Classifications

• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
  • G06N3/00—Computing arrangements based on biological models
  • G06N3/02—Neural networks
  • G06N3/08—Learning methods
  • G06N3/084—Backpropagation, e.g. using gradient descent
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
  • G06N3/00—Computing arrangements based on biological models
  • G06N3/02—Neural networks
  • G06N3/04—Architecture, e.g. interconnection topology
  • G06N3/045—Combinations of networks
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q20/00—Payment architectures, schemes or protocols
  • G06Q20/38—Payment protocols; Details thereof
  • G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
  • G06Q20/401—Transaction verification
  • G06Q20/4016—Transaction verification involving fraud or risk level assessment in transaction processing
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L63/00—Network architectures or network communication protocols for network security
  • H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
  • H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
  • H04L63/1416—Event detection, e.g. attack signature detection
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
  • G06N20/00—Machine learning
  • G06N20/20—Ensemble learning

Definitions

• the present invention relates to the automatic detection of fraud in a flow of transactions, in particular financial, intended for a service available on a telecommunications network.
• a fraud detection device based on a static model would therefore quickly become obsolete: it would no longer be able to detect the new behaviors of fraudsters, and would not be able to effectively consider what behavior is. normal (i.e. not fraudulent) due to changes in normal behavior.
• Figure I illustrates a schematic view of an architecture in which the invention may be part of one of its embodiments.
• Figure 2 schematically shows a flowchart of an example of embodiments of the invention.
• FIG. 1 illustrates a very high level functional context within the framework of which the invention can be implemented.
• a user 10 transmits a transaction 13 to a financial transaction management service 11, such as a payment service, through a telecommunications network 12.
• User 10 can be a telecommunications terminal with which an online payment order can be made. to be placed; it may also be a payment terminal located at a merchant, or even a complex system located within a banking establishment in the context of inter-bank transactions.
• a fraud detection device 14 can be inserted upstream, between the telecommunications network 12 and the financial transaction management service 11, for example within the same server 15 (or server farm).
• the fraud detection device 14 can use a model 16 developed by learning and then use it in prediction and generalization to classify new transactions 13 into classes such as "fraud” and "normal transaction".
• the classifier 16 can learn and, subsequently, process new transactions. It appears that the fraud detection device 14 can detect a fraud only if the latter has similarities with those presented in the learning game.
• this model 16 consists of a set of predictive models.
• this set of predictive models Prior to its use to predict a class for a new inbound transaction, this set of predictive models is trained on a learning set associating transactions and labels.
• This learning set is typically made up of real transactions that have been the subject of a study in order to assign them a label that represents a real class, i.e. if the transaction in question is an attempted fraud. or a normal transaction.
• This study can be automatic or carried out (partially or totally) by human operators. In general, a small portion of transactions that have been alerted by the fraud detection system are processed by human operators. For other transactions, if within a certain period (typically one month) no opposition has been made by the cardholders, the transactions are considered normal.
• the learning set therefore forms a series of transactions spanning time, as they arrive and as they are studied, allowing the attribution of a label. Typically, therefore, there is a lapse of time between the arrival of a transaction and its availability within the learning set (after its tag has been assigned).
• the label assignments are done periodically, so that the learning set is enriched by sets of transaction / label associations.
• the training set consists of a set of sections, each chunk, or "chunk” according to the terminology in English, consisting of associations between a transaction and a label representing a real class for said transaction
• the learning of the model comprises the incremental updating of a set of predictive models allowing the automatic detection of fraud.
• This update includes, for each of said sections, the duplication of an existing predictive model and its training on this section.
• duplication of a model means that all the parameters having been fixed by the prior learning are duplicated in the new predictive model, so that the behavior of the two models are exactly the same.
• the same transaction submitted to the two models will thus give the same predicted class (fraud or non-fraud).
• the set of predictive models can be reduced to a single model.
• a new predictive model is also created for each of said sections by training it thereon.
• This predictive model obviously has the same characteristics as the other predictive models but its parameters are at “default” values, and its first learning will be on the section which has just been received. It will therefore only be representative of the immediate history of transactions, represented by the last section received.
• the invention makes it possible to obtain a variety of models, thus making it possible to "capture" typical patterns in the flow of transactions with different periodicity.
• the sections can be of various sizes and can depend on the overall process in which the automatic fraud detection device fits.
• the size of the sections can be adapted according to the time required for the allocation of labels to the incoming transactions.
• the size of the sections must be large enough to take into account the fact that the proportion of fraudulent transactions is very low. Chunks of too small a size might not contain enough fraudulent transactions (if at all) to allow effective learning.
• the sections correspond to a duration of the order of the day. Longer durations can also be taken into account, due to the set mechanism.
• the predictive models can be of different types.
• they may be models of gradient stimulation ("gradient boosting" in English) such as for example implemented in the XGBoosting library.
• these predictive models are neural networks. All the predictive models are identical in terms of architecture (number of layers, number of neurons per layer, etc.), and the different learning mechanisms for each only influence the synaptic weights of these neural networks. . A duplication of a neural network therefore means the copy, in the new network, of these synaptic weights.
• FIG. 2 An example of a neural network 20 capable of implementing the predictive model is shown in FIG. 2.
• Each transaction has a certain number of parameters.
• these parameters can include: a date, an amount, a currency, an identifier of the parties to the transaction, etc.
• a mechanism can be provided to enrich the original parameters with more contextual parameters.
• this mechanism can consult a calendar in order to correlate the date of the transaction with an event (day of the week, holidays, calendar holidays, important sporting event, etc.).
• event day of the week, holidays, calendar holidays, important sporting event, etc.
• Another example can be to add aggregated parameters to the incoming transactions. It may for example be the average value of transactions for a given user, or the total value of their transactions over a given period (one month for example).
• a buffer memory can be set up, in order to be able to perform aggregations over a given period. The buffer memory must then be dimensioned according to the periods envisaged for the aggregations.
• the set of these parameters form a vector fi, fi, f3 ... f constituting the input of the neural network 20 (N being the number of parameters, or attributes, associated with the transactions).
• N being the number of parameters, or attributes, associated with the transactions.
• These parameters can be of two different types: quantitative (or numerical) or qualitative (or categorical).
• the neural network 20 can be broken down between a preprocessing subnetwork 21, and a prediction subnetwork 22.
• the preprocessing subnetwork makes it possible to transform the parameters fi, fi, f3 ... Î N into a vector ei, ei, e 3 ... e M so that the prediction subnetwork 22 can process l 'information.
• the preprocessing subnetwork 21 can implement two types of preprocessing depending on the nature of the parameters.
• the categorical parameters are provided at the input of an inclusion layer, or "rent embedding" according to the terminology in the English language, in order to transform it into a vector of real values, the dimension of which is calculated according to the formula log2 (ncat) where ncat is the number of categories that can be taken by the categorical parameter processed.
• This vector can be obtained by simple concatenation of the outputs of the preprocessing sub-network 21 for each of the parameters associated with the transactions (that is to say contained in the transactions or being the subject of an enrichment).
• the latter can be a multi-layer perceptron type neural network, typically with a hidden layer 221 and an output layer 222.
• a possible sizing can be 1000 neurons for the hidden layer and 2 neurons for the output layer, with a "softmax” function for the output P.
• the connections between neurons of the hidden layer and the layer of output can be of the “Relu” type (for “Rectified Linear Unit”).
• the neural network 20 can be trained, for each section, according to the learning methods suitable for multi-layer perceptrons.
• the learning aims to modify, iteratively, the synaptic weights of the network in order to minimize the error at the output, for all the transactions of a section, between a predicted probability of belonging to a class and the label associated with the respective transaction.
• each new chunk of a training set can be used to train an existing predictive model by changing the weights of the neural network.
• the inventors consider that in doing so, the neural network is gradually led to learn the most recent trends to the detriment of older trends. Thus, such a single neural network could not reflect both old trends, recent trends, and short term or long term trends, etc.
• the automatic fraud detection device must take into account recent fraud patterns (newly established by fraudsters, or resulting from recent trends in the population of users), conventional patterns, which exist for a long time, old diagrams (for example which relate to the same period but one year before), etc. There are therefore different periods of these patterns (year, month, week %), but also changes in trends. Also, the predictive model must be able to be sensitive to these different situations.
• a set of predictive models is provided, each one specializing in a sub-part of the learning set.
• each reception of a new section generates the duplication of an existing predictive model, and its training with data from this new section.
• the existing predictive model is the one trained with the greatest number of preceding sections, but other implementations are possible and in particular several existing predictive models can be chosen for duplication and training.
• FIG. 3 illustrates a concrete example of a set of models Mi, M 2 , M 3 M 4 , M 5 created from a set of sections Ci, C 2 , C 3 , received successively and forming the learning set.
• a first model Mi is trained with the data (transaction / label association) that it contains. For this first iteration, there can be no question of duplication, stricto-sensu, but we can assimilate this creation of a first model Mi to the duplication (which includes a creation) for the following iterations.
• the model Mi is duplicated and the data from the section C2 are used for its training, thus forming a model M2 trained on the data C1 + C2. Additionally, a new M3 model is created and trained only on the C2 edge data.
• the model M 2 is duplicated (because it is the only model trained with 2 previous sections), then this copy is trained on the data of the section C 3 to form a new model M 4 .
• a new model M 5 is created and trained only on the data of section C 3 .
• one or more chunks can be configured to contain data representative of a certain type of fraudulent attack.
• a predictive model will automatically be specialized to treat this type of attack and allow its detection.
• the set of neural networks can then be exploited to determine a classification for new transactions.
• This operation can be done concomitantly with the learning phase described above.
• the fraud detection device receives transactions intended for a service and will automatically determine a classification.
• all or parts of these transactions can be studied in order to provide them with labels (actual classification, as opposed to predicted classifications, determined by neural networks). With a delay, therefore, these studied transactions (and their respective labels) form the chunks of the learning set.
• neural networks can be continuously trained from actual transactions (after tagging). Therefore, the learning of neural networks is in sync with recent trends in the inflow of transactions.
• the predictive models are therefore used by the automatic fraud detection device in order to detect fraud in an incoming transaction flow.
• the set of predictive models helps determine a classification for each inbound transaction. This classification is typically a probability for the transaction to belong to each of the considered classes (fraud or normal). After thresholding, a binary classification can be obtained allowing a "fraud" or "normal” class to be assigned to the transaction.
• a weight is associated with each predictive model, and the final classification of the Inbound transaction is determined by the weighted sum of the P classifications obtained by each predictive model. This final classification can then be used, in the case of fraud, to trigger alerts, for example, or even automatically block an incoming transaction.
• Another strategy consists in determining a measure of proximity for each section, by correlating the transaction received with the distributions of transactions contained in these sections, and to give weights according to the measures of proximity of the sections corresponding to the respective models. Thus, if a transaction is close to those contained in a section Ci, then the predictive models which have been trained with this section Ci will obtain a higher weight.
• a step of deleting at least one predictive model within said set of predictive models is provided.
• This elimination step can be implemented for each new incoming section, or else according to another synchronism based on time or else on a threshold of the number of existing predictive models.
• a first strategy can be based on a performance measurement of each model, for example identical to that used to assign weights to the different models. We can then choose to delete the model or models with the lowest performance measurement.
• a second strategy can be based on an affinity measurement, for example determined by considering each pair of models of the set of models. If two models are sufficiently close (that is to say give very close predictions for the same set of transactions), then we can consider that they are redundant and we can eliminate one of the two.
• the invention makes it possible to solve a large number of problems left open by the state of the art.
• this model can be trained continuously, that is to say that each new available section can be used immediately for its training, without having to learn from zero.
• the sections can be destroyed.
• the mechanism thus makes it possible to comply with the various requirements for the retention of personal information, in particular the GDPR directive.

Landscapes

• Engineering & Computer Science (AREA)
• Theoretical Computer Science (AREA)
• Physics & Mathematics (AREA)
• Computing Systems (AREA)
• Business, Economics & Management (AREA)
• Computer Security & Cryptography (AREA)
• General Physics & Mathematics (AREA)
• General Engineering & Computer Science (AREA)
• Computational Linguistics (AREA)
• Health & Medical Sciences (AREA)
• General Health & Medical Sciences (AREA)
• Molecular Biology (AREA)
• Data Mining & Analysis (AREA)
• Biophysics (AREA)
• Biomedical Technology (AREA)
• Mathematical Physics (AREA)
• Software Systems (AREA)
• Artificial Intelligence (AREA)
• Life Sciences & Earth Sciences (AREA)
• Evolutionary Computation (AREA)
• Accounting & Taxation (AREA)
• Computer Hardware Design (AREA)
• Signal Processing (AREA)
• Computer Networks & Wireless Communication (AREA)
• Finance (AREA)
• Strategic Management (AREA)
• General Business, Economics & Management (AREA)
• Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
• Management, Administration, Business Operations System, And Electronic Commerce (AREA)
• Computer And Data Communications (AREA)

Applications Claiming Priority (2)

Publications (1)

Family

ID=70008575

Family Applications (1)

Country Status (3)

• 2019
  • 2019-09-10 FR FR1909923A patent/FR3100643B1/fr active Active
• 2020
  • 2020-09-10 EP EP20767562.0A patent/EP4028954A1/de active Pending
  • 2020-09-10 WO PCT/EP2020/075264 patent/WO2021048245A1/fr unknown

Also Published As

Similar Documents

Legal Events