Fraud detection and analysis system

US 10,410,220 B2
Filed: 06/12/2009
Issued: 09/10/2019
Est. Priority Date: 06/12/2008
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a processor;

a processor implemented risk engine configured to ascertain the risk of fraud associated with electronic access of financial systems, comprising one or more applications running on the processor and coupled to an account at a financial system of a financial institution, wherein the risk engine is configured to receive from the financial system account data of a user, and a first set of event parameters comprising network session parameters corresponding to actions taken in the account by the user of the account during electronic access of the account during a network session, and to dynamically generate from the account data and event parameters an account model characterizing the user, wherein the risk engine is configured to generate the account model using the event parameters of a previous event performed by the user in the account to generate predicted distributions comprising a first plurality of conditional probability distributions representing the event parameters for a next event in the account, wherein the risk engine is configured to receive a second set of event parameters of the next event as the next event occurs, said second set of event parameters comprising network session parameters corresponding to network based electronic access of the account during the next event, wherein the risk engine is configured to use the account model to generate a first probability that is a probability of observing the event parameters assuming the user is conducting the next event, wherein the risk engine is configured to use a fraud model to generate a second probability that is a probability of observing the event parameters assuming a fraudster is conducting the next event, wherein the fraud model includes a second plurality of conditional probability distributions generated from data of actions taken by a plurality of fraudsters excluding the user, wherein the events conducted in the account comprise the previous event and the next event, wherein the risk engine is configured to generate and output a risk score that represents the relative likelihood the next event is performed by the user versus the fraudster, wherein said risk score is generated based on combining the first probability of observing the event parameters assuming the user is conducting the next event, with the second probability of observing the event parameters assuming a fraudster is conducting the next event, and using the risk score to generate an alert; and

a risk application running on the processor, the risk application comprising an analytical user interface (AUI) that is configured to display for any event in the account at least one of the risk score and the event parameters,wherein the network session parameters comprise one or more of detected Internet Protocol (IP) data and Hypertext Transfer Protocol (HTTP) data relating to a network session.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is provided comprising a risk engine coupled to a financial system that includes an account. The risk engine generates an account model corresponding to a user and events of the account. Generation of the account model uses event parameters of a previous event performed by the user in the account. The risk engine uses the account model to generate a first probability of observing event parameters assuming the user is conducting the next event. The risk engine uses a fraud model to generate a second probability of observing event parameters assuming a fraudster is conducting the next event. The risk engine generates a risk score, using the first and second probabilities, which indicates the relative likelihood the next event is performed by the user. The system includes a risk application comprising an analytical user interface that displays for any event the risk score and/or event parameters.

51 Citations

View as Search Results

66 Claims

1. A system comprising:
- a processor;
  
  a processor implemented risk engine configured to ascertain the risk of fraud associated with electronic access of financial systems, comprising one or more applications running on the processor and coupled to an account at a financial system of a financial institution, wherein the risk engine is configured to receive from the financial system account data of a user, and a first set of event parameters comprising network session parameters corresponding to actions taken in the account by the user of the account during electronic access of the account during a network session, and to dynamically generate from the account data and event parameters an account model characterizing the user, wherein the risk engine is configured to generate the account model using the event parameters of a previous event performed by the user in the account to generate predicted distributions comprising a first plurality of conditional probability distributions representing the event parameters for a next event in the account, wherein the risk engine is configured to receive a second set of event parameters of the next event as the next event occurs, said second set of event parameters comprising network session parameters corresponding to network based electronic access of the account during the next event, wherein the risk engine is configured to use the account model to generate a first probability that is a probability of observing the event parameters assuming the user is conducting the next event, wherein the risk engine is configured to use a fraud model to generate a second probability that is a probability of observing the event parameters assuming a fraudster is conducting the next event, wherein the fraud model includes a second plurality of conditional probability distributions generated from data of actions taken by a plurality of fraudsters excluding the user, wherein the events conducted in the account comprise the previous event and the next event, wherein the risk engine is configured to generate and output a risk score that represents the relative likelihood the next event is performed by the user versus the fraudster, wherein said risk score is generated based on combining the first probability of observing the event parameters assuming the user is conducting the next event, with the second probability of observing the event parameters assuming a fraudster is conducting the next event, and using the risk score to generate an alert; and
  
  a risk application running on the processor, the risk application comprising an analytical user interface (AUI) that is configured to display for any event in the account at least one of the risk score and the event parameters,wherein the network session parameters comprise one or more of detected Internet Protocol (IP) data and Hypertext Transfer Protocol (HTTP) data relating to a network session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 65)
- - 2. The system of claim 1, wherein the AUI comprises a horizontal axis representing a sequence of events ordered by time.
  - 3. The system of claim 2, wherein the AUI comprises a vertical axis representing the event parameters.
  - 4. The system of claim 1, wherein the IP data includes one or more of an IP address, IP address country, IP address city, IP network block, and internet service provider supporting an event.
  - 5. The system of claim 1, wherein the HTTP data includes one or more of data of an operating system, a user agent string, a referrer string, and internet browser of a computer used for an event.
  - 6. The system of claim 3, wherein the AUI comprises a plurality of columns, wherein each column of the plurality of columns represents at least one event of the events conducted in the account, wherein the plurality of columns are arranged according to date.
  - 7. The system of claim 6, wherein the AUI comprises a plurality of rows, wherein a set of rows of the plurality of rows represent event parameters of the events.
  - 8. The system of claim 6, wherein the AUI comprises a plurality of intersection regions, each intersection region defined by an intersection of a row of the set of rows and a column, wherein the intersection region corresponds to an event parameter of the at least one event, wherein the intersection region includes color coding relating the event parameter to a corresponding probability of the account model.
  - 9. The system of claim 8, wherein the color coding represents a relative likelihood ratio that the event parameter corresponds to the user.
  - 10. The system of claim 6, wherein the AUI comprises a risk row representing risk of the event, wherein each intersection region defined by the intersection of the risk row with a column corresponds to the risk score of the at least one event corresponding to the column.
  - 11. The system of claim 10, wherein the intersection region includes color coding relating the risk score to the at least one event.
  - 12. The system of claim 11, wherein the color coding represents a relative likelihood ratio that the user conducted the at least one event.
  - 13. The system of claim 6, wherein the at least one event comprises at least one of an online event, an offline event, and a multiple-channel event.
  - 14. The system of claim 13, wherein online events are events undertaken via electronic access to the account.
  - 15. The system of claim 6, wherein the at least one event comprises a login event.
  - 16. The system of claim 6, wherein the at least one event comprises an activity event.
  - 17. The system of claim 6, wherein the at least one event comprises a session, wherein the session is a sequence of related events.
  - 18. The system of claim 17, wherein the sequence of related events comprises a session login event and a termination event.
  - 19. The system of claim 18, wherein the sequence of related events comprises at least one activity event following the login event.
  - 20. The system of claim 1, wherein generating the account model includes generating statistical relationships between predicted distributions.
  - 21. The system of claim 1, wherein generating the account model includes generating a joint probability distribution that includes the predicted distributions.
  - 22. The system of claim 21, wherein the predicted distributions include a plurality of probability distribution functions that represent the event parameters.
  - 23. The system of claim 22, wherein the event parameters are observable parameters collected during the previous event.
  - 24. The system of claim 1, wherein generating the account model includes generating statistical relationships between the event parameters and derived parameters.
  - 25. The system of claim 24, wherein the derived parameters include one or more of geographic area from which a device is initiating the next event, location of the device, identification of the device, and electronic service provider of the device.
  - 26. The system of claim 1, wherein generating the risk score includes generating expected event parameters of the next event.
  - 27. The system of claim 26, wherein generating the expected event parameters includes generating a first set of predicted probability distributions that represent the expected event parameters, wherein generating the first set of predicted probability distributions assumes the user is conducting the second set of events.
  - 28. The system of claim 27, comprising:
    - receiving a predictive fraud model; and
      
      generating a second set of predicted probability distributions that represent expected fraud event parameters, wherein generating the second set of predicted probability distributions assumes a fraudster is conducting the next event.
  - 29. The system of claim 28, comprising automatically generating the predictive fraud model by estimating a plurality of fraud components of the predictive fraud model using fraud event parameters of previous fraudulent events undertaken in a plurality of accounts, wherein the previous fraudulent events are events suspected as having been conducted by the fraudster.
  - 30. The system of claim 29, wherein automatically generating the predictive fraud model includes generating statistical relationships between fraud components of the plurality of fraud components.
  - 31. The system of claim 29, wherein automatically generating the predictive fraud model includes generating statistical relationships between the fraud event parameters and derived fraud parameters.
  - 32. The system of claim 31, wherein the derived fraud parameters include one or more of a location of the device, identification of the device, and electronic service provider of the device.
  - 33. The system of claim 28, comprising generating the predictive fraud model.
  - 34. The system of claim 33, wherein generating the predictive fraud model comprises generating an original fraud model to include a probability of observing an event given that the event is caused by the fraudster and absent any other information about the event.
  - 35. The system of claim 33, wherein generating the predictive fraud model comprises generating a probabilistic combination of the original fraud model and an impersonation model.
  - 36. The system of claim 35, comprising generating the original fraud model to include a probability of observing an event given that the event is caused by the fraudster and absent any other information about the event.
  - 37. The system of claim 35, wherein generating the predictive fraud model comprises generating the predictive fraud model to include an impersonation probability, wherein the impersonation probability is a probability that the fraudster successfully impersonates a parameter value of an event parameter of a set of events undertaken by the user.
  - 38. The system of claim 35, wherein the impersonation model comprises a probability that the fraudster mimics an event parameter of a set of events undertaken by the user.
  - 39. The system of claim 35, wherein the impersonation model comprises a probability that the fraudster observes an event parameter of a set of events undertaken by the user.
  - 40. The system of claim 35, comprising:
    - identifying at least one previous fraud event, a previous fraud event comprising a previous event in the account potentially caused by the fraudster;
      
      generating the original fraud model by estimating a plurality of components of the fraud model using event parameters of at least one previous fraud event undertaken in the account, the at least one previous fraud event potentially conducted by the fraudster.
  - 41. The system of claim 40, comprising modifying the predictive fraud model based on at least one previous event potentially conducted by the fraudster.
  - 42. The system of claim 40, comprising generating the predictive fraud model to include a fraud co-occurrence coefficient for at least one previous event potentially conducted by the fraudster.
  - 43. The system of claim 42, wherein the fraud co-occurrence coefficient represents an accumulated mistrust derived recursively from the at least one previous event potentially conducted by the fraudster.
  - 44. The system of claim 42, wherein the fraud co-occurrence coefficient comprises a coefficient representing an affect of a plurality of previous events potentially conducted by the fraudster.
  - 45. The system of claim 1, comprising selectively updating the account model using a second set of event parameters collected during the next event.
  - 46. The system of claim 45, wherein the second set of event parameters is observable parameters collected during the next event.
  - 47. The system of claim 45, wherein automatically updating the account model includes updating a joint probability distribution that includes a plurality of components of the account model.
  - 48. The system of claim 45, wherein automatically updating the account model includes updating at least one of a plurality of components of the account model.
  - 49. The system of claim 45, wherein automatically updating the account model includes updating at least one of a plurality of probability distribution functions that represent the event parameters, the updating modifying the at least one of the plurality of probability distribution functions by considering data of the second set of event parameters.
  - 50. The system of claim 45, comprising:
    - generating a probability distribution function for each of the event parameters of the prior event; and
      
      generating an updated probability distribution function for each of the event parameters by applying data of a second set of event parameters of the next event to the probability distribution function.
  - 51. The system of claim 50, comprising:
    - receiving a baseline account model that corresponds to the user, the baseline account model generated without using data of any event; and
      
      generating the account model by generating a joint probability distribution that includes a plurality of components of the account model, wherein the plurality of components includes the updated probability distribution function for any event parameter represented in the account model.
  - 52. The system of claim 1, wherein the previous event and the next event comprise at least one of online events, and multiple channel events.
  - 53. The system of claim 52, wherein online events are events undertaken via electronic access to the account.
  - 54. The system of claim 1, wherein events comprise login events.
  - 55. The system of claim 1, wherein events comprise activity events.
  - 56. The system of claim 1, wherein the events comprise a session, wherein the session is a sequence of related events.
  - 57. The system of claim 56, wherein the sequence of related events comprises a session login event and a termination event.
  - 58. The system of claim 57, wherein the sequence of related events comprises at least one activity event.
  - 59. The system of claim 1, comprising:
    - determining probabilistically that the next event was conducted by the user;
      
      automatically updating the account model using a second set of event parameters collected during the next event.
  - 60. The system of claim 59, comprising updating the account model to include a trust factor, the trust factor representing a probability that the next event was in fact conducted by the user.
  - 61. The system of claim 59, comprising updating the account model to include an accumulated trust factor, the accumulated trust factor representing a cumulative probability across a plurality of events that an event parameter in the plurality of events was in fact conducted by the user.
  - 62. The system of claim 1, wherein automatically generating the account model comprises generating the account model to include a decay parameter.
  - 63. The system of claim 62, wherein the decay parameter comprises an exponential decay function by which a relative weight of each event of the events in the account changes with passage of time since the event.
  - 65. The system as claimed in claim 1, wherein the fraud model is based on session data or event data of all online account holders other than the user.

64. A system comprising:
- a processor;
  
  a processor implemented risk engine configured to ascertain the risk of fraud associated with electronic access of financial systems, comprising one or more applications running on the processor, wherein the risk engine is configured to receive from a remote financial system of a financial institution observed network session parameters corresponding to a prior event, the prior event including data of actions taken by a user in an account of the financial institution during electronic access of the account by the user, wherein the risk engine is configured to use the observed network session parameters to generate estimated parameters and dynamically generate an account model from the parameters, wherein the account model includes a first plurality of conditional probability distributions generated from the data of actions taken by the user, wherein the risk engine is configured to use the account model in combination with a fraud model that includes a second plurality of conditional probability distributions generated from data of actions taken by a plurality of fraudsters excluding the user to generate and output a risk score that is a relative likelihood an event in the account following the prior event is performed by the user versus a fraudster, wherein said risk score is generated based on a set of network session parameters corresponding to network based electronic access of the account during said event that follows the prior event, and wherein said risk score is based on combining an account model generated first probability of observing the event in the account assuming the user is conducting the event, with a fraud model generated second probability of observing the event in the account assuming a fraudster is conducting the event, and using the risk score to generate an alert; and
  
  a risk application running on the processor, the risk application comprising an analytical user interface (AUI) that is configured to display for any event in the account at least one of the risk score and event parameters of any event in the account.
- View Dependent Claims (66)
- - 66. The system as claimed in claim 64, wherein the fraud model is based on session data or event data of all online account holders other than the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Guardian Analytics Incorporated (Nice Ltd)
Original Assignee
Guardian Analytics Incorporated (Nice Ltd)
Inventors
Miltonberger, Tom
Primary Examiner(s)
Gilkey, Carrie S

Application Number

US12/483,963
Publication Number

US 20100094768A1
Time in Patent Office

3,742 Days
Field of Search

705 52, 705325, 705348
US Class Current
CPC Class Codes

G06N 5/02   Knowledge representation; S...

G06N 7/01   Probabilistic graphical mod...

G06Q 10/067   Enterprise or organisation ...

G06Q 10/10   Office automation; Time man...

G06Q 20/40   Authorisation, e.g. identif...

G06Q 20/4016   involving fraud or risk lev...

G06Q 30/0185   Product, service or busines...

G06Q 30/0225   Avoiding frauds

G06Q 40/02   Banking, e.g. interest calc...

G06Q 50/265   Personal security, identity...

Fraud detection and analysis system

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

66 Claims

Specification

Solutions

Use Cases

Quick Links

Fraud detection and analysis system

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

66 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links