System and method for detecting and managing fraud
First Claim
1. A method performed by one or more servers, the method comprising:
- generating, by one or more servers, a first event record for one or more telephone calls handled by one or more telecommunications systems in one or more networks;
applying, by the one or more servers and using a first fraud detection test, a first fraud detection rule, of a plurality of fraud detection rules, to the first event record,the first event record being of an account and corresponding to information associated with suspected fraud at a first time;
generating, by the one or more servers and based on applying the first fraud detection rule, a first fraud alarmgenerating, by the one or more servers, a second event record for the one or more telephone calls handled by the one or more telecommunications systems in the one or more networks,the second event record being of the account and corresponding to the information associated with the suspected fraud at a second time;
applying, by the one or more servers and using a second fraud detection test, a dynamically reconfigured fraud detection rule, of a plurality of dynamically reconfigured fraud detection rules, to the second event record;
generating, by the one or more servers and based on applying the dynamically reconfigured fraud detection rule, a second fraud alarm,the second fraud alarm being different than the first fraud alarm;
obtaining, by the one or more servers, first information from a plurality of devices;
obtaining, by the one or more servers, an enhanced first fraud alarm by enhancing the first fraud alarm based on the first information,the first information being based on a first type of alarm associated with the first fraud alarm, andthe first information including additional information and information indicating how the additional information is to be added to the first fraud alarm to obtain the enhanced first fraud alarm;
obtaining, by the one or more servers, second information from the plurality of devices;
obtaining, by the one or more servers, an enhanced second fraud alarm by enhancing the second fraud alarm based on the second information,the second information being based on a second type of alarm associated with the second fraud alarm, andthe second information including other information and information indicating how the other information is to be added to the second fraud alarm to obtain the enhanced second fraud alarm;
correlating, by the one or more servers, the enhanced first fraud alarm with the enhanced second fraud alarm into a fraud case for the account; and
instituting, by the one or more servers one or more switch-based automatic number identification (ANI) blocks based on correlating the enhanced first fraud alarm with the enhanced second fraud alarm.
2 Assignments
0 Petitions
Accused Products
Abstract
A system, method and computer program product for processing event records. The present invention includes a detection layer, an analysis layer, an expert systems layer and a presentation layer. The layered system includes a core infrastructure and a configurable, domain-specific implementation. The detection layer employs one or more detection engines, such as, for example, a rules-based thresholding engine and a profiling engine. The detection layer can include an AI-based pattern recognition engine for analyzing data records, for detecting new and interesting patterns and for updating the detection engines to insure that the detection engines can detect the new patterns. In one embodiment, the present invention is implemented as a telecommunications fraud detection system. When fraud is detected, the detection layer generates alarms which are sent to the analysis layer. The analysis layer filters and consolidates the alarms to generate fraud cases. The analysis layer preferably generates a probability of fraud for each fraud case. The expert systems layer receives fraud cases and automatically initiates actions for certain fraud cases. The presentation layer also receives fraud cases for presentation to human analysts. The presentation layer permits the human analysts to initiate additional actions.
-
Citations
20 Claims
-
1. A method performed by one or more servers, the method comprising:
-
generating, by one or more servers, a first event record for one or more telephone calls handled by one or more telecommunications systems in one or more networks; applying, by the one or more servers and using a first fraud detection test, a first fraud detection rule, of a plurality of fraud detection rules, to the first event record, the first event record being of an account and corresponding to information associated with suspected fraud at a first time; generating, by the one or more servers and based on applying the first fraud detection rule, a first fraud alarm generating, by the one or more servers, a second event record for the one or more telephone calls handled by the one or more telecommunications systems in the one or more networks, the second event record being of the account and corresponding to the information associated with the suspected fraud at a second time; applying, by the one or more servers and using a second fraud detection test, a dynamically reconfigured fraud detection rule, of a plurality of dynamically reconfigured fraud detection rules, to the second event record; generating, by the one or more servers and based on applying the dynamically reconfigured fraud detection rule, a second fraud alarm, the second fraud alarm being different than the first fraud alarm; obtaining, by the one or more servers, first information from a plurality of devices; obtaining, by the one or more servers, an enhanced first fraud alarm by enhancing the first fraud alarm based on the first information, the first information being based on a first type of alarm associated with the first fraud alarm, and the first information including additional information and information indicating how the additional information is to be added to the first fraud alarm to obtain the enhanced first fraud alarm; obtaining, by the one or more servers, second information from the plurality of devices; obtaining, by the one or more servers, an enhanced second fraud alarm by enhancing the second fraud alarm based on the second information, the second information being based on a second type of alarm associated with the second fraud alarm, and the second information including other information and information indicating how the other information is to be added to the second fraud alarm to obtain the enhanced second fraud alarm; correlating, by the one or more servers, the enhanced first fraud alarm with the enhanced second fraud alarm into a fraud case for the account; and instituting, by the one or more servers one or more switch-based automatic number identification (ANI) blocks based on correlating the enhanced first fraud alarm with the enhanced second fraud alarm. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A non-transitory computer-readable medium storing instructions executable by one or more processors, the instructions comprising:
one or more instructions that, when executed by the one or more processors, cause the one or more processors to; generate a first event record for one or more telephone calls handled by one or more telecommunications systems in one or more networks; apply, using a first fraud detection test, a first fraud detection rule of a plurality of fraud detection rules to the first event record, the first event record being of an account and corresponding to information associated with suspected fraud at a first time; generate, based on applying the first fraud detection rule, a first fraud alarm; generate a second event record for the one or more telephone calls handled by the one or more telecommunications systems in the one or more networks, the second event record being of the account and corresponding to the information associated with the suspected fraud at a second time; apply, using a second fraud detection test, a dynamically reconfigured fraud detection rule, of a plurality of dynamically reconfigured fraud detection rules, to the second event record; generate, based on applying the dynamically reconfigured fraud detection rule, a second fraud alarm, the second fraud alarm being different than the first fraud alarm; obtain first information from a plurality of devices; obtain an enhanced first fraud alarm by enhancing the first fraud alarm based on the first information, the first information being based on a first type of alarm associated with the first fraud alarm, and the first information including additional information and information indicating how the additional information is to be added to the first fraud alarm to obtain the enhanced first fraud alarm; obtain second information from the plurality of devices; obtain an enhanced second fraud alarm by enhancing the second fraud alarm based on the second information, the second information being based on a second type of alarm associated with the second fraud alarm, and the second information including other information and information indicating how the other information is to be added to the second fraud alarm to obtain the enhanced second fraud alarm; correlate the enhanced first fraud alarm with the enhanced second fraud alarm into a fraud case for the account; and institute one or more switch-based automatic number identification (ANI) blocks based on correlating the enhanced first fraud alarm with the enhanced second fraud alarm. - View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
-
17. A system comprising:
-
one or more processors; and a memory, coupled to the one or more processors, comprising program instructions that, responsive to execution by the one or more processors, cause the one or more processors to; generate a first event record associated with one or more telephone calls handled by one or more telecommunications systems in one or more networks; apply, using a first fraud detection test, a first fraud detection rule of a plurality of fraud detection rules to the first event record, the first event record being of an account and corresponding to information associated with suspected fraud at a first time; generate, based on applying the first fraud detection rule, a first fraud alarm; generate a second event record associated with the one or more telephone calls handled by the one or more telecommunications systems in the one or more networks, the second event record being of the account and corresponding to the information associated with the suspected fraud at a second time; apply, using a second fraud detection test, a dynamically reconfigured fraud detection rule, of a plurality of dynamically reconfigured fraud detection rules, to the second event record; generate, based on applying the dynamically reconfigured fraud detection rule, a second fraud alarm, the second fraud alarm being different than the first fraud alarm; obtain first information from a plurality of devices; obtain an enhanced first fraud alarm by enhancing the first fraud alarm based on the first information, the first information being based on a first type of alarm associated with the first fraud alarm, and the first information including additional information and information indicating how the additional information is to be added to the first fraud alarm to obtain the enhanced first fraud alarm; obtain second information from the plurality of devices; obtain an enhanced second fraud alarm by enhancing the second fraud alarm based on the second information, the second information being based on a second type of alarm associated with the second fraud alarm, and the second information including other information and information indicating how the other information is to be added to the second fraud alarm to obtain the enhanced second fraud alarm; correlate the enhanced first fraud alarm with the enhanced second fraud alarm into a fraud case for the account; and institute one or more switch-based automatic number identification (ANI) blocks based on correlating the enhanced first fraud alarm with the enhanced second fraud alarm. - View Dependent Claims (18, 19, 20)
-
Specification