│["Purchase"] │"DELIVERED_AT" │["DeliveryAddress"] │
	└─────────────────┴───────────────────┴──────────────────────┘


	//find shared identity graphs
	MATCH path = (accountHolder:AccountHolder)-[:HAS_ID\|HAS_ADDRESS\|HAS_PHONENUMBER\|HAS_SSN]->(contactInformation)<-[]-(accountHolder2:AccountHolder)
	RETURN path

	//FRAUD RING query - BROWSER
	MATCH (accountHolder:AccountHolder)-[]->(contactInformation)
	WITH contactInformation, count(accountHolder) AS RingSize , collect(id(accountHolder)) AS _FraudRing
	WHERE RingSize > 1
	MATCH (contactInformation)<-[]-(accountHolder2:AccountHolder) , (accountHolder2)-[r:HAS_CREDITCARD\|HAS_UNSECUREDLOAN\|HAS_SSN]->(unsecuredAccount)
	WITH collect(id(accountHolder2)) AS AccountHolders , contactInformation , RingSize , _FraudRing , TOFLOAT(SUM(CASE type(r)
	WHEN 'HAS_CREDITCARD' THEN unsecuredAccount.limit
	WHEN 'HAS_UNSECUREDLOAN' THEN unsecuredAccount.balance ELSE 0 END)) as FinancialRisk
	Match (ah:AccountHolder)-[r*..2]-(connection)
	where id(ah) in _FraudRing
	RETURN ah,r,connection
	limit 20


	// Node structure
	// AccountHolder: firstName, lastName, fullName, UniqueId, birthDate
	// Address: zip, streetAddress, state, city
	// PhoneNumber: phone, provider, touched
	// SSN: ssn


	//in Neo4j Browser first switch to the system database
	:USE system;
	//create the users
	CREATE USER admin_user SET PASSWORD "changeme" CHANGE NOT REQUIRED;
	CREATE USER investigative_user SET PASSWORD "changeme" CHANGE NOT REQUIRED;

	//create the roles
	CREATE ROLE admin_role AS COPY OF reader;
	CREATE ROLE investigative_role AS COPY OF reader;

	//show the roles
	SHOW ROLES;

	//add the roles to the users
	GRANT ROLE admin_role TO admin_user;
	GRANT ROLE investigative_role TO investigative_user;

	//Add read restriction on sensitive properties of certain labels
	DENY READ {firstName,lastName,fullName,birthDate} ON GRAPH `fraudgraph` NODES AccountHolder TO admin_role;
	DENY READ {zip,streetAddress,city} ON GRAPH `fraudgraph` NODES Address TO admin_role;
	DENY READ {phone,touched} ON GRAPH `fraudgraph` NODES PhoneNumber TO admin_role;
	DENY READ {ssn} ON GRAPH `fraudgraph` NODES SSN TO admin_role;

	//show the privileges
	SHOW ROLE admin_role PRIVILEGES;
	SHOW USER admin_user PRIVILEGES;