Unauthorized activity detection and classification

US 9,594,907 B2
Filed: 02/12/2016
Issued: 03/14/2017
Est. Priority Date: 03/14/2013
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

one or more processors;

one or more non-transitory computer-readable storage mediums including instructions configured to cause the one or more processors to perform operations including;

generating a filtering rule for characterizing activity data into two groups;

accessing a database including activity data to obtain training data, wherein the training data includes past activity data representing unauthorized activity;

partitioning the training data using the filtering rule, wherein partitioning includes filtering different portions of the past activity data into two partitions corresponding to the two groups;

analyzing the partitions, wherein analyzing includes providing the partitions to a model, and wherein the model generates training classifications for the past activity data;

identifying an accurate set of classifications for the training data, wherein the accurate set of classifications provides known classifications for the past activity data;

comparing the known classifications for the past activity data with the training classifications for the past activity data to evaluate performance of the model, wherein the model performs better for a first of the two partitions and worse for a second of the two partitions;

assigning a first of the two groups as a retained group and a second of the two groups as a rejected group based on the performance of the model, wherein the first of the two groups corresponds to the first of the two partitions;

accessing a first database to obtain authorized activity data that represents activity involving a first service provided to a user, wherein the first service is provided by a service provider;

accessing a second database to obtain new activity data that represents activity involving a second service provided to the user, wherein the second service is provided by the service provider, and wherein the second service is different from the first service;

generating an initial classification for the new activity data, wherein the initial classification identifies the new activity data as including authorized activity and potentially unauthorized activity data;

filtering the potentially unauthorized activity data using the filtering rule to identify retained activity data, wherein the filtering rule characterizes at least a portion of the potentially unauthorized activity data within the retained group;

filtering the authorized activity data involving the first service to identify supplemental activity data for use in classifying the retained activity data, wherein the supplemental activity data corresponds to least a portion of the authorized activity data involving the first service that is filtered into the retained group using the filtering rule;

analyzing the retained activity data and the supplemental activity data to determine an updated classification for the retained activity data, wherein analyzing includes classifying the retained activity data as authorized activity or classifying the retained activity data as unauthorized activity;

deactivating an unnecessary security measure for the authorized activity classified from the retained activity dataselecting a new security measure for the unauthorized activity classified from the retained activity data; and

activating the new security measure for the authorized activity classified from the retained activity data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for identifying and detecting unauthorized user activity and for decreasing the rate of false-positives. The disclosed systems and techniques may involve analysis of users'"'"' past activity data so that individual classifications and authorization decisions with respect to requested user activity are based on activity data associated with a user'"'"'s use of multiple services.

119 Citations

View as Search Results

30 Claims

1. A system, comprising:
- one or more processors;
  
  one or more non-transitory computer-readable storage mediums including instructions configured to cause the one or more processors to perform operations including;
  
  generating a filtering rule for characterizing activity data into two groups;
  
  accessing a database including activity data to obtain training data, wherein the training data includes past activity data representing unauthorized activity;
  
  partitioning the training data using the filtering rule, wherein partitioning includes filtering different portions of the past activity data into two partitions corresponding to the two groups;
  
  analyzing the partitions, wherein analyzing includes providing the partitions to a model, and wherein the model generates training classifications for the past activity data;
  
  identifying an accurate set of classifications for the training data, wherein the accurate set of classifications provides known classifications for the past activity data;
  
  comparing the known classifications for the past activity data with the training classifications for the past activity data to evaluate performance of the model, wherein the model performs better for a first of the two partitions and worse for a second of the two partitions;
  
  assigning a first of the two groups as a retained group and a second of the two groups as a rejected group based on the performance of the model, wherein the first of the two groups corresponds to the first of the two partitions;
  
  accessing a first database to obtain authorized activity data that represents activity involving a first service provided to a user, wherein the first service is provided by a service provider;
  
  accessing a second database to obtain new activity data that represents activity involving a second service provided to the user, wherein the second service is provided by the service provider, and wherein the second service is different from the first service;
  
  generating an initial classification for the new activity data, wherein the initial classification identifies the new activity data as including authorized activity and potentially unauthorized activity data;
  
  filtering the potentially unauthorized activity data using the filtering rule to identify retained activity data, wherein the filtering rule characterizes at least a portion of the potentially unauthorized activity data within the retained group;
  
  filtering the authorized activity data involving the first service to identify supplemental activity data for use in classifying the retained activity data, wherein the supplemental activity data corresponds to least a portion of the authorized activity data involving the first service that is filtered into the retained group using the filtering rule;
  
  analyzing the retained activity data and the supplemental activity data to determine an updated classification for the retained activity data, wherein analyzing includes classifying the retained activity data as authorized activity or classifying the retained activity data as unauthorized activity;
  
  deactivating an unnecessary security measure for the authorized activity classified from the retained activity dataselecting a new security measure for the unauthorized activity classified from the retained activity data; and
  
  activating the new security measure for the authorized activity classified from the retained activity data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The system of claim 1, wherein analyzing the retained activity data and the supplemental activity data includes:
    - determining that the supplemental activity data indicates that activity involving the first service occurred at a first location;
      
      determining that the retained activity data indicates that activity involving the second service occurred at a second location;
      
      determining a distance between the first location and the second location;
      
      determining that the distance is greater than a distance threshold.
  - 3. The system of claim 2, wherein analyzing the retained activity data and the supplemental activity data includes:
    - determining an approximate amount of time between the activity at the first location and the activity at the second location, wherein the retained activity data associated with the second location is classified based on the amount of time.
  - 4. The system of claim 1, wherein analyzing the retained activity data and the supplemental activity data includes:
    - determining that the retained activity data represents a first instance of abnormal activity involving the second service;
      
      detecting an inconsistency between the first instance of abnormal activity and activity represented by the authorized activity data; and
      
      determining, based on the detected inconsistency, that the first instance of abnormal activity is unauthorized activity.
  - 5. The system of claim 4, wherein detecting the inconsistency includes determining that the user is unlikely to have initiated both the abnormal activity and the activity represented by the authorized activity data.
  - 6. The system of claim 1, wherein the operations further include:
    - determining that the retained activity data represents an instance of abnormal activity involving the second service;
      
      detecting activity that is represented by the authorized activity data and is consistent with the instance of abnormal activity; and
      
      in response to detecting the activity that is consistent, classifying the abnormal activity involving the second service as authorized activity.
  - 7. The system of claim 1, wherein the supplemental activity data is a subset of the authorized activity data, and wherein the filtering rule is associated with a condition satisfied by activity data in the supplemental activity data.
  - 8. The system of claim 7, wherein the training data corresponds to past activity data involving the second service.
  - 9. The system of claim 1, wherein the operations further include:
    - determining a filtering criteria for the filtering rule based on past information associated with authorized or unauthorized activity involving the second service.
  - 10. The system of claim 9, wherein determining the filtering criteria includes defining the filtering criteria to facilitate:
    - identifying a portion of the authorized activity data that is inconsistent with the new activity data;
      
      oridentifying a portion of the authorized activity data that is consistent with the new activity data.
  - 11. The system of claim 9, wherein the operations further include:
    - providing the authorized activity data to a detection mechanism prior to filtering the authorized activity data, wherein;
      
      the detection mechanism is configured to detect unauthorized activity involving the first service without processing information about user activity involving the second service.
  - 12. The system of claim 11, wherein the detection mechanism scores components of the authorized activity data, wherein scoring includes calculating a likelihood that the scored component corresponds to unauthorized activity, and wherein filtering the authorized activity data is further based on the scoring.
  - 13. The system of claim 1, wherein the new activity data is a subset of a data superset, wherein the data superset comprises information representing activity involving the second service, and wherein accessing the new activity data includes:
    - filtering the data superset, wherein filtering the data superset is performed using second data filtering criteria, and includes classifying activity represented by the new activity data.
  - 14. The system of claim 13, wherein the second data filtering criteria are for separating a subset of data from a data superset, wherein the subset is more informative for detecting unauthorized activity as compared to a portion of data that is in the data superset but which is not in the separated subset.
  - 15. The system of claim 1, wherein the authorized activity data represents multiple instances of activity involving the first service, wherein the authorized activity data includes multiple data components, and wherein each data component represents a unique one of the multiple instances of activity involving the first service.
  - 16. The system of claim 15, wherein filtering the authorized activity data includes:
    - identifying authorized activity data components that represent;
      
      an instance of activity associated with an amount transacted that is in excess of a predetermined threshold amount;
      
      an instance of activity which is abnormal activity for the user;
      
      an instance of activity determined to have occurred more than a threshold distance from a residence of the user;
      
      oran instance of activity determined to have occurred more than a threshold distance from a location at which a previous instance of activity occurred; and
      
      wherein the supplemental activity data includes the identified authorized activity data components.
  - 17. The system of claim 16, wherein filtering the authorized activity data is done without consideration of the new activity data.
  - 18. The system of claim 16, wherein filtering the authorized activity data includes using a machine-learning algorithm to filter the authorized activity data, and wherein using the machine-learning algorithm includes training with past data representing unauthorized activity involving the first service or the second service.

19. A computer-implemented method for detecting an unauthorized activity, the method comprising:
- generating a filtering rule for characterizing activity data into two groups;
  
  accessing a database including activity data to obtain training data, wherein the training data includes past activity data representing unauthorized activity;
  
  partitioning the training data using the filtering rule, wherein partitioning includes filtering different portions of the past activity data into two partitions corresponding to the two groups;
  
  analyzing the partitions, wherein analyzing includes providing the partitions to a model, and wherein the model generates training classifications for the past activity data;
  
  identifying an accurate set of classifications for the training data, wherein the accurate set of classifications provides known classifications for the past activity data;
  
  comparing the known classifications for the past activity data with the training classifications for the past activity data to evaluate performance of the model, wherein the model performs better for a first of the two partitions and worse for a second of the two partitions;
  
  assigning a first of the two groups as a retained group and a second of the two groups as a rejected group based on the performance of the model, wherein the first of the two groups corresponds to the first of the two partitions;
  
  accessing a first database to obtain authorized activity data that represents activity involving a first service provided to a user, wherein the first service is provided by a service provider;
  
  accessing a second database to obtain new activity data that represents activity involving a second service provided to the user, wherein the second service is provided by the service provider, and wherein the second service is different from the first service;
  
  generating an initial classification for the new activity data, wherein the initial classification identifies the new activity data as including authorized activity and potentially unauthorized activity data;
  
  filtering the potentially unauthorized activity data using the filtering rule to identify retained activity data, wherein the filtering rule characterizes at least a portion of the potentially unauthorized activity data within the retained group;
  
  filtering the authorized activity data involving the first service to identify supplemental activity data for use in classifying the retained activity data, wherein the supplemental activity data corresponds to at least a portion of the authorized activity data involving the first service that is filtered into the retained group using the filtering rule;
  
  analyzing the retained activity data and the supplemental activity data to determine an updated classification for the retained activity data, wherein analyzing includes classifying the retained activity data as authorized activity or classifying the retained activity data as unauthorized activity;
  
  deactivating an unnecessary security measure for the authorized activity classified from the retained activity dataselecting a new security measure for the unauthorized activity classified from the retained activity data; and
  
  activating the new security measure for the authorized activity classified from the retained activity data.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The method of claim 19, wherein the supplemental activity data is a subset of the authorized activity data, and wherein the filtering rule is associated with a condition satisfied by activity data in the supplemental activity data.
  - 21. The method of claim 19, further comprising:
    - determining a filtering criteria for the filtering rule based on past information associated with authorized or unauthorized activity involving the second service.
  - 22. The method of claim 21, further comprising:
    - providing the authorized activity data to a detection mechanism prior to filtering the authorized activity data, wherein;
      
      the detection mechanism is configured to detect unauthorized activity involving the first service without processing information about user activity involving the second service.
  - 23. The method of claim 19, wherein the authorized activity data represents multiple instances of activity involving the first service, wherein the authorized activity data includes multiple data components, and wherein each data component represents a unique one of the multiple instances of activity involving the first service.
  - 24. The method of claim 23, wherein filtering the authorized activity data includes:
    - identifying authorized activity data components that represent;
      
      an instance of activity associated with an amount transacted that is in excess of a predetermined threshold amount;
      
      an instance of activity which is abnormal activity for the user;
      
      an instance of activity determined to have occurred more than a threshold distance from a residence of the user;
      
      oran instance of activity determined to have occurred more than a threshold distance from a location at which a previous instance of activity occurred; and
      
      wherein the supplemental activity data includes the identified authorized activity data components.

25. A computer-program product, tangibly embodied in a machine-readable non-transitory storage medium, including instructions configured to cause a data processing apparatus to perform operations including:
- generating a filtering rule for characterizing activity data into two groups;
  
  accessing a database including activity data to obtain training data, wherein the training data includes past activity data representing unauthorized activity;
  
  partitioning the training data using the filtering rule, wherein partitioning includes filtering different portions of the past activity data into two partitions corresponding to the two groups;
  
  analyzing the partitions, wherein analyzing includes providing the partitions to a model, and wherein the model generates training classifications for the past activity data;
  
  identifying an accurate set of classifications for the training data, wherein the accurate set of classifications provides known classifications for the past activity data;
  
  comparing the known classifications for the past activity data with the training classifications for the past activity data to evaluate performance of the model, wherein the model performs better for a first of the two partitions and worse for a second of the two partitions;
  
  assigning a first of the two groups as a retained group and a second of the two groups as a rejected group based on the performance of the model, wherein the first of the two groups corresponds to the first of the two partitions;
  
  accessing a first database to obtain authorized activity data that represents activity involving a first service provided to a user, wherein the first service is provided by a service provider;
  
  accessing a second database to obtain new activity data that represents activity involving a second service provided to the user, wherein the second service is provided by the service provider, and wherein the second service is different from the first service;
  
  generating an initial classification for the new activity data, wherein the initial classification identifies the new activity data as including authorized activity and potentially unauthorized activity data;
  
  filtering the potentially unauthorized activity data using the filtering rule to identify retained activity data, wherein the filtering rule characterizes at least a portion of the potentially unauthorized activity data within the retained group;
  
  filtering the authorized activity data involving the first service to identify supplemental activity data for use in classifying the retained activity data, wherein the supplemental activity data corresponds to least a portion of the authorized activity data involving the first service that is filtered into the retained group using the filtering rule;
  
  analyzing the retained activity data and the supplemental activity data to determine an updated classification for the retained activity data, wherein analyzing includes classifying the retained activity data as authorized activity or classifying the retained activity data as unauthorized activity;
  
  deactivating an unnecessary security measure for the authorized activity classified from the retained activity dataselecting a new security measure for the unauthorized activity classified from the retained activity data; and
  
  activating the new security measure for the authorized activity classified from the retained activity data.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The computer-program product of claim 25, wherein the supplemental activity data is a subset of the authorized activity data, and wherein the filtering rule is associated with a condition satisfied by activity data in the supplemental activity data.
  - 27. The computer-program product of claim 25, wherein the operations further include:
    - determining a filtering criteria for the filtering rule based on past information associated with authorized or unauthorized activity involving the second service.
  - 28. The computer-program product of claim 27, wherein the operations further include:
    - providing the authorized activity data to a detection mechanism prior to filtering the authorized activity data, wherein;
      
      the detection mechanism is configured to detect unauthorized activity involving the first service without processing information about user activity involving the second service.
  - 29. The computer-program product of claim 25, wherein the authorized activity data represents multiple instances of activity involving the first service, wherein the authorized activity data includes multiple data components, and wherein each data component represents a unique one of the multiple instances of activity involving the first service.
  - 30. The computer-program product of claim 29, wherein filtering the authorized activity data includes:
    - identifying authorized activity data components that represent;
      
      an instance of activity associated with an amount transacted that is in excess of a predetermined threshold amount;
      
      an instance of activity which is abnormal activity for the user;
      
      an instance of activity determined to have occurred more than a threshold distance from a residence of the user;
      
      oran instance of activity determined to have occurred more than a threshold distance from a location at which a previous instance of activity occurred; and
      
      wherein the supplemental activity data includes the identified authorized activity data components.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAS Institute Incorporated
Original Assignee
SAS Institute Incorporated
Inventors
Duke, Brian Lee, Dulany, Paul C., Shah, Kannan Shashank
Primary Examiner(s)
Waliullah, Mohammed

Application Number

US15/043,012
Publication Number

US 20160283715A1
Time in Patent Office

396 Days
Field of Search

726 22- 25
US Class Current

1/1
CPC Class Codes

G06F 21/1064   Restricting content process...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/6218   to a system of files or obj...

G06N 20/00   Machine learning

G06Q 20/308   using the Internet of Things

G06Q 20/4016   involving fraud or risk lev...

Unauthorized activity detection and classification

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

119 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Unauthorized activity detection and classification

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links