Telephonic communications – With usage measurement – Call charge metering or monitoring
Reexamination Certificate
1998-04-23
2001-03-27
Kuntz, Curtis A. (Department: 2743)
Telephonic communications
With usage measurement
Call charge metering or monitoring
C379S112030, C379S197000, C379S188000, C379S127030
Reexamination Certificate
active
06208720
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates generally to threshold detection engines and, more particularly, to a configurable and dynamically updatable rules-based thresholding engine for evaluating event records.
2. Related Art
Thresholding engines can process event records such as, for example, telecommunication event records of telephone calls, credit card and debit card event records of transactions, event records of customer purchases, etc. Thresholding engines can process event records as part of a fraud detection system, a data mining system, a market analysis system, etc.
For example, as the telecommunications industry rapidly grows, so does telecommunications fraud. In the United States alone, telecommunication fraud is estimated to have cost $3 billion in 1995. Telecommunications service providers have experienced difficulty in keeping up with new methods of fraud. As soon as service providers implement new systems to detect current methods of fraud, criminals innovate new methods.
Current methods of fraud are targeted at all types of services. Such services and corresponding fraud include use of calling cards, credit cards, customer premise equipment (CPE), including private branch exchanges (PBX), Dial 1+, 800 inbound, and cellular calls. In addition, international dialing is a frequent target of fraud because of its high price of service. Subscription fraud, where a customer subscribes to a service, such as 800 or Dial 1, and then never pays, is also a frequent target of fraud.
Existing methods of detecting patterns are based primarily on setting predetermined thresholds and then monitoring event records to detect when a threshold has been exceeded. For example, in a telecommunications environment, parameters for thresholds can include total number of calls in a day, number of calls less than one minute in duration, number of calls more than 1 hour in duration, calls to specific telephone numbers, calls to specific countries, calls originating from specific telephone numbers, etc.
In conventional systems, thresholds must be manually programmed, which is labor intensive and time consuming. Manually programmed thresholds are static and thus do not adjust to changing patterns of fraud. Moreover, thresholds are generally subjective, not directly based upon empirical data and easy for criminals to detect and circumvent. Also, in fraud detection systems, thresholds tend to be set conservatively in order to detect most fraud and are thus frequently exceeded by non-fraudulent calls, resulting in high rates of false alarms.
In conventional fraud detection systems, when a threshold is exceeded, an alarm is triggered and presented to an analyst who must then analyze the alarm to determine if it properly reflects fraud. The analyst must query many sources of data, such as customer payment history and service provisioning data, to assess the probability of fraud. This manual process is time consuming, labor intensive, highly subjective and prone to error.
Existing systems and methods for evaluating event records are thus rigid and generally not configurable for other service providers or industries. As a result, new rules, algorithms, routines, and thresholds must constantly be re-programmed.
What is needed is a configurable and scalable rules-based thresholding engine that automatically detects and acts upon new and evolving patterns in event records.
SUMMARY OF THE INVENTION
The present invention is a system, method and computer program product for a configurable and scalable rules-based thresholding engine that constantly monitors event records to determine whether one or more thresholds have been exceeded. When a threshold is exceeded, an alarm is generated.
The present invention combines a core infrastructure with configurable, user-specific, or domain-specific, implementation rules. The core infrastructure is generically employed regardless of the actual type of network being monitored. The domain-specific implementation is provided with user specific data, data files, rules and code that provide configurability to the system.
The core infrastructure includes an event record enhancer that enhances event records with additional data. In a telecommunications fraud detection system, enhancement data may include, for example, adding the bill paying history data of a particular caller. The enhancer may access external databases for additional information related to an event record. The enhancer may also retrieve data from other systems, including external systems, via an informant that interfaces with external systems in formats native to the external systems. The enhancer may also enhance by calculating/deriving information from a single event record and/or related record(s). The core infrastructure also includes a threshold detector that determines whether an enhanced event record, alone or in light of prior event records, exceeds one or more thresholds. The core infrastructure provides scalability to the configurable domain-specific implementation.
The domain-specific implementation includes enhancement rules, configuration rules and threshold detection rules. Rules may be created, deleted and modified according to the evolving needs of users, even while the thresholding engine is in operation. The rules may be easily tailored for specific uses and may be automatically updated, preferably with updates generated by a pattern recognition engine. The domain-specific implementation of the thresholding engine may employ complex thresholding rules that compare and aggregate various data and network event records.
The domain-specific implementation may include a user-configurable database for storing domain-specific data. The user-configurable database may include one or more databases including, for example, flat files databases, object oriented databases, relational database, etc.
In an exemplary embodiment, the event record enhancer identifies one or more features of each event record and determines whether any prior event records contain similar features. The enhancer then generates a feature vector that represents identified key features and key feature values. The feature vector may include one or more thresholds for a feature value. The feature vector may be built from a single record.
The threshold detector receives enhanced event records from the event record enhancer, preferably in the form of feature vectors. The threshold detector selects one or more threshold rules from a database of threshold rules for applying to the enhanced event records. Where enhanced event records are in the form of feature vectors containing features and feature values, the threshold detector applies one or more threshold rules to one or more features in the vector. Where the feature vector includes a threshold for a feature value, the threshold detector tests the appropriate feature value(s) against the threshold. The threshold detector may apply threshold rules to features based on the current record only or the current record and prior event records.
In an exemplary embodiment, rules within the database of threshold rules may be added or modified dynamically, during run-time, by human analysts and by a pattern recognition engine which detects new methods of fraud.
The thresholding engine may be implemented as a stand-alone system or as an integral part of a data processing system. For example, the thresholding engine may be implemented as an integral part of a multi-layer system for detecting and managing fraud and that employs artificial intelligence (Al) and expert system technologies within a layered logical systems architecture. The present invention may be implemented in software, firmware, hardware or any combination thereof. In an exemplary embodiment, the thresholding engine is implemented as a distributed and redundant software suite and hardware configuration.
In an exemplary embodiment, the present invention is implemented as a telecommunications fraud detection system in which the thresholding engine receives network event records from a
Arkel Hans Van
Curtis Terrill J.
Dallas Charles A.
Gavan John
Herrington Cheryl
Barnie Rexford N
Kuntz Curtis A.
MCI Communications Corporation
LandOfFree
System, method and computer program product for a dynamic... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with System, method and computer program product for a dynamic..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and System, method and computer program product for a dynamic... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2454694