System and method for detecting and managing fraud

US 9,390,418 B2
Filed: 08/18/2008
Issued: 07/12/2016
Est. Priority Date: 04/21/1995
Status: Expired due to Fees

First Claim

Patent Images

1. A method performed by one or more servers, the method comprising:

generating, by one or more servers, a first event record for one or more telephone calls handled by one or more telecommunications systems in one or more networks;

applying, by the one or more servers and using a first fraud detection test, a first fraud detection rule, of a plurality of fraud detection rules, to the first event record,the first event record being of an account and corresponding to information associated with suspected fraud at a first time;

generating, by the one or more servers and based on applying the first fraud detection rule, a first fraud alarmgenerating, by the one or more servers, a second event record for the one or more telephone calls handled by the one or more telecommunications systems in the one or more networks,the second event record being of the account and corresponding to the information associated with the suspected fraud at a second time;

applying, by the one or more servers and using a second fraud detection test, a dynamically reconfigured fraud detection rule, of a plurality of dynamically reconfigured fraud detection rules, to the second event record;

generating, by the one or more servers and based on applying the dynamically reconfigured fraud detection rule, a second fraud alarm,the second fraud alarm being different than the first fraud alarm;

obtaining, by the one or more servers, first information from a plurality of devices;

obtaining, by the one or more servers, an enhanced first fraud alarm by enhancing the first fraud alarm based on the first information,the first information being based on a first type of alarm associated with the first fraud alarm, andthe first information including additional information and information indicating how the additional information is to be added to the first fraud alarm to obtain the enhanced first fraud alarm;

obtaining, by the one or more servers, second information from the plurality of devices;

obtaining, by the one or more servers, an enhanced second fraud alarm by enhancing the second fraud alarm based on the second information,the second information being based on a second type of alarm associated with the second fraud alarm, andthe second information including other information and information indicating how the other information is to be added to the second fraud alarm to obtain the enhanced second fraud alarm;

correlating, by the one or more servers, the enhanced first fraud alarm with the enhanced second fraud alarm into a fraud case for the account; and

instituting, by the one or more servers one or more switch-based automatic number identification (ANI) blocks based on correlating the enhanced first fraud alarm with the enhanced second fraud alarm.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product for processing event records. The present invention includes a detection layer, an analysis layer, an expert systems layer and a presentation layer. The layered system includes a core infrastructure and a configurable, domain-specific implementation. The detection layer employs one or more detection engines, such as, for example, a rules-based thresholding engine and a profiling engine. The detection layer can include an AI-based pattern recognition engine for analyzing data records, for detecting new and interesting patterns and for updating the detection engines to insure that the detection engines can detect the new patterns. In one embodiment, the present invention is implemented as a telecommunications fraud detection system. When fraud is detected, the detection layer generates alarms which are sent to the analysis layer. The analysis layer filters and consolidates the alarms to generate fraud cases. The analysis layer preferably generates a probability of fraud for each fraud case. The expert systems layer receives fraud cases and automatically initiates actions for certain fraud cases. The presentation layer also receives fraud cases for presentation to human analysts. The presentation layer permits the human analysts to initiate additional actions.

Citations

20 Claims

1. A method performed by one or more servers, the method comprising:
- generating, by one or more servers, a first event record for one or more telephone calls handled by one or more telecommunications systems in one or more networks;
  
  applying, by the one or more servers and using a first fraud detection test, a first fraud detection rule, of a plurality of fraud detection rules, to the first event record,the first event record being of an account and corresponding to information associated with suspected fraud at a first time;
  
  generating, by the one or more servers and based on applying the first fraud detection rule, a first fraud alarmgenerating, by the one or more servers, a second event record for the one or more telephone calls handled by the one or more telecommunications systems in the one or more networks,the second event record being of the account and corresponding to the information associated with the suspected fraud at a second time;
  
  applying, by the one or more servers and using a second fraud detection test, a dynamically reconfigured fraud detection rule, of a plurality of dynamically reconfigured fraud detection rules, to the second event record;
  
  generating, by the one or more servers and based on applying the dynamically reconfigured fraud detection rule, a second fraud alarm,the second fraud alarm being different than the first fraud alarm;
  
  obtaining, by the one or more servers, first information from a plurality of devices;
  
  obtaining, by the one or more servers, an enhanced first fraud alarm by enhancing the first fraud alarm based on the first information,the first information being based on a first type of alarm associated with the first fraud alarm, andthe first information including additional information and information indicating how the additional information is to be added to the first fraud alarm to obtain the enhanced first fraud alarm;
  
  obtaining, by the one or more servers, second information from the plurality of devices;
  
  obtaining, by the one or more servers, an enhanced second fraud alarm by enhancing the second fraud alarm based on the second information,the second information being based on a second type of alarm associated with the second fraud alarm, andthe second information including other information and information indicating how the other information is to be added to the second fraud alarm to obtain the enhanced second fraud alarm;
  
  correlating, by the one or more servers, the enhanced first fraud alarm with the enhanced second fraud alarm into a fraud case for the account; and
  
  instituting, by the one or more servers one or more switch-based automatic number identification (ANI) blocks based on correlating the enhanced first fraud alarm with the enhanced second fraud alarm.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, where, correlating the enhanced first fraud alarm with the enhanced second fraud alarm includes:
    - correlating the enhanced first fraud alarm with the enhanced second fraud alarm based on common aspects of the first fraud alarm and the second fraud alarm.
  - 3. The method of claim 1, where generating the first fraud alarm includes:
    - conforming the first event record to a particular format by normalizing the first event record.
  - 4. The method of claim 1, where, when generating the first fraud alarm includes:
    - enhancing the first event record to include data obtained from at least one external source.
  - 5. The method of claim 1, where, generating the first fraud alarm includes:
    - comparing at least a portion of the first event record to a profile detection rule, andgenerating the first fraud alarm when the first event record violates the profile detection rule.
  - 6. The method of claim 5, where the profile detection rule includes at least one of:
    - a normal usage profile, ora fraudulent usage profile.
  - 7. The method of claim 5, where the profile detection rule is based on historical network event records.
  - 8. The method of claim 1, further comprising:
    - assigning a priority to the fraud case; and
      
      performing a fraud prevention action based on the priority.

9. A non-transitory computer-readable medium storing instructions executable by one or more processors, the instructions comprising:
- one or more instructions that, when executed by the one or more processors, cause the one or more processors to;
  
  generate a first event record for one or more telephone calls handled by one or more telecommunications systems in one or more networks;
  
  apply, using a first fraud detection test, a first fraud detection rule of a plurality of fraud detection rules to the first event record,the first event record being of an account and corresponding to information associated with suspected fraud at a first time;
  
  generate, based on applying the first fraud detection rule, a first fraud alarm;
  
  generate a second event record for the one or more telephone calls handled by the one or more telecommunications systems in the one or more networks,the second event record being of the account and corresponding to the information associated with the suspected fraud at a second time;
  
  apply, using a second fraud detection test, a dynamically reconfigured fraud detection rule, of a plurality of dynamically reconfigured fraud detection rules, to the second event record;
  
  generate, based on applying the dynamically reconfigured fraud detection rule, a second fraud alarm,the second fraud alarm being different than the first fraud alarm;
  
  obtain first information from a plurality of devices;
  
  obtain an enhanced first fraud alarm by enhancing the first fraud alarm based on the first information,the first information being based on a first type of alarm associated with the first fraud alarm, andthe first information including additional information and information indicating how the additional information is to be added to the first fraud alarm to obtain the enhanced first fraud alarm;
  
  obtain second information from the plurality of devices;
  
  obtain an enhanced second fraud alarm by enhancing the second fraud alarm based on the second information,the second information being based on a second type of alarm associated with the second fraud alarm, andthe second information including other information and information indicating how the other information is to be added to the second fraud alarm to obtain the enhanced second fraud alarm;
  
  correlate the enhanced first fraud alarm with the enhanced second fraud alarm into a fraud case for the account; and
  
  institute one or more switch-based automatic number identification (ANI) blocks based on correlating the enhanced first fraud alarm with the enhanced second fraud alarm.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non-transitory computer-readable medium of claim 9, where the one or more instructions that cause the one or more processors to correlate the enhanced first fraud alarm with the enhanced second fraud alarm include one or more instructions to cause the one or more processors to:
    - correlate the enhanced first fraud alarm with the enhanced second fraud alarm based on common aspects of the first fraud alarm and the second fraud alarm.
  - 11. The non-transitory computer-readable medium of claim 9, where the one or more instructions to cause the one or more processors to generate the first fraud alarm include one or more instructions to cause the one or more processors to:
    - conform the first event record to a predetermined format by normalizing the first event record.
  - 12. The non-transitory computer-readable medium of claim 9, where the one or more instructions to cause the one or more processors to generate the first fraud alarm include one or more instructions to cause the one or more processors to:
    - enhance the first event record to include data obtained from at least one external source.
  - 13. The non-transitory computer-readable medium of claim 9, where the one or more instructions to cause the one or more processors to generate the first fraud alarm include one or more instructions to cause the one or more processors to:
    - compare at least a portion of the first event record to a profile detection rule, andgenerate the first fraud alarm when the first event record violates the profile detection rule.
  - 14. The non-transitory computer-readable medium of claim 13, where the profile detection rule includes at least one of:
    - a normal usage profile, ora fraudulent usage profile.
  - 15. The non-transitory computer-readable medium of claim 13, where the profile detection rule is based on historical network event records.
  - 16. The non-transitory computer-readable medium of claim 9, where the instructions further include:
    - one or more instructions to cause the one or more processors to assign a priority to the fraud case; and
      
      one or more instructions to perform a fraud prevention action based on the priority.

17. A system comprising:
- one or more processors; and
  
  a memory, coupled to the one or more processors, comprising program instructions that, responsive to execution by the one or more processors, cause the one or more processors to;
  
  generate a first event record associated with one or more telephone calls handled by one or more telecommunications systems in one or more networks;
  
  apply, using a first fraud detection test, a first fraud detection rule of a plurality of fraud detection rules to the first event record,the first event record being of an account and corresponding to information associated with suspected fraud at a first time;
  
  generate, based on applying the first fraud detection rule, a first fraud alarm;
  
  generate a second event record associated with the one or more telephone calls handled by the one or more telecommunications systems in the one or more networks,the second event record being of the account and corresponding to the information associated with the suspected fraud at a second time;
  
  apply, using a second fraud detection test, a dynamically reconfigured fraud detection rule, of a plurality of dynamically reconfigured fraud detection rules, to the second event record;
  
  generate, based on applying the dynamically reconfigured fraud detection rule, a second fraud alarm,the second fraud alarm being different than the first fraud alarm;
  
  obtain first information from a plurality of devices;
  
  obtain an enhanced first fraud alarm by enhancing the first fraud alarm based on the first information,the first information being based on a first type of alarm associated with the first fraud alarm, andthe first information including additional information and information indicating how the additional information is to be added to the first fraud alarm to obtain the enhanced first fraud alarm;
  
  obtain second information from the plurality of devices;
  
  obtain an enhanced second fraud alarm by enhancing the second fraud alarm based on the second information,the second information being based on a second type of alarm associated with the second fraud alarm, andthe second information including other information and information indicating how the other information is to be added to the second fraud alarm to obtain the enhanced second fraud alarm;
  
  correlate the enhanced first fraud alarm with the enhanced second fraud alarm into a fraud case for the account; and
  
  institute one or more switch-based automatic number identification (ANI) blocks based on correlating the enhanced first fraud alarm with the enhanced second fraud alarm.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherethe one or more processors, when correlating the enhanced first fraud alarm with the enhanced second fraud alarm, are to:
    - correlate the enhanced first fraud alarm with the enhanced second fraud alarm based on common aspects of the first fraud alarm and the second fraud alarm, andthe one or more processors, when generating the first fraud alarm, are to;
      
      conform the first event record to a predetermined format by normalizing the first event record.
  - 19. The system of claim 17, where the one or more processors, when generating the first fraud alarm, are to:
    - compare at least a portion of the first event record to a profile detection rule,the profile detection rule being based on historical network event records, andthe profile detection rule including at least one of;
      
      a normal usage profile, ora fraudulent usage profile, andgenerate the first fraud alarm when the first event record violates the profile detection rule.
  - 20. The system of claim 17, where the one or more processors are further to:
    - assign a priority to the fraud case, andperform a fraud prevention action based on the priority.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
Curtis, Terrill J, Gavan, John, Paul, Kevin, Richards, Jim, Dallas, Charles A, Arkel, Hans Van, Herrington, Cheryl, Mahone, Saralyn, Wagner, James J
Primary Examiner(s)
Qayyum, Zeshan

Application Number

US12/193,233
Publication Number

US 20090129573A1
Time in Patent Office

2,885 Days
Field of Search

705/75
US Class Current

1/1
CPC Class Codes

G06Q 20/4016   involving fraud or risk lev...

H04J 3/175   Speech activity or inactivi...

H04L 41/0604   using filtering, e.g. reduc...

H04L 41/0631   using root cause analysis; ...

H04L 41/16   using machine learning or a...

H04M 15/00   Arrangements for metering, ...

H04M 15/08   Metering calls to called pa...

H04M 15/47   Fraud detection or preventi...

H04M 2215/0148   Fraud detection or preventi...

H04M 2215/62   Called party billing, e.g. ...

H04M 3/2218   Call detail recording

H04M 3/36   Statistical metering, e.g. ...

H04Q 3/0062   Provisions for network mana...

System and method for detecting and managing fraud

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting and managing fraud

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links