US2003153299A1PendingUtilityA1
Event manager for use in fraud detection
Est. expiryNov 18, 2018(expired)· nominal 20-yr term from priority
Inventors:Michael Adam PerfitDarin L. BuchananScott J. SamekTimothy W. ButlerElizabeth ManciniMichael ArenaKaren G. WiseMichael B. FarrarMichael D. UftringTheodore WillsonRichard Antell
G06Q 20/4016H04M 15/43H04M 15/47H04M 15/41H04W 12/126H04M 15/44
53
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
According to the principles of the invention, a fraud detection system receives data relating to telecommunications activity. Event generators generate events from the received data, with each event having a weight corresponding to an increased or decreased likelihood of fraud. The aggregated events for a subject (a subscriber or an account) determine a score for the subject, which is used to prioritize the subject in an investigation queue. Human analysts are assigned to open investigations on the investigation queue according to the priority of subjects. In this manner, investigation resources can be applied more effectively to high-risk subscribers and events.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method for detecting fraud in a telecommunications system comprising:
receiving one or more events relating to a subscriber; combining the one or more events to provide a score; and storing the subscriber and the score in an investigation queue if the score exceeds a predetermined threshold.
2 . The method of claim 1 further comprising:
repeating the method for a plurality of subscribers; and
storing a plurality of suspect subscribers in the investigation queue, each one of the plurality of suspect subscribers having a score that exceeds the predetermined threshold.
3 . The method of claim 2 further comprising prioritizing the investigation queue according to the plurality of scores.
4 . The method of claim 2 further comprising updating the score of one of the plurality of suspect subscribers to provide an updated score, and removing the one of the plurality of suspect subscribers from the investigation queue if the updated score does not exceed the predetermined threshold.
5 . The method of claim 2 further comprising assigning a human analyst to investigate one of the plurality of suspect subscribers.
6 . The method of claim 2 further comprising:
determining a region for each one of the plurality of suspect subscribers; and
assigning a regional human analyst to investigate those ones of the plurality of suspect subscribers having a particular region.
7 . The method of claim 5 wherein assigning a human analyst further comprises:
receiving a request to investigate from the human analyst;
assigning to the human analyst a one of the plurality of suspect subscribers having a highest priority; and
removing the one of the plurality of suspect subscribers from the investigation queue.
8 . The method of claim 1 wherein combining the one or more events to provide a score further comprises:
weighting the one or more events according to one or more event weights, thereby providing one or more weighted events; and
summing the one or more weighted events to provide a score.
9 . The method of claim 8 further comprising aging each of the one or more weighted events using a half-life.
10 . The method of claim 8 wherein the one or more event weights are discounted according to a match quality.
11 . The method of claim 8 wherein the one or more event weights are determined using logistic regression.
12 . The method of claim 2 wherein combining the one or more events to provide a score comprises feeding the one or more events to a neural network, the neural network being trained to generate a score indicative of possible fraud from the one or more events.
13 . The method of claim 12 further comprising prioritizing the investigation queue according to the plurality of scores.
14 . A system for detecting telecommunications fraud comprising:
means for receiving one or more events relating to a subscriber; means for combining the one or more events to provide a score; and means for storing the subscriber and the score in an investigation queue if the score exceeds a predetermined threshold.
15 . The system of claim 14 further comprising:
means for applying the receiving means, the combining means, and the storing means to a plurality of subscribers; and
means for storing a plurality of suspect subscribers in the investigation queue, each one of the plurality of suspect subscribers having a score that exceed the predetermined threshold.
16 . The system of claim 15 further comprising means for prioritizing the investigation queue according to the plurality of scores.
17 . The system of claim 15 further comprising means for removing one of the plurality of suspect subscribers from the investigation queue if the one of the plurality of suspect subscribers has not been investigated within a predetermined time.
18 . The system of claim 15 further comprising means for assigning a human analyst to investigate one of the plurality of suspect subscribers.
19 . The system of claim 15 further comprising:
means for determining a region for each one of the plurality of suspect subscribers; and
means for assigning a regional human analyst to investigate those ones of the plurality of suspect subscribers having a particular region.
20 . The system of claim 18 wherein the assigning means further comprises:
means for receiving a request to investigate from the human analyst; and
means for assigning to the human analyst a one of the plurality of suspect subscribers having a highest priority.
21 . The system of claim 14 wherein the combining means further comprises:
means for weighting the one or more events according to one or more event weights, thereby providing one or more weighted events; and
means for summing the one or more weighted events to provide a score.
22 . The system of claim 21 further comprising means for aging each of the one or more weighted events using a half-life.
23 . The system of claim 21 wherein the one or more event weights are discounted according to a match quality.
24 . The system of claim 21 wherein the one or more event weights are determined using logistic regression.
25 . The system of claim 15 wherein the combining means further comprises means for feeding the one or more events to a neural network, the neural network being trained to generate a score indicative of possible fraud from the one or more events.
26 . The system of claim 25 further comprising means for prioritizing the investigation queue according to the plurality of scores.
27 . A computer program for detecting telecommunications fraud embodied in machine executable code comprising:
machine executable code to receive one or more events relating to a subscriber; machine executable code to combine the one or more events to provide a score; and machine executable code to store the subscriber and the score in an investigation queue if the score exceeds a predetermined threshold.
28 . The computer program of claim 27 further comprising:
machine executable code to repeat the machine executable code to receive, the machine executable code to combine, and the machine executable code to store for a plurality of subscribers; and
machine executable code to store a plurality of suspect subscribers in the investigation queue, each one of the plurality of suspect subscribers having a score that exceeds the predetermined threshold.
29 . The computer program of claim 28 further comprising machine executable code to prioritize the investigation queue according to the plurality of scores.
30 . The computer program of claim 28 further comprising machine executable code to remove one of the plurality of suspect subscribers from the investigation queue if the one of the plurality of suspect subscribers has not been investigated within a predetermined time.
31 . The computer program of claim 28 further comprising machine executable code to assign a human analyst to investigate one of the plurality of suspect subscribers.
32 . The computer program of claim 28 further comprising:
machine executable code to determine a region for each one of the plurality of suspect subscribers; and
machine executable code to assign a regional human analyst to investigate those ones of the plurality of suspect subscribers having a particular region.
33 . The computer program of claim 32 wherein the machine executable code to assign a human analyst further comprises:
machine executable code to receive a request to investigate from the human analyst; and
machine executable code to assign to the human analyst a one of the plurality of suspect subscribers having a highest priority.
34 . The computer program of claim 27 wherein the machine executable code to combine the one or more events to provide a score further comprises:
machine executable code to weight the one or more events according to one or more event weights, thereby providing one or more weighted events; and
machine executable code to sum the one or more weighted events to provide a score.
35 . The computer program of claim 34 further comprising machine executable code to age each of the one or more weighted events using a half-life.
36 . The computer program of claim 34 wherein the one or more event weights are discounted according to a match quality.
37 . The computer program of claim 34 wherein the one or more event weights are determined using logistic regression.
38 . The computer program of claim 28 wherein the machine executable code to combine the one or more events to provide a score comprises machine executable code to feed the one or more events to a neural network, the neural network being trained to generate a score indicative of possible fraud from the one or more events.
39 . The computer program of claim 38 further comprising machine executable code to prioritize the investigation queue according to the plurality of scores.
40 . A method for identifying possibly fraudulent activity in a telecommunications system comprising:
providing a fraud record, the fraud record including a first plurality of fields; providing an account change record, the account change record including a second plurality of fields; providing a search key, the search key indicating one or more search key fields corresponding to fields of the account change record and the fraud record; applying the search key and a first set of rules to the account change record and the fraud record, thereby determining whether there is a possible match; calculating a match quality for the one or more search key fields if there is a possible match; and generating an event if there is a possible match, the event having a weight indicative of the quality of a match between the account change record and the fraud record.
41 . The method of claim 40 further comprising providing a plurality of fraud records and collecting a plurality of matches.
42 . The method of claim 41 further comprising providing a plurality of account change records, and for each one of the plurality of account change records, repeating each of providing a fraud record, providing a search key, applying the search key and a first set of rules, calculating a match quality, and generating an event.
43 . The method of claim 40 wherein calculating a match quality further comprises calculating one or more field match terms for each field of the search key, weighting each field match term, and calculating a weighted sum of the field match terms.
44 . The method of claim 40 wherein the fraud record is a record of an account with known fraudulent activity.
45 . The method of claim 40 wherein the fraud record is a record of an account with suspected fraudulent activity.
46 . The method of claim 40 , further comprising providing a plurality of search keys.
47 . The method of claim 40 , further comprising providing each generated event to an event manager.
48 . A method for identifying possibly fraudulent activity in a telecommunications system comprising:
defining one or more events, each event corresponding to a category of account activity, assigning to each of the one or more events an event weight and an event half-life; receiving a provisioning record, the provisioning record corresponding to an activity in an account; determining which category of account activity corresponds to the provisioning record; and generating an event for the account activity, the event having the event weight and the event half-life of the category to which the account activity corresponds.
49 . The method of claim 48 further comprising providing a plurality of provisioning records, thereby generating a plurality of events.
50 . The method of claim 49 wherein the plurality of provisioning records is a daily billing information stream from a carrier.
51 . The method of claim 49 wherein the plurality of provisioning records is a real-time payment information stream from a carrier.
52 . The method of claim 49 wherein the plurality of provisioning records is a real-time account change information stream from a carrier.
53 . The method of claim 48 wherein one of the account activity categories is a change in account information.
54 . The method of claim 48 wherein one of the account activity categories is a change in bill payment information.
55 . The method of claim 48 , further comprising defining one or more types and one or more sub-types for each account activity category, and defining an event for each sub-type.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.