KR20230146370A - Fraud detection method and server therefor - Google Patents

Abstract

The present invention relates to a method for detecting fraudulent activity according to set conditions. A fraud detection method performed on a server according to the present invention includes the steps of receiving a selection of a fraud target to be detected; receiving a detection condition for determining the range of the detection target based on a plurality of action values constituting the user's action data for the selected fraud target; displaying detection results based on past behavior data according to the input conditions; Setting the combination of the input conditions as a new detection rule; and detecting the user's behavior according to the new detection rule set above. The present invention can predict fraud in advance and prevent damage by using a database embedding users' past data.

Description

Fraud detection method and server therefor}

The present invention relates to a method for detecting fraudulent activities through setting real-time detection rules and a server that performs the same.

With the development of network technology, users can receive financial services anytime, anywhere and use a variety of non-face-to-face financial products.

In the past, in order to receive financial services, you had to visit the bank in person, but with the development of Internet communication technology, Internet banking, which allows people to use various financial services at banks online, has become active.

Recently, thanks to the development of mobile communication terminal technology, it has become possible to perform functions that were previously performed offline more simply and conveniently through mobile applications.

In particular, in order to improve user convenience by using the advanced camera photography technology of user terminals such as smart phones, technology has been developed and serviced to verify and process the user's identity non-face-to-face through an application provided by a financial company.

As the methods of providing financial services become more diverse, traditional fraud methods are also changing into forms that use intelligent network technologies, and the methods are becoming more diverse.

However, in order to respond to the detection of such fraudulent activities, it is necessary to develop and apply rules for determining fraud through data analysis, and after the actual application of the developed rules, the supplementation process takes more time. do.

Additionally, in most cases, there may be a delay in responding to financial fraud due to the difference between the entity that creates the detection rule and the entity that actually applies it to the engine.

The purpose of the present invention is to provide a method for setting fraud detection rules in real time.

The purpose of the present invention is to enable immediate prediction of the detection effect by visualizing the results according to set detection conditions and providing them to the user.

Additionally, the purpose of the present invention is to provide a solution that can be applied to services by exploring data in real time and immediately creating rules.

A fraud detection method performed on a server according to the present invention to solve the above technical problem includes receiving a selection of a fraud target to be detected; receiving a detection condition for determining the range of the detection target based on a plurality of action values constituting the user's action data for the selected fraud target; displaying detection results based on past behavior data according to the input conditions; Setting the combination of the input conditions as a new detection rule; and detecting the user's behavior according to the new detection rule set above.

The step of receiving the detection condition includes: receiving a variable to be used as the detection condition; and receiving a range selection value of the detection target of the input variable.

In the step of displaying the detection result, it is preferable to set the input detection condition as the database search condition in the database that manages the past behavior data and display the fraud corresponding rate of the behavior data in the database search result.

It is preferable that the database manages the past behavior data by dividing them into embedding vectors that embed the behavior values within the past behavior data according to the fraud rate.

In the step of setting the new detection rule, it is preferable to set the related action value with the same or similar vector as the detection range based on the embedding vector of the action value within the input condition and apply the set range as the detection condition. do.

The action value includes the user's user information or identification information of the device used by the user.

The action value includes time or space information where the user's action occurs.

The action value includes an action vector that embeds sequential actions according to the user's interface into an action occurrence sequence.

A server according to the present invention for solving the above technical problem includes a processor; a memory that loads a computer program executed by the processor; and storage for storing the computer program, wherein the computer program includes: generating a variable to be detected; Selecting a fraud target to be detected according to the generated variable and receiving detection conditions for determining a range of the detection target based on a plurality of behavior values constituting user behavior data for the selected fraud target; Displaying a detection result based on past behavior data according to the input conditions; Setting the combination of the input conditions as a new detection rule; and detecting the user's behavior according to the new detection rule set above.

The operation of receiving the detection condition is preferably performed by receiving a variable to be used as the detection condition and receiving a range selection value of the detection target of the input variable.

The operation of receiving the detection condition sets the input detection condition as the database search condition in the database that manages the past behavior data, and the operation of displaying the detection result determines the fraud corresponding rate of behavior data in the database search results. It is desirable to indicate this.

In the operation of receiving the detection condition, it is preferable to set the relevant action value with the same or similar vector as the detection range based on the embedding vector of the action value within the input condition and apply the set range as the detection condition. .

According to the present invention, conditions for fraud detection are provided in the form of a graphical user interface, allowing users to set and change fraud detection conditions more intuitively.

Additionally, the present invention provides visualization of results according to set conditions, allowing users to easily set the most effective detection conditions.

Additionally, the present invention can predict fraud in advance and prevent damage by using a database that embeds users' past data.

Additionally, the present invention can truly minimize inconvenience to users and target and detect fraudulent activities.

1 is a diagram illustrating a process of a real-time fraud detection method according to an embodiment of the present invention.
Figure 2 is a diagram showing some processes of a real-time fraud detection method according to an embodiment of the present invention.
Figure 3 is a diagram illustrating a condition setting interface of a real-time fraud detection method according to an embodiment of the present invention.
Figure 4 is a diagram illustrating result data for set detection conditions according to an embodiment of the present invention.
Figure 5 is a diagram illustrating changes in result data for set detection conditions according to an embodiment of the present invention.
Figure 6 is a diagram illustrating data displayed for setting the range of detection conditions according to an embodiment of the present invention.
Figure 7 is a diagram illustrating a condition setting interface of a real-time fraud detection method according to an embodiment of the present invention.
Figure 8 is a diagram illustrating a detection result of a detection rule created according to an embodiment of the present invention.
Figure 9 is a diagram showing a real-time fraud detection server according to an embodiment of the present invention.
10 to 12 are diagrams showing examples of data preprocessing of a real-time fraud detection server according to an embodiment of the present invention.
Figure 13 is a diagram showing a real-time fraud detection server according to an embodiment of the present invention.
Figure 14 is a diagram for explaining the hardware implementation of a server that performs a fraud detection method according to an embodiment of the present invention.

The following merely illustrates the principles of the invention. Therefore, a person skilled in the art can invent various devices that embody the principles of the invention and are included in the concept and scope of the invention, although not clearly described or shown herein. In addition, all conditional terms and embodiments listed in this specification are, in principle, expressly intended only for the purpose of ensuring that the inventive concept is understood, and should be understood as not limiting to the embodiments and conditions specifically listed as such. .

The above-mentioned purpose, features and advantages will become clearer through the following detailed description in relation to the attached drawings, and accordingly, those skilled in the art in the technical field to which the invention pertains will be able to easily implement the technical idea of the invention. .

Additionally, in describing the invention, if it is determined that a detailed description of the known technology related to the invention may unnecessarily obscure the gist of the invention, the detailed description will be omitted. Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the attached drawings.

1 is a flowchart showing a fraud detection method performed by a fraud detection server according to an embodiment of the present invention.

First, to detect fraud, the selection of the fraud target to be detected is input (S100).

The fraud detection server according to this embodiment classifies fraudulent activities according to type and allows this to be set as a condition. Once the detection rule is determined based on the combination of set conditions, detection is performed for each fraudulent activity according to the detection rule.

For example, there are various fraudulent activities such as fraudulent activities through ID theft, account transfers through voice phishing, and loan fraud. The fraud detection server classifies fraudulent activities hierarchically, and the user selects the classification to be detected through the menu. You can choose the type of interface.

Next, once the fraud target is selected, the scope of the detection target is determined.

Specifically, the range of the detection target can be determined by a combination of various conditions.

The fraud detection server receives detection conditions that determine the range of the detection target based on a plurality of behavior values constituting the user's behavior data for the selected fraud target (S200).

Referring to FIG. 2, the step of receiving detection conditions (S200) may sequentially include a process of selecting variables to be used as detection conditions (S210) and a process of selecting a range for the selected variable (S220).

In this embodiment, variables used as detection conditions may include user identification information as information about the user, and device identification information as information about the device the user uses.

Identification information may have continuous numeric values depending on the type of data, or may be categorical variables classified according to items. Therefore, the user can select a category value among categories or, if the identification information has continuous values in numeric form, set the lower and upper limits of the range to be detected directly.

If explained in more detail with reference to FIG. 3, input of conditions may be performed through a user interface implemented in the form of a menu.

As described above, it is possible to select a fraud target to be detected first, and a menu for selecting a detection condition according to the selected fraud target is sequentially configured and provided as an interface.

Additionally, in the case of a relationship in which detection conditions influence each other, items in the lower menu may vary depending on the selection of the upper condition, and independent conditions may be set individually.

For example, if loan fraud is selected as the target of fraud and the type of device used as detection condition 1 is selected as the upper condition, detection condition 2 allows selection of items such as the model name or year of the device as the lower condition.

Alternatively, when selecting the user's identification information as the detection condition, the menu can be configured to select the user's gender as detection condition 1 and the user's age range as detection condition 2.

At this time, gender can be categorized into two categories, but age is continuous numeric data and has a range, so it can be provided as an interface that allows input of the upper and lower limit values of the detection target.

Next, when the selection of conditions is completed, the fraud detection server displays detection results based on behavioral data according to the entered conditions (S300).

Referring to FIG. 4, the detection results according to this embodiment can be provided in an intuitive interface such as a graph composed of the ratio of fraudulent behavior and normal behavior according to selected conditions.

At this time, the graph reflects changes in the ratio in real time according to the process of sequentially selecting detection condition sentences, allowing the user to immediately understand the impact of the combination of conditions selected by the user on the detection of errors.

For example, if you select gender as detection condition 1 and want to set the age range as detection condition 2, the user can check the change in the ratio of fraud/normality in a graph according to the range of upper and lower age limits set.

In other words, users can check the graph and predict the effect of the conditions they set.

More specifically, referring to Figure 5, the user selected loan fraud as the target of fraud, and the age range was set to 30 to 50 years as detection condition 1.

Next, if the most recent transfer amount is set to 100,000 won or more using detection condition 2, and then the range of the last loan amount is set to the range of 5 million won to 10 million won using detection condition 3, the rate of fraud compared to normal according to the conditions of previous detection condition 2 is It can be confirmed that the ratio increases with the setting of detection condition 3.

Therefore, it can be confirmed that the condition is efficient for detecting loan fraud and is an appropriate rule that can truly minimize user inconvenience by reducing the false positive rate for normal behavior.

In other words, the user considers the confirmation result, true positive rate, false positive rate, etc. and finally sets the combination of conditional statements judged to be effective in deriving the optimal result as the fraud detection rule.

Additionally, in this embodiment, in addition to the bar-shaped graph that provides results according to the set conditions, it is also possible to additionally provide an auxiliary graph to provide auxiliary information in the condition setting process.

For example, when selecting numeric data, it is possible to create and display an additional graph to assist the user in selecting the range.

Referring to FIG. 6, if the detection condition 3 described above in this embodiment sets the range of the last loan amount, the frequency of fraud compared to the loan amount is provided in the form of a distribution graph to help the user set the range of numerical data. You can.

Furthermore, referring to FIG. 7, in this embodiment, in addition to the identification information of the user performing the financial activity, information on the device used by the user can be additionally set (72). In other words, the fraud detection server according to this embodiment reflects the security policy or stability of the device itself and allows it to be used for detection. Finally, once the conditions are set by selecting the conditions for the device, a new detection rule can be created through the detection rule application menu (74).

The fraud detection server according to the present embodiment above predicts the detection effect of the conditions through a sequential condition setting process, and finally, the user sets the combination of the entered conditions as a new detection rule for detecting specific fraudulent activities. make it possible

In this embodiment, detection rules can be set through the user interface by general users who monitor user behavior in real time, so that general users who are not professional developers or security personnel can easily set detailed conditions for fraud detection and set rules. The process from creation to detection application can be performed.

The fraud detection server creates a final combination of new detection conditions as a rule and detects user behavior according to the created rule. In addition, the fraud detection server monitors user actions according to the detection conditions set within the rules and simultaneously collects and records the relevant information so that it can be used to set conditions.

For this purpose, the fraud detection server manages the detection results of user behavior data in a database. In other words, the fraud detection server applies the set conditions to past behavior data in the database to provide the fraud detection rate in the form of a graph. In addition, the current detection result is calculated as the ratio of the number of fraud cases and the number of true/false positives compared to the total number of monitored cases. Allows users to check with more detailed information.

Figure 8 illustrates a diagram that can be output from the database when applying the set detection rules. Referring to FIG. 8, the fraud detection server according to this embodiment can provide the true/false detection ratio of the number of frauds and the total damage prevention amount in data form based on established rules.

The displayed indicators include monitoring results (82) for past behavior data stored in the database other than when the rule is set, allowing time-series changes in monitoring results according to newly set detection conditions to be identified.

In addition, by providing monitoring results (84) for the period after the set rule was applied and monitoring results (86) to date in real time, conditions can be continuously checked and modified even after the rule is set.

As mentioned above, the targets and methods of fraud are continuously evolving and diversifying, so for the most effective detection of targets that frequently occur recently, users can check the fraud detection results in real time based on the currently collected behavioral data and provide feedback. You can set conditions accordingly.

For example, by identifying cases where the true positive rate of a set condition continues to increase or the false positive rate increases, it is possible to supplement or maintain specific conditions within the rule.

In the case of the embodiment of Figure 8, after the set detection rule is applied, the true detection rate of loan fraud in October 2021 is high, exceeding 10%, and the false positive rate is reduced to 90% or less, indicating that efficient fraud detection is being performed. You can check it.

Hereinafter, the structure of modules including the database 200 in the specific fraud detection server 1000 in this embodiment will be described in more detail.

Referring to FIG. 9, the database 200 stores and manages the collected data and simultaneously manages the fraudulent data separately, thereby enabling the characteristics of fraudulent activities to be more clearly identified.

The database 200 provides the collected data to the detection variable generator 10 so that condition variables to be set by the user can be extracted from the stored behavior data.

The detection variable generator 10 generates statistical data of variables of various users in the database through preprocessing according to the type of behavior data and creates conditions that can effectively classify the statistical data.

For example, with numerical data, the user's age can be set as a condition variable as a numerical value. At this time, the detection variable generator 10 statistics the frequency of fraud according to age in the form of a histogram and allows the user to refer to the histogram when setting conditions.

Additionally, in the case of categorical data, the frequency for each category can be calculated in advance, and the calculated frequency can be used to allow the user to set the most frequent category as a condition.

Referring to FIG. 10, in the case of the user's age, a separate embedding process can be omitted as it is continuous numeric data, and the detection variable generator 10 counts the frequency for each age in the preprocessing process to generate the detection rule generator ( According to the conditions set in 20), the data is expressed as a histogram so that the user can use it as additional explanatory material for setting conditions.

At this time, the detection variable generator 10 can determine the number of bins to express as a histogram, and the user can more intuitively determine the range of the condition according to the number of bins.

Next, referring to FIG. 11, gender, occupation, credit rating, etc. are categorical data, and the detection variable generator 10 can count values for each category. The detection variable generating unit 10 counts the number of fraudulent uses according to credit rating through preprocessing and provides it as a graph according to conditions set in the detection rule generating unit 20. Users can select the credit rating category to monitor by referring to the provided graph. The credit rating standards and values shown in this graph are an example to aid understanding of the present invention, and are not limited to the values or data described.

Other variables include the product code of the device, access IP address, current location, or user information such as address or company. These are values that do not appear as continuous numbers and are difficult to classify into categories, and the correlation between data is established through additional embedding. It can be vectorized through .

The detection variable generator 10 creates a system that can effectively classify the currently collected data and vectorizes it to allow the user to set conditions with normalized values.

For example, in the case of an IP address, it is a logical address system for representing a network address, and the number of digits used for the network ID and host ID can be differentiated depending on the class.

When a user accesses the service server using a specific device, the access IP address of the device can be extracted, and the detection variable generator 10 uses this to analyze the correlation between the specific location and the fraudulent activity based on the location on the network. can do.

For example, the detection variable generator 10 can directly use the correlation between the digits corresponding to the network ID in the IP address and the fraudulent activity for embedding.

Referring to Figure 12, the IP address is grouped according to the 3-digit network ID (192.0.0~223.255.255) excluding the host ID, and the result of whether the group has committed fraud is used to determine the association of fraud for the group. can be calculated as a vector.

In other words, by embedding using the probability of whether an IP address is eligible for fraud or not, IP addresses that are frequently used by users or have a high probability of fraud (IP address #1, IP address #9 in Figure 12) are set as monitoring targets. It is also possible to do so.

In addition, it is possible to determine the similarity of each IP address and expand the monitoring target to IP addresses that have similar characteristics to the IP address corresponding to the conditions selected by the user.

In this embodiment, the similarity for each IP address can be calculated through the ratio of the union and intersection of user groups using each address. For example, the similarity between IP address #4 and IP address #7 can be calculated through the ratio of users who use both IP address #4 and IP address compared to the entire set of users who use IP address #4 and IP address. If the ratio is higher than the threshold, it can be judged to be similar and included as a monitoring target. However, as the number of users using an IP address increases, a lot of resources may be consumed in comparing each user to determine common users, so the characteristics of users within the IP address are abbreviated through multiple hash functions, and a set consisting of only the minimum value of the hash function It is also possible to determine similarity using the common frequency of the minimum value by comparing them with each other.

Furthermore, the detection variable generator 10 is also capable of embedding the user's actions on the application or offline actions in a sequential sequence.

By assigning weights to specific actions that overlap or repeat during the use of applications by victims of loan fraud, the correlation between fraudulent actions is calculated as a vector, and when the order of actions is set as a condition, the similarity of values according to a series of user actions It is also possible to monitor through .

For example, in the process from account transfer to balance inquiry and remittance account entry, or in card payment behavior, the correlation between payment amount, payment product, and payment store address can be embedded as an action vector.

Next, the detection rule generator 20 receives detection conditions that determine the range of the detection target based on a plurality of behavior values constituting the user's behavior data as preprocessed variables and generates a detection rule through a combination of these.

In addition, the detection rule creation unit 20 displays detection results based on past behavior data according to the input conditions and allows the user to create a detection rule by combining more effective conditions.

Once the selection of detection conditions is completed through the above process, the detection rule creation unit 20 creates a detection rule using a combination of the set conditions.

Next, the detection rule created in the detection rule creation unit 20 is defined in the form of attribute-value pairs so that the detection target can be set and simulated in the form of a web service, and is used in a standardized form such as JSON (JavaScript Object Notation). It may be transmitted to the rule engine 112 in the fraud detection engine of the detection unit 100.

Hereinafter, with reference to FIG. 13, the fraud detection unit 100 that performs fraud detection according to the detection rule received by the rule engine 112 will be described in more detail.

The fraud detection unit 100 according to this embodiment includes a management module 120, a fraud detection engine 110, a messaging module 130, and a distributed processing module 140.

First, the detection rule creation unit 20 can transmit the conditions created by the user in an attribute-value format 25 and specifically transmits them to the fraud detection system through the messaging module 40.

The messaging module 40 allows data exchange for fraud detection to be easily sent and received in the form of messages in a server system with distributed resources, and allows conditions created in real time to be stored as a message queue and processed in batches. .

The rules engine 112 in the fraud detection engine 110 receives the message through the messaging module 40 and performs fraud detection according to the rules included in the message. The fraud detection engine 110 organically utilizes the resources of distributed servers through a distributed processing module and performs fraud detection tasks.

The fraud detection engine 110 includes an evaluation engine 114, and the evaluation engine 114 can evaluate the results of monitoring through false positive/true positive rates according to detection conditions independently of the rule engine 112. there is.

Additionally, the fraud detection engine 110 includes separate managers 111, 113, and 115 to hierarchically manage set rules according to policies/rules/conditions. Therefore, the fraud detection engine 110 can manage and apply fraud detection rules for each policy with the highest level conditions, and lower level conditions set by the user can be newly created as rules or integrated into previous rules.

The detection results of the fraud detection engine 110 are delivered back to a separate management module through the internal messaging module 130, and the event handler 122 within the management module 120 actually performs processing according to the detected results.

In addition, within the management server 120, policy/rule/condition managers 121, 123, 125 that are symmetrical to the fraud detection engine 110 are configured to hierarchically manage the processing results of the event handler 122. .

The hardware implementation of a server that performs a fraud detection method by setting fraud detection conditions according to an embodiment of the present invention will be described above.

Referring to FIG. 14, the fraud detection server 1000 according to some embodiments of the present invention may be implemented in the form of a computing device. One or more of each module constituting the fraud detection server 1000 is implemented on a general-purpose computing processor, and thus includes a processor 1010, an input/output I/O 1020, a memory 1030, an interface ( interface (1040), storage (1050), and a bus (1060). The processor 1010, input/output I/O 1020, memory device 1030, storage 1050, and/or interface 1040 may be coupled to each other through a bus 1050. The bus 1060 corresponds to a path through which data moves.

Specifically, the processor 1010 includes a Central Processing Unit (CPU), Micro Processor Unit (MPU), Micro Controller Unit (MCU), Graphic Processing Unit (GPU), microprocessor, digital signal processor, microcontroller, and application processor (AP). , application processor) and logic elements capable of performing similar functions.

The input/output I/O device 1020 may include at least one of a keypad, a keyboard, a touch screen, and a display device. The memory device 1030 may store data and/or programs.

The interface 1040 may perform a function of transmitting data to or receiving data from a communication network. Interface 1040 may be wired or wireless. For example, the interface 1040 may include an antenna or a wired or wireless transceiver. Although not shown, the memory device 1030 is an operating memory for improving the operation of the processor 1010 and may further include high-speed DRAM and/or SRAM.

Internal storage 1050 stores programming and data configuration that provides the functionality of some or all modules described herein. For example, it may include logic to perform selected aspects of the fraud detection conditions and detection methods described above.

The memory device 1030 loads a program or application with a set of instructions including each step of performing the above-described fraud detection method stored in the storage 1050 and allows the processor to perform each step.

According to the present invention, the conditions for fraud detection are provided in the form of a graphical user interface, thereby enabling fraud detection conditions to be set more intuitively.

Additionally, the present invention provides visualization of results according to the set conditions, allowing the user to set the most effective detection conditions.

Additionally, the present invention can predict fraud in advance and prevent damage by using a database that embeds users' past data.

Additionally, the present invention can truly minimize user inconvenience and target and detect fraudulent activity.

Furthermore, various embodiments described herein may be implemented in a recording medium readable by a computer or similar device, for example, using software, hardware, or a combination thereof.

According to hardware implementation, the embodiments described herein include application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), and field programmable gate arrays (FPGAs). It may be implemented using at least one of processors, controllers, micro-controllers, microprocessors, and other electrical units for performing functions. In some cases, as described herein, The described embodiments may be implemented as a control module itself.

According to software implementation, embodiments such as procedures and functions described in this specification may be implemented as separate software modules. Each of the software modules may perform one or more functions and operations described herein. Software code can be implemented as a software application written in an appropriate programming language. The software code may be stored in a memory module and executed by a control module.

The above description is merely an illustrative explanation of the technical idea of the present invention, and various modifications, changes, and substitutions can be made by those skilled in the art without departing from the essential characteristics of the present invention. will be.

Accordingly, the embodiments disclosed in the present invention and the accompanying drawings are not intended to limit the technical idea of the present invention, but are for illustrative purposes, and the scope of the technical idea of the present invention is not limited by these embodiments and the attached drawings. . The scope of protection of the present invention should be interpreted in accordance with the claims below, and all technical ideas within the equivalent scope should be construed as being included in the scope of rights of the present invention.

Claims (13)

In a method of detecting fraudulent activity performed on a server,
A step of receiving a selection of a fraud target to be detected;
receiving a detection condition for determining the range of the detection target based on a plurality of action values constituting the user's action data for the selected fraud target;
displaying detection results based on past behavior data according to the input conditions;
Setting the combination of the input conditions as a new detection rule; and
A method for detecting fraud, comprising the step of detecting user behavior according to the new detection rule set above. According to claim 1,
The step of receiving the detection conditions is,
Receiving variables to be used as the detection conditions; and
A fraud detection method comprising receiving a range selection value of the detection target of the input variable. According to claim 1,
The step of displaying the detection result is,
Setting the detection conditions entered into the database that manages the past behavior data as the database search conditions,
A method for detecting fraud, characterized in that displaying the proportion of fraud corresponding to behavioral data in the database search results. According to claim 3,
The database classifies and manages the past behavior data using an embedding vector that embeds the behavior values within the past behavior data according to the rate of fraud. According to claim 4,
The step of setting the new detection rule is,
A method of detecting fraud, characterized by setting related action values having the same or similar vectors as a detection range based on the embedding vector of the action values within the input conditions, and applying the set range as a detection condition. According to claim 3,
A method of detecting fraud, characterized in that the action value includes the user's user information or identification information of the device used by the user. According to claim 3,
A method of detecting fraud, characterized in that the action value includes time or space information in which the user's action occurs. According to claim 3,
A method of detecting fraud, characterized in that the behavior value includes a behavior vector that embeds sequential actions according to the user's interface into an action occurrence sequence. processor;
a memory that loads a computer program executed by the processor; and
Including storage for storing the computer program,
The computer program is,
a generating action that creates a variable to be detected;
Selecting a fraud target to be detected according to the generated variable and receiving detection conditions for determining a range of the detection target based on a plurality of behavior values constituting user behavior data for the selected fraud target;
Displaying a detection result based on past behavior data according to the input conditions;
Setting the combination of the input conditions as a new detection rule; and
A server comprising the operation of detecting user behavior according to the new detection rule set above. According to clause 9,
The operation of receiving the detection conditions is,
A server characterized in that it receives an input of a variable to be used as the detection condition, and receives an input of a range selection value of the detection target of the input variable. According to claim 10,
The operation of receiving the detection condition is to set the input detection condition as the database search condition in a database that manages the past behavior data,
A server characterized in that the operation of displaying the detection result displays the fraud corresponding rate of behavioral data in the database search results. According to claim 11,
The operation of receiving the detection conditions is,
A server characterized in that, based on the embedding vector of the behavior value within the input condition, the relevant behavior value having the same or similar vector is set as the detection range, and the set range is applied as the detection condition. A computer-readable recording medium storing a program for performing the method for detecting fraud according to any one of claims 1 to 8.

Images