Fraud Detection and Analysis System

US 20100094768A1
Filed: 06/12/2009
Published: 04/15/2010
Est. Priority Date: 06/12/2008
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a risk engine executing on a processor and coupled to a financial system that includes an account, the risk engine generating an account model corresponding to a user and events conducted in the account, the generating of the account model using event parameters of a previous event performed by the user in the account to generate predicted distributions of the event parameters for a next event in the account, the risk engine receiving event parameters of the next event as the next event occurs, the risk engine generating a first probability using the account model, wherein the first probability is a probability of observing the event parameters assuming the user is conducting the next event, the risk engine generating a second probability using a fraud model, wherein the second probability is a probability of observing the event parameters assuming a fraudster is conducting the next event, wherein the fraudster is a person other than the user, wherein the events conducted in the account comprise the previous event and the next event, the risk engine generating a risk score using the first probability and the second probability, the risk score indicating the relative likelihood the next event is performed by the user versus the fraudster; and

a risk application executing on the processor, the risk application comprising an analytical user interface (AUI), the AUI displaying for any event in the account at least one of the risk score and the event parameters.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is provided comprising a risk engine coupled to a financial system that includes an account. The risk engine generates an account model corresponding to a user and events of the account. Generation of the account model uses event parameters of a previous event performed by the user in the account. The risk engine uses the account model to generate a first probability of observing event parameters assuming the user is conducting the next event. The risk engine uses a fraud model to generate a second probability of observing event parameters assuming a fraudster is conducting the next event. The risk engine generates a risk score, using the first and second probabilities, which indicates the relative likelihood the next event is performed by the user. The system includes a risk application comprising an analytical user interface that displays for any event the risk score and/or event parameters.

237 Citations

65 Claims

1. A system comprising:
- a risk engine executing on a processor and coupled to a financial system that includes an account, the risk engine generating an account model corresponding to a user and events conducted in the account, the generating of the account model using event parameters of a previous event performed by the user in the account to generate predicted distributions of the event parameters for a next event in the account, the risk engine receiving event parameters of the next event as the next event occurs, the risk engine generating a first probability using the account model, wherein the first probability is a probability of observing the event parameters assuming the user is conducting the next event, the risk engine generating a second probability using a fraud model, wherein the second probability is a probability of observing the event parameters assuming a fraudster is conducting the next event, wherein the fraudster is a person other than the user, wherein the events conducted in the account comprise the previous event and the next event, the risk engine generating a risk score using the first probability and the second probability, the risk score indicating the relative likelihood the next event is performed by the user versus the fraudster; and
  
  a risk application executing on the processor, the risk application comprising an analytical user interface (AUI), the AUI displaying for any event in the account at least one of the risk score and the event parameters.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64)
- - 2. The system of claim 1, wherein the AUI comprises a horizontal axis representing a sequence of events ordered by time.
  - 3. The system of claim 2, wherein the AUI comprises a vertical axis representing the event parameters.
  - 4. The system of claim 3, wherein the event parameters include one or more of Internet Protocol (IP) data and Hypertext Transfer Protocol (HTTP) data.
  - 5. The system of claim 4, wherein the IP data includes one or more of an IP address, IP address country, IP address city, IP network block, and internet service provider supporting an event.
  - 6. The system of claim 4, wherein the HTTP data includes one or more of data of an operating system, a user agent string, a referrer string, and internet browser of a computer used for an event.
  - 7. The system of claim 3, wherein the AUI comprises a plurality of columns, wherein each column of the plurality of columns represents at lease one event of the events conducted in the account, wherein the plurality of columns are arranged according to date.
  - 8. The system of claim 7, wherein the AUI comprises a plurality of rows, wherein a set of rows of the plurality of rows represent event parameters of the events.
  - 9. The system of claim 7, wherein the AUI comprises a plurality of intersection regions, each intersection region defined by an intersection of a row of the set of rows and a column, wherein the intersection region corresponds to an event parameter of the at least one event, wherein the intersection region includes color coding relating the event parameter to a corresponding probability of the account model.
  - 10. The system of claim 9, wherein the color coding represents a relative likelihood ratio that the event parameter corresponds to the user.
  - 11. The system of claim 7, wherein the AUI comprises a risk row representing risk of the event, wherein each intersection region defined by the intersection of the risk row with a column corresponds to the risk score of the at least one event corresponding to the column.
  - 12. The system of claim 11, wherein the intersection region includes color coding relating the risk score to the at least one event.
  - 13. The system of claim 12, wherein the color coding represents a relative likelihood ratio that the user conducted the at least one event.
  - 14. The system of claim 7, wherein the at least one event comprises at least one of an online event, an offline event, and a multiple-channel event.
  - 15. The system of claim 14, wherein online events are events undertaken via electronic access to the account.
  - 16. The system of claim 7, wherein the at least one event comprises a login event.
  - 17. The system of claim 7, wherein the at least one event comprises an activity event.
  - 18. The system of claim 7, wherein the at least one event comprises a session, wherein the session is a sequence of related events.
  - 19. The system of claim 18, wherein the sequence of related events comprises a session login event and a termination event.
  - 20. The system of claim 19, wherein the sequence of related events comprises at least one activity event following the login event.
  - 21. The system of claim 1, wherein generating the account model includes generating statistical relationships between predicted distributions.
  - 22. The system of claim 1, wherein generating the account model includes generating a joint probability distribution that includes the predicted distributions.
  - 23. The system of claim 22, wherein the predicted distributions include a plurality of probability distribution functions that represent the event parameters.
  - 24. The system of claim 23, wherein the event parameters are observable parameters collected during the previous event.
  - 25. The system of claim 1, wherein generating the account model includes generating statistical relationships between the event parameters and derived parameters.
  - 26. The system of claim 25, wherein the derived parameters include one or more of geographic area from which a device is initiating the next event, location of the device, identification of the device, and electronic service provider of the device.
  - 27. The system of claim 1, wherein generating the risk score includes generating expected event parameters of the next event.
  - 28. The system of claim 27, wherein generating the expected event parameters includes generating a first set of predicted probability distributions that represent the expected event parameters, wherein generating the first set of predicted probability distributions assumes the user is conducting the second set of events.
  - 29. The system of claim 1, comprising:
    - receiving a predictive fraud model; and
      
      generating a second set of predicted probability distributions that represent expected fraud event parameters, wherein generating the second set of predicted probability distributions assumes a fraudster is conducting the next event.
  - 30. The system of claim 29, comprising automatically generating the predictive fraud model by estimating a plurality of fraud components of the predictive fraud model using fraud event parameters of previous fraudulent events undertaken in a plurality of accounts, wherein the previous fraudulent events are events suspected as having been conducted by the fraudster.
  - 31. The system of claim 30, wherein automatically generating the predictive fraud model includes generating statistical relationships between fraud components of the plurality of fraud components.
  - 32. The system of claim 30, wherein automatically generating the predictive fraud model includes generating statistical relationships between the fraud event parameters and derived fraud parameters.
  - 33. The system of claim 32, wherein the derived fraud parameters include one or more of a location of the device, identification of the device, and electronic service provider of the device.
  - 34. The system of claim 29, comprising generating the predictive fraud model.
  - 35. The system of claim 34, wherein generating the predictive fraud model comprises generating an original fraud model to include a probability of observing an event given that the event is caused by the fraudster and absent any other information about the event
  - 36. The system of claim 34, wherein generating the predictive fraud model comprises generating a probabilistic combination of the original fraud model and an impersonation model.
  - 37. The system of claim 36, comprising generating the original fraud model to include a probability of observing an event given that the event is caused by the fraudster and absent any other information about the event.
  - 38. The system of claim 36, wherein generating the predictive fraud model comprises generating the predictive fraud model to include an impersonation probability, wherein the impersonation probability is a probability that the fraudster successfully impersonates a parameter value of an event parameter of a set of events undertaken by the user.
  - 39. The system of claim 36, wherein the impersonation model comprises a probability that the fraudster mimics an event parameter of a set of events undertaken by the user.
  - 40. The system of claim 36, wherein the impersonation model comprises a probability that the fraudster observes an event parameter of a set of events undertaken by the user.
  - 41. The system of claim 36, comprising:
    - identifying at least one previous fraud event, a previous fraud event comprising a previous event in the account potentially caused by the fraudster;
      
      generating the original fraud model by estimating a plurality of components of the fraud model using event parameters of at least one previous fraud event undertaken in the account, the at least one previous fraud event potentially conducted by the fraudster.
  - 42. The system of claim 41, comprising modifying the predictive fraud model based on at least one previous event potentially conducted by the fraudster.
  - 43. The system of claim 41, comprising generating the predictive fraud model to include a fraud co-occurrence coefficient for at least one previous event potentially conducted by the fraudster.
  - 44. The system of claim 43, wherein the fraud co-occurrence coefficient represents an accumulated mistrust derived recursively from the at least one previous event potentially conducted by the fraudster.
  - 45. The system of claim 43, wherein the fraud co-occurrence coefficient comprises a coefficient representing an affect of a plurality of previous events potentially conducted by the fraudster.
  - 46. The system of claim 1, comprising selectively updating the account model using a second set of event parameters collected during the next event.
  - 47. The system of claim 46, wherein the second set of event parameters is observable parameters collected during the next event.
  - 48. The system of claim 46, wherein automatically updating the account model includes updating a joint probability distribution that includes a plurality of components of the account model.
  - 49. The system of claim 46, wherein automatically updating the account model includes updating at least one of a plurality of components of the account model.
  - 50. The system of claim 46, wherein automatically updating the account model includes updating at least one of a plurality of probability distribution functions that represent the event parameters, the updating modifying the at least one of the plurality of probability distribution functions by considering data of the second set of event parameters.
  - 51. The system of claim 46, comprising:
    - generating a probability distribution function for each of the event parameters of the prior event; and
      
      generating an updated probability distribution function for each of the event parameters by applying data of a second set of event parameters of the next event to the probability distribution function.
  - 52. The system of claim 51, comprising:
    - receiving a baseline account model that corresponds to the user, the baseline account model generated without using data of any event; and
      
      generating the account model by generating a joint probability distribution that includes a plurality of components of the account model, wherein the plurality of components includes the updated probability distribution function for any event parameter represented in the account model.
  - 53. The system of claim 1, wherein the previous event and the next event comprise at least one of online events, offline events, and multiple channel events.
  - 54. The system of claim 53, wherein online events are events undertaken via electronic access to the account.
  - 55. The system of claim 1, wherein events comprise login events.
  - 56. The system of claim 1, wherein events comprise activity events.
  - 57. The system of claim 1, wherein the events comprise a session, wherein the session is a sequence of related events.
  - 58. The system of claim 57, wherein the sequence of related events comprises a session login event and a termination event.
  - 59. The system of claim 58, wherein the sequence of related events comprises at least one activity event.
  - 60. The system of claim 1, comprising:
    - determining probabilistically that the next event was conducted by the user;
      
      automatically updating the account model using a second set of event parameters collected during the next event.
  - 61. The system of claim 60, comprising updating the account model to include a trust factor, the trust factor representing a probability that the next event was in fact conducted by the user.
  - 62. The system of claim 60, comprising updating the account model to include an accumulated trust factor, the accumulated trust factor representing a cumulative probability across a plurality of events that an event parameter in the plurality of events was in fact conducted by the user.
  - 63. The system of claim 1, wherein automatically generating the account model comprises generating the account model to include a decay parameter.
  - 64. The system of claim 63, wherein the decay parameter comprises an exponential decay function by which a relative weight of each event of the events in the account changes with passage of time since the event.

65. A system comprising:
- a risk engine executing on a processor, the risk engine receiving from a financial system observations corresponding to a prior event, the prior event including actions taken in an account of the financial system during electronic access of the account, the risk engine estimating parameters of an account model using the observations and dynamically generating an account model to include the parameters, the account model corresponding only to the user, the risk engine using output of the account model to generate a risk score that is a relative likelihood an event in the account following the prior event is performed by the user versus the fraudster; and
  
  a risk application executing on the processor, the risk application comprising an analytical user interface (AUI), the AUI displaying for any event in the account at least one of the risk score and event parameters of any event in the account.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Guardian Analytics Incorporated (Nice Ltd)
Original Assignee
Guardian Analytics Incorporated (Nice Ltd)
Inventors
Miltonberger, Tom

Granted Patent

US 10,410,220 B2
Time in Patent Office

Days
Field of Search
US Class Current

705/325
CPC Class Codes

G06N 5/02   Knowledge representation; S...

G06N 7/01   Probabilistic graphical mod...

G06Q 10/067   Enterprise or organisation ...

G06Q 10/10   Office automation; Time man...

G06Q 20/40   Authorisation, e.g. identif...

G06Q 20/4016   involving fraud or risk lev...

G06Q 30/0185   Product, service or busines...

G06Q 30/0225   Avoiding frauds

G06Q 40/02   Banking, e.g. interest calc...

G06Q 50/265   Personal security, identity...

Fraud Detection and Analysis System

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

237 Citations

65 Claims

Specification

Use Cases

Quick Links

Others

Fraud Detection and Analysis System

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

237 Citations

65 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others