System, method and computer program product for processing event records
Abstract
A system, method and computer program product for processing event records. The present invention includes a detection layer, an analysis layer, an expert systems layer and a presentation layer. The layered system includes a core infrastructure and a configurable, domain-specific implementation. The detection layer employs one or more detection engines, such as a rules-based thresholding engine and a profiling engine. The detection layer can include an Artificial Intelligence based pattern recognition engine for analyzing data records, for detecting new and interesting patterns and for updating the detection engines to insure that the detection engines can detect the new patterns. In one embodiment, the present invention is implemented as a telecommunications fraud detection system. When fraud is detected, the detection layer generates alarms which are sent to the analysis layer. The analysis layer filters and consolidates the alarms to generate fraud cases. The analysis layer preferably generates a probability of fraud for each fraud case. The expert systems layer receives fraud cases and automatically initiates actions for certain fraud cases. The presentation layer also receives fraud cases for presentation to human analysts. The presentation layer permits the human analysts to initiate additional actions.
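As an added illustration (not code from the patent or its assignee), the sketch below shows the detection-to-analysis flow the abstract describes: a rules-based thresholding pass turns event records into alarms, and alarms that share a common attribute are consolidated into cases. The record fields, rule names, limits and sample events are all constructed assumptions.

```python
from collections import defaultdict

HOME = "US"  # assumed home country for the constructed data

# Constructed network event records; the field names are assumptions.
EVENTS = [
    {"ani": "2025550101", "orig_switch": "SW1", "dest_country": "GB", "minutes": 30},
    {"ani": "2025550101", "orig_switch": "SW1", "dest_country": "GB", "minutes": 40},
    {"ani": "2025550102", "orig_switch": "SW1", "dest_country": "FR", "minutes": 5},
    {"ani": "2025550101", "orig_switch": "SW1", "dest_country": "GB", "minutes": 20},
    {"ani": "2025550102", "orig_switch": "SW1", "dest_country": "US", "minutes": 3},
    {"ani": "2025550101", "orig_switch": "SW1", "dest_country": "GB", "minutes": 25},
    {"ani": "2025550102", "orig_switch": "SW1", "dest_country": "FR", "minutes": 4},
]

def intl(ev):
    """Filter: only international calls feed the rules below."""
    return ev["dest_country"] != HOME

# Hypothetical threshold rules: name, attribute counted per, filter, measure, limit.
RULES = [
    ("intl_calls_per_ani", "ani", intl, lambda ev: 1, 3),
    ("intl_minutes_per_ani", "ani", intl, lambda ev: ev["minutes"], 100),
    ("intl_calls_per_switch", "orig_switch", intl, lambda ev: 1, 5),
]

def detect(events, rules):
    """Detection layer: raise one alarm when a running total first exceeds its limit."""
    totals, alarms = defaultdict(int), []
    for ev in events:
        for name, attr, match, measure, limit in rules:
            if not match(ev):
                continue
            bucket = (name, ev[attr])
            before = totals[bucket]
            totals[bucket] = before + measure(ev)
            if before <= limit < totals[bucket]:  # alarm only on the crossing event
                alarms.append({"rule": name, "attribute": attr,
                               "value": ev[attr], "total": totals[bucket]})
    return alarms

def build_cases(alarms):
    """Analysis layer: consolidate alarms that share a common attribute value."""
    cases = defaultdict(list)
    for alarm in alarms:
        cases[(alarm["attribute"], alarm["value"])].append(alarm["rule"])
    return dict(cases)

if __name__ == "__main__":
    for key, rules_hit in build_cases(detect(EVENTS, RULES)).items():
        print(key, rules_hit)
```

Alarming only on the event that crosses the limit keeps one noisy source from flooding the analysis layer with repeat alarms for the same rule.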
22 Claims
1. A multi-layer fraud detection system for a telecommunications system, the telecommunication system comprising a network layer having at least one telecommunications network, a service control layer for managing the network layer and for generating service records including data representing instances of telecommunications in the network layer, and a data management layer for receiving the service records from various components and processes of the service control layer and for reducing data by eliminating redundancy and consolidating multiple records into network event records, the multi-layer fraud detection system comprising:
a detection layer to receive network event records from the data management layer to test the network event records for possible fraud and to generate alarms indicating incidences of suspected fraud;
an analysis layer to receive alarms generated by the detection layer and to consolidate the alarms into fraud cases; and
an expert system layer to receive fraud cases from the analysis layer and to act upon certain of the fraud cases, the expert system layer comprises a core infrastructure and a configurable, domain-specific implementation.
a network event normalizer to convert network event records from any of a plurality of formats into standardized formats for processing by said at least one fraud detection engine; and
a dispatcher to dispatch portions of said normalized network event records to said at least one fraud detection engine.
5. The multi-layer fraud detection system of claim 3, wherein said at least one fraud detection engine comprises a rules-based thresholding engine.
6. The multi-layer fraud detection system of claim 3, wherein said at least one fraud detection engine comprises:
a configurable enhancer that augments event records with additional data; and
a configurable informant to interface said enhancer to an external system and to retrieve additional data from the external system.
7. The multi-layer fraud detection system of claim 6, further comprising:
means for interfacing said informant with the external system in a format native to the external system; and
a rules database comprising instructions for processing the enhanced event records to detect fraud.
8. The multi-layer fraud detection system of claim 7, wherein:
said at least one fraud detection engine includes a rules-based thresholding engine; and
said rules database comprises threshold rules for use by said rules-based thresholding engine.
9. The multi-layer fraud detection system of claim 7, wherein:
said at least one fraud detection engine includes a profiling engine; and
said rules database comprises profiles for use by said profiling engine.
10. The multi-layer fraud detection system of claim 3, wherein said detection layer further comprises a pattern recognition engine that learns new patterns of fraud and that generates updates for said at least one fraud detection engine.
11. The multi-layer fraud detection system of claim 1, wherein said analysis layer comprises a core infrastructure and a configurable, domain-specific implementation.
12. The multi-layer fraud detection system of claim 11, wherein said analysis layer further comprises:
a configurable alarm enhancer to augment fraud alarms with data;
a configurable informant to interface said alarm enhancer to an external system and to retrieve additional data from the external system; and
a configurable fraud case builder to consolidate fraud alarms that are generated by said detection layer.
13. The multi-layer fraud detection system of claim 12, wherein said user-specific implementation layer of said analysis layer further comprises:
means for interfacing said informant with the external system in a format native to the external system; and
an analysis rules database comprising instructions for said fraud case builder for filtering and correlating fraud alarms into fraud cases according to at least one common attribute.
14. The multi-layer fraud detection system of claim 13, wherein said at least one common attribute is one of the following attributes:
ANI;
originating switch;
credit card number;
DNIS;
destination country;
originating geographic area;
originating area code; and
calling equipment type.
15. The multi-layer fraud detection system of claim 1, wherein said expert system layer domain-specific implementation comprises:
a configurable prioritizer that generates enhanced fraud cases, prioritizes the enhanced fraud cases and directs actions on external action systems for certain of the prioritized, enhanced fraud cases;
a configurable informant that interfaces said alarm enhancer to an external system and that retrieves the additional data from the external system; and
a configurable enforcer that interfaces said prioritizer to an external action system and that directs execution of actions by the external action system based upon commands that are generated by the prioritizer.
16. The multi-layer fraud detection system of claim 15, wherein the configurable prioritizer employs suppression techniques to enhance the efficiency of fraud detection.
17. The multi-layer fraud detection system of claim 16, wherein suppression techniques include the use of previous experienced analysts' rulings' and customer behaviour.
18. The multi-layer fraud detection system of claim 15, wherein said user-specific implementation layer of said expert system layer includes a configuration database, and wherein said configuration database comprises:
means for interfacing said informant with the external system in a format native to the external system; and
prioritizing rules for use by the prioritizer.
19. The multi-layer fraud detection system of claim 1, further comprising a presentation layer that receives prioritized fraud cases from said expert system layer and that presents the prioritized fraud cases to live operators, wherein said presentation layer includes a core infrastructure and a configurable, domain-specific implementation.
20. The multi-layer fraud detection system of claim 18, wherein said domain-specific implementation of said presentation layer comprises:
a configurable case enhancer that enhances prioritized fraud cases with additional data;
a configurable presentation interface that distributes the enhanced, prioritized fraud cases to one or more workstations and that sends action commands generated at the workstations to an external action system;
a configurable first informant that interfaces said case enhancer to a first external system and that retrieves data from the first external system;
a configurable second informant that interfaces said presentation interface to a second external system and that retrieves data from the second external system, based upon commands generated at the workstations; and
a configurable enforcer that interfaces the workstations, via said presentation interface, to the external action system and that directs execution of actions by the external action system based upon commands generated at the workstations.
21. The multi-layer fraud detection system of claim 20, wherein the first and second external systems are each a part of the same external system.
22. The multi-layer fraud detection system of claim 20, wherein said user-specific implementation layer of said presentation layer further comprises:
means for interfacing said informant with the first external system in an interfacing format that is native to the first external system; and
configurable presentation rules to direct presentation of enhanced, prioritized fraud cases at the workstations.
Specification