Abstract: Embodiments provide methods and systems for performing anomaly event detection with an improved precision value. The method includes accessing historical event data associated with entities within a particular time window from a database. The historical event data includes information of probable anomaly events detected at the entities. The method includes generating an event ratio table corresponding to an individual entity, wherein the event ratio table is based on an event detection rate of an anomaly event within a particular time frame from the time of first occurrence of the anomaly event across a set of timestamp intervals. The method includes determining event features associated with each timestamp interval for the individual entity of the plurality of entities based on the event ratio table and binomial distribution modelling methods. The method includes executing a neural network model based on the event features of the individual entity. The method includes determining whether the individual entity is a fraudulent entity or not based on the executing step.
Description:
FORM 2
THE PATENTS ACT 1970
(39 of 1970)
&
The Patent Rules 2003
COMPLETE SPECIFICATION
(refer section 10 & rule 13)
TITLE OF THE INVENTION:
ANOMALY DETECTION BASED METHODS AND SYSTEMS FOR A PLURALITY OF EVENTS WITH IMPROVED PRECISION
APPLICANT(S):
Name: MASTERCARD INTERNATIONAL INCORPORATED
Nationality: United States of America
Address: 2000 Purchase Street, Purchase, NY 10577, United States of America
PREAMBLE TO THE DESCRIPTION
The following specification particularly describes the invention and the manner in which it is to be performed.
DESCRIPTION
TECHNICAL FIELD
The present disclosure relates to artificial intelligence systems and, more particularly, to electronic methods and complex processing systems for improving anomaly detection systems for a plurality of events (e.g., identifying common point of purchase (CPP) compromised merchants, cardholder fraud detection, anti-money laundering detection, etc.) that are represented in tabular event dataset form.
BACKGROUND
An anomaly (also termed as noise, outlier, deviation, etc.) is defined as anything that is different from the expectations. For example, an anomaly may be termed as a calculated mathematical value that comes out to be different from the expected range of values. In computer science, anomaly detection is a technique to identify events, data, or conditions that do not conform to an expected pattern or events in a group. Conventionally, anomaly detection is a manual process performed by humans by studying a trace. In general, a trace is a log of information that may have been generated as an outcome of an application, process, and so on. Over the last few years, there has been an increase in the methods for performing anomaly detection with time series forecasting. Generally, time series is any data that is associated with a time period (for example, daily, monthly, quarterly, etc.).
One such example of performing anomaly detection may be termed as identifying the actual common point of purchase (CPP) compromised merchants from a trace of already identified CPP compromised merchants. Generally, the CPP is a physical or virtual location of a payment network that is compromised or attacked by fraudsters (scammers) to perform identity theft or steal sensitive information (e.g., payment card information). In one example, the CPP may include an automated teller machine (ATM), a point-of-sale (POS) device, a payment website that collects or processes payment-related information, and so on. In general, fraudsters install skimming devices in ATM machines or POS devices to steal the payment card information from the payment cards of cardholders. In general, a skimming device is a piece of equipment that fraudsters attach over card readers at ATMs, or POS devices to steal sensitive payment card information. In other words, fraudsters may use advanced techniques to steal payment card information of the cardholder without even stealing the payment instrument (i.e., the payment card) of the cardholder.
After performing the identity theft through CPP breached merchants, the fraudsters may use fraudulent attacks including, for example, a testing attack and a fraud attack. Generally, in a testing attack, the fraudster checks the validity of a stolen payment card of a cardholder by performing a small-amount electronic payment transaction, usually unnoticeable to the cardholder, at a fixed terminal (e.g., ATM machine, POS device, etc.). In a fraud attack, the fraudster utilizes the information of the stolen payment card to make purchases of goods or services using bulk fraudulent payment cards.
Currently, CPP detection models based on advanced techniques (such as artificial intelligence, machine learning, deep learning, neural networks, etc.) are executed to detect CPP breached merchants. One such example of an existing CPP detection model is BreachRadar, set forth in a paper titled “BreachRadar: Automatic Detection of Points-of-Compromise” authored by Miguel Araujo, Miguel Almeida, Jaime Ferreira, Luis Silva, and Pedro Bizarro, published at SIAM's 2017 International Conference on Data Mining (SDM17). However, the existing CPP detection models have a lot of drawbacks. One of the main drawbacks of the existing CPP detection models is the generation of a lot of false positives due to the large scale. For example, the CPP detection models run on millions of payment cards every month that further roll back to millions of merchants. This scalability problem may further lead to detection of the CPP breached merchants with very low precision. Furthermore, the manual process of detecting actual CPP breached merchants out of the trace of CPP breached merchants identified by the conventional CPP detection models is time-consuming and cumbersome.
In view of the above discussion, there exists a technological need for a method of analyzing large-scale transactional information for detecting CPP breached merchants with high precision.
SUMMARY
Various embodiments of the present disclosure provide methods and systems for improving anomaly detection systems for a plurality of events that can be represented in tabular event dataset form.
In an embodiment, a computer-implemented method is disclosed. The method includes accessing, by a server system, historical event data associated with a plurality of entities within a particular time window from a database. The historical event data includes at least information of probable anomaly events detected at the plurality of entities. The particular time window is divided into a set of timestamp intervals. The method includes generating, by the server system, an event ratio table corresponding to an individual entity of the plurality of entities based, at least in part, on the historical event data. The event ratio table is generated based, at least in part, on an event detection rate of an anomaly event within a particular time frame from a time of first occurrence of the anomaly event across the set of timestamp intervals. The method includes determining, by the server system, event features associated with each timestamp interval for the individual entity of the plurality of entities based, at least in part, on the event ratio table and binomial distribution modelling methods. The method further includes executing, by the server system, a neural network model based, at least in part, on the determined event features of the individual entity of the plurality of entities. Furthermore, the method includes determining, by the server system, whether the individual entity is a fraudulent entity or not based, at least in part, on the executing step.
Other aspects and example embodiments are provided in the drawings and the detailed description that follows.
BRIEF DESCRIPTION OF THE FIGURES
For a more complete understanding of example embodiments of the present technology, reference is now made to the following descriptions taken in connection with the accompanying drawings in which:
FIG. 1A illustrates an exemplary representation of an environment related to at least some embodiments of the present disclosure;
FIG. 1B illustrates another exemplary representation of an environment related to at least some embodiments of the present disclosure;
FIG. 2 illustrates a simplified block diagram of a server system, in accordance with an embodiment of the present disclosure;
FIG. 3A is an example representation of a fraud ratio table corresponding to an individual merchant of a plurality of merchants, in accordance with an embodiment of the present disclosure;
FIG. 3B is an example representation of event features corresponding to the individual merchant of the plurality of merchants, in accordance with an embodiment of the present disclosure;
FIG. 4 represents a simplified block diagram of a neural network model, in accordance with an embodiment of the present disclosure;
FIG. 5 is a flow chart of a training process for a neural network model, in accordance with an embodiment of the present disclosure;
FIG. 6 represents a flow chart of a method for performing anomaly event detection with improved precision, in accordance with an embodiment of the present disclosure;
FIG. 7 represents a flow chart of a method for determining actual CPP compromised merchants from possible CPP compromised merchants with higher precision, in accordance with an embodiment of the present disclosure; and
FIG. 8 illustrates a flow diagram depicting a computer-implemented method for anomaly event detection with improved precision, in accordance with an embodiment of the present disclosure.
The drawings referred to in this description are not to be understood as being drawn to scale except if specifically noted, and such drawings are only exemplary in nature.
DETAILED DESCRIPTION
In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure. It will be apparent, however, to one skilled in the art that the present disclosure can be practiced without these specific details.
Reference in this specification to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present disclosure. The appearance of the phrase “in an embodiment” in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Moreover, various features are described which may be exhibited by some embodiments and not by others. Similarly, various requirements are described which may be requirements for some embodiments but not for other embodiments.
Moreover, although the following description contains many specifics for the purposes of illustration, anyone skilled in the art will appreciate that many variations and/or alterations to said details are within the scope of the present disclosure. Similarly, although many of the features of the present disclosure are described in terms of each other, or in conjunction with each other, one skilled in the art will appreciate that many of these features can be provided independently of other features. Accordingly, this description of the present disclosure is set forth without any loss of generality to, and without imposing limitations upon, the present disclosure.
The term "payment network", used herein, refers to a network or collection of systems used for the transfer of funds through the use of cash substitutes. Payment networks may use a variety of different protocols and procedures in order to process the transfer of money for various types of transactions. Transactions that may be performed via a payment network may include product or service purchases, credit purchases, debit transactions, fund transfers, account withdrawals, etc. Payment networks may be configured to perform transactions via cash-substitutes, which may include payment cards, letters of credit, checks, financial accounts, etc. Examples of networks or systems configured to perform as payment networks include those operated by such as Mastercard®.
The term "merchant", used throughout the description generally refers to a seller, a retailer, a purchase location, an organization, or any other entity that is in the business of selling goods or providing services, and it can refer to either a single business location or a chain of business locations of the same entity.
The terms "cardholder", “user”, and “customer” are used interchangeably throughout the description and refer to a person who holds a credit or a debit card that will be used by a merchant to perform a payment transaction.
The term "payment account", used throughout the description, refers to a financial account that is used to fund the financial transaction (interchangeably referred to as "payment transaction"). Examples of the payment account include, but are not limited to a savings account, a credit account, an e-wallet account, a checking account, and a virtual payment account. The payment account may be associated with an entity such as an individual person, a family, a commercial entity, a company, a corporation, a governmental entity, a non-profit organization, and the like. In some scenarios, a payment account may be a virtual or temporary payment account that can be mapped or linked to a primary payment account, such as those accounts managed by payment wallet service providers.
The term "payment card", used throughout the description, refers to a physical or virtual card linked with a financial or payment account that may be presented to a merchant or any such facility in order to fund a financial transaction via the associated payment account. Examples of payment card include, but are not limited to, debit cards, credit cards, prepaid cards, virtual payment numbers, virtual card numbers, forex cards, charge cards, e-wallet cards, and stored-value cards. A payment card may be a physical card that may be presented to the merchant for funding the payment. Alternatively, or additionally, the payment card may be embodied in form of data stored in a user device, where the data is associated with a payment account such that the data can be used to process the financial transaction between the payment account and a merchant's financial account.
The terms "common point of purchase compromised merchants", “common point of purchase breached merchants”, “CPP compromised merchants”, and “CPP breached merchants” are used interchangeably throughout the description and refer to entities such as merchants or websites that suffer from a security breach that further results in compromise of payment cards, online credentials, and so on. In addition, fraudsters may use CPP compromised merchants to steal sensitive information such as the personal identification number (PIN) of payment cards associated with cardholders.
OVERVIEW
Various embodiments of the present disclosure provide methods, systems, electronic devices, and computer program products for improving anomaly detection systems for a plurality of events (e.g., identifying common point of purchase (CPP) compromised merchants, cardholder fraud detection, anti-money laundering detection, etc.). In an example, embodiments of the present disclosure disclose a method of performing error reduction during identification of the common point of purchase (CPP) compromised merchants.
Conventional CPP detection models have various limitations or drawbacks. For example, the conventional CPP detection models generate a lot of false positives due to the large scale of millions of cards that transact at each merchant every month. In addition, this scalability problem leads to detection of the CPP breached merchants with an increased error rate and lower precision.
To overcome such problems or limitations, the present disclosure describes a server system that is configured to perform identification of actual CPP compromised merchants out of already identified CPP compromised merchants with increased precision. More specifically, the server system is configured to reduce error while identifying the actual CPP compromised merchants out of the already identified CPP compromised merchants.
The server system is configured to identify anomalous entities (for example, CPP merchants or merchants supporting money laundering transactions, etc.) out of the plurality of entities (for example, CPP compromised merchants detected based on conventional algorithms already known in the art or merchants that support money laundering transactions, etc.). The server system includes at least a processor and a memory. In one non-limiting example, the server system is a payment server. The server system is configured to access historical event data associated with the plurality of entities within a particular time window (e.g., 1 year, 2 years, 3 years, etc.) from a database. In addition, the particular time window is divided into a set of timestamp intervals (e.g., monthly, quarterly, half-yearly, etc.). The historical event data includes at least information of probable anomaly events detected at the plurality of entities. For example, the probable anomaly events may include fraudulent transactions performed at CPP compromised merchants, money laundering transactions performed at a plurality of merchants already identified for supporting money laundering transactions, and the like.
In addition, the server system is configured to generate an event ratio table corresponding to an individual entity of the plurality of entities based, at least in part, on the historical event data. Further, the event ratio table is defined based, at least in part, on an event detection rate of an anomaly event within a particular time frame from the time of the first occurrence of the anomaly event across the set of timestamp intervals. The event features for each timestamp interval are based, at least in part, on a binomial probability function corresponding to the particular time frame, a total number of events that occurred at the entity within the timestamp interval, and the event detection rate of the anomaly event within the particular time frame.
The server system is further configured to determine event features associated with each timestamp interval for the individual entity of the plurality of entities based, at least in part, on the event ratio table and binomial distribution modelling methods.
The server system is further configured to execute a neural network model based, at least in part, on the determined event features of the individual entity of the plurality of entities. In one embodiment, the neural network model includes an encoder-decoder-based long short-term memory (LSTM) architecture and a fully-connected neural network layer.
In one embodiment, the server system is configured to train the neural network model based on the training data. The training data includes a plurality of event ratio tables corresponding to the plurality of entities. During the training of the neural network model, the server system is configured to determine the event features associated with each timestamp interval for an entity of the plurality of entities based, at least in part, on the event ratio table corresponding to the entity and binomial distribution modelling methods. The server system is further configured to execute the neural network model based, at least in part, on the training data. The neural network model includes the encoder-decoder-based long short-term memory (LSTM) architecture and the fully-connected neural network layer.
The server system is configured to optimize neural network parameters (e.g., weights and biases) of the neural network model based, at least in part, on a cumulative loss function. The cumulative loss function includes an entity loss function and a timestamp-based loss function.
During the execution of the neural network model, the server system is configured to generate a hidden state vector based, at least in part, on the event features for each timestamp interval for each entity into an encoder architecture of the neural network model. The server system is further configured to provide the hidden state vector as an input to a decoder architecture of the neural network model. Furthermore, the server system is configured to determine a current decoding output for a current timestamp interval based, at least in part, on a sigmoid value of previous decoding output of a previous timestamp interval and an event feature associated with the current timestamp interval.
Moreover, the server system is configured to determine whether the entity is a fraudulent entity or not based, at least in part, on decoding outputs corresponding to the set of timestamp intervals and the fully-connected neural network layer.
Various embodiments of the present disclosure offer multiple advantages and technical effects. For instance, the present disclosure employs multiple strategies to generate the event ratio table to reduce the false positives. The present disclosure uses binomial distribution modelling methods to convert the event ratios into the corresponding cumulative distribution functions (CDFs) at an overall level and at the merchant level. The present disclosure further uses a time-series Long Short-Term Memory (LSTM) based encoder-decoder architecture along with teacher forcing with re-look architecture to classify each merchant as a CPP compromised merchant or a non-CPP compromised merchant with high precision. The present disclosure uses time-series classification on the CDFs based on the binomial distribution modelling methods to reduce the false positives, while maintaining the true positive cases.
Various example embodiments of the present disclosure are described hereinafter with reference to FIGS. 1A-1B to FIG. 8.
FIG. 1A illustrates an exemplary representation of an environment 100 related to at least some embodiments of the present disclosure. Although the environment 100 is presented in one arrangement, other embodiments may include the parts of the environment 100 (or other parts) arranged otherwise depending on, for example, error reduction in anomaly event detection, etc. The environment 100 generally includes a server system 102, a plurality of entities 104a, 104b, and 104c, an event database 106, and an anomaly detection model 108, each coupled to, and in communication with (and/or with access to) a network 110. The network 110 may include, without limitation, a light fidelity (Li-Fi) network, a local area network (LAN), a wide area network (WAN), a metropolitan area network (MAN), a satellite network, the Internet, a fiber-optic network, a coaxial cable network, an infrared (IR) network, a radio frequency (RF) network, a virtual network, and/or another suitable public and/or private network capable of supporting communication among the entities illustrated in FIG. 1A, or any combination thereof.
Various entities in the environment 100 may connect to the network 110 in accordance with various wired and wireless communication protocols, such as Transmission Control Protocol and Internet Protocol (TCP/IP), User Datagram Protocol (UDP), 2nd Generation (2G), 3rd Generation (3G), 4th Generation (4G), 5th Generation (5G) communication protocols, Long Term Evolution (LTE) communication protocols, or any combination thereof. For example, the network 110 may include multiple different networks, such as a private network made accessible by the network 110 to the server system 102, and a public network (e.g., the Internet, etc.).
In one embodiment, the set of entities 104a-104c include real-world objects. In an example, the set of entities 104a-104c may include cardholders, users, authors, and the like. In another example, the set of entities 104a-104c may include merchants, movies, books, and the like. In addition, an entity of the set of entities 104a-104c may connect with or have a relationship with other entities of the set of entities 104a-104c. More specifically, an entity of the set of entities 104a-104c may be associated (in some way or the other) or interact with other entities of the set of entities 104a-104c.
The anomaly detection model 108 is configured to receive event data associated with the set of entities 104a-104c from associated data sources of the set of entities 104a-104c. The anomaly detection model 108 is configured to determine probable abnormal or anomaly events corresponding to the set of entities 104a-104c and send the probable anomaly events to the server system 102 to identify actual anomaly events.
The server system 102 is configured to perform one or more of the operations described herein. The server system 102 is configured to predict anomalous entities of the plurality of entities 104 with high precision. The server system 102 is a separate part of the environment 100 and may operate apart from (but still in communication with, for example, via the network 110), the set of entities 104a-104c, and any third-party external servers (to access data to perform the various operations described herein). However, in other embodiments, the server system 102 may actually be incorporated, in whole or in part, into one or more parts of the environment 100, for example, the entity 104a. In addition, the server system 102 should be understood to be embodied in at least one computing device in communication with the network 110, which may be specifically configured, via executable instructions, to perform as described herein, and/or embodied in at least one non-transitory computer-readable media.
The event database 106 may securely store data associated with the plurality of entities 104a-104c. In one embodiment, the event database 106 is associated with the server system 102. In one embodiment, information associated with the plurality of entities 104a-104c may be accessed, stored or modified in the event database 106 using a database management system (DBMS) or a relational database management system (RDBMS).
The server system 102 is configured to access historical event data associated with the plurality of entities 104a-104c within a particular time window (e.g., 1 year, 2 years, 3 years, etc.) from the event database 106. The historical event data includes at least information of probable anomaly events (for example, fraudulent payment cards or payment cards supporting money laundering transactions, etc.) detected at the plurality of entities 104a-104c. The particular time window is further divided into a set of timestamp intervals. In one embodiment, each timestamp interval may be monthly, quarterly, annual, and the like.
The server system 102 is further configured to generate an event ratio table corresponding to each entity of the plurality of entities 104a-104c based, at least in part, on the historical event data. The event ratio table is defined based on an event detection rate of an anomaly event within a particular time frame from the time of the first occurrence of the anomaly event across the set of timestamp intervals. In one embodiment, the set of timestamp intervals is represented in a plurality of rows and the particular time frame is represented in a plurality of columns in the event ratio table. Furthermore, the server system 102 is configured to convert the event detection rate into event features for the individual entity of the plurality of entities 104a-104c based, at least in part, on the event ratio table and binomial distribution modelling methods. The event features for each timestamp interval are based, at least in part, on a binomial probability function corresponding to the particular time frame, a total number of events that occurred at the entity within the timestamp interval, and the event detection rate of the anomaly event within the particular time frame.
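The following sketch illustrates the event ratio table and the binomial CDF features described above; it is an added example, not code from the specification. It assumes monthly timestamp intervals, 30/60/90-day time frames, and a feature defined as the binomial CDF of the observed flagged-card count against a pooled overall rate and a per-merchant rate; all function names and the sample data are hypothetical.

```python
from math import exp, lgamma, log, log1p

FRAMES = (30, 60, 90)  # assumed time frames in days (the table's columns)

# Constructed sample data, one row per (merchant, monthly interval):
# (merchant, interval, cards that transacted, days until each flagged card was reported)
SAMPLE = [
    ("M1", "2023-01", 200, [12, 45]),
    ("M1", "2023-02", 220, [5, 8, 20, 33, 61, 70, 85, 88]),
    ("M1", "2023-03", 210, [40]),
    ("M2", "2023-01", 500, [10, 75]),
    ("M2", "2023-02", 480, [25]),
    ("M2", "2023-03", 510, [15, 50, 89]),
]


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), summed in log space to stay stable for large n."""
    if k < 0:
        return 0.0
    if k >= n or p <= 0.0:
        return 1.0
    if p >= 1.0:
        return 0.0  # k < n here, so all mass sits above k
    total = 0.0
    for i in range(k + 1):
        log_pmf = (lgamma(n + 1) - lgamma(i + 1) - lgamma(n - i + 1)
                   + i * log(p) + (n - i) * log1p(-p))
        total += exp(log_pmf)
    return min(total, 1.0)


def event_ratio_tables(rows, frames=FRAMES):
    """Per merchant: interval -> {"n": cards, "k": {frame: flagged}, "ratio": {frame: k/n}}."""
    tables = {}
    for merchant, interval, n_cards, days_to_report in rows:
        # A card counts toward a frame if it was reported within that many days.
        k = {f: sum(1 for d in days_to_report if d <= f) for f in frames}
        ratio = {f: (k[f] / n_cards if n_cards else 0.0) for f in frames}
        tables.setdefault(merchant, {})[interval] = {"n": n_cards, "k": k, "ratio": ratio}
    return tables


def pooled_rate(cells, frame):
    """Detection rate for one frame, pooled over the given table cells."""
    n = sum(c["n"] for c in cells)
    return sum(c["k"][frame] for c in cells) / n if n else 0.0


def event_features(tables, frames=FRAMES):
    """Per merchant: time-ordered list of (interval, [overall-level CDFs, merchant-level CDFs])."""
    all_cells = [c for table in tables.values() for c in table.values()]
    overall = {f: pooled_rate(all_cells, f) for f in frames}
    features = {}
    for merchant, table in tables.items():
        own = {f: pooled_rate(list(table.values()), f) for f in frames}
        sequence = []
        for interval in sorted(table):  # ISO year-month strings sort chronologically
            cell = table[interval]
            vec = [binom_cdf(cell["k"][f], cell["n"], overall[f]) for f in frames]
            vec += [binom_cdf(cell["k"][f], cell["n"], own[f]) for f in frames]
            sequence.append((interval, vec))
        features[merchant] = sequence
    return features


if __name__ == "__main__":
    tables = event_ratio_tables(SAMPLE)
    for merchant, sequence in event_features(tables).items():
        for interval, vec in sequence:
            print(merchant, interval, [round(v, 3) for v in vec])
```

A CDF value close to 1 means the interval's flagged-card count is unusually high for that baseline rate; the per-interval vectors form the time series that a sequence model would consume.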
The server system 102 is further configured to execute a neural network model (not shown in FIG. 1A) based, at least in part, on the event features of the individual entity of the plurality of entities 104a-104c. The neural network model includes an encoder-decoder-based long short-term memory (LSTM) architecture and a fully-connected neural network layer. The server system 102 is configured to predict anomalous entities of the plurality of entities 104a-104c based, at least in part, on the execution of the neural network model. The method steps for execution of the neural network model are herein explained in detail with reference to FIG. 4, and therefore, they are not reiterated for the sake of brevity.
FIG. 1B illustrates another exemplary representation of an environment 120 related to at least some embodiments of the present disclosure. Although the environment 120 is presented in one arrangement, other embodiments may include the parts of the environment 120 (or other parts) arranged otherwise depending on, for example, detection of the actual common point of purchase (CPP) compromised or breached merchants with increased precision, etc. The environment 120 generally includes a server system 122, a plurality of merchants 124a, 124b, and 124c, a transaction database 126, a common point of purchase (CPP) model 128 (hereinafter referred to as the CPP model 128), an acquirer server 132, and a payment network 134 including a payment server 136, each coupled to, and in communication with (and/or with access to) a network 130. The network 130 may include, without limitation, a light fidelity (Li-Fi) network, a local area network (LAN), a wide area network (WAN), a metropolitan area network (MAN), a satellite network, the Internet, a fiber-optic network, a coaxial cable network, an infrared (IR) network, a radio frequency (RF) network, a virtual network, and/or another suitable public and/or private network capable of supporting communication among the entities illustrated in FIG. 1B, or any combination thereof.
Various entities in the environment 120 may connect to the network 130 in accordance with various wired and wireless communication protocols, such as Transmission Control Protocol and Internet Protocol (TCP/IP), User Datagram Protocol (UDP), 2nd Generation (2G), 3rd Generation (3G), 4th Generation (4G), 5th Generation (5G) communication protocols, Long Term Evolution (LTE) communication protocols, or any combination thereof. For example, the network 130 may include multiple different networks, such as a private network made accessible by the network 130 to the server system 122, and a public network (e.g., the Internet, etc.).
The plurality of merchants 124a-124c includes a list of merchants where a plurality of cardholders (not shown in figures) may have transacted with the help of a payment instrument (e.g., payment card, payment wallet, payment account, etc.). In an embodiment, the plurality of merchants 124a-124c may include CPP compromised merchants or non-compromised merchants. In addition, the CPP compromised merchants may be identified based on the execution of the CPP model 128.
For example, the plurality of cardholders may perform an online payment transaction (i.e., by accessing the merchant’s website on a web browser or an application installed in a mobile device) or an offline payment transaction (i.e., by performing the payment transaction on a payment terminal (e.g., point-of-sale (POS) device, automated teller machine (ATM), etc.) installed inside a facility). In a successful payment transaction, a payment amount gets debited from the payment account of the cardholder and gets credited in the payment account of the merchant (e.g., the plurality of merchants 124a-124c).
In one embodiment, the payment account of the plurality of merchants 124a-124c is associated with an acquirer bank (e.g., the acquirer server 132). The acquirer server 132 is associated with a financial institution (e.g., a bank) that processes financial transactions. This can be an institution that facilitates the processing of payment transactions for physical stores, merchants, or an institution that owns platforms that make online purchases or purchases made via software applications possible (e.g., shopping cart platform providers and in-app payment processing providers). The terms “acquirer”, “acquiring bank”, or “acquirer server” will be used interchangeably herein.
In one embodiment, the payment account of the plurality of cardholders is associated with an issuing bank (e.g., issuer server) (not shown in figures), in which a cardholder may have a payment account, (which also issues a payment card, such as a credit card or a debit card), and provides microfinance banking services (e.g., payment transaction using credit/debit cards) for processing electronic payment transactions, to the cardholder. The terms "issuer bank", "issuing bank" or simply "issuer" will be used interchangeably herein.
The transaction database 126 may securely store data associated with the plurality of merchants 124a-124c. In one embodiment, information associated with the plurality of merchants 124a-124c may be accessed, stored, or modified in the transaction database 126 using a database management system (DBMS) or a relational database management system (RDBMS).
The CPP model 128 is configured to identify possible common points of purchase (CPP) compromised merchants. The procedure is preferably performed periodically (e.g., once per week) in a continuing succession of analysis cycles. The illustrated procedure utilizes payment card transaction data (such as the data collected by payment networks) and fraud data (such as anomalous fraud cards reported by issuers to payment associations). These data may be maintained in two separate data sets or databases or may be combined into a larger data set or database. For ease of use, the data can be sorted by payment account number, merchant name, acquirer bank ID (an alphanumeric code), merchant category code (MCC), and/or transaction date, and may be summarized; for example, daily counts can be taken of transactions and number of accounts transacted by merchant name, acquirer bank ID and MCC. However, the CPP model 128 provides an undesirably high false positive rate.
To reduce the false positives, the server system 122 is configured to perform one or more of the operations described herein. The server system 122 is configured to detect actual CPP compromised merchants out of the plurality of merchants 124a-124c. In particular, the server system 122 is configured to implement a post-CPP process that utilizes time-series classification features generated by distribution modelling, thereby reducing the false positives and maintaining true positive cases.
In an embodiment, the server system 122 is identical to the server system 102 of FIG. 1A. In another embodiment, the server system 122 is the payment server 136. The server system 122 is a separate part of the environment 120 and may operate apart from (but still in communication with, for example, via the network 130), the plurality of merchants 124a-124c, and any third-party external servers (to access data to perform the various operations described herein). However, in other embodiments, the server system 122 may actually be incorporated, in whole or in part, into one or more parts of the environment 120, for example, the merchant 124a. In addition, the server system 122 should be understood to be embodied in at least one computing device in communication with the network 130, which may be specifically configured, via executable instructions, to perform as described herein, and/or embodied in at least one non-transitory computer-readable media.
The server system 122 is configured to access historical transaction data associated with the plurality of merchants 124a-124c within a particular time window (e.g., 1 year, 2 years, 3 years, etc.) from the transaction database 126. The historical transaction data includes at least information of probable anomaly transactions (i.e., fraudulent payment transactions performed using fraudulent payment cards) detected at the plurality of merchants 124a-124c. The particular time window is further divided into a set of timestamp intervals. In one embodiment, each timestamp interval may include monthly, quarterly, annually, and the like. In an embodiment, the plurality of merchants 124a-124c includes already identified CPP compromised merchants based on execution of the CPP model 128. In another embodiment, the plurality of merchants 124a-124c includes already identified merchants that support money laundering transactions, and such merchants are identified based on conventional methods already known in the art.
The server system 122 is further configured to generate a fraud ratio table corresponding to each merchant of the plurality of merchants 124a-124c based, at least in part, on the historical transaction data. In one embodiment, the fraud ratio table is identical to the event ratio table of FIG. 1A. The fraud ratio table is generated based, at least in part, on fraud reporting of payment accounts used at the individual merchant within the particular time window across the set of timestamp intervals. In one example, the anomaly transaction may include a fraudulent transaction, money laundering transaction, and the like. In one embodiment, the set of timestamp intervals are represented in a plurality of rows and the particular time frame is represented in a plurality of columns in the fraud ratio table.
Furthermore, the server system 122 is configured to convert the probability values into event features for each merchant of the plurality of merchants 124a-124c based, at least in part, on the fraud ratio table and binomial distribution modelling methods (explained in detail hereinafter with reference to FIGS. 3A-3B).
The server system 122 is further configured to execute the neural network model (not shown in FIG. 1B) based, at least in part, on the event features of the individual merchant of the plurality of merchants 124a-124c. The neural network model includes the encoder-decoder-based long short-term memory (LSTM) architecture and the fully-connected neural network layer. The server system 122 is configured to predict actual fraudulent merchants from the plurality of merchants 124a-124c based, at least in part, on the execution of the neural network model. The method steps for execution of the neural network model are herein explained in detail with reference to FIG. 4, and therefore, they are not reiterated for the sake of brevity.
In one embodiment, the payment network 134 may be used by the payment card issuing authorities as a payment interchange network. The payment network 134 may include a plurality of payment servers such as the payment server 136. Examples of payment interchange networks include, but are not limited to, Mastercard® payment system interchange network. The Mastercard® payment system interchange network is a proprietary communications standard promulgated by Mastercard International Incorporated® for the exchange of financial transactions among a plurality of financial activities that are members of Mastercard International Incorporated®. (Mastercard is a registered trademark of Mastercard International Incorporated located in Purchase, N.Y.).
The number and arrangement of systems, devices, and/or networks shown in FIG. 1B is provided as an example. There may be additional systems, devices, and/or networks; fewer systems, devices, and/or networks; different systems, devices, and/or networks; and/or differently arranged systems, devices, and/or networks than those shown in FIG. 1B. Furthermore, two or more systems or devices shown in FIG. 1B may be implemented within a single system or device, or a single system or device shown in FIG. 1B may be implemented as multiple, distributed systems or devices. Additionally, or alternatively, a set of systems (e.g., one or more systems) or a set of devices (e.g., one or more devices) of the environment 120 may perform one or more functions described as being performed by another set of systems or another set of devices of the environment 120.
Referring now to FIG. 2, a simplified block diagram of a server system 200 is shown, in accordance with an embodiment of the present disclosure. The server system 200 is similar to the server system 102 or the server system 122. In some embodiments, the server system 200 is embodied as a cloud-based and/or SaaS-based (software as a service) architecture.
The server system 200 includes a computer system 202 and a database 204. The computer system 202 includes at least one processor 206 for executing instructions, a memory 208, a communication interface 210, and a storage interface 214 that communicate with each other via a bus 212.
In some embodiments, the database 204 is integrated within the computer system 202. For example, the computer system 202 may include one or more hard disk drives as the database 204. The storage interface 214 is any component capable of providing the processor 206 with access to the database 204. The storage interface 214 may include, for example, an Advanced Technology Attachment (ATA) adapter, a Serial ATA (SATA) adapter, a Small Computer System Interface (SCSI) adapter, a RAID controller, a SAN adapter, a network adapter, and/or any component providing the processor 206 with access to the database 204. In one embodiment, the database 204 is configured to store a neural network model 224.
Examples of the processor 206 include, but are not limited to, an application-specific integrated circuit (ASIC) processor, a reduced instruction set computing (RISC) processor, a complex instruction set computing (CISC) processor, a field-programmable gate array (FPGA), and the like. The memory 208 includes suitable logic, circuitry, and/or interfaces to store a set of computer-readable instructions for performing operations. Examples of the memory 208 include a random-access memory (RAM), a read-only memory (ROM), a removable storage drive, a hard disk drive (HDD), and the like. It will be apparent to a person skilled in the art that the scope of the disclosure is not limited to realizing the memory 208 in the server system 200, as described herein. In another embodiment, the memory 208 may be realized in the form of a database server or cloud storage working in conjunction with the server system 200, without departing from the scope of the present disclosure.
The processor 206 is operatively coupled to the communication interface 210 such that the processor 206 is capable of communicating with a remote device 216 such as the payment server 136, or communicating with any entity connected to the network 110 (as shown in FIG. 1A) or the network 130 (as shown in FIG. 1B). In one embodiment, the processor 206 is configured to access historical event data (e.g., historical transaction data) associated with the plurality of entities 104a-104c (e.g., the plurality of merchants 124a-124c) within a particular time window (e.g., 1 year, 2 years, 3 years, etc.) from a database (e.g., the event database 106 or the transaction database 126).
It is noted that the server system 200 as illustrated and hereinafter described is merely illustrative of an apparatus that could benefit from embodiments of the present disclosure and, therefore, should not be taken to limit the scope of the present disclosure. It is noted that the server system 200 may include fewer or more components than those depicted in FIG. 2.
In one embodiment, the processor 206 includes a data pre-processing engine 218, a feature generation engine 220, and a neural network engine 222. It should be noted that components, described herein, such as the data pre-processing engine 218, the feature generation engine 220, and the neural network engine 222 can be configured in a variety of ways, including electronic circuitries, digital arithmetic and logic blocks, and memory systems in combination with software, firmware, and embedded technologies.
With reference to FIG. 1A, the data pre-processing engine 218 is configured to access historical event data associated with the plurality of entities 104a-104c within the particular time window (e.g., 6 months, 1 year, 2 years, etc.) from the event database 106. The historical event data includes at least information of probable anomaly events detected at the plurality of entities 104a-104c.
In one example, the historical event data may include information of a plurality of transactions (e.g., financial payment transactions performed using fraudulent payment cards) performed at the plurality of entities 104a-104c (e.g., the plurality of merchants 124a-124c) within the particular time window. In addition, the probable anomaly events may refer to money laundering transactions performed at the plurality of merchants 124a-124c for money laundering related activities. It is to be noted that the plurality of merchants 124a-124c may include merchants that are already identified for supporting money laundering transactions based on conventional money laundering-based algorithms already known in the art.
The data pre-processing engine 218 is configured to perform operations (such as data-cleaning, normalization, feature extraction, and the like) on the historical event data (with reference to FIG. 1A) or the historical transaction data (with reference to FIG. 1B). In one embodiment, the particular time window is divided into a set of timestamp intervals. For example, the historical transaction data may include information of a plurality of payment transactions performed at the plurality of merchants 124a-124c within the particular time window. In addition, the probable anomaly events may refer to fraudulent payment transactions that may be performed at the plurality of merchants 124a-124c. It is to be noted that the plurality of merchants 124a-124c may include CPP compromised merchants already identified based on conventional CPP detection algorithms already known in the art.
In one example, the historical transaction data includes information such as merchant name identifier, unique merchant identifier, a timestamp, geo-location data, information of the payment instrument involved in the payment transaction, and the like. In addition, the historical transaction data includes information of a plurality of transactions (e.g., fraudulent transactions or non-fraudulent transactions, money laundering transactions or non-money laundering transactions, etc.).
Further, the data pre-processing engine 218 is configured to generate an event ratio table corresponding to an individual entity of the plurality of entities 104a-104c based, at least in part, on the historical event data (with reference to FIG. 1A). More specifically, the data pre-processing engine 218 is configured to generate a separate event ratio table for each entity of the plurality of entities 104a-104c based on the historical event data.
In one embodiment, the event ratio table shows the distribution of event ratios across the various time windows and the set of timestamp intervals. The event ratio may further be termed as an event detection rate of the previously occurred anomaly event within a particular time frame from the time of the first occurrence of the anomaly event across the set of timestamp intervals.
The event ratio table (or the fraud ratio table) includes a plurality of rows, a plurality of columns, and a plurality of cells. In general, a cell refers to the intersection of a row and a column in a table. In one embodiment, the plurality of rows refers to the set of timestamp intervals. More specifically, each row of the plurality of rows refers to a timestamp interval of the set of timestamp intervals. For example, each row refers to a monthly interval, quarterly interval, half-yearly interval, and the like.
In addition, the plurality of columns in the event ratio table (or the fraud ratio table) represents a plurality of time frames. The event ratio table represents an event detection rate of an anomaly event within a particular time frame from the time of first occurrence of the anomaly event across the set of timestamp intervals. More specifically, each column of the plurality of columns represents a particular time frame of the plurality of time frames. Further, a plurality of cells represents the corresponding event detection rate of the anomaly event (for example, fraudulent transaction, money laundering transaction, etc.) within the particular time frame (i.e., denoted by columns) from a time of first occurrence of the anomaly event across the set of timestamp intervals (i.e., denoted by rows).
More illustratively, with reference to FIG. 1B, the data pre-processing engine 218 is configured to receive a list of possible CPP compromised merchants from the CPP model 128. Upon receiving the list of possible CPP compromised merchants, the data pre-processing engine 218 is configured to identify payment accounts having fraudulent transactions of a certain type (e.g., anomalous) during a predetermined time basis (e.g., monthly) for each merchant (for example, the merchant 124a) from the list of possible CPP compromised merchants.
For reference, the payment accounts will be called “compromised accounts”. For each compromised account, payment transactions performed prior to the date of the first fraudulent transaction and later than a predetermined start date are identified. For reference, these transactions will be called “pre-fraud transactions” and payment accounts with pre-fraud transactions will be called “pre-fraud” payment accounts to distinguish them among the other accounts transacted at a merchant. The transaction information can be stored in one or more databases and/or can be streamed or otherwise provided to the server system 122. In one embodiment, the transaction information can include, for example, a purchase date and time, a purchase amount, a merchant name, merchant category code (MCC), a bank identification number (BIN), a merchant location (including street number, address, city, state, country, uniform resource locator, and/or the like), and/or can include any other suitable information about a transaction.
Thereafter, the data pre-processing engine 218 is configured to determine the number of pre-fraud payment accounts that are involved with the merchant 124a during a particular time window. For example, for each merchant, the total number of transactions performed at the merchant is calculated. The number of payment accounts involved in the transactions is computed for each date occurring in the pre-fraud transactions at that merchant. The number of payment accounts is used as the denominator to determine fraud ratios.
In one example, there are 100 merchants M1-M100 identified as possible CPP compromised merchants. Then, the data pre-processing engine 218 is configured to perform fraud analysis for each merchant for the past year. For example, consider the following scenario: Account 1 performed a payment transaction at M1 in January, at M4 in February, at M7 in April, and at M9 in November during the past one year. Account 1 was reported as fraud after performing the payment transaction at M7 in May. Thus, it can be inferred that the merchant accounts M1, M4, and M7 may be the more likely points of compromise. To capture such fraud analysis, a fraud ratio table for a merchant M1 is calculated for the past one year. The fraud ratio for a particular time interval of interest depends on the total number of accounts transacted at the merchant within the particular time interval of interest and the number of payment cards that were reported as fraud within the particular time interval and had previously transacted with the merchant.
In other words, the data pre-processing engine 218 is configured to determine fraud ratios for each merchant on a monthly basis. The fraud ratios are determined based on the time of the report of the payment accounts as fraudulent. In one example, these payment accounts are basically reported as fraudulent because payment cards associated with these payment accounts may have been used for performing fraudulent payment transactions at the merchant without the consent of their respective cardholders. The fraud ratio table shows the distribution of fraud ratios across the various time windows and the set of timestamp intervals. The fraud ratio may further be defined based on the fraud reporting rate of payment accounts from corresponding times of usage of the payment accounts at the individual merchant across the set of timestamp intervals.
The format of the event ratio table (or the fraud ratio table) is explained in detail hereinafter with reference to FIG. 3A, and therefore, it is not reiterated for the sake of brevity. The processor 206 is configured to pass the event ratio table (or the fraud ratio table) as an input to the feature generation engine 220.
The feature generation engine 220 includes suitable logic and/or interfaces for generating event features associated with each timestamp interval (i.e., each row of the event ratio table) of the set of timestamp intervals for the individual entity of the plurality of entities 104 based, at least in part, on the event ratio table and binomial distribution modelling methods (with reference to FIG. 1A).
With reference to FIG. 1B, the feature generation engine 220 is configured to generate event features associated with each timestamp interval (i.e., each row of the fraud ratio table) of the set of timestamp intervals for the individual merchant of the plurality of merchants 124 based, at least in part, on the fraud ratio table and binomial distribution modelling methods.
In one embodiment, the feature generation engine 220 is configured to create a Poisson/binomial distribution of fraud payment accounts at merchant level.
More specifically, each value (i.e., denoted with a cell) in the event ratio table or the fraud ratio table is converted into the event feature (i.e., cumulative distribution function (CDF)). In general, the CDF of a random variable X is the probability that X is less than or equal to a given value x. Mathematically, the CDF of a random variable X may be defined as:
F_X(x) = P(X ≤ x), for all x ∈ ℝ. … Eqn. (1)
In one embodiment, the feature generation engine 220 is configured to determine each event feature (i.e., denoted as a cell in the plurality of cells) based on three inputs, including a total number of payment cards used to perform payment transactions at the corresponding merchant for the particular timestamp interval of the set of timestamp intervals, p-value of the binomial distribution for the particular time frame (i.e., the particular column of the plurality of columns), and a number of the probable anomaly events (i.e., the fraudulent payment cards used to perform fraudulent payment transactions) performed for the particular timestamp interval of the set of timestamp intervals. In other words, the event features for each timestamp interval are based, at least in part, on binomial probability function corresponding to the particular time frame, a total number of events that occurred at the entity within the timestamp interval and the event detection rate of the anomaly event within the particular time frame.
In one embodiment, the generation of the event ratio table (or the fraud ratio table) results in the reduction of false-positive error during execution of the neural network model 224. In general, the false-positive error is an error in binary classification in which a test result wrongly indicates the presence of a condition when the condition is not actually present (for example, a test result may show disease when the disease is not actually present). Additionally, the event ratio table (or the fraud ratio table) distributes the event ratios (or the fraud ratios) over different time periods (i.e., across the set of timestamp intervals and the time frames). It is to be noted that generation of the event ratio table (or the fraud ratio table) is computationally easier than generation of a graph or adjacency matrix.
In an embodiment, the feature generation engine 220 is configured to generate the event features for the individual entity at an entity level and an overall level (with reference to the FIG. 1A). In another embodiment, the feature generation engine 220 is configured to generate the event features for the individual merchant at a merchant level and an overall level (with reference to the FIG. 1B).
It is to be noted that utilization of only the event ratios (or the fraud ratios) as the event features may lead to the generation of a lot of errors, and utilization of only the number of anomaly events (i.e., the fraudulent transactions, money laundering transactions, etc.) may always favor the large entities (e.g., the large merchants), and therefore, binomial distribution modelling methods are utilized to generate the event features at the entity level and the overall level. The feature generation engine 220 is configured to generate an overall event feature (overall CDF) for each time window (i.e., column-wise). In an embodiment, the feature generation engine 220 is configured to generate a Poisson/binomial distribution, where mean is the average number of the anomaly events (i.e., fraudulent payment cards) for each total number of payment cards bin by sampling over these bins. In another embodiment, the feature generation engine 220 is configured to generate a Poisson/binomial distribution, where the mean is the average number of the anomaly events (i.e., fraudulent payment cards) for the corresponding merchant in the last 6 months.
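The following added example (not part of the specification) builds one row of the fraud ratio table for three constructed merchants and converts each cell into a binomial CDF feature from the three inputs named above: accounts seen in the interval, fraud-reported accounts within the time frame, and p for that time frame. Assumptions not stated in the specification: months are integer indices, a time frame is a maximum lag in months between use at the merchant and the fraud report, and p is the pooled fraud rate across all merchants for that column.

```python
from collections import defaultdict

# Columns of the fraud ratio table. The lag values are an assumption:
# maximum months between use at the merchant and the fraud report.
TIME_FRAMES = {"same_month": 0, "first_3_months": 2, "first_6_months": 5}


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), built up term by term from P(X = 0)."""
    if p <= 0.0:
        return 1.0
    if p >= 1.0:
        return 1.0 if k >= n else 0.0
    pmf = (1.0 - p) ** n
    total = pmf
    for i in range(k):
        pmf *= (n - i) / (i + 1) * p / (1.0 - p)
        total += pmf
    return min(total, 1.0)


def count_table(transactions, fraud_reports):
    """Per (merchant, month): n accounts seen, and k per time frame reported as fraud."""
    seen = defaultdict(set)
    for account, merchant, month in transactions:
        seen[(merchant, month)].add(account)
    counts = {}
    for (merchant, month), accounts in seen.items():
        k = {}
        for frame, max_lag in TIME_FRAMES.items():
            # Only reports at or after the month of use count (pre-fraud usage).
            k[frame] = sum(
                1 for a in accounts
                if a in fraud_reports and 0 <= fraud_reports[a] - month <= max_lag
            )
        counts[(merchant, month)] = (len(accounts), k)
    return counts


def build_features(transactions, fraud_reports):
    """Return (fraud ratio table, CDF feature table, pooled p per time frame)."""
    counts = count_table(transactions, fraud_reports)
    total_n = sum(n for n, _ in counts.values())
    # Assumption: p for a column is the pooled rate over every merchant and row.
    p = {f: sum(k[f] for _, k in counts.values()) / total_n for f in TIME_FRAMES}
    ratios, features = {}, {}
    for key, (n, k) in counts.items():
        ratios[key] = {f: k[f] / n for f in TIME_FRAMES}
        features[key] = {f: binom_cdf(k[f], n, p[f]) for f in TIME_FRAMES}
    return ratios, features, p


def constructed_sample():
    """Constructed data: (account, merchant, month) records and account -> report month."""
    txns, reports = [], {}
    for i in range(20):            # small merchant, 1 of 20 accounts reported
        txns.append((f"s{i}", "M_small", 0))
    reports["s0"] = 1
    for i in range(400):           # large merchant, 20 of 400 accounts reported
        txns.append((f"l{i}", "M_large", 0))
        if i < 5:
            reports[f"l{i}"] = 0
        elif i < 20:
            reports[f"l{i}"] = 2
    for i in range(600):           # high-volume merchant, 6 of 600 accounts reported
        txns.append((f"c{i}", "M_clean", 0))
        if i < 6:
            reports[f"c{i}"] = 1
    return txns, reports


if __name__ == "__main__":
    ratios, features, p = build_features(*constructed_sample())
    for merchant in ("M_small", "M_large", "M_clean"):
        key = (merchant, 0)
        for frame in TIME_FRAMES:
            print(f"{merchant:8s} {frame:15s} ratio={ratios[key][frame]:.4f} "
                  f"cdf={features[key][frame]:.4f}")
```

M_small and M_large have the same fraud ratio in the 3-month column but different CDF features, and M_clean has more fraud-reported accounts than M_small yet the lowest feature, which is the behaviour the passage attributes to ratio-only and count-only features.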
In one embodiment, the feature generation engine 220 is configured to categorize the plurality of entities 104a-104c (i.e., the plurality of merchants 124a-124c) into a plurality of categories. The feature generation engine 220 is further configured to generate a distribution curve for each category of the plurality of categories and each entity (or the merchant) of the plurality of entities 104a-104c (or the plurality of merchants 124a-124c) based, at least in part, on the binomial distribution modelling methods. Furthermore, the feature generation engine 220 compares the distribution curve of each entity with the distribution curve of the category to which the entity belongs to detect outlier entities out of the plurality of entities 104. The event features (CDFs) corresponding to an individual entity (e.g., individual merchant) are fed as an input to the neural network engine 222.
In one embodiment, the neural network engine 222 includes suitable logic and/or interfaces for determining actual CPP compromised merchants from the possible CPP compromised merchants based, at least in part, on the event features and neural network model 224. The neural network model 224 includes an encoder-decoder based long short-term memory (LSTM) architecture and a fully-connected neural network layer. In an example, the neural network engine 222 is configured to perform error reduction in the already identified CPP compromised merchants based on conventional CPP detection algorithms (e.g., the CPP model 108) already known in the art.
The encoder-decoder-based LSTM architecture includes an LSTM encoder architecture and an LSTM decoder architecture. The LSTM encoder architecture includes a plurality of LSTM encoders and the LSTM decoder architecture includes a plurality of LSTM decoders. The neural network engine 222 is configured to input the event features (i.e., the CDFs) corresponding to a particular timestamp interval of the set of timestamp intervals for each merchant (e.g., the merchant 124a) in the LSTM encoder architecture. More specifically, each event feature (i.e., each CDF) corresponding to a particular timestamp interval is fed as an input to each LSTM encoder of the plurality of LSTM encoders. In a similar manner, the entire fraud ratio table corresponding to each merchant is fed as an input to the LSTM encoder architecture.
The neural network engine 222 is configured to input the event features (i.e., CDFs) corresponding to a particular timestamp interval for each merchant in the LSTM encoder architecture. The LSTM encoder architecture is further configured to generate a hidden state vector for the event features (CDFs) inputted for the corresponding timestamp interval based, at least in part, on the LSTM encoder architecture of the neural network model 224.
Furthermore, the neural network engine 222 is configured to feed the output of the LSTM encoder architecture as an input to the LSTM decoder architecture. In an embodiment, a number of the plurality of LSTM encoders is equal to a number of the plurality of LSTM decoders. In another embodiment, a number of the plurality of LSTM encoders is not equal to the number of the plurality of LSTM decoders.
The neural network engine 222 is further configured to input the hidden state vector as an input to the LSTM decoder architecture of the neural network model 224. The hidden state vector is a combination of a plurality of vectors. In one embodiment, the LSTM decoder architecture of the neural network model 224 receives the hidden state vector for a current timestamp interval as an input. In addition, each vector of the plurality of vectors is fed as an input to each LSTM based decoder of a plurality of LSTM based decoders of the decoder architecture at a current time step. The neural network engine 222 is further configured to generate a plurality of time-series values based on execution of the plurality of LSTM based decoders for the current time step. In one embodiment, each time-series value is generated as an output for each LSTM based decoder of the plurality of LSTM based decoders. In one embodiment, each time-series value is a binary value that helps in predicting whether the merchant is an actual CPP compromised merchant or not for the corresponding time frame (i.e., values represented as columns in the fraud ratio table).
The neural network engine 222 is configured to receive the hidden state vector for the next time interval and the plurality of time-series values generated at the current time interval as an input at the next time step. Each time-series value generated from each LSTM based decoder is fed as an input to a next subsequent LSTM based decoder of the plurality of LSTM based decoders of the decoder architecture. The neural network engine 222 is configured to execute the plurality of LSTM based decoders based on the hidden state vector for the next time interval and the generated plurality of time-series values at the current time interval for each iteration of a plurality of iterations to determine the probability of whether the merchant is an actual CPP compromised merchant for the particular time interval or not.
The neural network engine 222 is configured to pass the output of the plurality of LSTM based decoders through the fully-connected neural network layer to predict whether the merchant of the plurality of possible CPP compromised merchants is an actual CPP compromised merchant or not. Similarly, the neural network engine 222 is configured to execute the neural network model 224 for the plurality of merchants 124a-124c to determine the actual CPP compromised merchants from the possible CPP compromised merchants. In one embodiment, the neural network engine 222 is configured to determine whether the merchant is an actual CPP compromised merchant or not for the particular time frame of the plurality of time frames. In addition, the neural network engine 222 is configured to determine whether the merchant is an actual CPP compromised merchant or not at an overall level. With reference to FIG. 1B, the neural network engine 222 is configured to determine whether the merchant is compromised (i.e., used to perform money laundering transactions) or not for the particular time frame of the plurality of time frames, and also determine whether the merchant is actually compromised (i.e., used to perform money laundering transactions) or not.
During the training phase, the neural network engine 222 is configured to train the neural network model 224 based on the training data. The training data includes the fraud ratio tables corresponding to the plurality of merchants 124a-124c. The fraud ratio tables are converted into the event features (i.e., the CDFs) based on the methods explained above. The neural network engine 222 is further configured to execute the neural network model 224 based on the training data. The encoder-decoder-based LSTM architecture is trained based on the training data with the execution of the neural network model 224.
During the training phase, the neural network engine 222 is configured to optimize the neural network parameters (e.g., weights and biases) of the neural network model 224 based, at least in part, on a cumulative loss function. It is to be noted that the objective of the training process is to minimize the cumulative loss function till a threshold value is reached. The cumulative loss function includes an entity loss function and a timestamp-based loss function. In general, the loss function is a prediction error of any neural network, and the method of calculation of the loss is termed as the loss function.
In one embodiment, the entity loss function is the error rate for prediction of the actual CPP compromised merchant based on the calculation of the individual timestamp-based loss functions. The neural network engine 222 is configured to optimize the neural network parameters (i.e., weights and biases) of the LSTM decoder architecture to minimize the entity loss function for each merchant till the threshold value. In one embodiment, the timestamp-based loss function is the error rate for prediction of the actual CPP compromised merchant for each LSTM decoder of the plurality of LSTM decoders. The neural network engine 222 is configured to optimize the neural network parameters (i.e., weights and biases) of each LSTM decoder of the plurality of LSTM decoders to minimize the timestamp-based loss function for each timestamp interval (or each LSTM decoder of the plurality of LSTM decoders) till the threshold value.
FIG. 3A is an example representation 300 of a fraud ratio table corresponding to an individual merchant 124a from possible CPP compromised merchants, in accordance with an embodiment of the present disclosure. Each cell in the fraud ratio table represents the fraud reporting rate of payment accounts from corresponding times of usage of the payment accounts at the individual merchant 124a across the set of timestamp intervals. In other words, the fraud ratio table represents the fraud reporting rate of payment accounts within a particular time frame (e.g., same month, first 3 months, first 6 months, etc.) from corresponding times of usage of the payment accounts at the individual merchant across the set of timestamp intervals.
As explained above, the processor 206 is configured to generate the fraud ratio table corresponding to the individual merchant (e.g., the merchant 124a). The fraud ratio table includes a plurality of rows, a plurality of columns, and a plurality of cells. The plurality of rows includes a caption row and a plurality of timestamp rows. The caption row depicts the captions or headings (for example, ꞌexposed startꞌ, ꞌtotal primary account number (PAN)ꞌ, ꞌfraud cards_samemonthꞌ, ꞌfraud cards_1st3monthsꞌ, ꞌfraud cards_1st6monthsꞌ, ꞌfraud cards_1styearꞌ, and ꞌfraud cards_totalꞌ). The plurality of timestamp rows depicts the set of timestamp intervals. With reference to FIG. 3A, each timestamp row depicts a monthly timestamp interval of the set of timestamp intervals.
For example, the plurality of timestamp intervals depicts ꞌ201901ꞌ, ꞌ201902ꞌ, ꞌ201903ꞌ, ꞌ201904ꞌ, ꞌ201905ꞌ, and the like. In addition, the plurality of columns includes a plurality of normal columns and a plurality of time window columns. In one embodiment, the plurality of normal columns includes ꞌexposed_startꞌ column and ꞌtotal primary account number (PAN)ꞌ column. In one embodiment, the plurality of time window columns includes five columns namely, ꞌfraud cards_samemonthꞌ, ꞌfraud cards_1st3monthsꞌ, ꞌfraud cards_1st6monthsꞌ, ꞌfraud cards_1styearꞌ, and ꞌfraud cards_totalꞌ (as shown in FIG. 3A).
The ꞌtotal PANꞌ column depicts the total number of payment cards that have transacted at the corresponding merchant of the plurality of merchants 124a-124c. The ꞌexposed_startꞌ column depicts the set of timestamp intervals (e.g., 201901, 201902, 201903, etc.). The ꞌfraud cards_samemonthꞌ column depicts the number of fraudulent payment cards that have transacted at the corresponding merchant of the plurality of merchants 124a-124c in the same month. It is to be noted that the fraudulent payment cards here refer to payment cards that have been used to conduct fraudulent payment transactions, and the payment cards have been used earlier at a CPP compromised merchant where the payment cards have been compromised.
The ꞌfraud cards_1st3monthsꞌ column depicts the number of fraudulent payment cards that have transacted at the corresponding merchant of the plurality of merchants 124a-124c in the first three months of report of the CPP merchant. The ꞌfraud cards_1st6monthsꞌ column depicts the number of fraudulent payment cards that have transacted at the corresponding merchant of the plurality of merchants 124a-124c in the first six months of report of the CPP merchant. The ꞌfraud cards_1styearꞌ column depicts the number of fraudulent payment cards that have transacted at the corresponding merchant of the plurality of merchants 124a-124c in the first year of report of the CPP merchant. Further, the ꞌfraud cards_totalꞌ column depicts the total number of the fraudulent payment cards that have transacted at the corresponding merchant of the plurality of merchants 124a-124c. In one embodiment, all the cells under the plurality of time frame columns are termed as the plurality of cells, and values stored in these plurality of cells are converted into the event features (i.e., CDFs).
With reference to FIG. 3A, the fraud ratio table depicts the distribution of the fraudulent payment cards that have transacted at the corresponding merchant of the plurality of merchants 124a-124c across the set of timestamp intervals. As explained above in FIG. 2, the fraud ratios depicted in the fraud ratio table are further converted into the event features. In one embodiment, the processor 206 is configured to input the event features corresponding to each merchant of the plurality of merchants 124a-124c to a neural network. The processor 206 is configured to identify a trend based on the execution of the neural network. In one embodiment, the neural network is a convolution neural network (CNN). Based on the execution of the CNN, an inverse L-shaped trend is observed depicting an increase in the probable anomaly event (e.g., the fraudulent payment cards) in the last time frames (e.g., ꞌfraud cards_1st6monthsꞌ, ꞌfraud cards_1styearꞌ, and ꞌfraud cards_totalꞌ). It is to be noted that the inverse L-shaped trend depicts the increase in the probable anomaly event in the last time frames because the fraudulent payment cards are generally reported after some time of occurrence of the fraudulent payment transactions. In one embodiment, the fraudulent payment transactions may be reported by the cardholders after some time of occurrence of the fraudulent payment transactions.
FIG. 3B is an example representation 310 of event features corresponding to a merchant of the plurality of merchants 124a-124c, in accordance with an embodiment of the present disclosure. In one embodiment, the processor 206 is configured to convert the fraud ratio table (shown in FIG. 3A) into the event features (shown in FIG. 3B).
As explained above, the feature generation engine 220 is configured to generate the event features (i.e., CDFs) from the event ratios (or the fraud ratios) (denoted as the plurality of cells) based, at least in part, on the binomial distribution modelling methods. In one embodiment, the event ratios (or the fraud ratios) are converted into the corresponding cumulative distribution function (CDF) for each merchant of the plurality of merchants 124a-124c.
With reference to FIG. 3B, a table depicts the event features corresponding to a merchant of the plurality of merchants 124a-124c. In an example, the table includes ꞌexposed_startꞌ column and ꞌtotal primary account number (PAN)ꞌ column. The ꞌexposed_startꞌ column and ꞌtotal primary account number (PAN)ꞌ column shown in FIG. 3B are similar to the ꞌexposed_startꞌ column and ꞌtotal primary account number (PAN)ꞌ column, shown in FIG. 3A respectively. In addition, the event features are shown in five columns including ꞌoverall CDF_samemonthꞌ, ꞌoverall CDF_1st3monthsꞌ, ꞌoverall CDF_1st6monthsꞌ, ꞌoverall CDF_1styearꞌ, and ꞌoverall CDF_totalꞌ.
In an example, the fraud ratios are converted into the CDFs for each merchant of the plurality of merchants 124a-124c. In another example, the event ratios are converted into the CDFs for each entity of the plurality of entities 104a-104c. The event ratios or the fraud ratios are converted into the CDFs based on three inputs, including the total number of PANs (i.e., total_PAN), p-value of the binomial distribution for each time frame (e.g., 'same month', ‘1st3months’, ‘1st6months’, etc.) (i.e., overall CDF for a particular time window), and a number of fraudulent payment cards at each time frame for a given timestamp interval.
In one example, the total number of the payment cards is denoted as N = 20. p-value of the binomial distribution for the corresponding time frame is denoted as P = 0.7. In addition, the number of fraudulent payment cards is equal to 15. Based on the above three values, the CDF for the particular cell turns out to be 0.76. Thus, the event features for each timestamp interval are based, at least in part, on binomial probability function (p) corresponding to the particular time frame, total number of events occurred (e.g., total number of payment accounts) at the entity (e.g., the merchant) within the timestamp interval and the event detection rate (e.g., fraud reporting rate) of the payment accounts in the particular time frame.
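The conversion of one fraud ratio table into CDF event features can be sketched as follows. This is an added example, not code from the specification: the table rows, the per-time-frame probabilities in SAMPLE_P, the underscore-style column keys, and the function names are constructed assumptions. The first row reproduces the N = 20, P = 0.7, 15 fraudulent cards case above.

```python
from math import exp, lgamma, log, log1p

# Time-frame columns of the fraud ratio table, named after the FIG. 3A captions.
TIME_FRAMES = ["samemonth", "1st3months", "1st6months", "1styear", "total"]


def binom_cdf(k: int, n: int, p: float) -> float:
    """Return P(X <= k) for X ~ Binomial(n, p).

    Terms are summed in log space so that a merchant with thousands of PANs
    does not overflow a float the way comb(n, i) * p**i would.
    """
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"p must lie in [0, 1], got {p}")
    if not 0 <= k <= n:
        # More fraud cards than cards seen at the merchant is a data error.
        raise ValueError(f"fraud count {k} is outside 0..total_PAN ({n})")
    if p == 0.0:
        return 1.0                       # X is always 0, so X <= k holds
    if p == 1.0:
        return 1.0 if k == n else 0.0    # X is always n
    log_p, log_q = log(p), log1p(-p)
    total = 0.0
    for i in range(k + 1):
        log_pmf = (lgamma(n + 1) - lgamma(i + 1) - lgamma(n - i + 1)
                   + i * log_p + (n - i) * log_q)
        total += exp(log_pmf)
    return min(total, 1.0)               # guard against rounding above 1


def event_features(fraud_ratio_table, p_by_frame):
    """Convert every time-frame cell of a fraud ratio table into a CDF value.

    Each output row keeps exposed_start and total_PAN and replaces the five
    fraud-card counts with overall_CDF_<frame> values (the FIG. 3B layout).
    """
    features = []
    for row in fraud_ratio_table:
        n = row["total_PAN"]
        out = {"exposed_start": row["exposed_start"], "total_PAN": n}
        for frame in TIME_FRAMES:
            k = row[f"fraud_cards_{frame}"]
            out[f"overall_CDF_{frame}"] = binom_cdf(k, n, p_by_frame[frame])
        features.append(out)
    return features


# Constructed binomial probability per time frame (assumption; only the 0.7
# for the first-year frame is taken from the example in the text).
SAMPLE_P = {"samemonth": 0.05, "1st3months": 0.2, "1st6months": 0.4,
            "1styear": 0.7, "total": 0.8}

# Constructed fraud ratio table for one merchant, one row per monthly interval.
SAMPLE_TABLE = [
    {"exposed_start": "201901", "total_PAN": 20,
     "fraud_cards_samemonth": 1, "fraud_cards_1st3months": 4,
     "fraud_cards_1st6months": 9, "fraud_cards_1styear": 15,
     "fraud_cards_total": 17},
    {"exposed_start": "201902", "total_PAN": 50,
     "fraud_cards_samemonth": 2, "fraud_cards_1st3months": 9,
     "fraud_cards_1st6months": 21, "fraud_cards_1styear": 36,
     "fraud_cards_total": 41},
    {"exposed_start": "201903", "total_PAN": 5000,
     "fraud_cards_samemonth": 260, "fraud_cards_1st3months": 1010,
     "fraud_cards_1st6months": 1990, "fraud_cards_1styear": 3520,
     "fraud_cards_total": 4005},
]

if __name__ == "__main__":
    for feat in event_features(SAMPLE_TABLE, SAMPLE_P):
        cells = ", ".join(f"{feat[f'overall_CDF_{f}']:.2f}" for f in TIME_FRAMES)
        print(feat["exposed_start"], feat["total_PAN"], cells)
```

The resulting rows form the per-timestamp input sequence that the encoder consumes, one vector of five CDF values per interval.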
FIG. 4 represents a simplified block diagram 400 of the neural network model 224, in accordance with an embodiment of the present disclosure.
As explained above, the neural network model 224 includes an LSTM encoder architecture 402 and an LSTM decoder architecture 404. The LSTM encoder architecture 402 includes a plurality of LSTM encoders 402a, 402b, 402c, 402d, and 402e and the LSTM decoder architecture 404 includes the plurality of LSTM decoders 404a, 404b, 404c, 404d, and 404e.
The encoder-decoder LSTM architecture (i.e., the neural network model 224) is a type of deep neural network that models the sequence of cumulative distributive functions (CDFs) using a Long Short-Term Memory (LSTM).
As shown in FIG. 4, the encoder-decoder-based LSTM architecture facilitates end-to-end mapping between an ordered multidimensional input sequence of CDFs and its matching output sequence. The LSTM encoder architecture 402 includes the plurality of LSTM encoders 402a-402e and the LSTM decoder architecture 404 includes the plurality of LSTM decoders 404a-404e. Although only five LSTM encoders 402a-402e are shown in FIG. 4, it will be appreciated that any number of LSTM blocks may be used (e.g., corresponding to the number of time frames that are selected for generation of these CDFs). More particularly, the plurality of LSTM encoders 402a-402e is fed with multi-dimensional vectors representing CDFs which appear for a particular timestamp interval of the set of timestamp intervals. The input to the plurality of LSTM encoders 402a-402e at each time duration is simply a vector associated with a CDF that appeared at that timestamp interval of the set of timestamp intervals. More specifically, a time length sequence of CDFs is captured by the plurality of LSTM encoders 402a-402e at different time intervals.
Each LSTM encoder (e.g., 402a, 402b, 402c, 402d, and 402e) learns a representation of a sequence of CDFs during a particular time duration and maintains a hidden vector "Hk," and a cell state vector "Ct-k". Both the hidden vector and the cell state vector are passed to a next LSTM encoder (e.g., from LSTM encoder 402a to LSTM encoder 402b) to initialize the next/subsequent LSTM encoder’s state. At the end, hidden and cell state vectors of the last LSTM encoder 402e are passed to a hidden layer 406. In one embodiment, the hidden layer 406 is configured to set the final hidden state of the LSTM encoder architecture 402 as the initial state of the LSTM decoder architecture 404.
As shown in FIG. 4, encoded hidden and cell state vectors (represented as the hidden state vector) are transferred to the plurality of LSTM decoders 404a-404e. The plurality of LSTM decoders 404a, 404b, 404c, 404d, and 404e try to reconstruct the same input time-length CDF at the output. A reconstructed time-length CDF sequence may then be compared with the original input time-length CDF sequence by calculating a reconstruction error. The LSTM decoder architecture 404 tries to reconstruct the same input vector and generate a context decoder output and a current decoder hidden state at each decoder time step. The context decoder output of each LSTM decoder (e.g., 404a, 404b, 404c, 404d, and 404e) passes to a fully-connected layer 408 which generates a probability vector representing an occurrence of all the set of distinct clusters. The sum of all probability vector values is ‘1’ which acts as one of the constraints for reconstruction. In one example, if the LSTM decoder architecture 404 is not able to reconstruct more than a predetermined number of CDFs, the encoder-decoder LSTM architecture adjusts various factors of the plurality of LSTM encoders 402 and the plurality of LSTM decoders 404.
In one non-limiting example, in order to configure the LSTM encoder architecture 402 and the LSTM decoder architecture 404, machine learning training techniques (e.g., using Stochastic Gradient Descent, backpropagation, etc.) can also be used. Thus, the encoder-decoder-based LSTM architecture provides a prediction accuracy as an output which represents a reconstruction probability of a time-length sequence of CDFs at the decoder side.
In one embodiment, the LSTM architecture (i.e., “the neural network model 224”) is trained using the event features (CDFs) corresponding to the plurality of entities 104a-104c. Further, during the execution process, when the neural network model 224 detects a reconstruction probability for a sequence of CDFs being higher than a threshold value, it means that the sequence of the CDFs has an anomalous behavior, and the entity may be classified as the anomalous entity.
In one embodiment, an LSTM encoder-decoder architecture (i.e., “the neural network model 224”) is trained using the event features (CDFs) corresponding to the plurality of merchants 124a-124c. Further, during the execution process, when the neural network model 224 detects a reconstruction probability for a sequence of CDFs being higher than a threshold value, it means that the sequence of the CDFs has an anomalous behavior, and the merchant may be classified as the CPP compromised merchant.
In one embodiment, during the training phase, the processor 206 is configured to optimize the neural network parameters (e.g., weights and biases) of the neural network model 224 based, at least in part, on the cumulative loss function. The objective is to minimize the cumulative loss function as much as possible. In one embodiment, the cumulative loss function is a weighted sum of the entity loss function and the timestamp-based loss function. More specifically, the timestamp-based loss function is used to calculate loss coming from row-level prediction (i.e., prediction based on a particular timestamp interval), and the entity loss function is used to calculate overall loss for the individual entity (e.g., the merchant).
In one embodiment, the cumulative loss function may be defined as:
Cumulative loss function = α * overall loss + β * row level loss … Eqn. (2)
The overall loss may further be calculated as:
overall loss = logloss(overall) … Eqn. (3)
In an example, the overall loss herein represents the entity loss function for the individual entity (e.g., the merchant).
Furthermore, the row level loss may be calculated as:
row level loss = logloss(o1) + logloss(o2) + logloss(o3) + logloss(o4) + … + logloss(oN) … Eqn. (4)
o1 = σ(w*d1+b) … Eqn. (5)
where σ is the sigmoid function. In an example, the row level loss herein represents the timestamp-based loss function for a particular timestamp interval. The cumulative loss is thus a weighted sum of the entity loss function (i.e., the overall loss) and the row level loss (i.e., the timestamp-based loss function) (as shown in Eqn. (2)).
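Eqns. (2) to (5) can be carried through numerically as below. This is an added example, not code from the specification, and it rests on assumptions: each decoder output d_i is treated as a scalar, every timestamp row has its own 0/1 label, the overall prediction is a sigmoid over a weighted sum of the concatenated decoder outputs, and the weights, α, β and sample values are constructed.

```python
from math import exp, log


def sigmoid(x: float) -> float:
    """Numerically stable sigmoid (never calls exp on a large positive value)."""
    if x >= 0:
        return 1.0 / (1.0 + exp(-x))
    z = exp(x)
    return z / (1.0 + z)


def logloss(y_true: int, p: float, eps: float = 1e-12) -> float:
    """Binary log loss; p is clipped so a saturated output stays finite."""
    p = min(max(p, eps), 1.0 - eps)
    return -(y_true * log(p) + (1 - y_true) * log(1.0 - p))


def row_outputs(decoder_outputs, w: float, b: float):
    """Eqn. (5): o_i = sigmoid(w * d_i + b) for every decoder output d_i."""
    return [sigmoid(w * d + b) for d in decoder_outputs]


def cumulative_loss(decoder_outputs, row_labels, entity_label,
                    w, b, w_overall, b_overall, alpha, beta):
    """Eqn. (2): alpha * overall loss + beta * row level loss.

    decoder_outputs : scalar d_1..d_N, one per LSTM decoder (assumption)
    row_labels      : 0/1 label per timestamp interval (assumption)
    entity_label    : 0/1 label for the merchant as a whole
    w_overall       : one weight per decoder output for the final sigmoid
                      over the concatenated outputs (assumption)
    """
    if not (len(decoder_outputs) == len(row_labels) == len(w_overall)):
        raise ValueError("one label and one overall weight per decoder output")

    # Eqn. (4): sum of the per-timestamp log losses.
    o = row_outputs(decoder_outputs, w, b)
    row_level = sum(logloss(y, o_i) for y, o_i in zip(row_labels, o))

    # Eqn. (3): log loss of the single entity-level prediction.
    overall_logit = sum(wi * di for wi, di in zip(w_overall, decoder_outputs))
    overall = logloss(entity_label, sigmoid(overall_logit + b_overall))

    return {"overall": overall,
            "row_level": row_level,
            "cumulative": alpha * overall + beta * row_level}


# Constructed case: a compromised merchant whose last three monthly rows are
# the ones labelled fraudulent (the late-reporting pattern described earlier).
ROW_LABELS = [0, 0, 1, 1, 1]
ENTITY_LABEL = 1
PARAMS = dict(w=1.0, b=0.0, w_overall=[0.5] * 5, b_overall=0.0,
              alpha=1.0, beta=0.2)

# Two constructed decoder output sequences with the same weighted sum, hence
# the same entity-level prediction, but different per-row behaviour.
ALIGNED = [-3.0, -2.0, 2.0, 3.0, 3.0]      # rows agree with ROW_LABELS
MISALIGNED = [3.0, 2.0, -2.0, -3.0, 3.0]   # first four rows contradict them

if __name__ == "__main__":
    for name, d in (("aligned", ALIGNED), ("misaligned", MISALIGNED)):
        loss = cumulative_loss(d, ROW_LABELS, ENTITY_LABEL, **PARAMS)
        print(name, {k: round(v, 4) for k, v in loss.items()})
```

Both sequences yield the same overall loss, so only the β-weighted row level term separates them, which is the effect the timestamp-based loss function is included for.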
In one embodiment, all the outputs of the plurality of LSTM decoders 404a-404e are concatenated together to make the final determination whether the particular entity (e.g., the particular merchant) is fraudulent (or compromised) or not. In one embodiment, the final output of the fully-connected layer is used to make the final determination whether the particular entity (e.g., the merchant) is fraudulent or not. It is to be noted that utilization of all the outputs of the plurality of LSTM decoders 404a-404e ensures that the determination of the fraudulent entity is performed based on the utilization of the CDFs of the corresponding timestamp interval also and not only based on the general trend of the entity, thus resulting in a better and enhanced performance of the neural network model 224.
In one embodiment, the encoder-decoder based LSTM architecture utilizes a teacher forcing technique along with a re-look architecture before the determination of the final output of the neural network model 224. In teacher forcing, the output of each LSTM decoder (e.g., the LSTM decoder 404a) is passed as an input to the next subsequent LSTM decoder (e.g., the LSTM decoder 404b), along with the original input. In teacher forcing along with the re-look architecture, the LSTM decoder architecture 404 utilizes the output from the last time step along with the original input at the current time step for computation of the final output. The LSTM decoder architecture 404 also concatenates the outputs at every time step (i.e., time frame) and further applies the sigmoid function over that layer for the final classification of whether the merchant is an actual CPP compromised merchant or not. It is to be noted that the hidden state of the LSTM encoder architecture 402 captures only the general trend of the input, but it fails to consider the event feature input at each time step. By adding the input at every step, the LSTM decoder architecture 404 is allowed to consider the individual time step event features before making the final prediction, thereby increasing the performance of the neural network model 224 significantly.
Performance Evaluation
The encoder-decoder-based LSTM architecture is replaced with a random forest model for comparison. It is noted that execution of the random forest model on the CDFs to perform the classification of the plurality of entities 104 led to a precision value of 75% and a recall value of 61%. On the other hand, execution of the encoder-decoder LSTM architecture on the CDFs to perform the classification of the plurality of entities 104 led to a precision value of 89% and a recall value of 61%. Although the recall value is the same with both models, there is a large increase in precision with execution of the encoder-decoder LSTM architecture (i.e., the neural network model 224).
FIG. 5 is a flow chart 500 of a training process for the neural network model 224, in accordance with an embodiment of the present disclosure. The sequence of operations of the flow chart 500 may not be necessarily executed in the same order as they are presented. Further, one or more operations may be grouped and performed in form of a single step, or one operation may have several sub-steps that may be performed in parallel or in a sequential manner. It is to be noted that to explain the flow chart 500, references may be made to elements described in FIG. 1A and FIG. 2.
At 502, the server system 102 accesses training data associated with the plurality of entities 104a-104c (e.g., the plurality of merchants 124a-124c etc.) within the particular time window from the event database 106 (e.g., the transaction database 126). In one example, the training data includes event ratio tables (e.g., the fraud ratio tables) corresponding to the plurality of entities 104a-104c (e.g., the plurality of merchants 124a-124c).
At 504, the server system 102 determines the event features (i.e., CDFs) associated with each timestamp interval for each individual entity of the plurality of entities 104a-104c (e.g., each individual merchant of the plurality of merchants 124a-124c) based, at least in part, on the event ratio table (or the fraud ratio table) corresponding to the individual entity (e.g., the individual merchant) and binomial distribution modelling methods.
At 506, the server system 102 trains the neural network model 224 based, at least in part, on the training data. In one embodiment, the neural network model 224 includes the encoder-decoder based long short-term memory (LSTM) architecture and the fully-connected neural network layer.
At 506a, the server system 102 optimizes the neural network parameters (i.e., weights and biases) of the neural network model 224 based, at least in part, on the cumulative loss function. The cumulative loss function includes the entity loss function and the timestamp-based loss function. The objective of the training process is to minimize the cumulative loss function below a threshold value.
The sequence of steps of the flow chart 500 need not be necessarily executed in the same order as they are presented. Further, one or more operations may be grouped together and performed in form of a single step, or one operation may have several sub-steps that may be performed in parallel or in a sequential manner.
FIG. 6 represents a flow chart 600 of a method for performing anomaly event detection with improved precision, in accordance with an embodiment of the present disclosure. The sequence of operations of the flow chart 600 may not be necessarily executed in the same order as they are presented. Further, one or more operations may be grouped and performed in form of a single step, or one operation may have several sub-steps that may be performed in parallel or in a sequential manner. It is to be noted that to explain the flow chart 600, references may be made to elements described in FIG. 1A and FIG. 2.
At 602, the server system 102 accesses the historical event data associated with the plurality of entities 104a-104c within the particular time window from the event database 106. The historical event data includes at least information of probable anomaly events detected at the plurality of entities 104a-104c. In one embodiment, the plurality of entities 104a-104c represents anomaly entities identified based on execution of the anomaly detection model 108.
At 604, the server system 102 generates the event ratio table corresponding to the individual entity of the plurality of entities 104a-104c based, at least in part, on the historical event data. The event ratio table represents corresponding probability values of re-occurrence of the anomaly event within the particular time frame from a time of first occurrence of the anomaly event across the set of timestamp intervals.
At 606, the server system 102 determines the event features (i.e., CDFs) associated with each timestamp interval for the individual entity of the plurality of entities 104a-104c based, at least in part, on the event ratio table and binomial distribution modelling methods.
At 608, the server system 102 executes the neural network model 224 based, at least in part, on the determined event features of the individual entity of the plurality of entities 104a-104c. The neural network model 224 includes the encoder-decoder based long short-term memory (LSTM) architecture and the fully-connected neural network layer.
At 608a, the server system 102 generates the hidden state vector based, at least in part, on the event features for each timestamp interval for each entity into an encoder architecture of the neural network model 224.
At 608b, the server system 102 provides the hidden state vector as an input into a decoder architecture of the neural network model 224.
At 608c, the server system 102 determines a current decoding output for a current timestamp interval based, at least in part, on a sigmoid value of previous decoding output of a previous timestamp interval and the event feature associated with the current timestamp interval.
At 610, the server system 102 determines the actual fraudulent entities from the plurality of entities 104a-104c based, at least in part, on the execution of the neural network model 224.
The sequence of steps of the flow chart 600 need not be necessarily executed in the same order as they are presented. Further, one or more operations may be grouped together and performed in form of a single step, or one operation may have several sub-steps that may be performed in parallel or in a sequential manner.
FIG. 7 represents a flow chart 700 of a method for determining actual CPP compromised merchants from possible CPP compromised merchants with higher precision, in accordance with an embodiment of the present disclosure. The sequence of operations of the flow chart 700 may not be necessarily executed in the same order as they are presented. Further, one or more operations may be grouped and performed in form of a single step, or one operation may have several sub-steps that may be performed in parallel or in a sequential manner. It is to be noted that to explain the flow chart 700, references may be made to elements described in FIG. 1B and FIG. 2.
At 702, the server system 122 accesses the historical transaction data associated with the possible CPP compromised merchants (e.g., the plurality of merchants 124a-124c) within the particular time window from the transaction database 126. In one embodiment, the possible CPP compromised merchants are identified based on execution of the CPP model 128.
At 704, the server system 122 generates the fraud ratio table corresponding to the individual merchant of the possible CPP compromised merchants based, at least in part, on the historical transaction data. The fraud ratio table is generated based, at least in part, on fraud reporting of payment accounts (e.g., payment cards) used at the individual merchant within the particular time window across the set of timestamp intervals.
At 706, the server system 122 determines the event features associated with each timestamp interval for the individual merchant based, at least in part, on the fraud ratio table and binomial distribution modelling methods.
At 708, the server system 102 executes the neural network model 224 based, at least in part, on the determined event features for the individual merchant of the possible CPP compromised merchants. The neural network model 224 includes the encoder-decoder based long short-term memory (LSTM) architecture and the fully-connected neural network layer.
At 708a, the server system 102 generates the hidden state vector based, at least in part, on the event features for each timestamp interval for the individual merchant into an encoder architecture of the neural network model 224.
At 708b, the server system 102 provides the hidden state vector as an input into a decoder architecture of the neural network model 224.
At 708c, the server system 102 determines a current decoding output for a current timestamp interval based, at least in part, on a sigmoid value of previous decoding output of a previous timestamp interval and the event feature associated with the current timestamp interval.
At 710, the server system 102 determines the actual CPP compromised merchants from the possible CPP compromised merchants based, at least in part, on the execution of the neural network model 224.
The sequence of steps of the flow chart 700 need not be necessarily executed in the same order as they are presented. Further, one or more operations may be grouped together and performed in form of a single step, or one operation may have several sub-steps that may be performed in parallel or in a sequential manner.
FIG. 8 illustrates a flow diagram depicting a computer-implemented method 800 for anomaly event detection with improved precision, in accordance with an embodiment of the present disclosure. The method 800 depicted in the flow diagram may be executed by, for example, the server system 200. Operations of the method 800, and combinations of operations in the method 800, may be implemented by, for example, hardware, firmware, a processor, circuitry, and/or a different device associated with the execution of software that includes one or more computer program instructions. The operations of the method 800 described herein may be performed by an application interface that is hosted and managed with the help of the server system 200. The method 800 starts at operation 802.
At operation 802, the method 800 includes accessing, by the server system 200, historical event data associated with the plurality of entities 104a-104c within the particular time window from the event database 106. The historical event data includes at least information of probable anomaly events detected at the plurality of entities 104a-104c. The particular time window is divided into the set of timestamp intervals.
At operation 804, the method 800 includes generating, by the server system 200, the event ratio table corresponding to the individual entity of the plurality of entities 104a-104c based, at least in part, on the historical event data. The event ratio table includes the plurality of cells. The event ratio table is based on an event detection rate of an anomaly event within a particular time frame from a time of first occurrence of the anomaly event across the set of timestamp intervals.
At operation 806, the method 800 includes determining, by the server system 200, event features associated with each timestamp interval for the individual entity of the plurality of entities 104a-104c based, at least in part, on the event ratio table and binomial distribution modelling methods.
At operation 808, the method 800 includes executing, by the server system 200, the neural network model 224 based, at least in part, on the determined event features of the individual entity of the plurality of entities 104a-104c. The neural network model 224 includes the encoder-decoder based long short-term memory (LSTM) architecture and the fully-connected neural network layer.
At operation 810, the method 800 includes determining, by the server system 200, whether the individual entity is a fraudulent (i.e., anomalous) entity or not based, at least in part, on the executing step. In similar manner, steps 802-810 are performed for all remaining entities for identifying the fraudulent entities from the plurality of entities 104a-104c.
The sequence of operations of the method 800 need not be necessarily executed in the same order as they are presented. Further, one or more operations may be grouped together and performed in form of a single step, or one operation may have several sub-steps that may be performed in parallel or in a sequential manner.
The disclosed methods with reference to FIGS. 1A-1B to FIG. 8, or one or more operations of the methods 500, 600, 700, and 800 may be implemented using software including computer-executable instructions stored on one or more computer-readable media (e.g., non-transitory computer-readable media, such as one or more optical media discs, volatile memory components (e.g., DRAM or SRAM), or nonvolatile memory or storage components (e.g., hard drives or solid-state nonvolatile memory components, such as Flash memory components)) and executed on a computer (e.g., any suitable computer, such as a laptop computer, netbook, Webbook, tablet computing device, smartphone, or other mobile computing devices). Such software may be executed, for example, on a single local computer or in a network environment (e.g., via the Internet, a wide-area network, a local-area network, a remote web-based server, a client-server network (such as a cloud computing network), or other such networks) using one or more network computers. Additionally, any of the intermediate or final data created and used during implementation of the disclosed methods or systems may also be stored on one or more computer-readable media (e.g., non-transitory computer-readable media) and are considered to be within the scope of the disclosed technology. Furthermore, any of the software-based embodiments may be uploaded, downloaded, or remotely accessed through a suitable communication means. Such suitable communication means include, for example, the Internet, the World Wide Web, an intranet, software applications, cable (including fiber optic cable), magnetic communications, electromagnetic communications (including RF, microwave, and infrared communications), electronic communications, or other such communication means.
Although the disclosure has been described with reference to specific exemplary embodiments, it is noted that various modifications and changes may be made to these embodiments without departing from the broad scope of the disclosure. For example, the various operations, blocks, etc. described herein may be enabled and operated using hardware circuitry (for example, complementary metal-oxide-semiconductor (CMOS) based logic circuitry), firmware, software, and/or any combination of hardware, firmware, and/or software (for example, embodied in a machine-readable medium). For example, the apparatuses and methods may be embodied using transistors, logic gates, and electrical circuits (for example, application-specific integrated circuit (ASIC) circuitry and/or in Digital Signal Processor (DSP) circuitry).
Particularly, the server system 200 (e.g., the server system 102 or the server system 122) and its various components such as the computer system 202 and the database 204 may be enabled using software and/or using transistors, logic gates, and electrical circuits (for example, integrated circuit circuitry such as ASIC circuitry). Various embodiments of the disclosure may include one or more computer programs stored or otherwise embodied on a computer-readable medium, wherein the computer programs are configured to cause a processor or computer to perform one or more operations. A computer-readable medium storing, embodying, or encoded with a computer program, or similar language may be embodied as a tangible data storage device storing one or more software programs that are configured to cause a processor or computer to perform one or more operations. Such operations may be, for example, any of the steps or operations described herein. In some embodiments, the computer programs may be stored and provided to a computer using any type of non-transitory computer-readable media. Non-transitory computer-readable media include any type of tangible storage media. Examples of non-transitory computer-readable media include magnetic storage media (such as floppy disks, magnetic tapes, hard disk drives, etc.), optical magnetic storage media (e.g., magneto-optical disks), CD-ROM (compact disc read-only memory), CD-R (compact disc recordable), CD-R/W (compact disc rewritable), DVD (Digital Versatile Disc), BD (BLU-RAY® Disc), and semiconductor memories (such as mask ROM, PROM (programmable ROM), EPROM (erasable PROM), flash memory, RAM (random access memory), etc.). Additionally, a tangible data storage device may be embodied as one or more volatile memory devices, one or more non-volatile memory devices, and/or a combination of one or more volatile memory devices and non-volatile memory devices. 
In some embodiments, the computer programs may be provided to a computer using any type of transitory computer-readable media. Examples of transitory computer-readable media include electric signals, optical signals, and electromagnetic waves. Transitory computer-readable media can provide the program to a computer via a wired communication line (e.g., electric wires, and optical fibers) or a wireless communication line.
Various embodiments of the invention, as discussed above, may be practiced with steps and/or operations in a different order, and/or with hardware elements in configurations, which are different than those which are disclosed. Therefore, although the invention has been described based upon these exemplary embodiments, it is noted that certain modifications, variations, and alternative constructions may be apparent and well within the scope of the invention.
Although various exemplary embodiments of the invention are described herein in a language specific to structural features and/or methodological acts, the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as exemplary forms of implementing the claims.
Claims:
CLAIMS
We claim:
1. A computer-implemented method, comprising:
accessing, by a server system, historical event data associated with a plurality of entities within a particular time window from an event database, the historical event data comprising at least information of probable anomaly events detected at the plurality of entities, the particular time window divided into a set of timestamp intervals;
generating, by the server system, an event ratio table corresponding to an individual entity of the plurality of entities based, at least in part, on the historical event data, the event ratio table based, at least in part, on an event detection rate of an anomaly event within a particular time frame from a time of first occurrence of the anomaly event across the set of timestamp intervals;
determining, by the server system, event features associated with each timestamp interval for the individual entity of the plurality of entities based, at least in part, on the event ratio table and binomial distribution modelling methods;
executing, by the server system, a neural network model based, at least in part, on the determined event features of the individual entity of the plurality of entities; and
determining, by the server system, whether the individual entity is a fraudulent entity or not based, at least in part, on the executing step.
2. The computer-implemented method as claimed in claim 1, wherein the neural network model comprises encoder-decoder based long short-term memory (LSTM) architecture and a fully-connected neural network layer, and wherein the encoder-decoder based LSTM architecture is trained based, at least in part, on a combination of an entity loss function and a timestamp-based loss function.
3. The computer-implemented method as claimed in claim 1, wherein the plurality of entities represents possible common point of purchase (CPP) compromised merchants, and wherein the probable anomaly events represent reporting of probable fraudulent payment accounts at the possible CPP compromised merchants.
4. The computer-implemented method as claimed in claim 3, further comprising:
accessing, by the server system, historical transaction data associated with the possible CPP compromised merchants within a particular time window from a transaction database, the particular time window divided into a set of timestamp intervals;
generating, by the server system, a fraud ratio table corresponding to an individual merchant of the CPP compromised merchants based, at least in part, on the historical transaction data;
determining, by the server system, the event features associated with each timestamp interval for the individual merchant based, at least in part, on the fraud ratio table and the binomial distribution modelling methods; and
determining, by the server system, actual CPP compromised merchants from the possible CPP compromised merchants based, at least in part, on the neural network model.
5. The computer-implemented method as claimed in claim 4, wherein the fraud ratio table is generated based, at least in part, on fraud reporting rate of payment accounts from corresponding times of usage of the payment accounts at the individual merchant across the set of timestamp intervals.
6. The computer-implemented method as claimed in claim 1, wherein executing the neural network model comprises:
generating, by the server system, a hidden state vector based, at least in part, on the event features for each timestamp interval for each entity into an encoder architecture of the neural network model;
providing, by the server system, the hidden state vector as an input into a decoder architecture of the neural network model; and
determining, by the server system, a current decoding output for a current timestamp interval based, at least in part, on a sigmoid value of previous decoding output of a previous timestamp interval and an event feature associated with the current timestamp interval.
7. The computer-implemented method as claimed in claim 6, further comprising:
determining, by the server system, whether the entity is a fraudulent entity or not based, at least in part, on decoding outputs corresponding to the set of timestamp intervals and the fully-connected neural network layer.
8. The computer-implemented method as claimed in claim 1, wherein the event features for each timestamp interval are based, at least in part, on binomial probability function corresponding to the particular time frame, total number of events occurred at the entity within the timestamp interval and the event detection rate of the anomaly event within the particular time frame.
9. A server system configured to perform the computer-implemented method as claimed in any of the claims 1-8.
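Claims 1, 5 and 8 describe deriving per-interval event features from the ratio table with a binomial model. The following is an added example, not code from the specification: it assumes the feature for each time frame is the binomial tail probability of the observed report count against a population-wide baseline rate, and the sample table, the baseline rates and all function names are constructed for illustration.

```python
from math import exp, lgamma, log

# Constructed sample for one merchant: per timestamp interval, cards used (total)
# and how many of those were reported as fraud within 30 / 60 days of use.
RATIO_TABLE = [
    {"interval": "2022-W01", "total": 200, "reported": {30: 2, 60: 3}},
    {"interval": "2022-W02", "total": 200, "reported": {30: 12, 60: 15}},
    {"interval": "2022-W03", "total": 0, "reported": {}},
]
# Assumed population-wide reporting rate per time frame (days); not from the page.
BASELINE_RATE = {30: 0.01, 60: 0.015}


def binom_logpmf(k, n, p):
    """log P(X = k) for X ~ Binomial(n, p), computed in log space for large n."""
    if p <= 0.0:
        return 0.0 if k == 0 else float("-inf")
    if p >= 1.0:
        return 0.0 if k == n else float("-inf")
    log_comb = lgamma(n + 1) - lgamma(k + 1) - lgamma(n - k + 1)
    return log_comb + k * log(p) + (n - k) * log(1.0 - p)


def binom_tail(k, n, p):
    """P(X >= k): chance of at least k reports among n events at baseline rate p."""
    if k <= 0:
        return 1.0  # also covers n == 0: an empty interval carries no evidence
    if k > n:
        return 0.0
    return min(1.0, sum(exp(binom_logpmf(i, n, p)) for i in range(k, n + 1)))


def event_features(ratio_table, baseline_rate):
    """One feature vector per interval: binomial tail probability per time frame."""
    frames = sorted(baseline_rate)
    features = []
    for row in ratio_table:
        n = row["total"]
        vector = []
        for frame in frames:
            k = row["reported"].get(frame, 0)
            if k > n:
                raise ValueError(f"{row['interval']}: {k} reports exceed {n} events")
            vector.append(binom_tail(k, n, baseline_rate[frame]))
        features.append(vector)
    return features


if __name__ == "__main__":
    for row, vec in zip(RATIO_TABLE, event_features(RATIO_TABLE, BASELINE_RATE)):
        print(row["interval"], ["%.3g" % v for v in vec])
```

A small tail probability marks an interval whose report count is unlikely under the baseline; the resulting sequence of vectors is the kind of per-interval input the claimed encoder-decoder model would consume.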
| # | Name | Date |
|---|---|---|
| 1 | 202241030232-STATEMENT OF UNDERTAKING (FORM 3) [26-05-2022(online)].pdf | 2022-05-26 |
| 2 | 202241030232-POWER OF AUTHORITY [26-05-2022(online)].pdf | 2022-05-26 |
| 3 | 202241030232-FORM 1 [26-05-2022(online)].pdf | 2022-05-26 |
| 4 | 202241030232-FIGURE OF ABSTRACT [26-05-2022(online)].jpg | 2022-05-26 |
| 5 | 202241030232-DRAWINGS [26-05-2022(online)].pdf | 2022-05-26 |
| 6 | 202241030232-DECLARATION OF INVENTORSHIP (FORM 5) [26-05-2022(online)].pdf | 2022-05-26 |
| 7 | 202241030232-COMPLETE SPECIFICATION [26-05-2022(online)].pdf | 2022-05-26 |
| 8 | 202241030232-Correspondence_POA_07-06-2022.pdf | 2022-06-07 |
| 9 | 202241030232-Proof of Right [17-08-2022(online)].pdf | 2022-08-17 |
| 10 | 202241030232-Correspondence_Assignment_22-08-2022.pdf | 2022-08-22 |