• 专利附录
  • 专利说明
  • 权利要求
  • 类似技术
  • 同族专利
  • 引用文献
  • 法律状态
  • 优先权
    • 专利摘要:
    A computer-based method and apparatus for determining whether a financial transaction is fraudulent is disclosed. The apparatus in one embodiment collects transactions from a channel using eavesdropping techniques. The method uses linear programming algorithms to tune the rules (104) used to make the determination. The tuning first performs a simulation using historical data (101) and then creates a matrix of the rules which are processed by the linear programming algorithm to solve for the variables in the rules. With the updated rules, a second simulation is performed to visualize the performance improvement. The updated rules are then used to assess possible fraud in transactions.
    公开号:CH717742A2
    申请号:CH00346/21
    申请日:2021-04-06
    公开日:2022-02-15
    发明作者:Amitai Dalit;Cohen Shahar;Mayer Yulia;Avital Serfaty
    申请人:Bottomline Tech Ltd;
    IPC主号:
    专利说明:

    CONTEXT
    Prior request
    This application claims the priority of US application 16/985,773 filed on August 5, 2020.
    Technical area
    [0002] The apparatus and methods described herein relate generally to fraud detection, in particular the use of linear and non-linear programming techniques to detect financial fraud.
    Description of related technique
    [0003] The oldest trace of fraud appears in Greek literature, and history is replete with schemes and strategies aimed at taking money from others using deceptive means. A Forbes magazine article estimated the amount of money lost to fraud at $190 billion a year in 2009, with banks absorbing $11 billion and consumers losing $4.8 billion. dollars and traders taking the rest of the losses. The astronomical amount of money lost to fraud has forced banks to place increasing emphasis on detecting fraud.
    [0004] Today, bank fraud is a sophisticated activity affecting the four corners of the planet. Cybercriminals are organized, coordinated and highly specialized, creating a powerful network that is, in many ways, a significantly more efficient ecosystem than the banking industry. They continually reinvest their financial gains to advance the technology and methods used to circumvent the layers of security put in place by financial institutions.
    [0005] The rate of innovation of fraudsters in fraud and their ability to invest in order to attack banks and credit unions far exceeds the ability of these institutions to invest to protect themselves against evolving threats. quickly. Whether it's phishing scams, mobile malware, banking trojans, man-in-the-browser systems, or the many techniques to circumvent authentication multi-factor, the threats cover online banking, mobile banking, as well as payment channels through an automated clearing house and wire transfer. The range and complexity of threats that financial institutions must defend against continue to grow.
    [0006] The traditional approach to fraudulent activity is to manually analyze historical transactions for patterns or atypical transactions. However, these methods fail to prevent fraudulent activity and only serve to highlight something that has already taken place. And the colossal volume of transactions carried out precludes examining more than a small sample of the overall set of transactions.
    [0007] It has long been deemed necessary to effectively and automatically examine and identify potentially fraudulent transactions in real time as the transactions pass through the payment channel. Recent software solutions analyze payments or financial transfers against a set of rules to determine a risk score. The risk score is then compared to a threshold that determines whether the transaction is fraudulent. But these rules are basic and not verifiable against the reality of real transactions. Most thresholds are established based on rules of thumb rather than based on data. A method is needed to improve the rule set, to tune and verify the rule set to minimize false positives and false negatives.
    The present inventions fill this gap in the current state of the art.
    BRIEF SUMMARY OF INVENTIONS
    [0009] A computerized fraud detection apparatus is described herein. The apparatus includes a monitor, a channel, the monitor being connected to the channel and a data store (or data memory) connected to the monitor. The data store contains historical data and a set of rule drafts. The monitor is configured to: create a matrix of each rule in the set of draft rules for each historical transaction appearing in the historical data, solve the matrix for the score of each rule using linear programming, copy said rule scores in a model rule set, monitoring the channel for a possible new transaction, applying data from the new transaction to the model rule set to produce a new transaction score, and indicating that the new transaction is fraudulent if the new transaction score exceeds a threshold.
    [0010] The monitor can also be configured to perform other operations, as described below. For example, in some embodiments, the matrix is resolved for a constant in one of the rules. If the monitor determines that the new transaction is fraudulent, it may inform a fraud monitor that the new transaction is fraudulent and/or may inform a bank that the new transaction is fraudulent. The monitor can also ask the bank to block the new transaction.
    [0011] Further, in some embodiments, the monitor cycles through each transaction appearing in the historical data, calculating a transaction score for each historical transaction that is a sum of the rule scores for that historical transaction, and comparing that score with the threshold for making a fraud determination, said fraud determination being compared to an actual determination associated with the historical transaction to create a transaction accuracy score, the transaction accuracy score being summed to determine a quality indicator of the model ruleset. The model rule set quality indicator may further be compared to an expected quality indicator. The monitor then copies the rule scores only if the quality indicator of the model ruleset exceeds the expected quality indicator.
    [0012] The monitor can for example be connected to the channel via banking software, the banking software calling the monitor and transmitting the new transaction to the monitor. The monitor may also receive the new transaction in a message directed, on the channel, specifically to the monitor for processing. In another embodiment, the monitor monitors the channel for the new transaction destined for another network device.
    [0013] A computerized method for detecting a fraudulent transaction on a channel is also described. The method includes the steps of (1) creating a matrix of each rule in a set of draft rules for each historical transaction appearing in historical data stored in a data store; (2) solving the matrix for each rule score using linear programming; (3) copying rule scores into a model rule set; (4) monitoring the channel for a new transaction; (5) applying data from the new transaction to the model ruleset; (6) generating a new transaction score from the data and the model rule set; and (7) indicating that the new transaction is fraudulent if the new transaction score exceeds a threshold.
    [0014] In some embodiments, the matrix is solved for a constant in one of the rules. The method may also include the step (8) of notifying a fraud monitor that the new transaction is fraudulent and, in some embodiments, the step (9) of notifying a bank that the new transaction is fraudulent and possibly the step (10) of requesting the blocking of the new transaction from the bank.
    [0015] The method may also include the steps (2a) of reviewing each transaction appearing in the historical data; (2b) calculating a transaction score for each historical transaction which is a sum of the rule scores for that historical transaction; (2c) comparing the sum of the rule scores with the threshold to make a determination of fraud, said determination of fraud being compared to an actual determination associated with the historical transaction to create an accuracy score of the transaction; and (2d) adding said accuracy score of the transaction to determine a quality indicator of the set of model rules. Optionally, the method may also include modifying step (3) with (3a) comparing the quality score of the model ruleset with an expected quality score, and loading the rule scores only if the quality indicator of the model rule set exceeds the expected quality indicator.
    [0016] Step (4) can either be modified as follows: (4a) channel monitoring is indirectly performed via banking software, or (4b) channel monitoring for the new transaction includes receiving transactions intended for another network device.
    BRIEF DESCRIPTION OF DRAWINGS
    Figure 1 is a block diagram of the components of this system.
    Figure 2 is a flowchart of the rule optimization process.
    Figure 3 is a flowchart of the monitor channel monitoring process.
    Figure 4 is a diagram of the equipment used in one embodiment.
    Figure 5 is an x-y plot of the linear analysis of fraud detection.
    Figure 6 is an x-y graph depicting linear programming for fraud detection.
    DETAILED DESCRIPTION
    The present disclosure will now be described in detail with reference to the drawings. In the drawings, each element with a reference number is similar to other elements with the same reference number, regardless of any designation by a letter following the reference number. In the text, a reference number with a specific letter designation following the reference number refers to the specific item with the number and letter designation, and a reference number without a specific letter designation refers to all elements with the same reference number, regardless of any designation by a letter following the reference number on the drawings.
    [0024] The present inventions provide computerized solutions for monitoring banking and financial transactions for fraudulent activity. These techniques can also be used for opening financial accounts, analyzing payments and invoices, in monitoring pharmaceutical prescriptions for illegal distributions of controlled substances, in government monitoring of various activities, such as import and export for the purpose of circumventing customs tariffs and tax evasion, for example, or for other uses. In each case, these techniques solve the problems of improving and tuning the sets of rules used in activity monitoring.
    [0025] Referring to Figure 1, a diagram of the system is shown which depicts the fraud monitoring environment. A database containing historical data101 contains all transaction records for a period of time. This time frame can range from a few hours to decades of data, depending on the speed of the transactions, but it's usually months, maybe 6 or 12 months of data. In some embodiments, each transaction observed on channel 106 is added to historical data 101, either through another process in the system or through monitor software 105. This software forms, with the computer computer or the computer system on which is is implemented, a machine, that is to say a computerized monitoring device (or system), such as a payment monitoring device. This concept of "monitor" is called "p-monitor" in the priority request. In some embodiments, the historical data is further edited to add information or to remove outliers. This added information may include actual fraud determinations by a fraud investigation team. For example, if a transaction is flagged by the monitor105 software as fraudulent, it is sent to the fraud monitor107 for analysis by the fraud investigation team. This team investigates the fraud and is the one who ultimately decides whether it is a false positive or a true positive. This information can then be added to the transaction log in historical data101. Similarly, if a transaction is not identified as fraud by the monitor105 software, but the fraud is discovered later, perhaps by a customer or another financial institution, then the fraud investigation team may update the transaction log in historical data101 to reflect the false negative. These registers of false positives and false negatives are particularly relevant for the tuning of the model ruleset104 during the next tuning cycle.
    The purpose of the process is to optimize the allocation of scores to the various incidents created by the engine of the rule. Rulesets102,104 have many templates, where templates can have parameters and thresholds. Different thresholds can create different incidents. Each incident has a configured score. If the sum of the scores due to the incidents created reaches a predefined threshold, a fraud alert is created.
    [0027] In some embodiments, the historical data is analyzed to produce statistics about the data. For example, a count of the number of transactions, the sum of transaction amounts, the number of transactions sent to blacklisted destinations, etc. for a particular sending customer can be calculated and maintained as new transactions are added.
    [0028] A set of draft rules 102 is also stored in a database. Draft ruleset 102 is a set of rules that may indicate fraudulent behavior when applied to a transaction. The set of draft rules 102 may originate from the provider of the adjustment software 103 and the monitor software 105, and it may be refined by the financial institution operating the software. If the software has been installed for some time, the draft ruleset 102 may be the result of one or more tuning iterations in the past that have refined the original ruleset.
    [0029] In the present embodiment, each incident (i) generates an XI score. The scores for each incident for a given transaction are summed (∑ =0Xi), where n is the number of potential incidents, which can be produced by the set of rules102,104, and if the sum is greater than a threshold ( T), then the transaction is considered fraudulent.
    [0030] The ruleset may take the form of a human-readable description of the rules, a set of mathematical formulas, or may take the form of a parameter matrix for the ruleset. In an example rule, the rule might read „WPF0201 Customer performs a payment transaction on a blacklisted account: If the blacklisted customer's transaction count is > 0 and the transaction amount is > 0, assign the transaction a score of 1000“. In this example, natural language processing is used to translate the formula into computer-usable formats. In a second rule example, the rule can be written “WPF0201: score = if (customer.BlackListCount > 0) and (TransactionAmount > 0) then 1000 else 0”. In yet a third embodiment, the following matrix can be used: WPF0201 > 0 > 0 1000 WPF0208A > 50,000 and ≤ 80,000 50 WPF0208B > 80,000 80
    Table 1: Set of matrix rules
    [0031] Tuning software 103 transforms the draft rule set 102 into a model rule set 104 using the historical data 101 to set the parameters and score for each rule in the rule set. This transformation is performed using linear programming in this embodiment. In other embodiments, nonlinear programming is used, if nonlinear rules (curves, exponentials, logarithms, quadratics, etc.) are needed.
    [0032] The purpose of the adjustment is to optimize the value of the score for each incident and to optimize the parameters so that the rules generate the lowest overall score for a non-fraudulent transaction without allowing a false-negative result. At the same time, the setting minimizes false-positive results.
    [0033] In essence, this solves each Xisur a large number of transactions appearing in the historical data101. Let X1 be the score to be assigned to an incident i (i = 1, ... , n), or Cj the Boolean indicator of the occurrence of incident i in transaction j, and let a threshold score (so that according to the rule engine, if the sum of the scores by the incidents exceeds T, the transaction is a fraud). For example, for this example rule, if the transaction is destined for a blacklisted country, the value of the incident Xi is added to the sum. If it is not destined for a blacklisted country, then 0 is added to the sum.
    So that for all transactions jXi≥ 0 for all i
    [0034] The adjustment software 103 is described in more detail in the description of figure 2 below. The adjustment software103 outputs a set of model rules104 which is adjusted with the historical data101.
    [0035] The model rule set 104 is a set of rules that can indicate fraudulent behavior when applied to a transaction. The model ruleset 104 will use formats similar to the draft ruleset 102, in most embodiments. In some other embodiments, the model ruleset 104 will be in a machine-readable format, perhaps the raster format in Table 1 or machine code that is easily executable by a central processing unit 404 in the monitor 406. The model rule set104 is used by the monitor105 software to analyze each transaction observed on the channel106.
    [0036] Monitor 105 software, in some embodiments, listens for transactions on channel 106 in eavesdropper mode, retrieving all transactions that pass through channel 106. When a transaction is observed, it is stored in historical data101and the transaction is compared against the model rule set104to determine if the transaction is fraudulent. Details of monitor software 105 are found below in conjunction with the discussion of Figure 3. In another embodiment, a bank, financial institution, or other software package may collect transactions and send them to monitor software 105. For example, a bank 108 may run banking software that processes every transaction that the bank 108 receives on channel 106. The banking software can send each transaction to the monitor software before processing the transaction to see if the transaction is fraudulent.
    The channel106 is a payment or banking channel used to connect banks, financial institutions or their customers. It is a high security network that uses encryption and limits access physically or virtually (VPN). The physical implementation of channel 106 may be via the Internet, a local area network, a wireless network, a combination of the above, or any other networking technology.
    [0038] If monitor software 105 determines that a transaction is fraudulent, then monitor software, in some embodiments, notifies bank 108 (or financial institution or customer) to hold the transaction. A notification is also sent to the fraud monitor107 for investigation by the fraud investigation team. The fraud investigation team will then review the transaction and historical data to decide whether or not to cancel the transaction. The fraud investigation team will also mark the transaction as a real fraud, a false positive or as justified. A transaction is marked as justified when it appears to be fraudulent and does not constitute fraud, but the fraud investigation team wishes to investigate this type of transaction. When settling in the future, justified transactions are considered fraudulent.
    [0039] Fraud monitor 107 could be a personal computer, laptop, smartphone, tablet, smartwatch, or similar device connected directly or indirectly via a network to monitor 406. The Fraud Monitor107 is the interface between the monitor software and the fraud investigation team.
    [0040] Figure 2 shows the details of the adjustment software 103. The beginning of the rules201 tuning process begins with defining the rules202and defining the parameters203. The original set of rules can originate from the software vendor and then be modified by the customer. In other instances of the rule setting process, the rules and parameters are set by a previous iteration through this software. Each rule can create one or more incidents and can have several parameters that affect its operation. Each incident has a score value. For example, rule WPF0208 covers incidents that are generated when a customer transacts excessively to a country where they have never transacted before. Relevant parameters can be the past analysis period (how far back do we know if a transaction has already been sent to this country), the acquisition period, the minimum learning period, the minimum number of transactions , the minimum total amount, the list of active countries and the set of scores. Different incidents can be created by the rule, depending for example on the payment amount. Large amount transactions may generate one incident, while smaller amount transactions may generate another incident.
    [0041] Each parameter can have static values (for example, the past analysis period can always be 180 days and not be adjustable), which means that it does not participate in the optimization or that it can receive a set of values. Each of these unique values is responsible for a single incident. The set of values can come from a calculation specific to each client. For example, the minimum total amount can be given [V1, V2, V3] where V1 is the 50 percentile of the accounts receivable transaction amount, V2 is the 75 percentile, and V3 is the 90 percentile. The number of unique values should not be too large, and it is recommended that it covers a range of values only for numeric parameters (eg transaction amount). Each unique combination of values for the different parameters defines a different incident for the rule. For example, WPF0208_V1 can be defined as the incident that is generated by rule WPF0208 when the transaction amount parameter receives V1 (assuming all other parameters of this rule are static).
    [0042] Once the rules, parameters and scores have been defined, a simulation 204 is run on the set of draft rules 102 using the historical data 101, creating a table with all the rules and transactions. The resulting table may look like table 2. 10201 0 50 0 0 1000 1050 YES NO 10202 1000 0 80 0 0 1080 YES YES 10215 0 0 0 0 0 0 NO NO
    Table 2 - Matrix of simulation results
    [0043] In Table 2, a subset of transaction rules and incidents are listed, as the number of transactions can be in the millions and the number of incidents can be in the hundreds. The transaction identifier comes either from the actual transaction number or from a unique identifier in historical data101. The value in each cell is the score associated with the incident. For example, in transaction 10202, the customer is attempting to send $85,000 and has sent money to a blacklisted destination in the last 180 days. The result for rule WPF0201: score = if (customer.BlackListCount > 0) and (TransactionAmount > 0) then 1000 else 0 will be 1000, due to blacklist history and the fact that the amount of the transaction is greater than 0. WPF0208A is 0 because the transaction amount is not between $50,000 and $80,000, and WPF0208B is 80 because the transaction is greater than $80,000 (rule WPF0208 produces an incident with a score of 50 if the transaction amount is greater than $50,000 and an incident with a score of 80 if the transaction amount is greater than $80,000). The sum of 1000, 0 and 80 is 1080, which is the score for this trade. Since the score is greater than T, and the fraud threshold is 1000, we calculate that the transaction is a fraud. This corresponds to the real fraud for this transaction, so the model produces real fraud. Transaction 10201 calculates 1050, above the fraud threshold T, so we calculate that it is fraudulent, but the reality determines that the transaction is not fraudulent; we are therefore in the presence of a false positive. Once the simulation is complete, an accuracy indicator is calculated by calculating the percentage of false positives and false negatives. These numbers represent the quality of the ruleset.
    [0044] Next, a linear programming matrix is initialized to zero, then the linear programming matrix is populated and solved for the minimum rule score values and minimum required constants, using the linear programming package PuLP in a embodiment. Other embodiments may use different software to solve the linear program. For each transaction206 appearing in the historical data101, step through the analysis of each rule. For each rule207in the set of draft rules102, iterate through the incidents, test the conditions208to see if the conditions are met, and if so, the incident is added to the matrix209and the next rule is retrieved221. In the PuLP embodiment, the entire row of the matrix is a string containing the formula to be solved, so adding the rule is a concatenation of the string containing that rule. The values are not connected, the rule is simple: WPF0201: score = if (customer.BlackListCount > 0) and (TransactionAmount > 0) then 1000 else 0 will be 1000. Other formats can be used without deviating inventions. When all rules are processed, the next transaction231 is retrieved.
    [0045] Once all rules are entered for all transactions, the linear program (as stored in the matrix) is solved using the PuLP solve() function. Other linear programming software packages can also be used without departing from these inventions.
    [0046] The PuLP software package uses algorithms such as the revised Simplex method or interior point methods for simple and well-understood matrices. More complex problems use heuristic methods that do not guarantee optimality. Other algorithms for solving linear programming problems include George Dantzig's simplex algorithm or a criss-cross algorithm.
    [0047] Once the linear program is solved 214, each calculated parameter and the calculated score for each rule are copied back into the set of draft rules 102 creating the set of model rules 104.
    [0048] The model ruleset 104 is then run through the simulation 210, using the historical data 101, in the same way that the simulation was performed in 204. Once the simulation is complete, an accuracy indicator is calculated by calculating the percentage of false positives and false negatives. These numbers represent the quality of the model rule set104. If the quality numbers have not improved, if the linear program could not be solved, or if the quality numbers are still not at an acceptable level211, reset the matrix205with a new set of rules213 (modifying various Cijou constraints by eliminating one or more rules) and run the linear programming again using the set of model rules104.
    [0049] If the results are acceptable211, return212the model rule set104 to the calling routine where it is saved.
    [0050] Figure 3 shows a flowchart of monitor software 105 using the model rule set 104 to determine if transactions on channel 106 are fraudulent. The monitor software301 begins by collecting a transaction from channel302. In this embodiment, monitor 406 listens to all traffic on channel 106 in eavesdropping mode and sorts network packets for application layer transactions. In other embodiments, transactions are sent to monitor software 105 either by calling monitor software 105 as a subroutine or by sending transaction messages to monitor software 105, operating as software as a service.
    [0051] Once the monitor software 105 has the transaction, the transaction is sent for storage 303 in the historical data 101, and various statistics appearing in the historical data 101 are updated. For example, the countries to which the client sends transactions are updated and the number of transactions per country is updated. In some embodiments, step 302 is performed in a call routine. In other embodiments, the historical data is not updated. In yet other embodiments, the transaction is stored, but the statistics are not updated immediately but are aggregated for later updating.
    [0052] The transaction is then executed via the set of model rules 304. Each rule in the Model104 rule set is first examined to see if the conditions are met (Ct) and, if the conditions are met, then the score is calculated based on the incident score (Xi) Incident scores are then added and compared to the threshold T.
    [0053] If the transaction is not determined to be fraudulent305, then the monitor software 105 waits for the next transaction310.
    [0054] If the transaction is fraudulent 305 , then the transaction is sent 306 to the fraud monitor 107 so that the fraud investigation team can search for the transaction, verify that it is a true positive and flag any false positives. The investigation team can also notify law enforcement, close accounts, and take other actions to prevent the recurrence of fraud.
    [0055] In addition, the bank 108 is informed that it must block the transaction 307, in most embodiments. This may involve sending a message to the sending and receiving financial institutions requesting that the transaction be reversed. In some embodiments, the monitor software 105 simply returns an indication that the transaction is fraudulent, and the calling software handles transaction cancellation and notifications.
    [0056] Figure 4 shows one possible physical embodiment of the fraud monitoring system. Channel 401 (see also 106) is a network, such as Ethernet (IEEE 802.3), Wi-Fi (IEEE 802.11), token ring, fiber optic, cellular network in the form of a local area network , wireless network, wide area network or similar. Channel 401 in this embodiment has a listening jack 402 allowing monitor 406 to access channel 401. The channel401 can be a payment network, a banking network, a financial transaction network, etc.
    [0057] The channel 401 is connected to a merchant 410 and to a bank 409. In a typical embodiment, there would be many merchants and there could be a number of banks as well. Merchant 410 would send a payment transaction message to bank 409 over channel 401, directing a payment to be made. Monitor 406 listens to channel 401 and sees the transaction, and determines if it is fraudulent. If this is the case, the monitor 406 sends the bank 409 a message on the channel 401 stopping the transaction.
    [0058] Listening jack 402 connects to eavesdropping transceiver 403, a wired or wireless transceiver that is configured to receive all channel 401 traffic.
    The monitor 406 includes an eavesdropping transceiver 403, a central processing unit 404 to compare rules to transactions and to operate an eavesdropping network stack. This central processing unit 404 may be a high performance multi-core device for processing transaction volume. In some embodiments, the central processing unit 404 may be a combination of ASICs for processing the network stacks and ASICs for high performance comparison of transactions against rule sets. A microprocessor can also be part of this ASIC combination to handle the processing. Monitor 406 also includes memory 405 to store data during processing. In this embodiment, transceiver 403, central processing unit 404, and memory 405 are mechanically and electrically connected inside monitor 406. Monitor 406 runs monitor software 105 and, in some embodiments, also runs adjustment software 103.
    [0060] The monitor 406 is connected, electrically, optically or wirelessly, to the rule data store 407 and to the historical data store 408. The rules data store 407 may contain both the rule draft 101 and the rule template 104 in some embodiments. Historical data101is stored in the historical data store408. In some embodiments, the historical data store 408 and the rules data store 407 may be the same physical device. The two data stores 407,408 can be a magnetic hard drive, optical drive, solid state drive, RAM or similar data storage device.
    Figure 5 is a graph of the linear analysis of fraud detection. The sum of the scores of each rule (Xi) is plotted on the line t, and if the sum is less than T (1000 in this embodiment), no fraud is determined, otherwise the transaction is judged to be fraudulent.
    Figure 6 is an x-y graph showing, in graphical form, how linear programming is used in fraud detection. The x601 axis goes from zero to the right and represents the number of false positives. The y602 axis goes from zero upwards and represents the number of false negatives. The goal is to minimize false positives and false negatives. In some embodiments, the goal is to minimize false positives while preventing any false negatives. In other embodiments, some false negatives may be allowed. The curve of the ratio603 of false positives to false negatives is seen as a continuous line in Figure 6. Using linear programming, the algorithms seek to minimize false positives and false negatives while remaining within the limits of the constraints. This refers to the full circle607. The constraints are then adjusted using the tuning software103 to focus the rules towards this solution607.
    [0063] It should be understood that many of the items discussed in this description may be implemented in one or more hardware circuits, a circuit executing software code or instructions that are encoded in computer-readable media accessible to the circuits, or a combination of one or more hardware circuits and a circuit or control block of an integrated circuit executing machine-readable code encoded in a computer-readable medium. As such, the term circuit, module, server, application or other equivalent description of an item as used in any description is, unless otherwise specified, intended to encompass hardware circuitry (whether separate elements or integrated circuit block), a circuit or control block executing code encoded in a computer-readable medium, or a combination of one or more hardware circuits and a circuit and/or of a command block executing such code.
    [0064] All ratio ranges and limits disclosed in the description and claims may be combined in any way. Unless otherwise specified, references to "a", "an", and/or "the" may include one or more items, and such reference to a singular item may also include the plural item.
    [0065] Although the inventions have been presented and described with respect to a certain embodiment or embodiments, equivalent alterations and modifications will become apparent to those skilled in the art on reading and understanding this description and the attached drawings. In particular with respect to the various functions performed by the elements described above (components, assemblies, devices, compositions, etc.), the terms (including a reference to a "means") used to describe such elements are intended to correspond, unless otherwise stated, to any item which performs the specified function of the item described (i.e. is functionally equivalent), even if not structurally equivalent to the structure described which performs the function in the exemplary embodiment illustrated herein or the embodiments of the inventions. Additionally, although a particular feature of the inventions may have been described above with respect only to one or more of the illustrated embodiments, that feature may be combined with one or more other features of the other embodiments, such as this may be desired and advantageous for any given or particular application.
    [0066] The above description of embodiments, alternative embodiments and specific examples are given by way of illustration and should not be construed as limiting. Further, many changes and modifications within the scope of the present embodiments can be made without departing from their spirit, and the present inventions include such changes and modifications.
    权利要求:
    Claims (20)
    [1]
    1. Computerized fraud detection apparatus, the apparatus comprising:a monitor ;a channel, the monitor being connected to the channel; anda data memory connected to the monitor, the data memory containing historical data and a set of draft rules,in which the monitor is configured tocreate a matrix of each rule in the set of stub rules for each historical transaction appearing in the historical data,solve the matrix for each rule score using linear programming,copy said rule scores into a set of model rules,monitor the channel for a new transaction,apply the data from the new transaction to the model ruleset to produce a new transaction score, andindicating that the new transaction is fraudulent if the new transaction score exceeds a threshold.
    [2]
    2. Apparatus according to claim 1, wherein the monitor is further configured to solve the matrix for a constant in one of the rules.
    [3]
    3. Apparatus according to claim 1 or 2, wherein the monitor is further configured to notify a fraud monitor that the new transaction is fraudulent.
    [4]
    4. Apparatus according to claim 1, 2, or 3, wherein the monitor is further configured to notify a bank that the new transaction is fraudulent.
    [5]
    5. Apparatus according to claim 4, wherein the monitor is further configured to request the bank to block the new transaction.
    [6]
    6. Apparatus according to any of claims 1 to 5, wherein the monitor is further configured to: cycle through each transaction appearing in the historical data; calculating a transaction score for each historical transaction which is a sum of the rule scores for that historical transaction; comparing this score with the threshold for making a fraud determination, to compare said fraud determination to an actual determination associated with the historical transaction to create a transaction accuracy score; and summing said transaction accuracy score to determine a quality indicator of the model ruleset.
    [7]
    7. The apparatus of claim 6, wherein the monitor is further configured to compare the quality indicator of the model rule set to an expected quality indicator and only copy the rule scores if the quality indicator of the model rule set exceeds the expected quality indicator.
    [8]
    8. Apparatus according to any one of claims 1 to 7, wherein the monitor is connected to the channel via banking software, said banking software being adapted to call the monitor and transmitting the new transaction to the monitor.
    [9]
    9. Apparatus according to any of claims 1 to 8, wherein the monitor is further configured to receive the new transaction in a message directed specifically to the monitor for processing.
    [10]
    10. Apparatus according to any of claims 1 to 9, wherein the monitor is further configured to monitor the channel for the new transaction destined for another network device.
    [11]
    11. A computerized method for detecting a fraudulent transaction on a channel, the method comprising:creating a matrix of each rule in a set of draft rules for each historical transaction appearing in historical data stored in a data store;solving the matrix for each rule score using linear programming;copying rule scores into a model rule set;monitoring the channel for a new transaction;applying data from the new transaction to the model ruleset;generating a new transaction score from the data and the model rule set; andindicating that the new transaction is fraudulent if the new transaction score exceeds a threshold.
    [12]
    12. A method according to claim 11, wherein the matrix is solved for a constant in one of the rules.
    [13]
    13. The method of claim 11 or 12, further comprising notifying a fraud monitor that the new transaction is fraudulent.
    [14]
    14. A method according to any of claims 11 to 13, further comprising notifying a bank that the new transaction is fraudulent.
    [15]
    15. The method of claim 14, further comprising requesting the bank to block the new transaction.
    [16]
    16. Method according to any one of claims 11 to 15, further comprising:reviewing each transaction appearing in historical data;calculating a transaction score for each historical transaction that is a sum of the rule scores for that historical transaction;comparing the sum of the rule scores with the threshold to make a fraud determination, said fraud determination being compared to an actual determination associated with the historical transaction to create an accuracy score of the transaction; andadding said transaction accuracy score to determine a quality indicator of the model ruleset.
    [17]
    The method of claim 16, further comprising comparing the quality indicator of the model rule set to an expected quality indicator, and copying the rule scores only if the quality indicator of the set of model rules exceeds the expected quality indicator.
    [18]
    18. A method according to any of claims 11 to 17, wherein channel monitoring is indirectly performed via banking software.
    [19]
    19. A method according to any of claims 11 to 18, wherein monitoring the channel for the new transaction includes receiving transactions destined for another network device.
    [20]
    20. A computerized method for detecting a fraudulent transaction on a channel, the method comprising:providing a means to create a matrix of each rule in a set of draft rules for each historical transaction appearing in historical data stored in a data store;solving the matrix for each rule score using linear programming;loading said rule scores into a set of model rules;providing a means to monitor the channel for a new transaction;applying data from the new transaction to the model ruleset;providing a means to generate a new transaction score from the data and the model rule set; andproviding a means of indicating that the new transaction is fraudulent if the new transaction score exceeds a threshold.
    类似技术:
    公开号 | 公开日 | 专利标题
    WO2019178914A1|2019-09-26|Fraud detection and risk assessment method, system, device, and storage medium
    US10510078B2|2019-12-17|Anomaly detection in groups of transactions
    US8458090B1|2013-06-04|Detecting fraudulent mobile money transactions
    CN108304486A|2018-07-20|A kind of data processing method and device based on block chain
    US11019063B2|2021-05-25|System and method for aggregating client data and cyber data for authentication determinations
    US10496992B2|2019-12-03|Exclusion of nodes from link analysis
    WO2020102395A1|2020-05-22|Systems and methods for anti-money laundering analysis
    CA3113876A1|2020-04-02|An apparatus, computer program and method
    CH717742A2|2022-02-15|A computerized method and apparatus for detecting fraudulent transactions.
    CN112308565A|2021-02-02|Many-to-many cross-border fund wind control method and system based on knowledge graph
    EP3629273A1|2020-04-01|An apparatus, computer program and method
    Diadiushkin et al.2019|Fraud detection in payments transactions: Overview of existing approaches and usage for instant payments
    Adedoyin2018|Predicting fraud in mobile money transfer
    Afanu et al.2013|Mobile Money Security: A Holistic Approach
    US20140289085A1|2014-09-25|System and Method For Identifying Suspicious Financial Transactions
    WO2019194679A1|2019-10-10|Systems and methods for detecting fraudulent transactions
    Khattri et al.2018|Parameters of automated fraud detection techniques during online transactions
    WO2018193085A1|2018-10-25|System and method for managing fraud detection in a financial transaction system
    Hämmerli2012|Financial services industry
    WO2016041985A1|2016-03-24|Method for detecting a risk for the substitution of a terminal, and corresponding device, programme and recording medium
    BE1021030B1|2017-03-01|SYSTEM AND METHOD FOR CHARACTERIZING FINANCIAL MESSAGES
    GB2542369A|2017-03-22|Apparatus and method for connection-based anomaly detection
    US20200081990A1|2020-03-12|Methods and devices for identifying relevant information for a first entity
    US20200081991A1|2020-03-12|Methods and devices for determining, and identifying information to manage, a level of risk of a first entity
    FR3067899A1|2018-12-21|METHOD AND MODULE FOR MANAGING SECURE DATA TRANSMISSIONS AND CORRESPONDING PROGRAM.
    同族专利:
    公开号 | 公开日
    US20220044248A1|2022-02-10|
    引用文献:
    公开号 | 申请日 | 公开日 | 申请人 | 专利标题
    法律状态:
    优先权:
    申请号 | 申请日 | 专利标题
    US16/985,773|US20220044248A1|2020-08-05|2020-08-05|Fraud Detection Rule Optimization|
    [返回顶部]