System, method and computer program product for processing event records
Abstract
A system, method and computer program product for processing event records. The present invention includes a detection layer, an analysis layer, an expert systems layer and a presentation layer. The layered system includes a core infrastructure and a configurable, domain-specific implementation. The detection layer employs one or more detection engines, such as a rules-based thresholding engine and a profiling engine. The detection layer can include an Artificial Intelligence based pattern recognition engine for analyzing data records, for detecting new and interesting patterns and for updating the detection engines to ensure that the detection engines can detect the new patterns. In one embodiment, the present invention is implemented as a telecommunications fraud detection system. When fraud is detected, the detection layer generates alarms which are sent to the analysis layer. The analysis layer filters and consolidates the alarms to generate fraud cases. The analysis layer preferably generates a probability of fraud for each fraud case. The expert systems layer receives fraud cases and automatically initiates actions for certain fraud cases. The presentation layer also receives fraud cases for presentation to human analysts. The presentation layer permits the human analysts to initiate additional actions.
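The layered flow the abstract describes (format-specific normalization, threshold tests that raise alarms, consolidation of alarms into scored cases, automatic action on some cases) is shown below as an added Python example; it is not code from the patent. The record formats, field names, rules, weights, scoring formula and action threshold are all assumptions constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample events in two assumed domain-specific formats.
SAMPLE_EVENTS = [
    {"fmt": "switch", "orig": "555-0101", "dest": "+999-555-0001", "secs": 4200},
    {"fmt": "switch", "orig": "555-0101", "dest": "+999-555-0002", "secs": 3900},
    {"fmt": "card", "card_no": "C-17", "called": "+1-212-555-0199", "duration_s": 60},
    {"fmt": "card", "card_no": "C-17", "called": "+999-555-0003", "duration_s": 5000},
    {"fmt": "switch", "orig": "555-0142", "dest": "+1-303-555-0100", "secs": 120},
]

# Domain-specific implementation: per-format field mapping (assumed names).
NORMALIZERS = {
    "switch": lambda e: {"account": e["orig"], "dest": e["dest"], "secs": e["secs"]},
    "card": lambda e: {"account": e["card_no"], "dest": e["called"], "secs": e["duration_s"]},
}

# Configurable threshold rules: (alarm type, predicate, assumed weight).
RULES = [
    ("long_call", lambda r: r["secs"] > 3600, 0.4),
    ("hot_destination", lambda r: r["dest"].startswith("+999"), 0.3),
]

def detect(record):
    """Detection layer: run every test, emit one alarm per violated rule."""
    return [{"account": record["account"], "type": name, "weight": w}
            for name, test, w in RULES if test(record)]

def correlate(alarms):
    """Analysis layer: consolidate alarms sharing an account into cases."""
    by_account = defaultdict(list)
    for a in alarms:
        by_account[a["account"]].append(a)
    cases = []
    for account, group in by_account.items():
        # Assumed score 1 - prod(1 - weight), standing in for "probability of fraud".
        p_clean = math.prod(1.0 - a["weight"] for a in group)
        cases.append({"account": account, "alarms": len(group),
                      "score": round(1 - p_clean, 3)})
    return sorted(cases, key=lambda c: c["score"], reverse=True)

def run(events, auto_threshold=0.8):
    """Core flow: normalize, detect, correlate, then pick a response per case."""
    alarms = [a for e in events for a in detect(NORMALIZERS[e["fmt"]](e))]
    cases = correlate(alarms)
    for c in cases:
        # Expert-systems layer: act automatically only on high-score cases.
        c["action"] = "auto_block" if c["score"] >= auto_threshold else "analyst_review"
    return cases
```

Supporting a new record format only requires another `NORMALIZERS` entry; `detect`, `correlate` and `run` stay unchanged, which is the core/domain-specific split the abstract draws.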
54 Claims
1. A method for detecting fraud in at least one telecommunications network, the method comprising:
receiving a network event record from the at least one telecommunications network, the network event record being configured in a domain specific format;
reconfiguring at least a first portion of the method for detecting fraud in accordance with the domain specific format;
performing a plurality of types of fraud detection tests on the network event record;
generating a fraud alarm upon detection of suspected fraud by any of the fraud detection tests;
correlating the fraud alarms into fraud cases based on common aspects of the fraud alarms; and
automatically responding to certain of the fraud cases.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 14, 16, 17, 18, 19, 20, 21, 22, 24, 26, 30, 32, 33, 35, 36, 37, 39, 40, 41, 42, 43, 44, 45, 47, 48, 50, 51, 53, 54

11. A fraud detection system for use with a telecommunications system, the telecommunications system including at least one type of communications network, the at least one type of telecommunications network being configured to generate network event records in a network specific format, each network event record being generated in response to an event occurring in the telecommunications network, the fraud detection system comprising:
a domain specific infrastructure configured to receive network event records from the at least one type of telecommunications network, the domain specific infrastructure being dynamically reconfigurable to operate in accordance with a domain specific implementation of the at least one type of communications network, the domain specific infrastructure also being reconfigurable by way of user-specific implementation rules, a core infrastructure being non-domain specific, wherein the domain specific infrastructure and the core infrastructure operate in unison to detect an occurrence of fraud, and to perform a fraud prevention action in response thereto.
Dependent claims: 13, 15, 23, 25, 27, 28, 29, 31

34. A method for preventing fraud in a telecommunications system including at least one telephone network, the method being performed in a system comprising a scalable, nondomain specific core infrastructure and a user-configurable, domain-specific implementation corresponding to the at least one telephone network, the method comprising the steps of:
analyzing historical network event records to identify normal and fraudulent patterns, and generate fraudulent usage profiles and threshold rules based on the analysis;
determining whether a network event record violates a selected threshold rule by comparing the network event record with a selected fraudulent usage profile, the network event record being based on a real time event; and
generating an alarm when the network event record violates the selected threshold rule.

38. A system for processing event records generated by a telecommunications system, the event records being generated in response to an event occurring in the telecommunications system in accordance with a specific format, the system comprising:
a scalable core infrastructure configured to implement each event record processing application without requiring an alteration to the core infrastructure; and
a configurable, domain-specific implementation coupled to the scalable core infrastructure, the configurable, domain-specific implementation including configurable rules adapted to the specific format.

46. A computer readable product having computer readable instructions for performing a method for processing network event records, the method comprising:
generating an alarm if a network event record includes data that deviates from a selected profile;
correlating each alarm, whereby the alarm is assigned to a category based on predetermined criteria; and
responding to selected alarms based on the categories of the selected alarms.

49. A data processing system comprising:
a normalizing component configured to accept data arranged in any one of a plurality of formats, and arrange and filter the data into a predetermined format;
a data enhancement component coupled to the normalizing component, the data enhancement component being configured to generate enhanced data, the enhanced data including external data or additional information derived from the data;
an identifier component coupled to the data enhancement component, the identifier component being configured to identify predetermined patterns in the enhanced data;
a correlator coupled to the identifier component and configured to correlate and consolidate the enhanced data based upon predetermined criteria, the correlator being configured to obtain additional information from external sources to generate aggregated structures; and
a prioritizing component coupled to the correlator and configured to prioritize the aggregated structures in a suitable order for subsequent processing.

52. A data processing method comprising:
receiving data arranged in one of a plurality of formats;
converting the data from the one of a plurality of formats into a predetermined format;
filtering the data;
deriving additional attributes from the data in the predetermined format to thereby create enhanced data;
filtering the enhanced data to identify predetermined patterns in the enhanced data;
correlating and consolidating the filtered enhanced data based upon predetermined criteria;
obtaining external data from external sources to generate aggregated structures; and
prioritizing the aggregated structures for subsequent processing.

Specification