WO2023032045A1 - 不正検知システム、不正検知方法、及びプログラム - Google Patents

不正検知システム、不正検知方法、及びプログラム Download PDF

Info

Publication number
WO2023032045A1
WO2023032045A1 PCT/JP2021/031999 JP2021031999W WO2023032045A1 WO 2023032045 A1 WO2023032045 A1 WO 2023032045A1 JP 2021031999 W JP2021031999 W JP 2021031999W WO 2023032045 A1 WO2023032045 A1 WO 2023032045A1
Authority
WO
WIPO (PCT)
Prior art keywords
service
fraud detection
fraud
user
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2021/031999
Other languages
English (en)
French (fr)
Japanese (ja)
Inventor
恭輔 友田
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Rakuten Group Inc
Original Assignee
Rakuten Group Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Rakuten Group Inc filed Critical Rakuten Group Inc
Priority to PCT/JP2021/031999 priority Critical patent/WO2023032045A1/ja
Priority to US17/908,234 priority patent/US20240211950A1/en
Priority to JP2022529390A priority patent/JP7165841B1/ja
Priority to TW111132894A priority patent/TWI825963B/zh
Publication of WO2023032045A1 publication Critical patent/WO2023032045A1/ja
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00Commerce
    • G06Q30/018Certifying business or products
    • G06Q30/0185Product, service or business identity fraud
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00Machine learning
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4016Transaction verification involving fraud or risk level assessment in transaction processing
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00Commerce
    • G06Q30/06Buying, selling or leasing transactions
    • G06Q30/0601Electronic shopping [e-shopping]
    • G06Q30/0609Qualifying participants for shopping transactions

Definitions

  • the present disclosure relates to fraud detection systems, fraud detection methods, and programs.
  • Patent Literature 1 describes a technique for learning a learning model of supervised learning based on training data in JSON format.
  • Patent Literature 2 describes a technique that uses a JSON format tree structure as the data structure of a learning model.
  • Patent Literature 3 describes a technique for learning a learning model using a JSON-formatted privacy policy as training data.
  • Patent Literature 4 describes a technology that causes a trained learning model to analyze metadata in a structured data format such as JSON format in order to prevent unauthorized acquisition of data on the cloud.
  • Patent Literature 5 describes a technique for verifying the validity of a request from an IoT device, which is described in structured data such as JSON format, in order to ensure the validity of the IoT device.
  • Patent Literatures 1-5 fraud detection engines such as learning models or rules are defined independently for individual services, so fraud trends in other services cannot be utilized. If the result of fraud detection in another service Y can be used to detect fraud in a certain service X, fraud in service X can be easily detected, and security can be improved.
  • One of the purposes of this disclosure is to enhance security.
  • a fraud detection system includes user characteristic information acquisition means for acquiring user characteristic information related to user characteristics in a first service, and user identification information acquisition means for acquiring user identification information capable of identifying the user. and a result information acquisition means for acquiring result information related to a result of fraud detection of the user in a second service different from the first service by a fraud detection engine for detecting fraud, based on the user identification information; Fraud detection means for detecting fraud in the first service based on the user characteristic information in the first service and the result information in the second service.
  • FIG. 3 is a functional block diagram showing an example of functions implemented in the first embodiment;
  • FIG. It is a figure which shows an example of a 1st service database. It is a figure which shows an example of a history database. It is a figure which shows an example of a 2nd service database. It is a figure which shows an example of a dishonesty information database. It is a figure which shows an example of the acquisition method of a 2nd fraud detection engine.
  • FIG. 4 is a flow chart showing an example of processing executed in the first embodiment
  • FIG. FIG. 9 is a functional block diagram showing an example of functions implemented in the second embodiment
  • It is a figure which shows an example of the fraud detection of the 1st service in 2nd Embodiment.
  • It is a figure which shows an example of a history database.
  • 4 is a flow chart showing an example of processing executed in the first embodiment
  • FIG. It is a functional block diagram of a modification concerning a 1st embodiment.
  • FIG. 11 is a functional block diagram of a modification according to the second embodiment;
  • FIG. 1 is a diagram showing an example of the overall configuration of a fraud detection system.
  • the fraud detection system S includes a first server 10 , a second server 20 and a user terminal 30 .
  • Network N is any network such as the Internet or a LAN.
  • the fraud detection system S only needs to include at least one computer, and is not limited to the example shown in FIG.
  • the first server 10 is the server computer of the first provider who provides the first service.
  • the first server 10 detects fraud in the first service.
  • the first service system including the first server 10 can be referred to as a first fraud detection system.
  • Control unit 11 includes at least one processor.
  • the storage unit 12 includes a volatile memory such as RAM and a nonvolatile memory such as a hard disk.
  • the communication unit 13 includes at least one of a communication interface for wired communication and a communication interface for wireless communication.
  • the second server 20 is the server computer of the second provider who provides the second service.
  • the second service is another service different from the first service.
  • the first and second providers are different in the first embodiment, the first and second providers may be the same. That is, the second service may be another service provided by the same provider as the first service.
  • the provider is a service operating company.
  • the second server 20 detects fraud in the second service.
  • the system of the second service including the second server 20 can be called a second fraud detection system.
  • the fraud detection system S includes two systems, a first fraud detection system for the first service and a second fraud detection system for the second service.
  • Physical configurations of the control unit 21, the storage unit 22, and the communication unit 23 are the same as those of the control unit 11, the storage unit 12, and the communication unit 13, respectively.
  • the user terminal 30 is the user's computer.
  • the user terminal 30 is a personal computer, smart phone, tablet terminal, or wearable terminal.
  • Physical configurations of the control unit 31, the storage unit 32, and the communication unit 33 are the same as those of the control unit 11, the storage unit 12, and the communication unit 13, respectively.
  • the operation unit 34 is an input device such as a touch panel.
  • the display unit 35 is a liquid crystal display or an organic EL display.
  • each computer has a reading unit (for example, a memory card slot) for reading a computer-readable information storage medium, and an input/output unit (for example, a USB port) for inputting/outputting data with an external device. At least one may be included.
  • a program stored in an information storage medium may be supplied via at least one of the reading section and the input/output section.
  • an SNS Social networking service
  • SNS Social networking service
  • SNS whose main purpose is to post images
  • SNS whose main purpose is to post short messages
  • the first service and the second service may be arbitrary services and are not limited to SNS. Examples of other services will be described in variations below.
  • the first embodiment describes a case where the user uses both the first service and the second service
  • the user may use only either the first service or the second service. It is sufficient that at least one user uses the first service and at least one user uses the second service. All users of the first service and all users of the second service do not have to match exactly.
  • the user has already registered for use of the first service and the second service.
  • the user has already issued a user ID and password for logging into the first service and a user ID and password for logging into the second service.
  • a login screen for logging in to the first service is displayed on the display unit 35.
  • FIG. 2 is a diagram showing an example of how a user uses the first service.
  • the user enters the user ID and password of the first service in the input forms F10 and F11 of the login screen G1 and selects the button B12.
  • the first server 10 permits login to the first service.
  • the home screen G2 of the first service is displayed on the display unit 35 .
  • the user uses the first service from the home screen G2.
  • a user can log in to the second service in the same flow as the first service and use the second service.
  • a malicious person may obtain another person's user ID and password by phishing, etc., and log in to at least one of the first service and second service by impersonating another person.
  • malicious users are referred to as unauthorized users.
  • a fraudulent user is a user who fraudulently uses at least one of the first service and the second service.
  • a user who does not cheat will be referred to as a legitimate user.
  • users When there is no distinction between authorized users and unauthorized users, they are simply referred to as users.
  • Improper acts are illegal acts, acts that violate the terms of use, or other nuisance acts.
  • spoofing unauthorized login
  • the fraud itself to be detected may be of various kinds and is not limited to impersonation. Fraud other than spoofing will be explained in a later modified example.
  • a fraud detection engine is a general term for programs or systems used in fraud detection.
  • the second service has not yet introduced a fraud detection engine, and that fraud is determined manually in response to reports from users. It is also assumed that spoofing is increasing in the second service and the introduction of a fraud detection engine is being considered.
  • the fraud detection engine of the first service will be referred to as the first fraud detection engine.
  • the fraud detection engine of the second service is referred to as a second fraud detection engine.
  • creating the second fraud detection engine from scratch is extremely time-consuming, so the first fraud detection engine is used to create the second fraud detection engine.
  • the first fraud detection engine may be copied as it is and used as the second fraud detection engine. Customized to fit.
  • first fraud detection engine itself, which is the source of the second fraud detection engine.
  • a first fraud detection engine including both learning models and rules is taken as an example.
  • the learning model and rules of the first fraud detection engine are referred to as the first learning model and the first rule.
  • the learning model and rules of the second fraud detection engine are referred to as a second learning model and a second rule.
  • learning models and the second learning model are simply referred to as learning models.
  • the first rule and the second rule are not distinguished, they are simply described as rules.
  • the learning model is a model that uses machine learning.
  • a learning model is sometimes called AI (Artificial Intelligence).
  • Machine learning itself can use various known methods.
  • Machine learning in the first embodiment includes deep learning and reinforcement learning.
  • the learning model may be supervised machine learning, semi-supervised machine learning, or unsupervised machine learning.
  • the learning model may be a neural network.
  • various known rules can be used. For example, rules include conditions that can be determined based on user characteristic information.
  • the user characteristic information is information related to user characteristics.
  • the user characteristic information may be static information or dynamic information.
  • Static information is pre-registered information. Static information is information that, in principle, does not change unless the user himself/herself changes it. For example, user ID, user name, gender, email address, age, date of birth, nationality, address, or a combination thereof correspond to static information.
  • Dynamic information is information about user behavior. Dynamic information is information that may change each time a user accesses it. For example, the location of the user terminal 30, the time when the fraud detection is performed, the identification information of the user terminal 30, or a combination thereof correspond to dynamic information.
  • FIG. 2 shows an example of user characteristic information acquired when a user logs into the first service.
  • user feature information in a data format defined by JSON which is a type of domain specific language
  • JSON which is a type of domain specific language
  • the data format itself may be a known format.
  • specific data contents are described in the portion surrounded by curly braces.
  • a character string is written in the part surrounded by double quotation marks. Numeric values are not enclosed in double quotes.
  • the first server 10 acquires user characteristic information as shown in FIG.
  • the user characteristic information includes data named "original”.
  • "original” further includes data named “userid”, “ipadress”, and "time”. These individual data are data indicating some characteristics of the user.
  • “userid” indicates the user ID entered by the user.
  • “ipaddress” indicates the IP address of the user terminal 30 .
  • “time” indicates the date and time when the login was requested.
  • “deviceid” indicates a device ID that can identify the user terminal 30 of the user. IP addresses can change with location, but device IDs do not change with location.
  • “name”, “posts”, “followers”, “following”, “gender”, “email”, and “age” are the user name associated with the user ID, number of posts, number of followers, number of followers, gender , email address, and age.
  • Information included in the user characteristic information may be arbitrary information, and is not limited to the example in FIG. In the first service, fraud is detected based on user characteristic information as shown in FIG.
  • FIG. 3 is a diagram showing an example of fraud detection flow in the first service.
  • the processing of S1 to S5 is processing of the first fraud detection engine.
  • the first server 10 acquires user characteristic information (S2).
  • S2 user characteristic information
  • a tallying process or the like for acquiring information to be used for fraud detection is executed.
  • Calculation results such as aggregation processing are added to the user characteristic information one after another.
  • Various known methods can be used for this calculation itself.
  • the added data also conforms to the JSON data format.
  • the first server 10 identifies the municipality corresponding to the IP address based on "ipadress” and calculates the distance from the user's usual usage center. The first server 10 adds this distance to the user feature information with the data name of "feature1". Based on “time”, the first server 10 counts the number of logins made with the user ID indicated by "userid” during the current time period. The first server 10 adds this number of times to the user characteristic information with the data name of "feature2". In addition, for example, the first server 10 can execute various calculations. The first server successively stores the calculation results in the user characteristic information under a predetermined data name. These calculations may be performed by computers other than the first server 10 .
  • the first server 10 inputs the user feature information to the first learning model and acquires the score output from the first learning model (S3).
  • the first server 10 determines whether or not the first rule is met based on the user characteristic information (S4). As shown in FIG. 3, multiple first rules may exist, or only a single first rule may exist.
  • the first server 10 stores the score of the first learning model and the determination result of the first rule in the history database DB2, which will be described later (S5).
  • the first server 10 permits login if neither the score of the first learning model nor the determination result of the first rule indicates fraud.
  • the first server 10 does not permit login if at least one of the score of the first learning model and the determination result of the first rule indicates fraud. In this case, additional authentication using other passwords or biometric authentication may be required.
  • the confirmation timing for confirming whether or not it is fraudulent arrives (S6).
  • the length of this period may be common to all users, or may be a length depending on the user.
  • the administrator of the first service uses the user characteristic information and other information to determine whether or not it is fraudulent.
  • the first server 10 stores the determination result as to whether or not it is illegal in the history database (S7).
  • the tendency of unauthorized users in the first service may be similar to the tendency of unauthorized users in the second service.
  • an unauthorized user who has committed fraud in the first service may attempt to commit fraud in the second service using the same user terminal 30 at the same time, from the same IP address, and from the same location.
  • the legitimate user that the unauthorized user tries to impersonate may be similar in age, number of followers, and the like.
  • the fraud tendency of the first service and the fraud tendency of the second service are similar, even if the first fraud detection engine is diverted to the second fraud detection engine, the accuracy is sufficiently high. Fraud detection is possible. However, there is a possibility that the fraud tendencies of the first service and the fraud tendencies of the second service are different. In this case, even if the first fraud detection engine is used to create the second fraud detection engine, there is a possibility that fraud in the second service cannot be detected. That is, spoofing in the second service becomes possible, and there is a possibility that the security of the second service cannot be enhanced.
  • the fraud detection system S of the first embodiment determines whether the fraud that actually occurred in the second service can be detected by the second fraud detection engine created by using the first fraud detection engine. .
  • This second fraud detection engine is applied when it is determined that fraud actually occurring in the second service can be detected. This simplifies the creation of the second fraud detection engine and enhances security in the second service.
  • FIG. 4 is a functional block diagram showing an example of functions implemented in the first embodiment.
  • the data storage unit 100 is realized mainly by the storage unit 12 .
  • the user ID acquisition unit 101 , the user characteristic information acquisition unit 102 , and the fraud detection unit 103 are realized mainly by the control unit 11 .
  • the data storage unit 100 stores data necessary for detecting fraud in the first service.
  • the data storage unit 100 stores a first service database DB1 and a history database DB2.
  • FIG. 5 is a diagram showing an example of the first service database DB1.
  • the first service database DB1 is a database that stores information about users of the first service.
  • the first service database DB1 stores user IDs, passwords, user information, usage status information, and usage history information in association with each other.
  • a certain user completes registration for use of the first service, a new record is created in the first service database DB1, and the user ID and the like of this user are stored.
  • a user ID is an example of user identification information that can identify a user. Therefore, the user ID can be read as user identification information.
  • the user identification information may be information called by a name other than the user ID. For example, information called a user name, user account, or login ID may correspond to user identification information. Information such as an email address or phone number may be used as user identification information.
  • a password is authentication information required for login.
  • User information is information registered by the user.
  • user information includes user name, gender, email address, and age.
  • the user information may include other information such as nationality, telephone number, date of birth, zip code, address, occupation, annual income, user ID of other services linked with the first service, or family composition.
  • User information may include attributes (eg, age group, hobbies, etc.) to classify the user in some way.
  • Each content indicated by the user information is one of the features of the user.
  • the usage status information is information about the usage status of the first service.
  • the usage information includes the number of posts, the number of followers, the number of followers, content of posts, comments from other users, messages between users, and settings of the first service.
  • the user's usage information is updated.
  • a user's usage information may be updated by another user's usage.
  • a user's usage information may be updated as other users follow or comment on it.
  • Each content indicated by the usage information is one of user characteristics.
  • the usage history information is information related to the usage history of the first service.
  • the usage history can also be called an action history.
  • the usage status information is information about the current usage status, while the usage history information is information about the past usage status.
  • the usage history information stores the time of the past login, the IP address used in the past login, the device ID of the user terminal 30 used in the past login, and the user's behavior in the past login.
  • the usage history information is updated when login occurs.
  • Each content indicated by the usage history information is one of user characteristics.
  • FIG. 6 is a diagram showing an example of the history database DB2.
  • the history database DB2 is a database that stores a history of fraud detection in the first service.
  • the history database DB2 stores user characteristic information, result information, and status information.
  • a login to the first service occurs, a new record is created in the history database DB2, and information regarding fraud detection executed at the time of this login is stored.
  • the result information is information about the result of fraud detection.
  • the result information indicates whether or not it is fraudulent (presence or absence of fraud), but the result information may be a score indicating suspicion of fraud. If the score is expressed numerically, the higher the score, the higher the suspicion of fraud. Conversely, the score may indicate legitimacy. In this case, the lower the score, the higher the suspicion of fraud. Scores may be represented by characters such as S rank, A rank, and B rank in addition to numerical values. The score can also be referred to as the probability or likelihood of fraud.
  • the status information is information about the fraud detection status.
  • the result of fraud detection executed at the time of login is finalized when the confirmation timing arrives, so the status information indicates whether or not the result of fraud detection has been finalized.
  • "Undetermined” in FIG. 6 indicates that the determined timing has not yet come.
  • "Confirmed” in FIG. 6 indicates that the confirmation timing has come. Since the first fraud detection engine may make an erroneous judgment, the unconfirmed result information may be corrected by the administrator of the first service.
  • the data stored in the data storage unit 100 is not limited to the above examples.
  • the data storage unit 100 can store arbitrary data.
  • the data storage unit 100 stores a first fraud detection engine.
  • the first fraud detection engine includes the first learning model and the first rule, so the data storage unit 100 stores the learned first learning model, data indicating the content of the first rule, memorize
  • the first server 10 acquires training data for the first learning model based on user feature information in fraud that actually occurred.
  • This training data may be created by the administrator of the first service, or may be obtained using a known automatic generation method.
  • the training data is paired with user feature information as an input part and an output part as to whether or not it is fraudulent.
  • the first server 10 learns the first learning model so that the output portion of the training data is output when the input portion of the training data is input.
  • a method used in known machine learning may be used.
  • the first server 10 records the learned first learning model in the data storage unit 100 .
  • the first server 10 may record the first learning model trained using unsupervised learning or semi-supervised learning in the data storage unit 100 .
  • the first server 10 records in the data storage unit 100 the first rule created by the administrator of the first service.
  • the first rule does not have to be created manually by the administrator, and a known rule creation method may be used.
  • the first rule may be generated using machine learning to create a decision tree.
  • the first rule is not limited to detecting fraud, and may be used to detect legitimacy. For example, it may be a first rule for judging that a user who meets a certain condition is legitimate.
  • a user ID acquisition unit 101 acquires a user ID. This user ID is the user ID of the user who is the target of fraud detection. In the first embodiment, since fraud detection is executed when a login is requested, the user ID obtaining unit 101 obtains the user ID for which the login is requested. For example, the user ID acquisition unit 101 acquires the user ID entered in the input form F10 of the login screen G1.
  • the user characteristic information acquisition unit 102 acquires user characteristic information regarding user characteristics in the first service. This user is a target user for fraud detection. Details of the user characteristic information are as described above.
  • user feature information in a data format related to a domain-specific language such as JSON is used. Therefore, the user feature information acquisition unit 102 acquires user feature information in a data format related to a predetermined domain-specific language. .
  • the user characteristic information acquisition unit 102 acquires user characteristic information based on the user ID acquired by the user ID acquisition unit 101.
  • the user characteristic information acquisition unit 102 refers to the first service database DB1 and acquires user characteristic information based on all or part of the user information associated with this user ID.
  • the user characteristic information acquisition unit 102 obtains the user name, the number of posts, the number of followers, the number of followers, gender, e-mail address, and age associated with this user ID. Acquired as feature information.
  • the data name such as "name” included in the user characteristic information and the field name of the first service database DB1 may be the same or different. If these names are different, it is assumed that the data storage unit 100 stores data indicating the relationship between the data name such as "name” and the field name of the first service database DB1.
  • the user characteristic information acquisition unit 102 acquires the information of the field predetermined as the field used for fraud detection from the first service database DB1, and after the character string indicating the data name corresponding to the field name of the field, , acquire user characteristic information such that the acquired information is described.
  • the user characteristic information acquisition unit 102 may acquire user characteristic information based on information acquired from the user terminal 30.
  • the user terminal 30 transmits its own IP address and device ID when requesting login to the first server 10 .
  • the user characteristic information acquisition unit 102 acquires user characteristic information such that the IP address and device ID obtained from the user terminal 30 are described after the character strings indicating the data names of "ipadress" and "deviceid".
  • the device ID may be the individual identification number of the user terminal 30 or the ID stored in the SIM card, but may be the ID issued by the first server 10 in the first embodiment.
  • the first server 10 issues a device ID that can identify this user terminal 30 .
  • This device ID is recorded in this user terminal 30 .
  • the user terminal 30 may transmit the device ID to the first server 10 at the time of login.
  • the user characteristic information acquisition unit 102 acquires the user characteristic information so that the current date and time are written after the character string indicating the data name of "time”. do.
  • the current date and time may be obtained using a real-time clock, GPS, or the like.
  • the user characteristic information acquisition unit 102 acquires user characteristic information such that when a login is requested from the user terminal 30, the user ID for which the login is requested is described after the character string indicating the data name of "userid". to get
  • the user characteristic information acquisition unit 102 acquires information to be used for fraud detection through calculation such as aggregation processing. For example, the user characteristic information acquisition unit 102 calculates the center of usage of the user based on usage history information associated with the user ID acquired by the user ID acquisition unit 101 . The usage center is the average location of usage locations over the entire past period or part of the period. The user characteristic information acquisition unit 102 calculates the distance between the position estimated from the IP address of the user terminal 30 and the center of use. The user feature information acquisition unit 102 acquires user feature information so that this distance is described after the character string indicating the data name of "feature1".
  • the user characteristic information acquisition unit 102 calculates the number of times of past usage in the current time slot based on usage history information associated with the user ID acquired by the user ID acquisition unit 101 . Further, based on this usage history information, the user characteristic information acquisition unit 102 identifies device IDs and IP addresses that have been used in the past. The user characteristic information acquisition unit 102 acquires the user characteristic information so that the calculated number of times of use and the specified device ID and IP address are described after the character string indicating the data name of "feature2". to get
  • the user characteristic information acquisition unit 102 acquires user characteristic information so that calculation results used for fraud detection are added one after another.
  • Various methods can be used to acquire the user characteristic information, and the method is not limited to the example of the first embodiment.
  • the user characteristic information acquisition unit 102 may acquire user characteristic information without executing calculation such as aggregation processing.
  • the user characteristic information acquisition unit 102 may acquire user characteristic information so as to include only calculation such as aggregation processing.
  • the fraud detection unit 103 detects fraud in the first service based on the user feature information and the first fraud detection engine. For example, the fraud detection unit 103 acquires the output from the first learning model of the first fraud detection engine based on the user feature information. When the user characteristic information is input, the first learning model calculates and outputs a score indicating suspicion of fraud based on the user characteristic information. When the first learning model is a neural network, the input user feature information is convoluted as necessary. The fraud detection unit 103 acquires the score output from the first learning model. The first learning model may output a label indicating whether it is fraudulent or not instead of the score. In this case, the fraud detection unit 103 acquires the label output from the first learning model.
  • the fraud detection unit 103 determines whether or not the conditions included in the first rule of the first fraud detection engine are satisfied based on the user characteristic information. It is assumed that each condition is associated with the determination result of the presence or absence of dishonesty when the condition is satisfied. That is, each condition defines whether the fulfillment of this condition means that it is illegal or that it is valid.
  • the fraud detection unit 103 determines whether or not the first rule 1-1 is satisfied based on the user characteristic information. For example, the fraud detection unit 103 determines whether the distance from the center of use included in the user characteristic information is 50 km or more. If the distance is 50 km or more, the fraud detection unit 103 determines that it is fraudulent. If the distance is less than 50 km, the fraud detection unit 103 determines that there is no fraud.
  • the fraud detection unit 103 determines whether or not the first rule 1-2 is satisfied based on the user characteristic information. For example, the fraud detection unit 103 determines whether or not the number of times of use for each time slot included in the user characteristic information is less than two. The fraud detection unit 103 determines whether or not the device ID included in the user characteristic information is included in the usage history information, thereby determining whether or not the device is normally used. The fraud detection unit 103 determines that the device is fraudulent if it is used less than twice and the device is not normally used. The fraud detection unit 103 determines that the device is legitimate if the device is used twice or more in a time period, or if the device is used regularly.
  • the fraud detection unit 103 determines whether or not the first rule 1-3 is satisfied based on the user characteristic information. For example, the fraud detection unit 103 determines whether or not the number of posts included in the user characteristic information is 500 or more. The fraud detection unit 103 determines whether or not the number of followers included in the user characteristic information is 1000 or more. The fraud detection unit 103 determines whether or not the IP address included in the user characteristic information is included in the usage history information, thereby determining whether or not it is the first IP address. If the number of posts is 500 or more, the number of followers is 1000 or more, and the IP address is the first one, the fraud detection unit 103 determines that it is fraudulent. The fraud detection unit 103 determines that the number of posts is less than 500, the number of followers is less than 1000, or an IP address that has been used is valid.
  • the fraud detection unit 103 similarly determines whether the other first rules are satisfied based on the user characteristic information.
  • the fraud detection unit 103 may determine fraudulent when a predetermined number or more of the first rules match.
  • the fraud detection unit 103 determines that the user attempting to log in is fraudulent when the score from the first learning model is equal to or greater than the threshold, or when the result of fraud is obtained according to the first rule.
  • the fraud detection unit 103 determines that the user attempting to log in is fraudulent when the score from the first learning model is equal to or greater than the threshold and the result of fraud is obtained according to the first rule.
  • the fraud detection unit 103 determines whether or not the user attempting to log in is fraudulent, based on the score from the first learning model and the number of first rules that result in fraud. You may
  • the data storage unit 200 is implemented mainly by the storage unit 22 .
  • Other functions are realized mainly by the control unit 21 .
  • the data storage unit 200 stores data necessary for detecting fraud in the second service.
  • the data storage unit 200 stores a second service database DB3 and a fraud information database DB4.
  • FIG. 7 is a diagram showing an example of the second service database DB3.
  • the second service database DB3 is a database that stores information on users of the second service.
  • the second service database DB3 stores user IDs, passwords, user information, usage status information, and usage history information in association with each other. These pieces of information differ from the first service database DB1 in that they relate to the second service, but the details of each piece of information may be the same as those of the first service.
  • FIG. 8 is a diagram showing an example of the fraud information database DB4.
  • the fraud information database DB4 is a database that stores fraud information related to fraud that has actually occurred in the second service. Fraud information is information indicating details of fraud.
  • the unauthorized information includes user characteristic information of unauthorized users of the second service. The meaning of the user characteristic information is the same as that of the first service.
  • the user feature information of the second service also has a data format related to a domain-specific language such as JSON.
  • the data name included in the user characteristic information of the second service and the data name included in the user characteristic information of the first service may be different. These data names are different, but what the data indicate is the same or similar.
  • the fraud information database DB4 stores fraud information including user characteristic information and result information.
  • the meaning of result information is the same as that of the first service.
  • the fraud information includes the user characteristic information of the fraudulent user in the second service, so the result information indicates fraud.
  • the fraudulent information may include user characteristic information of legitimate users in the second service.
  • the characteristics of legitimate users are also information that can be used for fraud detection, and are one piece of information about fraud that actually occurred in the second service. If the fraudulent information includes the user characteristic information of the legitimate user in the second service, the result information indicates legitimate.
  • the engine acquisition unit 201 acquires a second fraud detection engine for detecting fraud in the second service based on the first fraud detection engine for detecting fraud in the first service.
  • a second fraud detection engine is based at least in part on the first fraud detection engine.
  • the second fraud detection engine may be created by manually customizing the first fraud detection engine by an administrator of the second service.
  • the engine acquisition unit 201 acquires the second fraud detection engine from the terminal of the administrator of the second service.
  • the engine acquisition unit 201 automatically customizes the first fraud detection engine to perform the second fraud detection engine.
  • the case of acquiring the detection engine will be explained.
  • the engine acquisition unit 201 customizes the first fraud detection engine by changing all or part of the content of the first fraud detection engine based on a predetermined method.
  • the engine acquisition unit 201 may customize the first fraud detection engine by deleting part of the contents of the first fraud detection engine.
  • the engine acquisition unit 201 may customize the first fraud detection engine by adding functions to the first fraud detection engine.
  • the engine acquisition unit 201 may combine these changes, deletions, and additions.
  • the engine acquisition unit 201 changes the data name included in the user characteristic information used by the first fraud detection engine to the data name used by the second service.
  • the engine acquisition unit 201 acquires the second fraud detection engine that uses the user characteristic information including the changed data name, which is in the data format related to the domain specific language.
  • data indicating the relationship between the data name in the first service and the data name in the second service is stored in the data storage unit 200 in advance.
  • These data names have the same or similar meanings. For example, if a user ID defined by the data name "userid” in the first service is defined by the data name "loginid” in the second service, then the data name “userid” of the first service and , and the data name of "loginid” of the second service.
  • the engine acquisition unit 201 customizes the first fraud detection engine by changing the data name portion of "userid” included in the first fraud detection engine to the data name of "loginid" of the second service.
  • the engine acquisition unit 201 customizes the first fraud detection engine by changing the data name portion of "time” included in the first fraud detection engine to the data name of "date/time” of the second service. . If there is any other data whose data name needs to be changed, the engine acquisition unit 201 customizes the first fraud detection engine by changing the data name to match the second service.
  • the second fraud detection engine does not include the second learning model, but includes only the second rule.
  • the engine acquisition unit 201 acquires the second rule included in the second fraud detection engine based on the first rule included in the first fraud detection engine. For example, the engine acquisition unit 201 creates the second rule by changing the data name included in the first rule to the data name of the second service.
  • FIG. 9 is a diagram showing an example of an acquisition method for the second fraud detection engine.
  • the engine acquisition unit 201 determines A second rule 2-1 is created by changing the data name of "feature1" to "distance".
  • the threshold of the first rule 1-1 may be changed.
  • the method of changing the threshold value magnification, difference, etc.
  • the engine acquisition unit 201 changes the threshold of the first rule 1-1 and determines it as the threshold of the second rule 2-1.
  • Other thresholds that need to be changed are similarly changed.
  • the engine acquisition unit 201 creates a second rule by changing the data name of "feature2" of the first rule to two data names of "featureA" and "featureB".
  • the engine acquisition unit 201 customizes the first rule and acquires the second rule by changing the data name to match the second service.
  • the fraud information acquisition unit 202 acquires fraud information about fraud that actually occurred in the second service.
  • the fraud information acquisition unit 202 acquires multiple pieces of fraud information corresponding to multiple frauds that have actually occurred in the second service. Since each piece of fraud information is stored in the fraud information database DB4, the fraud information acquisition unit 202 acquires a plurality of fraud information stored in the fraud information database DB4.
  • the fraudulent information acquisition unit 202 may acquire all the fraudulent information stored in the fraudulent information database DB4, or may acquire only part of the fraudulent information.
  • the determination unit 203 determines whether fraud in the second service can be detected by the second fraud detection engine. That is, the determination unit 203 evaluates the accuracy of the second fraud detection engine. If the accuracy of the second fraud detection engine is equal to or higher than the threshold, it means that fraud in the second service can be detected by the second fraud detection engine. If the accuracy of the second fraud detection engine is less than the threshold, it means that fraud in the second service cannot be detected by the second fraud detection engine.
  • the determination unit 203 determines whether fraud in the second service can be detected by the second rule based on the fraud information. . For example, the determination unit 203 calculates the accuracy rate of the second fraud detection engine based on multiple pieces of fraud information. The determination unit 203 acquires m fraud detection results output from the second fraud engine based on the m fraud information. The judging unit 203 calculates the rate of incorrect results among the m results as the correct answer rate.
  • the determination unit 203 determines whether fraud in the second service can be detected by the second fraud detection engine based on the calculated accuracy rate. If the accuracy rate is equal to or higher than a threshold value (for example, about 60% to 90%), it means that fraud in the second service can be detected by the second fraud detection engine. If the accuracy rate is less than the threshold, it means that fraud in the second service cannot be detected by the second fraud detection engine. Note that the determination unit 203 may determine whether detection is possible by the second fraud detection engine using an index other than the accuracy rate. For example, precision or recall may be utilized. Log Loss or the like may be used as long as the second fraud detection engine includes a learning model, as in a modified example described later.
  • a threshold value for example, about 60% to 90%
  • the application unit 204 applies the second fraud detection engine to the second service when it is determined that fraud in the second service can be detected by the second fraud detection engine.
  • Applying the second fraud detection engine to the second service means recording the second fraud detection engine in the data storage unit 200 .
  • Executing fraud detection with the second fraud detection engine is equivalent to applying the second fraud detection engine to the second service. That is, starting the actual operation of the second fraud detection engine corresponds to applying the second fraud detection engine to the second service.
  • the second fraud detection engine includes the second rule. Therefore, when it is determined that fraud in the second service can be detected by the second rule, the application unit 204 detects the second service. Apply the second rule to
  • Data storage unit 300 is realized mainly by storage unit 32 . Other functions are realized mainly by the control unit 31 .
  • the data storage unit 300 stores data required to provide at least one of the first service and the second service.
  • the display control unit 301 causes the display unit 35 to display various screens.
  • a reception unit 302 receives various operations from the operation unit 34 .
  • FIG. 10 is a flow chart showing an example of processing executed in the first embodiment. This processing is executed by the control units 11, 21 and 31 operating according to the programs stored in the storage units 12, 22 and 32, respectively.
  • the user terminal 30 requests the first server 10 to log in to the first service (S100).
  • the first server 10 acquires user characteristic information based on the first service database DB1 (S101), and executes fraud detection using the first fraud detection engine. (S102). Note that if the combination of the user ID and password does not exist in the first service database DB1, the processes of S101 and S102 are not executed, and login to the first service is not executed.
  • the first server 10 refers to a record in the first service database DB1 in which the user ID requested to log in is stored.
  • the first server 10 acquires all or part of the user information and usage information of this record as static information of user characteristic information.
  • the first server 10 acquires information such as the IP address included in the login request from the user terminal 30 as dynamic information of the user characteristic information.
  • the first server 10 executes calculation such as the tabulation process described above based on the usage history information of this record, and successively adds it to the user characteristic information.
  • the first server 10 acquires the score output from the first learning model based on the user characteristic information acquired at S101.
  • the first server 10 determines that it is illegal when the score is equal to or greater than the threshold.
  • the first server 10 determines whether individual conditions included in the first rule are satisfied based on the user characteristic information acquired in S101.
  • the first server 10 determines that it is illegal when the first rule equal to or greater than the threshold is satisfied.
  • the first server 10 determines fraud when the result of fraud detection of at least one of the first learning model and the first rule is fraudulent.
  • the first server 10 determines that it is legitimate when the fraud detection result of both the first learning model and the first rule is not fraudulent.
  • the first server 10 updates the history database DB2 based on these determination results.
  • the first server 10 If fraud is detected in S102 (S102; fraudulent), the first server 10 does not allow the user to log in, and causes the user terminal 30 to display a predetermined error message (S103). In S102, if fraud is not detected (S102; legitimate), the first server 10 logs the user into the first service (S104). After that, the user uses the first service. When the user uses the first service, the usage status information and usage history information stored in the first service database DB1 are updated. When the confirmation timing comes, the first server 10 confirms the presence or absence of fraud (S105). In S105, the first server 10 acquires the confirmation result of the presence or absence of fraud from the terminal of the manager of the first service, and updates the history database DB2.
  • the second server 20 acquires the second fraud detection engine based on the first fraud detection engine (S106).
  • the acquisition method of the second fraud detection engine is as described above.
  • the second server 20 acquires fraud information by referring to the fraud information database DB4 (S107).
  • the second server 20 acquires the accuracy rate of the second fraud detection engine acquired in S106 based on the fraud information acquired in S107 (S108).
  • the second server 20 determines whether or not the accuracy rate of the second rule obtained in S108 is equal to or greater than the threshold (S109). If it is determined that the accuracy rate is equal to or higher than the threshold (S109; Y), the second server 20 applies the second fraud detection engine to the second service (S110). After that, through the same processing as S100 to S105 in the first service, fraud in the second service is detected using the second fraud detection engine. If it is determined that the accuracy rate is less than the threshold (S109; N), the second server 20 terminates this process without applying the second fraud detection engine to the second service.
  • the second fraud detection engine is acquired based on the first fraud detection engine, and it is determined that fraud in the second service can be detected by the second fraud detection engine. If so, apply the second fraud detection engine to the second service. This simplifies the creation of the second fraud detection engine and enhances security in the second service. For example, after verifying the accuracy of a second fraud detection engine created by using the first fraud detection engine, the second fraud detection engine is applied to the second service. A highly accurate second fraud detection engine capable of detecting fraudulent activity can be applied to the second service. Further, by using the first fraud detection engine that is actually applied to the first service, the second fraud detection engine can be highly accurate.
  • the fraud detection system S applies the second rule to the second service when it is determined that fraud in the second service can be detected by the second rule based on the fraud information. This simplifies creation of the second rule and increases security in the second service. For example, it is possible to prevent the administrator of the second service from having to create the second rule from scratch.
  • the fraud detection system S determines whether fraud in the second service can be detected by the second fraud detection engine based on the accuracy rate of the second fraud detection engine. As a result, the second fraud detection engine with high fraud detection accuracy for the second service is applied, and security in the second service is enhanced.
  • the fraud detection system S acquires a second fraud detection engine that uses a domain-specific language based on a first fraud detection engine that uses a predetermined domain-specific language.
  • a domain-specific language By using a domain-specific language, it becomes easier to reuse the first fraud detection engine, so it becomes easier to create the second fraud detection engine.
  • the second fraud detection engine can be created while maintaining the data format of the user feature information input to the first fraud detection engine to some extent, the effort required to create the second fraud detection engine can be reduced more effectively.
  • the second fraud detection engine can be created simply by changing the data name of the JSON data format or changing the numerical threshold indicated by the data of this data name.
  • the second fraud detection engine in the second embodiment does not have to be acquired as in the first embodiment. That is, the fraud detection system S of the second embodiment does not have to be based on the fraud detection system S of the first embodiment.
  • the fraud detection system S of the second embodiment can omit the functions described in the first embodiment.
  • the second fraud detection engine may be created by an administrator of the second service without using the first fraud detection engine.
  • FIG. 11 is a functional block diagram showing an example of functions implemented in the second embodiment.
  • a data storage unit 100, a user ID acquisition unit 101, and a user characteristic information acquisition unit 102 are the same as in the first embodiment.
  • the fraud detection unit 103 has functions common to those of the first embodiment, but some functions are different.
  • the result information acquisition unit 104 is implemented mainly by the control unit 11 .
  • the result information acquisition unit 104 acquires result information regarding the result of fraud detection of the user in the second service, which uses a different fraud detection engine for detecting fraud than the first service.
  • This user ID may be the user ID for the first service or the user ID for the second service.
  • fraud detection of the second service is executed based on the user feature information in the data format of a predetermined domain-specific language. obtain result information about the result of fraud detection in the second service performed using the user characteristic information in the form;
  • the data storage unit 100 stores data indicating the relationship between a certain user's user ID for the first service and this user's user ID for the second service.
  • the user ID for the first service will be referred to as the first user ID
  • the user ID for the second service will be referred to as the second user ID.
  • user IDs When not distinguishing between them, they are simply referred to as user IDs.
  • the result information acquisition unit 104 acquires result information based on the second user ID associated with the first user ID acquired by the user ID acquisition unit 101.
  • the result information acquisition unit 104 requests the second server 20 for result information associated with the second user ID associated with the first user ID.
  • the second server 20 refers to the history database DB5, which will be described later, and transmits the result information associated with this second user ID to the first server 10.
  • FIG. The result information acquisition unit 104 acquires result information transmitted by the second server 20 .
  • the data storage unit 200 of the second server 20 may be associated with the first user ID of a certain user and the second user ID of this user.
  • the result information acquisition unit 104 requests result information from the second server 20 together with the first user ID acquired by the user ID acquisition unit 101 .
  • the second server 20 receives this request, it acquires the second user ID associated with this first user ID.
  • the second server 20 refers to a history database DB5, which will be described later, and transmits the result information associated with this second user ID to the first server 10.
  • the result information acquisition unit 104 acquires result information transmitted by the second server 20 .
  • the result information acquisition unit 104 may request the result information together with the user ID acquired by the user ID acquisition unit 101 from the second server 20 .
  • the second server 20 refers to the history database DB5, which will be described later, and transmits the result information associated with this user ID to the first server 10.
  • FIG. The result information acquisition unit 104 acquires result information transmitted by the second server 20 .
  • FIG. 12 is a diagram showing an example of fraud detection of the first service in the second embodiment.
  • data indicating the result of fraud detection in the second service is added to the user characteristic information in the first service.
  • the data with the data name "service2" is the result information of the second service.
  • the first learning model of the first fraud detection engine executes fraud detection using the result of fraud detection in the second service as one of the feature quantities.
  • One of the conditions of the first rule of the first fraud detection engine is the result of fraud detection in the second service.
  • the fraud detection unit 103 detects fraud in the first service based on user feature information in the first service and result information in the second service. For example, the fraud detection unit 103 detects fraud in the first service based on user feature information in the first service and result information based on the second rule in the second service. The fraud detection unit 103 incorporates the result information of the second service into part of the user feature information of the first service, and detects fraud of the first service based on the user feature information including the result information.
  • result information in the second service is included as one of the conditions of the first rule. For example, if the result information of the second service indicates fraud, the fraud detection unit 103 determines that the first service is also fraudulent. In addition, for example, when the result information indicates a score, the fraud detection unit 103 determines that the sum of the score output by the first learning model of the first fraud detection engine and the score indicated by the result information is equal to or greater than the threshold. Fraud in the first service may be detected by determining whether or not. Furthermore, the first learning model is trained based on the training data including the result information of the second service, and the fraud detection unit 103 inputs the user characteristic information including the result information to the first learning model. You can get the output from Each process executed by the fraud detection unit 103 may be automatically executed by a learning model using machine learning.
  • the fraud detection unit 205 is implemented mainly by the control unit 21 .
  • the fraud detection unit 205 detects fraud in the second service based on the second fraud detection engine.
  • the fraud detection unit 205 is different from the fraud detection unit 103 of the first server 10 in that it detects fraud in the second service, and the fraud detection method itself is the same. Therefore, the fraud detection processing of the fraud detection unit 205 is the same as the fraud detection processing of the fraud detection unit 103 .
  • a second rule is used that includes judgment conditions regarding fraud in the second service.
  • the result information which is the determination result of the fraud detection unit 205, indicates the result of fraud detection in the second service determined based on the second rule.
  • the engine acquisition unit 201, the fraud information acquisition unit 202, the determination unit 203, and the application unit 204 are the same as those in the first embodiment.
  • the data storage unit 100 is similar to that of the first embodiment, but differs in some functions.
  • FIG. 13 is a diagram showing an example of the history database DB5.
  • the history database DB5 is a database that stores a history of fraud detection in the second service.
  • the history database DB5 stores user characteristic information, result information, and status information.
  • a login to the second service occurs, a new record is created in the history database DB2, and information regarding fraud detection executed during this login is stored.
  • This information differs from the history database DB2 in that it relates to the second service, and the details of each piece of information are the same as those of the first service. It may be the same as the first service that the presence or absence of fraud is determined when a certain amount of time has passed since the login and the determination timing has arrived.
  • FIG. 14 is a flowchart illustrating an example of processing performed in the first embodiment; This processing is executed by the control units 11, 21 and 31 operating according to the programs stored in the storage units 12, 22 and 32, respectively.
  • fraud detection in the first service is executed between the first server 10 and the user terminal 30, and fraud detection in the second service is executed between the second server 20 and the user terminal 30.
  • fraud detection in the second service is executed between the second server 20 and the user terminal 30.
  • the processing of S206 and S207 is the same as the processing of S100 and S101.
  • the first server 10 requests the second server 20 for the result information of the user requested to login (S208).
  • the second server 20 Upon receiving the request for result information, the second server 20 refers to the history database DB5 to acquire the result information, and transmits the result information to the first server 10 (S209).
  • the first server 10 Upon receiving the result information, the first server 10 incorporates it as part of the user characteristic information acquired in S207, and executes fraud detection using the first fraud detection engine (S210).
  • the process of S210 differs from that of the first embodiment in that the result information of the second service is taken into consideration in the fraud detection of the first service, but other points are the same.
  • the subsequent processing of S211 to S213 is the same as the processing of S103 to S105.
  • fraud detection of the first service is not performed, and login to the first service is not performed.
  • fraud in the first service is detected based on user feature information in the first service and result information in the second service.
  • the fraud detection in the first service is performed by comprehensively considering the result of fraud detection in the second service, so the security in the first service is enhanced.
  • the result information in the second service may be useful in detecting fraud in the first service. Therefore, by using the result information of the second service, the accuracy of fraud detection of the first service is enhanced, and the security of the first service is enhanced.
  • the fraud detection system S detects fraud in the first service based on the user characteristic information in the first service and the result information based on the second rule in the second service.
  • the fraud detection in the first service is performed by comprehensively considering the result of fraud detection using the second rule in the second service, so the security in the first service is enhanced.
  • the fraud detection system S acquires result information regarding the result of fraud detection in the second service, which is performed using the user feature information in the domain specific language data format.
  • the first service and the second service can be easily coordinated.
  • FIG. 15 is a functional block diagram of a modification according to the first embodiment.
  • the changing unit 105 is implemented mainly by the control unit 21 .
  • the fraud detection unit 205 is as described in the second embodiment.
  • the first service and the second service may be arbitrary services and are not limited to the examples of the first embodiment and the second embodiment.
  • the first service may be a first electronic payment service
  • the second service may be a second electronic payment service different from the first electronic payment service.
  • the first electronic payment service is simply referred to as the first service
  • the second electronic payment service is simply referred to as the second service.
  • any electronic payment is possible, for example, credit card, debit card, electronic money, point, electronic cash, bank account, virtual currency, wallet, or other electronic value Payment means is available.
  • Electronic payment using barcodes or two-dimensional codes, electronic payment using short-range wireless communication, or electronic payment using biometric authentication can also be used.
  • modification 1-1 a case where a credit card is used for the first service and electronic money is used for the second service will be taken as an example.
  • Various well-known methods can be used for electronic settlement itself using a credit card.
  • Various known methods can be used for electronic settlement itself using electronic money.
  • the first service database DB1 can also be called a payment database.
  • card information and usage history information are stored in the first service database DB1.
  • Card information is information about individual credit cards.
  • card information includes card number, expiration date, name holder information, and usage limit.
  • the nominee information may store not only the name of the nominee but also information such as a telephone number and an address.
  • the usage history information is information related to credit card usage history.
  • the usage history information includes date and time of usage, place of usage (store used), and amount of usage. Since each credit card can be identified by its card number, the user ID need not be included in the first service database DB1 of Modification 1-1.
  • the location of use may be acquired using GPS information of the user terminal 30, or may be the location of the store where the electronic payment was made.
  • the history database DB2 of modification 1-1 is the same as that of the first embodiment, but differs in that the user characteristic information includes information about credit cards instead of information about SNS.
  • user characteristic information includes credit card usage location, usage date and time, usage amount, distance from the center of usage, difference from usual usage time, difference from average usage amount, borrowing amount for cash advance, user's annual income, etc. Contains information. Result information and status information are the same as in the first embodiment.
  • Information on individual payments is stored in the second service database DB3 of Modification 1-1, similar to the first service database DB1.
  • electronic money information and usage history information are stored in the first service database DB1.
  • Electronic money information is information about individual electronic money.
  • electronic money information includes electronic money ID, balance, and nominee information.
  • the usage history information is information related to the usage history of electronic money.
  • the usage history information includes date and time of usage, place of usage (store used), and amount of usage. Since individual electronic money can be identified by the electronic money ID, the second service database DB3 of Modification 1-1 does not have to include the user ID.
  • the fraud information database DB4 of modification 1-1 is similar to that of the first embodiment, but differs in that the user characteristic information includes information about electronic money instead of information about SNS.
  • the user characteristic information includes the place of use of electronic money, the date and time of use, the amount of use, the distance from the center of use, the difference from the usual time of use, the difference from the average amount of use, the amount borrowed for cash advances, and the annual income of the user. Contains information.
  • the result information is the same as in the first embodiment.
  • the history database DB5 also differs from the second embodiment in that it includes information on electronic money, but is otherwise the same.
  • the flow of fraud detection itself in modification 1-1 is the same as the flow of the first embodiment described with reference to FIG.
  • the login in S1 in FIG. 3 is a request for payment by credit card.
  • the first server 10 acquires user characteristic information (S2).
  • the first server 10 acquires various information such as the credit card number for which payment was requested, the name holder information, the distance from the center of use, the difference from the usual time of use, and the difference from the average amount of use, They are stored one after another in the user feature information in JSON format.
  • the first server 10 acquires the output from the first learning model based on the user feature information (S3).
  • the first learning model training data including user feature information regarding the use of credit cards and information on the presence or absence of fraudulent use of credit cards is learned.
  • the first learning model performs convolution as necessary and outputs a score indicating suspicion of fraud.
  • credit card fraud means the use of another person's credit card by an unauthorized user.
  • electronic payment using a bar code or two-dimensional code displayed on the user terminal 30 it is illegal to log in by impersonating another person's user ID and password and use the bar code or two-dimensional code.
  • the first server 10 acquires the determination result of the first rule based on the user characteristic information (S4).
  • the first rule includes conditions for user characteristic information regarding credit card usage.
  • the first rule is the same as the first embodiment, such as the distance from the center of use, the difference from the usual time of use, and the difference from the device that is usually used, as well as the difference from the average usage amount. There may be.
  • the first rule may be a rule in which a specific nominee is determined to be valid.
  • the first server 10 stores the output from the first learning model and the determination result of the first rule in the history database DB2 (S5).
  • the first server 10 does not permit the settlement when it is determined to be fraudulent by the first learning model or when it is determined to be fraudulent by the first rule.
  • the first server 10 executes the settlement when the first learning model does not determine that the transaction is fraudulent and the first rule does not determine that the transaction is fraudulent.
  • the confirmation timing arrives (S6)
  • the administrator of the first service confirms whether the payment is fraudulent (S7), and the history database DB2 is updated.
  • the engine acquisition unit 201 acquires the second fraud detection engine for detecting fraud related to electronic money based on the first fraud detection engine for detecting fraud related to credit cards.
  • the fraud information acquisition unit 202 acquires fraud information related to fraud that actually occurred using electronic money.
  • the determination unit 203 determines whether fraud related to electronic money can be detected by the second fraud detection engine.
  • the application unit 204 applies the second fraud detection engine to the second service when it is determined that fraud related to electronic money can be detected by the second fraud detection engine.
  • it may be possible to divert rules such as the distance from the center of use, the difference from the usual time of use, and the difference from the device that is usually used, which are used in the detection of fraudulent use of credit cards. Its adequacy is verified.
  • the first fraud detection engine uses a first learning model that outputs a first score regarding fraud in the first service.
  • a first rule included in the first fraud detection engine may include a condition regarding the first score.
  • the first score being equal to or greater than a threshold may be set as a condition for being determined to be fraudulent.
  • the condition that the first score is less than the threshold may be set as a condition for being determined to be valid.
  • the second fraud detection engine uses a second learning model that outputs a second score regarding fraud in the second service.
  • a second rule included in the second fraud detection engine may include a condition regarding the second score.
  • the second score being equal to or greater than a threshold may be set as a condition for being determined to be fraudulent.
  • the second score being less than the threshold may be set as a condition for being determined to be valid.
  • the threshold for the second rule may be the same as or different from the threshold for the first rule.
  • the data name and threshold value indicating the second score may be customized as in the first embodiment.
  • the second learning model may be created by using the first learning model as in Modification 1-3 described later, or may be created without using the first learning model.
  • the second rule included in the second fraud detection engine uses a second learning model that outputs a second score regarding fraud in the second service.
  • fraud detection for the second service is performed by comprehensively considering the result of fraud detection by the second learning model, and security in the second service is enhanced.
  • a second fraud detection engine may utilize a second learned model based on the first learned model.
  • the engine acquisition unit 201 acquires the second learning model including parameters based on the parameters of the first learning model.
  • the second learning model may be an exact copy of the first learning model, or part of the first learning model may be modified to suit the second service.
  • the engine acquisition unit 201 may acquire the second learning model by changing or deleting part of the first learning model, or may acquire the second learning model by adding functions to the first learning model. may For example, when the first learning model is a neural network, the engine acquisition unit 201 replaces the input layer of the first learning model with an input layer modified to match the user feature information of the second service, thereby obtaining the second A learning model may be obtained.
  • n (n is a natural number) items of the user characteristic information of the first service are input to the first learning model.
  • k (k is a natural number less than n) items of the user feature information of the second service are input to the second learning model.
  • the contents indicated by the k items are the same as or similar to the contents indicated by the k items out of the n items. For example, if the k items include the distance from the center of use, the usage amount, and the usage time when electronic money is used in the second service, the n items include credit in the first service. Contents such as the distance from the center of use, the amount of use, and the time of use when the card is used shall be included.
  • the engine acquisition unit 201 acquires a second learning model by changing the input layer of the first learning model to which n items are input so that it has only k items. Items that are missing (n ⁇ k items) out of the n items may be treated as missing values.
  • the engine acquisition unit 201 may acquire the second learning model by replacing the output layer of the first learning model with an output layer modified so as to obtain the desired result in fraud detection of the second service. good. For example, assume that the first learning model outputs a score. For the second service, we want to get the label of whether it is cheating or not, not the score. In this case, the engine acquisition unit 201 acquires the second learning model by replacing the output layer of the first learning model that outputs the score with the output layer that outputs the label. Alternatively, the engine acquisition unit 201 may acquire the second learning model by changing or deleting part of the intermediate layer of the first learning model.
  • the determination unit 203 determines whether fraud in the second service can be detected by the second learning model. As in the first embodiment, this determination method may use the accuracy rate.
  • the applying unit 204 applies the second learning model to the second service when it is determined that fraud in the second service can be detected by the second learning model.
  • the only difference from the first embodiment is that the second learning model is applied to the second service instead of the second rule, and the processing itself of the application unit 204 is as described in the first embodiment.
  • the determination unit 203 based on the fraud information, when it is determined that fraud in the second service can be detected by the second learning model based on the first learning model, 2 Apply the second learning model to the service. This saves the trouble of creating the second learning model and enhances security.
  • the fraud detection system S may include the result information acquisition unit 104 and the change unit 105 .
  • the result information acquisition unit 104 acquires result information about the result of fraud detection in the second service when the second fraud detection engine is applied to the second service.
  • the result information acquisition unit 104 is as described in the second embodiment.
  • the changing unit 105 executes processing for changing the first fraud detection engine based on the result information.
  • This process may be a process of incorporating the result information of the second service as one of the first rules, as described in the second embodiment, or may be another process.
  • Another process may be a process of notifying the manager of the first service of the result information obtained from the second service and prompting him to change the first fraud detection engine.
  • the process may be a process of using the result information of the second service as one of the feature values to be input to the first learning model.
  • the changing unit 105 may change the first fraud detection engine so as to use result information in fraud detection of the first service.
  • the second fraud detection engine when the second fraud detection engine is applied to the second service, based on the result information regarding the result of fraud detection in the second service, the first fraud detection engine is changed. Execute the process. As a result, the result of fraud detection in the second service is also used in fraud detection in the first service, increasing security in the first service.
  • the second service when a second user of the second service uses the second service, fraudulence of the second user may be detected based on the second fraud detection engine.
  • the second service after the second user uses the second service, it may be determined whether or not the second user is fraudulent.
  • the second service may be a service in which the length of time from when the second service is used to when the presence or absence of fraud is determined is shorter than that of the first service. That is, the length from the use of the second service to the timing of confirmation of fraud is shorter than the length of time from the use of the first service to the timing of confirmation of fraud.
  • the second service is a service in which the length of time from when the second service is used to when the presence or absence of fraud is determined is shorter than that of the first service.
  • This allows the latest fraud trends in the second service to be fed back to the first service.
  • the period until fraud is confirmed in the first service is about two months
  • the period until fraud is confirmed in the second service is about two weeks.
  • the first fraud detection engine may use the result of fraud detection in the third service.
  • the third service is a service different from the first service and the second service.
  • the third service may be any other service and is not limited to the third electronic payment service.
  • the payment method that can be used in the third electronic payment service may be any payment method, and in modification 1-6, the case of points will be described. A known method can be used for electronic payment using points.
  • the first learning model of the first fraud detection engine uses the result of fraud detection in the third service as one of the feature quantities.
  • the first rule of the first fraud detection engine uses the result of fraud detection in the third service as one of its conditions.
  • the engine acquisition unit 201 acquires a second fraud detection engine that uses fraud detection results in the third service based on the first fraud detection engine.
  • the second learning model of the second fraud detection engine uses the result of fraud detection in the third service as one of feature quantities.
  • the second rule of the second fraud detection engine uses the result of fraud detection in the third service as one of its conditions.
  • the engine acquisition unit 201 may also acquire the second fraud detection engine by changing the data name and the threshold indicating the fraud detection result in the third service as necessary.
  • the second fraud detection engine that uses the fraud detection result in the third service is obtained based on the first fraud detection engine.
  • the results of fraud detection in the third service can be used in the second service, so the results of fraud detection in various services are comprehensively considered, and the security of the second service is enhanced.
  • the engine acquisition unit 201 may acquire second fraud detection engines based on multiple first fraud detection engines corresponding to multiple first services.
  • a certain first service is an electronic payment service provided by a certain card company.
  • Another first service is an electronic payment service provided by another card company.
  • the diversion method of each first fraud detection engine is as described in the first embodiment.
  • the engine acquisition unit 201 does not need to use all of the plurality of first fraud detection engines, and may use only some of them.
  • the engine acquisition unit 201 acquires the second fraud detection engine by changing the data name and threshold value of each of the plurality of fraud detection engines.
  • the second fraud detection engine is acquired based on the plurality of first fraud detection engines corresponding to the plurality of first services.
  • the second fraud detection engine is obtained by comprehensively considering the plurality of first services, and the security of the second service is enhanced.
  • the engine acquisition unit 201 may acquire the second fraud detection engine based on the first fraud detection engine of the first service associated with the second service among the plurality of first services.
  • the first service associated with the second service is the first service to which the first fraud detection engine, which is the source of the second fraud detection engine, is applied.
  • first services such as an electronic credit card payment service, an electronic point payment service, an electronic payment service, and a travel reservation service.
  • the first service effective for fraud detection of the electronic payment service for electronic money, which is the second service is the electronic payment service for credit cards and the electronic payment service for points, then these two A first service is associated with a second service.
  • the engine acquisition unit 201 does not divert the first fraud detection engine of the first service that is not associated with the second service, but based on the first fraud detection engine of the first service that is associated with the second service. 2 Get a fraud detection engine.
  • the second fraud detection engine is acquired based on the first fraud detection engine of the first service associated with the second service among the plurality of first services.
  • the first fraud detection engine of the first service which is highly related to the second service, can be used, so the security of the second service is enhanced.
  • the result information may be used in the first fraud detection engine by combining the first embodiment and the second embodiment.
  • the method of using the result information itself is as described in the second embodiment.
  • each function described in the second embodiment is implemented.
  • the result information is used in the first fraud detection engine. This increases security in the first service.
  • FIG. 16 is a functional block diagram of a modification according to the second embodiment.
  • the confirmed information acquisition unit 106 and the change determination unit 107 are realized mainly by the control unit 11 .
  • the fraud detection system S of the second embodiment may also be applied to an electronic payment service as in the modification 1-1.
  • the first server 10 uses the result information regarding fraudulent use of electronic money in the second service to detect fraudulent use of credit cards in the first service.
  • the fraud detection method applied to the electronic payment service is as described in Modification 1-1.
  • the following modified examples also describe examples of application to electronic payment services.
  • modification 2-1 the security of the electronic payment service is enhanced.
  • the result information indicates the result of fraud detection in the second service determined based on each of the plurality of second rules. That is, the result information indicates the result of fraud detection in which a plurality of second rules are comprehensively used.
  • the result information may indicate the determination result of the presence/absence of illegality for each second rule, or may indicate whether or not even one second rule is determined to be illegal.
  • the fraud detection unit 103 detects fraud in the first service based on user feature information in the first service and result information based on a plurality of second rules in the second service. For example, the fraud detection unit 103 incorporates a plurality of pieces of result information in the second service into the user characteristic information to detect fraud in the first service. Although it is different from the second embodiment in that a plurality of pieces of result information are considered as one feature amount, detection of fraud itself in the first service is the same as in the second embodiment.
  • Modification 2-2 fraud in the first service is detected based on the user characteristic information in the first service and result information based on a plurality of second rules in the second service.
  • Security in the first service is enhanced by comprehensively considering a plurality of second rules.
  • a second service may utilize a second learning model that outputs a second score for fraud in the second service.
  • the second learning model may be created by using the first learning model as in modification 1-3, or may be created without using the first learning model.
  • the result information may be information about the second score output from the second learning model.
  • the result information may indicate the score output by the second learning model, or may be information indicating whether or not the score is equal to or greater than the threshold value (that is, information indicating the presence or absence of fraud).
  • the fraud detection unit 103 detects fraud in the first service based on user feature information in the first service and result information based on the second score in the second service.
  • the second embodiment differs from the second embodiment in that the second score is considered as one of the feature amounts, detection of fraud itself in the first service is the same as in the second embodiment.
  • the result information based on the second rule described in the second embodiment the result information based on the second score may be incorporated into the user characteristic information, or the result information may be used separately from the user characteristic information. good.
  • fraud in the first service is detected based on the user feature information in the first service and the result information based on the second score in the second service.
  • security in the first service is enhanced by using the result of fraud detection in the second service also in the first service.
  • the second service may utilize multiple second learning models.
  • the result information is information about the second scores output from each of the plurality of second learning models. That is, the result information indicates the result of fraud detection in which a plurality of second learning models are comprehensively used.
  • the result information may indicate the second score for each second learning model, or may indicate whether there is even one second learning model whose second score is equal to or greater than the threshold. .
  • the fraud detection unit 103 detects fraud in the first service based on user characteristic information in the first service and result information based on a plurality of second scores in the second service. Although it differs from the second embodiment in that a plurality of second scores are considered, fraud detection itself in the first service is the same as in the second embodiment.
  • Modification 2-4 fraud in the first service is detected based on the user feature information in the first service and result information based on a plurality of second scores in the second service. Thereby, security in the first service is enhanced by comprehensively considering a plurality of second learning models.
  • the result information acquisition unit 104 may acquire multiple result information corresponding to the multiple second services.
  • a certain second service is an electronic payment service for electronic money provided by a certain company.
  • Another second service is an electronic payment service for electronic money provided by another company.
  • individual result information itself is the same as in the second embodiment.
  • the second server 20 of each second service implements the functions described in the first and second embodiments.
  • the fraud detection unit 103 detects fraud in the first service based on the user characteristic information in the first service and a plurality of pieces of result information corresponding to a plurality of second services. Although it differs from the second embodiment in that the result information of each of the plurality of second services is taken into account, detection of fraud in the first service itself is the same as in the second embodiment.
  • the fraud detection unit 103 incorporates a plurality of pieces of result information into the user characteristic information and performs fraud detection using the first fraud detection engine. For example, the fraud detection unit 103 may determine that even the first service is fraudulent if there is even one second service whose result information indicates fraud.
  • the fraud detection unit 103 may determine that the first service is fraudulent if the number of second services whose result information indicates fraud is greater than or equal to a threshold. Furthermore, the fraud detection unit 103 may input the number of second services whose result information indicates fraud as one of the feature amounts to the first learning model and obtain an output from the first learning model. In this case, it is assumed that the relationship between the number of second services and the presence or absence of fraud has already been learned in the first learning model.
  • the result information acquisition unit 104 acquires result information corresponding to the second service associated with the first service among the plurality of second services.
  • a second service associated with the first service is a second service that refers to fraud detection results.
  • the second service effective for fraud detection of the first service the electronic payment service for credit cards
  • the electronic payment service for electronic money and the electronic payment service for points these two A second service is associated with the first service. It is assumed that these associations are pre-stored in the data storage unit 100 .
  • the result information acquisition unit 104 does not acquire result information corresponding to the second service that is not associated with the first service. Although it differs from the second embodiment in that the result information of the second service associated with the first service is acquired, the individual result information itself is the same as in the second embodiment.
  • the fraud detection unit 103 detects fraud in the first service based on user characteristic information in the first service and result information corresponding to the second service associated with the first service. Although it differs from the second embodiment in that the result information of each of the second services associated with the first service is taken into account, detection of fraud in the first service itself is the same as in the second embodiment. The fraud detection unit 103 does not use result information corresponding to the second service that is not associated with the first service in fraud detection of the first service.
  • fraud in the first service is detected based on the user feature information in the first service and the result information corresponding to the second service associated with the first service.
  • fraud detection can be executed using the result information corresponding to the second service, which is highly related to the first service, so the security of the first service is enhanced.
  • the second service may be a service in which the length of time from the time the second service is used until the presence or absence of fraud is determined is shorter than that of the first service.
  • the second service is a service in which the length of time from when the second service is used to when the presence or absence of fraud is determined is shorter than that of the first service. This allows the latest fraud trends in the second service to be fed back to the first service. For example, for the same reason as Modified Example 1-5, it becomes easier to deal with fraudulent changes in the first service.
  • the fraud detection system S may include a change unit 105 , a confirmed information acquisition unit 106 and a change determination unit 107 .
  • the confirmed information acquisition unit 106 acquires confirmed information regarding the confirmed result of fraud in the first service.
  • a data set of user characteristic information, result information, and status information stored in the history database DB2 is an example of definite information.
  • the confirmed information acquisition unit 106 acquires confirmed information by referring to the history database DB2.
  • the confirmed information acquisition unit 106 acquires all or part of the confirmed information stored in the history database DB2.
  • the change determination unit 107 determines whether or not to change the first fraud detection engine for detecting fraud in the first service based on the confirmation information in the first service and the result information in the second service. . For example, the change determination unit 107 determines whether or not a user whose fraudulence has been confirmed in the confirmation information in the first service is also determined to be fraudulent in the second service. The change determination unit 107 determines to change the first fraud detection engine when it is determined that the user whose fraud is confirmed by the confirmation information in the first service is also determined to be fraudulent in the second service. In this case, since the fraud tendencies of the first service and the fraud tendencies of the second service are similar, it is determined that the result information of the second service should be used in the first fraud detection engine.
  • the change determination unit 107 may calculate the percentage of the predetermined number of confirmed information that are determined to be fraudulent even in the second service.
  • the change determination unit 107 may determine to change the first fraud detection engine when this ratio is equal to or greater than the threshold.
  • the changing unit 105 executes processing for changing the first fraud detection engine based on the second fraud detection engine when it is determined to change the first fraud detection engine. This processing is as described in modification 1-4.
  • the changing unit 105 does not execute this process when it is not determined to change the first fraud detection engine.
  • the second fraud detection engine when it is determined to change the first fraud detection engine based on the confirmation information in the first service and the result information in the second service, the second fraud detection engine to execute processing for changing the first fraud detection engine.
  • the second fraud detection engine when it is effective to use the result of fraud detection in the second service, it is also used in the detection of fraud in the first service, thereby increasing security in the first service.
  • the result information acquisition unit 104 may acquire result information regarding the result of fraud detection within a predetermined period from the current time. This period of time may be of any length, for example, it may be on the order of several weeks or on the order of several months. The result information acquisition unit 104 does not acquire result information about the result of fraud detection executed before a predetermined period of time. It is assumed that the history database DB5 stores the date and time when fraud detection was performed in the second service. Only result information whose date and time is within a predetermined period is acquired.
  • the fraud detection unit 103 detects user fraud based on the user characteristic information in the first service and the result information in the second service within a predetermined period.
  • the second embodiment differs from the second embodiment in that the result information of the second service outside the predetermined period is not used for fraud detection, and the other points are the same as the second embodiment.
  • the fraud detection unit 103 detects user fraud based on the user characteristic information in the first service and the result information in the second service within a predetermined period. As a result, relatively new fraud detection results can be fed back and the latest fraud trends can be addressed, thereby enhancing security in the first service.
  • the result information acquisition unit 104 may acquire result information regarding the result of fraud detection based on the second fraud detection engine applied by the application unit 204 .
  • result information regarding the result of fraud detection based on the second fraud detection engine is obtained. This simplifies the creation of the second fraud detection engine while enhancing security in the first service.
  • the fraud detection system S can be applied to fraud detection in services such as electronic commerce services, electronic ticket services, financial services, or communication services.
  • a first fraud detection engine in a first e-commerce service provided by a certain company may be diverted to a second fraud detection engine in a second e-commerce service provided by another company. good too.
  • the result of fraud detection by the second fraud detection engine in the second electronic commerce service provided by another company is used by the first fraud detection engine in the first electronic commerce service provided by a certain company. It can also be used for fraud detection.
  • the functions described as being realized by the first server 10 may be realized by another computer, or may be shared by a plurality of computers.
  • the functions described as being realized by the second server 20 may be realized by another computer, or may be shared by a plurality of computers.
  • data to be stored in the data storage units 100 and 200 may be stored in a database server.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Accounting & Taxation (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • General Business, Economics & Management (AREA)
  • Strategic Management (AREA)
  • Finance (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Artificial Intelligence (AREA)
  • Mathematical Physics (AREA)
  • Computing Systems (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Economics (AREA)
  • Medical Informatics (AREA)
  • Computational Linguistics (AREA)
  • General Health & Medical Sciences (AREA)
  • Biophysics (AREA)
  • Development Economics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Biomedical Technology (AREA)
  • Marketing (AREA)
  • Molecular Biology (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
PCT/JP2021/031999 2021-08-31 2021-08-31 不正検知システム、不正検知方法、及びプログラム Ceased WO2023032045A1 (ja)

Priority Applications (4)

Application Number Priority Date Filing Date Title
PCT/JP2021/031999 WO2023032045A1 (ja) 2021-08-31 2021-08-31 不正検知システム、不正検知方法、及びプログラム
US17/908,234 US20240211950A1 (en) 2021-08-31 2021-08-31 Fraud detection system, fraud detection method, and program
JP2022529390A JP7165841B1 (ja) 2021-08-31 2021-08-31 不正検知システム、不正検知方法、及びプログラム
TW111132894A TWI825963B (zh) 2021-08-31 2022-08-31 欺詐檢測系統、欺詐檢測方法及程式產品

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/031999 WO2023032045A1 (ja) 2021-08-31 2021-08-31 不正検知システム、不正検知方法、及びプログラム

Publications (1)

Publication Number Publication Date
WO2023032045A1 true WO2023032045A1 (ja) 2023-03-09

Family

ID=83897813

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/031999 Ceased WO2023032045A1 (ja) 2021-08-31 2021-08-31 不正検知システム、不正検知方法、及びプログラム

Country Status (4)

Country Link
US (1) US20240211950A1 (https=)
JP (1) JP7165841B1 (https=)
TW (1) TWI825963B (https=)
WO (1) WO2023032045A1 (https=)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP7542690B1 (ja) * 2023-06-30 2024-08-30 楽天グループ株式会社 不正検知システム、不正検知方法、及びプログラム
JP7591626B1 (ja) * 2023-08-07 2024-11-28 楽天グループ株式会社 不正検知システム、不正検知方法、及びプログラム

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020261426A1 (ja) * 2019-06-26 2020-12-30 楽天株式会社 不正推定システム、不正推定方法、及びプログラム

Family Cites Families (45)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080115192A1 (en) * 2006-11-07 2008-05-15 Rajandra Laxman Kulkarni Customizable authentication for service provisioning
US8666841B1 (en) * 2007-10-09 2014-03-04 Convergys Information Management Group, Inc. Fraud detection engine and method of using the same
US10841839B2 (en) * 2009-01-28 2020-11-17 Headwater Research Llc Security, fraud detection, and fraud mitigation in device-assisted services systems
US9760861B2 (en) * 2011-04-29 2017-09-12 Visa International Service Association Fraud detection system automatic rule population engine
US8346672B1 (en) * 2012-04-10 2013-01-01 Accells Technologies (2009), Ltd. System and method for secure transaction process via mobile device
US8645250B2 (en) * 2011-08-29 2014-02-04 Visa International Service Association Rules suggestion engine
JP2014529964A (ja) * 2011-08-31 2014-11-13 ピング アイデンティティ コーポレーション モバイル機器経由の安全なトランザクション処理のシステムおよび方法
US20140114840A1 (en) * 2012-10-19 2014-04-24 Cellco Partnership D/B/A Verizon Wireless Automated fraud detection
US20140250011A1 (en) * 2013-03-01 2014-09-04 Lance Weber Account type detection for fraud risk
US10902327B1 (en) * 2013-08-30 2021-01-26 The 41St Parameter, Inc. System and method for device identification and uniqueness
US10586234B2 (en) * 2013-11-13 2020-03-10 Mastercard International Incorporated System and method for detecting fraudulent network events
US10282728B2 (en) * 2014-03-18 2019-05-07 International Business Machines Corporation Detecting fraudulent mobile payments
US10990970B2 (en) * 2014-07-31 2021-04-27 Ncr Corporation Automated fraud detection
US10380508B2 (en) * 2016-04-25 2019-08-13 Fair Isaac Corporation Self-contained decision logic
US11132425B1 (en) * 2016-07-07 2021-09-28 Wells Fargo Bank, N.A. Systems and methods for location-binding authentication
US10375078B2 (en) * 2016-10-10 2019-08-06 Visa International Service Association Rule management user interface
US11102225B2 (en) * 2017-04-17 2021-08-24 Splunk Inc. Detecting fraud by correlating user behavior biometrics with other data sources
CN109257321B (zh) * 2017-07-13 2021-12-03 北京京东尚科信息技术有限公司 安全登录方法和装置
US10630729B2 (en) * 2017-12-15 2020-04-21 T-Mobile Usa, Inc. Detecting fraudulent logins
CN108492104B (zh) * 2018-02-12 2020-10-02 阿里巴巴集团控股有限公司 一种资源转移监测方法及装置
US20190385170A1 (en) * 2018-06-19 2019-12-19 American Express Travel Related Services Company, Inc. Automatically-Updating Fraud Detection System
US10796312B2 (en) * 2018-06-29 2020-10-06 Alegeus Technologies, Llc Fraud detection and control in multi-tiered centralized processing
CN111435507A (zh) * 2019-01-11 2020-07-21 腾讯科技(北京)有限公司 广告反作弊方法、装置、电子设备及可读存储介质
US11250429B1 (en) * 2019-03-29 2022-02-15 Square, Inc. Identity verification (IDV) using a payment processing platform
US20200334679A1 (en) * 2019-04-19 2020-10-22 Paypal, Inc. Tuning fraud-detection rules using machine learning
US11663602B2 (en) * 2019-05-15 2023-05-30 Jpmorgan Chase Bank, N.A. Method and apparatus for real-time fraud machine learning model execution module
US11244321B2 (en) * 2019-10-02 2022-02-08 Visa International Service Association System, method, and computer program product for evaluating a fraud detection system
US11431709B2 (en) * 2020-03-13 2022-08-30 International Business Machines Corporation Authentication using client login metrics
US11605084B2 (en) * 2020-05-14 2023-03-14 Capital One Services, Llc Methods for enhancing transaction authorizations with device location data
US12014372B2 (en) * 2020-06-16 2024-06-18 Paypal, Inc. Training a recurrent neural network machine learning model with behavioral data
PE20230526A1 (es) * 2020-07-09 2023-03-27 Featurespace Ltd Entrenamiento de un sistema de aprendizaje automatico para el procesamiento de datos de transaccion
US20220027915A1 (en) * 2020-07-21 2022-01-27 Shopify Inc. Systems and methods for processing transactions using customized transaction classifiers
US20220068501A1 (en) * 2020-09-01 2022-03-03 Autonomous Healthcare, Inc. System and method for tracking sensitive medications
US11610206B2 (en) * 2020-10-14 2023-03-21 Paypal, Inc. Analysis platform for actionable insight into user interaction data
US20220138753A1 (en) * 2020-10-30 2022-05-05 Raise Marketplace, Llc Interactive swarming
US20220237482A1 (en) * 2021-01-27 2022-07-28 Intuit Inc. Feature randomization for securing machine learning models
US20220269662A1 (en) * 2021-02-22 2022-08-25 Mastercard Technologies Canada ULC Event interval approximation
US12282925B2 (en) * 2021-05-10 2025-04-22 International Business Machines Corporation Multi-phase privacy-preserving inferencing in a high volume data environment
US12536277B2 (en) * 2021-06-09 2026-01-27 Mastercard Technologies Canada ULC SFTP batch processing and credentials API for offline fraud assessment
US20220405659A1 (en) * 2021-06-16 2022-12-22 International Business Machines Corporation Data-driven automated model impact analysis
US12437232B2 (en) * 2021-06-24 2025-10-07 Paypal, Inc. Edge device machine learning
AU2022297884A1 (en) * 2021-06-24 2024-02-08 Sean William HONEYWELL A transaction system and method
US12218926B2 (en) * 2021-06-29 2025-02-04 Paypal, Inc. Time constrained electronic request evaluation
US11842351B2 (en) * 2021-08-23 2023-12-12 Capital One Services, Llc Systems and methods for fraud monitoring
US20230061605A1 (en) * 2021-08-26 2023-03-02 Jpmorgan Chase Bank, N.A. Systems and methods for intelligent fraud detection

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020261426A1 (ja) * 2019-06-26 2020-12-30 楽天株式会社 不正推定システム、不正推定方法、及びプログラム

Also Published As

Publication number Publication date
TWI825963B (zh) 2023-12-11
TW202324168A (zh) 2023-06-16
US20240211950A1 (en) 2024-06-27
JP7165841B1 (ja) 2022-11-04
JPWO2023032045A1 (https=) 2023-03-09

Similar Documents

Publication Publication Date Title
JP7165840B1 (ja) 不正検知システム、不正検知方法、及びプログラム
EP3955143B1 (en) Fraud deduction system, fraud deduction method, and program
JP7177303B1 (ja) サービス提供システム、サービス提供方法、及びプログラム
JP7165841B1 (ja) 不正検知システム、不正検知方法、及びプログラム
TWI811574B (zh) 違規檢知系統、違規檢知方法及程式產品
JP7238214B1 (ja) 不正検知システム、不正検知方法、及びプログラム
JP7271778B2 (ja) サービス提供システム、サービス提供方法、及びプログラム
WO2022251513A1 (en) Method, device, and system of digital identity authentication
TWI813322B (zh) 學習模型作成系統、學習模型作成方法及程式產品
TWI827086B (zh) 學習模型評價系統、學習模型評價方法及程式產品
JP7591626B1 (ja) 不正検知システム、不正検知方法、及びプログラム
US20250097222A1 (en) Reducing false positives in entity matching based on image-linking graphs
JP7104133B2 (ja) カード登録システム、カード登録方法、及びプログラム

Legal Events

Date Code Title Description
ENP Entry into the national phase

Ref document number: 2022529390

Country of ref document: JP

Kind code of ref document: A

WWE Wipo information: entry into national phase

Ref document number: 17908234

Country of ref document: US

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21955935

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21955935

Country of ref document: EP

Kind code of ref document: A1