Main Takeaways
- As the world’s largest crypto exchange, it’s crucial we have a risk detection system that is fast yet doesn’t compromise on accuracy.
- The challenge we encountered was ensuring our models always used up-to-date information, especially when detecting suspicious account activity in real-time.
- To achieve stronger feature consistency and greater production speed, we now make reasonable assumptions about our data and combine our batch and streaming pipelines.
Discover how our feature engineering pipeline creates strong, consistent features to detect fraudulent withdrawals on the Binance platform.
Inside our machine learning (ML) pipeline — which you can learn more about in a previous article — we recently built an automated feature engineering pipeline that funnels raw data into reusable online features that can be shared across all risk-related models.
In the process of building and testing this pipeline, our data scientists encountered an intriguing feature consistency problem: How do we create accurate sets of online features that dynamically change over time?
Consider this real-world scenario: A crypto exchange — in this case, Binance — is trying to detect fraudulent withdrawals before money leaves the platform. One possible solution is to add a feature to your model that detects time lapsed since the user’s last specific operation (e.g., log in or bind mobile). It would look something like this:
user_id|last_bind_google_time_diff_in_days|...
1|3.52|...
The Challenge of Implementation
The number of keys required to calculate and update features in an online feature store is impractical. Using a streaming pipeline, such as Flink, would be impossible since it can only calculate users with records coming into Kafka at the present moment.
As a compromise, we could use a batch pipeline and accept some delay. Let’s say a model can fetch features from an online feature store and perform real-time inference in around one hour. At the same time, if it takes one hour for a feature store to finish calculating and ingesting data, the batch pipeline would — in theory — solve the problem.
Unfortunately, there’s one glaring issue: using such a batch pipeline is highly time-consuming. This makes finishing within one hour unfeasible when you’re the world’s largest crypto exchange dealing with approximately a hundred million users and a TPS limit for writes.
We’ve found that the best practice is to make assumptions about our users, thereby shrinking the amount of data going into our feature store.
Easing the Issue With Practical Assumptions
Online features are ingested in real-time and are constantly changing because they represent the most up-to-date version of an environment. With active Binance users, we cannot afford to use models with outdated features.
It’s imperative that our system flags any suspicious withdrawals as soon as possible. Any added delay, even by a few minutes, means more time for a malicious actor to get away with their crimes.
So, for the sake of efficiency, we assume recent logins hold relatively higher risk:
- We find (250 days + 0.125[3/24 delay] day) produces relatively smaller errors than (1 day + 0.125[3/24 delay] day).
- Most operations won’t exceed a certain threshold; let’s say 365 days. To save time and computing resources, we omit users who haven’t logged in for over a year.
Our Solution
We use lambda architecture, which entails a process where we combine batch and streaming pipelines, to achieve stronger feature consistency.
What does the solution look like conceptually?
- Batch Pipeline: Performs feature engineering for a massive user base.
- Streaming Pipeline: Remedies batch pipeline delay time for recent logins.
What if a record is ingested into the online feature store between the delay time in batch ingestion?
Our features still maintain strong consistency even when records are ingested during the one-hour batch ingestion delay period. This is because the online feature store we use at Binance returns the latest value based on the event_time you specify when retrieving the value.
All Comments