US20150039513A1 - User device profiling in transaction authentications - Google Patents
User device profiling in transaction authentications Download PDFInfo
- Publication number
- US20150039513A1 US20150039513A1 US14/517,863 US201414517863A US2015039513A1 US 20150039513 A1 US20150039513 A1 US 20150039513A1 US 201414517863 A US201414517863 A US 201414517863A US 2015039513 A1 US2015039513 A1 US 2015039513A1
- Authority
- US
- United States
- Prior art keywords
- user
- real
- user device
- database
- time
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q30/00—Commerce
- G06Q30/06—Buying, selling or leasing transactions
- G06Q30/0601—Electronic shopping [e-shopping]
- G06Q30/0609—Buyer or seller confidence or verification
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/401—Transaction verification
- G06Q20/4016—Transaction verification involving fraud or risk level assessment in transaction processing
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/08—Payment architectures
- G06Q20/12—Payment architectures specially adapted for electronic shopping systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q50/00—Systems or methods specially adapted for specific business sectors, e.g. utilities or tourism
- G06Q50/10—Services
- G06Q50/26—Government or public services
- G06Q50/265—Personal security, identity or safety
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/535—Tracking the activity of the user
Abstract
A real-time fraud prevention system enables merchants and commercial organizations on-line to assess and protect themselves from high-risk users. A centralized database is configured to build and store dossiers of user devices and behaviors collected from subscriber websites in real-time. Real, low-risk users have webpage click navigation behaviors that are assumed to be very different than those of fraudsters. Individual user devices are distinguished from others by hundreds of points of user-device configuration data each independently maintains. A client agent provokes user devices to volunteer configuration data when a user visits respective webpages at independent websites. A collection of comprehensive dossiers of user devices is organized by their identifying information, and used calculating a fraud score in real-time. Each corresponding website is thereby assisted in deciding whether to allow a proposed transaction to be concluded with the particular user and their device.
Description
- 1. Field of the Invention
- The present invention relates to user authentication systems for webservers, and more particularly to webserver processes to provoke logged-in user devices to volunteer enriched device-identifying data sufficient to track and authenticate authorized users.
- 2. Background
- Up until recently all that has been required of a fraudster to spoof a commercial website into completing a card-not-present retail transaction is to have a few stolen user account details. These could even be provided anonymously. Controlling the resulting loses has proven to be very difficult and expensive.
- The most cost effective way to deal with fraud is to stop it in real-time before it has a chance to be completed. Once completed, detecting and recovering from the fraud has always been very inefficient.
- The world is not so small as it once was where we all knew each other on sight and understood through past experience who could be trusted. In nineteenth century America, households universally ran tabs at the corner grocery store and paid the tabs at the end of the month. Nobody ever required credentials to be presented, you were recognized immediately. Today, we very rarely have retail situations where the merchants and customers know each other. On-line transactions are even worse, they provide automatic anonymity and quick, easy escape.
- It seems obvious that collecting personal information from the users would be a good way to authenticate each user so the details could then be used as keys to authorize subsequent transactions. But very strong political groups have pushed back and prevented authentication technologies that would collect and use personally identifiable information (PII). In some jurisdictions, laws have been enacted to make the technology illegal.
- So in a less-than perfect fallback technology, remote users are being authenticated over a network connection with a webserver by reading the electronic signatures of personal trusted devices and the recognizable ways users use the to navigate webpages. But conventional methods have failed to uniquely identify users by their devices sufficient to enable tracking and authentication.
- Although there are a billion different users and devices possible, there are trillions of different ways the individual user devices can be configured and ways the users themselves behave. Given that enough descriptors can be collected, it would be possible to uniquely identify each user and their devices with very high confidence. Certainly enough to take away a large part of the risk away from on-line transactional fraud.
- ThreatMetrix, Inc. (San Jose, Calif.) markets their TrustDefender™ Mobile security product and describes it as a context-based authentication and fraud protection process for mobile devices. A Whitepaper published online by ThreatMetrix says its Mobile Device Analytics technology uses two ways to uniquely fingerprint mobile and PC user devices to detect cybercriminals and authenticate returning customers. An Exact-ID provides positive identification and context-based authentication based on cookies and multiple device identifiers across PCs and mobile devices. A Smart-ID provides cookie-less device identification using dynamic attribute matching based on from network packet and browser fingerprints instead of static fingerprint matching. The Smart-ID technology uses a machine learning approach that takes into account per-customer and global device profile patterns to generate reliable device identifiers with confidence. In contrast to fingerprint methods that are effectively static, Smart-ID is said to provide adaptive, cookie-less identification that is tolerant to incremental and non-linear changes.
- Both Technologies are claimed to be globally unique. Each are generated in real-time based on data collected for that transaction. The data collected is matched against “billions” of device profiles stored in the so-called “ThreatMetrix Global Trust Intelligence Network.” Such is used to identify both trusted users and known high risk attackers. It cross-correlates hardware, operating systems, applications, internet protocols and location-centric factors in a multi-factor authentication for spoof detection.
- The device attributes in mobile devices are described in the WhitePaper as being different than those in laptop/desktops, so different techniques and algorithms are needed to profile mobile-specific data. The mobile device attributes that can be collected include IMEI data, carrier information, protocol information, SIM card-related information, mobile device attributes, mobile device configuration related information, and other supported mobile device identifiers. GPS coordinate data can be used in authentications, but only if the user has granted the applicable permissions.
- Operating system, application, browser and network packet behavior, and other forensics are used by ThreatMetrix to detect malicious threats associated with transactions. Packet headers and their changes in state over time are analyzed to determine if the source is malicious or not. Hidden risks are detected by examining anonymous packet header data each time the a user requests a webpage. This can help determine whether the originating device is being masked or tunneled by anonymous or hidden proxies or subject man-in-the-middle attacks.
- Various conventional techniques are described in the WhitePaper to detect threats. E.g., Detection of VPN use; Detection of out-of-country satellite; dialup or mobile broadband connections; Proxy piercing to detect true IP address and true geolocation data; Detection of mismatch between operating system information detected by the browser and operating system information reported by packet information; and, Detection of device anomalies that suggest a jail-broken device or a transaction spoofing mobile device properties.
- ThreatMetrix describes using webpage fingerprinting to detect changes to webpages by malware or Man-In-the-Middle and Man-In-the-Browser attacks. Such whitelisting technology is said not to depend on traditional malware signature matching. Attempts by malware to modify the webpage by introducing any new elements or JavaScript is instantly recognized. When combined with other packet and browser based indicators, ThreatMetrix claims to provide high confidence scoring of malware on the PC or mobile device.
- Context data is used for analysis and risk scoring, as well as for building a personal-ID that represents a digital fingerprint of a user. Transaction data describes how a given user interacts and behaves, and provides an additional context to square historic behavior with a current action.
- ThreatMetrix customers are asked to forward hundreds of user device attributes they have access to when a user logs onto their webpages. These user device attributes represent digital fingerprints of users and are forwarded in real-time to the “global network.” The information is typically encrypted using private keys. The ThreatMetrix global network server works to identify returning customers and computes a baseline for good behavior.
- U.S. Pat. No. 8,141,148, titled, Method and System for Tracking Machines on a Network Using Fuzzy GUID Technology, describes cookie-less device identification and global device recognition. It claims to be impervious to cookie deletion and copying. The technology is described as being included in the ThreatMetrix SmartID™, which uses device fingerprint attributes to assess online transaction risks.
- U.S. Pat. No. 8,176,178, titled, Method for Tracking Machines on a Network Using Multivariable Fingerprinting of Passively Available Information, describes a device recognition risk-assessment method to detect cybercriminals who use proxies and VPNs. It looks into historical information related to user devices. This can help understand the true geo-locations of user devices and thereby improve the detection of cybercriminals.
- Conventional, Boolean Logic sorts information into black/white, yes/no, true/false, and day/night binaries. Fuzzy Logic allows for a middle ground, it allows for shades of gray, the partially true and partially false that make up much of day-to-day human reasoning.
- Fuzzy Logic is a superset of conventional logic that has been extended to include truth values between “completely true” and “completely false”. Fuzzy Logic alone is not capable of recognizing an individual device. The main benefit of using Fuzzy Logic is it allows a confidence score between zero and one to be computed, as opposed to take it or leave it binary results of just true or false. Individual elements can then belong to two different fuzzy sets, not just one set as in classical logic.
- Device identifications based on fuzzy logic, business rules, statistics, or neural networks can only be taken so far. The calculation of device ID's is unfortunately limited by the facts that can be extracted from the available browser, operating system, JavaScript version, language employed, plugins installed, font choices, IP-address, geo-location, screen resolution settings, HTTP header, and connecting user agent information. These data provide over a hundred points that can be used to search for comparables in its exiting records that were fashioned from previous website visits.
- Conventional techniques try to compare devices in each new connection to those encountered before and characterized in its database of records. For example, using a set of rules and/or probabilities and or neural networks and or fuzzy logic to provide a score between [0, 1] to identify the device.
- These simple techniques can only work if the device parameters do not change too much since the last visit and are relatively stable. Such simple technology can be challenged and fail if called on to recognize devices which have been refreshed into obscurity by device updates and upgrades.
- Briefly, a real-time fraud prevention embodiment of the present invention enables merchants and other commercial organizations on-line to assess and protect themselves from high-risk users. A centralized database is used to build and store dossiers of user devices and behaviors collected from numerous subscriber websites in real-time. Real, low-risk users have webpage click navigation behaviors that are very different than those of fraudsters. Individual user devices can be distinguished from a billion others by the hundreds of points of user-device configuration data each independently maintains. The user devices are persuaded into volunteering these configuration data when visiting respective webpages at independent websites. The collection of comprehensive dossiers of user devices are organized by their identifying behavior and device-ID information, and both are used to calculate a fraud score in real-time. Each corresponding website is thereby assisted in deciding whether to allow a proposed transaction to be concluded with the particular user and their device.
- The above and still further objects, features, and advantages of the present invention will become apparent upon consideration of the following detailed description of specific embodiments thereof, especially when taken in conjunction with the accompanying drawings.
-
FIG. 1 is functional block diagram of a network-based system embodiment of the present invention for controlling commercial fraud in electronic commerce. The three websites shown represent what can be millions of independent websites on the Internet, and the three user devices represent billions of unrelated and independent user devices of all types that could be employed by a user to access any of the websites; -
FIG. 2 is a flowchart diagram of a top level computer process useful in the system ofFIG. 1 ; -
FIG. 3 is a schematic diagram representing the four layers of activity that occur in the systems ofFIGS. 1 and 2 ; -
FIG. 4A is a functional block diagram of the endpoint layer ofFIG. 3 ; -
FIG. 4B is a functional block diagram of the profiling layer ofFIG. 3 ; -
FIG. 4C is a functional block diagram of the analytical layer ofFIG. 3 ; -
FIG. 4D is a functional block diagram of the relational layer ofFIG. 3 ; and -
FIG. 5 is a flowchart diagram of how user device risk levels can be accurately categorized by a five-layer identification process that includes endpoint, navigation, single-channel, multi-channel, and entity link analyses; -
FIG. 6 is a functional block diagram of the development, modeling, and operational aspects of a single-platform risk and compliance embodiment of the present invention; and -
FIG. 7 is a schematic diagram of how a smart agent embodiment of the present invention functions. - Device identifications that use behavioral data to advance over simple device ID techniques will outperform and provide better results and lowered losses due to fraud. Behaviorally enhanced device ID is therefore a critical part of all embodiments of the present invention. It recognizes individual users will use their tools in repeatable, recognizable ways no matter what devices they are using at the moment.
- It is important for merchant companies to constantly evolve their systems to stay in tune with developing standards, rapid technological changes, and keep up with ever more sophisticated and capable fraudsters trying to break in and abuse their systems.
- Very few single dimension device ID technologies are effective in being able to uniquely recognize devices when the legitimate devices themselves are changing daily. Multi-layer, multi-dimensional fraud device identification is required now in a world where ever-more clever thieves and surprising new malware behaviors pop up daily.
- In general, multi-layer behavioral device identifications can be had by combining multi-agent technology with case-based reasoning, real-time profiling, and long-term profiling. Multi-layer behavioral device identifications can guarantee correct device identifications even when many changes and updates have occurred on the devices. Better device identifications mean e-commerce can be safer and more secure for everyone.
- Smart-agents are used in the embodiments of the present invention to create a virtual agent for each user device. Each such virtual agent is configured to observe and learn the behavior of its host user device over time to create a device profile. The ways the user device is used, the frequency of its use, the types of actions taken, e.g., during the last minute, ten minutes, over days/weeks/years are all intelligently aggregated into a profile of what's normal for this user.
-
FIG. 1 represents a network-basedsystem 100 for controlling commercial fraud in retail electronic commerce.System 100 revolves around acentralized server 102 with a user-device dossier database 104. These support several independent and unrelated Internet websites 106-108, each presenting corresponding webpages 110-112. Each such website 106-108 sends activity reports 114-116 to thecentralized server 102 in real-time over the network as many independent and unrelated users visit and click through webpages 110-112. - What could be thousands, or even millions of user devices, are represented here in
FIG. 1 as user devices 120-122, each have a browser or app 124-126 capable of surfing or visiting webpages 110-112. Each user device 120-122 can freely access any website 106-108, but when they do them and their behaviors become the subject of activity reports 114-116. The user devices themselves include the spectrum of mobile smartphones, tablets, laptops, and desktop computers. - The browsers and apps 124-126 associated with this spectrum vary tremendously, as do their particular configurations, extensions, capabilities, and locations, not to mention a hundred other parameters and characteristics. Each user device will usually be associated, at least temporarily, with a unique Internet IP address that can reveal the geographic location of the user device. These IP addresses can be and often are spoofed by fraudsters.
- Many of these configurations, extensions, capabilities, locations, and other parameters and characteristics are volunteered by or can be queried from browsers and apps 124-126 and collected by websites 106-108.
-
FIG. 2 represents anetwork server method 200 for protecting websites from fraudsters.Method 200 includes astep 202 for accumulating and maintaining a database of comprehensive dossiers of user device identities. These identifying characteristics are fetched in astep 204 from activity reports about user-device visits to webpages as they are volunteered by the reporting websites. The assemblage and organization of user device identifying characteristics can be carried on over a period of time that can span months or even years. Astep 206 tries to match each newly presenting user device 120-122 (FIG. 1 ) currently visiting a website 106-108 by its identifying characteristics to a particular user device identity dossier already in thedatabase 104. - If a match is found in a
step 208, any previous experiences with the particular user device by this or other included websites is included in a first part calculation of a fraud score. Such first part of the score is computed in astep 210. Otherwise, astep 212 builds and adds a new file to be inserted thedatabase 104 for future use. - A
step 214 analyzes a sequence of webpage click navigation behaviors of each corresponding user device then being employed to visit a particular webpage and website. A real person with a real purpose will navigate around and between webpages in a particular way. Fraudsters and automated crawlers behave very differently. Astep 216 calculates a final or only part of the fraud score in real-time. Astep 218 is configured as an output which useful to assist each website in determining whether to allow a proposed transaction to be concluded by a particular user device. For example, a good score predetermined to be acceptable would trigger an approval of a user transaction. A marginal score could be used to signal a call should be made, or investigated further. A poor score would issue an outright denial. A red-flag score could be used to alert law enforcement. - Whenever a particular user device 120-122 cannot be matched to any particular dossier file in the database, a new dossier file is opened up for such user device according to the user device identification parameters then obtained. The determination of a fraud score is necessarily limited to what can be surmised by analyzing the sequences of webpage click navigation behaviors that occurred. This limitation is reflected in the fraud score.
- An endpoint client can be embedded in a webpage presented on a website and configured to provoke a browser 124-126 in a user device 120-122 to report back user device information, capabilities, extensions, add-ons, configurations, user device locations, and other data which are useful to sort through and contribute to corresponding user device dossier files maintained in the
database 104. For example, FLASH PLAYER video, ACTIVEX, and JAVASCRIPT objects embedded in webpages 110-112 all naturally provoke a lot of useful identifying and characterizing information to be reported back from plug-ins and extensions already present each user device 120-122. - For example, JavaScript can be used to check various non-universal physical attributes of a particular user device, including its operating system, CPU architecture, video card, screen size, and other items that fluctuate widely in the real-world population. The data that can usually be obtained by JavaScript includes, user agent, Screen resolution, user language, time zone offset, graphics processing unit (GPU) information, list of specific fonts availability, list of plugins, list of MimeTypes, availability of cookies, availability of HTML5 properties and methods, attributes specific to the browser, etc.
- If an innocuously small Flash video is included in the webpages, its normal protocols can be appropriated to provide extra information made available to the Flash player, e.g., information describing audio/video codecs, printers, touchscreens, and other peripherals. The physical location of a user device can be discerned from its IP address using a geo-location database to get the city, latitude, and longitude. Overall, two hundred fields can be gathered together and used to identify a single user device 120-122 with high degree confidence.
- A mobile endpoint client is similar to the endpoint clients used for personal computers. It may not always be possible to gather identifying user device information with a browser. So mobile endpoint clients are constructed from small libraries of Java (for Android) or Objective C (for iOS) and included in a downloadable app. Once installed, the app is empowered to request a device ID from the mobile client. It is configured to gather user device information in the background and send it to
server 102 for recognition and identification. - An unnoticeable web browser is launched in the background to gather data from various browser-specific fields. Running now as an application, all the system calls become available. These system calls can be used to retrieve the peculiar mobile user device's physical properties, e.g., the iOS/Android version, the size and resolution of the screen, the capabilities of the touchscreen, etc. The user's settings can also be accessed, as well as a list of all the apps then installed on this particular user device. All this information is useful in
database 104 to characterize and distinguish the particular user device 120-122 from a million others. - Using IP addresses for geo-location is not entirely satisfactory, these can vary as a user moves around from one cell tower to the next or between WiFi routers. It's better to use the built-in GPS app if available. Most smartphones now include these in their standard kit.
- A centralizing of the collecting and maintaining of a database of comprehensive dossiers of user device ID's allows for a much larger population to be obtained from countless user-device visits to numerous webpages maintained by many unrelated websites. The otherwise independent and unrelated websites each forward user device activity reports in real-time as they occur to a single
centralized server 102 that solely controls and maintainsdatabase 104. Fraud scores are reported back to the corresponding websites, e.g., over the Internet. Such service can be by paid subscription. Embodiments of the present invention would be useful in commercial payment systems, peer-to-peer money transactions, physical access controls to buildings and other facilities, communication-command-control applications, and in sensitive document control. - In general, embodiments of the present invention protect websites from fraudsters by analyzing webpage click navigation behaviors each of device visiting their webpages, and by collecting and maintaining comprehensive dossiers of device ID's, and by producing a fraud score in real-time to assist the website in deciding whether to allow a proposed transaction to be concluded.
- In the abstract, embodiments of the present invention involve four layers of functionality: endpoint, profile, analytical, and relational. These are represented in
FIG. 3 . - In regard to an
endpoint layer 301, whenever a user visits a customer's web site, an endpoint client is embedded in the webpage. The endpoint client is a lightweight collection of JavaScript, Flash, and other code. As a user scrolls through the webpage, the endpoint client runs in the background to gather all available information, and sends the collection back to a decision engine for identification. - A
profiling layer 302 maintains a unique profile for each user device without hindering the user's browsing or overburdening the customer's server. Whenever a user clicks a link, the customer's server sends a brief message to the server containing the user's current IP address and the page ID. If device information from that IP has been recently received, it updates the corresponding device profile and saves it to a user device permanent history. If that IP hasn't been heard from recently, the event is temporarily saved pending a user device ID. - An
analytical layer 303 runs in real-time whenever a device profile has been updated. After loading a user device profile from the database, the server updates its derived attributes and velocity counters. A series of clicks is interpreted to understand the user actions, such as viewing customer reviews and searching for products. The updated profile is sent to be scored in real-time. This scoring is based on an empirically developed fraud model, which uses business rules, neural networks, data mining, and other technologies to predict a user's future behavior. - A
fourth layer 304 is the relational system, case-based reasoning is used to identify families and clusters of devices. Tests are made to see if any families can be discerned that are related by physical location, device attributes, or historical behavior. The relational layer deals with clusters of devices instead of one user device at a time. The trustworthiness of user devices can be modified based on similar user devices, especially if they appear to be on the same network, or interrelated in other ways. -
FIG. 4A represents anendpoint layer 400 in greater detail. Whenever apersonal computer user 402 visits a customer'sweb site 404 hosted by a customer'sserver 406, anendpoint client 408 embedded in awebpage 410 is included in any payload downloaded. Theendpoint client 408 is configured to be an harmless collection of code that will trigger a volunteering of the user device's configuration andpreferences 412. As theendpoint client 408 runs in the background, it gathers the information freed up into a collection reported back to a decision engine, oriSecure server 414 for user device identification by dossier matching. For example, a user agent is a string sent by browsers with each request. Each are associated with a unique browser, operating system, and version, so the various properties of the user device can be deduced. For example, WebGL graphics libraries can be employed to see what kinds of pipelines, shaders, and rendering modes a graphics card in a user device supports. -
FIG. 4B represents aprofiling layer 420, like 302 inFIG. 3 , that maintains aunique profile 422 for each user device.Customer server 406 sends event messages to aniSecure server 414 enclosing the user's current IP address and the page ID. If device information from that same IP address has been recently received, thecorresponding device profile 422 is updated and saved it to a user device permanent history in a database 424 (e.g.,database 104,FIG. 1 ). If that IP hasn't been heard from recently, the event is temporarily saved pending further work to provide a user device identification. -
FIG. 4C represents ananalytical layer 440 in greater detail than 303 inFIG. 3 .Analytical layer 440 runs in real-time whenever adevice profile 422 has been updated. After loading auser device profile 422 from user device database, the server updates its derived attributes and velocity counters. A series of clicks is interpreted to understand the user actions, such as looking at customer reviews and searching for products. An updatedprofile 442 is sent to be scored in real-time by aniPrevent server 444. Such scoring is based on an empirically developedfraud model 446, which uses business rules, neural networks, data mining, and other technologies to predict a user's future behavior. - A Velocity Analyzer is used to build files that keep track of card/check/account/merchant usage and more. For example, if a payment card suddenly begins to rack up an unusually large number of transactions, the acquirer or the issuer may send a “call me” message to the merchant. Such tools are able to detect skimming and other fraud collisions.
- Several aspects of card use behavior can be quite telling when fraud is afoot. The next Table lists some of the more import things for financial institutions to monitor.
-
1. Product purchasing patterns 2. Suspicious change in card activities 3. number of transactions over a window of time 4. payment methods history, typical purchasing 5. patterns at the merchant's site 6. e-mail address activity 7. Ship-to/bill-to activity 8. Refund Watch, Manual T-Log 9. Excessive Cash Back 10. Decline Analyzer 11. Excessive Failed Pre-Authorizations 12. Unattended and attended Transactions 13. Many others attributes and parameters -
FIG. 4D represents arelational system 460, in more detail than 304 inFIG. 3 . It uses case-based reasoning to identify families and clusters ofdevices 462. Tests are made to see if anyfamilies 462 can be discerned that are related byphysical location 464, device attributes 466, orhistorical behavior 468. The relational layer deals with clusters of devices instead of one user device at a time. The trustworthiness of user devices can be modified based on similar user devices, especially if they appear to be on the same network, or interrelated in other ways. - Some of the functions described here can be purchased as libraries or modules and added to a custom system. iPrevent™ is a commercial product of Brighterion, Inc. (San Francisco, Calif.) useful to compare possible matches from database 104 (
FIG. 1 ) to either find a matching user device dossier or create a new user device dossier. iVelocity™ is a commercial product of Brighterion suitable for analyzing user clickstreams. These clickstreams result from visits to webpages on websites, and are analyzed to detect normal or abnormal behaviors. -
FIG. 5 represents how user device risk levels can be accurately classified and categorized by a five-layer identification process 500 that includesendpoint 501,navigation 502, single-channel 503, multi-channel 504, and entity link 505 analyses. Thefirst classification layer 501 is endpoint-centric, it identifies users by their behaviors and by the attribute signatures of their particular devices. Such attribute signatures can be extracted their browsers and used in the identification. - An endpoint client is embedded in a web page provided by a website server so it can be carried back to the user device by its browser and run in background to gather data. When the data collection is completed, the endpoint client automatically delivers the collected data up to the website server for immediate use in identifying this user device.
- Smart-agent technology, data-mining, a decision tree, and case-based reasoning are all used to find candidate matches in a large, server-side database. Such will either find a matching device or the collected data will be used to create a new device dossier. If the user device was recognized, the data fields in its dossier are updated as needed.
- Mobile devices have a variety of ID's built-in, some incidentally and others unintended. For example, the Android ID is randomly generated and will persist across phone resets. The SIM cards used universally by mobile providers in their phones provide unique identifiers, but these cards can be freely removed and plugged into another phone by any user. There are other inherent ID's that are less reliable for our purposes, but these nevertheless can be helpful to build confidence.
- The navigation-centric layer is the second layer mentioned. It is used to track session activities and do a clickstream analysis in real-time. The user's clickstream behaviors are compared to previously observed patterns of normal, suspect, abnormal, and malware attack activities for this particular user and the population in general. Smart-Agents are used in these categorizations.
- Clickstreams are the navigation pathways users follow through web pages and can be tracked by the webpage servers. The order of the pages a user views can be and which pages they visit can be quite telling and uncover their true motivations in the visit. An important conclusion can be made as to whether this is a real customer legitimately engaged in shopping or a fraudster bouncing around looking for a point of entry. Once the current user has been identified, a record of their navigation clicks is constructed and used in a behavior study to build a confidence score.
- One way to follow a user's path through a web site is to look first at the Referrer header for each page, e.g., to see where they came from. It can be informative to know if they arrived here from a search engine, from a competitor, from another one of the server's pages, or if they just typed the URL straight into their browser.
- A “site depth” is assigned to each web page to represent how far or how many clicks away it is from the home page. These statistics can be used to see if the visitor is convincingly browsing around and up/down a product tree like a real user would.
- Velocity counters track how fast a visitor is moving around in several dimensions, such as their reputed location, times of day, clickstreams, items added to carts, number and length of browsing sessions, click rates and quantities, category changes, reviews read, etc. For example, if a review is read for a product before buying it. Another important visitor attribute to recognize is the number of category changes they make as they navigate. Typical users usually have a single product goal in mind, they don't bounce randomly between categories nor shop for two or more items simultaneously.
- Suspicious browsing patterns are often generated by automated site-crawling scripts. Long-term profiling counters are useful to track the number of different products users have viewed or purchased in each category. The average prices and numbers of items per order are also useful points to remember. Big ticket buyers don't randomly drop from the sky unannounced. Tracking what cities and countries a user logs in from, and what local times of day they have been active can be used to distinguish legitimate users. A lot of fraud is generated from Eastern Europe, Asia, and Africa, and so those sources deserve extra scrutiny and wariness.
- Any new behavior raises a red-flag and can be used to match the historical actions on file. If a legitimate user were to leave their account logged in and a stranger sat down, or if an account is stolen with fraud or malware, the new behavior outside historical actions would be an early warning of fraud.
- The third layer, is account-centric for a specific channel, such as online sales. It monitors transactions, creates profiles associated with each user device and analyzes real-time behavior. A combination of technologies are employed, e.g., smart-agent, real-time profiling, geo-profiling, recursive profiling, long-term profiling, neural networks, data mining, data quality engine, fuzzy logic, business rules, and case-based reasoning.
- The fourth layer is device-centric, with behavioral perspectives taken across multiple channels of user device contact with independent merchant servers. The device-centric layer correlates alerts and activities for each device/user obtained from more than one channel.
- Layer five includes entity link analysis, it searches for relationships among the devices they encounter and the channels they employ. The entity link analysis layer inspects users and machines in an effort designed to detect organized criminal activities and misuse. For example, all devices of a device or type should be or could expected to be similarly affected by WINDOWS, ANDROID, or iOS system updates, patches, and new versions that occur in public and more or less around the same time. These broad transformations in the population can be used in the scoring of changes as normal/abnormal when identifying a particular user device.
- Each of the five layers 501-505 can by implemented with Smart-Agents that interact and negotiate with each other in order to reach their individual and collective goals. Algorithmic systems are very different and produce less reliable results in fraud risk assessments. Smart-Agents determine how to find a solution by providing each agent with goal information, e.g., situations that are desirable or undesirable.
- Smart-Agents solve problems without needing extensive programming or sets of specific rules to be predefined that make for inflexibilities common to neural networks and genetic programming. Smart-Agents are able to effectuate runtime changes and adapt as needed.
- Algorithmic programs follow successive operations applied in a fixed order. Algorithms enable computers to repeat long suites of logical operations tirelessly and accurately, which is great if the algorithm is fundamentally correct. Algorithmic programs are not equipped to take any initiative, and cannot stray even a little bit from each fixed line of code. It falls on the programmer to dictate, and spell out a precise succession of acts that the machine should follow. Often, there are just too many variables to code and too many decisions that can each be wrong. Business problems requiring even a minimum amount of reasoning are impossible to transcribe into algorithmic forms. Business decisions often require complex integration efforts involving large numbers of dynamic variables. And, having an algorithm available doesn't guarantee its practicality. Modest complexities can make it unwieldy.
- Neural networks are not much better, they need to be trained, and many samples are needed in order to have a satisfactory result. Object-oriented languages require one to foresee, know, and program all the possible methods.
- Smart-Agents can get past algorithmic limitations, and it is possible to design applications for them even when a suitable algorithm is unknown. Smart-Agents can adapt as the data they process changes. Each Smart-Agent is instructed to recognize information that favors the goals and is therefore “good”, and information that disfavors the goals and is therefore “bad”. Such instructions enable each Smart-Agent to automatically and autonomously make the “right” decision. This right-decision is referred to as the “THEN STATEMENT”, as in a classic IF-THEN programming statement. An optimum THEN STATEMENT is relatively easy for a programmer to coin and get right.
- The intelligence in the program springs from what the programmer embeds in each THEN STATEMENT. Smart-Agents can exist in a community of agents collected together to share a particular expertise, mimicking human society as they do. Smart-Agents can simulate human reasoning. Each Smart-Agent is able to operate independently according to its assigned functions, goals, representations of their environments, their runtime observations, acquired knowledge and interactions with other Smart-Agents. Systems of Smart-Agents marshal together many autonomous agents to interact and negotiate with one another.
- An application's overall solution builds from the interactions as each Smart-Agent moves toward their respective goals.
- Collections of Smart-Agents will appear to interact and negotiate to resolve complex and unpredictable problems, without any procedural programming or definition of rules. Each Smart-Agent is independent of the others, since each one of them only affects the others by the fact that they are in favor or disfavor of a specific goal. Smart-Agents are reusable in other applications.
- Goal-satisfaction mechanisms direct Smart-Agents to accept or reject one incoming message over another. Every message is evaluated in terms of its being in favor of, in disfavor with, or neutral to reaching of a goal. For example, a private goal, a sending agent's goal, an organization's goal, or a system's goal. The Smart-Agents depend on each goal's opinion with respect to the current situation, the goal justifies the means. Smart-Agents can refuse messages, because they can charge messages as being favorable, unfavorable or neutral.
- A bottom-line in fraud prevention systems is to decide how a particular transaction should be categorized. Every transaction is accepted by either a bad (fraud) agent or a good (normal) agent.
- Other technologies can be usefully combined with Smart-Agents to produce even better results. Neural networks are a kind of algorithmic system that can interpret historical data and help identify trends and patterns against which to compare subject cases. Neural networks have the remarkable ability to solve problems related to detecting trends and patterns that humans or other computer techniques are unable to solve.
- An Artificial Neural Network (ANN) models the ways in which biological nervous systems process information. The brain, e.g., consists of billions of processors, which process a large number of tasks concurrently. Neurons work collaboratively to solve the defined problem. Neural networks can resemble human reasoning, making them well suited to solve pattern recognition and forecasting problems.
- ANN's have two primary parts, neurons, represented by neural units; and, synapses, connections between the neurons, which send signals from neuron to neuron. Those synapses can be excited (positive weight), or inhibited (negative weight). Most known neural networks have input layers for the agent to receive data from the environment, and output layers for the agent's potential actions. Others (like Back Propagation) have one or more intermediate layers between these two layers. These layers are massively interconnected, as the units on one layer are connected to those in the next layer. Just like the factors that shape a human, the factors that shape a neural network are its environment and its genetic makeup. Both its initial state and its training play a role in the ANN's development. It is through the critical training process that ANN's are taught how to arrive at the correct answer. A well-trained neural network will be more successful than a poorly trained neural network. The training refers to its environment and the experiences and samples that help shape it. The more samples and experience a neural network receives has a direct correlation with its likelihood of its success.
- Case-based reasoning (CBR) can use past experiences or cases to solve new problems. Each “case” is translated into a list of steps to lead to a desirable outcome. The cases are stored and organized in a database, and used as an index for similar situations later. Solutions to complex problems can be found very quickly and accurately this way.
- Being able to retrieve and manipulate past problem-solving examples accurately is important. Case-based systems search their case memories for an existing cases that match the input “specifications”. As new cases are solved, the solutions are added to the case memory. Such will continue to grow the database of cases solved and increase the likelihood of success.
- The goal is to find a case that matches the input problem and that proceeds directly to a solution. Thus making it possible to provide solutions to potentially complex problems quickly. If, on the other hand, an exact match cannot be found, the case-based system look for a similar one to the input situation, and then offer it as a potential solution.
- How the system learns is when a nonperfect match is found that nevertheless solves the problem, the case is added to the systems case memory for future use. Each case is a recipe of steps that will lead to a particular outcome. A case is a connected set of subcases that form the problem-solving task's structure.
- One of the key differences between rule-based and case-based knowledge engineering is that automatic case-indexing techniques drastically reduce the need to extract and structure specific rule-like knowledge from an expert. CBR systems retrieve relevant cases quickly and accurately from its memory. When a case should be selected for retrieval in similar future situations is the goal of case-indexing processes. As cases accumulate, case generalizations can be used to define prototypical cases that can be stored with the specific cases, improving the accuracy of the system in the long run.
- The inductive-indexing capabilities in CBR systems provide several major advantages over neural networks and pattern-recognition techniques. Inductive systems can represent and learn from a wider range of feature types than either neural networks or pattern recognition. The ability to use richer feature sets for describing examples makes them at least as accurate and many time more precise. Case-Based Reasoning solves complex problems like planning, scheduling, and design by finding a similar, successful past plan, schedule, or design, and modifying it to meet the current problem's needs.
- Another technology that can be added in a combinational approach is Fuzzy Logic. Fuzzy logic is able to account for areas that are not clearly defined. The logic can be extended to handle partial truths in situations where the answer lies somewhere in between what is true and what is false. Many of the big problems in organizations cannot be solved by simple yes/no or black/white programming answers. Sometimes answers come in shades of gray, where fuzzy logic proves useful. Fuzzy logic handles imprecision or uncertainty by attaching various measures of credibility to propositions. Fuzzy technology enables clear definition of problems where imperfect or partial knowledge exists, such as when the goal is “about 12 years old” or between “all” and “nothing”. Traditional and classical logic typically categorize information into binary patterns such as: black/white, yes/no, true/false, or day/night.
- The power of fuzzy logic is exponential when it is combined with other technologies like genetic algorithms, neural networks, and business rules. Many of the big problems in organizations cannot be solved by simple yes/no or black/white programming answers. Sometimes answers come in shades of gray, this is where fuzzy logic proves useful. Fuzzy logic handles imprecision or uncertainty by attaching various measures of credibility to propositions.
- Genetic algorithms are able to address complicated problems with many variables and a large number of possible outcomes, by simulating the evolutionary process of “survival of the fittest” to reach a defined goal. They operate by generating many random answers to a problem, eliminating the worst and cross-pollinating the better answers. Repeating this elimination and regeneration process gradually improves the quality of the answers to an optimal or near-optimal condition. In computing terms, a genetic algorithm is a population of individuals represented by chromosomes, a set of character strings.
- Genetic algorithms include three stages: building and maintaining a population of solutions to a problem, choosing the better solutions for recombination with each other, and using their offspring to replace poorer solutions. Each stage produces a new generation of possible solutions for a given problem.
- In the first stage, an initial population of potential solutions is created as a starting point for the search process, each element of the population is encoded into a string (the chromosome), to be manipulated by the genetic operators. In the next stage, the performance (or fitness) of each individual of the population is evaluated with respect to the constraints imposed by the problem. Each individual of a population represents a possible solution to a given problem. Each individual is assigned a “fitness score” according to how good a solution to the problem it is. A potential solution to a problem may be represented as a set of parameters.
- Business Rules, or Expert Systems are the most widely used commercial applications developed using artificial intelligence (AI). Many use expert systems to solve business problems. Expert systems model information at a higher level of abstraction. When these systems are implemented well they closely resemble human logic and become more reliable and easier to maintain. The goal is for the expert system to apply heuristic knowledge to give advice or make recommendations just like a human expert. Rules are used to represent a rule-of-thumb to specify a group of actions performed for a given situation. Rules are composed of if-then statements that comprise the necessary solution. An inference engine automatically matches facts against patterns and automatically determines which rules are applicable. This process of selecting rules against historical patterns will continue to repeat itself until no applicable rules remain. It is critical that the knowledge source is reliable, because the system is only as good the knowledge assimilated into the rules. One of the most difficult tasks in developing an expert system is extracting the knowledge from an expert so the rules can be written. The most widely known algorithms for compiling rules are RETE and TREAT.
- Data mining, or knowledge discovery, in databases is the nontrivial extraction of implicit, previously unknown and potentially useful information from data. It is the search for relationships and global patterns that exist in large databases but are hidden among the vast amount of data. Using particular classifications, association rules and analyzing sequences; data is extracted, analyzed and presented graphically. Data mining, or knowledge discovery in databases is the nontrivial extraction of implicit, previously unknown and potentially useful information from data. It is the search for relationships and global patterns that exist in large databases but are hidden among the vast amount of data. Using particular classifications, association rules and analyzing sequences, data is extracted, analyzed and presented graphically.
- Data mining algorithms always requires a number of different technical approaches to address data cleaning, sampling, clustering, learning classification rules, analyzing changes and detecting anomalies.
- Descriptive Statistics is the process of obtaining meaningful information from sets of numbers that are often too large to deal with directly. While it is often impossible to calculate scores for all models when searching a large model space, it is often feasible to describe and calculate scores for a few equivalent classes of models receiving the highest scores. Prediction methods for this sort of problem always assume some regularity in the probability distribution.
- Real-time profiling keeps track of activities over time-windows spanning seconds, minutes, hours, days, months or even years. These profiles can highlight suspicious changes in device activities, by looking at the number of transactions from a device over a window of time, histories of payment methods, typical purchasing from the device, patterns and clickstreams of the device at the merchant's site, e-mail address activity from the device, ship-to and bill-to activity, etc.
- Single channels and single merchants, even large ones, don't usually generate enough device contact for rich dossiers to be collected. A centralized web-service that was provided device ID collections from all channels, and all merchants, and all acquirers would stand a much better chance of being able to reliably identify and authenticate every possible user that could attempt a transaction or log-on. Embodiments of the present invention therefore include centralized web-services and webservers that sell their authentication services to the public.
-
FIG. 6 represents the development, modeling, and operational aspects of a single-platform risk and compliance embodiment of the present invention. It represents an example of how user device identification and profiling is allied with accountholder profiling and merchant profiling to provide a three-dimensional examination of the behaviors in the penumbra of every transaction and authorization request. The development and modeling aspects are referred to herein by thegeneral reference numeral 600. The operational aspects are referred to herein by thegeneral reference numeral 600. In other words, compile-time and run-tine. - The intended customers of embodiments of the present invention are financial institutions who suffer attempts by fraudsters at payment transaction fraud and need fully automated real-time protection. Such customers provide the
full database dossiers 604 that they keep on their authorized merchants, the user devices employed by their accountholders, and historical transaction data. Such data is required to be accommodated in any format, volume, or source by an application development system and compiler (ADSC) 606.ADSC 606 assists expert programmers to use a dozen artificial intelligence andclassification technologies 608 they incorporate into a variety offraud models 610. This process is more fully described in U.S. patent application Ser. No. 14/514,381, filed Oct. 15, 2014 and titled, ARTIFICIAL INTELLIGENCE FRAUD MANAGEMENT SOLUTION. Such is fully incorporated herein by reference. - One or more
trained fraud models 612 are delivered as a commercial product or service to a single platform risk and compliance server with a real-time scoring engine 614 for real-time multi-layered risk management. In one perspective, trainedmodels 612 can be viewed as efficient and compact distillations ofdatabases 604, e.g., a 1000:1 reduction. These distillations are easier to store, deploy, and afford. - During operation, real-
time scoring engine 614 provides device ID and clickstream analytics, real-time smart agent profiling, link analysis and peer comparison for merchant/internal fraud detection, real-time cross-channel fraud prevention, real-time data breach detection and identification device ID and clickstream profiling for network/device protection. - A real-time smart
agent profiling engine 616 receives behavioral digests of thelatest transactions 618 and uses them to update three populations of profiles 620-622. Specifically, a population of card profiles 620, a population ofmerchant profiles 621, and a population ofdevice profiles 622 all originally generated byADSC 606 and included in the trainedmodels 612. These are all randomly and individually consulted in real-time by smartagent profiling engine 616 to understand what is “normal” for a particular card, merchant, and user device. - Real-time smart
agent profiling engine 616 accepts customer transaction data and scores each line. Such scores are in accordance with business rules provided by a business rules management system (BRMS) 624 and anyadaptive updates 626 needed to the original set ofmodels 610 produced by artificial intelligence technologies andclassifiers 608. A web-basedcase management system 628 uses false positives and false negatives to tighten upmodels 610. These are periodically used to remotely updatemodels 612. -
FIG. 7 represents asmart agent process 700 in an embodiment of the present invention. For example, these would include a smart agent population build and profiles, and smart agents and profiles. A series of payment card transactions (or user device parameters) arriving in real-time in an authorization request message is represented here by a random instantaneous incoming real-time transaction record 702. -
Such record 702 begins with anaccount number 704. It includes attributes A1-A9 numbered 705-713 here. These attributes, in the context of a payment card fraud application would include data points for card type, transaction type, merchant name, merchant category code (MCC), transaction amount, time of transaction, time of processing, etc. In the context of user device authentication the parameters would include attributes for browser type, device manufacturer, user preferences, software revision, monitor type, display resolutions, etc. -
Account number 704 inrecord 702 will issue atrigger 716 to a correspondingsmart agent 720 to present itself for action.Smart agent 720 is simply a constitution of its attributes, again A1-A9 and numbered 721-729 inFIG. 7 . These attributes A1-A9 721-729 are merely pointers to attribute smart agents. Two of these, one for A1 and one for A2, are represented inFIG. 7 . Here, an A1smart agent 730 and an A2 smart agent 740. These are respectively called into action bytriggers 732 and 742. - A1
smart agent 730 and A2 smart agent 740 will respectively fetch correspondent attributes 705 and 706 from incoming real-time transaction record 702. Smart agents for A3-A9 make similar fetches to themselves in parallel. They are not shown here to reduce the clutter forFIG. 7 that would otherwise result. - Each attribute smart agent like 730 and 740 will include or access a corresponding
profile data point - Each attribute smart agent like 730 and 740 will further include a
comparator time transaction record 702 for account number x with the same attributes held by the profiles for the same account.Comparators exception - These exceptions are collected by a smart
agent risk algorithm 750. One deviation or exception thrown on any one attribute being “abnormal” can be tolerated if not too egregious. But two or more should be weighted more than just the simple sum, e.g., (1+1)n=2n instead of simply 1+1=2. The product is output as a smartagent risk assessment 752. This output is the equivalent of an independent and separate vote or fraud score. - Although particular embodiments of the present invention have been described and illustrated, such is not intended to limit the invention. Modifications and changes will no doubt become apparent to those skilled in the art, and it is intended that the invention only be limited by the scope of the appended claims.
Claims (9)
1. A webserver process for identifying, tracking, and authenticating users by the devices they employ in online transactions, and comprising steps of:
inputting user log-on and webpage clickstream navigation information provided by a user device to a web-service over a network connection;
extracting user-device identifying parameters from said log-on and webpage clickstream navigation information for use in recognizing, tracking, and authenticating the devices of individual users;
provoking said user devices to supply even more user-device identifying parameters with webserver messages back to the user devices if needed to recognize, track, and authenticate the devices of said individual users;
cataloging and recording a current sequence of said webpage clickstream navigation information of a particular user device then being employed to browse through a subject webpage and a website maintained by a consumer website server, wherein said webpage clickstream navigation information is presumed to be characteristic of a corresponding particular user;
collecting and maintaining a database of comprehensive dossiers of user device identifications (ID's) obtained from many user-device visits to a variety of webpages maintained by many websites over a period of time;
matching a user device currently visiting a website by identifying characteristics obtainable through a user device browser, and forwarding these over a network to a dossier file already maintained in said database, if possible; and
calculating a fraud score in real-time based on results obtained in the steps of analyzing and collecting; and
configuring the calculation as a signal output useful to assist each consumer website server in determining whether to allow a proposed transaction to be concluded by a particular user computing device.
2. The webserver process of claim 1 , wherein:
if data describing a particular user's computing device cannot be matched by the network server to corresponding data already stored in an existing dossier file in said database, then a new dossier file is opened up in said database to be used later to track activities of such user computing device according to any user device identification parameters then obtainable; and
the step to calculate said fraud score is principally determined according to results obtainable from analyzing said sequence of webpage clickstream behaviors.
3. The webserver process of claim 1 , further comprising software instructions for enabling the network server to:
embed an endpoint client in a webpage presented on a website, and configured to provoke a browser in a user computing device to report back user device information (device ID), capabilities, extensions, add-ons, configurations, and user device locations, and other data useful for a machine to sort through and contribute to corresponding user device dossier files maintained in said database.
4. The webserver process of claim 1 , further comprising software instructions for enabling the network server to:
centralize the collecting and maintaining a database of comprehensive dossiers of user device ID's obtained from many user-device visits to many webpages maintained by many websites over a period of time;
wherein, a number of independent and unrelated websites are each programmed to forward user device activity reports to the network server for its sole control and maintenance of said database.
5. The webserver process of claim 1 , further comprising software instructions for enabling the network server to:
centralize the analyzing a sequence of webpage clickstream behaviors of each user device then being employed to visit particular webpages;
wherein, a number of independent and unrelated websites are each programmed to forward user device activity reports in real-time as they occur to a single centralized server for analyses of said webpage clickstream behaviors.
6. The webserver process of claim 1 , further comprising software instructions for enabling the network server to:
centralize the production of fraud scores in real-time based on results calculated in the steps of analyzing and collecting, and configuring the results as a signal output which useful to assist each website in determining whether to allow a proposed transaction to be concluded by a particular user device;
wherein, a number of independent and unrelated websites are each programmed to forward user device activity reports in real-time as they occur to a single centralized server for its calculation and return of said fraud score.
7. A computer program product for building behavioral device identifications (ID) of user devices visiting websites monitored by a network server, comprising software instructions for enabling the network server to:
extract a clickstream behavior related to the particular paths and order of webpages an individual user follows with a sequence of user clicks;
identify distinctive users according to their past clickstream behaviors and user device configurations and attributes;
record said clickstream behavior and comparing it to previously determined patterns of normal, suspicious, and fraudulent activity;
track session activity and pattern-match said clickstream behavior to normal-suspect-abnormal-malware patterns;
monitor and analyze online transactions according to pre-determined business rules and statistical models, and to update profiles of users and accounts;
correlate alerts and activities; and
search for relationships amongst users and channels;
wherein, a consumer website can be warned with a signal over the network of high risk users in real-time.
8. A network server adapted to provide real-time fraud prevention, comprising a processor, database, and memory including instructions that cause the network server to:
build and store dossiers of user devices and behaviors from user-device configuration data and clickstream behavior descriptors collected from subscriber websites in real-time;
distinguish individual user devices from others with said user-device configuration data;
embed a client agent to compel user devices to volunteer configuration data when a user visits respective webpages at independent websites; and
organize a collection of comprehensive dossiers of user devices by their identifying information, and calculating a fraud score in real-time;
wherein, each corresponding website is assisted with a signal in deciding whether to allow a proposed transaction to be concluded with the particular user and their device.
9. The network server of claim 9 , further comprising instructions that cause the network server to:
run an iSecure client in a sandbox to access information about browser settings, plugins, JavaScript and Flash properties in discovering device attributes field-by-field;
store profiles of user devices in device fields of a database;
compare possible matches from the database to either find a matching device or create a new device record, and if an old device was found, its fields are updated with the new data;
configure an end-point client to comprise a kernel of JavaScript, Flash Player video, and related technologies and to embed it in a webpage viewable by a user;
wherein, the end-point client is configured to run in background and gather data for forwarding to an iSecure server for user identification, and the server uses an iPrevent software service to compare possible matches from its database to either find a matching device or create a new device, if an old device was found, its fields are updated with the new data; and
including a Flash Player video in the endpoint client and configuring it to trigger a report back from the browser on what kind of screen, audio, and video formats a particular user device supports, and to survey the character of each of the peripherals, printers, touch screens, screen readers, and other peripherals this particular Flash Player has access to.
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/517,872 US20150046181A1 (en) | 2014-02-14 | 2014-10-19 | Healthcare fraud protection and management |
US14/517,863 US20150039513A1 (en) | 2014-02-14 | 2014-10-19 | User device profiling in transaction authentications |
US14/521,667 US20150046332A1 (en) | 2014-08-08 | 2014-10-23 | Behavior tracking smart agents for artificial intelligence fraud protection and management |
US14/675,453 US9213990B2 (en) | 2014-02-14 | 2015-03-31 | Method of reducing financial fraud by user devices patronizing commercial websites |
US16/424,187 US20190279218A1 (en) | 2014-08-08 | 2019-05-28 | Behavior tracking smart agents for artificial intelligence fraud protection and management |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/180,370 US10019744B2 (en) | 2014-02-14 | 2014-02-14 | Multi-dimensional behavior device ID |
US14/454,749 US9779407B2 (en) | 2014-08-08 | 2014-08-08 | Healthcare fraud preemption |
US14/517,771 US20150039512A1 (en) | 2014-08-08 | 2014-10-17 | Real-time cross-channel fraud protection |
US14/517,863 US20150039513A1 (en) | 2014-02-14 | 2014-10-19 | User device profiling in transaction authentications |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/454,749 Continuation-In-Part US9779407B2 (en) | 2014-02-14 | 2014-08-08 | Healthcare fraud preemption |
Related Child Applications (4)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/514,381 Continuation-In-Part US20150032589A1 (en) | 2014-08-08 | 2014-10-15 | Artificial intelligence fraud management solution |
US14/517,771 Continuation-In-Part US20150039512A1 (en) | 2014-02-14 | 2014-10-17 | Real-time cross-channel fraud protection |
US14/521,667 Continuation-In-Part US20150046332A1 (en) | 2014-08-08 | 2014-10-23 | Behavior tracking smart agents for artificial intelligence fraud protection and management |
US14/675,453 Division US9213990B2 (en) | 2014-02-14 | 2015-03-31 | Method of reducing financial fraud by user devices patronizing commercial websites |
Publications (1)
Publication Number | Publication Date |
---|---|
US20150039513A1 true US20150039513A1 (en) | 2015-02-05 |
Family
ID=52428581
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/517,863 Abandoned US20150039513A1 (en) | 2014-02-14 | 2014-10-19 | User device profiling in transaction authentications |
US14/675,453 Active US9213990B2 (en) | 2014-02-14 | 2015-03-31 | Method of reducing financial fraud by user devices patronizing commercial websites |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/675,453 Active US9213990B2 (en) | 2014-02-14 | 2015-03-31 | Method of reducing financial fraud by user devices patronizing commercial websites |
Country Status (1)
Country | Link |
---|---|
US (2) | US20150039513A1 (en) |
Cited By (67)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160127319A1 (en) * | 2014-11-05 | 2016-05-05 | ThreatMetrix, Inc. | Method and system for autonomous rule generation for screening internet transactions |
WO2016164274A1 (en) * | 2015-04-07 | 2016-10-13 | Zingbox, Ltd. | Packet analysis based iot management |
US9621576B1 (en) * | 2014-12-31 | 2017-04-11 | EMC IP Holding Company LLC | Detecting malicious websites |
US20170148026A1 (en) * | 2015-11-24 | 2017-05-25 | Vesta Corporation | Exclusion of nodes from link analysis |
US9679426B1 (en) | 2016-01-04 | 2017-06-13 | Bank Of America Corporation | Malfeasance detection based on identification of device signature |
WO2017093801A3 (en) * | 2015-12-02 | 2017-07-20 | Ori Einhorn | Systems and methods for electronic fraud detection and prevention |
US9813324B2 (en) | 2015-06-09 | 2017-11-07 | Cisco Technology, Inc. | Dynamic control of endpoint profiling |
US20180026983A1 (en) * | 2016-07-20 | 2018-01-25 | Aetna Inc. | System and methods to establish user profile using multiple channels |
US20180219895A1 (en) * | 2017-01-27 | 2018-08-02 | Vectra Networks, Inc. | Method and system for learning representations of network flow traffic |
US10057227B1 (en) * | 2015-03-27 | 2018-08-21 | Amazon Technologies, Inc. | Determination of authentication mechanism |
US20190052659A1 (en) * | 2017-08-08 | 2019-02-14 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US10218726B2 (en) | 2016-03-25 | 2019-02-26 | Cisco Technology, Inc. | Dynamic device clustering using device profile information |
US20190087820A1 (en) * | 2017-09-18 | 2019-03-21 | Mastercard International Incorporated | False decline alert network |
US20190199741A1 (en) * | 2017-12-22 | 2019-06-27 | Paypal, Inc. | System and method for creating and analyzing a low-dimensional representation of webpage sequences |
US20190205885A1 (en) * | 2017-12-28 | 2019-07-04 | Paypal, Inc. | Machine learning engine for fraud detection following link selection |
US10372907B2 (en) * | 2016-06-02 | 2019-08-06 | AO Kaspersky Lab | System and method of detecting malicious computer systems |
US10373131B2 (en) | 2016-01-04 | 2019-08-06 | Bank Of America Corporation | Recurring event analyses and data push |
US10404727B2 (en) | 2016-03-25 | 2019-09-03 | Cisco Technology, Inc. | Self organizing learning topologies |
US20190295089A1 (en) * | 2018-03-23 | 2019-09-26 | Microsoft Technology Licensing, Llc | Transaction fraud detection based on entity linking |
US20190312942A1 (en) * | 2016-02-25 | 2019-10-10 | InAuth, Inc. | Systems and methods for recognizing a device |
US20190385175A1 (en) * | 2018-06-15 | 2019-12-19 | Wells Fargo Bank, N.A. | Risk detection of false customer information |
US10536466B1 (en) * | 2017-04-26 | 2020-01-14 | Branch Banking And Trust Company | Risk assessment of electronic communication using time zone data |
US20200042723A1 (en) * | 2018-08-03 | 2020-02-06 | Verizon Patent And Licensing Inc. | Identity fraud risk engine platform |
US10601850B2 (en) * | 2015-03-02 | 2020-03-24 | Alibaba Group Holding Limited | Identifying risky user behaviors in computer networks |
US10664596B2 (en) | 2014-08-11 | 2020-05-26 | Sentinel Labs Israel Ltd. | Method of malware detection and system thereof |
US10762200B1 (en) | 2019-05-20 | 2020-09-01 | Sentinel Labs Israel Ltd. | Systems and methods for executable code detection, automatic feature extraction and position independent code detection |
US10825028B1 (en) | 2016-03-25 | 2020-11-03 | State Farm Mutual Automobile Insurance Company | Identifying fraudulent online applications |
US10872341B1 (en) * | 2018-11-09 | 2020-12-22 | American Express Travel Related Services Company, Inc. | Secondary fraud detection during transaction verifications |
CN112215513A (en) * | 2020-10-22 | 2021-01-12 | 国网辽宁省电力有限公司营销服务中心 | Offline analysis method and system for user behavior events of power system |
WO2021053646A1 (en) * | 2019-09-21 | 2021-03-25 | Cashshield Pte. Ltd. | Detection of presence of malicious tools on mobile devices |
US10972471B2 (en) | 2017-12-15 | 2021-04-06 | International Business Machines Corporation | Device authentication using synchronized activity signature comparison |
US11070568B2 (en) | 2017-09-27 | 2021-07-20 | Palo Alto Networks, Inc. | IoT device management visualization |
US11082296B2 (en) | 2017-10-27 | 2021-08-03 | Palo Alto Networks, Inc. | IoT device grouping and labeling |
US11087005B2 (en) | 2016-11-21 | 2021-08-10 | Palo Alto Networks, Inc. | IoT device risk assessment |
US11115799B1 (en) | 2020-06-01 | 2021-09-07 | Palo Alto Networks, Inc. | IoT device discovery and identification |
US11157914B2 (en) * | 2019-12-13 | 2021-10-26 | Visa International Service Association | Method, system, and computer program product for processing a potentially fraudulent transaction |
US20210383387A1 (en) * | 2020-06-09 | 2021-12-09 | Visa International Service Association | Name verification service |
WO2022071941A1 (en) * | 2020-09-30 | 2022-04-07 | Google Llc | Securely detecting online fraud malware |
US20220129900A1 (en) * | 2020-10-27 | 2022-04-28 | Payfone, Inc. | Transaction authentication, authorization, and/or auditing utilizing subscriber-specific behaviors |
US20220182824A1 (en) * | 2019-04-09 | 2022-06-09 | Orange | Methods and apparatus to discriminate authentic wireless internet-of-things devices |
US11379591B2 (en) * | 2019-03-28 | 2022-07-05 | Sony Corporation | Methods and devices for user authorization |
US11416863B2 (en) | 2018-04-11 | 2022-08-16 | Wells Fargo Bank, N.A. | System and methods for assessing risk of fraud in an electronic transaction |
US11451571B2 (en) | 2018-12-12 | 2022-09-20 | Palo Alto Networks, Inc. | IoT device risk assessment and scoring |
US11468444B2 (en) * | 2017-12-18 | 2022-10-11 | Mastercard International Incorporated | Method and system for bypassing merchant systems to increase data security in conveyance of credentials |
US11483710B2 (en) | 2020-12-01 | 2022-10-25 | Prove Identity, Inc. | Subscriber account identifier transfer in a telecommunications system |
US11488178B2 (en) * | 2020-11-01 | 2022-11-01 | Beijing Didi Infinity Technology And Development Co., Ltd. | Systems and methods for verifying digital payments |
US11496480B2 (en) | 2018-05-01 | 2022-11-08 | Brighterion, Inc. | Securing internet-of-things with smart-agent technology |
US11507663B2 (en) | 2014-08-11 | 2022-11-22 | Sentinel Labs Israel Ltd. | Method of remediating operations performed by a program and system thereof |
US11531754B2 (en) | 2018-09-11 | 2022-12-20 | Mastercard Technologies Canada ULC | Transpiration of fraud detection rules to native language source code |
US11538063B2 (en) | 2018-09-12 | 2022-12-27 | Samsung Electronics Co., Ltd. | Online fraud prevention and detection based on distributed system |
US11552975B1 (en) * | 2021-10-26 | 2023-01-10 | Palo Alto Networks, Inc. | IoT device identification with packet flow behavior machine learning model |
US11552954B2 (en) | 2015-01-16 | 2023-01-10 | Palo Alto Networks, Inc. | Private cloud control |
US11579857B2 (en) | 2020-12-16 | 2023-02-14 | Sentinel Labs Israel Ltd. | Systems, methods and devices for device fingerprinting and automatic deployment of software in a computing network using a peer-to-peer approach |
US11616812B2 (en) | 2016-12-19 | 2023-03-28 | Attivo Networks Inc. | Deceiving attackers accessing active directory data |
US11651341B2 (en) * | 2016-01-08 | 2023-05-16 | Worldpay, Llc | Multi-platform electronic payment transaction risk profiling |
US11671819B2 (en) | 2019-02-12 | 2023-06-06 | Prove Identity, Inc. | Systems and methods for porting communication devices |
WO2023111662A1 (en) * | 2021-12-18 | 2023-06-22 | Knwn Technologies, Inc. | Biometric identification via holographic environmental data |
US11689573B2 (en) | 2018-12-31 | 2023-06-27 | Palo Alto Networks, Inc. | Multi-layered policy management |
US11695800B2 (en) | 2016-12-19 | 2023-07-04 | SentinelOne, Inc. | Deceiving attackers accessing network data |
US11722502B1 (en) | 2017-04-13 | 2023-08-08 | United Services Automobile Association (Usaa) | Systems and methods of detecting and mitigating malicious network activity |
US11729283B2 (en) * | 2018-07-03 | 2023-08-15 | Naver Corporation | Apparatus for analysing online user behavior and method for the same |
US11777965B2 (en) | 2018-06-18 | 2023-10-03 | Palo Alto Networks, Inc. | Pattern match-based detection in IoT security |
US11809448B2 (en) | 2021-04-19 | 2023-11-07 | Bank Of America Corporation | System for synchronizing dataflow migration between technical environments |
US11888897B2 (en) | 2018-02-09 | 2024-01-30 | SentinelOne, Inc. | Implementing decoys in a network environment |
US11902273B2 (en) | 2021-03-30 | 2024-02-13 | Bank Of America Corporation | System for dynamic chaffing for log obfuscation based on shifting exposure portfolio |
US11899782B1 (en) | 2021-07-13 | 2024-02-13 | SentinelOne, Inc. | Preserving DLL hooks |
US11973781B2 (en) * | 2022-04-21 | 2024-04-30 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
Families Citing this family (33)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10929923B1 (en) * | 2014-06-17 | 2021-02-23 | Wells Fargo Bank, N.A. | Security scoring |
US10237298B1 (en) | 2014-06-17 | 2019-03-19 | Wells Fargo Bank, N.A. | Session management |
GB2529150B (en) * | 2014-08-04 | 2022-03-30 | Darktrace Ltd | Cyber security |
US9565203B2 (en) * | 2014-11-13 | 2017-02-07 | Cyber-Ark Software Ltd. | Systems and methods for detection of anomalous network behavior |
US10542961B2 (en) | 2015-06-15 | 2020-01-28 | The Research Foundation For The State University Of New York | System and method for infrasonic cardiac monitoring |
US10250617B1 (en) * | 2015-11-22 | 2019-04-02 | Symantec Corporation | Systems and methods for detecting malware using machine learning |
US10846434B1 (en) * | 2015-11-25 | 2020-11-24 | Massachusetts Mutual Life Insurance Company | Computer-implemented fraud detection |
US20170169431A1 (en) * | 2015-12-14 | 2017-06-15 | Mastercard International Incorporated | Systems and methods for using browser history in online fraud detection |
GB2547202B (en) | 2016-02-09 | 2022-04-20 | Darktrace Ltd | An anomaly alert system for cyber threat detection |
US10148776B2 (en) * | 2016-02-18 | 2018-12-04 | Adobe Systems Incorporated | Clickstream visual analytics based on maximal sequential patterns |
US10373267B2 (en) * | 2016-04-29 | 2019-08-06 | Intuit Inc. | User data augmented propensity model for determining a future financial requirement |
US11107027B1 (en) | 2016-05-31 | 2021-08-31 | Intuit Inc. | Externally augmented propensity model for determining a future financial requirement |
US10528563B2 (en) * | 2016-12-16 | 2020-01-07 | Futurewei Technologies, Inc. | Predictive table pre-joins in large scale data management system using graph community detection |
WO2019036128A1 (en) * | 2017-08-15 | 2019-02-21 | Cognant Llc | System and method for detecting fraudulent activity on client devices |
US10789357B2 (en) | 2017-09-29 | 2020-09-29 | Cognant Llc | System and method for detecting fraudulent software installation activity |
US11477222B2 (en) | 2018-02-20 | 2022-10-18 | Darktrace Holdings Limited | Cyber threat defense system protecting email networks with machine learning models using a range of metadata from observed email communications |
US11962552B2 (en) | 2018-02-20 | 2024-04-16 | Darktrace Holdings Limited | Endpoint agent extension of a machine learning cyber defense system for email |
EP3528458B1 (en) | 2018-02-20 | 2020-09-23 | Darktrace Limited | A cyber security appliance for a cloud infrastructure |
US11463457B2 (en) | 2018-02-20 | 2022-10-04 | Darktrace Holdings Limited | Artificial intelligence (AI) based cyber threat analyst to support a cyber security appliance |
US11924238B2 (en) | 2018-02-20 | 2024-03-05 | Darktrace Holdings Limited | Cyber threat defense system, components, and a method for using artificial intelligence models trained on a normal pattern of life for systems with unusual data sources |
CN108364219A (en) * | 2018-02-28 | 2018-08-03 | 深圳市买买提信息科技有限公司 | A kind of single monitoring method of record and terminal |
US10834112B2 (en) | 2018-04-24 | 2020-11-10 | At&T Intellectual Property I, L.P. | Web page spectroscopy |
US10263996B1 (en) | 2018-08-13 | 2019-04-16 | Capital One Services, Llc | Detecting fraudulent user access to online web services via user flow |
EP3633634A1 (en) * | 2018-10-02 | 2020-04-08 | Onfido Ltd | Character authenticity determination |
GB2574912B (en) * | 2018-11-30 | 2021-02-24 | Queryclick Ltd | Instructing server migration of a website based on reconstructed browser interaction data from session data having incomplete tracking data |
US10986121B2 (en) | 2019-01-24 | 2021-04-20 | Darktrace Limited | Multivariate network structure anomaly detector |
US10672005B1 (en) * | 2019-02-19 | 2020-06-02 | Capital One Services, Llc | Updating a machine learning fraud model based on third party transaction information |
EP3931734A4 (en) | 2019-03-01 | 2022-12-07 | Mastercard Technologies Canada ULC | Multi-page online application origination (oao) service for fraud prevention systems |
CO2019006711A1 (en) * | 2019-06-24 | 2019-07-10 | Banco Davivienda S A | System and method for the approval and disbursement of a loan quickly and quickly |
US11709944B2 (en) | 2019-08-29 | 2023-07-25 | Darktrace Holdings Limited | Intelligent adversary simulator |
CA3150122A1 (en) | 2019-10-01 | 2021-04-08 | Mastercard Technologies Canada ULC | Feature encoding in online application origination (oao) service for a fraud prevention system |
FR3104761A1 (en) * | 2019-12-12 | 2021-06-18 | Orange | Method for monitoring data passing through user equipment |
EP4111370A2 (en) | 2020-02-28 | 2023-01-04 | Darktrace Holdings Limited | Treating data flows differently based on level of interest |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040153555A1 (en) * | 2002-10-03 | 2004-08-05 | Henry Haverinen | Method and apparatus enabling reauthentication in a cellular communication system |
US20070239604A1 (en) * | 2006-04-10 | 2007-10-11 | O'connell Brian M | User-browser interaction-based fraud detection system |
US20120203698A1 (en) * | 2011-02-07 | 2012-08-09 | Dustin Duncan | Method and System for Fraud Detection and Notification |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8145562B2 (en) * | 2009-03-09 | 2012-03-27 | Moshe Wasserblat | Apparatus and method for fraud prevention |
-
2014
- 2014-10-19 US US14/517,863 patent/US20150039513A1/en not_active Abandoned
-
2015
- 2015-03-31 US US14/675,453 patent/US9213990B2/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040153555A1 (en) * | 2002-10-03 | 2004-08-05 | Henry Haverinen | Method and apparatus enabling reauthentication in a cellular communication system |
US20070239604A1 (en) * | 2006-04-10 | 2007-10-11 | O'connell Brian M | User-browser interaction-based fraud detection system |
US20120203698A1 (en) * | 2011-02-07 | 2012-08-09 | Dustin Duncan | Method and System for Fraud Detection and Notification |
Cited By (137)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11886591B2 (en) | 2014-08-11 | 2024-01-30 | Sentinel Labs Israel Ltd. | Method of remediating operations performed by a program and system thereof |
US10664596B2 (en) | 2014-08-11 | 2020-05-26 | Sentinel Labs Israel Ltd. | Method of malware detection and system thereof |
US11625485B2 (en) | 2014-08-11 | 2023-04-11 | Sentinel Labs Israel Ltd. | Method of malware detection and system thereof |
US11507663B2 (en) | 2014-08-11 | 2022-11-22 | Sentinel Labs Israel Ltd. | Method of remediating operations performed by a program and system thereof |
US20160127319A1 (en) * | 2014-11-05 | 2016-05-05 | ThreatMetrix, Inc. | Method and system for autonomous rule generation for screening internet transactions |
US9621576B1 (en) * | 2014-12-31 | 2017-04-11 | EMC IP Holding Company LLC | Detecting malicious websites |
US11552954B2 (en) | 2015-01-16 | 2023-01-10 | Palo Alto Networks, Inc. | Private cloud control |
EP3267348B1 (en) * | 2015-03-02 | 2020-04-08 | Alibaba Group Holding Limited | Method and apparatus for recognizing risk behavior |
US10601850B2 (en) * | 2015-03-02 | 2020-03-24 | Alibaba Group Holding Limited | Identifying risky user behaviors in computer networks |
US10057227B1 (en) * | 2015-03-27 | 2018-08-21 | Amazon Technologies, Inc. | Determination of authentication mechanism |
US10771491B2 (en) | 2015-04-07 | 2020-09-08 | Palo Alto Networks, Inc. | Packet analysis based IoT management |
US10212178B2 (en) | 2015-04-07 | 2019-02-19 | Zingbox, Ltd. | Packet analysis based IoT management |
WO2016164274A1 (en) * | 2015-04-07 | 2016-10-13 | Zingbox, Ltd. | Packet analysis based iot management |
US9813324B2 (en) | 2015-06-09 | 2017-11-07 | Cisco Technology, Inc. | Dynamic control of endpoint profiling |
US10496992B2 (en) * | 2015-11-24 | 2019-12-03 | Vesta Corporation | Exclusion of nodes from link analysis |
US20170148026A1 (en) * | 2015-11-24 | 2017-05-25 | Vesta Corporation | Exclusion of nodes from link analysis |
WO2017093801A3 (en) * | 2015-12-02 | 2017-07-20 | Ori Einhorn | Systems and methods for electronic fraud detection and prevention |
US10373131B2 (en) | 2016-01-04 | 2019-08-06 | Bank Of America Corporation | Recurring event analyses and data push |
US9679426B1 (en) | 2016-01-04 | 2017-06-13 | Bank Of America Corporation | Malfeasance detection based on identification of device signature |
US11100478B2 (en) | 2016-01-04 | 2021-08-24 | Bank Of America Corporation | Recurring event analyses and data push |
US11651341B2 (en) * | 2016-01-08 | 2023-05-16 | Worldpay, Llc | Multi-platform electronic payment transaction risk profiling |
US20190312942A1 (en) * | 2016-02-25 | 2019-10-10 | InAuth, Inc. | Systems and methods for recognizing a device |
US10873641B2 (en) * | 2016-02-25 | 2020-12-22 | InAuth, Inc. | Systems and methods for recognizing a device |
US11778059B1 (en) * | 2016-02-25 | 2023-10-03 | Accertify, Inc. | Systems and methods for recognizing a device |
US11687938B1 (en) | 2016-03-25 | 2023-06-27 | State Farm Mutual Automobile Insurance Company | Reducing false positives using customer feedback and machine learning |
US11741480B2 (en) | 2016-03-25 | 2023-08-29 | State Farm Mutual Automobile Insurance Company | Identifying fraudulent online applications |
US11170375B1 (en) | 2016-03-25 | 2021-11-09 | State Farm Mutual Automobile Insurance Company | Automated fraud classification using machine learning |
US11049109B1 (en) | 2016-03-25 | 2021-06-29 | State Farm Mutual Automobile Insurance Company | Reducing false positives using customer data and machine learning |
US11687937B1 (en) | 2016-03-25 | 2023-06-27 | State Farm Mutual Automobile Insurance Company | Reducing false positives using customer data and machine learning |
US11037159B1 (en) | 2016-03-25 | 2021-06-15 | State Farm Mutual Automobile Insurance Company | Identifying chargeback scenarios based upon non-compliant merchant computer terminals |
US11699158B1 (en) | 2016-03-25 | 2023-07-11 | State Farm Mutual Automobile Insurance Company | Reducing false positive fraud alerts for online financial transactions |
US10404727B2 (en) | 2016-03-25 | 2019-09-03 | Cisco Technology, Inc. | Self organizing learning topologies |
US10825028B1 (en) | 2016-03-25 | 2020-11-03 | State Farm Mutual Automobile Insurance Company | Identifying fraudulent online applications |
US10832248B1 (en) | 2016-03-25 | 2020-11-10 | State Farm Mutual Automobile Insurance Company | Reducing false positives using customer data and machine learning |
US11240259B2 (en) | 2016-03-25 | 2022-02-01 | Cisco Technology, Inc. | Self organizing learning topologies |
US10872339B1 (en) | 2016-03-25 | 2020-12-22 | State Farm Mutual Automobile Insurance Company | Reducing false positives using customer feedback and machine learning |
US11004079B1 (en) | 2016-03-25 | 2021-05-11 | State Farm Mutual Automobile Insurance Company | Identifying chargeback scenarios based upon non-compliant merchant computer terminals |
US11334894B1 (en) | 2016-03-25 | 2022-05-17 | State Farm Mutual Automobile Insurance Company | Identifying false positive geolocation-based fraud alerts |
US11348122B1 (en) | 2016-03-25 | 2022-05-31 | State Farm Mutual Automobile Insurance Company | Identifying fraudulent online applications |
US10218726B2 (en) | 2016-03-25 | 2019-02-26 | Cisco Technology, Inc. | Dynamic device clustering using device profile information |
US10949854B1 (en) | 2016-03-25 | 2021-03-16 | State Farm Mutual Automobile Insurance Company | Reducing false positives using customer feedback and machine learning |
US10949852B1 (en) | 2016-03-25 | 2021-03-16 | State Farm Mutual Automobile Insurance Company | Document-based fraud detection |
US10372907B2 (en) * | 2016-06-02 | 2019-08-06 | AO Kaspersky Lab | System and method of detecting malicious computer systems |
US10938815B2 (en) * | 2016-07-20 | 2021-03-02 | Aetna Inc. | System and methods to establish user profile using multiple channels |
US10924479B2 (en) * | 2016-07-20 | 2021-02-16 | Aetna Inc. | System and methods to establish user profile using multiple channels |
US20180026983A1 (en) * | 2016-07-20 | 2018-01-25 | Aetna Inc. | System and methods to establish user profile using multiple channels |
US11087005B2 (en) | 2016-11-21 | 2021-08-10 | Palo Alto Networks, Inc. | IoT device risk assessment |
US11681812B2 (en) | 2016-11-21 | 2023-06-20 | Palo Alto Networks, Inc. | IoT device risk assessment |
US11616812B2 (en) | 2016-12-19 | 2023-03-28 | Attivo Networks Inc. | Deceiving attackers accessing active directory data |
US11695800B2 (en) | 2016-12-19 | 2023-07-04 | SentinelOne, Inc. | Deceiving attackers accessing network data |
US10880321B2 (en) * | 2017-01-27 | 2020-12-29 | Vectra Ai, Inc. | Method and system for learning representations of network flow traffic |
US20180219895A1 (en) * | 2017-01-27 | 2018-08-02 | Vectra Networks, Inc. | Method and system for learning representations of network flow traffic |
US11722502B1 (en) | 2017-04-13 | 2023-08-08 | United Services Automobile Association (Usaa) | Systems and methods of detecting and mitigating malicious network activity |
US10536466B1 (en) * | 2017-04-26 | 2020-01-14 | Branch Banking And Trust Company | Risk assessment of electronic communication using time zone data |
US11245714B2 (en) * | 2017-08-08 | 2022-02-08 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US20230007030A1 (en) * | 2017-08-08 | 2023-01-05 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US10462171B2 (en) * | 2017-08-08 | 2019-10-29 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US20200059483A1 (en) * | 2017-08-08 | 2020-02-20 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US20230007025A1 (en) * | 2017-08-08 | 2023-01-05 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US20190052659A1 (en) * | 2017-08-08 | 2019-02-14 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US11716342B2 (en) * | 2017-08-08 | 2023-08-01 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US10841325B2 (en) * | 2017-08-08 | 2020-11-17 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US20230007026A1 (en) * | 2017-08-08 | 2023-01-05 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US11876819B2 (en) * | 2017-08-08 | 2024-01-16 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US11716341B2 (en) * | 2017-08-08 | 2023-08-01 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US11212309B1 (en) * | 2017-08-08 | 2021-12-28 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US11722506B2 (en) * | 2017-08-08 | 2023-08-08 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US11245715B2 (en) * | 2017-08-08 | 2022-02-08 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US20210152586A1 (en) * | 2017-08-08 | 2021-05-20 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US20230007028A1 (en) * | 2017-08-08 | 2023-01-05 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US11290478B2 (en) * | 2017-08-08 | 2022-03-29 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US11838306B2 (en) * | 2017-08-08 | 2023-12-05 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US11838305B2 (en) * | 2017-08-08 | 2023-12-05 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US20230007031A1 (en) * | 2017-08-08 | 2023-01-05 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US20230007027A1 (en) * | 2017-08-08 | 2023-01-05 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US20230007029A1 (en) * | 2017-08-08 | 2023-01-05 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US11522894B2 (en) * | 2017-08-08 | 2022-12-06 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
US20190087820A1 (en) * | 2017-09-18 | 2019-03-21 | Mastercard International Incorporated | False decline alert network |
US11070568B2 (en) | 2017-09-27 | 2021-07-20 | Palo Alto Networks, Inc. | IoT device management visualization |
US11683328B2 (en) | 2017-09-27 | 2023-06-20 | Palo Alto Networks, Inc. | IoT device management visualization |
US11082296B2 (en) | 2017-10-27 | 2021-08-03 | Palo Alto Networks, Inc. | IoT device grouping and labeling |
US11671327B2 (en) | 2017-10-27 | 2023-06-06 | Palo Alto Networks, Inc. | IoT device grouping and labeling |
US10972471B2 (en) | 2017-12-15 | 2021-04-06 | International Business Machines Corporation | Device authentication using synchronized activity signature comparison |
US11468444B2 (en) * | 2017-12-18 | 2022-10-11 | Mastercard International Incorporated | Method and system for bypassing merchant systems to increase data security in conveyance of credentials |
US20190199741A1 (en) * | 2017-12-22 | 2019-06-27 | Paypal, Inc. | System and method for creating and analyzing a low-dimensional representation of webpage sequences |
US11100568B2 (en) * | 2017-12-22 | 2021-08-24 | Paypal, Inc. | System and method for creating and analyzing a low-dimensional representation of webpage sequences |
US20190205885A1 (en) * | 2017-12-28 | 2019-07-04 | Paypal, Inc. | Machine learning engine for fraud detection following link selection |
US11288672B2 (en) * | 2017-12-28 | 2022-03-29 | Paypal, Inc. | Machine learning engine for fraud detection following link selection |
US11888897B2 (en) | 2018-02-09 | 2024-01-30 | SentinelOne, Inc. | Implementing decoys in a network environment |
US20190295089A1 (en) * | 2018-03-23 | 2019-09-26 | Microsoft Technology Licensing, Llc | Transaction fraud detection based on entity linking |
US11416863B2 (en) | 2018-04-11 | 2022-08-16 | Wells Fargo Bank, N.A. | System and methods for assessing risk of fraud in an electronic transaction |
US11496480B2 (en) | 2018-05-01 | 2022-11-08 | Brighterion, Inc. | Securing internet-of-things with smart-agent technology |
US11842354B1 (en) | 2018-06-15 | 2023-12-12 | Wells Fargo Bank, N.A. | Risk detection of false customer information |
US11132697B2 (en) * | 2018-06-15 | 2021-09-28 | Wells Fargo Bank, N.A. | Risk detection of false customer information |
US20190385175A1 (en) * | 2018-06-15 | 2019-12-19 | Wells Fargo Bank, N.A. | Risk detection of false customer information |
US11777965B2 (en) | 2018-06-18 | 2023-10-03 | Palo Alto Networks, Inc. | Pattern match-based detection in IoT security |
US11729283B2 (en) * | 2018-07-03 | 2023-08-15 | Naver Corporation | Apparatus for analysing online user behavior and method for the same |
US20200042723A1 (en) * | 2018-08-03 | 2020-02-06 | Verizon Patent And Licensing Inc. | Identity fraud risk engine platform |
US11017100B2 (en) * | 2018-08-03 | 2021-05-25 | Verizon Patent And Licensing Inc. | Identity fraud risk engine platform |
US11531754B2 (en) | 2018-09-11 | 2022-12-20 | Mastercard Technologies Canada ULC | Transpiration of fraud detection rules to native language source code |
US11645389B2 (en) * | 2018-09-11 | 2023-05-09 | Mastercard Technologies Canada ULC | Optimized execution of fraud detection rules |
US11538063B2 (en) | 2018-09-12 | 2022-12-27 | Samsung Electronics Co., Ltd. | Online fraud prevention and detection based on distributed system |
CN113168637A (en) * | 2018-11-09 | 2021-07-23 | 美国运通旅游有关服务公司 | Secondary fraud detection during transaction verification |
KR102583919B1 (en) | 2018-11-09 | 2023-10-05 | 아메리칸 익스프레스 트레블 릴레이티드 서비스즈 컴퍼니, 아이엔씨. | Secondary fraud detection during transaction verifications |
KR20210095122A (en) * | 2018-11-09 | 2021-07-30 | 아메리칸 익스프레스 트레블 릴레이티드 서비스즈 컴퍼니, 아이엔씨. | Secondary fraud detection during transaction verifications |
US10872341B1 (en) * | 2018-11-09 | 2020-12-22 | American Express Travel Related Services Company, Inc. | Secondary fraud detection during transaction verifications |
US11706246B2 (en) | 2018-12-12 | 2023-07-18 | Palo Alto Networks, Inc. | IOT device risk assessment and scoring |
US11451571B2 (en) | 2018-12-12 | 2022-09-20 | Palo Alto Networks, Inc. | IoT device risk assessment and scoring |
US11689573B2 (en) | 2018-12-31 | 2023-06-27 | Palo Alto Networks, Inc. | Multi-layered policy management |
US11671819B2 (en) | 2019-02-12 | 2023-06-06 | Prove Identity, Inc. | Systems and methods for porting communication devices |
US11379591B2 (en) * | 2019-03-28 | 2022-07-05 | Sony Corporation | Methods and devices for user authorization |
US20220182824A1 (en) * | 2019-04-09 | 2022-06-09 | Orange | Methods and apparatus to discriminate authentic wireless internet-of-things devices |
US10762200B1 (en) | 2019-05-20 | 2020-09-01 | Sentinel Labs Israel Ltd. | Systems and methods for executable code detection, automatic feature extraction and position independent code detection |
US11580218B2 (en) | 2019-05-20 | 2023-02-14 | Sentinel Labs Israel Ltd. | Systems and methods for executable code detection, automatic feature extraction and position independent code detection |
US11210392B2 (en) | 2019-05-20 | 2021-12-28 | Sentinel Labs Israel Ltd. | Systems and methods for executable code detection, automatic feature extraction and position independent code detection |
US11790079B2 (en) | 2019-05-20 | 2023-10-17 | Sentinel Labs Israel Ltd. | Systems and methods for executable code detection, automatic feature extraction and position independent code detection |
WO2021053647A1 (en) * | 2019-09-21 | 2021-03-25 | Cashshield Pte. Ltd. | Detection of use of malicious tools on mobile devices |
WO2021053646A1 (en) * | 2019-09-21 | 2021-03-25 | Cashshield Pte. Ltd. | Detection of presence of malicious tools on mobile devices |
US11893586B2 (en) | 2019-12-13 | 2024-02-06 | Visa International Service Association | Method, system, and computer program product for processing a potentially fraudulent transaction |
US11157914B2 (en) * | 2019-12-13 | 2021-10-26 | Visa International Service Association | Method, system, and computer program product for processing a potentially fraudulent transaction |
US11115799B1 (en) | 2020-06-01 | 2021-09-07 | Palo Alto Networks, Inc. | IoT device discovery and identification |
US11722875B2 (en) | 2020-06-01 | 2023-08-08 | Palo Alto Networks, Inc. | IoT device discovery and identification |
US20210383387A1 (en) * | 2020-06-09 | 2021-12-09 | Visa International Service Association | Name verification service |
WO2022071941A1 (en) * | 2020-09-30 | 2022-04-07 | Google Llc | Securely detecting online fraud malware |
CN112215513A (en) * | 2020-10-22 | 2021-01-12 | 国网辽宁省电力有限公司营销服务中心 | Offline analysis method and system for user behavior events of power system |
US20220129900A1 (en) * | 2020-10-27 | 2022-04-28 | Payfone, Inc. | Transaction authentication, authorization, and/or auditing utilizing subscriber-specific behaviors |
US11488178B2 (en) * | 2020-11-01 | 2022-11-01 | Beijing Didi Infinity Technology And Development Co., Ltd. | Systems and methods for verifying digital payments |
US11483710B2 (en) | 2020-12-01 | 2022-10-25 | Prove Identity, Inc. | Subscriber account identifier transfer in a telecommunications system |
US11748083B2 (en) | 2020-12-16 | 2023-09-05 | Sentinel Labs Israel Ltd. | Systems, methods and devices for device fingerprinting and automatic deployment of software in a computing network using a peer-to-peer approach |
US11579857B2 (en) | 2020-12-16 | 2023-02-14 | Sentinel Labs Israel Ltd. | Systems, methods and devices for device fingerprinting and automatic deployment of software in a computing network using a peer-to-peer approach |
US11902273B2 (en) | 2021-03-30 | 2024-02-13 | Bank Of America Corporation | System for dynamic chaffing for log obfuscation based on shifting exposure portfolio |
US11809448B2 (en) | 2021-04-19 | 2023-11-07 | Bank Of America Corporation | System for synchronizing dataflow migration between technical environments |
US11899782B1 (en) | 2021-07-13 | 2024-02-13 | SentinelOne, Inc. | Preserving DLL hooks |
US20230125310A1 (en) * | 2021-10-26 | 2023-04-27 | Palo Alto Networks, Inc. | Iot device identification with packet flow behavior machine learning model |
US11552975B1 (en) * | 2021-10-26 | 2023-01-10 | Palo Alto Networks, Inc. | IoT device identification with packet flow behavior machine learning model |
WO2023111662A1 (en) * | 2021-12-18 | 2023-06-22 | Knwn Technologies, Inc. | Biometric identification via holographic environmental data |
US11973781B2 (en) * | 2022-04-21 | 2024-04-30 | Sentinel Labs Israel Ltd. | Methods, systems, and devices for dynamically modeling and grouping endpoints for edge networking |
Also Published As
Publication number | Publication date |
---|---|
US20150206214A1 (en) | 2015-07-23 |
US9213990B2 (en) | 2015-12-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9213990B2 (en) | Method of reducing financial fraud by user devices patronizing commercial websites | |
US10019744B2 (en) | Multi-dimensional behavior device ID | |
US7089592B2 (en) | Systems and methods for dynamic detection and prevention of electronic fraud | |
Rovetta et al. | Bot recognition in a Web store: An approach based on unsupervised learning | |
US8356001B2 (en) | Systems and methods for application-level security | |
US20220327541A1 (en) | Systems and methods of generating risk scores and predictive fraud modeling | |
US11785030B2 (en) | Identifying data processing timeouts in live risk analysis systems | |
Vegesna | Analysis of Artificial Intelligence Techniques for Network Intrusion Detection and Intrusion Prevention for Enhanced User Privacy | |
Solano et al. | Risk-based static authentication in web applications with behavioral biometrics and session context analytics | |
Mohammadi et al. | An efficient hybrid self-learning intrusion detection system based on neural networks | |
WO2019156680A1 (en) | Proactive device authentication platform | |
CN114553456A (en) | Digital identity network alerts | |
Alswiti et al. | Users profiling using clickstream data analysis and classification | |
AU2022257616A1 (en) | Systems and methods of generating risk scores and predictive fraud modeling | |
CN112804192A (en) | Method, apparatus, electronic device, program, and medium for monitoring hidden network leakage | |
Jansi | An Effective Model of Terminating Phishing Websites and Detection Based On Logistic Regression | |
Yazdani et al. | Intelligent Detection of Intrusion into Databases Using Extended Classifier System. | |
Abuali et al. | Intrusion Detection Techniques in Social Media Cloud: Review and Future Directions | |
Akanchha | Exploring a robust machine learning classifier for detecting phishing domains using SSL certificates | |
Amin et al. | Compromised user credentials detection using temporal features: A prudent based approach | |
Gombiro et al. | A conceptual framework for detecting financial crime in mobile money transactions | |
Awodiji et al. | Malicious Malware Detection Using Machine Learning Perspectives | |
Rokade et al. | Detection of Malicious Activities and Connections for Network Security using Deep Learning | |
Rajwar et al. | Comparative Evaluation of Machine Learning Methods for Network Intrusion Detection System | |
Iliou | Machine Learning Based Detection and Evasion Techniques for Advanced Web Bots. |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: BRIGHTERION, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ADJAOUTE, AKLI;REEL/FRAME:034138/0758 Effective date: 20141104 |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
|
AS | Assignment |
Owner name: BRIGHTERION INC, CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ADJAOUTE, AKLI;REEL/FRAME:041545/0279 Effective date: 20170309 |