Malicious activity detection system capable of efficiently processing data accessed from databases and generating alerts for display in interactive user interfaces

US 9,898,509 B2
Filed: 10/27/2016
Issued: 02/20/2018
Est. Priority Date: 08/28/2015
Status: Active Grant

First Claim

Patent Images

1. A computing system comprising:

a database storing a first data set and a second data set associated with one or more accounts, wherein the first data set comprises a first data section, a second data section, and first data corresponding to the first data section or the second data section, and wherein the second data set comprises the first data section, a third data section, and second data corresponding to the first data section or the third data section;

a computer processor; and

a computer readable storage medium storing program instructions configured for execution by the computer processor in order to cause the computing system to;

select a first rule from a plurality of rules, wherein the first rule is associated with a behavior associated with the one or more accounts;

retrieve the first data set and the second data set from the database;

identify that the first data section is included in the first data set and the second data set;

run a deduplication operation on each entry in the first data set and the second data set to remove duplicate entries, wherein a first entry in the first data set is a duplicate of a second entry in the second data set if third data associated with the first data section in the first entry is equal to fourth data associated with the first data section in the second entry;

execute a join operation to generate a third data set using the first data section as a join key, wherein the third data set comprises the first data section, the second data section, the third data section, the first data, and the second data;

run the first rule on the third data set to determine whether the behavior is risky;

generate an alert in response to a determination that the behavior is risky; and

transmit the alert for display in an interactive user interface.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various systems and methods are provided that retrieve raw data from issuers, reorganize the raw data, analyze the reorganized data to determine whether the risky or malicious activity is occurring, and generate alerts to notify users of possible malicious activity. For example, the raw data is included in a plurality of tables. The system joins one or more tables to reorganize the data using several filtering techniques to reduce the processor load required to perform the join operation. Once the data is reorganized, the system executes one or more rules to analyze the reorganized data. Each rule is associated with a malicious activity. If any of the rules indicate that malicious activity is occurring, the system generates an alert for display to a user in an interactive user interface.

Citations

20 Claims

1. A computing system comprising:
- a database storing a first data set and a second data set associated with one or more accounts, wherein the first data set comprises a first data section, a second data section, and first data corresponding to the first data section or the second data section, and wherein the second data set comprises the first data section, a third data section, and second data corresponding to the first data section or the third data section;
  
  a computer processor; and
  
  a computer readable storage medium storing program instructions configured for execution by the computer processor in order to cause the computing system to;
  
  select a first rule from a plurality of rules, wherein the first rule is associated with a behavior associated with the one or more accounts;
  
  retrieve the first data set and the second data set from the database;
  
  identify that the first data section is included in the first data set and the second data set;
  
  run a deduplication operation on each entry in the first data set and the second data set to remove duplicate entries, wherein a first entry in the first data set is a duplicate of a second entry in the second data set if third data associated with the first data section in the first entry is equal to fourth data associated with the first data section in the second entry;
  
  execute a join operation to generate a third data set using the first data section as a join key, wherein the third data set comprises the first data section, the second data section, the third data section, the first data, and the second data;
  
  run the first rule on the third data set to determine whether the behavior is risky;
  
  generate an alert in response to a determination that the behavior is risky; and
  
  transmit the alert for display in an interactive user interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computing system of claim 1, wherein the first data comprises a first subset of data and a second subset of data, and wherein the program instructions are further configured to cause the computing system to:
    - determine that the first rule does not use the second subset of data to determine whether the behavior is risky; and
      
      remove the second subset of data from the first data prior to executing the join operation.
  - 3. The computing system of claim 1, wherein the interactive user interface comprises a button that allows a user to take an action associated with the displayed alert.
  - 4. The computing system of claim 1, wherein the program instructions are further configured to cause the computing system to:
    - use a clustering process to separate the first data and the second data into a plurality of clusters;
      
      identify a subset of the first data or the second data that fall outside of a first cluster in the plurality of clusters by at least a threshold value; and
      
      generate an alert for each of the items in the subset of the first data or the second data.
  - 5. The computing system of claim 1, wherein the first rule is a cash out rule.
  - 6. The computing system of claim 1, wherein the database further stores historical data, and wherein the program instructions are further configured to cause the computing system to:
    - retrieve the historical data from the database, wherein running the first rule on the historical data causes the computing system to determine that the behavior is risky;
      
      merge the first data and the historical data;
      
      run the first rule on the merged first data and historical data;
      
      determine whether the behavior is risky; and
      
      determine that the first data is valid in response to a determination that the behavior is risky.
  - 7. The computing system of claim 1, wherein the database receives data from an issuer database in periodic intervals, and wherein the program instructions are further configured to cause the computing system to:
    - select the first data set, wherein a first subset of the first data is expected to be received at a first time and a second subset of the first data is expected to be received at a second time;
      
      determine that the second subset of the first data was not received at the second time; and
      
      generate a notification for display in the interactive user interface, wherein the notification instructs a user to retrieve the second subset of the first data.
  - 8. The computing system of claim 1, wherein the first rule is one of a cash out rule, a cash in rule, a sustained cash rule, a behavior outlier rule, a cross-border cash rule, a foreign cash out rule, a high risk countries rule, an external funding rule, a tax refund rule, a card-to-card transfer rule, a watch list rule, or a manual trigger rule.
  - 9. The computing system of claim 1, wherein the alert comprises information identifying a user associated with a prepaid card that caused the computing system to determine that the behavior is risky.
  - 10. The computing system of claim 1, wherein the program instructions are further configured to cause the computing system to determine that the behavior is risky in response to a determination that a first regulation is violated.
  - 11. The computing system of claim 1, wherein the program instructions are further configured to cause the computing system to transmit the alert via one of an email, a push notification, or a text message.
  - 12. The computing system of claim 1, wherein the alert comprises a URL, and wherein receipt of the alert causes a browser to open on a user device and be redirected to a page associated with the URL.
  - 13. The computing system of claim 3, wherein the program instructions are further configured to cause the computing system to:
    - receive, from the user, a selection of the button;
      
      update the interactive user interface to display a plurality of actions in response to receiving the selection;
      
      receive, from the user, a second selection of a first action in the plurality of actions; and
      
      generate a report in response to receiving the second selection.
  - 14. The computing system of claim 4, wherein the program instructions are further configured to cause the computing system to update the clustering process based on actions taken by a user with regard to the generated alerts for each of the items in the subset of the first data or the second data.
  - 15. The computing system of claim 5, wherein the program instructions are further configured to cause the computing system to:
    - identify, based on an analysis of the first data and the second data, that a first user withdrew no money on a first day, no money on a second day, a first amount of money on a third day, no money on a fourth day, and no money on a fifth day, wherein a withdrawal of the first amount of money causes the computing system to determine that the behavior is risky; and
      
      generate the alert such that the alert corresponds with the first day, the second day, and the third day, does not correspond with the second day, the third day, and the fourth day, and does not correspond with the third day, the fourth day, and the fifth day.

16. A computer-implemented method comprising:
- as implemented by one or more computer systems comprising computer hardware and memory, the one or more computer systems configured with specific executable instructions,selecting a first rule from a plurality of rules, wherein the first rule is associated with a behavior associated with one or more accounts;
  
  retrieving a first data set and a second data set, wherein the first data set comprises a first data section, a second data section, and first data corresponding to the first data section or the second data section, and wherein the second data set comprises the first data section, a third data section, and second data corresponding to the first data section or the third data section;
  
  identifying that the first data section is included in the first data set and the second data set;
  
  running a deduplication operation on each entry in the first data set and the second data set to remove duplicate entries, wherein a first entry in the first data set is a duplicate of a second entry in the second data set if third data associated with the first data section in the first entry is equal to fourth data associated with the first data section in the second entry;
  
  executing a join operation to generate a third data set using the first data section as a join key, wherein the third data set comprises the first data section, the second data section, the third data section, the first data, and the second data;
  
  running the first rule on the third data set to determine whether the behavior is risky;
  
  generating an alert in response to a determination that the behavior is risky; and
  
  transmitting the alert for display in an interactive user interface.
- View Dependent Claims (17, 18, 19)
- - 17. The computer-implemented method of claim 16, wherein the first data comprises a first subset of data and a second subset of data, and wherein the computer-implemented method further comprises:
    - determining that the first rule does not use the second subset of data to determine whether the behavior is risky; and
      
      removing the second subset of data from the first data prior to executing the join operation.
  - 18. The computer-implemented method of claim 16, further comprising:
    - using a clustering process to separate the first data and the second data into a plurality of clusters;
      
      identifying a subset of the first data or the second data that fall outside of a first cluster in the plurality of clusters by at least a threshold value; and
      
      generating an alert for each of the items in the subset of the first data or the second data.
  - 19. The computer-implemented method of claim 16, further comprising:
    - retrieving historical data, wherein running the first rule on the historical data causes the one or more computer systems to determine that the behavior is risky;
      
      merging the first data and the historical data;
      
      running the first rule on the merged first data and historical data;
      
      determining whether the behavior is risky; and
      
      determining that the first data is valid in response to a determination that the behavior is risky.

20. A non-transitory computer-readable medium comprising one or more program instructions recorded thereon, the instructions configured for execution by a computing system comprising one or more processors in order to cause the computing system to:
- select a first rule from a plurality of rules, wherein the first rule is associated with a behavior associated with one or more accounts;
  
  retrieve a first data set and a second data set, wherein the first data set comprises a first data section, a second data section, and first data corresponding to the first data section or the second data section, and wherein the second data set comprises the first data section, a third data section, and second data corresponding to the first data section or the third data section;
  
  identify that the first data section is included in the first data set and the second data set;
  
  run a deduplication operation on each entry in the first data set and the second data set to remove duplicate entries, wherein a first entry in the first data set is a duplicate of a second entry in the second data set if third data associated with the first data section in the first entry is equal to fourth data associated with the first data section in the second entry;
  
  execute a join operation to generate a third data set using the first data section as a join key, wherein the third data set comprises the first data section, the second data section, the third data section, the first data, and the second data;
  
  run the first rule on the third data set to determine whether the behavior is risky;
  
  generate an alert in response to a determination that the behavior is risky; and
  
  transmit the alert for display in an interactive user interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palantir Technologies Incorporated
Original Assignee
Palantir Technologies Incorporated
Inventors
Saperstein, Craig, Schwartz, Eric, Cho, Hongjai
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Salehi, Helai

Application Number

US15/336,078
Publication Number

US 20170147654A1
Time in Patent Office

481 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/2365   Ensuring data consistency a...

G06F 16/24544   Join order optimisation

G06F 16/2456   Join operations

G06F 16/24575   using context

G06F 16/248   Presentation of query results

G06F 16/9535   Search customisation based ...

G06Q 20/4016   involving fraud or risk lev...

G06Q 40/12   Accounting

H04L 2463/102   applying security measure f...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

Malicious activity detection system capable of efficiently processing data accessed from databases and generating alerts for display in interactive user interfaces

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Malicious activity detection system capable of efficiently processing data accessed from databases and generating alerts for display in interactive user interfaces

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links