System and method for detecting and managing fraud
Abstract
A system, method and computer program product for processing event records. The present invention includes a detection layer, an analysis layer, an expert systems layer and a presentation layer. The layered system includes a core infrastructure and a configurable, domain-specific implementation. The detection layer employs one or more detection engines, such as, for example, a rules-based thresholding engine and a profiling engine. The detection layer can include an AI-based pattern recognition engine for analyzing data records, for detecting new and interesting patterns and for updating the detection engines to ensure that the detection engines can detect the new patterns. In one embodiment, the present invention is implemented as a telecommunications fraud detection system. When fraud is detected, the detection layer generates alarms which are sent to the analysis layer. The analysis layer filters and consolidates the alarms to generate fraud cases. The analysis layer preferably generates a probability of fraud for each fraud case. The expert systems layer receives fraud cases and automatically initiates actions for certain fraud cases. The presentation layer also receives fraud cases for presentation to human analysts. The presentation layer permits the human analysts to initiate additional actions.
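The layered flow the abstract describes (normalize, test against threshold rules, raise alarms, consolidate alarms into cases by a common attribute, act automatically on some cases), sketched as an added Python example that is not taken from the patent. The two input record formats, the rule names and limits, the score formula and the `block_ani` action are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:                 # standardized network event record
    ani: str                 # originating number (ANI)
    dest_country: str
    minutes: float

def normalize(raw):
    """Detection layer, step 1: convert two constructed input formats to Event."""
    if isinstance(raw, dict):                   # format A: switch feed, seconds
        return Event(raw["ani"], raw["country"].upper(), raw["secs"] / 60)
    ani, country, minutes = raw.split("|")      # format B: pipe-delimited, minutes
    return Event(ani, country.upper(), float(minutes))

# Hypothetical threshold rules; the limits are illustrative, not from the patent.
MAX_MINUTES = 120      # a single call longer than this raises an alarm
MAX_INTL_CALLS = 2     # more international calls than this per ANI raises an alarm

def detect(events, home="US"):
    """Detection layer, step 2: thresholding engine returning (ani, rule) alarms."""
    intl = Counter()
    alarms = []
    for e in events:
        if e.minutes > MAX_MINUTES:
            alarms.append((e.ani, "long_call"))
        if e.dest_country != home:
            intl[e.ani] += 1
            if intl[e.ani] > MAX_INTL_CALLS:
                alarms.append((e.ani, "intl_call_count"))
    return alarms

def build_cases(alarms):
    """Analysis layer: consolidate alarms that share an ANI into one case.
    The score (distinct rules violated / 2 rules defined) is a crude stand-in
    for the probability of fraud mentioned in the abstract."""
    by_ani = defaultdict(list)
    for ani, rule in alarms:
        by_ani[ani].append(rule)
    cases = [{"ani": a, "alarms": r, "score": len(set(r)) / 2} for a, r in by_ani.items()]
    return sorted(cases, key=lambda c: c["score"], reverse=True)

def auto_actions(cases, cutoff=1.0):
    """Expert systems layer: act automatically only on high-scoring cases;
    the rest would go to analysts through the presentation layer."""
    return [("block_ani", c["ani"]) for c in cases if c["score"] >= cutoff]

# Constructed sample records in the two source formats.
RAW = [
    {"ani": "2025550101", "country": "gb", "secs": 9000},   # 150-minute call
    "2025550101|GB|5", "2025550101|FR|4",
    "2025550199|US|130",
    {"ani": "2025550142", "country": "us", "secs": 300},
]

def run(raw=RAW):
    cases = build_cases(detect([normalize(r) for r in raw]))
    return cases, auto_actions(cases)
```

Calling `run()` yields two cases, ordered by score, and a single automatic action for the ANI that violated both rules.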
52 Claims
1. A method for detecting fraud and automatically generating alarms based on real-time event data in a telecommunications system by using artificial intelligence, comprising the steps of:
(1) combining core infrastructure with configurable user-specific implementation rules and automatically acting upon evolving fraud patterns;
(2) performing a plurality of types of fraud detection tests on network event records by normalizing the network event records from a variety of formats into standardized formats;
(3) dispatching normalized network event records to at least one fraud detecting engine from among a plurality of fraud detecting engines;
(4) parallel processing the dispatched portions in the plurality of fraud detecting engines by enhancing the normalized dispatched network event records prior to testing for fraud;
(5) generating fraud alarms upon detection of suspected fraud by any of the fraud detection tests;
(6) correlating the fraud alarms into fraud cases based on common aspects of the fraud alarms; and
(7) automatically responding to certain of the fraud cases. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
(a) selecting a threshold rule from a plurality of threshold rules stored in a threshold rule database; and
(b) determining whether a network event record violates the selected threshold rule.
3. The method of claim 2, further comprising the step of:
(c) updating the threshold rule database during run-time.
4. The method of claim 3, wherein step (c) comprises the steps of:
(i) analyzing the network event records to identify new methods of fraud;
(ii) generating new threshold rules for detecting the new methods of fraud; and
(iii) updating the threshold rule database with the new threshold rules.
5. The method of claim 3, wherein step (c) comprises the steps of:
(i) analyzing the network event records to identify new methods of fraud using artificial intelligence;
(ii) generating new threshold rules for detecting the new methods of fraud using artificial intelligence; and
(iii) updating the threshold rule database with the new threshold rules.
6. The method of claim 1, wherein step (2) comprises the steps of:
(a) selecting a profile from a plurality of profiles stored in a profile database; and
(b) determining whether a network event record violates the profile;
wherein step (4) comprises the step of generating an alarm and a probability of fraud based upon the extent of the departure if a network event record violates the profile.
7. The method of claim 6, further comprising the step of:
(d) updating the profile database during runtime.
8. The method of claim 7, wherein step (d) comprises the steps of:
(i) analyzing the network event records to identify new methods of fraud;
(ii) generating new profiles representative of the new methods of fraud; and
(iii) updating the profile database with the new profiles.
9. The method of claim 8, wherein steps (ii) and (iii) are performed via artificial intelligence.
10. The method of claim 1, wherein step (5) comprises the step of:
(a) prioritizing the fraud cases to indicate a probability of fraud associated with each of the fraud cases.
11. The method of claim 10, wherein step (a) comprises the step of enhancing the fraud alarms with data prior to correlating.
12. The method of claim 10, wherein step (a) comprises the steps of:
(i) retrieving data from an external system; and
(ii) enhancing the fraud alarms with the retrieved data prior to correlating.
13. The method of claim 1, further comprising the steps of:
(8) presenting the fraud cases to live operators; and
(9) manually responding to certain of the fraud cases.
14. A multi-layer fraud detection system using artificial intelligence for a telecommunications system, the telecommunications system comprising a network layer having at least one telecommunications network, a service control layer for managing the network layer and for generating service records containing data representing instances of telecommunications in the network layer, and a data management layer for receiving the service records from various components and processes of the service control layer and for reducing data by eliminating redundancy and consolidating multiple records into network event records, the multi-layer fraud detection system comprising:
a detection layer comprising a core infrastructure and a configurable, domain specific implementation to receive network event records from the data management layer, to test the network event records for possible fraud and to generate alarms indicating incidences of suspected fraud;
an analysis layer to receive alarms generated by the detection layer and to consolidate the alarms into fraud cases; and
an expert system layer comprising a core infrastructure and a configurable, domain specific implementation to receive fraud cases from the analysis layer and to act upon certain of the fraud cases. - View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
a network event normalizer to convert network event records from any of a plurality of formats into standardized formats for processing by said at least one fraud detection engine; and
a dispatcher to dispatch portions of said normalized network event records to said at least one fraud detection engine.
17. The multi-layer fraud detection system of claim 15, wherein said at least one fraud detection engine comprises a rules-based thresholding engine.
18. The multi-layer fraud detection system of claim 15, wherein said at least one fraud detection engine comprises:
a configurable enhancer that augments event records with additional data; and
a configurable informant to interface said enhancer to an external system and to retrieve additional data from the external system.
19. The multi-layer fraud detection system of claim 18, further comprising:
means for interfacing said informant with the external system in a format native to the external system; and
a rules database comprising instructions for processing the enhanced event records to detect fraud.
20. The multi-layer fraud detection system of claim 19, wherein:
said at least one fraud detection engine includes a rules-based thresholding engine; and
said rules database comprises threshold rules for use by said rules-based thresholding engine.
21. The multi-layer fraud detection system of claim 19, wherein:
said at least one fraud detection engine includes a profiling engine; and
said rules database comprises profiles for use by said profiling engine.
22. The multi-layer fraud detection system of claim 15, wherein said detection layer further comprises a pattern recognition engine that learns new patterns of fraud and that generates updates for said at least one fraud detection engine.
23. The multi-layer fraud detection system of claim 14, wherein said analysis layer comprises a core infrastructure and a configurable, domain-specific implementation.
24. The multi-layer fraud detection system of claim 23 wherein said analysis layer further comprises:
a configurable alarm enhancer to augment fraud alarms with data;
a configurable informant to interface said alarm enhancer to an external system and to retrieve additional data from the external system; and
a configurable fraud case builder to consolidate fraud alarms that are generated by said detection layer.
25. The multi-layer fraud detection system of claim 24, wherein said user-specific implementation layer of said analysis layer further comprises:
means for interfacing said informant with the external system in a format native to the external system; and
an analysis rules database comprising instructions for said fraud case builder for filtering and correlating fraud alarms into fraud cases according to at least one common attribute.
26. The multi-layer fraud detection system of claim 25, wherein said at least one common attribute is one of the following attributes:
ANI;
originating switch;
credit card number;
DNIS;
destination country;
originating geographic area;
originating area code; and
calling equipment type.
27. The multi-layer fraud detection system of claim 14, wherein said expert system layer domain-specific implementation comprises:
a configurable prioritizer that generates enhanced fraud cases, prioritizes the enhanced fraud cases and directs actions on external action systems for certain of the prioritized, enhanced fraud cases;
a configurable informant that interfaces said alarm enhancer to an external system and that retrieves the additional data from the external system; and
a configurable enforcer that interfaces said prioritizer to an external action system and that directs execution of actions by the external action system based upon commands that are generated by the prioritizer.
28. The multi-layer fraud detection system of claim 27, wherein said user-specific implementation layer of said expert system layer includes a configuration database, and wherein said configuration database comprises:
means for interfacing said informant with the external system in a format native to the external system; and
prioritizing rules for use by the prioritizer.
29. The multi-layer fraud detection system of claim 14, further comprising:
a presentation layer that receives prioritized fraud cases from said expert system layer and that presents the prioritized fraud cases to live operators, wherein said presentation layer includes a core infrastructure and a configurable, domain-specific implementation.
30. The multi-layer fraud detection system of claim 29, wherein said domain-specific implementation of said presentation layer comprises:
a configurable case enhancer that enhances prioritized fraud cases with additional data;
a configurable presentation interface that distributes the enhanced, prioritized fraud cases to one or more workstations and that sends action commands generated at the workstations to an external action system;
a configurable first informant that interfaces said case enhancer to a first external system and that retrieves data from the first external system;
a configurable second informant that interfaces said presentation interface to a second external system and that retrieves data from the second external system, based upon commands generated at the workstations; and
a configurable enforcer that interfaces the workstations, via said presentation interface, to the external action system and that directs execution of actions by the external action system based upon commands generated at the workstations.
31. The multi-layer fraud detection system of claim 30, wherein the first and second external systems are each a part of the same external system.
32. The multi-layer fraud detection system of claim 30, wherein said user-specific implementation layer of said presentation layer further comprises:
means for interfacing said informant with the first external system in an interfacing format that is native to the first external system; and
configurable presentation rules to direct presentation of enhanced, prioritized fraud cases at the workstations.
33. A method for detecting fraud and automatically generating alarms based on real-time event data in a telecommunications system by using artificial intelligence, comprising the steps of:
(1) analyzing a history of network event records to identify normal and fraudulent patterns;
(2) determining whether a network event record violates a selected threshold rule by comparing said network event record with a selected profile, wherein said threshold rule and said selected profile include a scalable core infrastructure and a user-configurable, domain-specific implementation within a layered logical systems architecture;
(3) determining whether the network event record deviates from a selected profile;
(4) generating an alarm when the network event record violates the selected threshold rule; and
(5) generating an alarm when the network event record deviates from the selected profile. - View Dependent Claims (34, 35)
(5) performing steps (2) and (3) in parallel.
35. The method of claim 33, further comprising the step of:
generating at least one of the following types of updates when a fraudulent pattern of use is identified;
updates for a threshold rules database; and
updates for a profile database.
36. A system for processing event records by using artificial intelligence for detecting fraud and automatically generating alarms based on real time event data in a telecommunications system, comprising:
a scalable core infrastructure that can be implemented in more than one application; and
a configurable, domain-specific implementation including configurable rules. - View Dependent Claims (37, 38, 39, 40, 41, 42, 43)
thresholding rules for testing telecommunications network event records; and
profiles for comparison to telecommunications network event records.
38. The system according to claim 36, wherein said core infrastructure is implemented as part of a credit card fraud detection system and said configurable, domain-specific implementation comprises:
thresholding rules for testing credit card event records; and
profiles for comparison to credit card event records.
39. The system according to claim 36, wherein said core infrastructure is implemented as part of a data mining system and said configurable, domain-specific implementation comprises:
thresholding rules for testing data mining event records; and
profiles for comparison to data mining event records.
40. The system according to claim 36, wherein said core infrastructure is implemented as part of a consumer purchasing pattern analysis system and said configurable, domain-specific implementation comprises:
thresholding rules for testing consumer purchasing event records; and
profiles for comparison to consumer purchasing event records.
41. The system according to claim 36, further comprising:
a detection layer that detects and normalizes event records, dispatches event records to one or more detection engines and generates alarms when an event record meets a condition;
an analysis layer that receives alarms from said detection layer and that consolidates the received alarms into cases based upon common traits of the alarms; and
an expert system layer that receives cases from said analysis layer and that acts upon certain cases.
42. The system according to claim 41, said detection layer further comprising:
means for generating feature vectors for representing multiple occurrences of an event feature.
43. The system according to claim 36, further comprising:
a presentation layer that receives cases from the detection layer, presents the received cases to human analysts, receives commands from human analysts and sends instructions to external action systems to take actions based upon the commands from human analysts.
44. A computer program product comprising a computer readable medium having computer program logic stored therein for enabling a computer system to process network event records to detect fraud and automatically generate alarms in a telecommunications system based on real-time event data and using artificial intelligence in a scalable core infrastructure with user-specific implementation rules, wherein said computer-program logic comprises:
means for enabling a computer system to test network event records;
means for enabling said computer system to generate alarms when a network event record pattern deviates from a selected profile;
means for enabling said computer system to correlate the alarms generated into categories based on known common aspects of said alarms; and
means for enabling said computer system to respond to certain alarms of said categories. - View Dependent Claims (45, 46)
means for enabling the computer to present the cases to live operators; and
means for enabling the computer to permit the live operators to manually initiate responses to certain of the cases.
46. The computer program product according to claim 44, further comprising:
user configurable means for enabling the computer to process user-specific types of event records; and
core infrastructure means for enabling the computer to process event records for a variety of types of event records.
47. A data processing system comprising:
normalizing means for accepting data in various formats and converting it into a predetermined formats and filtering it;
data enhancing means accepting the data in a predetermined format from the normalizing means and based upon information included in the data or extended data, deriving additional attributes to create enhanced data;
means, accepting the enhanced data from the data enhancing means, for identifying particular patterns in the enhanced data;
correlation means, accepting the filtered enhanced data from the filtering means, for correlating and consolidating the filtered enhanced data based upon predetermined criteria and obtaining additional information from external sources to generate aggregated structures; and
prioritizing means, accepting the aggregated structures from the correlation means, for ordering the aggregated structures for subsequent processing. - View Dependent Claims (48, 49)
50. A data processing method comprising:
converting data in various formats into predetermined formats and filtering it;
creating enhanced data by deriving additional attributes from the data in a predetermined format;
filtering the enhanced data to identify particular patterns in the enhanced data;
correlating and consolidating the filtered enhanced data based upon predetermined criteria and obtaining additional information from external sources to generate aggregated structures; and
prioritizing the aggregated structures for subsequent processing. - View Dependent Claims (51, 52)
Specification