Abstract: An improved technique trains a fraud detection system to use mouse movement data as part of a user profile. Along these lines, a training apparatus receives sets of mouse movement datasets generated by a legitimate user and/or a fraudulent user. The training apparatus assigns each mouse movement dataset to a cluster according to one of several combinations of representations, distance metrics, and cluster metrics. By correlating the clusters with the origins of the mouse movement datasets (legitimate or fraudulent user), the training apparatus constructs a robust framework for detecting fraud at least partially based on mouse movement data.

Abstract: Active learning-based fraud detection techniques are provided in adaptive authentication systems. An authentication request from an authentication requestor is processed by receiving the authentication request from the authentication requester; comparing current data for the user associated with the user identifier with historical data for the user; generating an adaptive authentication result based on the comparison indicating a likelihood current user data is associated with a fraudulent user; and performing one or more additional authentication operations to improve learning if the request satisfies one or more predefined non-risk based criteria. The predefined non-risk based criteria comprises, for example, (i) the request receiving a riskiness score below a threshold based on current data and wherein the request was expected to have a risk score above a threshold, or (ii) the request being in a bucket having a number of tagged events below a threshold.

Abstract: Similarity-based fraud detection techniques are provided in adaptive authentication systems. A method is provided for determining if an event is fraudulent by obtaining a plurality of tagged events and one or more untagged events, wherein the tagged events indicate a likelihood of whether the corresponding event was fraudulent; constructing a graph, wherein each node in the graph represents an event and has a value representing a likelihood of whether the corresponding event was fraudulent and wherein similar transactions are connected via weighted links; diffusing through weights in the graph to assign values to nodes such that neighbors of nodes having non-zero values receive similar values as the neighbors; and classifying whether at least one of the one or more untagged events is fraudulent based on the assigned values.

Abstract: An improved technique tracks errors in collecting geolocation data associated with a transaction. Along these lines, an adaptive authentication engine stores information indicative of a failure to collect geolocation data associated with the transaction. In particular, this information takes the form of a geolocation collection state; the adaptive authentication engine stores such a state in a field of a database that contains historical transaction information. If a service provider failed to collect geolocation information for a transaction, the adaptive authentication engine stores a “Fail” value in the geolocation collection state field of the database entry associated with the transaction. Adaptive authentication techniques may then correlate such “Fail” values with other field values such as time of submission and device type. The result of such a correlation is to build a risk model based on geolocation collection error which the risk engine may then use to compute risk score.

Abstract: There is disclosed some techniques for processing an authentication request which includes a user identifier and current user data. In one example, the technique comprises receiving the authentication request at an adaptive authentication system which includes a database having a set of entries with each entry of the set of entries including an identifier and previous user data in connection with previous authentication requests. The adaptive authentication system being constructed and arranged to perform an adaptive authentication operation on the authentication request as well as an unsupervised machine learning operation on the authentication request.

Abstract: An improved technique tailors a biometric challenge activity to a particular user. The particular user submits electronic input from which an authentication system extracts information concerning traits of the particular user; such traits can include keystroke and swiping patterns, handheld device positions, and place of origin. An authentication server maps values of user attributes such as place of origin, age, and UI device to the extracted traits. The authentication server then selects biometric challenges for the particular user based on user attributes having values which deviate most from a mean value of that attribute taken across a population of users. That is, the authentication server bases biometric challenges on the most distinguishing traits of the particular user.

Abstract: A technique provides user authentication. The technique involves generating a pointer data profile entry in a pointer data profile database, the pointer data profile entry having a pointer data profile which is based on first pointer data obtained during a first user session. Such pointer data can be collected from a standard pointing device such as an electronic mouse, a touch-based track pad, a trackball, a scroll wheel, etc. The technique further involves receiving new pointer data during a second user session, and performing an authentication operation based on (i) the pointer data profile entry in the pointer data profile database and (ii) the new pointer data to determine whether a user providing the first pointer data during the first user session and a user providing the new pointer data during the second user session is the same person.

Abstract: An improved technique identifies risky transactions from a set of transactions and updates risk scores only for those transactions identified as risky. Along these lines, a transaction sorting engine sorts the set of transactions according to risk score. The transaction sorting engine identifies as risky those transactions having risk scores above a specified percentile; for instance, the transactions having risk scores above the 90th percentile would be identified as risky. Some time later, a risk score engine adjusts, based on new historical transaction data, Bayesian weights which it uses to compute risk scores. The transaction sorting engine sends to the risk score engine only those transactions it identified as risky. The risk score engine computes new risk scores for the risky transactions and makes the new risk scores available to the transaction sorting engine so that it can sort all of current transactions (e.g., received within the past week).