RU2790946C1 - Method and system for analyzing voice calls for social engineering detection and prevention - Google Patents

Abstract

FIELD: computer technology.

SUBSTANCE: processing of data from incoming audio calls to classify the presence of fraudulent activities. The claimed effect of the invention is achieved by a computer-implemented method of analysing the dialogue during audio calls to detect fraudulent activity, powered by a processor and containing the following steps: receive an incoming audio stream coming from the calling party; process the incoming audio stream using at least one machine-learning model, which includes: converting the incoming audio stream into a vector form; comparing the vector form of the audio stream with previously stored vectors characterizing fraudulent activity; transcribing the audio stream to analyse the dialogue of the calling party for at least the semantic composition of the information and the pattern of the dialogue; classifying the incoming audio stream based on the processing.

EFFECT: increased efficiency and accuracy of recognizing fraudulent activity in incoming audio calls due to the combined analysis of the audio stream and the semantics of the dialogue pattern.

15 cl, 5 dwg

Description

FIELD OF TECHNOLOGY

[0001] This technical solution relates to the field of computing, in particular to the processing of data from incoming audio calls to classify the presence of fraudulent activity.

BACKGROUND OF THE INVENTION

[0002] The use of various methods in terms of analyzing audio streams for their subsequent classification is a fairly common approach used in various fields of technology and business. The increased activity of cybersecurity crimes is especially often reflected in the financial sector, which negatively affects both the well-being of customers and the reputation of financial institutions. The most common technique used by scammers during phone calls is social engineering, in which the client is misled and forced to independently perform certain actions, leading, as a rule, to the theft of funds.

[0003] One of the examples of solutions aimed at combating fraudulent activity is a method for determining the risk score of a call, which consists in analyzing the caller's speech information and classifying it for the presence of specified triggers that indicate the caller's intentions (US 20170142252 A1, 05/18/2017 ).

[0004] Another example of approaches is the detection of a change in the caller's voice or the formation of synthetic speech reproduced by a robot or bot, based on the extraction of characteristic features from the audio track, indicating the synthetic nature of the sound (US 10944864 B2, 03/09/2021).

[0005] The main disadvantage of the known solutions is the lack of an integrated approach that allows for a multilateral analysis of the audio stream to identify a number of characteristics, in particular, in addition to analyzing the audio component of the dialogue, to transcribe audio information to process the caller's dialogue pattern. Also, the disadvantage is the lack of automated ways to protect the subscriber from fraudulent actions on incoming calls, as well as the automatic receipt of fraudulent audio streams.

SUMMARY OF THE INVENTION

[G006] The technical problem to be solved by the claimed invention is to improve the efficiency of recognition of fraudulent activity.

[0007] The technical result is to increase the efficiency and accuracy of recognizing the fraudulent activity of incoming audio calls, due to the combined analysis of the audio stream and the semantics of the dialogue pattern.

[0008] The claimed technical result is achieved by performing a computer-implemented method for analyzing the dialogue during audio calls to detect fraudulent activity, performed using the processor and containing the steps at which:

- receive an incoming audio stream coming from the calling party;

- carry out the conversion of the incoming audio stream into vector form;

- processing the converted audio stream using the first machine learning model, during which the vector form of the audio stream is compared with previously stored vectors characterizing fraudulent activity;

- performing transcription of the audio stream and its subsequent processing using the second machine learning model, which performs the analysis of the dialogue of the calling party, while in the course of said analysis, the following is carried out:

the semantic composition of the information and the pattern of the dialogue, while the pattern of the dialogue includes the analysis of the words used in the conversation, the analysis of the construction of phrases, the analysis of the following of phrases one after another;

the presence and duration of pauses in the dialogue of the incoming audio stream;

- classifying the incoming audio stream based on the processing performed by the first and second machine learning models.

[0009] In one of the particular examples of the implementation of the method in the semantic analysis of the transcribed dialogue, the identification of words inherent in fraudulent activity is performed.

[0010] In another particular example of the implementation of the method, an additional incoming audio stream is analyzed for at least one of: tonality, emotiveness, prosody, or combinations thereof.

[0011] In another particular example of the implementation of the method, the vector form of the incoming audio stream is analyzed for the presence of features selected from the group: voice change, synthetic voice formation, background audio stream overlay, or combinations thereof.

[0012] In another particular example of the implementation of the method, the outgoing audio stream is additionally analyzed.

[0013] In another particular example of the implementation of the method, the outgoing and incoming audio streams are separated.

[0014] In another particular example of the implementation of the method, at least one parameter of the incoming audio stream is additionally analyzed, selected from the group: timbre pitch, sound intensity, speech intensity, duration of pronunciation of words, aspiration, glottalization, palatalization, type of adjunction of a consonant to a vowel, or combinations thereof .

[0015] In another particular example of the implementation of the method, the presence of extraneous noise in the incoming audio stream is additionally analyzed.

[0016] In another particular example of the implementation of the method is performed on the user's device, which is a smartphone, tablet or computer.

[0017] In another particular example of the implementation of the method, upon receipt of the incoming audio track, a synthetic outgoing voice audio stream is generated.

[0018] In another particular example of the implementation of the method, the generation of the outgoing audio stream is performed before the classification of the input audio track.

[0019] In another particular example of the implementation of the method, the generation of a synthetic audio stream is based on the voice sample of the device user.

[0020] In another particular example of the implementation of the method, when classifying an incoming audio stream as fraudulent, its vector representation is saved.

[0021] In another particular example of the implementation of the method, when classifying an incoming audio stream as fraudulent, a status message is generated that is displayed on the display of the device.

[0022] The claimed technical result is also achieved using a dialogue analysis system during audio calls to detect fraudulent activity, which contains at least one processor and at least one memory storing machine-readable instructions that, when executed by the processor, implement the above method.

BRIEF DESCRIPTION OF THE DRAWINGS

[0023] FIG. 1 illustrates the general scheme of the claimed solution.

[0024] FIG. 2A illustrates a flowchart of a general process for parsing an audio call stream.

[0025] FIG. 2B illustrates a flow diagram of a process for analyzing an audio stream for synthetic changes.

[0026] FIG. 3 illustrates a flowchart of a process for generating a synthetic outgoing audio stream for dialogue.

[0027] FIG. 4 illustrates the general layout of a computing device.

IMPLEMENTATION OF THE INVENTION

[0028] In FIG. 1 shows a general scheme (100) of the claimed solution. The solution is based on a software and hardware complex implemented on one or more computing devices, for example, on a smartphone (111) of the user (110), or a device associated with it, which can process incoming audio calls coming from a third-party subscriber (120). Audio calls should be understood, for example, calls via telephone, calls made via instant messengers (WhatsApp, Viber, Telegram, Facebook Messenger, etc.) via the Internet, including video calls.

[0029] Incoming audio calls from subscribers (120) are sent to further processing (200) performed using software logic implemented by a computing device, such as a smartphone (111). Processing (200) is performed by one or more machine learning models that are trained to process the incoming audio stream (audio track) to analyze for risk of fraudulent activity by the subscriber (120).

[0030] In FIG. 2A is a flow diagram of a method (200) for processing an audio stream when an incoming call is received. In the first step (201), an audio call is received and an incoming audio stream is captured. Capture can be carried out by means of dialogue recording widely known from the prior art, for example, using specialized software (Voice Recorder, Cube ACR, etc.). The resulting audio stream is processed in parallel to simultaneously analyze both the audio component and the semantics of the dialogue.

[0031] The audio stream received at step (201) is converted to a vector format (embedding, from English) at step (202) for subsequent transmission to the machine learning model at step (203) for analysis for a match with previously recorded scam voice embeddings. Transformation of the input audio stream can be performed using the IBM Audio Embedding Generator technology (https://developer.ibm.com/technologies/artificial-intelligence/models/max-generator/).

[0032] Previously known vector representations of audio streams for which fraudulent activity has been detected may be stored in a database (DB). The database of said embeddings can be located on a remote server, the connection with which is established via a smartphone (111) during an audio call. In this case, the database can also be duplicated directly on the device itself (111).

[0033] At step (204), based on the results of embedding processing, a decision is made about the nature of the caller's audio call using a machine learning model that classifies the incoming audio stream. If the comparison of the embeddings indicates that a match is found that is higher than the set threshold for classification by the machine learning model, then the audio call is classified as fraudulent (step 210). Otherwise, the audio call is classified as secure (block 220).

[0034] An example of such a model can be a support vector model, a linear or non-linear regression model, a k-neighbor model. One implementation uses a single closest entry search based on the Euclidean distance between vectors. In another implementation, the Mahalanobis distance may be used. Also, in one of the particular implementation examples, cosine distance, Pearson's correlation coefficient, Minkowski's r-power distance, and so on can be used.

[0035] In parallel with step (202), the audio stream is transcribed in step (205), for which the incoming audio stream is converted to text format. This procedure can be performed by various well-known algorithms that convert an audio track to text, for example, Speech-To-Text technology. A machine learning model may also be applied to perform the transcription procedure.

[0036] To perform the analysis of audio streams, an algorithm is also used to separate the voices of the interlocutors in a multi-voice dialogue, which cleans the audio tracks from noise and other types of artifacts, which provides a clearer audio signal. As an example, for this you can apply approaches based on NMF decomposition (Non-negative matrix factorization) of the original or transformed signal, the use of convolutional artificial neural networks (Convolutional Neural Network), “Cone of Silence” models and other approaches.

[0037] The text-translated audio stream is analyzed in step (206) to classify the caller's conversation pattern (120). Classification can be carried out using natural language analysis technologies (NLP - Natural Language Processing), including technologies based on machine learning. Using the trained model, at step (206), text data is analyzed for their subsequent assignment to classes that characterize fraudulent behavior, for example, indicating the fact of social engineering. An example of social engineering can be phrases in which the client (110) is required to urgently transfer his money to someone else's account, is asked to provide a full card number, is required to take a loan, is asked for a CVV code, a confirmation code or a code from SMS, etc.

[0038] By "class" or "classes" is meant at least a class containing fraud data or a class containing non-fraud data. Also, the classification may be fuzzy, when it is impossible to unambiguously classify - a fraudster and not a fraudster (2 classes); Grade 3 - scammer, not scammer, unknown; several classes - type A swindler, type B swindler and so on.

[0039] The output of the model in step (206) is the classification of the conversation pattern in step (207). The pattern should be understood, in particular, the words used in the conversation, the construction of phrases, the following of phrases one after another, etc. The classification model was trained on examples of dialogs, a confirmed fact of fraudulent activity, in particular, on patterns that allow for subsequent classification of data when processing input audio streams.

[0040] The dialogue pattern analysis model at step (206) is trained to characterize the degree of confidence in the assertion that the direct source of text data is a fraud or not a fraud. The model can carry out such an assessment on the basis of identification, cumulative analysis, comparison in terms of proximity to stable semantic structures of speech, typical replicas, patterns of the general meaning of the dialogue. As a result of the classification of the model at step (207), a decision is made to classify the incoming audio call as fraudulent activity (210) or safe (220).

[0041] Additionally, when performing the method (200), the analysis of the audio stream is carried out using an emotive-prosodic model (model with analysis of emotiveness and prosody), which allows at least to characterize the degree of reliability of the statement that the direct source of the audio recording is a fraudster or not a fraudster based on how at least one of the following characteristics: highlighting the general immanent properties of the language by expressing the psychological (emotional) state and experience of a person when he makes a fraudulent call, highlighting the common features of fraudsters in pronunciation, for example, such as pitch, strength / intensity, duration, aspiration, glottalization, palatalization , the type of adjunction of a consonant to a vowel and other features that are additional to the main articulation of sound, accent, intonation in general and other features of speech, as well as features of the background accompaniment of speech, elements of extraneous noise, and the like. The key feature of the model is that it allows you to identify and analyze the common features of audio tracks that contain elements of fraudulent actions, dialogues and other information that testify to varying degrees of fraudulent activity.

[0042] This model is trained on the basis of examples of audio streams previously marked as fraudulent, according to feedback from victims in fraudulent schemes. It is also possible to expand the database through data augmentation or based on self-generated fraudulent dialogs. Such generation can be carried out through the recording of dialogues in which the techniques and methods of fraudsters will be actively used, identified from the available data or formed independently.

[0043] Classifying an incoming audio call may generate a status notification displayed on the smartphone screen (111). Vibration, information transmission to an external device associated with a smartphone, such as a smart watch, and other types of notifications can also be used to inform the user (110) about the status of an incoming call.

[0044] In FIG. 2B is a block diagram of the steps for further processing audio calls as they are vectorized in step (202). Additional processing is performed using several machine learning models at step (230), which allow you to identify certain changes in the audio stream. At step (230), the audio stream is analyzed for voice changes (231), synthetic voice formation (232), presence of background overlay (233), presence of extraneous noise (234).

[0045] In steps (231, 232), the model analyzes whether the voice of the caller (120) has been programmatically changed, for example, by applying Deep Fake Voice algorithms, voice cloning algorithms, and the like. The model assesses the conformity of the input audio track with the natural recording of the human voice and its surrounding space or the presence of additional electronic processing, elements of artificial sound generation, full or partial synthesis of the recording. The implementation of this detection can be based on the detection of synthetic features and machine artifacts in the artificial generation of human speech. Examples of such features and artifacts can be unnatural monotony in speech, creaks in pronunciation, a lot of noise, and so on. This model allows at least to characterize the probability of the presence of intentional distortions in a natural recording or its artificial generation. One of the examples of the implementation of the model functionality can be the analysis of a graphical representation of the spectrograms of an audio recording or the use of “transformer” architectures, for example, based on neural networks. This implementation example, however, does not limit other particular forms of implementation of the implementation of the functionality of the above machine learning model.

[0046] At step (233), an analysis is made of the fact that the background is superimposed on the incoming audio stream, for example, to generate the sound activity of an office, a call center, etc. This approach can be used by scammers to mask the audio track and hide the place of the real call, which can also be established by extraneous noise during the call. The trained model at step (233) analyzes artifacts inherent in synthetic audio signals that are uncharacteristic of the real environment.

[0047] At step (234), an analysis is made of the presence of extraneous noise in the audio track during an incoming call, for example, in speech synthesis, as a rule, crackling in the recording, interference, etc. is observed. The model, providing the specified functionality, can also carry out analysis by comparing spectrograms or by another principle that allows you to establish "uncharacteristic" audio data for a normal call.

[0048] The applied model at step (230) allows super-additive (synergistically) to combine and analyze at least two of any outputs from the applied models. A distinctive feature is that such a model allows you to analyze in aggregate the output data from previous models and obtain more reliable estimates of the presence of fraudulent elements in the audio recording than any use of the outputs from the models on its own or simple generalization, such as calculating the average, extracting the maximum and the like. This effect can be achieved by combining several outputs into a common numerical vector (ordered sequence) and using neural networks as a classifier, obtaining characteristic objects of each class through the support vector or k-neighbors method, building ensembles or boosting decision trees.

[0049] The result of working out one or more models at step (230) is an additional classification of the incoming audio call for fraudulent activity (210) or the absence of such (220).

[0050] In FIG. 3 shows a particular case of performing a method (300) for protecting a subscriber (110) from fraudulent actions on incoming calls. When an incoming call is received at step (301) using the user's device (110), for example, a smartphone (111), a synthetic outgoing audio stream is activated at step (302), which acts as a robotic interlocutor (bot) from the user (110). Special software activates the specified dialogue algorithm for an incoming audio call. This is necessary in order to collect data and analyze the incoming call from the subscriber (120) for fraudulent activity. The generation of a synthetic outgoing from the user (110) audio track (audio stream) can be performed based on cloning or synthesizing according to the user's voice pattern (110). For this, various well-known solutions for generating audio data from given samples can also be used, for example, AI Voice Generator or similar solutions.

[0051] At step (303), the audio track of the incoming audio call captured by the bot goes through the processing steps of the above described method (200). A software bot can run on voice assistant technologies using machine learning models to capture incoming phrases and generate appropriate response voice commands. At step (304) the final classification of the incoming call occurs and the user (110) is notified of the status of the call, for example, by displaying on the screen of a smartphone (111). The dialogue by the bot can be conducted for a specified amount of time required to classify an incoming call. The time range may vary based on the conversation of the subscriber (120) as well as when one or more machine learning models are fired when performing the classification method shown in FIG. 2A-2B, and making an accurate judgment depending on the set call type classification threshold.

[0052] The claimed method can also be used to collect a vector representation of fraudulent voice tracks, dialogue patterns, and other information that is accumulated and used for subsequent training of machine learning models, as well as the formation of stop lists that identify fraudsters.

[0053] In FIG. 4 is a perspective view of a computing device (400) suitable for performing methods (200, 300). The device (400) may be, for example, a server or other type of computing device that can be used to implement the claimed technical solution, including: smartphone, tablet, laptop, computer, etc. The device (400) may also be part of a cloud computing platform.

[0054] In general, the computing device (400) contains one or more processors (401) connected by a common information exchange bus, memory means such as RAM (402) and ROM (403), input/output interfaces (404), input devices / output (405), and a device for networking (406).

[0055] The processor (401) (or multiple processors, multi-core processor) may be selected from a variety of devices currently widely used, such as Intel™, AMD™, Apple™, Samsung Exynos™, MediaTEK™, Qualcomm Snapdragon™, and etc. The processor (401) can also be a graphics processor such as Nvidia, AMD, Graphcore, etc.

[0056] RAM (402) is a random access memory and is designed to store machine-readable instructions executable by the processor (401) to perform the necessary data logical processing operations. The RAM (402) typically contains the executable instructions of the operating system and associated software components (applications, program modules, etc.).

[0057] A ROM (403) is one or more persistent storage devices such as a hard disk drive (HDD), a solid state drive (SSD), flash memory (EEPROM, NAND, etc.), optical storage media ( CD-R/RW, DVD-R/RW, BlueRay Disc, MD), etc.

[0058] Various types of I/O interfaces (404) are used to organize the operation of device components (400) and organize the operation of external connected devices. The choice of the appropriate interfaces depends on the specific design of the computing device, which can be, but not limited to: PCI, AGP, PS/2, IrDa, FireWire, LPT, COM, SAT A, IDE, Lightning, USB (2.0, 3.0, 3.1, micro , mini, type C), TRS/Audio jack (2.5, 3.5, 6.35), HDMI, DVI, VGA, Display Port, RJ45, RS232, etc.

[0059] To ensure user interaction with the computing device (400), various means (405) of I/O information are used, for example, a keyboard, a display (monitor), a touch screen, a touchpad, a joystick, a mouse, a light pen, a stylus, touch panel, trackball, speakers, microphone, augmented reality, optical sensors, tablet, indicator lights, projector, camera, biometric identification tools (retinal scanner, fingerprint scanner, voice recognition module), etc.

[0060] The network communication tool (406) provides data transmission by the device (400) via an internal or external computer network, for example, Intranet, Internet, LAN, etc. As one or more means (406), it can be used, but not limited to : Ethernet card, GSM modem, GPRS modem, LTE modem, 5G modem, satellite communication module, NFC module, Bluetooth and / or BLE module, Wi-Fi module, etc.

[0061] Additionally, satellite navigation tools in the device (400) can also be used, for example, GPS, GLONASS, BeiDou, Galileo.

[0062] The submitted application materials disclose preferred examples of the implementation of the technical solution and should not be interpreted as limiting other, particular examples of its implementation that do not go beyond the scope of the requested legal protection, which are obvious to specialists in the relevant field of technology.

Claims (22)

1. A computer-implemented method for analyzing dialogue during audio calls to detect fraudulent activity, performed by a processor and comprising the steps of: - receive an incoming audio stream coming from the calling party; - carry out the conversion of the incoming audio stream into vector form; - processing the converted audio stream using the first machine learning model, during which the vector form of the audio stream is compared with previously stored vectors characterizing fraudulent activity; - performing transcription of the audio stream and its subsequent processing using the second machine learning model, which performs the analysis of the dialogue of the calling party, while in the course of said analysis, the following is carried out: the semantic composition of information and the pattern of conducting a dialogue, while the pattern of conducting a dialogue includes an analysis of the words used in the conversation, an analysis of the construction of phrases, an analysis of the sequence of phrases one after another; the presence and duration of pauses in the dialogue of the incoming audio stream; - classifying the incoming audio stream based on the processing performed by the first and second machine learning models. 2. The method according to p. 1, characterized in that during the semantic analysis of the transcribed dialogue, the identification of words inherent in fraudulent activity is performed. 3. The method according to claim 1, characterized in that the additionally incoming audio stream is analyzed for at least one of: tonality, emotiveness, prosody, or combinations thereof. 4. The method according to claim 1, characterized in that the vector form of the incoming audio stream is analyzed for the presence of features selected from the group: voice change, synthetic voice formation, background audio stream overlay, or combinations thereof. 5. The method according to claim 1, characterized in that the outgoing audio stream is additionally analyzed. 6. The method according to claim 5, characterized in that the outgoing and incoming audio streams are separated. 7. The method according to claim 1, characterized in that at least one parameter of the incoming audio stream is additionally analyzed, selected from the group: pitch, sound intensity, speech intensity, word pronunciation duration, aspiration, glottalization, palatalization, consonant-to-vowel junction type or their combinations. 8. The method according to claim 1, characterized in that the presence of extraneous noise in the incoming audio stream is additionally analyzed. 9. The method according to p. 1, characterized in that it is performed on the user's device, which is a smartphone, tablet or computer. 10. The method according to claim 9, characterized in that upon receipt of the incoming audio track, a synthetic outgoing voice audio stream is generated. 11. The method according to claim 10, characterized in that the generation of the outgoing audio stream is performed before the classification of the input audio track. 12. The method according to claim 10, characterized in that the generation of a synthetic audio stream is based on the voice sample of the user of the device. 13. The method according to claim 1, characterized in that when classifying an incoming audio stream as fraudulent, its vector representation is saved. 14. The method of claim. 12, characterized in that when the incoming audio stream is classified as fraudulent, a status message is generated and displayed on the display of the device. 15. A system for analyzing dialogue during audio calls to detect fraudulent activity, comprising at least one processor and at least one memory storing machine-readable instructions that, when executed by the processor, implement the method according to any one of paragraphs. 1-14.

Images