System, method and computer program product for a dynamic rules-based threshold engine
First Claim
1. A rules-based method of threshold detection, comprising the steps of:
- (1) receiving a generating event record;
(2) enhancing the generating event record, identifying one or more features associated with the generating event record and generating a vector for identifying the generating event record and the one or more features associated with the generating event;
(3) placing a feature value in the vector for each of the one or more features associated with the generating event record, each feature value indicating a number of occurrences of the associated feature that occurred within a predetermined period of time;
(4) selecting one or more threshold rules from a database of threshold rules based on the features in the vector for testing the enhanced generating event record;
(5) testing the enhanced generating event record against the one or more selected threshold rules, including testing the enhanced generating event against a deactivation hot termination attempt (DHTA) rule to determine whether a telephone call is directed to a telephone number to which a previous telephone call was directed using a recently deactivated card, if the card was deactivated within a predetermined period of time; and
(6) generating an alarm if the enhanced generating event record exceeds the one or more selected threshold rules.
3 Assignments
0 Petitions
Accused Products
Abstract
A configurable and scalable rules-based thresholding system, method and computer program product for processing event records includes a core infrastructure and a configurable domain-specific implementation. The core infrastructure is generically employed regardless of the actual type of network being monitored. The domain-specific implementation is provided with user specific data and rules. The core infrastructure includes an event record enhancer which enhances events with additional data and a threshold detector which determines whether an enhanced event record, alone or in light of prior event records, exceeds one or more thresholds. The enhancer can access external databases for additional information related to an event record. In one embodiment, the enhancer generates feature vectors to represent enhanced event records. The threshold detector receives enhanced event records from the event record enhancer. The threshold detector selects one or more threshold rules from a database of threshold rules for applying to the enhanced event records. Where enhanced event records are in the form of feature vectors containing features and feature values, the threshold detector selects one or more threshold rules based upon the features or feature values in the vector. Where the feature vector includes a threshold for a feature value, the threshold detector tests the feature values against the threshold. The threshold detector may access prior event records in order to apply one or more threshold rules.
-
Citations
16 Claims
-
1. A rules-based method of threshold detection, comprising the steps of:
-
(1) receiving a generating event record;
(2) enhancing the generating event record, identifying one or more features associated with the generating event record and generating a vector for identifying the generating event record and the one or more features associated with the generating event;
(3) placing a feature value in the vector for each of the one or more features associated with the generating event record, each feature value indicating a number of occurrences of the associated feature that occurred within a predetermined period of time;
(4) selecting one or more threshold rules from a database of threshold rules based on the features in the vector for testing the enhanced generating event record;
(5) testing the enhanced generating event record against the one or more selected threshold rules, including testing the enhanced generating event against a deactivation hot termination attempt (DHTA) rule to determine whether a telephone call is directed to a telephone number to which a previous telephone call was directed using a recently deactivated card, if the card was deactivated within a predetermined period of time; and
(6) generating an alarm if the enhanced generating event record exceeds the one or more selected threshold rules.
-
-
2. A rules-based method of threshold detection, comprising the steps of:
-
(1) receiving a generating event record;
(2) enhancing the generating event record, identifying one or more features associated with the generating event record and generating a vector for identifying the generating event record and the one or more features associated with the generating event;
(3) placing a feature value in the vector for each of the one or more features associated with the generating event record, each feature value indicating a number of occurrences of the associated feature that occurred within a predetermined period of time;
(4) selecting one or more threshold rules from a database of threshold rules based on the features in the vector for testing the enhanced generating event record;
(5) testing the enhanced generating event record against the one or more selected threshold rules, including testing the enhanced generating event against a deactivation hot originating completion (DHOC) rule to determine whether a completed call originated from a telephone number from which a previous telephone call originated using a recently deactivated card, if the card was deactivated within a predetermined period of time; and
(6) generating an alarm if the enhanced generating event record exceeds the one or more selected threshold rules.
-
-
3. A rules-based method of threshold detection, comprising the steps of:
-
(1) receiving a generating event record;
(2) enhancing the generating event record, identifying one or more features associated with the generating event record and generating a vector for identifying the generating event record and the one or more features associated with the generating event;
(3) placing a feature value in the vector for each of the one or more features associated with the generating event record, each feature value indicating a number of occurrences of the associated feature that occurred within a predetermined period of time;
(4) selecting one or more threshold rules from a database of threshold rules based on the features in the vector for testing the enhanced generating event record;
(5) testing the enhanced generating event record against the one or more selected threshold rules, including testing the enhanced generating event against a deactivation hot termination completion (DHTC) rule to determine whether a completed call terminates to a telephone number to which a previous telephone call terminated using a recently deactivated card, if the card was deactivated within a predetermined period of time; and
(6) generating an alarm if the enhanced generating event record exceeds the one or more selected threshold rules.
-
-
4. A rules-based thresholding engine, comprising:
-
a core infrastructure including an enhancer that receives and enhances event records and detects when one or more enhanced event records exceed one or more thresholds; and
a configurable domain-specific implementation that provides configurable, user-specific procedures to said core infrastructure that permit said core infrastructure to receive and enhance the event records and to detect when one or more enhanced event records exceed the one or more thresholds, said configurable domain-specific implementation including thresholding rules, wherein said thresholding rules comprise one or more of the following types of rules;
a deactivation hot originating attempt (DHOA) rule to determine when a telephone call is attempted from a telephone number from which a previous telephone call was attempted using a recently deactivated card call, when the card was deactivated within a predetermined period of time;
a deactivation hot termination attempt (DHTA) rule to determine when a telephone call is directed to a telephone number to which a previous telephone call was directed using a recently deactivated card, when the card was deactivated within a predetermined period of time;
a deactivation hot originating completion (DHOC) rule to determine when a completed call originated from a telephone number from which a previous telephone call originate using a recently deactivated card, when the card was deactivated within a predetermined period of time; and
a deactivation hot termination completion (DHTC) rule to determine when a completed call terminates to a telephone number to which a previous telephone call terminated using a recently deactivated card, when the card was deactivated within a predetermined period of time. - View Dependent Claims (5, 6, 7, 8, 9, 10, 11)
thresholding rules for testing telecommunications network event records for fraud; and
means for dynamically receiving new and updated thresholding rules during run-time.
-
-
6. The rules-based thresholding engine of claim 4, further comprising:
-
said enhancer augmenting event records;
configurable enhancement and configuration rules for specifying procedures for augmenting the event records; and
a threshold detector for detecting whether any of the augmented event records exceeds a threshold rule.
-
-
7. The rules-based thresholding engine of claim 6, further comprising:
-
means for identifying one or more features associated with a generating event record; and
means for generating a vector to identify the generating event record and the one or more features associated with the generating event.
-
-
8. The rules-based thresholding engine of claim 7, further comprising:
means for placing a feature value in the vector for each of the one or more features associated with the generating event record, each feature value indicating a number of occurrences of the associated feature that occurred within a pre-determined period of time.
-
9. The rules-based thresholding engine of claim 7, further comprising:
-
means for identifying a prior event record which includes a feature which is the same as the one or more features identified with the generating event record, the prior event record representing an event which occurred within a predetermined period of time;
means for including the prior event record in the vector as a contributing event; and
means for placing a feature value in the vector for each of the one or more features associated with the generating event record, each feature value indicating a number of occurrences of the associated feature that occurred within the pre-determined period of time.
-
-
10. The rules-based thresholding engine of claim 9, further comprising:
means for selecting one or more of said threshold rules based on the features in the vector.
-
11. The rules-based thresholding engine of claim 9, further comprising:
-
means for placing a threshold for a feature value in the vector; and
means for determining whether the feature value exceeds the threshold.
-
-
12. A rules-based method threshold detection, comprising the steps of:
-
(1) receiving a generating event record;
(2) enhancing the generating event record, identifying one or more features associated with the generating event record and generating a vector for identifying the generating event record and the one or more features associated with the generating event;
(3) placing a feature value in the vector for each of the one or more features associated with the generating event record, each feature value indicating a number of occurrences of the associated feature that occurred within a pre-determined period of time;
(4) selecting one or more threshold rules from a database of threshold rules based on the features in the vector for testing the enhanced generating event record;
(5) testing the enhanced generating event record against the one or more selected threshold rules, including testing the enhanced generating event against a deactivation hot originating attempt (DHOA) rule to determine whether a telephone call is attempted from a telephone number from which a previous telephone call was attempted using a recently deactivated card, if the card was deactivated within a predetermined period of time;
(6) generating an alarm if the enhanced generating event record exceeds the one or more selected threshold rules. - View Dependent Claims (13, 14, 15, 16)
(d) including a threshold for a feature value in the vector.
-
-
14. The method of claim 13, wherein step (5) comprises the steps of:
(a) determining whether the feature value identified in step (3)(d) exceeds the threshold that is included in the vector in step (3)(d).
-
15. The method of claim 12, wherein step (2) comprises the step of:
(a) interfacing with an external system in a format native to the external system in order to retrieve data for enhancing the generating event record.
-
16. The method of claim 12, further comprising the step of:
(7) dynamically modifying the database of threshold rules during run-time.
Specification