EA042566B1 - METHOD AND SYSTEM FOR FINDING SIMILAR FRAUD GROUPS ON GRAPH MODELS - Google Patents

Description

Technical field

The invention relates to methods for processing data using computer systems, in particular to a method and system for searching for similar fraudulent groups using graph models of transactional data.

State of the art

The problem of analyzing bank transactions for the detection of suspicious and/or fraudulent transactions is that in order to work effectively, it is necessary to carry out a large amount of calculation of transaction data in a short period of time. In particular, there is a need to search for similar fraudulent groups with known patterns of fraudulent transactions.

A solution is known for displaying and analyzing transaction flows, in which the principle of building a graph model is used for data processing (US20020156724, PayPal Inc., 24.10.2002). In the well-known solution, the graph model is used to analyze transaction nodes in order to track the movement of the transaction flow and visually represent the route of their movement using the graph model.

In the well-known solution, the principle of constructing a route for the movement of transaction flows can also be used to detect fraudulent activity or graph nodes that are doubtful and are subject to additional verification outside the system.

From patent RU 2699677, a solution is known for finding the shortest paths by constructing iterations for each node of the graph model (PJSC Sberbank, 09/06/2019).

In the well-known solution, an iterative list is compiled for each node of the graph model. Based on iterative lists, the distances between each node of the graph model are built, which makes it possible to estimate how far, based on the distance, the nodes of the graph are located. However, the solution given in the analogue does not allow one to numerically estimate the degree of similarity of a particular graph model based on the construction of nodes and edges for the purpose of analyzing the belonging of graph nodes to known fraudulent details.

Disclosure of invention

The claimed solution proposes a new approach to solving an existing technical problem, which consists in the analysis of graph models of transactional data of known fraudulent schemes, which allows you to identify similar fraudulent schemes and identify fraudulent groups according to fraudulent schemes and / or indicate that the fraudulent scheme was involved or other fraudulent group.

The technical result is to ensure the identification of nodes associated with schemes for the implementation of fraudulent financial transactions.

The claimed result is achieved due to a computer-implemented method of searching for fraudulent transactions, performed using a processor, in which:

a) receive data on transactions in which all data relate to fraudulent transactions;

b) based on the obtained data, graphs are formed, in which nodes are data on transactions, and edges are completed transactions or links with attributes;

c) for each graph built in step b), the following steps are performed:

lists of iterations are determined for each vertex;

are determined for each node of the graph using an iterative distance algorithm for other nodes;

chains with the maximum distance are determined;

carrying out the formation of a graph frame based on certain chains in step c), while said frame consists of all vertices and edges of said chains;

based on the formed frame, the diameter of the graph is determined, which is the distance of any of its chains;

determine the number of chains in the graph frame;

the frame density is determined as the ratio of the number of graph frame vertices to the total number of vertices in the graph;

d) carry out a comparison of the graphs obtained in step b), which performs

i. calculation of the ratio of graph diameters;

ii. calculation of the ratio of the number of frame chains;

iii. calculation of the ratio of the densities of the frameworks of the compared graphs;

iv. calculation of similarity coefficients based on the ratio values obtained in steps i), ii) and iii);

e) at least one graph is determined that is similar to at least one known fraudulent scheme represented as a graph; And

f) determining transaction data associated with at least one known fraudulent scheme.

In one of the particular embodiments of the method, transaction data is selected from the group:

- 1 042566 device identifier, IP address, account number, payment card PAN, phone number, payer or payee details, or combinations thereof. In another particular embodiment, based on the calculated similarity coefficient, a record is created in the database about details related to a new group of fraudsters, or a connection of the analyzed transaction data is formed with at least one known fraudulent group.

The claimed invention is also implemented by means of a computer system for detecting fraudulent transactions, the system comprising at least one processor and at least one memory containing machine readable instructions which, when executed by the processor, perform the above method.

Description of figures

Fig. 1 illustrates a block diagram of the implementation of the presented method.

Fig. 2 illustrates a set of analyzed graphs.

Fig. 3 illustrates an example of defining graph frameworks.

Fig. 4 illustrates an example of graph comparison.

Fig. 5 illustrates a general view of the computing device.

Implementation of the invention

Further description of an exemplary embodiment of the claimed solution will be presented in accordance with references to the presented figures of the drawings.

According to FIG. 1, the claimed method of comparing fraudulent transactions (100) is performed using a computing device, such as a computer.

The first step (101) collects a lot of data on transactions in which there are fraudulent schemes. A transaction is a banking transaction between two entities. Transaction data can come from various sources of information, for example, from payment systems, POS-terminals, processing systems, etc., and can also be transmitted using any protocol from the TCP/IP stack. Transactions are accumulated and stored, as a rule, in a database (DB) of a computer device, such as a server.

The next step is to create transaction graphs in step (102). As shown in FIG. 2 according to the received transactions, a set of graphs is formed

GM={G1...G _n ) (200), where each graph (201)-(203) Gi is an unweighted undirected graph

G:=(V, E), where V is a non-empty set of nodes, and

E is a non-empty set of unordered edges, n is the number of graphs.

Transaction data can be: device identifier (for example, smartphone), IP address, geolocation data, account number, payment card PAN, phone number, payer or payee data, or combinations thereof. Transaction data allows you to accurately determine the sender and recipient of funds.

For each graph G (201)-(203) from the set of obtained graphs GM (200), a sequential algorithm is performed, which includes the following steps. At step (103), for each vertex of each of the graphs Gi (201)-(203), a list of neighborhoods V is found:

OKR _V ={OKR _[0] , OKR _[1] ... OKR _[i] }, where i is an integer, the distance index from node V, determined by the number of edges between the examined vertices.

At step (104), the determination of the distance for each vertex of graphs (201)-(203) to other vertices of the corresponding graph is performed. This stage is implemented using an iterative algorithm for finding the shortest chain described in patent RU2699677 (PJSC Sberbank, 09/06/2019), VV:

^L V= ^{L 1... ^L j} ^, where j is an integer, j=i-1.

Chain - is a route, all the edges of which are different; the number of edges determines the length of the chain.

All chains with the maximum distance are identified (step 105):

^W = ^{L V1... ^L Vm} ^, where m is an integer, the number of chains with the maximum distance.

Further, as shown in FIG. 3, at step (106), for each graph (201)-(203), a graph framework (2011, 2021, 2031) is formed:

KG:=(VK, EK), where VK=VW,uVW2u...uVW _k is the union of the vertices of all chains of the set W of each graph Gi (201)-(203),

EK=EW1uEW ₂ u...uEW _k - union of edges of all chains of the set W of each graph Gi (201)(203),

- 2 042566 k is an integer, the number of chains of the set W of each of the graphs (201)-(203).

Next, at step (107), the determination of the diameter DG of each graph (201)-(203) from the set GM (200) is performed. The diameter of the graph DG is equal to the distance of any of the chains in the set W for the corresponding graph from the set GM (200). At step (108), the number of chains KLW from the set W in the obtained frameworks KG (2011, 2021, 2031) of each graph G, (201)-(203) is determined,

KLw=|W|.

Based on the calculation of the number of chains KLW at step (109), the ratio of the number of vertices VK in the frameworks of graphs KG (2011, 2021, 2031) to the total number of vertices V in the corresponding graph c, (201)-(203), i.e. PV=|VK|/|V|, 0<PV<1. The PV coefficient reflects the density of the graph and shows how many graphs (201)-(203) have vertices that are not included in the formed frame KG (2011, 2021, 2031), and, accordingly, how much the frame differs from the corresponding graph for which it was formed. When PV=1, the graph and its wireframe are isomorphic, and the more the value of PV differs from 1, the more vertices are not included in the wireframe.

Next, the graphs from the set GM (200) are compared. The comparison of graphs is performed in pairs; for this, for each pair of graphs {G1, G ₂ } e GM, the following is defined. At step (110), the calculation of the ratio of the diameters of graphs G1 and G2 dDG=min(DG ₁ ,DG ₂ )/max(DG ₁ ,DG ₂ ) is performed.

Next, at step (111), the ratio of the numbers of chains of sets W in graphs G1 and G2 is determined dKLW=min(KLW1,KLW ₂ )/max(KLW1,KLW ₂ ), 0<dKLW<1.

At step (112) the ratio of the density coefficients of the frameworks PV of graphs G ₁ and G ₂ dPV=min(PV1,PV ₂ )/max(PV1,PV ₂ ), 0<dPV<1 is determined.

Then, at step (113), the similarity coefficient of graphs is calculated

POD=dDGxdKLWxdPV, 0<POD<1.

As a result, at step (114), the similarity coefficients of the two graphs are compared, as a result of which the closer the similarity coefficient POD is to 1, the more similar the graphs G ₁ and G ₂ are to each other, with the similarity coefficient POD=1, the graphs G ₁ and G ₂ are isomorphic .

The identification of similar graphs using the presented algorithm can be considered in the following example, shown in Fig. 4.

Data is obtained on transactions between subjects, characterized by transaction details and attributes. Transaction details and attributes are, in a particular case, transaction identifiers by which you can determine the sender and recipient of the transaction, i.e. nodes between which a money transfer has occurred. In this example, details are selected from the group: account number, PAN of the payment card, phone number, data of the payer or payee, or combinations thereof, and attributes from the group: device identifier (for example, smartphone), IP address, geolocation data, or combinations thereof . From the above data, graph models G1 (201), G2 (202), G3 (203) are formed. At the same time, there is a separate database containing data on transactions of fraudulent groups, which also has details and attributes. From this base, a graph model of fraudulent transactions GH (210) is formed.

All generated graph models are a set of graphs GM={GH,G1,G ₂ ,G ₃ }, which are used to build the frameworks of each graph:

A. for the graph GH - the framework of the graph KGH (2101),

b. for the graph G1 - the framework of the graph KG1 (2011),

With. for the graph G2 - the framework of the graph KG2 (2021),

d. for the graph G3 - the framework of the graph KG3 (2031).

We define the characteristics of each graph:

a. for the graph GH (210), the following characteristics are calculated:

i. graph diameter DG=3, ii. number of chains KLW=3, iii. graph density PV=0.87;

b. for graph G1 (201):

i. graph diameter DG=1, ii. number of chains KLW=4, iii. graph density PV=1;

c. for graph G2 (202):

i. graph diameter DGH=4, ii. number of chains KLW=2, iii. graph density PV=0.75;

d. for graph G3 (203):

i. graph diameter DGH=1, ii. number of chains KLW=5,

- 3 042566 iii. graph density PV=1.

Next, the graphs of the GM set are compared, the comparison is performed in pairs, on the basis of which the similarity coefficient is calculated for the graph frames:

a. comparing GH and G1 - POD=0.22,

b. comparing GH and G ₂ - POD=0.43,

c. comparing GH and G ₃ - POD=0.08,

d. comparing G1 and G ₂ - POD=0.09,

e. comparing G1 and G ₃ - POD=0.8,

f. comparing G ₂ and G ₃ - POD=0.08.

As a result of calculations, when comparing graphs GH (210) and G2 (202), there is a suspicion that a group of scammers from the fraudulent scheme GH (210) is involved in the fraudulent scheme G2 (202), due to the fact that the similarity coefficient of all graphs compared in pairs is the most .

The meaning of the similarity coefficient is that the closer it is to 1, the higher the probability that fraudulent schemes are similar and that the same group of persons is involved in their implementation.

When the similarity coefficient is equal to 1, the graphs are isomorphic, and, consequently, the graph schemes built on the basis of transaction data are identical.

According to the result of the graph comparison algorithm (100), fraudulent schemes similar to each other in terms of transaction data are determined, details and attributes used by both fraudulent schemes are identified.

Based on a comparative analysis of the nature of the change in the account numbers, PAN of payment cards used by fraudsters, phone numbers from similar fraudulent schemes, a decision is made to mass block a group (pools) of details and attributes that are a generalization of the identified details and attributes of similar fraudulent schemes.

Also, as a result of the execution of method (100), a decision is made to create a new group of fraudsters in the catalog of fraudulent schemes, or to assign the fraudulent scheme to an existing group.

With the help of the claimed method (100), it becomes possible to identify similar fraudulent schemes to which the same type of countermeasures can be applied at the stage of their formation, as well as combine the identified fraudulent schemes into criminal communities and identify the organizers of criminal communities based on an additional analysis of the links of similar fraudulent schemes using analysis of graphs generated on the basis of transaction data.

In FIG. 5 shows a general view of the computing system implemented on the basis of the computing device (300). In general, the computing device (300) contains one or more processors (301) connected by a common information exchange bus, memory means such as RAM (302) and ROM (303), input/output interfaces (304), input/output devices (305), and a device for networking (306).

The processor (301) (or multiple processors, multi-core processor) may be selected from a variety of devices currently widely used, such as Intel™, AMD™, Apple™, Samsung Exynos™, MediaTEK™, Qualcomm Snapdragon™, etc. . Under the processor, it is also necessary to take into account a graphics processor, such as an NVIDIA or ATI GPU, which is also suitable for the full or partial execution of the method (100). In this case, the memory means can be the available memory of the graphics card or graphics processor.

RAM (302) is a random access memory and is designed to store machine-readable instructions executable by the processor (301) to perform the necessary data logical processing operations. The RAM (302) typically contains the executable instructions of the operating system and associated software components (applications, program modules, etc.).

The ROM (303) is one or more persistent storage devices such as a hard disk drive (HDD), a solid state data drive (SSD), flash memory (EEPROM, NAND, etc.), optical storage media (CD-R/ RW, DVD-R/RW, BlueRay Disc, MD), etc.

Various types of I/O interfaces (304) are used to organize the operation of device components (300) and organize the operation of external connected devices. The choice of appropriate interfaces depends on the particular design of the computing device, which can be, but not limited to: PCI, AGP, PS/2, IrDa, FireWire, LPT, COM, SATA, IDE, Lightning, USB (2.0, 3.0, 3.1, micro, mini, type C), TRS/Audio jack (2.5, 3.5, 6.35), HDMI, DVI, VGA, Display Port, RJ45, RS232, etc. To ensure user interaction with the computing device (300), various means (305) of I/O information are used, for example, a keyboard, a display (monitor), a touch screen, a touchpad, a joystick, a mouse, a light pen, a stylus, a touchpad, a trackball , speakers, microphone, augmented reality tools, optical sensors, tablet, light indicators, projector, camera, biometric identification tools (retinal scanner, fingerprint scanner, voice recognition module), etc.

The networking tool (306) provides data transfer by the device (300) mediated

Claims (4)

via an internal or external computer network, such as Intranet, Internet, LAN, etc. As one or more means (306) can be used, but not limited to: Ethernet card, GSM modem, GPRS modem, LTE modem, 5G modem, satellite communication module, NFC module, Bluetooth and / or BLE module, Wi-Fi module, etc. Additionally, satellite navigation tools in the device (300) can also be used, such as GPS, GLONASS, BeiDou, Galileo. The submitted application materials disclose preferred examples of the implementation of the technical solution and should not be interpreted as limiting other, particular examples of its implementation that do not go beyond the scope of the requested legal protection, which are obvious to specialists in the relevant field of technology. CLAIM 1. A computer-implemented method for searching for fraudulent transactions, performed using a processor, in which: a) receive data on transactions in which all data relate to fraudulent transactions; b) based on the obtained data, graphs are formed, in which nodes are data on transactions, and edges are completed transactions or links with attributes; c) for each graph built in step b), the following steps are performed: lists of iterations for each vertex are determined; are determined for each node of the graph using an iterative distance algorithm for other nodes; circuits with the maximum distance are determined; carry out the formation of the framework of the graph on the basis of certain chains in step c), while the said framework consists of all the vertices and edges of the mentioned chains; based on the formed frame, the diameter of the graph is determined, which is the distance of any of its chains; determine the number of chains in the graph frame; determine the density of the frame as the ratio of the number of vertices of the frame of the graph to the total number of vertices in the graph; d) carry out a comparison of the graphs obtained in step b), which performs i. calculation of the ratio of graph diameters; ii. calculation of the ratio of the number of frame chains; iii. calculation of the ratio of the densities of the frameworks of the compared graphs; iv. calculation of similarity coefficients based on the ratio values obtained in steps i), ii) and iii); e) at least one graph is determined that is similar to at least one known fraudulent scheme represented as a graph; And f) determining transaction data associated with at least one known fraudulent scheme. 2. The method according to claim 1, characterized in that the transaction data is selected from the group: device identifier, and/or IP address, and/or geolocation data of the transaction, and/or account number, and/or PAN of the payment card, and/or the payer's telephone number, and/or the data of the payer or payee, or combinations thereof. 3. The method according to claim 1, characterized in that, based on the calculated similarity coefficient, a record is created in the database about details related to a new group of fraudsters, or a connection of the analyzed transaction data is formed with at least one known fraudulent group. 4. A system for searching for fraudulent transactions, comprising at least one processor and at least one memory containing machine-readable instructions, which, when executed by the processor, carry out the method according to any one of claims 1-3. -