Feature/implementation

docker-compose.yml

@@ -14,6 +14,7 @@ services:
       - neo4j_data:/data
       - neo4j_logs:/logs
       - ./data/raw:/var/lib/neo4j/import
+      - ./queries:/var/lib/neo4j/import/queries
     healthcheck:
       test: ["CMD", "cypher-shell", "-u", "${NEO4J_USER}", "-p", "${NEO4J_PASSWORD}", "RETURN 1"]
       interval: 10s

queries/ring_detection.cypher

@@ -1,3 +1,10 @@
-MATCH (start:Account {fraud_confirmed: true})-[:HAS_PHONE|HAS_EMAIL|HAS_DEVICE*1..6]-(connected:Account)
-WHERE start <> connected
-RETURN DISTINCT connected.name, connected.fraud_confirmed
+// Graph visualization — paste into Neo4j browser, switch to graph view.
+// Returns fraud accounts and their shared identifier nodes (Phone/Email/Device).
+// The browser renders which identifiers are shared across accounts, revealing the rings.
+MATCH (a:Account {fraud_confirmed: true})-[r:HAS_PHONE|HAS_EMAIL|HAS_DEVICE]->(identifier)
+RETURN a, r, identifier
+
+// Tabular form — returns one row per connected account, useful for analysis.
+// MATCH (start:Account {fraud_confirmed: true})-[:HAS_PHONE|HAS_EMAIL|HAS_DEVICE*1..6]-(connected:Account)
+// WHERE start <> connected
+// RETURN DISTINCT connected.name, connected.fraud_confirmed

src/main/java/ringnet/LoadData.java

@@ -89,6 +89,20 @@ public static void main(String[] args) {
                         r.transaction_id = row.id
                     """).consume());
 
+            step("Computing FLAGGED_BY from shared identifiers", () ->
+                session.run("""
+                    MATCH (a:Account)-[:HAS_PHONE|HAS_EMAIL|HAS_DEVICE]->(shared) <-[:HAS_PHONE|HAS_EMAIL|HAS_DEVICE]-(b:Account)
+                    WHERE a.id < b.id
+                    WITH a, b, count(DISTINCT shared) AS shared_count
+                    MERGE (a)-[r:FLAGGED_BY]->(b)
+                    SET r.rule       = 'shared_identifier',
+                        r.confidence = CASE
+                            WHEN shared_count >= 3 THEN 0.9
+                            WHEN shared_count = 2  THEN 0.6
+                            ELSE 0.3
+                        END
+                    """).consume());
+
             System.out.println("\nLoad complete. Run VerifyLoad to confirm counts.");
         }
     }

src/main/java/ringnet/VerifyLoad.java

@@ -14,9 +14,10 @@ public static void main(String[] args) {
         String password = dotenv.get("NEO4J_PASSWORD");
 
         try (Driver driver = GraphDatabase.driver(uri, AuthTokens.basic(user, password));
-             Session session = driver.session()) {
+        Session session = driver.session()) {
 
             printNodeCounts(session);
+            printRelationshipCounts(session);
             List<List<String>> rings = detectFraudRings(session);
             printRingSummary(rings);
         }
@@ -32,6 +33,16 @@ static void printNodeCounts(Session session) {
         }
     }
 
+    static void printRelationshipCounts(Session session) {
+        System.out.println("\n--- Relationship counts ---");
+        String[] types = {"HAS_PHONE", "HAS_EMAIL", "HAS_DEVICE", "HAS_ADDRESS", "SENT", "TO", "TRANSFERRED_TO", "FLAGGED_BY"};
+        for (String type : types) {
+            long count = session.run("MATCH ()-[r:" + type + "]->() RETURN count(r) AS c")
+                    .single().get("c").asLong();
+            System.out.printf("  %-20s %d%n", type + ":", count);
+        }
+    }
+
     static List<List<String>> detectFraudRings(Session session) {
         List<String> fraudAccounts = session
                 .run("MATCH (a:Account {fraud_confirmed: true}) RETURN a.id AS id")

system_design/theory.md

@@ -58,7 +58,7 @@ If the phone number is stored as a text field on each account, it stays invisibl
 
 Ring membership is a **structural signal**: it tells you an account is connected to a network of other suspicious accounts, regardless of its own transaction history. An account could have very few transactions but still be deeply embedded in a fraud ring.
 
-The risk score in `05_risk_scoring.cypher` combines both signals into one number per account — how close it is to a confirmed fraud node, how many shared identifiers it has with flagged accounts, how fast it moves money, and whether it belongs to a ring. That combined score is what you hand to an analyst. Instead of reviewing thousands of accounts blindly, they start from the top of the list.
+The risk score in `risk_scoring.cypher` combines both signals into one number per account — how close it is to a confirmed fraud node, how many shared identifiers it has with flagged accounts, how fast it moves money, and whether it belongs to a ring. That combined score is what you hand to an analyst. Instead of reviewing thousands of accounts blindly, they start from the top of the list.
 
 ---