Fraud protection using business process-based customer intent analysis

US 8,082,349 B1
Filed: 10/17/2006
Issued: 12/20/2011
Est. Priority Date: 10/21/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

storing a set of one or more business signatures, wherein each business signature specifies a pattern that indicates a business activity involving a user and one or more network-enabled applications;

monitoring information that is generated by at least a particular user'"'"'s interactions in a particular session with said one or more network-enabled applications;

detecting, based on said information, that a particular business activity, in the particular session, involving the particular user of at least one of said one or more network-enabled applications matches a particular signature of said set of one or more business signatures;

in response to said detecting that the particular business activity matches the particular signature, performing;

identifying a fraud rule associated with the particular signature;

evaluating said fraud rule, wherein the evaluating of the fraud rule is based on historical information that represents a prior pattern of behavior of said particular user prior to said particular session; and

based on said evaluating, determining to respond to said particular business activity in a first manner responsive to the fraud rule being satisfied and in a second manner responsive to the fraud rule not being satisfied, wherein the first manner is different than the second manner;

wherein at least the steps of monitoring, detecting, and evaluating are performed by one or more computing devices.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Online fraud is reduced by identifying suspicious activities in real time and providing alerting so that interdiction may be performed. Historical customer behavior is used to identify and flag deviations in activity patterns. An HTTP data stream is parsed, intelligently filtered, and key data is extracted in real time. The key data is periodically extracted from network traffic and used to update corresponding summaries stored in a fraud data mart. The data mart is constantly incrementally updated so that the most current historical information is available to a rules engine for real time comparison with new customer data and patterns occurring on the network. Fraud-related business signatures are applied to this data stream and/or a data mart to identify suspicious online transactions. By understanding the customer session, the customer'"'"'s intended use of the online application is derived and possible fraudulent activities identified.

122 Citations

View as Search Results

22 Claims

1. A method comprising:
- storing a set of one or more business signatures, wherein each business signature specifies a pattern that indicates a business activity involving a user and one or more network-enabled applications;
  
  monitoring information that is generated by at least a particular user'"'"'s interactions in a particular session with said one or more network-enabled applications;
  
  detecting, based on said information, that a particular business activity, in the particular session, involving the particular user of at least one of said one or more network-enabled applications matches a particular signature of said set of one or more business signatures;
  
  in response to said detecting that the particular business activity matches the particular signature, performing;
  
  identifying a fraud rule associated with the particular signature;
  
  evaluating said fraud rule, wherein the evaluating of the fraud rule is based on historical information that represents a prior pattern of behavior of said particular user prior to said particular session; and
  
  based on said evaluating, determining to respond to said particular business activity in a first manner responsive to the fraud rule being satisfied and in a second manner responsive to the fraud rule not being satisfied, wherein the first manner is different than the second manner;
  
  wherein at least the steps of monitoring, detecting, and evaluating are performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the first manner comprises one or more of:
    - generating an alert associated at least with said particular business activity;
      
      generating a fraud risk rating associated with said particular business activity;
      
      generating a fraud risk rating associated with said particular user.
  - 3. The method of claim 1, wherein the second manner comprises performing no additional action in response to the particular business activity matching the particular business signature.
  - 4. The method of claim 1, wherein the pattern of behavior of said particular user prior to said particular session is a pattern of activities that are similar to the particular business activity being performed by said particular user during the particular session.
  - 5. The method of claim 1, wherein the pattern of behavior of said particular user prior to said particular session is a pattern of activities performed by said particular user during one or more sessions with the one or more network-enabled applications prior to the particular session with the one or more network-enabled applications.
  - 6. The method of claim 1,wherein said monitoring comprises:
    - generating, based on said information, first data regarding the particular user'"'"'s interactions in the particular session with said one or more network-enabled applications;
      
      storing said first data in a first database;
      
      wherein the method further comprises;
      
      transforming the first data stored in said first database into summary data; and
      
      storing said summary dataas part of historical information to be used for evaluation of said fraud rule during a session after the particular session.
  - 7. The method of claim 6, further comprising:
    - in response to storing said summary data, updating one or more indexes that index said one or more summary tables if the one or more indexes are affected by said summary data.
  - 8. The method of claim 1, further comprising:
    - in response to said detecting, storing first data in a cache, wherein said first data is generated based on said information and said first data is regarding said particular business activity in the particular session;
      
      wherein said evaluating comprises comparing said particular business activity in the particular session with second data stored in said cache, wherein the second data is different than the first data.
  - 9. The method of claim 8, wherein said second data comprises data generated based on monitored information regarding other business activities performed with said one or more network-enabled applications during one or more sessions prior to said particular session.
  - 10. The method of claim 1,wherein the pattern indicating the business activity is a pattern in network traffic;
    - wherein monitoring the information comprises monitoring network traffic; and
      
      wherein detecting that the particular business activity matches the particular signature comprises detecting the pattern in the network traffic.
  - 11. The method of claim 1, further comprising:
    - generating summary profile data for the particular user based on monitored information from the particular user'"'"'s interactions in one or more sessions prior to the particular session with said one or more network-enabled applications;
      
      wherein detecting that the particular business activity matches the particular business signature is performed in real-time or near real-time relative to the particular business activity, during the particular session, but subsequent to generating the summary profile data;
      
      wherein the historical information upon which evaluation of the fraud rule is based is the summary profile data.

12. One or more non-transitory computer-readable storage media storing instructions that, when executed by one or more computing devices, cause performance of:
- storing a set of one or more business signatures, wherein each business signature specifies a pattern that indicates a business activity involving a user and one or more network-enabled applications;
  
  monitoring information that is generated by at least a particular user'"'"'s interactions in a particular session with said one or more network-enabled applications;
  
  detecting, based on said information, that a particular business activity, in the particular session, involving the particular user of at least one of said one or more network-enabled applications matches a particular signature of said set of one or more business signatures;
  
  in response to said detecting that the particular business activity matches the particular signature, performing;
  
  identifying a fraud rule associated with the particular signature;
  
  evaluating said fraud rule, wherein the evaluating of the fraud rule is based on historical information that represents a pattern of behavior of said particular user prior to said particular session; and
  
  based on said evaluating, determining to respond to said particular business activity in a first manner responsive to the fraud rule being satisfied and in a second manner responsive to the fraud rule not being satisfied, wherein the first manner is different than the second manner.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. One or more non-transitory computer-readable storage media as recited in claim 12, wherein the first manner comprises one or more of:
    - generating an alert associated at least with said particular business activity;
      
      generating a fraud risk rating associated with said particular business activity;
      
      generating a fraud risk rating associated with said particular user.
  - 14. One or more non-transitory computer-readable storage media as recited in claim 12, wherein the second manner comprises performing no additional action in response to the particular business activity matching the particular business signature.
  - 15. One or more non-transitory computer-readable storage media as recited in claim 12, wherein the pattern of behavior of said particular user prior to said particular session is a pattern of activities that are similar to the particular business activity being performed by said particular user during the particular session.
  - 16. One or more non-transitory computer-readable storage media as recited in claim 12, wherein the pattern of behavior of said particular user prior to said particular session is a pattern of activities performed by said particular user during one or more sessions with the one or more network-enabled applications prior to the particular session with the one or more network-enabled applications.
  - 17. One or more non-transitory computer-readable storage media as recited in claim 12, wherein the instructions, when executed by one or more computing devices, cause monitoring by:
    - generating, based on said information, first data regarding the particular user'"'"'s interactions in the particular session with said one or more network-enabled applications;
      
      storing said first data in a first database;
      
      wherein the instructions, when executed by one or more computing devices, further cause performance of;
      
      transforming the first data stored in said first database into summary data; and
      
      storing said summary data as part of historical information to be used for evaluation of said fraud rule during a session after the particular session.
  - 18. One or more non-transitory computer-readable storage media as recited in claim 17, wherein the instructions, when executed by one or more computing devices, further cause performance of:
    - in response to storing said summary data, updating one or more indexes that index said one or more summary tables if the one or more indexes are affected by said summary data.
  - 19. One or more non-transitory computer-readable storage media as recited in claim 12, wherein the instructions, when executed by one or more computing devices, further cause performance of:
    - in response to said detecting, storing first data in a cache, wherein said first data is generated based on said information and said first data is regarding said particular business activity in the particular session;
      
      wherein said evaluating comprises comparing said particular business activity in the particular session with second data stored in said cache, wherein the second data is different than the first data.
  - 20. One or more non-transitory computer-readable storage media as recited in claim 19, wherein said second data comprises data generated based on monitored information regarding other business activities performed with said one or more network-enabled applications during one or more sessions prior to said particular session.
  - 21. One or more non-transitory computer-readable storage media as recited in claim 12,wherein the pattern indicating the business activity is a pattern in network traffic;
    - wherein monitoring the information comprises monitoring network traffic; and
      
      wherein detecting that the particular business activity matches the particular signature comprises detecting the pattern in the network traffic.
  - 22. One or more non-transitory computer-readable storage media as recited in claim 12, wherein the instructions, when executed by one or more computing devices, further cause performance of:
    - generating summary profile data for the particular user based on monitored information from the particular user'"'"'s interactions in one or more sessions prior to the particular session with said one or more network-enabled applications;
      
      wherein detecting that the particular business activity matches the particular business signature is performed in real-time or near real-time relative to the particular business activity, during the particular session, but subsequent to generating the summary profile data;
      
      wherein the historical information upon which evaluation of the fraud rule is based is the summary profile data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Entrust Corp.
Original Assignee
Entrust Incorporated (Entrust Corp.)
Inventors
Relan, Peter, Faulkner, Roger, Feldman, Ben, Bhargava, Sunil
Primary Examiner(s)
NGUYEN, PHUOC H

Application Number

US11/582,739
Time in Patent Office

1,890 Days
Field of Search

709/203, 709/217, 709/227
US Class Current

709/227
CPC Class Codes

G06Q 30/0185 Product, service or busines...

H04L 63/1416 Event detection, e.g. attac...

Fraud protection using business process-based customer intent analysis

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

122 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

Fraud protection using business process-based customer intent analysis

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

122 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others