ITRM20120159A1 - APPARATUS FOR MONITORING OF PAYMENT TRANSACTIONS AND ITS PROCEDURE. - Google Patents

Description

APPARATUS FOR MONITORING TRANSACTIONS OF

PAYMENT AND RELATED PROCEDURE

The present invention relates to an apparatus, and the relative procedure, for monitoring payment transactions transiting through a payment gateway unit, an apparatus which allows, in an efficient, reliable and fast way, to prevent fraud and to control the security of transactions by adapting dynamically and in real time to data traffic.

The present invention also relates to the instruments that allow the monitoring procedure to be carried out.

It is well known that electronic commerce services, in which a plurality of users connect to an Internet site to purchase products and / or services, have been particularly popular for some years and are still growing in popularity.

Figure 1 schematically shows the architecture of the devices conventionally involved in an electronic commerce service. A user of a plurality of users, through a respective Client device U1, U2 and U # (for example a computer, a mobile phone, a smartphone, or a television) connects via the Internet 100 network to one of a plurality of sites Internet of online shops M1, M2 and M #, hereinafter also referred to as merchant, and purchases a product and / or service through the intermediation of a banking or financial institution, i.e. through a payment instrument, such as a credit and / or debit security (e.g. a credit card), issued by a 1B1, IB2, or IB # banking or financial institution. The payment transaction is managed by a PG payment gateway unit, to which the relative merchant is connected via the Internet 100, e.g. M1 or M2 or M #; Figure 1 shows that the PG payment gateway unit manages the payment transactions that purchasing users make on a plurality of merchants, even though a payment gateway unit could also manage only the transactions of a single merchant. In particular, the PG payment gateway unit collects payment requests from merchants M1, M2 and M #, checks the formal correctness of the data packets containing the payment requests, and routes them to one of a plurality of institutions. banking or financial IB1, IB2, and IB # (e.g. the institution that issued the credit card) according to communication rules defined by the individual institutions, which may include, by way of example, the application of a specific encryption algorithm to packages data transmitted.

It is also known that electronic commerce is often subject to fraud, such as purchases through false or unauthorized payment instruments.

Currently, in order to prevent such fraud, merchants use the black list mechanism, in which the IPs of Client devices and / or the digital identities of users and / or identification of payment instruments (e.g. credit cards) are stored. which caused fraud.

However, the black list system suffers from some drawbacks. First of all, it works only if the Client device or one of the buyer's digital identities or a payment instrument is identified as a source of fraud at least for the first time. In fact, although banking and financial institutions that issue payment instruments (eg credit cards) have more sophisticated systems for the prevention and analysis of anomalies, these systems are not made available to merchants. Consequently, in the case of digital identity theft or a more general bug in the security system, and consequent unauthorized use of information to produce fraud, such theft is detected only when the fraud is known, for example following a report by the owner of the digital identity or the payment instrument, or if the behavior in the use of the digital identity or the payment instrument is recognized as obviously anomalous, for example due to an excessive number of purchases on the same merchant.

Furthermore, the information relating to the recognized fraud is often confined to the bank or to the merchant who suffered the anomaly, for example due to technological problems. This means that a possible criminal, if careful in maintaining a suitable behavior, has a good chance of not being identified at least for a period of time, for example by acting on different institutions or on different merchants.

The purpose of the present invention is, therefore, to allow in an efficient, reliable and fast way to prevent fraud and to control the security of payment transactions by adapting dynamically and in real time to data traffic.

The specific object of the present invention is a procedure for monitoring payment transactions transiting through a payment gateway unit, in which each 3⁄4 transaction transiting through the payment gateway unit is identified by corresponding discrete values assumed by a plurality of n parameters x, of transaction in a ndimensional space, and in which each 3⁄4 transaction passing through the payment gateway unit belongs to an anomaly state A or to a quarantine state Q or to a coherence state C, the process being characterized in that it comprises the following steps:

A. define a SrX threshold of relevance and a Sixth threshold of irrelevance for each of the n transaction parameters x of said plurality;

B. selecting a first set of m anomaly symptom parameters from said plurality of n transaction parameters, with

0 <m <n;

C. define at least one anomaly symptom spot in said ndimensional space, each of the m anomaly symptom parameters assuming one or more anomaly symptom values in said at least one anomaly symptom patch;

D. select a second set of k parameters showing an anomaly from said plurality of n transaction parameters and not belonging to said first set, with

0 <k <n

k + m â ‰ ¤ n,

for which each of the k parameters evidenced by an anomaly is different from all the m parameters symptom of anomaly;

F. selecting a third set of z irrelevant parameters from said plurality of n transaction parameters including the transaction parameters that do not belong to said first set nor to said second set, with

0 <z <n

z = n- (k + m)

whereby each of the z irrelevant parameters is different from all the m parameters that are symptom of an anomaly and from all the k parameters that show an anomaly;

G. for each discrete value that can be assumed by each transaction parameter Xj of said plurality of n transaction parameters, initialize a first counter RC of relevance equal to a first initialization value and a second counter IC of irrelevance equal to a second initialization value ;

H. for each 3⁄4 transaction passing through the payment gateway unit, perform the following steps:

H.1 ascertain, on the basis of the values assumed by the m anomaly symptom parameters, whether the transaction t belongs to said at least one symptom patch of anomaly,

H.2 if the ascertainment of sub-phase H.1 is negative, classify the transaction t, as belonging to the state C of consistency and go to sub-phase H.7,

H.3 if the ascertainment of sub-phase H.1 is positive, classify transaction 3⁄4 as belonging to a set of transactions in quarantine status Q,

H.4 if the set of transactions in quarantine state Q includes at least two transactions, check if the value of at least one of the k anomaly evidence parameters of the transaction t is correlated with the value of the anomaly evidence homologous parameter of at least one other transaction previously classified as belonging to the quarantine Q status,

H.5 if the set of transactions in quarantine status Q includes at least two transactions and the verification of sub-phase H.4 is positive, classify transaction t, and dictate at least one other transaction previously classified as belonging in the anomaly state A,

H.6 if the transaction t has been classified as belonging to the anomaly state A, for each of the z parameters belonging to the third set, recognize that this parameter must be included in the first set of the m anomaly symptom parameters when it assumes a specific value for which the 3⁄4 transactions in transit are classified as belonging to the anomaly state A with a frequency such that the related first RC of relevance counter exceeds the threshold Srx of relevance,

H.7 if the transaction t has been classified as belonging to the coherence state C, for each of the values of the m parameters belonging to the first set that define said at least one symptom patch of anomaly, recognize that this value must be eliminated from the definition of dictates at least one anomaly symptom spot when it is assumed by the anomaly symptom parameter for transiting transactions t, which are classified as belonging to the coherence state C with a frequency such that the relative second counter IC of irrelevance exceeds the threshold SiX | di irrelevance, and in the event that, once this value has been eliminated from the definition of said at least one anomaly symptom spot, the relative anomaly symptom parameter does not assume any other value in said at least one anomaly symptom patch, delete this transaction parameter from the first set and include it as an additional irrelevant parameter in the third set.

Always according to the invention, phase H can also include, after sub-phase H.5, the following sub-phase:

H.8 if transaction t has been classified as belonging to the anomaly state A, for each of the m parameters belonging to the first set, recognize that this parameter must be included in the second set of k parameters evidence of anomaly when it assumes a value within said at least one spot symptom of anomaly for which the transiting transactions t are classified as belonging to the anomaly state A with such a frequency that the relative first RC of relevance counter exceeds the threshold Srx of relevance.

Still according to the invention, the process can include, before phase H, the following phase:

J. to define at least one spot evidence of anomaly in said ndimensional space, each of the k parameters evidence of anomaly assuming one or more values evidence of anomaly in said at least one spot evidence of anomaly;

and phase H can include the following sub-phase, before phase H.1:

H.9 ascertain, on the basis of the values assumed by the k parameters evidence of anomaly, if transaction 3⁄4 belongs to said at least one spot evidence of anomaly, and if so, classify transaction% as belonging to status A of anomaly and pass to sub-phase H.6.

Further according to the invention, sub-phase H.6 can also include, if the transaction has been classified as belonging to the anomaly state A,

for each of the m parameters belonging to the first set, recognize when a new value of the considered parameter must be included in the definition of said at least one spot symptom of anomaly when it assumes a specific value for which the transactions transiting you are classified as belonging to state A of anomaly with such a frequency that the relative first RC of relevance counter exceeds the Srx of relevance threshold.

Always according to the invention, the sub-phase H.6 can include the following sub-phases:

H.6.1 for each of the z transaction parameters belonging to the third set, increase the first relevance RC counter corresponding to the value assumed by this transaction parameter in transaction 3⁄4, and ascertain whether this first relevance RC counter is greater than the SrX threshold of relevance of this transaction parameter,

H.6. 2 if the ascertainment of sub-phase H.6.1 is positive, set the first relevant RC counter relative to the value assumed by this transaction parameter in the transaction ti equal to the first initialization value, delete this transaction parameter from the third set and include it as an additional anomaly symptom parameter in the first set, and redefine said at least one anomaly symptom patch in the n-dimensional space so that in said at least one anomaly symptom patch this additional anomaly symptom parameter assumes this value assumed by such transaction parameter in transaction t ,.

Still according to the invention, the sub-phase H.6.1 can also include decreasing the second counter IC of irrelevance corresponding to the value assumed by this transaction parameter in the transaction t ,, and the sub-phase H.6.2 can also include setting the second IC counter of irrelevance relative to the value assumed by this transaction parameter in the transaction 1⁄4 equal to the second initialization value.

Further according to the invention, the sub-phase H.7 can comprise the following sub-phases:

H.7.1 for each of the m transaction parameters belonging to said first set, if it assumes in the transaction ti a value that defines said at least one spot symptom of anomaly, increment the second IC irrelevance counter corresponding to the value assumed by this transaction parameter in transaction t ,, and ascertain whether this second counter IC of irrelevance is greater than the Sixidi threshold of irrelevance of this transaction parameter,

H.7. 2 if the ascertainment of sub-phase H.7.1 is positive, set the second counter IC of irrelevance relative to the value assumed by this transaction parameter in transaction t, equal to the second initialization value, and redefine said at least one symptom of anomaly in the n-dimensional space in such a way as to eliminate this value assumed by this anomaly symptom parameter, and ascertain whether, after the elimination of this value assumed by this anomaly symptom parameter, there is still at least one value that this symptom parameter of anomaly assumes in said at least one patch of anomaly and, in the event that this finding is negative, eliminate this transaction parameter from the first set and include it as an additional irrelevant parameter in the third set.

Again according to the invention, sub-phase H.7.1 can also include decreasing the first relevant RC counter corresponding to the value assumed by this transaction parameter in transaction t, and sub-phase H.7.2 can also include setting the first counter RC of relevance relative to the value assumed by this transaction parameter in transaction t, equal to the first initialization value.

Still according to the invention, phase H can be carried out in such a way that at the end of a predefined time period DT the set of transactions in the quarantine state Q is emptied.

Another specific object of the present invention is an apparatus for monitoring payment transactions transiting through a payment gateway unit, characterized in that it comprises processing means suitable for carrying out the monitoring procedure of payment transactions transiting through a payment gateway unit. as previously described.

The specific object of the present invention is also a computer program comprising code means suitable for executing, when operating on processing means of an apparatus, the method of monitoring payment transactions transiting through a payment gateway unit as previously described.

A further specific object of the present invention is a memory medium that can be read by a computer, having a program memorized thereon, characterized in that the program is the computer program just described.

The apparatus and the monitoring procedure according to the invention are based on the analysis of the data relating to the transactions that pass through a payment gateway unit to identify behavioral dynamics of the set of buyers and report in real time a behavior recognized as anomalous , such as an attempted fraud.

The payment gateway unit has the advantage of being a crossroads of data relating to different banking and financial institutions and to one or (even more preferably) more different merchants, thus allowing the detection of anomalous â € œtransversal 'behaviors that could individually pass unnoticed.

The apparatus and the method according to the invention overcome the following problems related to the payment gateway units:

- the constraint due to the fact that it is not possible to detect a digital identity, so the behavioral anomaly can only be detected at a probabilistic level by analyzing the amount of data of transactions in transit and, after identifying significant parameters with respect to the ™ anomaly, trace its presence in real time;

- the onerousness of data analysis from a computational point of view, which would risk heavily affecting the conventional performance of the current payment gateway units (such as the routing of payment data to banking and financial institutions).

The apparatus according to the invention is specifically dedicated to the execution of a procedure for monitoring bank transactions managed by a payment gateway unit. This device is preferably made in such a way as to be an integral element of the payment gateway unit (i.e. physically inserted in the payment gateway unit) and its processing is part of the computational path of each transaction managed by the payment gateway unit itself.

The procedure performed by the apparatus according to the invention is based on an analysis algorithm which, in addition to allowing the introduction of a new level of security, does not alter the data in any way and at the same time guarantees its integrity. payment gateway unit.

A further advantage that the apparatus according to the invention offers to merchants who adopt a payment gateway unit equipped with such an apparatus is that it guarantees that the payment gateway unit is physically well identified. In fact, the physical integration of the apparatus according to the invention with the payment gateway unit, when combined with the possibility of uniquely identifying it, guarantees that the payment gateway unit is in turn physically well identified. This feature can be transmitted by the merchant as a guarantee to its customers, who in this way know that their data is not scattered over the network without control, as in the case of a pure software gateway implemented in cloud computing mode, but are kept in one place. physically well confined and with clearly identifiable security policies.

The present invention will now be described, for illustrative but not limitative purposes, according to its preferred embodiments, with particular reference to the Figures of the attached drawings, in which:

Figure 1 schematically shows the architecture of the devices conventionally involved in an electronic commerce service;

Figure 2 shows an example of an n-dimensional space of the transaction parameters used by a preferred embodiment of the method according to the invention;

Figure 3 schematically shows an example of dynamic modification of the spots defined by the preferred embodiment of the process according to the invention; And

Figure 4 shows a block diagram of the use of a preferred embodiment of the apparatus in monitoring payment transactions transiting through a payment gateway unit. In the Figures identical reference numbers will be used for similar elements.

The preferred embodiment of the apparatus according to the invention comprises processing means (e.g. a microcontroller and / or a microprocessor and / or another electronic processing device) capable of carrying out a monitoring and analysis procedure in which each transaction ti passing through the payment gateway unit is identified by corresponding discrete values assumed by a plurality of n transaction parameters Xj in an n-dimensional space. In other words, each transaction f is a point in this n-dimensional space, where each coordinate of that space corresponds to a value of a transaction parameter Xj. By way of example, but not limited to, the transaction parameters that can be used in the procedure performed by the device may include: the value of the transaction, the currency of the transaction, the date of the transaction, the time of the transaction, a time period DT elapsed between the initial hour and the time of the transaction, the account and the bank or financial institution receiving the transaction, the merchant of the transaction, the IP address of the Client device that originated the transaction, etc. The values that can be assumed by the n transaction parameters Xj are discrete (and not continuous) since the procedure operates on digital data.

Within this n-dimensional space, the procedure performed by the apparatus dynamically defines areas of attention, within which a sub-set of parameters extracted from the n transaction parameters Xj assume specific values that identify a suspicious transaction or certainly anomalous. In the remainder of this description and of the claims, these areas of attention are referred to as â € œspotsâ €.

In particular, the preferred embodiment of the procedure performed by the apparatus defines two classes of stains: stains that are symptom of anomaly, each of which defines an area in which 3⁄4 transactions are suspicious and must therefore be further analyzed to ascertain its regularity; and spots evidence of anomaly, in which transactions f are certainly anomalous. Other embodiments of the apparatus and of the method according to the invention may not define spots as evidence of anomaly, limiting themselves to the analysis of transactions on the basis of the spots which are symptom of anomaly only.

By way of non-limiting example, Figure 2 shows a three-dimensional space of n = 3 transaction parameters (XÌ, X2, X3) including a spot 10 evidence of anomaly, which defines an area in which the transactions L are certainly anomalous , and two spots 21 and 22 symptom of anomaly, each of which defines an area in which the transactions t, are suspect and must therefore be further analyzed to ascertain their regularity. The spots of the n-dimensional space can be simple, i.e. identifiable by a range of values of a single transaction parameter, or complex, i.e. identifiable as the intersection of intervals of values of a sub-set of parameters extracted from the n parameters Xj of the transaction, or calculable through mathematical formulas according to the values of a 0 more specific parameters Xj of the transaction (for which, as shown in Figure 2, the boundaries of the relevant spot can be non-linear).

The spots are configured by the device manager according to the invention at the start of the procedure performed by the device (i.e., the spots are initialized) on the basis of indications from the merchants whose transactions are managed by the unit payment gateway to which the apparatus according to the invention is associated. By way of non-limiting example, these stains can be configured by entering the upper and lower limit values of the range of the transaction parameters Xj that contribute to the definition of the stain or by entering the formula that calculates the stain itself. During the operation of the apparatus according to the invention, the anomaly symptom spots and the anomaly evidence spots can be dynamically modified on the basis of the analysis carried out on the transactions transiting through the payment gateway unit, as will be better explained later.

In order to initialize the anomaly symptom spots, the procedure carried out by the apparatus selects, within the plurality of n parameters x, of transaction, a first set of m anomaly symptom parameters, with

0 <m <n

therefore the first set cannot be an empty set (i.e. m> 0), and defines at least one symptom patch of anomaly in the ndimensional space in which (i.e., in - at least one - anomaly symptom patch) each of the m symptom parameters of anomaly assumes one or more values that are symptom of anomaly.

Furthermore, in order to initialize the spots showing anomaly, the procedure carried out by the apparatus selects, within the plurality of n transaction parameters Xj that do not belong to the first set of m anomaly symptom parameters, a second set of k parameters evidence of anomaly, with

0 <k <n

k + m <n

hence the second set cannot be an empty set (i.e. k> 0). In other words, each of the k anomaly evident parameters a is different from all the anomaly symptom m parameters, i.e. the second set of k parameters showing an anomaly is disjoint from the first set of m parameters indicating an anomaly.

The preferred embodiment of the method and of the apparatus according to the invention initializes at least one spot evidence of anomaly in the n-dimensioned space, in which (i.e. in the - at least one - spot evidence of anomaly) each of the k parameters evidences of anomaly assumes one or more values which are evidence of anomaly. However, other embodiments of the procedure and of the apparatus may not configure any spot evidence of anomaly at the start of the procedure carried out by the apparatus according to the invention, and may also not dynamically define any spot evidence of anomaly during the operation of the apparatus according to the invention.

Furthermore, the procedure carried out by the apparatus selects, within the plurality of n parameters x, of the transaction, a third set of z irrelevant parameters including the transaction parameters that do not belong to the first set of m parameters, symptom of anomaly, nor evidence of anomaly to the second set of k parameters, with

0 â ‰ ¤ z <n

z = n- (k + m)

so the third set could also be an empty set (when z = 0). In other words, each of the z irrelevant parameters is different from all the m anomaly symptom parameters and from all the k anomaly-evident parameters, i.e. the third set of z irrelevant parameters is disjoint from the first set of m anomaly symptom parameters and from the second set of k anomaly symptom parameters.

Furthermore, for each of the n transaction parameters Xj, the procedure carried out by the apparatus according to the invention initializes a threshold Srx of relevance and a threshold Sixj of irrelevance, the role of which is illustrated below.

Still in the initialization phase, the procedure carried out by the apparatus according to the invention initializes a first relevant RC counter and a second IC irrelevance counter for each discrete assumable value to a corresponding initialization value, preferably equal to zero. from each transaction parameter Xj of said plurality of n transaction parameters.

The procedure performed by the apparatus assumes that each transaction tj passing through the payment gateway unit belongs to one of the following three states: anomaly state A, quarantine state Q, coherence state C. The analysis carried out by the procedure allows the apparatus to classify each transaction t, passing through the payment gateway unit, as belonging to one of these three states.

For this purpose, for each transaction tj transiting through the payment gateway unit, the procedure performed by the apparatus ascertains, on the basis of the values assumed in the same transaction 3⁄4 by the m parameters symptom of anomaly, if the transaction belongs to you to the (at least one) patch symptom of anomaly, (n positive case (i.e. the values assumed in the same transaction tj by the m parameters symptom of anomaly belong to - at least one - patch symptom of anomaly), the procedure performed by the classification apparatus the transaction ti as belonging to a set of transactions in the quarantine Q state.

In the case in which the transaction t, has been classified as belonging to the set of transactions in the quarantine state Q, if the set of transactions in the quarantine state Q includes the transaction t, just classified and at least one other transaction previously classified as belonging to the quarantine state Q (i.e., the set of transactions in quarantine state Q includes at least two transactions), the procedure performed by the apparatus ascertains whether the value of at least one of the k parameters evidence of anomaly of the transaction tj is correlated (according to at least one correlation criterion) with the value of the homologous parameter evidence of anomaly of at least one other previously classified transaction (as belonging to the quarantine state Q); in other words, the procedure performed by the apparatus verifies whether the value assumed in the transaction ti into consideration by at least one of the k parameters evidence of anomaly is correlated with the value assumed by that parameter evidence of anomaly in another of transactions previously classified as belonging to quarantine Q status. In particular, a pair of values of a parameter of two transactions are correlated to each other (according to at least one correlation criterion) when there is a relationship or a correspondence between these values; by way of non-limiting example, if the parameter is the account and the bank or financial institution that is the recipient of the transaction or is the IP address of the Client device that originated the transaction, this relationship between the pair of values it can be the identity between these values. Obviously, in the event that the set of transactions in the quarantine Q state includes only the transaction fi in question (i.e., no transaction has previously been classified as belonging to the quarantine Q state), the procedure performed by the device does not carry out this assessment (there are no values to compare).

In the positive case in which the value of at least one of the k parameters evidence of anomaly of the transaction fi is correlated with the value of the homologous parameter evidence of anomaly of at least one other transaction previously classified as belonging to the quarantine status Q, the procedure performed by the apparatus classifies the transaction tj in consideration and dictates at least one other transaction previously classified as belonging to the anomaly state A.

Otherwise, if the transaction fi has not been classified as belonging to the anomaly state A nor as belonging to the quarantine state Q, the procedure carried out by the apparatus classifies this transaction fi as belonging to a coherent state C.

In other words, on the basis of the analysis of the anomaly symptom parameters, the procedure carried out by the apparatus according to the invention ascertains whether the transaction under consideration is to be placed in quarantine and, if it is suspected on the basis of a subsequent comparison of the value assumed by at least one parameter evidence of anomaly in this transaction fi with the value assumed by the same parameter evidence of anomaly in at least one other quarantined transaction, the transaction in question and (at least one) other quarantined transaction are classified as abnormal.

In the preferred embodiments of the method and of the apparatus according to the invention, which initialize and / or dynamically define at least one spot evidence of anomaly in the ndimensional space, before ascertaining whether the transaction under consideration must be classified as belonging to the state Q, the procedure carried out by the apparatus ascertains, on the basis of the values assumed in the same transaction fc by the k parameters evidence of anomaly, if the transaction tj belongs to (at least one) spot evidence of anomaly. In the positive case (i.e. the values assumed in the same transaction ti by the k parameters evidencing anomaly belong to - at least one - spot evidence of anomaly), the procedure performed by the apparatus classifies transaction t as belonging to the anomaly state A. In other words, on the basis of the analysis of the parameters evidencing an anomaly, the procedure carried out by the apparatus according to the invention ascertains whether the transaction tj under consideration is certainly anomalous because it belongs to the - at least one - stain which is evidence of anomaly. However, as mentioned, other embodiments of the procedure and of the apparatus may not configure any spot evidence of anomaly at the start of the procedure performed by the apparatus according to the invention, and they may also not dynamically define any spot evidence of anomaly during the operation of the apparatus according to the invention, for which this ascertainment of evidence of anomaly (preliminary to ascertaining whether the transaction tj belongs to at least one stain symptom of anomaly) is not carried out.

The procedure carried out by the apparatus according to the invention recognizes when one of the z irrelevant parameters (belonging to the third set) must actually be considered in the analysis of the transactions tj passing through the payment gateway unit as a symptom of an anomaly (belonging to the first set); in other words, the procedure recognizes when a transaction parameter, hitherto neglected, turns out to be actually a symptom parameter of an anomaly because when it assumes a specific value an anomaly occurs (i.e. the transaction tj under consideration is classified as anomalous) with such a frequency that the relative RC of relevance counter exceeds the Srx of relevance threshold.

For this purpose, the process carried out by the apparatus according to the invention carries out a first recognition procedure as follows. If the transaction tj has been classified as belonging to the anomaly state A, for each of the z transaction parameters belonging to the third set, the procedure carried out by the apparatus according to the invention increases (precisely increases by one unit) the RC counter of relevance (and preferably decreases - precisely decreases by one unit - the IC of irrelevance counter) corresponding to the value assumed by this transaction parameter in the transaction and ascertains whether this RC of relevance counter is greater than the Srx threshold of relevance of this transaction parameter . In the positive case (i.e. the RC of relevance counter relative to the value assumed by this transaction parameter in the transaction tj is greater than the Srx of relevance threshold), the procedure carried out by the apparatus according to the invention sets the RC relevance counter (and preferably sets the IC counter of irrelevance) relative to the value assumed by this transaction parameter in transaction t, equal to its initialization value (preferably equal to zero), eliminates this transaction parameter from the third set (of irrelevant parameters) and includes it as an additional anomaly symptom parameter in the first set (of anomaly symptom parameters), and redefines the (at least one) anomaly symptom spot in the n-dimensional space so that in (at least one) anomaly symptom patch this additional symptom parameter of anomaly assumes this value assumed by this transaction parameter in transaction tj.

In the preferred embodiments of the method and of the apparatus according to the invention, which initiate and / or dynamically define at least one spot which is evidence of anomaly in the ndimensional space, with a second recognition procedure similar to the first recognition procedure, the procedure performed by the apparatus according to the invention it recognizes when a symptom parameter of anomaly is so relevant that it must be considered as an evidence of anomaly parameter, because when it assumes a value, already belonging to (at least one) patch of anomaly, verifies an anomaly (i.e. the transaction ti under consideration is classified as anomalous) with such a frequency that the relevant RC counter of relevance exceeds the Srx of relevance threshold; in this case, the correlation criterion can be equality with this value. Unlike the first recognition procedure, the third recognition procedure performs the processing on the m transaction parameters belonging to the first set (of the anomaly symptom parameters), instead of on the z transaction parameters belonging to the third set, and redefines the (at least one) spot evidence of anomaly, instead of (at least one) spot symptom of anomaly.

Furthermore, in the preferred embodiments of the process and of the apparatus according to the invention, which initiate and / or dynamically define at least one spot which is evidence of anomaly in the ndimensional space, the procedure carried out by the apparatus according to the invention modifies dynamically the (at least one) anomaly symptom spot in order to recognize when a value of one of the m anomaly symptom parameters, which value was not previously considered as a value that this anomaly symptom parameter assumed in the (at least one) symptom patch of anomaly, it must instead be considered as a symptom of anomaly. In other words, the procedure carried out by the apparatus according to the invention recognizes when a new value of one of the m anomaly symptom parameters (belonging to the first set) must be considered as a value that defines the (i.e. that this symptom parameter of anomaly assumes in the) (at least one) spot a symptom of anomaly, on the basis that, when it assumes that specific value, an anomaly occurs (i.e. the transaction fi in consideration is classified as anomalous) with a frequency such that the relative RC of relevance counter exceeds the Srx of relevance threshold.

In this case, the procedure carried out by the apparatus according to the invention carries out a third recognition procedure as follows. For each value assumed by an anomaly symptom parameter that is not considered in the definition of the (at least one) anomaly symptom spot in a transaction fc classified as belonging to anomaly state A, the procedure performed by the apparatus according to invention increases (precisely increases by one unit) the RC of relevance counter (and preferably decreases - precisely decreases by one unit - the IC of irrelevance counter) corresponding to this value, and ascertains whether this RC of relevance is greater than the threshold Srxà ¬ of relevance of this transaction parameter. If so (i.e. the RC of relevance counter relative to the value assumed by this transaction parameter in transaction tj is greater than the Srx of relevance threshold), the procedure carried out by the apparatus according to the invention sets the RC relevance counter ( and preferably sets the IC counter of irrelevance) relative to the value assumed by this transaction parameter in the transaction ti classified as anomalous equal to its initialization value (preferably equal to zero), and redefines the (at least one) patch symptom of anomaly in the space n-dimensional in such a way that in the (at least one) patch of anomaly this anomaly symptom parameter assumes this value assumed by this transaction parameter in transaction V

Always in the preferred embodiments of the process and of the apparatus according to the invention, which initiate and / or dynamically define at least one spot evidence of anomaly in the ndimensional space, with a fourth recognition procedure similar to the third recognition procedure, the procedure performed by the apparatus according to the invention dynamically modifies the (at least one) spot evidence of anomaly so as to recognize when a value of one of the k parameters evidence of anomaly, which value was not previously considered as a value that such parameter evidence of anomaly assumed evidence of anomaly in the (at least one) spot, it must instead be considered as evidence of anomaly. In other words, the procedure carried out by the apparatus according to the invention recognizes when a new value of one of the k parameters evidencing an anomaly (belonging to the second set) must be considered as a value that defines the anomaly assumes in the) (at least one) spot evidence of anomaly, on the basis that, when it assumes that specific value, an anomaly occurs (i.e. the transaction% considered is classified as anomalous) with a frequency such that the relative counter RC of relevance exceeds the Srx of relevance threshold. Unlike the second recognition procedure, the fourth recognition procedure performs the processing on the k transaction parameters belonging to the second set (of the anomaly evidence parameters), instead of on the m transaction parameters belonging to the first set, and redefines the ( at least one) spot evidence of anomaly, instead of (at least one) spot symptom of anomaly.

In a dual way, the procedure carried out by the apparatus according to the invention recognizes when one of the values assumed by one of the m anomaly symptom parameters (belonging to the first set) that defines the (at least one) patch symptom of anomaly must not reality to be considered in the analysis of the 3⁄4 transactions passing through the payment gateway unit as a value that defines a symptom of anomaly; in other words, the procedure recognizes when a value of an anomaly symptom parameter, until then considered a value that defines the (at least one) anomaly symptom spot, turns out to be in reality a non-significant value because, when assumed by the anomaly symptom parameter, an anomaly symptom does not occur (i.e. transaction t, in consideration is classified as belonging to the C coherence state) with a frequency such that the relative IC irrelevance counter exceeds the Sixidi irrelevance threshold. In particular, in the event that, once this value has been eliminated as the defining value of the (at least one) anomaly symptom spot, the relative anomaly symptom parameter does not assume any other value in the (at least one) anomaly symptom spot, then the procedure performed by the apparatus according to the invention, it eliminates this transaction parameter from the first set (of the anomaly symptom parameters) and includes it as an additional irrelevant parameter in the third set.

For this purpose, the process carried out by the apparatus according to the invention carries out a fifth recognition procedure as follows. For each of the m transaction parameters belonging to said first set, if it assumes a value that defines the (at least one) spot symptom of anomaly, the procedure carried out by the apparatus according to the invention increases (precisely increases by one unit) the counter IC of irrelevance (and preferably decreases - precisely decreases by one unit - the RC counter of relevance) corresponding to this value, and ascertains whether this IC counter of irrelevance is greater than the Sixth threshold of irrelevance of this transaction parameter. In the positive case (i.e. the IC counter of irrelevance relative to the value assumed by this transaction parameter in the transaction 3⁄4 is greater than the Sixld relevance threshold), the procedure carried out by the apparatus according to the invention sets the IC counter of irrelevance (and preferably sets the RC relevance counter) relative to the value assumed by this transaction parameter in transaction t, equal to its initialization value (preferably equal to zero), and redefines the (at least one) patch symptom of anomaly in the space ndimensional in such a way as to eliminate this value assumed by this parameter symptom of anomaly, i.e. in such a way that in the (at least one) patch of anomaly this anomaly symptom parameter does not assume the value assumed by this transaction parameter in transaction 3⁄4. Furthermore, the procedure carried out by the apparatus according to the invention ascertains whether, after the elimination of this value assumed by this anomaly symptom parameter, there is still at least one value that this anomaly symptom parameter assumes in (at least one) spot of anomaly; in the negative case (i.e. there is no value that this anomaly symptom parameter assumes in the - at least one - anomaly spot), the procedure eliminates this transaction parameter from the first set (of the anomaly symptom parameters) of the (at least one) anomaly and includes it as an additional irrelevant parameter in the third set (of irrelevant parameters).

By way of example, Figure 3 shows the dynamic modification of a two-dimensional anomaly symptom stain, initially defined as a stain 300 (in Figure 3a) and modified as a stain 301 (in Figure 3a), and the dynamic modification of an evident stain of two-dimensional anomaly, initially defined as a spot 310 (in Figure 3a) and modified as a pair of spots 311 and 312 (in Figure 3a).

Preferably, the procedure carried out by the apparatus according to the invention carries out the processing periodically within a sequence of predefined time periods DT following one another, while retaining memory of the changes made to the sets of the various parameters and to the defined spots, so that at the end of each predefined time period DT the set of transactions in Q state of quarantine is emptied. In particular, the time elapsing from the beginning of each period is preferably considered as a symptom parameter, which can be defined as a time delta (i.e. the time between a transaction and the next transaction within the gateway) necessary to define the windows. time in which the analyzes are significant.

Therefore, the apparatus and the related procedure dynamically adapt to new situations and, thanks to the analyzes based on the anomaly symptom parameters (and preferably on the anomaly symptom parameters) they can modify the anomaly symptom spots (and preferably the anomaly symptom spots anomaly) by expanding or reducing them automatically and in real time based on the events, thus automatically suggesting areas of potential anomalous behavior to pay attention to.

An example of elaboration of the apparatus according to the invention illustrated with reference to Figure 4 is provided below.

It is assumed that the manager of the apparatus 201 according to the invention, on the basis of the indications coming from the merchants whose transactions are managed by the payment gateway unit 200 to which the apparatus 201 according to the invention is associated, has previously configured a 9-dimensional space that includes the following transaction parameters:

- transaction parameter 1: axis of the value transacted ($);

- transaction parameter 2: axis of the time delta (sec);

- transaction parameter 3: hours axis (int [0,23]);

- transaction parameter 4: minute axis (int [0.59]);

- transaction parameter 5: seconds axis (int [0,59]);

- transaction parameter 6: days axis (int [0, 31]);

- transaction parameter 7: IP address (identification);

- transaction parameter 8: current account (identification); And

- transaction parameter 9: institution (identifier).

It is also assumed that transactions made with the same IP not exceeding $ 2 that take place over a period of time not exceeding 10 minutes from each other on at least two different accounts of different banks are considered relevant.

Consequently, the manager of the apparatus 201 defines an anomaly symptom spot in the 9-dimensional space considering the two parameters 1 and 2 as anomaly symptom parameters, as follows:

- values of transaction parameter 1: from 0 to 2 $;

- values of transaction parameter 2: from 0 to 600 seconds.

Furthermore, the manager of the apparatus 201 considering the three parameters 7, 8 and 9 as parameters that are evidence of anomalies, for which the correlations that give rise to the recognition of anomalies are defined as follows:

- number of distinct IP addresses: from 0 to 1;

- number of separate current accounts: from 2 to max; And

- number of different institutes: from 2 to max.

Transaction parameters 3, 4, 5, and 6 are treated as irrelevant parameters.

For each transaction t, passing through the payment gateway unit 200, the apparatus 201 detects, in real time, the position of the transaction in the 9-dimensional space. By way of example, the transaction is identified to you by the following vector of transaction parameter values: ti = [1.3; Sat Jul 23 02:16:57 2012; 77.252.238.23; 1T7904835096342281 000]

where is it:

- 1.3 indicates the value transacted, i.e. the value of parameter 1 symptom of anomaly;

- Sat Jul 23 02:16:57 2012 is the timestamp of the transaction from which they derive. the time delta, i.e. the value of parameter 2 symptom of anomaly; the hour, i.e. the value of parameter 3 is irrelevant; minutes, i.e. the value of parameter 4 is irrelevant; the second, i.e. the value of parameter 5 is irrelevant; the day, i.e. the value of parameter 6 is irrelevant;

- 77.252.238.23 à ̈ Î “Î ™ Ρ from which the request comes, i.e. the value of parameter 7 evidence of anomaly;

- IT7904835096342281000 à ̈ Î ™ ΊÎ'Î'Î of the transaction from which they derive: the current account, i.e. the value of parameter 8 evidence of anomaly; and the bank, i.e. the value of parameter 9 evidence of anomaly.

At this point the transaction ^ as it â € œpresents the symptomsâ € (transaction below $ 2 occurred in time = 0 sec) will have to be â € œto quarantineâ € for a time equal to the maximum limit of the time delta reported in the spot anomaly. The subsequent transaction t2, if it â € œpresents symptoms "(eg transaction below $ 2 occurred in time = 30 sec), will first have to be compared with the quarantined transactions for evidence validation. validated (based on the correlation criteria set out above for the anomaly evidence parameters) an anomaly signal is triggered If the evidence is not validated, transaction t2 is in any case placed in quarantine, as it is symptomatic.

If the transaction did not present anomalies, then the parameters that had been defined as relevant (the symptomatic and the evident ones) are analyzed and if some values that define the stain as a symptom of anomaly almost always lead to not generating an anomaly ( for example the transactions above 1, 5 $ are never involved in anomalies) are removed from the anomaly spot, which undergoes a consequent reduction (or will be broken into two small spots).

Similarly, if the transaction is identified as anomalous, the values of the previously neglected parameters are also analyzed (i.e. the irrelevant parameters) and if a significant number of anomalies with the same values are detected (for example, many anomalies are generated per minute 10 of every hour, symptom of an automatic system that periodically tries to force the gateway unit), that parameter is included in the anomaly spot with that value in a new anomaly symptom spot. Similarly in the case of a previously not considered value of an anomaly symptom parameter which is instead present in transactions classified as anomalous, extending the anomaly patch.

Preferably, a monitoring station 202 will allow an operator to verify the presence of any anomaly signals. These reports create a "seed" which is sent by the device 201 to the gateway unit 200 and which is managed according to the security policies internal to the transactional system.

The transaction data are preferably sent by the gateway unit 200 to the apparatus 201 deriving them from the banking communication protocols. In the communication between the apparatus 201 and the gateway unit 200 it will be advantageously possible to insert control keys to protect the integrity of the communication.

The preferred embodiment of the invention provides that the process is carried out by an apparatus 201 separate from the gateway unit 200, so as not to burden the computational capacity of the latter. Alternatively, the apparatus could be integrated into the gateway unit 200 and the procedure could be performed directly by the latter, provided its computational capacity allows it without depressing the performance of the system.

In the foregoing the preferred embodiments have been described and variants of the present invention have been suggested, but it is to be understood that those skilled in the art will be able to make modifications and changes without thereby departing from the relative scope of protection, as defined by claims attached.

Claims (12)

CLAIMS0N1 1. Procedure for monitoring payment transactions passing through a payment gateway unit (200), in which each transaction tj passing through the payment gateway unit is identified by corresponding discrete values assumed by a plurality of n transaction parameters Xj in an n-dimensional space, and in which each transaction passing through the payment gateway unit belongs to an anomaly state A or a quarantine state Q or a coherence state C, the procedure being characterized by understand the following steps: A. define a significance threshold Srxj and an irrelevance threshold Six1 for each of the n transaction parameters x of said plurality; B. selecting a first set of m anomaly symptom parameters from said plurality of n transaction parameters, with 0 <m <n; C. define at least one anomaly symptom spot in said ndimensional space, each of the m anomaly symptom parameters assuming one or more anomaly symptom values in said at least one anomaly symptom patch; D. select a second set of k parameters showing anomaly from said plurality of n transaction parameters and not belonging to said first set, with 0 <k <n k + m â ‰ ¤ n, for which each of the k parameters evidenced by an anomaly is different from all the m parameters symptom of anomaly; F. selecting a third set of z irrelevant parameters from said plurality of n transaction parameters including the transaction parameters that do not belong to said first set nor to said second set, with 0 â ‰ ¤ z <n z = n- (k + m) whereby each of the z irrelevant parameters is different from all the m parameters that are symptom of an anomaly and from all the k parameters that show an anomaly; G. for each discrete value that can be assumed by each transaction parameter x of said plurality of n transaction parameters, initialize a first RC counter of relevance equal to a first initialization value and a second IC irrelevance counter equal to a second value of initialization; H. for each 3⁄4 transaction passing through the payment gateway unit, perform the following steps: H.1 ascertain, on the basis of the values assumed by the m parameters symptom of anomaly, if the transaction tj belongs to said at least one symptom patch of anomaly, H.2 if the ascertainment of sub-phase H.1 is negative, classify the transaction tj as belonging to the state C of consistency and go to sub-phase H.7, H.3 if the ascertainment of sub-phase H.1 is positive, classify transaction t, as belonging to a set of transactions in quarantine state Q, H.4 if the set of transactions in quarantine Q state includes at least two transactions, check whether the value of at least one of the k anomaly parameters of the transaction 3⁄4 is correlated with the value of the homologous anomaly evidence parameter of at least one other transaction previously classified as belonging to quarantine Q status, H.5 if the set of transactions in quarantine status Q includes at least two transactions and the verification of sub-phase H.4 is positive, classify transaction tj and dictate at least one other transaction previously classified as belonging to the anomaly state A, H.6 if the transaction t has been classified as belonging to the anomaly state A, for each of the z parameters belonging to the third set, recognize that this parameter must be included in the first set of the m anomaly symptom parameters when it assumes a specific value for which the transiting transactions tj are classified as belonging to the anomaly state A with such a frequency that the related first RC of relevance counter exceeds the threshold Sr * of relevance, H.7 if the transaction 1⁄4 has been classified as belonging to the coherence state C, for each of the values of the m parameters belonging to the first set that define said at least one spot symptom of anomaly, recognize that this value must be eliminated from the definition of said at least one anomaly symptom spot when it is assumed by the anomaly symptom parameter for the transiting transactions ti that are classified as belonging to the state C of coherence with a frequency such that the relative second IC counter of irrelevance exceeds the threshold Six, of irrelevance, and in the event that, once this value has been eliminated from the definition of said at least one symptom of anomaly spot, the relative anomaly symptom parameter does not assume any other value in said at least one symptom of anomaly spot, delete this transaction parameter from the first set and include it as an additional irrelevant parameter in the third set. 2. Process according to claim 1, characterized in that phase H also comprises, after sub-phase H.5, the following sub-phase: H.8 if the transaction has been classified as belonging to the anomaly state A, for each of the m parameters belonging to the first set, recognize that this parameter must be included in the second set of k parameters evidence of anomaly when it assumes a value all the interior of said at least one spot symptom of anomaly for which the transiting transactions f are classified as belonging to the anomaly state A with such a frequency that the relative first RC of relevance counter exceeds the threshold Srx of relevance. 3. Process according to claim 1 or 2, characterized in that it comprises, before step H, the following step: J. to define at least one spot evidence of anomaly in said ndimensional space, each of the k parameters evidence of anomaly assuming one or more values evidence of anomaly in said at least one spot evidence of anomaly; and by the fact that phase H includes the following sub-phase, before phase H.1: H.9 ascertain, on the basis of the values assumed by the k parameters evidence of anomaly, if transaction t belongs to said at least one spot evidence of anomaly, and if so, classify transaction t as belonging to the anomaly state A and pass to sub-phase H.6. 4. Process according to claim 3, characterized in that the sub-phase H.6 also includes, if the transaction t, has been classified as belonging to the anomaly state A, for each of the m parameters belonging to the first set, recognize when a new value of the parameter considered must be included in the definition of said at least one spot that is a symptom of anomaly when it assumes a specific value for which the 1⁄4 transiting transactions are classified as belonging to the anomaly state A with such a frequency that the relative first RC of relevance counter exceeds the threshold Srx of relevance. 5. Process according to any one of the preceding claims, characterized in that the sub-phase H.6 comprises the following sub-phases: H.6.1 for each of the z transaction parameters belonging to the third set, increase the first relevant RC counter corresponding to the value assumed by this transaction parameter in transaction t3⁄4, and ascertain whether this first relevant RC counter is greater than Srx threshold of relevance of this transaction parameter, H.6. 2 if the ascertainment of sub-phase H.6.1 is positive, set the first relevant RC counter relative to the value assumed by this transaction parameter in the transaction tj equal to the first initialization value, delete this transaction parameter from the third set and include it as an additional anomaly symptom parameter in the first set, and redefine said at least one anomaly symptom patch in the n-dimensional space so that in said at least one anomaly symptom patch this additional anomaly symptom parameter assumes this value assumed by this parameter transaction in the transaction ti. 6. Process according to claim 5, characterized by the fact that the sub-phase H.6.1 also comprises decreasing the second counter IC of irrelevance corresponding to the value assumed by this transaction parameter in the transaction ti, and by the fact that the sub-phase H.6.2 comprises also set the second counter IC of irrelevance relative to the value assumed by this transaction parameter in transaction t, equal to the second initialization value. 7. Process according to any one of the preceding claims, characterized in that the sub-phase H.7 comprises the following sub-phases: H.7.1 for each of the m transaction parameters belonging to said first set, if it assumes in the transaction t, a value that defines said at least one spot that is a symptom of anomaly, increment the second counter IC of irrelevance corresponding to the value assumed by this parameter of transaction in transaction tj, and ascertain whether this second counter IC of irrelevance is greater than the Sixidi threshold of irrelevance of this transaction parameter, H.7.2 if the ascertainment of sub-phase H.7.1 is positive, set the second counter IC of irrelevance relative to the value assumed by this transaction parameter in transaction tj equal to the second initialization value, and redefine said at least one symptom spot of anomaly in the n-dimensional space in such a way as to eliminate this value assumed by this anomaly symptom parameter, and ascertain whether, after the elimination of this value assumed by this anomaly symptom parameter, there is still at least one value that this parameter symptom of anomaly assumes in said at least one patch of anomaly and, in the event of this finding being negative, eliminate this transaction parameter from the first set and include it as an additional irrelevant parameter in the third set. 8. Process according to claim 7, characterized in that the sub-phase H.7.1 also comprises decreasing the first RC counter of relevance corresponding to the value assumed by this transaction parameter in transaction 1⁄4, and by the fact that the sub-phase H. 7.2 also includes setting the first relevant RC counter relative to the value assumed by this transaction parameter in transaction tj equal to the first initialization value. Method according to any one of the preceding claims, characterized in that phase H is carried out in such a way that at the end of a predefined time period DT the set of transactions in the quarantine state Q is emptied. 10. Apparatus (201) for monitoring payment transactions transiting through a payment gateway unit (200), characterized in that it comprises processing means configured to perform the monitoring procedure of payment transactions transiting through a gateway unit (200 ) of payment according to any one of claims 1 to 9. 1 1. Computer program comprising code means suitable for executing, when operating on processing means of an apparatus (201), the method of monitoring payment transactions transiting through a payment gateway unit (200) according to any one of the claims 1 to 9. 12. A computer readable memory medium having a program stored thereon, characterized in that the program is the computer program according to claim 11.