Malicious activity detection system capable of efficiently processing data accessed from databases and generating alerts for display in interactive user interfaces

US 9,485,265 B1
Filed: 02/05/2016
Issued: 11/01/2016
Est. Priority Date: 08/28/2015
Status: Active Grant

First Claim

Patent Images

1. A computing system configured to process a large amount of dynamically updating data, the computing system comprising:

a database storing a first table and a second table associated with transaction data received from one or more accounts, wherein the first table comprises a first column header, a second column header, and first data corresponding to the first column header or the second column header, and wherein the second table comprises the first column header, a third column header, a fourth column header, and second data corresponding to the first column header or the third column header;

a computer processor; and

a computer readable storage medium storing program instructions configured for execution by the computer processor in order to cause the computing system to;

select a first rule from a plurality of rules, wherein the first rule is associated with a behavior associated with the one or more accounts;

retrieve the first table and the second table from the database;

identify that the first column header is included in the first table and the second table;

determine that the first rule does not use data associated with the fourth column header to determine whether the behavior is risky;

remove the fourth column header from the second table in response to the determination that the first rule does not use data associated with the fourth column header to determine whether the behavior is risky;

execute a join operation to generate a third table using the first column header as a join key, wherein the third table comprises the first column header, the second column header, the third column header, the first data, and the second data and does not comprise the fourth column header;

run the first rule on the third table to determine whether the behavior is risky;

generate an alert in response to a determination that the behavior is risky; and

transmit the alert for display in an interactive user interface.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various systems and methods are provided that retrieve raw data from issuers, reorganize the raw data, analyze the reorganized data to determine whether the risky or malicious activity is occurring, and generate alerts to notify users of possible malicious activity. For example, the raw data is included in a plurality of tables. The system joins one or more tables to reorganize the data using several filtering techniques to reduce the processor load required to perform the join operation. Once the data is reorganized, the system executes one or more rules to analyze the reorganized data. Each rule is associated with a malicious activity. If any of the rules indicate that malicious activity is occurring, the system generates an alert for display to a user in an interactive user interface.

249 Citations

16 Claims

1. A computing system configured to process a large amount of dynamically updating data, the computing system comprising:
- a database storing a first table and a second table associated with transaction data received from one or more accounts, wherein the first table comprises a first column header, a second column header, and first data corresponding to the first column header or the second column header, and wherein the second table comprises the first column header, a third column header, a fourth column header, and second data corresponding to the first column header or the third column header;
  
  a computer processor; and
  
  a computer readable storage medium storing program instructions configured for execution by the computer processor in order to cause the computing system to;
  
  select a first rule from a plurality of rules, wherein the first rule is associated with a behavior associated with the one or more accounts;
  
  retrieve the first table and the second table from the database;
  
  identify that the first column header is included in the first table and the second table;
  
  determine that the first rule does not use data associated with the fourth column header to determine whether the behavior is risky;
  
  remove the fourth column header from the second table in response to the determination that the first rule does not use data associated with the fourth column header to determine whether the behavior is risky;
  
  execute a join operation to generate a third table using the first column header as a join key, wherein the third table comprises the first column header, the second column header, the third column header, the first data, and the second data and does not comprise the fourth column header;
  
  run the first rule on the third table to determine whether the behavior is risky;
  
  generate an alert in response to a determination that the behavior is risky; and
  
  transmit the alert for display in an interactive user interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The computing system of claim 1, wherein the program instructions are further configured to cause the computing system toremove the fourth column from the second table prior to executing the join operation.
  - 3. The computing system of claim 1, wherein the first data comprises a first subset of data and a second subset of data, and wherein the program instructions are further configured to cause the computing system to:
    - determine that the first rule does not use the second subset of data to determine whether the behavior is risky; and
      
      remove the second subset of data from the first data prior to executing the join operation.
  - 4. The computing system of claim 1, wherein the first table comprises a first row that includes a first subset of the first data and a second row that includes a second subset of the first data, and wherein the program instructions are further configured to cause the computing system to:
    - determine that the first subset of the first data is the same as the second subset of the first data; and
      
      remove the second row from the first table prior to executing the join operation.
  - 5. The computing system of claim 1, wherein the interactive user interface comprises a button that allows a user to take an action associated with the displayed alert.
  - 6. The computing system of claim 1, wherein the program instructions are further configured to cause the computing system to:
    - use a clustering process to separate the first data and the second data into a plurality of clusters;
      
      identify a subset of the first data or the second data that fall outside of a first cluster in the plurality of clusters by at least a threshold value; and
      
      generate an alert for each of the items in the subset of the first data or the second data.
  - 7. The computing system of claim 1, wherein the first rule is a cash out rule.
  - 8. The computing system of claim 1, wherein the database further stores historical data, and wherein the program instructions are further configured to cause the computing system to:
    - retrieve the historical data from the database, wherein running the first rule on the historical data causes the computing system to determine that the behavior is risky;
      
      merging the first data and the historical data;
      
      running the first rule on the merged first data and historical data;
      
      determining whether the behavior is risky; and
      
      determining that the first data is valid in response to a determination that the behavior is risky.
  - 9. The computing system of claim 1, wherein the database receives data from an issuer database in periodic intervals, and wherein the program instructions are further configured to cause the computing system to:
    - select the first table, wherein a first subset of the first data is expected to be received at a first time and a second subset of the first data is expected to be received at a second time;
      
      determine that the second subset of the first data was not received at the second time; and
      
      generate a notification for display in the interactive user interface, wherein the notification instructs a user to retrieve the second subset of the first data.
  - 10. The computing system of claim 1, wherein the first rule is one of a cash out rule, a cash in rule, a sustained cash rule, a behavior outlier rule, a cross-border cash rule, a foreign cash out rule, a high risk countries rule, an external funding rule, a tax refund rule, a card-to-card transfer rule, a watch list rule, or a manual trigger rule.
  - 11. The computing system of claim 1, wherein the alert comprises information identifying a user associated with a prepaid card that caused the computing system to determine that the behavior is risky.
  - 12. The computing system of claim 1, wherein the program instructions are further configured to cause the computing system to determine that the behavior is risky in response to a determination that a first regulation is violated.
  - 13. The computing system of claim 1, wherein the program instructions are further configured to cause the computing system to transmit the alert via one of an email, a push notification, or a text message.
  - 14. The computing system of claim 5, wherein the program instructions are further configured to cause the computing system to:
    - receive, from the user, a selection of the button;
      
      update the interactive user interface to display a plurality of actions in response to receiving the selection;
      
      receive, from the user, a second selection of a first action in the plurality of actions; and
      
      generate a report in response to receiving the second selection.
  - 15. The computing system of claim 6, wherein the program instructions are further configured to cause the computing system to update the clustering process based on actions taken by a user with regard to the generated alerts for each of the items in the subset of the first data or the second data.
  - 16. The computing system of claim 7, wherein the program instructions are further configured to cause the computing system to:
    - identify, based on an analysis of the first data and the second data, that a first user withdrew no money on a first day, no money on a second day, a first amount of money on a third day, no money on a fourth day, and no money on a fifth day, wherein a withdrawal of the first amount of money causes the computing system to determine that the behavior is risky; and
      
      generate the alert such that the alert corresponds with the first day, the second day, and the third day, does not correspond with the second day, the third day, and the fourth day, and does not correspond with the third day, the fourth day, and the fifth day.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palantir Technologies Incorporated
Original Assignee
Palantir Technologies Incorporated
Inventors
Saperstein, Craig, Schwartz, Eric, Cho, Hongjai
Primary Examiner(s)
Tran, Ellen
Assistant Examiner(s)
Salehi, Helai

Application Number

US15/017,324
Time in Patent Office

270 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/2365   Ensuring data consistency a...

G06F 16/24544   Join order optimisation

G06F 16/2456   Join operations

G06F 16/24575   using context

G06F 16/248   Presentation of query results

G06F 16/9535   Search customisation based ...

G06Q 20/4016   involving fraud or risk lev...

G06Q 40/12   Accounting

H04L 2463/102   applying security measure f...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

Malicious activity detection system capable of efficiently processing data accessed from databases and generating alerts for display in interactive user interfaces

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

249 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Malicious activity detection system capable of efficiently processing data accessed from databases and generating alerts for display in interactive user interfaces

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

249 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others