JP2010512035A - Detection and prohibition of fraud in the network - Google Patents

Abstract

  A computer-based method and apparatus, including the described computer program product, detects and prohibits fraud on the network, restores data on the network, unifies user sessions on the network, and prevents fraud on the network. It is for detecting fraud on the network using the detected and stored information and agreeing to supply data on the network. In one aspect, a user uses a transmitting device to transmit a data packet that is split between multiple data centers for processing. The data packet is captured at the data center. The data packet is recombined. The recombined data can be analyzed for fraud detection, marketing analysis, network intrusion detection, customer service analysis, and / or performance analysis. If cheating is detected, the user uses the transmitter to send a user request that is split between multiple data centers for processing. User requests are captured at the data center. The user request is unified into a user session. The user session may be analyzed for fraud detection, marketing analysis, network intrusion detection, customer service analysis, and / or performance analysis. If cheating is detected, the user may be prohibited to prevent further cheating.

Description

  The present invention relates generally to computer-based methods and apparatus that include computer program products that detect and prohibit fraud in the network, restore (reconstruct) data in the network, and It is for unifying user sessions, detecting fraud in the network, detecting fraud in the network using stored information, and agreeing to supply data in the network.

  The increased use of the network for accessing and providing information has led to a dramatic increase in the amount of data transmitted over the network. In order to handle this increased traffic, computer systems used to store, process and transmit information have increased in size and have been distributed among data centers. Such distribution between data centers can increase speed and thereby reduce response time in information retrieval and processing.

  However, increased speed and diversified data centers present problems with data sent to multiple data centers. The problem is that the data sent to and from the user is distributed between the data centers. When data from a single data center is analyzed, it is very difficult if a complete display of user actions cannot be obtained.

  The ability to analyze user behavior as a whole is important in a wide range of industries that provide services that are trusted on the network. These industries must be able to analyze user behavior to provide feedback and improve system performance. In addition, industry must be able to effectively and efficiently identify fraudulent activity on its network.

  Fraud increased with the rise of network-based behavior. The industry has responded by using fraud detection systems to prevent loss of funds and prestige. However, it was difficult if these fraud detection systems could not collect (collect) data from all of the data centers in real time and without affecting customer performance. As fraud is increasing, it is important that industry, for example the financial services industry, has fraud detection systems that collect data packets from multiple data centers and detect fraud and other Data can be restored for use.

  One approach to recovering data over the network is to restore data packets transmitted over the network to data. In one aspect, a data recovery method is provided that receives data packets transmitted from a plurality of data centers. Each data center includes one or more servers. The data packet is sent to the data center from the same user location. The data packet is processed. A restoration engine restores the data from the data packet to a format that conforms to a specific protocol.

  In another aspect, a computer program product for data restoration is provided. Said computer program product is clearly embodied in an information carrier. The computer program product includes instructions that can be implemented by a data processing device to receive data packets from a plurality of data centers at a restoration engine. Each data center includes one or more servers. The data packets are transmitted from the same user location to different data centers in the plurality of data centers. The data packet is processed. The data is recovered from the data packet into a format that conforms to a specific protocol.

  In another aspect, a system for data restoration is provided. The system includes a data collection system and a restoration engine. The data collection system collects data packets at a data center. The data packet is transmitted to the restoration engine. The restoration engine receives data packets from a plurality of data collection systems over the network. The restoration engine processes the data packet and restores the data packet to data that conforms to a specific protocol.

  In another aspect, another system for data recovery is provided. The system includes means for retrieving data packets at a data center and means for restoring data. The data packet recovery means receives a data packet from a data center and transmits the data packet to the data restoration means. The data restoration means restores data from a data packet conforming to a specific protocol.

  In another aspect, user sessions on the network are unified. In another aspect, a method for unifying user sessions is provided. The method includes a unified engine that receives user requests from multiple data centers. Each data center includes one or more servers, and each user request includes one or more data packets. The user request is transmitted from the user location to the data center. The user request is processed. The user request is unified into a user session by the unification engine.

  In another aspect, a computer program product for user session unification is provided. This computer program product is clearly embodied in an information carrier. The computer program product includes instructions that can be implemented such that the data processing device receives a user request at a unified engine. The user request is received from a plurality of data centers. Each data center includes one or more servers, and each user request includes one or more data packets. The user request was split among the data centers for processing. The user request is restored to the user session by the restoration engine in a format compliant with a specific protocol.

  In another aspect, a system for user session unification is provided. The system includes a data collection system and a unified engine. The data collection system collects user requests from a data center and sends the user requests to the unified engine. Each user request includes one or more data packets. The unification engine receives user requests from the data collection system and processes the user requests to restore a user session.

  In another aspect, another system for user session unification is provided. The system includes user request collection means for collecting user requests at the data center. Each user request includes one or more data packets. The user request is transmitted from the user request collecting means to the user session unifying means. The user session unification means processes the user request to unify the user request within the user session.

  In another aspect, user sessions on the network are analyzed to detect fraud. In another aspect, a method for detecting fraud on a network is provided. The method includes receiving a user request from a data center. The user requests are separated from each other for transmission to multiple data centers, but are combined to form a user session. Each data center includes one or more servers, and each user request includes one or more data packets. The user session is processed to determine whether the user session is invalid using a profiling engine and / or a rules engine.

  In another aspect, a computer program product for detecting fraud on a network is provided. This computer program product is clearly embodied in an information carrier. The computer program product includes instructions that can be implemented by a data processing device to receive a user request from a data center. The user requests are combined to form a user session. Each data center includes one or more servers, and each user request includes one or more data packets. The user request was separated for processing between the data centers. A profiling engine and / or rules engine is used to determine if the user session is invalid.

  In another aspect, a system is provided for detecting fraud on a network. The system includes a unified engine and a fraud detection system. The unified engine receives user requests from the data center. Each user request includes one or more data packets. The unification engine processes the user request to restore a user session. The fraud detection system analyzes a user session to determine whether the user session is fraudulent.

  In another aspect, another system is provided for detecting fraud on a network. The system includes means for unifying user sessions and fraud detection means. The means for unifying user sessions receives user requests from the data center. Each user request includes one or more data packets. The user session unification unit processes the user request and unifies the user session. The fraud detection means analyzes the user session to determine whether the user session is fraudulent.

  In another aspect, the user session on the network detects fraud using analyzed and stored information. In another aspect, a method for detecting fraud on a network using stored information is provided. The method includes receiving a user request from a data center. Each data center includes one or more servers, and each user request includes one or more data packets. The user request is processed at the data center. Elements associated with the user session are stored in a memory module. Analysis is performed on the user session using at least some of the elements stored in the memory module.

  In another aspect, a computer program product for detecting fraud on a network using stored information is provided. This computer program product is clearly embodied in an information carrier. The computer program product includes instructions that can be implemented by a data processing device to receive a user request from a data center. The user requests are combined to form a user session. Each data center includes one or more servers, and each user request includes one or more data packets. The user request was separated between the data centers. Elements associated with the user session are stored in a memory module. Analysis is performed on the user session using at least a portion of the elements stored in the memory module to determine whether an activity associated with the user session is fraudulent.

  In another aspect, a method for detecting fraud on a network using stored information is provided. The system includes a unified engine, a database system, and a fraud detection system. The unified engine receives user requests from the data center. The unification engine processes the user requests and unifies them within a user session. Each user request includes one or more data packets. The database system stores elements related to the user session in a memory module. The fraud detection system uses at least some of the elements stored in the memory module to determine whether a first user session is fraudulent.

  In another aspect, another system is provided for detecting fraud on a network using stored information. The system includes means for unifying user sessions, means for storing elements, and fraud detection means. The user session unification means receives a user request from a data center and processes the user request to form a user session. Each user request includes one or more data packets. The element storage means stores an element related to the user session in a memory module. The fraud detection means processes the first user session using the elements stored in the memory module to determine whether the first user session is fraudulent.

  In another approach, the user session on the network is analyzed to detect and prohibit fraud on the network. In another aspect, a method for detecting and prohibiting fraud on a network is provided. The method includes receiving a user request from a data center and combining the user requests to form a user session. Each data center includes one or more servers, and each user request includes one or more data packets. The user session is analyzed to detect fraud and if a fraud is detected, the user session is prohibited.

  In another aspect, a computer program product is provided for detecting and prohibiting fraud on a network. This computer program product is clearly embodied in an information carrier. The computer program product includes instructions that can be implemented by a data processing device to receive a user request from a data center. The user requests are combined to form a user session. Each data center includes one or more servers, and each user request includes one or more data packets. The user session is analyzed to detect fraud. If cheating is detected, the user session is prohibited.

  In another aspect, a system is provided for detecting and prohibiting fraud on a network. The system includes a unified engine, a fraud detection system, and a session prohibition system. The unified engine receives user requests from a data center and combines the user requests to form a user session. Each user request includes one or more data packets. The fraud detection system analyzes the user session to detect fraud. If a fraudulent activity is detected, the session prohibition system prohibits the user session.

  In another aspect, a system is provided for detecting and prohibiting fraud on a network. This system includes means for unifying user sessions, fraud detection means, and session prohibition means. The means for unifying user sessions receives user requests from a data center and combines the user requests to form a user session. Each user request includes one or more data packets. The fraud detection means analyzes the user session and detects fraud. When an illegal act is detected, the session prohibiting means prohibits the user session.

  In another aspect, the recovered data on the network is distributed to consenters on the network. In another aspect, a method is provided for agreeing to provide data on a network. The method includes processing the data packet after receiving the data packet from a data center. Each data center includes one or more servers. The data packet is decompressed to form data in a format that conforms to a specific protocol. All or part of the restored data is transmitted to the requester.

  In another aspect, a computer program product for agreeing to provide data on a network is provided. This computer program product is clearly embodied in an information carrier. The computer program product includes instructions that can be implemented by a data processing device to receive a data packet on a data bus. The data packet can be received from multiple data centers. The data packets from the plurality of data centers are transmitted from the same user location to different data centers. Each data center includes one or more servers. The data packet is processed by the computer program product. Data in a specific protocol is recovered from the data. At least a portion of the data is requested by the requester. The requested data is transmitted to the requester.

  In another aspect, a system for agreeing to provide data on a network is provided. The system includes a data bus that receives data packets from a plurality of data centers. The system includes a restoration engine that restores data from the data packet. The data is restored to a format that conforms to a specific protocol. The system includes a request module that receives requests from some requesters of the recovered data. The request module transmits the requested restoration data to the requester.

  In another aspect, a system for agreeing to provide data on a network is provided. The system includes means for receiving data packets from a plurality of data centers. The system receives means for restoring data from the data packet to a format that conforms to a specific format and a request for at least a portion of the restored data and sends the requested data to a requester Means.

  In another example, any of the above aspects can include one or more of the following features. The data center receives the data packet from a load balancer. The load balancer is capable of obtaining the data center, the network status, the quality of service indicator for the data packet, the applicability, the number of connections to each data center and / or a predetermined routing. To send the data packet to the different data center. A server at the data center processes the data packet at the same or approximately the same time and separately from the restoration engine that restores the data. The processing of the data packet includes decoding the data packet and / or filtering the data packet.

  In yet another example, the protocol in which the data is formatted is Hypertext Transport Protocol (HTTP), Voice over the Internet (VoIP), Transmission Control Protocol (TCP) and / or Internet Protocol (IP). The hypertext transport protocol (HTTP) is converted into an open standard message protocol. The profiling engine may be a geographic location profiling engine and / or a behavior profiling engine. The rule engine may be an applied rule engine and / or a trading rule engine. The memory module is a volatile memory and / or a persistent storage device.

  In another example, prohibiting the user session requires the user to authenticate on the network, notify the user of the fraud, disconnect the user session from the network, and Instructs the user session to stop the act and / or isolate the network to mitigate the cheating. The user ban occurs by communicating with an authentication system to prevent the user session from accessing the network. The user's ban occurs by generating the rule based on the fraud and communicating the rule to the authentication system that prevents access to the system.

  In yet another example, the consent request is made for a set time. The requester is a marketing analysis engine, a network intrusion detection system, a customer service system and / or a performance analysis system.

  Any of the above aspects and examples can provide one or more of the following advantages. They can restore data and / or unify user sessions from multiple data centers. The recovered data and / or unified user session can be used for analysis as a complete or partial display of user activity. Restoration of data packets to data can improve the display of analyzed user actions, but data packets from only one data center will probably prevent user interaction with the data center. It only shows, not communicates with all of the data centers. The display of the user's actions allows for an overall analysis of actions to detect fraud, feed back to the user and system and / or improve system performance.

  Another advantage is the unification of user requests to user sessions for fraud detection. The unification of user requests sent to multiple data centers allows the fraud detection system to analyze an improved display of user behavior. This improved display of user behavior is more than user interaction with one data center in multiple data centers. It is part or all of the user's actions with multiple data centers. This allows user actions to be analyzed as a whole rather than individually.

  Another advantage is to collect data packets and / or user requests from the network without interfering with the transmission of data packets and / or user requests to the rest of the network (eg, server system). The processing of data packets and / or user requests by the server system is not interfered with the collection of data packets and / or user requests.

  Another advantage is the processing of data and / or user sessions by a fraud detection system in real time. The data collection system collects data packets and / or user requests at the same time that the server system receives the data packets and / or user requests. The restored data and / or unified user session is processed by the fraud detection system at the same time that the server system processes the data and / or user requests. Real-time fraud detection allows fraud to be prohibited before fraud can damage the system (eg fraud detection systems prevent fraudulent transactions before they are fully processed) be able to).

  Another advantage is that the memory module is a volatile memory. Processing data and / or user sessions to determine if fraud exists exists in real time. The fraud detection system takes advantage of the fast access capabilities of volatile memory to access elements stored in the memory module and to analyze data and / or user sessions in real time using the stored elements.

  Another advantage is the data bus consent service. The data bus agreement service is an agreement to supply data on the network. Agreeing to supply data on the network allows other requester systems to access data retrieved from multiple data centers. By providing consent services, other requester systems, such as performance analysis systems and customer service systems, are not just a part of user actions transmitted from one of the data centers. Rather, the overall display of user actions can be analyzed.

  Other aspects and advantages of the present invention will become apparent from the following detailed description, taken in conjunction with the accompanying drawings, illustrating by way of example the principles of the invention.

  The foregoing and other objects, features and advantages of the present invention, as well as the invention itself, will be more fully understood from the following description of various embodiments when read with reference to the accompanying drawings.

FIG. 1 is a functional block diagram of a typical system that restores the data transmitted on the system and transmits the data to a fraud detection system. FIG. 2 is a functional block diagram of an exemplary system showing data being transferred from the data center to the data bus. FIG. 3 is a functional block diagram of an exemplary system illustrating the unification of user sessions from user requests. FIG. 4 is a functional block diagram of an exemplary system showing portions of a fraud detection system including a user session database. FIG. 5 is a functional block diagram of an exemplary system showing a system for receiving data from a data bus. FIG. 6A is a screen shot of the login module. FIG. 6B is a diagram of the information sent to the login module. FIG. 6C is a screen shot of the search module. FIG. 6D is a diagram of information transmitted to the search module. FIG. 6E is a diagram of information received from the search module. FIG. 6F is a screen shot of information received from the search module. FIG. 6G is a diagram of information transmitted to the transaction module. FIG. 6H is a diagram of information received from the information module. FIG. 6I is a screen shot of information received from the information module. FIG. 7 is a flowchart illustrating the transmission of data from a typical system. FIG. 8 is a flowchart illustrating transmission of a user session from an exemplary system. FIG. 9 is a flowchart illustrating the processing of user requests sent to the data center and sent from both the data center and the server system at the data collection system. FIG. 10 is a flowchart illustrating the processing of data packets by the system and the transmission of data packets to the requesting system. FIG. 11 is a flowchart showing prohibition of a user session when an illegal act is detected. FIG. 12 is a flowchart showing communication of fraud to the authentication system. FIG. 13 is a flowchart showing creation of a rule in response to detection of fraud. FIG. 14 is a flowchart illustrating mitigation of fraud by retransmitting a user session to another network.

  FIG. 1 is a functional block diagram of an exemplary system 100 that restores the data transmitted on the system and transmits this data to the fraud detection system 160. In some examples, the data includes a record of communication between the user 112 and the system 100. The record of communication includes, for example, a purchase order from the user 112 to an intermediary company and / or a credit card transaction for purchasing products and services by the user 112.

  Transmissions on system 100 can occur over packet-based networks and / or circuit-based networks. Packet-based networks include, for example, the Internet, Carrier Internet Protocol (IP) networks (eg, Local Area Network (LAN), Wide Area Network (WAN), Campus Area Network (CAN), Metropolitan Area Network (MAN), home area network (HAN)), private IP network, IP private branch exchange (IPBX), wireless network (eg, radio access network (RAN), 802.11 network, 802.16 network) General packet radio service (GPRS) network, hyper LAN) and / or other packet-based networks. Circuit-based networks include, for example, public switched telephone networks (PSTN), private branch exchange (PBX), wireless networks (eg, RAN, Bluetooth, code division multiple access (CDMA) networks, time division multiple access (TDMA) networks, mobile Global system for communications (GSM) networks) and / or other circuit-based networks.

  The system 100 includes a user 112 that communicates with a transmitting device 110 that transmits data in one or more portions to a load balancer 130 as a data packet. In some examples, the user 112 can use any type of transmitter 110 to transmit data packets. The transmission device 110 may be, for example, a computer, a computer with a browser device, a telephone, an IP phone, a mobile device (eg, a mobile phone, a personal digital assistant (PDA) device, a laptop computer, an electronic mail device) and / or other communication device. including. The browser device includes, for example, a computer (eg, a desktop computer, a laptop computer), which includes a global web browser (eg, Microsoft® Internet Explorer®, Mozilla® Firefox). The mobile computing device includes, for example, Blackberry (registered trademark).

  The load balancer 130 may be a network system. Network systems include, for example, network routers, network switches, network hubs, computers and / or other communication devices. The network system may be, for example, one or more network adapters (eg, 10/100/1000 base-T network interface adapter card (NIC), 1000 base-SX NIC, 1000 base-LX NIC, 1000 base-FX NIC) including. The network system includes one or more modules that process data packets. Modules are implemented in digital electronic circuitry, computer hardware, firmware and / or software. The modules include, for example, a data routing module, an internet protocol (IP) routing module, a domain name service (DNS) routing module, and / or other routing modules.

  In some examples, the system 100 receives data packets from other systems. Other systems include one or more network systems, each of which includes one or more transmitters 110. Other systems send data to load balancer 130 for transmission to data centers 120a and 120b for processing.

  The load balancer 130 transmits data packets to different data centers 120a or 120b based on load balancing techniques. In some examples, the load balancer 130 may provide data center availability (eg, processor capacity, disk capacity), network conditions (eg, packet trip time, packet loss), service indicator for data packets. Data packets are transmitted from the plurality of data centers 120a and 120b to the selected data center according to quality, applicability, number of connections to each data center and / or predetermined routing instructions.

  FIG. 1 shows an exemplary system 100 comprising data centers A 120a and B 120b. Although system 100 is shown with two data centers 120a and 120b, other examples include any number (eg, 3, 4, 10, 20, 100, 1,000, 10,000) of data centers. . Similarly, the system 100 illustrates one load balancer 130, but other examples include multiple load balancers in multiple layers. For example, the user's transmitter 110 transmits a data packet to the load balancer 130, where the balancer has a further load balancer to which the first load balancer 130 transmits the data packet. A second load balancer in a layer below the first load balancer 130 transmits data packets from a plurality of data centers to a selected data center.

  Data packets at data centers 120a and 120b are sent to server systems 122a and 122b and data collection systems 124a and 124b, respectively. For example, the data packet is transmitted from the user transmission device 110 to the load balancer 130. The data packet is transmitted from the load balancer 130 to the data center A 120a. The data packet is transmitted at data center A 120a to server system 122a and data collection system 124a.

  Transmission of data packets to server system 122a and data collection system 124a in data center A 120a can occur simultaneously and independently of one another using, for example, network devices. Network devices include, for example, network routers, network firewalls, network hubs, network switches, computers and / or other network devices (eg, GigamonGigaVUE-MP available from Gigamon Systems LLC).

  Server systems 122a and 122b may each include one or more servers (eg, 126a, 127a, 127b, and 128b). Servers are for example web servers (eg 126a), application servers (eg 128b) (eg Oracle® Application Server 10g available from Oracle Corporation), database servers (eg 127a and 127b) (eg obtained from Oracle Corporation) Oracle (R) Database 10g), communication server, fax server, file server, game server, authentication server (eg RSA (R) Authentication Manager available from RSASecurity Inc.), desktop computer, central・ Ad server, file transport protocol server, image server, mail server, news server, proxy server Printing including server, sound server, streaming media server, a terminal server, firewall, network routers, network hubs, network (e.g., intranet 125a) and / or a network switch.

  In some examples, the data collection systems 124a and 124b include one or more computing devices, such as computers, laptop computers, network routers, network switches, and / or network hubs (available from Radware Ltd.). Possible Radware (R) AS4, CovelightInflight (TM) 5000 available from CovelightSystem, Inc., GigamonGigaVUE-MP available from Gigamon Systems LLC).

  Data collection systems 124a and 124b can collect data packets from the network without interfering with data transmission to the rest of the network. For example, the data collection system 124a receives data packets sent from the load balancer 130 to the data center 120a, while at the same time the data packets are received by the server system 122a and follow a parallel path for receiving the data packets. Generate.

  Data collection systems 124a and 124b can collect data packets returned to the user by server systems 122a and 122b, respectively. For example, the user 112 transmits a data packet requesting information using the transmitter 110. The data packet is sent from the load balancer 130 to the data center B 120b. The data packet is transmitted to the server system 122b and the data collection system 124b. Server system 122b responds to the user's request by processing the data packet and sending a data packet response. The data packet response is captured by the data collection system 124b.

  Data packets and / or data packet responses are sent from the data collection systems 124a and 124b to the recovery engine 150. The restoration engine 150 receives data packets from a plurality of data centers 120a and 120b. The restoration engine 150 processes the data packet to form some or all of the data from the user 112. The restoration data represents a part or all of information transmitted on the network by the user transmission device 110 (for example, original information transmitted on the network).

  The processing of data packets by the server system 122a can occur simultaneously or nearly simultaneously and separately from the restoration engine 150 that restores the data. For example, the data packet is transmitted from the server system 122a, the data collection system 124a sends the data packet to the restoration engine 150, and the restoration engine 150 restores the data packet to data and is processed at or near the same time. Processing by server system 122a includes, for example, a data packet received by server system 122a being transmitted to intranet 125a, and the intranet transmitting the data packet to web server 126a. Web server 126a processes the data packet to determine whether web server 126a needs to respond to the data packet and / or web server 126a needs access to information from database server 127a. . Web server 126a needs information from database server 127a to respond to the data packet (eg, a search submission to a search module that is part of web server 126a). The web server 126a asks the database server 127a, and the database server 127a answers this question (eg, information requested from the search). The web server 126a processes the information returned from the question and returns a web page along with the requested information from the intranet 125a to the sending device 110 of the user 112.

  The restoration engine 150 can analyze the data packet to determine data packet information. The data packet information includes destination parameters and / or source parameters. The data packet parameters can be used by the restoration engine 150 to combine the data packets to form the user 112 data. Data packet parameters include network address, user address, operating system (OS) fingerprint, network card address, user cookie, formal data, cryptographic key and / or transaction identifier. The network address includes the address of the sending device 110 that sends the data packet, the address of the network address translation device (eg, firewall) that sends the data packet, or other network device that sends the data packet. The user address includes the address of the user 112 at the transmitting device 110 that transmits the data packet, the identification information of the user's transmitting device 110, or other identification information associated with the user 112. The OS fingerprint includes data formatting indicating the OS sending the data packet, identification information in the data packet from the OS, or other identification information related to the OS. The network card address includes the network card address at the user's sending device 110 or other identifying information of the sending device associated with the sending device 110. The user cookie includes information stored in the user's transmission device 110 (eg, information stored in a web browser on the user's transmission device 110) or other identification information stored in the user's transmission device 110. The formal data includes information in a data packet associated with the user 112 (eg, information in a data packet such as UserID = GeorgeSmith) or other identifying information in the data packet.

  In some examples, the restoration engine 150 processes the data packet to determine if the data packet meets the requests from the server systems 122a and 122b. For example, the server system 122a sends a request for information (ie, a data packet requesting information from the user 112) to the user 112 (eg, login information—user id and password). User 112 responds from sending device 110 by sending a data packet (eg, user id and password). The restoration engine 150 matches a request for information from the server system 122a (eg, a request for login information with login information) to a data packet from the user 112. Adapting the request for information from the server system 122a to the data packet from the user 112 is used by the reconstruction engine 150 to adapt the data packet.

  The restoration engine 150 can process the data packet. The processing of the data packet includes filtering, decryption and / or encryption (Radware® SSL decryption available from Radware Ltd.). Filtration includes, for example, internet protocol addresses, protocols, data types (eg graph interface format (gifs), hypertext markup language (html), joint photography expert group (jpegs), cascade Style sheet (css), javascript (js)), parameters (eg password, pin, personal identification information), content, content type, uniform resource location input device (URL) path and / or internet protocol (IP ) Filtering by range.

  The recovery engine 150 receives, for example, over 1 billion data packets per hour. For example, the restoration engine 150 can filter data packets from a trusted internet protocol address (eg, address 10.11.12.3.12 from a trusted data center). The restoration engine 150 filters all data packets from trusted Internet protocol addresses to reduce the load on the restoration engine 150. For example, the restoration engine 150 filters parameters such as passwords and pin numbers to prevent confidential information from being sent to the fraud detection system 160.

  The restoration engine 150 transmits data to the fraud detection system 160. The fraud detection system 160 processes the data to detect fraud. The processing of the data includes, for example, one or more systems that process the data (eg, TIBCO® BusinessEvents® available from TIBCOSoftware Inc., DeepNetworkAnalyzer® (DNA) available from SourceForge®).

  FIG. 2 is a functional block diagram of an exemplary system 200 showing data being transported from data centers 120a and 120b to data bus 210. As shown in FIG. The exemplary system 200 includes a user 112 that uses a transmitting device 110 that transmits data in one or more portions as data packets to a load balancer 130. The load balancer 130 transmits data packets to the data centers in the plurality of data centers 120a and 120b based on load balancing technology. Data packets are sent to server systems 122a and 122b and data collection systems 124a and 124b, respectively.

  Data collection systems 124 a and 124 b send data packets to data bus 210. In some examples, the data bus 210 consolidates data packets from multiple data centers 120a and 120b and distributes the data, such as the restoration engine 150, to a system that is in need and / or demanding.

  Data packets are transmitted from the data bus 210 to the database 220 and the restoration engine 150. The restoration engine 150 restores data from data packets received from the plurality of data centers 120a and 120b. The restored data is transmitted to the fraud detection system 160 and the database 220.

  In some examples, the data bus 210 includes one or more computer systems connected to a network (eg, computing blade, network server, network router, network switch, network hub). In some examples, the database 220 stores data packets and / or data. The database 220 is a memory module, for example. The memory module is, for example, a permanent storage device and / or a volatile storage device.

  FIG. 3 is a functional block diagram of an exemplary system 300 illustrating the unification of user sessions from user requests. System 300 includes a user 112 having a user session 310. User session 310 is an edited version of all user requests associated with user 112. User 112 requests and receives information from system 300. Requesting and receiving this information is accomplished by user request.

  The user request is transmitted to the load balancer 130. The load balancer 130 sends user requests to the data center 120a or 120b based on load balancing techniques. User requests are sent to the server system 122a or 122b and the data collection system 124a or 124b based on the data center (eg, 120a or 120b) to which the user request was sent. The data collection system 124 a or 124 b sends a user request to the data bus 210. User requests are sent from the data bus 210 to the database 220 and the unified engine 320. The unification engine 320 combines the user requests received from the user 112 to form a unified user session, which includes all or part of the user session 310 and is divided first. Sent to data centers 120a and 120b. A unified user session may include, for example, one that represents some or all of the user's actions including communications that are not transmitted from the transmitting device 110 over the network (eg, an application for interfacing with the server systems 122a and 122b, etc.) Information related to the application on the sending device).

  The unification engine 320 can analyze user requests and determine user request information. The user request information includes a source parameter and / or a destination parameter. One or more of the user request parameters are used, for example, by the unification engine 320 to combine user requests with each other to form a unified user session for the user 112.

  The unification engine 320 analyzes the user request and requests for information from the server systems 122a and 122b and / or information from application modules associated with the user's sending device 110 (eg, server system 122a). And the client side application communicating with 122b). For example, an application module associated with the user's sending device 110 requests information from the user 112. User 112 enters information into the application module. The application module from the sending device 110 sends information in the form of a user request to the server system 122a or 122b for processing. The unification engine 320 matches the user request with the information requested by the application module (i.e., the unification engine 320 is aware of what information is being requested by the application module and can therefore adapt the information to the user request). Matching information requests from application modules to user requests from user 112 is used by unified engine 320 to combine user requests to form a user session.

  The unification engine 320 can process user requests. Processing user requests includes, for example, filtering, decryption and / or encryption.

  The user session unified by the unified engine 320 is transmitted to the database 220 for saving and the fraud detection system 160. When fraud detection system 160 detects fraud, fraud detection system 160 communicates to prohibition system 330. The prohibition system 330 stops communication of a user request to the load balancer 130, for example.

  FIG. 4 is a functional block diagram of an exemplary system 400 showing portions of a fraud detection system 405 that includes a user session database 450. The portions of the exemplary system 400 are as described above with reference to FIGS.

  The unification engine 320 unifies user requests and transmits a unified user session to the fraud detection system 405. The fraud detection system 405 includes a geographic location profiling engine 410, a behavior profiling engine 420, an application rules engine 430, a trading rules engine 440 and a database 450. The fraud detection system 405 may include, for example, one of these engines or a combination of engines.

  The geographic location profiling engine 410 analyzes user locations, network paths and / or network addresses. For example, the geographic location profiling engine 410 analyzes the network address of the transmitter 110 and is known as an address where the network address is suspicious (eg, a foreign network address known to have significant fraud). Decide if it is an address. Determining that the network address is suspicious includes all or part of the information analyzed by fraud detection system 405 to determine whether the act is fraudulent. For example, the geographic location profiling engine 410 analyzes the network path of the user 112 to determine if the path that the user 112 is accessing passes through or is intercepted by the suspicious network. If the network path of user 112 is intercepted by a suspicious network, geographic location profiling engine 410 reports the fraud to fraud detection system 405.

  The behavior profiling engine 420 analyzes the behavior, which includes the number of page views that occur without logon, malicious software visits, search conditions classified as suspicious, uniform resource location input devices (URLs) classified as suspicious. Account access, classified as rapid access, access to a large number of accounts. This is done by analyzing multiple network connections per session and / or multiple users per session.

  For example, if user 112 accesses 10 different accounts and these accounts are not connected to each other, behavior profiling engine 420 determines that the user's activity is fraudulent and reports the fraud to fraud detection system 405. . However, if the user 112 accesses 10 different accounts and all of these accounts are connected to each other (eg, all have the same email address and the same unique user identifier), the behavior profiling engine 420 will Decide that the act is not fraudulent.

  Behavioral profiling engine 420 includes a profile-based profiling engine. The variant-based profiling engine uses the normal action baseline to detect when the action goes outside the baseline. Normal action baselines may be programmed into the profiling engine and / or learned by the profiling engine, for example, while processing information, data and / or user sessions on the network. Actions include any event, state, content, behavior, transaction and / or similar processing by the user 112 with the network 400.

  For example, user 112 has used an e-mail address on an exemplary system 400 from an internet service provider (eg, a standard user at standarddisp.com) for 10 years, but this is generically available E Change to E-mail address for mail host service (eg generic user at hotmail.com). Such a change in a user's email address may be normal behavior for some users, but for this particular user 112, the change in email address is outside normal behavior and behavior profiling. The engine 420 classifies the act as an illegal act. The classification of acts as fraud requires that, for example, the user 112 confirms the change of the email address outside the communication channel where the email change was submitted (eg, the email address change is Once the website associated with system 400 is passed, confirmation of the e-mail address change outside the communication channel will be by phone from system 400).

  Application rule engine 430 monitors communication between modules of exemplary system 400. The application rules engine 430 monitors, for example, login modules, search modules, transaction modules, information modules, and / or other modules that are part of the system 400. The application rules engine 430 monitors the modules of the exemplary system 400 to detect communications outside the normal range of communications with the modules (eg, communications that violate rules in the engine). By monitoring the module, the fraud detection system 405 can detect fraud patterns, but this fraud cannot be detected by simply analyzing user transactions, but with the application of a typical system. It may be detected by analyzing the communication.

  For example, a set of users is trying to exploit a security hole in the authentication module. The application rules engine 430 monitors the authentication module and detects that a set of users is attempting to authenticate to the system 400 using the same username and password (eg, username and / or password Shock absorber overflow in the field). The normal range of communication is no more than one user attempting to authenticate to the system 400 using the same username and password. Accordingly, the application rule engine 430 determines that the user's set action is illegal.

  The trading rules engine 440 assigns a confidence level to the user session. The confidence level is an analysis to determine the level at which the system 400 ranks user sessions. For example, if the user 112 is sending from a location in the user's profile (eg, the user's home computer) but the transaction by the user 112 is outside the user's profile (eg, all of the money in the financial market account The money is transferred to an overseas bank account, but in this case the user has never transferred money to an overseas bank account), the user session is assigned a low confidence level. This low number is utilized by the trading rules engine 440 and / or fraud detection system 405 to determine if the activity is fraudulent.

  However, for example, user 112 does not come from a location in the user's profile (eg, a New York City hotel, in which case the user has never logged in from a New York City hotel before), but the transaction by user 112 is within the user's profile. The computer signature of the user's computer is in the user's profile (for example, all money in a financial market account is transferred to an overseas bank account, in which case the user is transferred to an overseas bank account every other week) If it matches the computer signature (for example, the user is using a laptop usually used at home in a New York City hotel), the user session confidence level is a high number, which is a transaction Is within the user's normal behavior, but the user is It is because logging in from a position outside of yl. The high number is utilized by the trading rules engine 440 and / or fraud detection system 405 to determine whether the act is fraudulent.

  Trading rules engine 440 includes a signature-based rules engine. The signature-based rule engine searches for a predetermined pattern (eg, signature) in the user session. The pattern includes, for example, a set of conditions that characterize fraud. For example, the http header and / or http payload content may be analyzed to detect other types of behavior indicating that variable overwriting, parameter overload, and / or fraud may have occurred.

  For example, user 112 has submitted a request to transfer $ 1,000,000 from an account to an overseas bank account. The trading rules engine 440 monitors actions and examines http payload content to ensure that the content corresponds to action information. The http payload content includes user id = GeorgeRich while the user is logged on as user id = GeorgeFraud. User 112 is trying to transfer funds from another user's account instead of from his account by changing the user id parameter in the http payload content. Trading rule engine 440 detects this discrepancy and classifies the user session as fraudulent.

  Database 450 stores user session elements in a memory module. Elements include, for example, user identification, network address, time, network path, length of time logged into the system, transactions and / or other information included in the user session. The memory module is, for example, a volatile memory that increases the speed of access of stored user sessions. The memory module is, for example, a fixed storage device maintained for historical analysis (eg, Oracle® Berkeley DB available from Oracle Corporation).

  For example, fraud detection system 405 searches for user sessions stored in database 450 and is accessed by the same network address and / or network subnet. If the user session elements are stored in the database 450 and are similar and / or consistent with elements related to fraud, the fraud detection system 405 classifies the user session as fraudulent (eg, stored elements Subnet 10.10.10.0.0 is associated with cheating and user sessions from 10.10.10.0.5 are classified as cheating).

  For example, the database 450 stores all of the bond purchase transaction amounts in a fast access volatile memory. The fraud detection system 405 receives a user session from the unified engine 320. The user session is processed by the fraud detection system 405 to determine if fraud exists. Part of the processing by fraud detection system 405 is to compare the transaction amount in the user session with the previous transaction amount for the bond being purchased. The stored elements in the database 450 for purchased bonds include 10 years of transactions with over 100,000 transactions per year. The fraud detection system 405 retrieves over 1 million transactions from the database 450 in volatile memory and analyzes whether the transactions in the user session are fraudulent. The fraud detection system 405 takes advantage of the speed of the database 450 in volatile memory (eg, random access memory) to process transactions at the same or nearly the same time that the server system 122a or 122b is processing transactions. If the transaction (for example, purchase of 9,232 bonds) in the user session is in the normal range (for example, the purchase range is 1 to 10,342), the fraud detection system 405 does not prohibit the transaction. If the transaction in the user session (eg, purchase of 132,230 bonds) is not in the normal range (eg, the purchase range is 1-10,342), the fraud detection system 405 prohibits the transaction.

  FIG. 5 is a functional block diagram of an exemplary system 500 showing a requesting system for receiving data from data bus 210. The components of the exemplary system 500 are as described above with reference to FIGS. Data bus 210 transmits data packets to the requesting system. In some examples, the request system includes a marketing analysis system 562, a network intrusion detection system 564, a customer service system 566, and / or a performance analysis system 568.

  Data packets received by the data bus 210 are restored to data, for example, before being sent to the requesting system. User requests received by the data bus 210 are, for example, unified into a user session before being sent to the requesting system. The data bus 210 includes, for example, the unified engine 320 shown in FIG. 3 and / or the restoration engine 150 shown in FIG.

  Data bus 210 receives data packets and / or user requests as encrypted information from data collection systems 124a and 124b. Data bus 210 decrypts the information before sending it to the requesting system.

  The data bus 210 processes data packets and / or user requests in a format that conforms to a particular protocol. Specific protocols include: Voice Protocol (VoIP) over the Internet, Transmission Control Protocol (TCP), Internet Protocol (IP), Extensible Markup Language (XML), Hypertext Markup Language (HTML) and / or Standard General Generalized markup language (SGML).

  FIG. 6A is a screen shot 600a generated by the login module. Screen shot 600a shows a login screen generated by a login module, which is included in the network associated with load balancer 130 of FIG. The login screen includes a customer identification field 602a, a pin field 604a and a submit information button 606a. Fields 602a, 604a and 606a are some or all of the information in the user request.

  6B is a diagram 600b of information sent from the transmitter 110 of FIG. 1 to the login module containing information in FIG. 6A. Diagram 600b is a portion or all of a data packet and / or user request. Information parameter 610b defines how information is derived and / or processed. Information parameters 610b include the source of information, the destination of the information, routing information, information protocols and / or other types of transmission parameters. The information data 612b includes content information. Information data 612b includes formatting information, content information, transaction information, and / or other types of content information. The transaction information may comprise a customer id 602b corresponding to the customer id field of the login screen 602a. The transaction information may comprise a pin 604b corresponding to the pin field of the login screen 604a. The transaction information may include login-in 606b command information corresponding to the login submission button 606a. Fields 602b, 604b and 606b are some or all of the information in the data packet and / or information in the user request.

  The exemplary system 300 of FIG. 3 unifies user requests into user sessions, as indicated by 600a and 600b. User sessions are analyzed by fraud detection system 160 looking for account access to multiple accounts. The fraud detection system 160 detects that the user 112 has logged into an account that has been previously logged into a number of other accounts in the same or near time frame as the current login. The fraud detection system 160 determines that access to the account is fraudulent and transmits fraud information for the user 112 to the prohibition system 330. Forbidden system 330 blocks user 112 from accessing system 300.

  FIG. 6C is a screen shot 600c generated by the search module in the server system 122a or 122b of FIG. The fields in screen shot 600c may comprise some or all of the information in the user request.

  FIG. 6D is a diagram 600d of information transmitted from the transmitting device 110 of FIG. 3 to the search module in the server system 122a or 122b, which server system includes the information in FIG. 6C. FIG. 600d is part or all of a data packet and / or user request. Information parameter 610d defines how information is derived and processed. The information data 612d includes content information.

  6E is a diagram 600e of information received from the search module in the server system 122a or 122b of FIG. Diagram 600e is a portion or all of a data packet and / or user request. Information parameter 610e defines how information is derived and processed. The information data 612e includes content information.

  FIG. 6F is a screen shot 600f of information generated by the search module in the server system 122a or 122b of FIG. Screen shot 600f shows information received from the search module. The information shown in the screen shot 600f corresponds to the information 612e in the diagram of FIG. 6E.

  6G is a diagram 600g of information sent to the transaction module in the server system 122a or 122b of FIG. Diagram 600g is part or all of a data packet and / or user request. Information parameters 610g define how information is derived and processed. The information data 612g includes content information.

  6H is a diagram 600h of information received from the information module in the server system 122a or 122b of FIG. Diagram 600h is a portion or all of a data packet and / or user request. Information parameters 610h define how information is derived and processed. The information data 612h includes content information.

  FIG. 6I is a screen shot 600i of information generated by the information module in the server system 122a or 122b of FIG. The information shown in the screen shot 600i corresponds to the information 612h in the diagram of FIG. 6H.

  The diagrams of information 600b, 600d, 600e, 600g, and 600h show data packets and / or user requests collected by the data collection system 124a or 124b of FIG. The recovered data is all combinations of data packets collected by the data collection systems 124a and 124b. The restored data is information transmitted from the transmission device 110 and the server systems 122a and 122b (for example, all original packets transmitted on the system 100). The information contained in the screen shots 600a, 600c, 600f and 600i and the information 600b, 600d, 600e, 600g and 600h diagrams indicates some or all of the user session. A user session indicates some or all of a user's actions, including a transaction, which has not been transmitted from the transmitting device 110 over the network.

  For example, the transmitting device 110 includes an application for communicating with the server systems 122a and 122b. Communication between the user 112 and the application on the transmitting device 110 is part of the user's actions, and thus the user session includes communication between the application on the transmitting device 110 and the user 112. The unification engine 320 is aware of the application used on the sending device 110 (e.g., by storing information about the application and the communication with the application in the database 220), and the communication related to the application into a unified user session. Integrate.

  FIG. 7 is a flowchart 700 illustrating the process of transmitting data from the exemplary system 100 of FIG. User 112 transmits a data packet using transmitter 110 (710). Load balancer 130 receives the data packet and sends the data packet to one of data centers 120a and 120b (720). FIG. 7 includes processing performed at data center A 120a and shown as grouping 730a and processing performed at data center B 120b and shown as grouping 730b. In either data center, data packets are routed to server systems 122a and 122b, respectively (732a and 732b), and data collection systems 124a and 124b collect data packets (736a and 736b), respectively. Data packets are processed by server systems 122a and 122b, respectively (734a and 734b). Responses from server systems 122a and 122b are returned to the user and collected by data collection systems 124a and 124b (736a and 736b), respectively. Data collection systems 124a and 124b send data packets to restore engine 150 (738a and 738b). The restoration engine 150 receives data packets from the data centers 120a and 120b. The restore engine 150 restores data from the data packet (750).

  Data packet recovery (750) can occur in several different ways. For example, restoration (750) may include matching source parameters between data packets. For example, using the exemplary system 100 of FIG. 1 and the data portion of FIGS. 6A-6I, the restoration engine 150 restores the data packet to data. Data packets 600b, 600d, and 600g indicate information parameters 610b, 610d, and 610g. Information parameters 610b, 610d, and 610g include a source parameter (eg, a source field). The source field indicates that the data packet originated from address 192.168.0.1. The source field can be matched between data packets by the restoration engine 150. The matched data packet is converted to hypertext markup language (HTML) using information data 612b, 612d and 612g, which includes HTML tags to form part or all of the data.

  The advantage of the exemplary system 100 is that the data packets 600b, 600d and 600g are directed to the different data centers 130a and 130b by the load balancer 130 and processed by the server systems 122a and 122b (734a and 734b), and the different data centers. The data packets 600b, 600d and 600g directed to 130a and 130b are restored to some or all of the data transmitted and received by the user's transmitter 110. Data packet 600b is routed to data center A 120a by load balancer 130 (720), while data packets 600d and 600g are routed to data center B 120b by load balancer 130 (720). Data packet 600b is directed to server system 122a (732a) and collected by data collection system 124a at data center A 120a (736a). Data packets 600d and 600g are directed to server system 122b (732b) and collected by data collection system 124b at data center B 120b (736b). Data collection systems 124a and 124b send data packets to restore engine 150 (738a and 738b). The restoration engine 150 restores the data packets received from the data centers A 120a and B 120b to the data sent by the user 112 (750). Thus, data packets are split between data centers 120a and 120b and processed by server systems 122a and 122b (734a and 734b), but are recovered by recovery engine 150 (750).

  For example, restoration (750) may include matching source and destination parameters between data packets. For example, using the exemplary system 100 of FIG. 1 and the data portion of FIGS. 6A-6I, the restoration engine 150 restores the data packet to data. Data packets 600b, 600d, 600e, 600g, and 600h indicate information parameters 610b, 610d, 610e, 610g, and 610h. Information parameters 610b, 610d, 610e, 610g and 610h include source parameters (eg, source field, destination field). The source field indicates that the data packet shown in FIGS. 6B, 6D and 6G originates from address 192.168.0.1. The destination field indicates that data packets 600e and 600h are sent to address 192.168.0.1. The source and destination fields are matched between the data packets by the restoration engine 150 to form data. Matching is part or all of the data recovery (750).

  The advantage of the exemplary system 100 is that the data packets 600b, 600d and 600g are directed to the different data centers 130a and 130b by the load balancer 130 and processed by the server systems 122a and 122b (734a and 734b), and the different data centers. The data packets 600b, 600d and 600g derived from 130a and 130b and the data packets transmitted by the server systems 122a and 122b are restored to the data transmitted and received by the user transmitter 110. Data packet 600b is routed to data center A 120a by load balancer 130 (720), while data packets 600d and 600g are routed to data center B 120b by load balancer 130 (720). Data packet 600b is directed to server system 122a (732a) and collected by data collection system 124a at data center A 120a (736a). Data packets 600d and 600g are directed to server system 122b (732b) and collected by data collection system 124b at data center B 120b (736b). Data collection systems 124a and 124b collect data packets 600e and 600h (736a and 736b), which are responses to user 112. Data collection systems 124a and 124b send data packets to restore engine 150 (738a and 738b). The restoration engine 150 restores the data packets received from the data centers A 120a and B 120b to the data sent and received by the user 112 (750). Thus, data packets are split between data centers 120a and 120b and processed by server systems 122a and 122b (734a and 734b), but are recovered by recovery engine 150 (750).

  FIG. 8 is a flowchart 800 illustrating the process of sending a user request by the exemplary system 300 of FIG. User 112 transmits a user request using transmitter 110 (810). Load balancer 130 receives the user request and sends the user request to one of data centers 120a and 120b (820). FIG. 8 includes the processing performed at data center A 120a and shown as grouping 830a and the processing performed at data center B 120b and shown as grouping 830b. In either data center, user requests are received at data center 120a or 120b (832a and 232b). The user request is sent to server system 122a or 122b and data collection system 124a or 124b, respectively (834a or 834b). The data collection system sends a user request to the data bus 210 (836a or 836b). The unification engine 320 receives a user request from the data bus 210 (850). The unification engine 320 unifies user requests received from the data bus 210 (860) to form a user session.

  User request unification (860) can occur in several different ways. For example, unification (860) includes matching source and destination parameters between user requests. For example, using the exemplary system 300 of FIG. 3 and the user session portion of FIGS. 6A-6I, the unification engine 320 unifies user requests into user sessions (860). The user session includes information for user requests 600b, 600d and 600g, responses 600e and 600h, and screen shots 600a, 600c, 600f and 600i. User requests 600b, 600d and 600g and responses 600e and 600h indicate information parameters 610b, 610d, 610e, 610g and 610h. Information parameters 610b, 610d, 610e, 610g and 610h include source parameters (eg, source field, destination field). The source field indicates that user requests 600b, 600d and 600g are originating from 192.168.0.1. The destination field indicates that user requests 600e and 600h are being sent to address 192.168.0.1. The information data 612b, 612d, 612e, 612g and 612h are part or all of the information for the screen shots 600a, 600c, 600f and 600i, and these screen shots are part or all of the user session. The source and destination fields are matched by the unified engine 320 between user requests to form data. Based on the information stored in the database 220, the unification engine 320 can match the information in the screenshot with the user request (eg, the unification engine generates a user request including login information in FIG. 6 generated by the login module). Can match screen shot 600a). Matching fields and matching information in screenshots is part or all of user session unification (860).

  The advantages of the exemplary system 300 are that user requests 600b, 600d and 600g directed to different data centers 130a and 130b by the load balancer 130 are user requests 600e and 600h being sent to the user 112 and screenshots 600a, 600c, 600f and It is to be unified with the information included in 600i.

  FIG. 9 is a flowchart 900 illustrating the process of sending a user request by the exemplary system 300 of FIG. User 112 transmits a user request using transmitter 110 (910). The user request is sent by the load balancer 130 to the data center 120b (920). Although data center B 120b is used in this example, the load balancer can send 920 a user request to data center A 120a. The request is routed to server system 122b (932). Server system 122b processes the request (934). Server system 122b responds to the user request (936). The response is sent back to the user 112 by the user's sending device 110 and collected by the data collection system 124b (942). The data collection system 124b collects the user request (942) at or near the same time as the user request is directed to the server system 122b (932). The data collection system 124b collects (942) the user request without affecting the processing (934) of the user request by the server system 122b. After collecting the user request (942), the data collection system 124b sends the user request to the unified engine 320 (944). The unification engine 320 unifies (946) user requests to form a user session. The unification engine 320 unifies the user request with itself or with other user requests (946) to form a user session. The user session is processed by fraud detection system 160 (948) to detect fraud.

  For example, using the exemplary system 400 of FIG. 4 and the user session of FIGS. 6A-6I, the fraud detection system 405 processes (948) the user session to determine if the act is fraudulent. Fraud detection system 405 uses geographic location profiling engine 410, behavioral profiling engine 420, and trading rules engine 440 to process (948) the user session, which includes a buy order in user request 600g. (Ie 1,000,000 bonds of funds). Geographic location profiling engine 410 processes the location where user 112 is sending a buy order (948). The location is not suspicious based on the network address and network subnet (eg, the network address and network subnet are not on the list of suspicious networks). The geographic location profiling engine 410 generates a report of non-fraud. The behavior profiling engine 420 analyzes the buy order to determine if the buy order is outside the range of behavior of the user's profile. The behavior profiling engine 420 determines that the buy order is not outside the range of the behavior of the user 112, but by accessing the elements stored in the database 450, the behavior profiling engine 420 determines that the user 112 has Because they decide to buy and sell millions of bond allocations annually. The behavior profiling engine 420 generates a report of non-fraud. Trading rules engine 440 analyzes the buy order to determine if the buy order is outside the normal range of buy and sell orders for a particular bond. Trading rules engine 440 determines that buying and selling million bonds is in the normal range for a particular bond (eg, bonds average 100 million buying and selling transactions per week). Trading rule engine 440 generates a report of non-fraud. Based on reports from the geographic location profiling engine 410, behavioral profiling engine 420, and trading rules engine 440, the fraud detection system 405 determines that the user session is not fraudulent.

  FIG. 10 is a flowchart 1000 illustrating the steps for transmitting a data packet by the exemplary system 500 of FIG. User 112 transmits a data packet using transmitter 110 (1010). The data packet is sent by load balancer 130 to data center B 120b (1020). Although data center B 120b is used in this example, the load balancer can send 1020 a user request to data center A 120a. The data packet is routed to server system 122b (1032). Server system 122b processes the data packet (1034). Server system 122b responds to the data packet (1036). The response is sent back to the user 112 by the sending device 110 and collected by the data collection system 124b (1042). Data collection system 124b collects data packets (1042) at or near the same time as data packets are routed to server system 122b (1032). The data collection system 124b collects the data packet (1042) without affecting the data packet processing (1034) by the server system 122b. After collecting the data packet (1042), the data collection system 124b sends the data packet to the data bus 210 (1044). The requesting system requests a portion of data from the data bus 210 (1046). The requested data is transmitted 1048 from the data bus 210 to the requesting system.

  For example, using the exemplary system 500 of FIG. 5 and the data portion of FIGS. 6A-6I, a requesting system (eg, 562, 564, 566 and / or 568) requests a portion of data from the data bus 210 (1046). ). In this example, the request system is a performance analysis system 568. The performance analysis system 568 analyzes the data packet to determine the search module response time. The performance analysis system 568 requests (1046) data sent to and from the search module. Data bus 210 transmits the requested portion of data to performance analysis system 568 (1048). The portions of data are data packets 600d and 600e, which represent the portions of data sent to and from the search module. The performance analysis system 568 analyzes the response time between the data packet 600d requesting the search and the data packet 600e that transmitted the search result. A high response time indicates that the system 500 is loaded and the performance analysis system 568 has changed the configuration of the load balancer 130 and / or the server systems 122a and 122b to reduce the response time. A low response time indicates that the system 500 responded to the user request in an appropriate time frame and no corrective action was required. The performance analysis system 568 monitors the modules of the system 500 and modifies the system 500 to reduce response times when appropriate.

  In this example, the requesting system is customer service system 566. Customer service system 566 analyzes the data packets to diagnose and resolve problems that user 112 has with system 500. User 112 is seeking information using information data 612d by submitting information to a search module that is part of system 500. The search module does not return accurate information. User 112 contacts a customer service representative using customer service system 566 to view data for user 112. The portion of data is requested by the customer service system 566 (1046). The customer service representative identifies that the information request has failed because the information parameter 610d has not been correctly transmitted to the system 500. The customer service representative instructs user 112 to update and try again the world web browser software (eg, Mozilla® Firefox). User 112 updates the world web browser software and submits data packet 600 d to system 500. User 112 receives a data packet response 600e (ie, a response to the user's request) as shown in screenshot 600f.

  FIG. 11 is a flowchart 1100 illustrating the process of sending a user request by the exemplary system 300 of FIG. The user 112 transmits a user request using the transmission device 110 (1110). The prohibition system 330 determines whether the user session should be prohibited based on notification from the fraud detection system 160 (1164). The fraud detection system 160 sends a notification to the prohibition system 330 if, for example, the user 112 is trading outside of the user's behavior profile (eg, the user 112 has bought an allocation of 10 million shares, in which case the user 112 Only has an allocation of 100 shares in the portfolio prior to this transaction).

  If the ban system 330 does not ban the user session (1164), the user request is routed to the data center 120b by the load balancer 130 (1120). If the prohibited system 330 does not prohibit the user session (1164), access of the system 1100 is stopped (1166). Although data center B 120b is used in this example, the load balancer can send a user request to data center A 120a (920). The request is routed to server system 122b (1032). Server system 122b processes the request (1034). Server system 122b responds to the user request (1036). The response is sent back to the user 112 by the sending device 110, where the forbidden system 330 does not determine (1162) whether the user session should be forbidden based on the notification from the fraud detection system 160. If the banned system 330 does not ban the user session (1162), access is stopped (1166) for the system 1100 (ie, the response to the user request has not been returned to the user 112).

  Data collection system 124b collects user requests 1142 at or near the same time that user requests are directed to server system 122b (1132). The data collection system 124b collects the user request (1142) without affecting the processing of the user request (1134) by the server system 122b. After collecting the user request (1142), the data collection system 124b sends the user request to the data bus 210 (1144). Unified engine 320 receives a user request from data bus 210 (1146). The unification engine 320 unifies user requests (1148) to form a user session. The unification engine 320 unifies user requests (1148) by itself or with other user requests to form a user session. The user session is processed (1050) by the fraud detection system 160 to detect fraud. When the fraud detection system 160 detects fraud (1160), the fraud detection system 160 notifies the prohibition system 330. If fraud detection system 160 does not detect fraud (1160), fraud detection system 160 continues to process the user session (1150) looking for fraud.

  For example, using the exemplary system 400 of FIG. 4 and the user session of FIGS. 6A-6I, the prohibit system 330 determines whether to prohibit user requests and responses to user requests (1162 and 1164). The unification (1148) of the user request into the user session by the unification engine 320 is as described above. The user session is processed (1150) by the fraud detection system 405 looking for search conditions that are classified as suspicious. The fraud detection system 405 uses the behavior profiling engine 420 to process (1150) the user session. The behavior profiling engine 420 processes (1150) the search condition in the information data 612d to determine if the search condition is classified as suspicious by the behavior profiling engine 420. Highly profitable bond search conditions, 10+ year fund performance and 5-star Morningstar ratings are not classified as suspicious search conditions by behavioral profiling engine 420, but this is classified as long-term investment search and fraudulent search It is because it is not classified as. Accordingly, behavior profiling engine 420 does not classify searches by user 112 as fraud and fraud detection system 160 does not notify prohibition system 330 (1160) because no fraud has been detected.

  FIG. 12 is a flowchart 1200 illustrating the process of sending a user request by the exemplary system 400 of FIG. The process of transmitting the user request is partially similar to FIG. 11 described above. The user 112 transmits a user request using the transmission device 110 (1110). The user request is sent to the authentication system, which authenticates (1270) that the user 112 verifies that only user requests from the properly authenticated user 112 are allowed to access the system 1200. . If the user 112 is granted access to the system 1200 (1268), the user request is sent to the load balancer. If user 112 is not authorized to access system 1200 (1268), user access is suspended (1166).

  In some examples, the authentication system may be a computer, a network hub, a network switch, a network router, a network firewall, an authentication server (eg, a Kerberos authentication server in Windows Server 2003, Oracle Corporation, available from Microsoft Corporation). Oracle® Access Manager available from and / or other authentication modules.

  FIG. 13 is a flowchart 1300 illustrating the process of sending a user request by the exemplary system 400 of FIG. The process of sending user requests is partially similar to FIGS. 11 and 12 described above. When the fraud detection system 405 detects fraud (1160), the prohibition system 330 generates an authentication rule based on the fraud (1382). The authentication rule is communicated to the authentication system (1384). When the user 112 sends a user request (1110), the authentication system has a rule if the user 112 is authenticated (1270). In some examples, the rules may identify certain locations that are not allowed access to the typical system, identify certain user accounts that are not allowed access to the typical system, and / or during set times, Includes identification of certain user accounts that are not authorized to access the typical system.

  FIG. 14 is a flowchart 1400 illustrating the process of sending a user request by the exemplary system 400 of FIG. The process of sending user requests is partially similar to FIGS. 11, 12 and 13 described above. When the fraud detection system 405 detects fraud (1160), the prohibition system 330 prohibits the user request and response to the user request for the user session in which fraud is detected (1162 and 1164). The prohibition system 330 then resends the user request and the response to the user request to another network (1470). In some examples, another network includes a honeypot server, honeypot network, server system, network firewall, network router, network hub, network switch, and / or other network communication device. Another network is used, for example, so that the user 115 can continue to cheat without adversely affecting the data centers 120a and 120b. Since the user 115 can continue to perform fraud on another network, it is possible to analyze fraud against the addition or modification of rules and / or profiles to the fraud detection system 405.

  The systems and methods can be implemented in digital electronic circuitry, computer hardware, firmware and / or software. Implementation is performed as a computer program product (ie, a computer program product that is clearly embodied in an information carrier). Implementation can be performed, for example, on a machine readable storage device and / or propagated signal, which can be performed by a data processing device or controlled for operation of the device. Implementation can be performed, for example, in a programmable processing device, a computer, and / or multiple computers.

  A computer program can be written in any form of programming language, including any language that has been edited and / or translated, and the computer program can be implemented in any form, which can be a stand-alone program or subroutine, element And / or other devices suitable for use in a computing environment. The computer program is configured to run on a single computer or multiple computers at one location.

  The method steps can be performed by one or more programmable processors to execute a computer program to perform the functions of the present invention, which are performed by operating on input data and generating output. Also, the method steps can be performed by a special purpose logic circuit and the device can be implemented as this circuit. The circuit may be, for example, an FPGA (Field Programmable Gate Array) and / or an ASIC (Application Specific Integrated Circuit). Modules, subroutines and software agents may be computer programs, processors, special circuits, software and / or hardware implementing the functions.

  Processors suitable for the execution of computer programs include, for example, both general and special purpose microprocessors and one or more processors of any kind of digital computer. Generally, a processor will receive instructions and data from a read-only memory or a random access memory or both. Important elements of the computer are a processor for executing instructions and one or more memory devices for storing instructions and data. In general, a computer may include one or more mass storage devices (eg, magnetic, magneto-optical discs or optical discs) for storing data, and operatively connected to these devices for receiving data from these devices. Data can be received and / or transferred to the device.

  Data transmission and instructions can occur over a communication network. Suitable information carriers for implementing computer program instructions and data include any type of non-volatile memory, including semiconductor memory devices as examples. The information carrier may be, for example, EPROM, EEPROM, flash memory device, magnetic disk, internal hard disk, removable disk, magneto-optical disk, CD-ROM and / or DVD-ROM disk. The processor and memory may be supplemented with and / or incorporated with special purpose logic circuitry.

  In order to communicate with the user, the technique can be implemented on a computer having a display device. The display device may be, for example, a cathode ray tube (CRT) and / or a liquid crystal display (LCD) monitor. Communication with the user may be, for example, a display of information to the user, a keyboard and a printing device (eg mouse or trackball), which allows the user to input into the computer (eg user interface elements and Communication). Other types of devices can be used to communicate with the user. Other devices may be, for example, feedback provided to the user in any form of sensory feedback (eg, visual feedback, audio feedback or haptic feedback). Input from the user can be received in any form including, for example, auditory, utterance and / or tactile input.

  The technique can be implemented in a distributed computing system that includes a back-end component. The backend component may be, for example, a data server, a middleware component and / or an application server. The technique can be implemented in a distributed computing system that includes a front-end component. The front-end component may be, for example, a client computer having a graphical user interface, a web browser with which a user can communicate according to embodiments, and / or other graphical user interfaces for a sending device. The components of the system can be interconnected by any form or medium of digital data communication (eg, a communication network). The communication network may include, for example, a local area network (LAN), a wide area network (WAN), the Internet, a wired network, and / or a wireless network.

  The system may include a client and a server. A client and server are generally remote from each other and typically interact through a communication network. The client-server relationship is caused by a computer program that runs on each computer and has a client-server relationship with each other.

  Including, including, and / or each plural form is an open end, includes the listed components, and may include additional components not listed. And / or open ends, including one or more of the listed parts and combinations of the listed parts.

  Those skilled in the art will recognize that the present invention may be embodied in other specific forms without departing from the spirit or key features of the invention. Accordingly, the foregoing embodiments are considered in all respects illustrative rather than limiting on the invention described herein. Thus, since the scope of the invention is indicated by the scope of the appended claims rather than by the foregoing description, all equivalent meanings and modifications within the scope of the claims are included in the present invention. Is intended.

DESCRIPTION OF SYMBOLS 100 System 110 Transmission apparatus 112 User 120a, 120b Data center 122a, 122b Server system 124a, 124b Data collection (collection) system 130 Load balancer 160 Fraud detection system

Claims (107)

A method of detecting and prohibiting fraud in the network,
Receiving each user request from a plurality of data centers, each data center comprising one or more servers, each user request including one or more data packets;
Combining the user requests to form a user session, wherein the user requests are separated for processing between the plurality of data centers;
Analyzing the user session to detect fraud;
Prohibiting the user session based on detected fraud.   The method of claim 1, further comprising communicating with an authentication system to prevent the user session from accessing the network.   The method of claim 1, further comprising generating a rule based on the fraud.   4. The method of claim 3, further comprising communicating the rules to the authentication system.   The method of claim 1, wherein prohibiting the user session requires the user to authenticate to the network.   The method of claim 1, wherein prohibiting the user session notifies the user of the fraud.   The method of claim 1, wherein prohibiting the user session blocks the user session from the network to stop the fraud.   The method of claim 1, wherein prohibiting the user session redirects the user session to a separate network to mitigate the fraud.   The method of claim 1, wherein the plurality of data centers receive the user request from a load balancer.   The load balancer can be used by the plurality of data centers, the state of the network, the quality of service indicators in data packets, application availability, the number of connections to each data center, predefined routing instructions, or 10. The method of claim 9, wherein the user request is sent to a different data center in the plurality of data centers according to a combination thereof.   The method of claim 1, wherein a server in the data center processes the user requests simultaneously or substantially simultaneously with a unified engine that unifies the user sessions. A computer program product tangibly embodied in an information medium,
For data processing equipment
Receiving each user request from a plurality of data centers, each data center comprising one or more servers, each user request including one or more data packets;
Combining the user requests to form a user session, wherein the user requests are separated for processing between the plurality of data centers;
Analyzing the user session to detect fraud;
A computer program product comprising instructions operable to cause the user session to be prohibited based on detected fraud. A system for detecting and prohibiting fraud in the network,
A unified engine configured and adapted to receive user requests from a plurality of data centers and combine the user requests to form a user session, wherein each user request includes one or more data packets; ,
A fraud detection system configured and adapted to analyze the user session to detect fraud;
A session banning system configured and adapted to ban the user session based on detected fraud.   Prohibition of the user session includes requesting the user to authenticate to the network, notifying the user of the fraud, and blocking the user session from the network to stop the fraud 14. The system of claim 13, wherein the user session is redirected to a separate network or a combination thereof to alleviate the fraud. A system for detecting and prohibiting fraud in the network,
Means for receiving user requests from a plurality of data centers and combining the user requests to form a user session, the means for unifying user sessions, wherein each user request includes one or more data packets;
Fraud detection means for analyzing the user session to detect fraud;
And a session prohibiting means for prohibiting the user session based on the detected fraud. A method for restoring data in a network,
In a step of receiving data packets from a plurality of data centers at a restoration engine, the data packets are transmitted from the same user location to different data centers in the plurality of data centers, each data center having one or more Including the server;
Processing the data packet;
Restoring data from the data packet to a format compliant with a particular protocol.   The method of claim 16, wherein the plurality of data centers receive the data packets from a load balancer.   The load balancer can be used by the plurality of data centers, the state of the network, the quality of service indicators in data packets, application availability, the number of connections to each data center, predefined routing instructions, or 18. The method of claim 17, wherein the data packet is transmitted to the different data centers according to a combination thereof.   17. The method of claim 16, wherein a server in the data center processes the data packets simultaneously or substantially simultaneously with the restoration engine that restores the data.   The method of claim 16, wherein processing the data packet comprises decoding the data packet.   The method of claim 16, wherein processing the data packet includes filtering the data packet.   The filtering step includes filtering by internet protocol address, protocol, data type, parameter, content, content type, uniform resource locator (URL) path, internet protocol (IP) range, or a combination thereof. The method of claim 21.   The method of claim 16, wherein the specific protocol comprises a hypertext transfer protocol (HTTP).   24. The method of claim 23, further comprising converting the data in a hypertext transfer protocol (HTTP) to an open standard message protocol.   The method of claim 16, wherein the specific protocol includes Voice over Internet Protocol (VoIP), Transmission Control Protocol (TCP), Internet Protocol (IP), Hypertext Markup Language (HTML), or a combination thereof.   The method of claim 16, wherein restoring the data includes matching one or more parameters between the data packets to restore the data.   27. The method of claim 26, wherein the parameter comprises a network address, a user address, an operating system (OS) fingerprint, a network card address, a user cookie, form data, an encryption key, a transaction identifier, or a combination thereof.   The method of claim 16, wherein restoring the data includes matching a data packet request from the network to a data packet response to restore the data. A computer program product tangibly embodied in an information medium,
For data processing equipment
In a step of receiving data packets from a plurality of data centers at a restoration engine, the data packets are transmitted from the same user location to different data centers in the plurality of data centers, each data center having one or more Comprising the step of providing a server;
Processing the data packet;
A computer program product comprising instructions operable to cause the data from the data packet to be restored to a format compliant with a particular protocol. A system for restoring data in a network,
A data collection system configured and adapted to collect data packets at a data center;
A system comprising: a restoration engine configured and adapted to receive the data packet from a plurality of data collection systems and process the data packet for restoration to a format compliant with a particular protocol.   31. The system of claim 30, further comprising a load balancer configured and adapted to transmit the data packet from a plurality of data centers to a selected data center.   The load balancer can be used by the plurality of data centers, the state of the network, the quality of service indicators in data packets, application availability, the number of connections to each data center, predefined routing instructions, or 31. The system of claim 30, wherein the data packet is transmitted to a different data center in the plurality of data centers according to a combination thereof.   31. The system of claim 30, further comprising one or more servers in the data center configured and adapted to process the data packets separately or concurrently with the restoration engine that restores the data.   31. The system of claim 30, wherein the restoration engine processes the data packet by matching one or more parameters between the data packets to restore the data.   35. The system of claim 34, wherein the parameter comprises a network address, a user address, an operating system (OS) fingerprint, a network card address, a user cookie, form data, an encryption key, a transaction identifier, or a combination thereof.   31. The system of claim 30, wherein the restoration engine matches a data packet request from the network to a data packet response to restore the data. A system for restoring data in a network,
Means for collecting data packets at the data center;
Means for recovering data from the means for retrieving a plurality of data packets and processing the data packets to recover to a format compliant with a particular protocol.   38. The system of claim 37, further comprising means for load balancing the data packets among a plurality of data centers by selecting a data center from a plurality of data centers.   38. The system of claim 37, further comprising means for processing the data packet separately or concurrently with the restoration engine that restores the data. A method for unifying user sessions in a network,
In the step of receiving user requests from a plurality of data centers at a unified engine, the user requests are transmitted from the same user location to different data centers in the plurality of data centers, each data center having one or more Comprising a server, wherein each user request includes one or more data packets;
Processing the user request;
Unifying user sessions from the user requests.   41. The method of claim 40, wherein the plurality of data centers receive the user request from a load balancer.   The load balancer can be used by the plurality of data centers, the state of the network, the quality of service indicators in data packets, application availability, the number of connections to each data center, predefined routing instructions, or 42. The method of claim 41, wherein the user request is sent to a different data center in the plurality of data centers according to a combination thereof.   41. The method of claim 40, wherein a server in the data center processes the user request separately or simultaneously with the unification engine that unifies the user sessions.   42. The method of claim 40, wherein unifying the user session comprises matching one or more parameters between the user requests to unify the user session.   45. The method of claim 44, wherein the parameter comprises a network address, user address, operating system (OS) fingerprint, network card address, user cookie, form data, encryption key, transaction identifier, or combinations thereof.   41. The method of claim 40, wherein the step of unifying the user session includes a process of matching a network user request with the user request to unify the user session. A computer program product tangibly embodied in an information medium,
For data processing equipment
In the step of receiving user requests from a plurality of data centers at a unified engine, the user requests are transmitted from the same user location to different data centers in the plurality of data centers, each data center having one or more Comprising a server, wherein each user request includes one or more data packets;
Processing the user request;
A computer program product comprising instructions operable to cause a user session from the user request to be restored to a format compliant with a particular protocol. A system for unifying user sessions in a network,
A data collection system configured and adapted to collect user requests in a data center;
A system comprising: a restoration engine configured and adapted to receive the user request from a plurality of data collection systems and process the user request to restore the user session.   50. The system of claim 49, further comprising a load balancer configured and adapted to transmit the user request from a plurality of data centers to a selected data center.   The load balancer can be used by the plurality of data centers, the state of the network, the quality of service indicators in data packets, application availability, the number of connections to each data center, predefined routing instructions, or 50. The system of claim 49, wherein the user request is sent to a different data center in the plurality of data centers according to a combination thereof.   49. The system of claim 48, further comprising one or more servers in the data center configured and adapted to process the user requests separately or concurrently with the unification engine that unifies the user sessions.   49. The system of claim 48, wherein the unification engine processes the user request by matching one or more parameters between the user requests to unify the user session.   53. The system of claim 52, wherein the parameter comprises a network address, user address, operating system (OS) fingerprint, network card address, user cookie, form data, encryption key, transaction identifier, or a combination thereof.   49. The system of claim 48, wherein the unification engine matches a network user request with the user request to unify the user session. A system for unifying data in a network,
Means for collecting user requests configured and adapted to collect user requests at a data center, wherein each user request includes one or more data packets;
Means for unifying user sessions configured and adapted to receive said user requests from a plurality of user request collection means and process said user requests to unify user sessions.   56. The system of claim 55, further comprising a load balancer configured and adapted to transmit the user request from a plurality of data centers to a selected data center.   56. The system of claim 55, further comprising means for server processing configured and adapted to process the user requests separately or concurrently with the unification engine that unifies the user sessions. A method for detecting fraud in a network,
Receiving each user request from a plurality of data centers, each data center comprising one or more servers, each user request including one or more data packets;
Combining the user requests to form a user session, wherein the user requests are separated for processing between the plurality of data centers;
Determining whether the user session is fraudulent using a profiling engine, a rules engine, or a combination thereof.   59. The method of claim 58, wherein a server in the data center processes the user request separately or simultaneously with a unified engine that unifies the user sessions.   59. The method of claim 58, wherein the profiling engine is a geographic location profiling engine.   61. The geographic location profiling engine uses global address lookup, network address, network information, routing information, time, data, device cookies, fraud history, fraud patterns, device fingerprints, or combinations thereof. the method of.   59. The method of claim 58, wherein the profiling engine is a behavioral profiling engine.   The behavior profiling engine can be global address lookup, network address, network information, routing information, time, data, device cookie, cheating history, user behavior history, user preference, user account information, fraud pattern, device fingerprint, or 64. The method of claim 62, wherein a combination of these is used.   59. The method of claim 58, wherein the profiling engine is a geographic location profiling engine and a behavioral profiling engine.   59. The method of claim 58, wherein the rule engine is an application rule engine.   The application rule engine is a global address lookup, network address, network information, routing information, time, data, device cookie, fraud history, user behavior history, user preference, user account information, user profile change, account behavior, or 66. The method of claim 65, wherein a combination of these is used.   59. The method of claim 58, wherein the rule engine is a transaction rule engine.   The transaction rule engine includes global address lookup, network address, network information, routing information, time, data, device cookie, fraud history, user behavior history, user preference, user account information, user profile change, account activity, transaction 68. The method of claim 67, using history, transactions, or a combination thereof.   59. The method of claim 58, wherein the rule engine is an application rule engine and a transaction rule engine. A computer program product tangibly embodied in an information medium,
For data processing equipment
Receiving each user request from a plurality of data centers, each data center comprising one or more servers, each user request including one or more data packets;
Combining the user requests to form a user session, wherein the user requests are separated for processing between the plurality of data centers;
A computer program product comprising instructions operable to cause a profiling engine, a rules engine, or a combination thereof to be used to determine whether the user session is fraudulent. A system for detecting fraud in a network,
A unified engine configured and adapted to receive user requests from a plurality of data centers and process the user requests to restore a user session;
A fraud detection system configured and adapted to determine whether the user session is fraudulent.   72. The system of claim 71, further comprising a data collection system configured and adapted to collect user requests at the data center.   72. The system of claim 71, further comprising a load balancer configured and adapted to transmit the user request from a plurality of data centers to a selected data center.   72. The system of claim 71, further comprising one or more servers in the data center configured and adapted to process the user requests separately or concurrently with the unification engine that unifies the user sessions.   72. The system of claim 71, wherein the fraud detection system is configured and adapted to determine whether the user session is fraudulent using a profiling engine, a rules engine, or a combination thereof. A system for detecting fraud in a network,
Means for receiving user requests from a plurality of data centers and processing the user requests to unify user sessions; and unifying user sessions;
A fraud detection means for determining whether the user session is fraudulent.   77. The system of claim 76, further comprising means for load balancing that transmits the user request from a plurality of data centers to a selected data center. A method for detecting fraud in a network,
Receiving each user request from a plurality of data centers, each data center comprising one or more servers, each user request including one or more data packets;
Combining the user requests to form a user session, wherein the user requests are separated for processing between the plurality of data centers;
Storing an element associated with the user session in a memory module;
Performing an analysis of the user session using the elements stored in the memory module.   79. The method of claim 78, wherein the memory module is a volatile memory.   79. The method of claim 78, wherein the elements in the memory module are stored in persistent storage.   79. The method of claim 78, wherein the element comprises a user identification code, a network address, a time, a network path, a length of time recorded in the system, a transaction, or a combination thereof.     79. The method of claim 78, wherein the plurality of data centers receive the user request from a load balancer.   The load balancer can be used by the plurality of data centers, the state of the network, the quality of service indicators in data packets, application availability, the number of connections to each data center, predefined routing instructions, or 83. The method of claim 82, wherein the user request is sent to a different data center in the plurality of data centers according to a combination thereof.   79. The method of claim 78, wherein a server in the data center processes the user request separately or simultaneously with a unified engine that unifies the user sessions. A computer program product tangibly embodied in an information medium,
For data processing equipment
Receiving each user request from a plurality of data centers, each data center comprising one or more servers, each user request including one or more data packets;
Combining the user requests to form a user session, wherein the user requests are separated for processing between the plurality of data centers;
Storing an element associated with the user session in a memory module;
A computer program product comprising instructions operable to cause an analysis of the user session to be performed using the elements stored in the memory module. A system for detecting fraud in a network,
A unified engine configured and adapted to receive user requests from multiple data centers and process the user requests to unify user sessions, wherein each user request includes one or more packets When,
A database system configured and adapted to store an element associated with the user session in a memory module;
A fraud detection system configured and adapted to determine whether the user session is fraudulent using the elements stored in the memory module.   90. The system of claim 86, wherein the memory module is a volatile memory.   90. The system of claim 86, wherein the elements in the memory module are stored in persistent storage.   The system of claim 86, wherein the fraud detection system comprises a memory module, a profiling engine, a rules engine, or a combination thereof.   87. The system of claim 86, further comprising a data collection system configured and adapted to collect user requests at the data center.   87. The system of claim 86, further comprising a load balancer configured and adapted to transmit the user request from a plurality of data centers to a selected data center.   87. The system of claim 86, further comprising one or more servers in the data center configured and adapted to process the user requests separately or concurrently with the unification engine that unifies the user sessions. A system for detecting fraud in a network,
User means for receiving user requests from a plurality of data centers, processing the user requests to unify user sessions, and means for unifying user sessions, wherein each user request includes one or more packets Session unification means,
Means for storing an element associated with the user session in a memory module;
A fraud determination unit that determines whether or not the user session is fraudulent.   94. The system of claim 93, further comprising means for load balancing that transmits the user request from a plurality of data centers to a selected data center. In the step of receiving data packets on the data bus from a plurality of data centers, the data packets are transmitted from the same user location to different data centers in the plurality of data centers, each data center having one or more Including the server;
Processing the data packet;
Restoring the data from the data packet to a format compliant with a specific protocol;
Receiving a request for at least a portion of the recovered data;
Transmitting the requested data to a requester.   96. The method of claim 95, wherein receiving the request accepts a subscription request for the portion of the data packet from the requesting system.   99. The method of claim 96, wherein the subscription request is for a set time.   96. The method of claim 95, wherein the user request is transmitted to a requester over a data bus.   96. The method of claim 95, wherein the requester is a marketing analysis engine, a network intrusion detection system, a customer service system, a performance analysis system, or a combination thereof. 96. The method of claim 95, wherein the particular protocol comprises a hypertext transfer protocol (HTTP).   101. The method of claim 100, further comprising converting the data in a hypertext transfer protocol (HTTP) to an open standard message protocol.   The specific protocols include Voice over Internet Protocol (VoIP), Transmission Control Protocol (TCP), Internet Protocol (IP), Extensible Markup Language (XML), Hypertext Markup Language (HTML), General Markup Language (SGML) 96) or a combination thereof. A computer program product tangibly embodied in an information medium,
For data processing equipment
In the step of receiving data packets on the data bus from a plurality of data centers, the data packets are transmitted from the same user location to different data centers in the plurality of data centers, each data center having one or more Including the server;
Processing the data packet;
Restoring the data from the data packet to a format compliant with a specific protocol;
Receiving a request for at least a portion of the recovered data;
A computer program product comprising instructions operable to cause the requested data to be transmitted to a requestor. A data bus for receiving data packets from multiple data centers;
A restoration engine that restores data from the data packet to a format that conforms to a specific protocol;
A request module that receives a request for at least a portion of the restored data and transmits the requested data to a requester.   105. The system of claim 104, wherein the requester is a marketing analysis engine, a network intrusion detection system, a customer service system, a performance analysis system, or a combination thereof.   The specific protocols include Voice over Internet Protocol (VoIP), Transmission Control Protocol (TCP), Internet Protocol (IP), Extensible Markup Language (XML), Hypertext Markup Language (HTML), General Markup Language (SGML) 105) or a combination thereof. Means for receiving data packets from a plurality of data centers;
Means for restoring data from the data packet to a format compliant with a particular protocol;
Means for requesting restored data, receiving a request for at least a portion of the restored data and transmitting the requested data to a requester.

Images