Detecting Fraudulent Activity
Described are computer-based methods and apparatuses, including computer program products, for detecting fraudulent activity. A computing device in a second network receives a plurality of interactions between data centers in a first network and one or more devices, remote from the data centers, of a user, the interactions forming an aggregate user session representing the user's activity over a period of time with the data centers via the devices. The computing device monitors data transaction requests of the interactions and is configured to respond to each request with a response that appears as if the request was executed. If the interactions are harmful, the computing device interdicts the interactions from execution by the data centers and allows the devices to submit additional interactions. If unable to determine whether the subsequent interactions are harmful, the computing device transmits the interactions to the data centers for execution and marks the interactions.
Latest FMR LLC Patents:
- Systems and methods for bot dialog delegation
- Systems, methods, and media for generating and using a multi-signature token for electronic communication validation
- Automatic validation of a hybrid digital document
- Intelligent smoothing of 3D alternative reality applications for secondary 2D viewing
- Automated testing of mobile computing devices
This application is a continuation of U.S. patent application Ser. No. 11/559,784 filed on Nov. 14, 2006, the disclosure of which is hereby incorporated by reference in its entirety.
FIELD OF THE INVENTIONThe present invention relates generally to computer-based methods and apparatuses, including computer program products, for detecting fraudulent activity.
BACKGROUNDThe increased use of networks to access and provide information has caused a dramatic increase in the amount of data transmitted over networks. To handle this increased amount of traffic, computer systems used to store, process, and transmit the information have been increasing in size and distributed among data centers. This distribution among data centers allows for increased speed which allows for decreased response time in the retrieval and processing of information.
However, the increased speed and diversified data centers create an issue with the data that is sent to a plurality of data centers. The issue is that the data sent to and from users is distributed among the data centers. When the data from only one data center is analyzed, then it is extremely challenging if not impossible to obtain a complete representation of a user's activity.
The ability to analyze a user's activity as a whole is important in a wide spectrum of industries that provide trusted services over a network. These industries have to be able to analyze user activity to provide feedback and improve performance of the systems. In addition, industries have to be able to effectively and efficiently identify fraudulent activity on their networks.
Fraudulent activity has been increasing along with the rise in network based activity. Industries have responded by utilizing fraud detection systems to attempt to stop the loss of money and prestige. However, it has been challenging if not impossible for these fraud detection systems to collect the data from all of the data centers in real time and without impacting the customer's experience. Since fraudulent activity is increasing, it is important for industries, such as the financial services industry, to have a fraud detection system that can collect data packets from a plurality of data centers and reconstruct the data for the detection of fraudulent activity and other uses.
SUMMARY OF THE INVENTIONThe invention, in one aspect, features a method for detecting fraudulent activity. A computing device in a second network receives a plurality of interactions between a plurality of data centers in a first network and one or more devices, remote from the data centers, of a user, the plurality of interactions forming an aggregate user session representing the user's activity over a period of time with the plurality of data centers via the one or more devices. The computing device monitors data transaction requests of the plurality of interactions, the computing device configured to respond to each data transaction request with a response that appears to the user as if the request was executed by the respective data center. If the computing device determines that the interactions are harmful, the computing device interdicts the interactions from execution by the plurality of data centers and allows the one or more devices to submit additional interactions. If the computing device is unable to determine whether the subsequent interactions are harmful, the computing device transmits the interactions to the plurality of data centers for execution and marks the interactions for monitoring purposes.
The invention, in another aspect, features a system for detecting fraudulent activity. The system includes a computing device in a second network configured to receive a plurality of interactions between a plurality of data centers in a first network and one or more devices, remote from the data centers, of a user, the plurality of interactions forming an aggregate user session representing the user's activity over a period of time with the plurality of data centers via the one or more devices. The computing device is configured to monitor data transaction requests of the plurality of interactions, the computing device configured to respond to each data transaction request with a response that appears to the user as if the request was executed by the respective data center. If the computing device determines that the interactions are harmful, the computing device is configured to interdict the interactions from execution by the plurality of data centers and allow the one or more devices to submit additional interactions. If the computing device is unable to determine whether the subsequent interactions are harmful, the computing device is configured to transmit the interactions to the plurality of data centers for execution and mark the interactions for monitoring purposes.
The invention, in another aspect, features a computer program product, tangibly embodied in a non-transitory computer readable storage medium, for detecting fraudulent activity. The computer program product includes instructions operable to cause a computing device in a second network to receive a plurality of interactions between a plurality of data centers in a first network and one or more devices, remote from the data centers, of a user, the plurality of interactions forming an aggregate user session representing the user's activity over a period of time with the plurality of data centers via the one or more devices. The computer program product includes instructions operable to cause the computing device to monitor data transaction requests of the plurality of interactions, the computing device configured to respond to each data transaction request with a response that appears to the user as if the request was executed by the respective data center. If the computing device determines that the interactions are harmful, the computer program product includes instructions operable to cause the computing device to interdict the interactions from execution by the plurality of data centers and allow the one or more devices to submit additional interactions. If the computing device is unable to determine whether the subsequent interactions are harmful, the computer program product includes instructions operable to cause the computing device to transmit the interactions to the plurality of data centers for execution and mark the interactions for monitoring purposes.
In some embodiments, any of the above aspects can include one or more of the following features. In some embodiments, if the computing device determines that the interactions are harmful and if the computing device is able to simulate the interactions, the computing device transmits a response for each interaction to the one or more devices, the transmitted responses appearing to the user as if the plurality of data centers executed the interactions. If the computing device determines that the interactions are harmful and if the computing device is unable to simulate the interactions, the computing device transmits a response for each interaction to the one or more devices, the transmitted responses appearing to the user as if the plurality of data centers failed to execute the interactions due to a system error. The computing device monitors data transaction requests of additional interactions submitted from the one or more devices.
In some embodiments, the computing device generates a signature based on the monitoring step and correlates the signature with previous user sessions to determine whether the plurality of interactions and the previous user sessions share one or more characteristics. In some embodiments, the characteristics include at least one of: a common user, a common remote device, a common location, or a common activity pattern. In some embodiments, the signature is generated using one or more data analysis tools that have access to the plurality of interactions.
In some embodiments, detecting fraudulent activity is performed in real time. In some embodiments, the response that appears to the user as if the request was executed by the respective data center includes dummy data to prevent the user from accessing data stored in the data center. In some embodiments, if the computing device determines that the interactions are harmful, the computing device provides responses to the additional interactions that encourage the user to stay connected to the computing device until an enforcement action is executed. In some embodiments, the responses to the additional interactions extend a session between the computing device and the one or more remote devices.
In some embodiments, if the computing device determines that the interactions are harmful, the computing device determines one or more vulnerabilities associated with the plurality of data centers based on the interactions submitted by the one or more remote devices.
Any of the aspects and examples above can provide one or more of the following advantages. They can reconstruct data and/or unify user sessions from multiple data centers. The reconstructed data and/or unified user sessions can be used for analysis as a complete or partial representation of a user's activity. The reconstruction of data packets into data allows for an improved representation of the user's activity to be analyzed, since data packets from only one data center most likely only shows the user's interactions with that data center and not the interactions with all of the data centers. A representation of the user's activity allows for a holistic analysis of the activity to detect fraudulent activity, to provide feedback to the user and of the system, and/or to improve performance of the system.
Other advantages include the unification of user requests into user sessions for fraud detection. The unification of user requests that are transmitted to a plurality of data centers allows the fraud detection system to analyze an improved representation of the user's activity. This improved representation of the user's activity is more than the user's interactions with one data center in the plurality of data centers. It is part or all of the user's activity with the plurality of data centers. This allows the user's activity to be analyzed as a whole instead of piece by piece.
Other advantages include the capture of data packets and/or user requests from the network without interfering with the transmission of the data packets and/or user requests to the rest of the network (e.g., the server system). The processing of the data packets and/or the user requests by the server systems is not interfered with by the capture of the data packets and/or the user requests.
Other advantages include the processing of the data and/or user session by the fraud detection system in real time. The data collection system collects the data packets and/or user requests at the same time that the server systems receive the data packets and/or user requests. The reconstructed data and/or unified user sessions are processed by the fraud detection system at the same time that the server system processes the data and/or user request. The real time fraud detection allows for the interdiction of fraudulent activity before the fraudulent activity can harm the system (e.g., the fraud detection system can stop fraudulent transactions before the fraudulent transaction is completely processed).
Other advantages include the memory module being volatile memory. The processing of data and/or user sessions to determine whether fraudulent activity exists occurs in real time. The fraud detection system utilizes the fast access capabilities of the volatile memory to access the elements stored in the memory module and analyze the data and/or user sessions using the stored elements in real time.
Other advantages include the data bus subscription service. The data bus subscription service is the subscription of data feeds on the network. The subscription of data feeds on the network allows other requestor systems to access the data that is collected from the plurality of data centers. By providing the subscription service, the other requestor systems, such as a performance analysis system and a customer service system, can analysis the entire representation of the user's activity instead of just a portion of the user's activity that is transmitted through one data center out of the plurality of data centers.
Other aspects and advantages of the present invention will become apparent from the following detailed description, taken in conjunction with the accompanying drawings, illustrating the principles of the invention by way of example only.
The foregoing and other objects, features, and advantages of the present invention, as well as the invention itself, will be more fully understood from the following description of various embodiments, when read together with the accompanying drawings.
The transmission on the system 100 can occur over packet-based networks and/or circuit-based networks. Packet-based networks can include, for example, the Internet, a carrier internet protocol (IP) network (e.g., local area network (LAN), wide area network (WAN), campus area network (CAN), metropolitan area network (MAN), home area network (HAN)), a private IP network, an IP private branch exchange (IPBX), a wireless network (e.g., radio access network (RAN), 802.11 network, 802.16 network, general packet radio service (GPRS) network, HiperLAN), and/or other packet-based networks. Circuit-based networks can include, for example, the public switched telephone network (PSTN), a private branch exchange (PBX), a wireless network (e.g., RAN, Bluetooth, code-division multiple access (CDMA) network, time division multiple access (TDMA) network, global system for mobile communications (GSM) network), and/or other circuit-based networks.
The system 100 includes the user 112 who interacts with a transmitting device 110 which transmits data in one or more parts as data packets to a load balancer 130. In some examples, the user 112 uses any type of transmitting device 110 to transmit the data packets. The transmitting device 110 includes, for example, a computer, a computer with a browser device, a telephone, an IP phone, a mobile device (e.g., cellular phone, personal digital assistant (PDA) device, laptop computer, electronic mail device), and/or other communication devices. The browser device includes, for example, a computer (e.g., desktop computer, laptop computer) with a world wide web browser (e.g., Microsoft® Internet Explorer®, Mozilla® Firefox). The mobile computing device includes, for example, a Blackberry®.
The load balancer 130 can be a network system. The network system includes, for example, a network router, a network switch, a network hub, a computer and/or other communication devices. The network system includes, for example, one or more network adapters (e.g., 10/100/1000 Base-T network interface adapter card (NIC), 1000 Base-SX NIC, 1000 Base-LX NIC, 1000 Base-FX NIC). The network system includes one or more modules that process the data packets. The module is implemented in digital electronic circuitry, computer hardware, firmware, and/or software. The module includes, for example, a data routing module, an internet protocol (IP) routing module, a domain name service (DNS) routing module, and/or other routing modules.
In some examples, the system 100 receives data packets from other systems. The other systems include one or more network systems that each contains one or more transmitting devices 110. The other systems transmit data to the load balancer 130 for transmission to the data centers 120a and 120b for processing.
The load balancer 130 transmits the data packets to the different data centers 120a or 120b based on load balancing techniques. In some examples, the load balancer 130 transmits the data packets to a data center selected from the plurality of data centers 120a and 120b according to the available capabilities of the data centers (e.g., processor availability, disk capacity), the conditions of the network (e.g., packet trip time, packet losses), a quality of service indicators on the data packet, application availability, number of connections to each data center, and/or a pre-defined routing instruction.
The data packets in the data centers 120a and 120b are transmitted to the server systems 122a and 122b and the data collection systems 124a and 124b, respectively. For example, a data packet is transmitted from the user's transmitting device 110 to the load balancer 130. The data packet is transmitted to data center A 120a from the load balancer 130. The data packet is transmitted in the data center A 120a to the server system 122a and to the data collection system 124a.
The transmission of the data packet in the data center A 120a to the server system 122a and to the data collection system 124a can occur simultaneously and independently from each other using for example, a network device. The network device includes, for example, a network router, a network firewall, a network hub, a network switch, a computer, and/or other network devices (e.g., Gigamon GigaVUE-MP available from Gigamon Systems LLC).
The server systems 122a and 122b each can include one or more servers (e.g., 126a, 127a, 127b, and 128b). The server includes, for example, a web server (e.g., 126a), an application server (e.g., 128b) (e.g., Oracle® Application Server 10g available from Oracle Corporation), a database server (e.g., 127a and 127b) (e.g., Oracle® Database 10g available from Oracle Corporation), a communication server, a fax server, a file server, a game server, an authentication server (e.g., RSA® Authentication Manager available from RSA Security Inc.), a desktop computer, a central ad server, a file transport protocol server, an image server, a mail server, a news server, a proxy server, a printer server, a sound server, a streaming media server, a terminal server, a firewall, a network router, a network hub, a network (e.g., an intranet 125a) and/or a network switch.
In some examples, the data collection system 124a and 124b includes one or more computing devices which can be, for example, a computer, a laptop computer, a network router, a network switch, and/or a network hub (e.g., Radware® AS4 available from Radware Ltd., Covelight Inflight™ 5000 available from Covelight System, Inc., Gigamon GigaVUE-MP available from Gigamon Systems LLC).
The data collection systems 124a and 124b can capture the data packets from the network without interfering with the transmission of the data to the rest of the network. For example, the data collection system 124a receives data packets transmitted to the data center 120a from the load balancer 130 while at the same time the data packets are received by the server system 122a, creating a parallel path for receiving the data packets.
The data collection systems 124a and 124b can capture the data packets transmitted by the server systems 122a and 122b, respectively, back to the user. For example, the user 112 using a transmitting device 110 transmits a data packet requesting information. The data packet is routed through the load balancer 130 to data center B 120b. The data packet is transmitted to the server system 122b and the data collection system 124b. The server system 122b processes the data packet and responds to the user's request by transmitting a data packet response. The data packet response is captured by the data collection system 124b.
The data packet and/or data packet response are transmitted from the data collection systems 124a and 124b to the reconstruction engine 150. The reconstruction engine 150 receives data packets from the plurality of data centers 120a and 120b. The reconstruction engine 150 processes the data packets to form part or all of the data from the user 112. The reconstructed data is a representation of part or all of the information transmitted over the network by the user's transmitting device 110 (e.g., the raw information that is transmitted over the network).
The processing of the data packets by the server system 122a can occur at or near the same time and separately from the reconstruction engine 150 reconstructing the data. For example, the data packets are transmitted through the server system 122a for processing at or near the same time as the data collection system 124a transmits the data packets to the reconstruction engine 150 and the reconstruction engine 150 is reconstructing the data packets into data. The processing by the server system 122a includes, for example, the transmission of the data packets received by the server system 122a to an intranet 125a which transmits the data packet to a web server 126a. The web server 126a processes the data packet to determine if the web server 126a needs to respond to the data packet and/or if the web server 126a needs to access information from the database server 127a. The web server 126a needs information from the database server 127a to respond to the data packet (e.g., a search submission to a search module that is part of the web server 126a). The web server 126a queries the database server 127a and the database server 127a responds to the query (e.g., the information that is requested from the search). The web server 126a processes the information returned from the query and transmits a web page with the requested information back to the transmitting device 110 of the user 112 through the intranet 125a.
The reconstruction engine 150 can analyze the data packets to determine data packet information. The data packet information includes a destination parameter, and/or an origination parameter. The data packet parameters can be used by the reconstruction engine 150 to match data packets together to form the data of the user 112. The data packet parameters includes a network address, a user address, an operating system (OS) fingerprint, a network card address, a user cookie, form data, an encryption key, and/or a transaction identifier. The network address includes the address of the transmitting device 110 transmitting the data packet, the address of the network address translation device (e.g., firewall) that transmits the data packet, or other network devices that transmit data packets. The user address includes the address of the user 112 at the transmitting device 110 transmitting the data packet, identifying information of the user's transmitting device 110, or other identifying information that is associated with the user 112. The OS fingerprint includes the formatting of the data that indicates the OS that transmits the data packet, identifying information in the data packet from the OS, or other identifying information that is associated with the OS. The network card address includes the address of the network card in the user's transmitting device 110 or other identifying information of the transmitting device that is associated with the transmitting device 110. The user cookie includes information stored on the user's transmitting device 110 (e.g., information stored in a web browser on the user's transmitting device 110) or other identifying information that is stored on the user's transmitting device 110. The form data includes information in the data packets associated with the user 112 (e.g., information in the data packet such as UserID=GeorgeSmith) or other identifying information in the data packets.
In some examples, the reconstruction engine 150 processes the data packet to determine if the data packet matches a request from the server systems 122a and 122b. For example, the server system 122a transmits a request for information (i.e., a data packet requesting information from a user 112) to a user 112 (e.g., login information—userid and password). The user 112 responds through the transmitting device 110 by transmitting a data packet (e.g., userid and password). The reconstruction engine 150 matches the request for information from the server system 122a to the data packet from the user 112 (e.g., the request for login information to the login information). The matching of the request for information from the server system 122a to the data packet from the user 112 is used by the reconstruction engine 150 to match data packets together.
The reconstruction engine 150 can process the data packets. The processing of the data packets includes filtering, decrypting, and/or encrypting (e.g., Radware® SSL Decryption available from Radware Ltd.). The filtering includes, for example, filtering by an internet protocol address, a protocol, a data type (e.g., graphic interface format (gifs), hypertext markup language (html), joint photographic experts group (jpegs), cascading style sheets (css), javascript (js)), a parameter (e.g., password, pin, personal identifying information), content, a content-type, an uniform resource locator (URL) path, and/or an internet protocol (IP) range.
The reconstruction engine 150 receives, for example, over one billion data packets per hour. For example, the reconstruction engine 150 can filter out data packets that are from a trusted internet protocol address (e.g., address 10.111.23.12 which is from a trusted data center). The reconstruction engine 150 filters out all of the data packets from the trusted internet protocol address to reduce the load on the reconstruction engine 150. For example, the reconstruction engine 150 can filter out parameters, such as passwords and pin numbers, to protect sensitive information from being transmitted to the fraud detection system 160.
The reconstruction engine 150 transmits the data to the fraud detection system 160. The fraud detection system 160 processes the data to detect fraudulent activity. The processing of the data includes, for example, one or more systems that process the data (e.g., TIBCO® BusinessEvents® available from TIBCO Software Inc., Deep Network Analyzer (DNA) available from SourceForge®).
The data collection systems 124a and 124b transmit the data packets to the data bus 210. In some examples, the data bus 210 aggregates the data packets from the plurality of data centers 120a and 120b for distribution to the systems that need and/or request the data such as the reconstruction engine 150.
The data packets are transmitted from the data bus 210 to a database 220 and to the reconstruction engine 150. The reconstruction engine 150 reconstructs data from the data packets received from the plurality of data centers 120a and 120b. The reconstructed data is transmitted to the fraud detection system 160 and the database 220.
In some examples, the data bus 210 includes one or more computer systems connected to the network (e.g., a computing blade, a network server, a network router, a network switch, a network hub). In some examples, the database 220 stores data packets and/or data. The database 220 includes, for example, a memory module. The memory module includes, for example, persistent storage and/or volatile storage.
The user requests are transmitted to the load balancer 130. The load balancer 130 transmits a user request to a data center 120a or 120b based on load balancing techniques. The user request is transmitted to the server system 122a or 122b and the data collection system 124a or 124b based on the data center (e.g., 120a or 120b) to which the user request is sent. The data collection system 124a or 124b transmit the user request to a data bus 210. The user request is transmitted from the data bus 210 to the database 220 and an unification engine 320. The unification engine 320 combines all of the received user requests from the user 112 to form an unified user session which comprises all or part of the user session 310, which was initially split apart for transmission to the data centers 120a and 120b. The unified user session can, for example, include a representation of part or all of the user's activity including interactions that are not transmitted through the transmitting device 110 over the network (e.g., information associated with applications on the transmitting device such as an application that interfaces with the server systems 122a and 122b).
The unification engine 320 can analyze the user requests to determine user request information. The user request information includes an origination parameter and/or a destination parameter. One or more of the user request parameters are, for example, used by the unification engine 320 to match user requests together to form the unified user session of the user 112.
The unification engine 320 can analyze the user requests to determine if the user request matches a request for information from the server systems 122a and 122b and/or a request for information from an application module associated with the user's transmitting device 110 (e.g., client side application that communicates with the server systems 122a and 122b). For example, the application module associated with the user's transmitting device 110 requests information from the user 112. The user 112 inputs the information into the application module. The application module through the transmitting device 110 transmits the information in the form of an user request to the server system 122a or 122b for processing. The unification engine 320 matches the user request with information that is requested by the application module (i.e., the unification engine 320 is aware of what information is requested by application modules so that it can match the information to user requests). The matching of the request for information from the application module to the user request form the user 112 is used by the unification engine 320 to match user requests together to form user sessions.
The unification engine 320 can process the user requests. The processing of the user requests includes, for example, filtering, decrypting, and/or encrypting.
The user session unified by the unification engine 320 is transmitted to the database 220 for storage and to the fraud detection system 160. If the fraud detection system 160 detects fraudulent activity, then the fraud detection system 160 communicates to the interdiction system 330. The interdiction system 330, for example, stops the communication of the user requests to the load balancer 130.
The unification engine 320 unifies the user requests and transmits the unified user session to the fraud detection system 405. The fraud detection system 405 includes a geolocation profiling engine 410, a behavior profiling engine 420, an application rules engine 430, a transactional rules engine 440, and a database 450. The fraud detection system 405 can, for example, include one of the engines or combinations of the engines.
The geolocation profiling engine 410 analyzes the user location, the network path, and/or the network address. For example, the geolocation profiling engine 410 analyzes the network address of the transmitting device 110 to determine if the network address is one that is known as a suspicious address (e.g., a network address from a foreign country that is known to have a high amount of fraudulent activity). The determination that the network address is suspicious includes all or part of the information analyzed by the fraud detection system 405 to determine whether the activity is fraudulent. For example, the geolocation profiling engine 410 analyzes the network path of the user 112 to determine if the pathway that the user 112 is accessing travels through or is intercepted by a suspicious network. If the network path of the user 112 is being intercepted by a suspicious network, the geolocation profiling engine 410 reports the fraudulent activity to the fraud detection system 405.
The behavior profiling engine 420 analyzes behavior by analyzing how many page views without a logon occur, visits with malicious software, search terms that are categorized as suspect, uniform resource locators (URL) that are categorized as suspect, account access that is categorized as rapid access, access into multiple accounts, multiple network connections per session, and/or multiple users per session.
For example, if the user 112 accesses ten different accounts which are not interconnected, then the behavior profiling engine 420 determines that the user activity is fraudulent and reports the fraudulent activity to the fraud detection system 405. However, if the user 112 accesses ten different accounts but the accounts are all interconnected (e.g., all have the same mailing address, the same unique user identifier), then the behavior profiling engine 420 determines that the user activity is not fraudulent.
The behavior profiling engine 420 includes an anomaly-based profiling engine. The anomaly-based profiling engine uses a baseline of normal activity to detect when activity falls outside of the baseline. The baseline of normal activity can, for example, be programmed into the profiling engine, and/or learned by the profiling engine while processing the information, data, and/or user sessions on the network. The activity includes any event, state, content, behavior, transaction, and/or similar processing by the user 112 with the network 400.
For example, the user 112 changes her email address on the exemplary system 400 from an internet service provider (e.g., standarduser at standardisp.com) that the user had been using for ten years to an email address at a generic easily obtained email hosting service (e.g., genericuser at hotmail.com). This change of the user's email address may be normal behavior for some users but for this particular user 112, the change in email addresses falls outside of the normal behavior and the behavior profiling engine 420 classifies the activity as fraudulent activity. The classification of the activity as fraudulent activity requires, for example, the user 112 to confirm the change of email addresses outside of the communication channel in which the email change was submitted (e.g., if the email address change was through a website associated with the system 400, then the email address change confirmation outside of the communication channel is a phone call from the system 400).
The application rules engine 430 monitors the interactions between the modules of the exemplary system 400. The application rules engine 430 monitors, for example, a login module, a search module, a transaction module, an information module, and/or other modules that are part of the exemplary system 400. The application rules engine 430 monitors the modules of the exemplary system 400 for the detection of an interaction that is outside of the normal range of interactions with the module (e.g., violates a rule in the engine). The monitoring of the modules allows for the fraud detection system 405 to detect patterns of fraud that may not be detected by just analyzing the transaction of a user, but may be detected by analyzing the interactions with the applications of the exemplary system.
For example, a set of users is attempting to exploit a security hole in the authentication module. The application rules engine 430 is monitoring the authentication module and detects that the set of users is attempting to authenticate to the system 400 using the same username and password (e.g., a buffer overflow in the username and/or password fields). The normal range of interactions is not for more than one user to attempt to authenticate to the system 400 using the same username and password. Accordingly, the application rules engine 430 determines that the activity of the set of users is fraudulent.
The transactional rules engine 440 assigns a confidence level to the user session. The confidence level is an analysis to determine the level at which the system 400 ranks the user session. For example, if the user 112 is transmitting from a location that is within the user's profile (e.g., the user's home computer), but the transaction by the user 112 is outside of the user's profile (e.g., transferring all of the money in a money market account to an overseas bank account when the user never transferred money to an overseas bank account), then the confidence level of the user session is assigned a low number. This low number is utilized by the transactional rules engine 440 and/or the fraud detection system 405 to determine whether the activity is fraudulent.
However, for example, if the user 112 is not coming from a location that is within the user's profile (e.g., a hotel in New York City when the user never logged in from New York City before), but the transaction by the user 112 is within the user's profile (e.g., transferring all of the money in a money market account to an overseas bank account when the user transfers money to an overseas bank account every other week) and the computer signature of the computer that the user is using matches the computer signature in the user's profile (e.g., the user is using her laptop normally used at home at the hotel in New York City), then the confidence level of the user session is a higher number since the transaction is within the user's normal behavior although the user is logging in from a location outside of the user's profile. This high number is utilized by the transactional rules engine 440 and/or the fraud detection system 405 to determine whether the activity is fraudulent.
The transactional rules engine 440 includes a signature-based rules engine. The signature-based rules engine searches for pre-defined patterns (e.g., signatures) in the user session. The patterns include, for example, a set of conditions that characterize fraudulent activities. For example, http headers and/or http payload content are analyzed to detect variable overwriting, parameter overloading, and/or other types of activity that indicate fraudulent activity may be occurring.
For example, the user 112 is submitting a request to transfer $1,000,000 from an account to an overseas bank account. The transactional rules engine 440 is monitoring the activity and examines the http payload content to ensure that the content corresponds with the information of the activity. The http payload content contains userid=GeorgeRich while the user is logged on as userid=GeorgeFraud. The user 112 is attempting to transfer funds not from his account but from another user's account by changing the userid parameter in the http payload content. The transactional rules engine 440 detects this discrepancy and classifies the user session as fraudulent.
The database 450 stores elements of the user sessions in a memory module. The elements include, for example, user identification, network address, time, network path, length of time logged into the system, transactions, and/or other information contained in the user session. The memory module is, for example, volatile memory to speed the access of the stored user sessions. The memory module is, for example, persistent storage to keep for historical analysis (e.g., Oracle® Berkeley DB available from Oracle Corporation).
For example, the fraud detection system 405 searches the user sessions stored in the database 450 for access by the same network address and/or network subnet. If elements of the user session resemble and/or matches elements stored in the database 450 that have been associated with fraudulent activity, then the fraud detection system 405 classifies the user session as fraudulent (e.g., stored element is that subnet 10.10.10.0 is associated with fraudulent activity, then the user session from 10.10.10.5 is classified as fraudulent).
For example, the database 450 stores all of the transaction amounts for all bond purchases in volatile memory for fast access. The fraud detection system 405 receives a user session from the unification engine 320. The user session is processed by the fraud detection system 405 to determine if fraudulent activity exists. Part of the processing by the fraud detection system 405 is comparing the transaction amount in the user session to previous transaction amounts for the bond that is being purchased. The stored elements in the database 450 for the bond being purchased includes ten years of transactions with over a hundred thousand transactions per year. The fraud detection system 405 retrieves from the database 450 in volatile memory the over one million transactions to analyze whether the transaction in the user session is fraudulent activity. The fraud detection system 405 utilizes the speed of the database 450 in volatile memory (e.g., random access memory) to process the transaction at or near the same time that the server system 122a or 122b is processing the transaction. If the transaction in the user session (e.g., purchase of 9,232 bonds) is within the normal ranges (e.g., the range of purchases is 1 to 10,342), then the fraud detection system 405 does not interdict the transaction. If the transaction in the user session (e.g., the purchase of 132,230 bonds) is not within the normal range (e.g., the range of purchases is 1 to 10,342), then the fraud detection system 405 interdict the transaction.
The data packets received by the data bus 210 are, for example, reconstructed into data before being transmitted to the requestor system. The user requests received by the data bus 210 are, for example, unified into user sessions before being transmitted to the requestor system. The data bus 210 includes, for example, the unification engine 320 as shown in
The data bus 210 receives the data packets and/or the user request as encrypted information from the data collection systems 124a and 124b. The data bus 210 decrypts the information before transmission to the requestor system.
The data bus 210 processes the data packet and/or the user request into a format that conforms with a particular protocol. The particular protocol includes a voice over internet protocol (VoIP), a transmission control protocol (TCP), an internet protocol (IP), an extensible markup language (XML), a hypertext markup language (HTML), and/or a standard generalized markup language (SGML).
The exemplary system 300 of
The diagrams of information 600b, 600d, 600e, 600g, and 600h represent data packets and/or user requests collected at the data collection system 124a or 124b of
For example, the transmitting device 110 includes an application for interacting with the server systems 122a and 122b. The interaction between the user 112 and the application on the transmitting device 110 is part of the user's activity and thus the user session includes the interactions between the application on the transmitting device 110 and the user 112. The unification engine 320 is aware of the applications that are used on the transmitting device 110 (e.g., by keeping information about the applications and the interactions with the applications in the database 220) and integrates the interactions associated with the applications into the unified user session.
The reconstruction (750) of data packets can occur in several different ways. For example, the reconstruction (750) can include matching origination parameters between the data packets. Using, for example, the exemplary system 100 of
An advantage of the exemplary system 100 is that the data packets 600b, 600d, and 600g are routed to different data centers 130a and 130b by the load balancer 130 for processing (734a and 734b) by the server systems 122a and 122b and the data packets 600b, 600d, and 600g routed to the different data centers 130a and 130b are reconstructed into part or all of the data transmitted from and received by the user's transmitting device 110. The data packet 600b is routed (720) to data center A 120a by the load balancer 130 while the data packets 600d and 600g are routed (720) to data center B 120b by the load balancer 130. The data packet 600b is routed (732a) to the server system 122a and captured (736a) by the data collection system 124a in data center A 120a. The data packets 600d and 600g are routed (732b) to the server system 122b and captured (736b) by the data collection system 124b in data center B 120b. The data collection systems 124a and 124b send (738a and 738b) the data packets to the reconstruction engine 150. The reconstruction engine 150 reconstructs (750) the data packets received from data centers A 120a and B 120b into the data that the user 112 sent. Thus, the data packets are split among the data centers 120a and 120b for processing (734a and 734b) by the server systems 122a and 122b, but are reconstructed (750) by the reconstruction engine 150.
For example, the reconstruction (750) can include matching origination and destination parameters between the data packets. Using, for example, the exemplary system 100 of
The source field shows that the data packets as illustrated in
An advantage of the exemplary system 100 is that the data packets 600b, 600d, and 600g are routed to different data centers 130a and 130b by the load balancer 130 for processing (734a and 734b) by the server systems 122a and 122b and the data packets 600b, 600d, and 600g routed through the different data centers 130a and 130b and the data packets transmitted by the server systems 122a and 122b are reconstructed into the data transmitted from and received by the user's transmitting device 110. The data packet 600b is routed (720) to data center A 120a by the load balancer 130 while the data packets 600d and 600g are routed (720) to data center B 120b by the load balancer 130. The data packet 600b is routed (732a) to the server system 122a and captured (736a) by the data collection system 124a in data center A 120a. The data packets 600d and 600g are routed (732b) to the server system 122b and captured (736b) by the data collection system 124b in data center B 120b. The data collection systems 124a and 124b capture (736a and 736b) the data packets 600e and 600h that are responses to the user 112. The data collection systems 124a and 124b send (738a and 738b) the data packets to the reconstruction engine 150. The reconstruction engine 150 reconstructs (750) the data packets received from data centers A 120a and B 120b into the data that the user 112 sent and received. Thus, the data packets are split among the data centers 120a and 120b for processing (734a and 734b) by the server systems 122a and 122b, but are reconstructed (750) by the reconstruction engine 150.
The unification (860) of user requests can occur in several different ways. For example, the unification (860) includes matching origination and destination parameters between the user requests. Using, for example, the exemplary system 300 of
An advantage of the exemplary system 300 is that the user requests 600b, 600d, and 600g which are routed to different data centers 130a and 130b by the load balancer 130 are unified with the user requests 600e and 600h being sent to the user 112 and the information contained in the screenshots 600a, 600c, 600f, and 600i.
Using, for example, the exemplary system 400 of
Using, for example, the exemplary system 500 of
For this example, the requestor system is the customer service system 566. The customer service system 566 is analyzing data packets to diagnose and fix problems that the user 112 is having with the system 500. The user 112 is attempting to search for information utilizing the information data 612d by submitting the information to the search module that is part of the system 500. The search module is not returning the correct information. The user 112 contacts a customer service representative who uses the customer service system 566 to look at the data for the user 112. The portion of the data is requested (1046) by the customer service system 566.
The customer service representative identifies that the information parameters 610d are not being transmitted to the system 500 correctly and therefore the information request is failing. The customer service representative instructs the user 112 to update her world wide web browser software (e.g., Mozilla® Firefox) and to try again. The user 112 updates her world wide web browser software and submits the data packet 600d to the system 500. The user 112 receives the data packet response 600e (i.e., response to the user's request) as illustrated by the screenshot 600f.
If the interdiction system 330 does not interdict (1164) the user session, then the user request is routed (1120) by the load balancer 130 to the data center 120b. If the interdiction system 330 does interdict (1164) the user session, then access is the system 1100 is stopped (1166). Data center B 120b is used in this example, however the load balancer can send (920) the user request to data center A 120a. The request is routed (1032) to the server system 122b. The server system 122b processes (1034) the request. Server system 122b responds (1036) to the user request. The response is routed back to the user 112 through her transmitting device 110 unless the interdiction system 330 determines (1162) that the user session should be interdicted based on notifications from the fraud detection system 160. If the interdiction system 330 does interdict (1162) the user session, then access is the system 1100 is stopped (1166) (i.e., the response to the user request is not sent back to the user 112).
The data collection system 124b captures (1142) the user request at or near the same as the user request is routed (1132) to the server system 122b. The data collection system 124b captures (1142) the user request without affecting the processing (1134) of the user request by the server system 122b. After capturing (1142) the user request, the data collection system 124b sends (1144) the user request to the data bus 210. The unification engine 320 receives (1146) the user request from the data bus 210. The unification engine 320 unifies (1148) the user request to form the user session. The unification engine 320 unifies (1148) the user request by itself or with other user requests to form the user session. The user session is processed (1050) by the fraud detection system 160 to detect fraudulent activity. If the fraud detection system 160 detects (1160) fraudulent activity, then the fraud detection system 160 notifies the interdiction system 330. If the fraud detection system 160 does not detect (1160) fraudulent activity, then the fraud detection system 160 continues processing (1150) user sessions looking for fraudulent activity.
Using, for example the exemplary system 400 of
In some examples, the authentication system includes a computer, a network hub, a network switch, a network router, a network firewall, an authentication server (e.g., Kerberos authentication server in Windows® Server 2003 available from Microsoft Corporation, Oracle® Access Manager available from Oracle Corporation), and/or other authentication modules.
The above-described systems and methods can be implemented in digital electronic circuitry, in computer hardware, firmware, and/or software. The implementation can be as a computer program product (i.e., a computer program tangibly embodied in an information carrier). The implementation can, for example, be in a machine-readable storage device and/or in a propagated signal, for execution by, or to control the operation of, data processing apparatus. The implementation can, for example, be a programmable processor, a computer, and/or multiple computers.
A computer program can be written in any form of programming language, including compiled and/or interpreted languages, and the computer program can be deployed in any form, including as a stand-alone program or as a subroutine, element, and/or other unit suitable for use in a computing environment. A computer program can be deployed to be executed on one computer or on multiple computers at one site.
Method steps can be performed by one or more programmable processors executing a computer program to perform functions of the invention by operating on input data and generating output. Method steps can also be performed by and an apparatus can be implemented as special purpose logic circuitry. The circuitry can, for example, be a FPGA (field programmable gate array) and/or an ASIC (application-specific integrated circuit). Modules, subroutines, and software agents can refer to portions of the computer program, the processor, the special circuitry, software, and/or hardware that implements that functionality.
Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer. Generally, a processor receives instructions and data from a read-only memory or a random access memory or both. The essential elements of a computer are a processor for executing instructions and one or more memory devices for storing instructions and data. Generally, a computer can include, can be operatively coupled to receive data from and/or transfer data to one or more mass storage devices for storing data (e.g., magnetic, magneto-optical disks, or optical disks).
Data transmission and instructions can also occur over a communications network. Information carriers suitable for embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices. The information carriers can, for example, be EPROM, EEPROM, flash memory devices, magnetic disks, internal hard disks, removable disks, magneto-optical disks, CD-ROM, and/or DVD-ROM disks. The processor and the memory can be supplemented by, and/or incorporated in special purpose logic circuitry.
To provide for interaction with a user, the above described techniques can be implemented on a computer having a display device. The display device can, for example, be a cathode ray tube (CRT) and/or a liquid crystal display (LCD) monitor. The interaction with a user can, for example, be a display of information to the user and a keyboard and a pointing device (e.g., a mouse or a trackball) by which the user can provide input to the computer (e.g., interact with a user interface element). Other kinds of devices can be used to provide for interaction with a user. Other devices can, for example, be feedback provided to the user in any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback). Input from the user can, for example, be received in any form, including acoustic, speech, and/or tactile input.
The above described techniques can be implemented in a distributed computing system that includes a back-end component. The back-end component can, for example, be a data server, a middleware component, and/or an application server. The above described techniques can be implemented in a distributing computing system that includes a front-end component. The front-end component can, for example, be a client computer having a graphical user interface, a Web browser through which a user can interact with an example implementation, and/or other graphical user interfaces for a transmitting device. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a local area network (LAN), a wide area network (WAN), the Internet, wired networks, and/or wireless networks.
The system can include clients and servers. A client and a server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
Comprise, include, and/or plural forms of each are open ended and include the listed parts and can include additional parts that are not listed. And/or is open ended and includes one or more of the listed parts and combinations of the listed parts.
One skilled in the art will realize the invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The foregoing embodiments are therefore to be considered in all respects illustrative rather than limiting of the invention described herein. Scope of the invention is thus indicated by the appended claims, rather than by the foregoing description, and all changes that come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.
Claims
1. A method for detecting fraudulent activity, the method comprising:
- receiving, by a computing device in a second network, a plurality of interactions between a plurality of data centers in a first network and one or more devices, remote from the data centers, of a user, the plurality of interactions forming an aggregate user session representing the user's activity over a period of time with the plurality of data centers via the one or more devices;
- monitoring, by the computing device, data transaction requests of the plurality of interactions, the computing device configured to respond to each data transaction request with a response that appears to the user as if the request was executed by the respective data center;
- if the computing device determines that the interactions are harmful: interdicting, by the computing device, the interactions from execution by the plurality of data centers; and allowing, by the computing device, the one or more devices to submit additional interactions;
- if the computing device is unable to determine whether the subsequent interactions are harmful: transmitting, by the computing device, the interactions to the plurality of data centers for execution; and marking, by the computing device, the interactions for monitoring purposes.
2. The method of claim 1, if the computing device determines that the interactions are harmful, the method further comprising:
- if the computing device is able to simulate the interactions, transmitting a response for each interaction to the one or more devices, the transmitted responses appearing to the user as if the plurality of data centers executed the interactions;
- if the computing device is unable to simulate the interactions, transmitting a response for each interaction to the one or more devices, the transmitted responses appearing to the user as if the plurality of data centers failed to execute the interactions due to a system error; and
- monitoring, by the computing device, data transaction requests of additional interactions submitted from the one or more devices.
3. The method of claim 1, the method further comprising:
- generating, by the computing device, a signature based on the monitoring step; and
- correlating, by the computing device, the signature with previous user sessions to determine whether the plurality of interactions and the previous user sessions share one or more characteristics.
4. The method of claim 3, wherein the characteristics include at least one of: a common user, a common remote device, a common location, or a common activity pattern.
5. The method of claim 3, wherein the signature is generated using one or more data analysis tools that have access to the plurality of interactions.
6. The method of claim 1, wherein the method is performed in real time.
7. The method of claim 1, wherein the response that appears to the user as if the request was executed by the respective data center includes dummy data to prevent the user from accessing data stored in the data center.
8. The method of claim 1, if the computing device determines that the interactions are harmful, the method further comprising:
- providing, by the computing device, responses to the additional interactions that encourage the user to stay connected to the computing device until an enforcement action is executed.
9. The method of claim 8, wherein the responses to the additional interactions extend a session between the computing device and the one or more remote devices.
10. The method of claim 1, if the computing device determines that the interactions are harmful, the method further comprising:
- determining, by the computing device, one or more vulnerabilities associated with the plurality of data centers based on the interactions submitted by the one or more remote devices.
11. A system for detecting fraudulent activity, the method comprising:
- a computing device in a second network configured to: receive a plurality of interactions between a plurality of data centers in a first network and one or more devices, remote from the data centers, of a user, the plurality of interactions forming an aggregate user session representing the user's activity over a period of time with the plurality of data centers via the one or more devices; monitor data transaction requests of the plurality of interactions, the computing device configured to respond to each data transaction request with a response that appears to the user as if the request was executed by the respective data center; if the computing device determines that the interactions are harmful: interdict the interactions from execution by the plurality of data centers; and allow the one or more devices to submit additional interactions; if the computing device is unable to determine whether the subsequent interactions are harmful: transmit the interactions to the plurality of data centers for execution; and mark the interactions for monitoring purposes.
12. The system of claim 11, if the computing device determines that the interactions are harmful, the computing device further configured to:
- transmit a response for each interaction to the one or more devices if the computing device is able to simulate the interactions, the transmitted responses appearing to the user as if the plurality of data centers executed the interactions;
- transmit a response for each interaction to the one or more devices if the computing device is unable to simulate the interactions, the transmitted responses appearing
- to the user as if the plurality of data centers failed to execute the interactions due to a system error; and
- monitor data transaction requests of additional interactions submitted from the one or more devices.
13. A computer program product, tangibly embodied in a non-transitory computer readable storage medium, for detecting fraudulent activity, the computer program product including instructions operable to cause a computing device in a second network to:
- receive a plurality of interactions between a plurality of data centers in a first network and one or more devices, remote from the data centers, of a user, the plurality of interactions forming an aggregate user session representing the user's activity over a period of time with the plurality of data centers via the one or more devices;
- monitor data transaction requests of the plurality of interactions, the computing device configured to respond to each data transaction request with a response that appears to the user as if the request was executed by the respective data center;
- if the computing device determines that the interactions are harmful: interdict the interactions from execution by the plurality of data centers; and allow the one or more devices to submit additional interactions;
- if the computing device is unable to determine whether the subsequent interactions are harmful: transmit the interactions to the plurality of data centers for execution; and mark the interactions for monitoring purposes.
14. The computer program product of claim 13, if the computing device determines that the interactions are harmful, the computer program product including further instructions operable to cause the computing device to:
- transmit a response for each interaction to the one or more devices if the computing device is able to simulate the interactions, the transmitted responses appearing to the user as if the plurality of data centers executed the interactions;
- transmit a response for each interaction to the one or more devices if the computing device is unable to simulate the interactions, the transmitted responses appearing to the user as if the plurality of data centers failed to execute the interactions due to a system error; and
- monitor data transaction requests of additional interactions submitted from the one or more devices.
Type: Application
Filed: May 11, 2012
Publication Date: Aug 30, 2012
Applicant: FMR LLC (Boston, MA)
Inventors: Vijay C. Bhatt (Burlington, MA), Stephen Singh (Westford, MA), Rajandra Laxman Kulkarni (Burlington, MA), Adam Greenberg (Lincoln, MA)
Application Number: 13/469,874
International Classification: G06F 15/173 (20060101); G06F 11/30 (20060101);