System, method and computer program product for processing event records

US 7,117,191 B2
Filed: 09/08/2003
Issued: 10/03/2006
Est. Priority Date: 09/12/1997
Status: Expired due to Term

First Claim

Patent Images

1. A method for detecting fraud in at least one telecommunications network, the method comprising:

receiving a network event record from the at least one telecommunications network, the network event record being configured in a domain specific format;

reconfiguring at least a first portion of the method for detecting fraud in accordance with the domain specific format;

performing a plurality of types of fraud detection tests on the network event record;

generating a fraud alarm upon detection of suspected fraud by any of the fraud detection tests;

correlating the fraud alarms into fraud cases based on common aspects of the fraud alarms; and

automatically responding to certain of the fraud cases.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product for processing event records. The present invention includes a detection layer, an analysis layer, an expert systems layer and a presentation layer. The layered system includes a core infrastructure and a configurable, domain-specific implementation. The detection layer employs one or more detection engines, such as a rules-based thresholding engine and a profiling engine. The detection layer can include an Artificial Intelligence based pattern recognition engine for analyzing data records, for detecting new and interesting patterns and for updating the detection engines to insure that the detection engines can detect the new patterns. In one embodiment, the present invention is implemented as a telecommunications fraud detection system. When fraud is detected, the detection layer generates alarms which are sent to the analysis layer. The analysis layer filters and consolidates the alarms to generate fraud cases. The analysis layer preferably generates a probability of fraud for each fraud case. The expert systems layer receives fraud cases and automatically initiates actions for certain fraud cases. The presentation layer also receives fraud cases for presentation to human analysts. The presentation layer permits the human analysts to initiate additional actions.

76 Citations

View as Search Results

54 Claims

1. A method for detecting fraud in at least one telecommunications network, the method comprising:
- receiving a network event record from the at least one telecommunications network, the network event record being configured in a domain specific format;
  
  reconfiguring at least a first portion of the method for detecting fraud in accordance with the domain specific format;
  
  performing a plurality of types of fraud detection tests on the network event record;
  
  generating a fraud alarm upon detection of suspected fraud by any of the fraud detection tests;
  
  correlating the fraud alarms into fraud cases based on common aspects of the fraud alarms; and
  
  automatically responding to certain of the fraud cases.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 14, 16, 17, 18, 19, 20, 21, 22, 24, 26, 30, 32, 33, 35, 36, 37, 39, 40, 41, 42, 43, 44, 45, 47, 48, 50, 51, 53, 54)
- - 2. The method of claim 1, further comprising the step of normalizing the network event record from the network specific format into a standardized format.
  - 3. The method of claim 1, wherein the domain specific infrastructure performs the step of normalizing.
  - 4. The method of claim 1, wherein the step of performing includes dispatching normalized network event records to a fraud detecting engine.
  - 5. The method of claim 1, wherein the step of performing comprises:
    - selecting a threshold rule from a plurality of threshold rules stored in a threshold rule database; and
      
      determining whether a network event record violates the selected threshold rule.
  - 6. The method of claim 1, wherein the step of updating comprises the steps of analyzing the network event records to identify new methods of fraud;
    - generating new threshold rules for detecting the new methods of fraud; and
      
      updating the threshold rule database with the new threshold rules.
  - 7. The method of claim 5, wherein the step of updating further comprises the steps of:
    - analyzing the network event records to identify new methods of fraud using artificial intelligence;
      
      generating new threshold rules fir detecting the new methods of fraud using artificial intelligence; and
      
      updating the threshold rule database with the new threshold rules.
  - 8. The method of claim 1, wherein the step of performing comprises:
    - selecting a profile from a plurality of profiles stored in a profile database; and
      
      determining whether a network event record violates the profile.
  - 9. The method of claim 1, wherein the step of generating a fraud alarm further comprises the step of prioritizing the fraud cases by assigning a probability of fraud to each of the fraud cases.
  - 10. The method of claim 1, further comprising:
    - presenting the fraud cases to live operators; and
      
      manually responding to certain of the fraud cases based on at least one predetermined criterion.
  - 12. The system of claim 10, wherein the telecommunications system includes a network layer having at least one telecommunications network, a service control layer for managing the network layer and for generating service records containing data representing instances of telecommunications in the network layer, and a data management layer for receiving the service records from various components and processes of the service control layer and for reducing data by eliminating redundancy, and consolidating multiple records into network event records.
  - 14. The system of claim 10, further comprising:
    - a detection system comprised of the core infrastructure and the configurable, domain specific implementation, the detection system being configured to receive network event records from the at least one telecommunications network, to test the network event records for possible fraud, and to generate alarms indicating incidences of suspected fraud;
      
      an analysis system configured to receive alarms generated by the detection system, and consolidate the alarms into fraud cases; and
      
      an expert system comprised of the core infrastructure and the configurable, domain specific implementation to receive fraud cases from the analysis system and to act upon certain of the fraud cases.
  - 16. The system of claim 14, wherein said detection system further comprises:
    - a network event normalizer configured to convert network event records from the network specific format into a standardized format, the standardized format being suitable for processing by said at least one fraud detection engine; and
      
      a dispatcher coupled to the network event normalizer, the dispatcher being configured to dispatch portions of said normalized network event records to said at least one fraud detection engine.
  - 17. The system of claim 14, wherein said at least one fraud detection engine comprises a rulesbased thresholding engine.
  - 18. The system of claim 14, wherein said at least one fraud detection engine comprises:
    - a reconfigurable enhancement module configured to insert external data into the network event records to thereby generate enhanced network event records; and
      
      an informant module configured to couple the reconfigurable enhancement module to an external system, the informant module also being configured to retrieve external data from the external system.
  - 19. The detection system of claim 17, further comprising:
    - an interface component configured to provide an interface between the informant module and the external system in a format native to the external system; and
      
      a rules database comprising instructions for processing the enhanced event records to detect fraud.
  - 20. The system of claim 18, wherein the at least one fraud detection engine includes a rules-based thresholding engine, and the rules database includes threshold rules for use by the rules-based thresholding engine.
  - 21. The system of claim 18, wherein the at least one fraud detection engine includes a profiling engine, and the rules database comprises profiles for use by the profiling engine.
  - 22. The system of claim 14, wherein the detection system further comprises a pattern recognition engine configured to learn new patterns of fraud, the pattern recognition engine being configured to update the at least one fraud detection engine in accordance with the new patterns.
  - 24. The system of claim 22, wherein said analysis system further comprises:
    - an alarm enhancement module configured to augment fraud alarms with external data;
      
      an informant module configured to interface the alarm enhancement module to an external system, the informant module being configured to retrieve the external data from the external system; and
      
      a fraud case builder configured to consolidate the fraud alarms generated by the detection system.
  - 26. The system of claim 24, wherein the user-specific implementation element further comprises:
    - an interface component configured to provide an interface between the informant module and the external system in a format native to the external system; and
      
      an analysis rules database having instructions disposed therein for the fraud case builder, the instructions are configured to filter and correlate fraud alarms into fraud cases according to at least one common attribute.
  - 30. The system of claim 24, further comprising a presentation system configured to receive prioritized fraud cases from the expert system and present the prioritized fraud cases to personnel, the presentation system being comprised of the core infrastructure and the configurable, domain-specific implementation.
  - 32. The system of claim 30, wherein the first external system and the second external system comprise a single external system.
  - 33. The system of claim 30, wherein the user-specific implementation system of the presentation system further comprises:
    - an interface between a reconfigurable first informant module and the first external system, the interface having an interfacing format that is native to the first external system; and
      
      configurable presentation rules configured to provide a presentation of the enhanced, prioritized fraud cases at the workstations.
  - 35. The method of claim 33, further comprising the steps of determining whether the network event record deviates from a selected profile;
    - andgenerating an alarm when the network event record deviates from the selected profile.
  - 36. The method of claim 33, wherein the step of generating an alarm when the network event record violates the selected threshold rule and the step of generating an alarm when the network event record deviates from the selected profile are performed in parallel.
  - 37. The method of claim 33, wherein a threshold rules database and a profile database are provided with updated data when a fraudulent pattern of use is identified.
  - 39. The system according to claim 37, wherein the core infrastructure is implemented as part of a telecommunications fraud detection system, and the configurable, domain-specific implementation comprises:
    - thresholding rules for testing telecommunications network event records; and
      
      fraudulent usage profiles for comparison to telecommunications network event records.
  - 40. The system according to claim 37, wherein the core infrastructure is implemented as part of a credit card fraud detection system and said configurable, domain-specific implementation comprises:
    - thresholding rules for testing credit card event records; and
      
      fraudulent usage profiles for comparison to credit card event records.
  - 41. The system according to claim 37, wherein said core infrastructure is implemented as part of a data mining system and said configurable, domain-specific implementation comprises:
    - thresholding rules for testing data mining event records; and
      
      fraudulent usage profiles for comparison to data mining event records.
  - 42. The system according to claim 37, wherein said core infrastructure is implemented as part of a consumer purchasing pattern analysis system and said configurable, domain specific implementation comprises:
    - thresholding rules for testing consumer purchasing event records; and
      
      fraudulent usage profiles for comparison to consumer purchasing event records.
  - 43. The system according to claim 37, further comprising:
    - a detection system that detects and normalizes event records, dispatches event records to one or more detection engines, and generates alarms when an event record meets a predetermined condition;
      
      an analysis system that receives alarms from the detection system, consolidates the received alarms into fraud cases based upon common traits of the alarms; and
      
      an expert system that receives the fraud cases from the analysis system, and performs an action in selected fraud cases.
  - 44. The system according to claim 42, wherein the detection system further comprises a vector generation module configured to generate feature vectors corresponding to multiple occurrences of an event feature.
  - 45. The system according to claim 43, further comprising a presentation system that receives cases from the detection system, and presents the received cases to system personnel, the presentation system also being configured to receive commands from the system personnel and transmit instructions to external action systems, the external action systems being directed to take actions based upon the commands.
  - 47. The method of claim 45, wherein the product is for use in a scalable core infrastructure with user-specific implementation rules.
  - 48. The method of claim 45, further comprising:
    - presenting a fraud case to personnel, the fraud case including correlated alarms; and
      
      manually initiating a response to a selected fraud case.
  - 50. The data processing system according to claim 48, further comprising a presentation component coupled to the prioritizing component and configured to present the ordered aggregated structures to personnel.
  - 51. The data processing system according to claim 48, further comprising an expert system coupled to the prioritizing component and configured to automatically take an appropriate action based upon the ordered aggregated structures.
  - 53. The data processing method according to claim 51, further comprising presenting the prioritized aggregated structures to human personnel.
  - 54. The data processing method according to claim 51, further comprising automatically taking the appropriate action based upon the prioritized aggregated structures.

11. A fraud detection system for use with a telecommunications system, the telecommunications system including at least one type of communications network, the at least one type of telecommunications network being configured to generate network event records in a network specific format, each network event record being generated in response to an event occurring in the telecommunications network, the fraud detection system comprising:
- a domain specific infrastructure configured to receive network event records from the at least one type of telecommunications network, the domain specific infrastructure being dynamically reconfigurable to operate in accordance with a domain specific implementation of the at least one type of communications network, the domain specific infrastructure also being reconfigurable by way of user-specific implementation rules, a core, infrastructure being non-domain specific, wherein the domain specific infrastructure and the core infrastructure operate in unison to detect an occurrence of fraud, and to perform a fraud prevention action in response thereto.
- View Dependent Claims (13, 15, 23, 25, 27, 28, 29, 31)
- - 13. The system of claim 11, wherein the at least one telecommunications network includes a global/Inter-exchange carrier PSTN network.
  - 15. The system of claim 13, wherein said detection system further comprises at least one fraud detection engine comprised of the core infrastructure and the configurable, domain specific implementation.
  - 23. The system of claim 13, wherein the analysis system is comprised of the core infrastructure and the configurable, domain-specific implementation.
  - 25. The system of claim 23, wherein the analysis system includes a user-specific implementation element.
  - 27. The system of claim 25, wherein said at least one common attribute includes at least one of an ANI, originating switch, a credit card number, a DNIS, a destination country, an originating geographic area, an originating area code, and/or a calling equipment type.
  - 28. The system of claim 25, wherein the domain-specific implementation of the expert system comprises:
    - a prioritization module configured to generate enhanced fraud cases, prioritize the enhanced fraud cases, and direct an external action system to implement the fraud prevention action fir selected prioritized, enhanced fraud cases;
      
      an informant module configured to provide an interface between the alarm enhancement module and an external system, the informant module also being configured to retrieve the external data from the external system; and
      
      an enforcement module configured to provide an interface between the prioritization module and an external action system, the enforcement module being configured to direct the external action system to execute the fraud prevention action based upon commands that are generated by the prioritization module.
  - 29. The system of claim 27, wherein the user-specific implementation system of the expert system includes a configuration database, the configuration database comprising:
    - an interface between the informant module and the external system, the interface being in a format native to the external system; and
      
      prioritizing rules configured to be suitable for use by the prioritization module.
  - 31. The system of claim 29, wherein the domain-specific implementation of the presentation system comprises:
    - a reconfigurable case enhancement module configured to enhance a prioritized fraud case with data;
      
      a reconfigurable presentation interface configured to distribute the enhanced, prioritized fraud cases to one or more workstations, the reconfigurable presentation interface also being configured to send action commands generated at the workstations to an external action system;
      
      a reconfigurable first informant module configured to provide an interface between the reconfigurable case enhancement module and a first external system, the reconfigurable first informant module also being configured to retrieve data from the first external system;
      
      a reconfigurable second informant module configured to provide an interface between the reconfigurable presentation interface and a second external system, the reconfigurable second informant module also being configured to retrieve data from the second external system based upon commands generated at the workstations; and
      
      a reconfigurable enforcement module configured to provide an interface between the workstations, via said presentation interface, and the external action system, the reconfigurable enforcement module being configured to direct the external action system to execute the fraud prevention action based upon commands that are generated at the workstations.

34. A method for preventing fraud in a telecommunications system including at least one telephone network, the method being performed in system comprising a scalable, nondomain specific core infrastructure and a user-configurable, domain-specific implementation corresponding to the at least one telephone network, the method comprising the steps of analyzing historical network event records to identify normal and fraudulent patterns, and generate fraudulent usage profiles and threshold rules based on the analysis;
- determining whether a network event record violates a selected threshold rule by comparing the network event record with a selected fraudulent usage profile, the network event record being based on a real time event; and
  
  generating an alarm when the network event record violates the selected threshold rule.

38. A system for processing event records generated by a telecommunications system, the event records being generated in response to an event occurring in the telecommunications system in accordance with a specific format, the system comprising:
- a scalable core infrastructure configured to implement each event record processing application without requiring an alteration to the core infrastructure; and
  
  a configurable, domain-specific implementation coupled to the scalable core infrastructure, the configurable, domain-specific implementation including configurable rules adapted to the specific format.

46. A computer readable product having computer readable instructions for performing a method for processing network event records, the method comprising:
- generating an alarm if a network event record includes data that deviates from a selected profile;
  
  correlating each alarm, whereby the alarm is assigned to a category based on predetermined criteria; and
  
  responding to selected alarms based on the categories of the selected alarms.

49. A data processing system comprising:
- a normalizing component configured to accept data arranged in any one of a plurality of formats, and arrange and filter the data into a predetermined format;
  
  a data enhancement component coupled to the normalizing component, the data enhancement component being configured to generate enhanced data, the enhanced data including external data or additional information derived from the data;
  
  an identifier component coupled to the data enhancement component, the identifier component being configured to identify predetermined patterns in the enhanced data;
  
  a correlator coupled to the identifier component and configured to correlate and consolidate the enhanced data based upon predetermined criteria, the correlator being configured to obtain additional information from external sources to generate aggregated structures; and
  
  a prioritizing component coupled to the correlator and configured to prioritize the aggregated structures in a suitable order for subsequent processing.

52. A data processing method comprising:
- receiving data arranged in one of a plurality of formats;
  
  converting the data from the one of a plurality of formats into a predetermined format;
  
  filtering the data;
  
  deriving additional attributes from the data in the predetermined format to thereby create enhanced data;
  
  filtering the enhanced data to identify predetermined patterns in the enhanced data;
  
  correlating and consolidating the filtered enhanced data based upon predetermined criteria;
  
  obtaining external data from external sources to generate aggregated structures; and
  
  prioritizing the aggregated structures for subsequent processing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
MCI Incorporated (Verizon Communications Inc.)
Inventors
Mahone, Saralyn M., Paul, Kevin, Gavan, John, Arkel, Hans Van, Curtis, Terrill J., Richards, Jim, Herrington, Cheryl, Wagner, James J., Dallas, Charles A.
Primary Examiner(s)
STARKS, WILBERT L

Application Number

US10/657,328
Publication Number

US 20050075992A1
Time in Patent Office

1,121 Days
Field of Search

706/10, 706/47, 379/114.14
US Class Current

706/47
CPC Class Codes

G06Q 20/4016   involving fraud or risk lev...

H04J 3/175   Speech activity or inactivi...

H04L 41/0604   using filtering, e.g. reduc...

H04L 41/0631   using root cause analysis; ...

H04L 41/16   using machine learning or a...

H04M 15/00   Arrangements for metering, ...

H04M 15/08   Metering calls to called pa...

H04M 15/47   Fraud detection or preventi...

H04M 2215/0148   Fraud detection or preventi...

H04M 2215/62   Called party billing, e.g. ...

H04M 3/2218   Call detail recording

H04M 3/36   Statistical metering, e.g. ...

H04Q 3/0062   Provisions for network mana...

System, method and computer program product for processing event records

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

76 Citations

54 Claims

Specification

Use Cases

Quick Links

Others

System, method and computer program product for processing event records

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

76 Citations

54 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others