Detection of fraudulent user flows
By employing sequential machine learning models to analyze user flow data as a chronological sequence, the method addresses the challenge of identifying complex fraud patterns in user interactions, enhancing fraud detection efficacy in the financial sector.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Applications
- Current Assignee / Owner
- INTERNATIONAL BUSINESS MACHINE CORPORATION
- Filing Date
- 2024-04-03
- Publication Date
- 2026-06-30
AI Technical Summary
Existing fraud detection mechanisms in the financial sector, particularly for Account Takeover (ATO) fraud, fail to consider the sequential flow of user interactions on websites, making it difficult to identify sophisticated fraud attempts that appear benign in isolation but are part of a larger fraudulent pattern.
The use of sequential machine learning models, such as Hidden Markov Models (HMM), to analyze user flow data as a chronological sequence of website interactions, transforming it into a vector representation and classifying it as fraudulent or legitimate, thereby identifying complex fraud patterns.
This approach effectively detects fraudulent user flows before significant damage occurs by recognizing sequences of activities that individually appear legitimate but contribute to larger fraud schemes, preventing financial and reputational losses.
Smart Images

Figure 2026521307000001_ABST
Abstract
Description
Background Art
[0001] This application generally relates to improved data processing apparatuses and methods, and more particularly to improved computing tools for detecting unauthorized user flows with respect to user activities on websites and to the operation / function of the improved computing tools.
[0002] The financial industry is plagued by frequent frauds involving deceptive, misleading, or incorrect business practices. This causes significant damage not only to individuals but also to organizations. This is particularly true for organizations such as credit card companies and the like that need to deal with situations where their customers have been victimized by fraud and provide a level of isolation or protection to their customers from such fraud, and the organization tries to cover the customer losses while attempting to recover the illegally obtained funds. However, other losses may include less quantifiable or indirect costs such as the time, goodwill, and the like of the parties involved, so the types of losses occurring in the financial sector due to fraud are not limited to these.
[0003] Organizations attempt to defend themselves by identifying and stopping fraudulent actions before they cause irreversible damage. One of the most common fraud use cases is Account Takeover (ATO), where fraudsters gain unauthorized access to take over online accounts. Fraudsters can alter account details, make purchases, withdraw funds, and obtain sensitive data that should be handled with care. Online accounts can be associated with banks, credit cards, online shopping websites, or any other online entities and activities. In some cases, ATO fraud may not even involve the theft of money from the account holder, but may simply involve accessing sensitive data that should be handled with care to gain other benefits. Identifying (and stopping) ongoing ATO fraud before they succeed and cause damage is one of the highest priorities for organizations, however, existing mechanisms do not adequately consider the sequential flow of interactions with online content when attempting to detect such fraud. [Overview of the project]
[0004] This “Outline of the Invention” is provided to introduce the selection of concepts in a simplified form, which will be further described in the “Modes for Carrying Out the Invention” herein. This “Outline of the Invention” is not intended to identify any important factors or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
[0005] In one exemplary embodiment, a method in a data processing system for detecting fraudulent user flows associated with a website is provided. The method includes the steps of receiving user flow data representing a user's interaction with the website's content, and converting the user flow data into a vector representation. The vector representation represents a chronological transition from one part of the website's content to another part of the website. The method also includes the steps of processing the vector representation and inputting it into at least one trained sequential machine learning computer model that generates classifications of the vector representation. In addition, the method includes the steps of detecting, based on the classification, whether the user flow data represents a fraudulent user flow, and, based on the detection, outputting an output indicating whether the user flow is a fraudulent user flow. Thus, the exemplary embodiment can automatically detect whether a user flow, which may be part of the current user session or a previous user session, represents fraudulent activity or legitimate access to the website.
[0006] In some exemplary embodiments, the user flow data comprises one or more entries, each entry having a timestamp and a corresponding identifier for the corresponding content on the website, the timestamp specifying the time the user accessed the corresponding content on the website. In some exemplary embodiments, the corresponding content on the website is a web page on the website, and the corresponding identifier is the Uniform Resource Locator (URL) of the corresponding content on the website.
[0007] In some exemplary embodiments, the step of converting the user flow data into a vector representation includes sorting the entries in the user flow data according to the timestamp associated with the entries, and clustering the entries into a plurality of clusters based on a cluster mapping of the identifiers of the corresponding content of the website associated with the entries, wherein each cluster in the plurality of clusters has a corresponding cluster identifier. In addition, the converting step may include generating the vector representation as a vector of cluster identifiers arranged in chronological order according to the result of the sorting step. In some exemplary embodiments, the clustering step of the entries includes clustering uniform resource locator (URL) fragments into the clusters, wherein the vector representation has sequential chronological cluster identifiers corresponding to the user flow data. Thus, exemplary embodiments can evaluate sequences of activity, such as chronological transitions between web pages of a website, when determining whether website access is potentially part of fraudulent activity or not.
[0008] In some exemplary embodiments, the at least one trained sequential machine learning computer model has been trained to classify the vector representation in terms of whether or not it represents a user flow indicating fraud committed by a fraudulent user flow. In some exemplary embodiments, the fraud is an account takeover (ATO) fraud. Thus, exemplary embodiments can classify user flows in terms of a specific type of fraud, such as an ATO fraud, before substantial damage occurs.
[0009] In some exemplary embodiments, the at least one trained sequential machine learning computer model has at least one Hidden Markov Model (HMM) computer model, wherein the vector representation is a Markov chain.
[0010] In some exemplary embodiments, the at least one trained sequential machine learning computer model includes a first sequential machine learning computer model trained to classify the vector representation as to whether it represents a user flow indicating fraud committed by a fraudulent user flow, and a second sequential machine learning computer model trained to classify the vector representation as to whether it represents a user flow indicating a legitimate user flow. In some exemplary embodiments, the first sequential machine learning computer model generates a first score, and the second sequential machine learning computer model generates a second score. In some exemplary embodiments, the step of detecting whether the user flow data represents a fraudulent user flow based on the classification includes the step of comparing the first score against the second score, and the step of detecting whether the user flow data represents a fraudulent user flow based on the result of the comparison. Thus, the competing interests of the two trained models can be used to improve the classification generated by the system.
[0011] In other exemplary embodiments, a computer-readable medium containing a computer-readable program or a computer program product comprising a computer-readable medium is provided. When this computer-readable program is executed on a computing device, it causes the computing device to perform various operations and combinations thereof from the operations outlined above with respect to exemplary embodiments of the method.
[0012] In yet another exemplary embodiment, a system / device is provided. This system / device may comprise one or more processors and memory coupled to one or more processors. This memory may contain instructions, which, when executed by one or more processors, cause one or more processors to perform various operations and combinations thereof from the operations outlined above with respect to exemplary embodiments of the method.
[0013] These and other features and advantages of the present invention will be explained or will become apparent to those skilled in the art, based on the following detailed description of embodiments of the present invention. [Brief explanation of the drawing]
[0014] The present invention, its preferred uses and other purposes, and its advantages will be best understood by referring to the following detailed description of exemplary embodiments together with the accompanying drawings.
[0015] [Figure 1] This is an illustrative diagram of a distributed data processing system environment in which an exemplary embodiment is implemented and at least a portion of the computer code involved in performing the method of the present invention can be executed.
[0016] [Figure 2] This is an illustrative diagram showing the primary operating components of a fraudulent user flow detection engine according to one exemplary embodiment.
[0017] [Figure 3] This is an illustrative diagram showing a training stage process for training one or more sequential machine learning models to classify user flow data, according to one exemplary embodiment.
[0018] [Figure 4]This is an exemplary diagram illustrating a classification stage process for classifying user flows in terms of whether they indicate fraud or not, according to one exemplary embodiment.
[0019] [Figure 5] This flowchart outlines an exemplary operation for training one or more sequential machine learning models to classify user flow data, according to one exemplary embodiment.
[0020] [Figure 6] This flowchart outlines exemplary behavior for classifying a user flow as either invalid or legitimate, according to one exemplary embodiment. [Modes for carrying out the invention]
[0021] As noted above, identifying (and stopping) ongoing account takeover (ATO) frauds before they succeed and cause damage is a significant challenge for modern organizations, especially those involved in e-commerce across one or more data networks. To facilitate the identification and cessation of such ATO frauds, organizations employ different fraud detection techniques, some of which collect various data types, such as mouse movement data, device usage data, location data, and various others, from the computing devices used to access accounts. However, these mechanisms operate on a single instance in time, or a snapshot of data. While such mechanisms can be useful in detecting fraud, they may not identify all ATO frauds because they do not consider sequences of activities that together may be part of an ATO fraud. That is, as attackers become more sophisticated, they often exploit activities that may appear benign to themselves or in a single snapshot, but when combined with other activities, are part of a pattern of interactions that leads to an ATO fraud. Furthermore, attackers can manipulate the victim's flow during online sessions by using sophisticated bots and malware to create automated, accelerated user flow activity or by using remote access tools for social engineering, so that the victim's flow does not appear fraudulent to itself. While current fraud detection technologies work well in some cases, there are still situations where it is difficult to determine whether or not fraud is occurring.
[0022] The mechanisms of the exemplary embodiments focus on analyzing data representing user activity, or the ways in which a user can traverse an online website that can be composed of multiple web pages, various content, and various hyperlinks to the web pages, which can be organized into various hierarchies and the like. Data representing the chain of activities in which the user engages to traverse the website is herein referred to as a "user flow". For the purposes of the description of the exemplary embodiments, it will be assumed that the website being traversed is a financial-related website, where a "financial" website is any website that has a user account for the purpose of accessing monetary funds or otherwise electronically participating in financial transactions. While a "financial-related website" will be used herein as an example, the exemplary embodiments are not limited to such, and it should be understood that the mechanisms of the exemplary embodiments can be similarly applied to any online website where ATO fraud can occur, regardless of the domain.
[0023] User flow data representing the user's activity when traversing a website is constructed from the journey that the user takes when interacting with the website. For example, the following sequence, or path, of user activity can be a basis for the construction of the user flow: (1) The user starts at the login web page, (2) continues to the account settings web page with the user, then (3) continues to the account balance web page, and finally (4) visits the money transfer web page before logging off. Such a sequence of activities, e.g., user inputs to various web pages for navigating the website, is monitored and tracked / logged, thereby constructing a record of the user's interaction with the website.
[0024] An exemplary embodiment takes such user flow data and represents the user flow as a sequential series of web page transitions. The exemplary embodiment then applies a machine learning computer model, such as a Hidden Markov Model (HMM), a recurrent neural network (RNN), a long short-term memory (LSTM) network, a gated recurrent unit (GRU), a sequence-to-sequence neural network, a conditional random field (CRF), a Bayesian network, or the like, to classify the sequential series of web page transitions, i.e., user interactions with the website, as either fraudulent or legitimate. To achieve this operation, the exemplary embodiment generates user flow data from tracked user interactions with the website's web pages and then transforms the user flow data into web page clusters, e.g., Uniform Resource Locator (URL) clusters, or the like. An exemplary embodiment creates a Markov chain from sequential data, such as a Hidden Markov Model (HMM) in an embodiment using an HMM as a machine learning computer model, from user flow data of website interactions, and classifies the user flow data as either fraudulent or legitimate by training the machine learning computer model, such as a Hidden Markov Model (HMM). This classification may be a binary classification or may be based on probabilistic judgment, and thus lie on a spectrum of values from 0.0 to 1.0, where one extreme is considered clearly fraudulent and the other extreme of the spectrum is considered clearly legitimate. The classification may relate to a specific type of fraud that may be committed against a website, such as account takeover (ATO) fraud. It should be understood that different computer models may be trained to detect user flow data representing various types of fraud, such as social engineering fraud, malware fraud, and bot-based fraud.In some exemplary embodiments, a single computer model can be configured to return the probability, or score, of a user flow sequent being generally fraudulent or generally legitimate, or different probabilities / scores of different types of fraud.
[0025] Thus, using the mechanisms of the exemplary embodiments, the sequence of activities a user engages in when interacting with a website is represented as a sequence dataset, such as a Markov chain or other sequencing dataset, and this sequence can be classified as to whether it represents an improper or proper interaction with the website. As such, interactions that may appear legitimate individually but are part of a more complex fraud attempt when considered as a whole can be automatically identified using a trained machine learning computer model, thereby detecting such fraud and preventing such fraud from a financial loss perspective or other less quantifiable loss perspectives, such as loss of goodwill or reputation, loss from an employee utilization perspective, and the like, before significant continuing damage occurs.
[0026] Before continuing the description of the embodiments and various aspects of the improved computer operations performed by the embodiments, it should first be understood that throughout this description, the term “mechanism” is used to refer to elements of the present invention that perform various operations, functions, etc. When the term “mechanism” is used herein, it may be an implementation of a function or aspect of an exemplary embodiment in the form of an apparatus, procedure, or computer program product. In the case of a procedure, the procedure is implemented by one or more devices, apparatus, computers, data processing systems, etc. In the case of a computer program product, logic represented by computer code or instructions embodied within or on the computer program product is executed by one or more hardware devices in order to implement a function associated with a particular “mechanism” or to perform an operation associated with a particular “mechanism.” Thus, the mechanisms described herein may be implemented as special hardware, software that runs on the hardware and thereby configures the hardware to implement a special function of the present invention that the hardware cannot otherwise perform, software instructions stored on a medium that make the instructions easily executable by the hardware and thereby configure the hardware in particular to perform the functions shown herein and the specific computer operations described herein, or any combination thereof.
[0027] In this description and claims, the terms “one,” “at least one of,” and “one or more of” may be used with respect to certain features and elements of exemplary embodiments. It should be understood that these terms and phrases are intended to indicate that at least one of certain features or elements present in a particular exemplary embodiment is present, but there may be two or more. That is, these terms / phrases are not intended to limit this specification or the claims to a single present feature / element, nor are they intended to require the presence of multiple such features / elements. On the contrary, these terms / phrases require only at least a single feature / element, and there may be multiple such features / elements within this specification and the claims.
[0028] Furthermore, the use of the term “engine” as used herein in relation to the description of embodiments and features of the present invention is not intended to limit any particular technical implementation for realizing and / or performing actions, steps, processes, etc. resulting from and / or performed by an engine, however it should be understood that “engine” is limited in that it is implemented in computer technology and its actions, steps, processes, etc. are not performed as mental processes or through manual work, even if the engine may operate in conjunction with manual input or provide output intended for manual or mental consumption. An engine is implemented as one or more of software, dedicated hardware, and / or firmware, or any combination thereof, running on hardware and specifically configured to perform a specified function. Hardware may include, but is not limited to, the use of a processor loaded into or stored in machine-readable memory and executed by a processor, and thereby combined with appropriate software that specifically configures the processor for a special purpose including one or more of the functions of one or more embodiments of the present invention. Furthermore, any names associated with a particular engine are for convenience of reference unless otherwise specified and are not intended to limit any particular implementation. Furthermore, any function originating from one engine may be incorporated into or combined with a function of another engine of the same or different type, or both, or distributed across one or more engines in various configurations and executed in the same way by multiple engines.
[0029] In addition, it should be understood that the following description uses several different examples of various elements of the exemplary embodiment to further illustrate exemplary implementations of the exemplary embodiment and to aid in understanding the mechanism of the exemplary embodiment. These examples are intended to be non-limiting and do not encompass all possible implementations of the mechanism of the exemplary embodiment. In consideration of this description, it will be apparent to those skilled in the art that with respect to these various elements, there are many other alternative implementations that can be used in addition to, or in place of, the examples provided herein without departing from the spirit and scope of the invention.
[0030] Various aspects of this disclosure are described by explanatory text, flowcharts, block diagrams of computer systems, and / or block diagrams of mechanical logic included in embodiments of computer program products (CPPs). With respect to any flowchart, depending on the technology involved, operations may be performed in a different order than those shown in a given flowchart. For example, also depending on the technology involved, two operations shown in consecutive blocks of a flowchart may be performed in reverse order, as a single integrated step, simultaneously, or with at least partial time overlap.
[0031] Embodiments of a computer program product ("CPP Embodiment" or "CPP") are terms used in this disclosure to describe any set of one or more storage media ("mediums") that are collectively comprised of one or more storage devices that collectively contain machine-readable code corresponding to instructions and / or data for performing computer operations specified in a given CPP claim. "Storage device" is any tangible device capable of holding and storing instructions for use by a computer processor. Computer-readable storage media may, but are not limited to, electronic storage media, magnetic storage media, optical storage media, electromagnetic storage media, semiconductor storage media, mechanical storage media, or any preferred combination thereof. Some known types of storage devices, including these media, include diskettes, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), static random access memory (SRAM), compact disk read-only memory (CD-ROM), digital versatile disk (DVD), memory stick, floppy disk, mechanically encoded devices (such as pits / lands formed on the main surface of a punch card or disk), or any preferred combination of those described above. When the term "computer-readable storage medium" is used in this disclosure, it shall not be construed as storage in the form of a transient signal itself, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through waveguides, optical pulses passing through optical fiber cables, electrical signals communicated through wires, and / or other transmission media. As those skilled in the art will understand, data is moved at several intermittent points in the normal operation of the storage device, such as during access, defragmentation, or garbage collection; however, data is not transient while it is stored, so the foregoing does not make the storage device transient.
[0032] For clarity, it should be understood that certain features of the present invention described in the context of separate embodiments may also be provided in combination in a single embodiment. Conversely, various features of the present invention described in the context of a single embodiment for brevity may also be provided individually or in any preferred secondary combination.
[0033] The present invention may be a specifically configured computing system, a method implemented by the specifically configured computing system, and / or a computer program product comprising hardware and / or software specifically configured to implement the specific mechanisms and functions described herein, the hardware and / or software specifically configured to implement the specific mechanisms and functions described herein. Notwithstanding the descriptions of the computer program product as a system or method, it should be understood that the exemplary embodiments described herein specifically concern improved computing tools and methods implemented by such improved computing tools. In particular, the improved computing tool of the exemplary embodiments specifically provides a fraudulent user flow detection engine that operates to evaluate user flow data, which represents a sequence of user interactions with web pages of a website in terms of whether they are fraudulent or not, specifically whether they indicate an account takeover (ATO) fraud. The improved computing tool implements mechanisms and functions such as the fraudulent user flow detection engine, which cannot actually be performed by or using an external person in a technical environment such as a mental process or similar. The improved computing tools provide a practical application of the method in that they can at least track and generate user flow data representing user interactions with a website across multiple web pages, and classify the user flow data to determine whether it represents a fraudulent or legitimate interaction with the website, such as in the case of account takeover (ATO) fraud.
[0034] Figure 1 is an exemplary diagram of a distributed data processing system environment in which an exemplary embodiment is implemented and in which at least a portion of the computer code involved in performing the method of the present invention can be executed. That is, the computing environment 100 includes an example of an environment for the execution of at least some of the computer code involved in performing the method of the invention, such as a fraudulent user flow detection engine 200. In addition to the fraudulent user flow detection engine 200, the computing environment 100 includes, for example, a computer 101, a wide area network (WAN) 102, an end user device (EUD) 103, a remote server 104, a public cloud 105, and a private cloud 106. In this embodiment, the computer 101 includes a processor set 110 (including processing circuits 120 and cache 121), a communication fabric 111, volatile memory 112, persistent storage 113 (including an operating system 122 and a malicious user flow detection engine 200 as identified above), a peripheral device set 114 (including a user interface (UI)), a device set 123, storage 124, and an Internet of Things (IoT) sensor set 125), and a network module 115. The remote server 104 includes a remote database 130. The public cloud 105 includes a gateway 140, a cloud orchestration module 141, a host physical machine set 142, a virtual machine set 143, and a container set 144.
[0035] Computer 101 may take the form of a desktop computer, laptop computer, tablet computer, smartphone, smartwatch or other wearable computer, mainframe computer, quantum computer, or any other form of computer or mobile device that is currently known or may be developed in the future, capable of running programs, accessing networks, or querying databases such as remote database 130. As is well understood in the field of computer technology, and depending on the technology, the execution of a computer implementation may be distributed among multiple computers and / or multiple locations. On the other hand, in this description of the computing environment 100, in order to make the explanation as concise as possible, the detailed discussion will focus on a single computer, specifically computer 101. Computer 101 may be located in the cloud even if it is not shown in the cloud in Figure 1. On the other hand, computer 101 is not required to be located in the cloud, except to any extent that can be definitively shown.
[0036] The processor set 110 includes one or more computer processors of any kind currently known or to be developed in the future. The processing circuitry 120 may be distributed across multiple packages, for example, multiple interconnected integrated circuit chips. The processing circuitry 120 may implement multiple processor threads and / or multiple processor cores. The cache 121 is memory located within the processor chip package and is typically used for data or code that should be available for high-speed access by threads or cores running on the processor set 110. The cache memory is typically organized into multiple levels depending on its relative proximity to the processing circuitry. Alternatively, some or all of the cache for the processor set may be located "off-chip". In some computing environments, the processor set 110 may operate using qubits and be designed to perform quantum computing.
[0037] Computer-readable program instructions are typically loaded onto computer 101 and cause the processor set 110 of computer 101 to execute a series of operational steps, thereby realizing the computer implementation method. As a result, the instructions thus executed instantiate the methods specified in the flowcharts and / or descriptions of the computer implementation methods contained herein (collectively referred to as the "Methods of the Invention"). These computer-readable program instructions are stored in various types of computer-readable storage media, such as cache 121 and other storage media discussed below. The program instructions and associated data are accessed by the processor set 110 to control and direct the execution of the Methods of the Invention. In the computing environment 100, at least some of the instructions for executing the Methods of the Invention may be stored in the rogue user flow detection engine 200 in persistent storage 113.
[0038] The communication fabric 111 is a signal conduction path that enables various components of the computer 101 to communicate with one another. Typically, this fabric is made up of switches and conductive paths, such as buses, bridges, physical input / output ports, and similar components. Other types of signal communication paths, such as optical fiber communication paths and / or wireless communication paths, may be used.
[0039] Volatile memory 112 is any type of volatile memory currently known or to be developed in the future. Examples include dynamic random-access memory (RAM) or static RAM. Volatile memory is typically characterized by random access, but this is not mandatory unless explicitly stated. In computer 101, volatile memory 112 is located in a single package and resides inside computer 101, but alternatively or additionally, volatile memory may be distributed across multiple packages and / or located externally to computer 101.
[0040] The persistent storage 113 is any form of non-volatile storage for a computer, currently known or to be developed in the future. The non-volatility of this storage means that the stored data is maintained regardless of whether power is supplied to the computer 101 and / or directly to the persistent storage 113. The persistent storage 113 may be read-only memory (ROM), but typically at least a portion of the persistent storage allows for writing, deleting, and rewriting of data. Some well-known forms of persistent storage include magnetic disks and solid-state storage devices. The operating system 122 may take several forms, such as various known proprietary operating systems or open-source portable operating system interface type operating systems that utilize a kernel. The code contained in the malicious user flow detection engine 200 typically includes at least some computer code involved in performing the method of the invention.
[0041] The peripheral device set 114 includes a set of peripheral devices for the computer 101. Data communication connections between the computer 101's peripheral devices and other components can be implemented in various ways, including Bluetooth connections, Near-Field Communication (NFC) connections, connections made by cables (such as universal serial bus (USB) type cables), insert-type connections (e.g., secure digital (SD) cards), connections made through local area communication networks, and even connections made through wide area networks such as the internet. In various embodiments, the UI device set 123 may include components such as a display screen, speaker, microphone, wearable devices (such as goggles and smartwatches), keyboard, mouse, printer, touchpad, game controller, and haptic devices. Storage 124 is external storage such as an external hard drive, or insertable storage such as an SD card. Storage 124 may be persistent and / or volatile. In some embodiments, storage 124 may take the form of a quantum computing memory device for storing data in the form of qubits. In embodiments where computer 101 requires a large amount of storage (for example, when computer 101 locally stores and manages a large database), this storage may be provided by peripheral storage devices designed to store very large amounts of data, such as a storage area network (SAN) shared by multiple geographically distributed computers. The IoT sensor set 125 consists of sensors that can be used in Internet of Things applications. For example, one sensor may be a thermometer and another may be a motion detector.
[0042] The network module 115 is a collection of computer software, hardware, and firmware that enables computer 101 to communicate with other computers via the WAN 102. The network module 115 may include hardware such as a modem or Wi-Fi signal transceiver, software for packetizing and / or depacketizing data for communication network transmission, and / or web browser software for transmitting data over the internet. In some embodiments, the network control and network forwarding functions of the network module 115 are performed on the same physical hardware device. In other embodiments (e.g., embodiments utilizing Software-Defined Networking (SDN)), the control and forwarding functions of the network module 115 are performed on physically separate devices, such that the control function manages several different network hardware devices. Computer-readable program instructions for performing the methods of the present invention can typically be downloaded from an external computer or external storage device to computer 101 via a network adapter card or network interface included in the network module 115.
[0043] WAN102 is any wide area network (e.g., the Internet) that can communicate computer data over non-local distances using any currently known or future-developed technology for communicating computer data. In some embodiments, the WAN may be replaced and / or supplemented by a local area network (LAN), such as a Wi-Fi network, designed to communicate data between devices located in a local area. The WAN and / or LAN typically include computer hardware such as copper transmission cables, optical transmission fibers, wireless transmissions, routers, firewalls, switches, gateway computers, and edge servers.
[0044] The end-user device (EUD) 103 is any computer system used and controlled by an end-user (e.g., a customer of the company operating computer 101), and may take any of the forms described above in relation to computer 101. The EUD 103 typically receives useful and valuable data from the operation of computer 101. For example, in a hypothetical case where computer 101 is designed to provide recommendations to the end-user, these recommendations would typically be transmitted from computer 101's network module 115 to the EUD 103 via the WAN 102. Thus, the EUD 103 can display or otherwise present recommendations to the end-user. In some embodiments, the EUD 103 may be a client device such as a thin client, heavy client, mainframe computer, or desktop computer.
[0045] The remote server 104 is any computer system that provides at least some data and / or functionality to computer 101. The remote server 104 may be controlled and used by the same entity that operates computer 101. The remote server 104 represents a machine that collects and stores useful and beneficial data for use by other computers, such as computer 101. For example, in a hypothetical case where computer 101 is designed and programmed to provide recommendations based on historical data, this historical data may be provided to computer 101 from the remote database 130 of the remote server 104.
[0046] The public cloud 105 is any computer system available for use by multiple entities, providing on-demand availability of computer system resources and / or other computing capabilities, particularly data storage (cloud storage) and computing capabilities, without requiring direct and active management by the user. Cloud computing typically leverages resource sharing to achieve coherence and economies of scale. Direct and active management of the computing resources of the public cloud 105 is performed by the computer hardware and / or software of the cloud orchestration module 141. The computing resources provided by the public cloud 105 are typically implemented by virtual computing environments running on various computers that make up the host physical machine set 142, which is a universe of physical computers located within and / or available to the public cloud 105. The virtual computing environment (VCE) typically takes the form of virtual machines from the virtual machine set 143 and / or containers from the container set 144. These VCEs are understood to be stored as images and can be transferred either as images or after VCE instantiation, among and between various physical machine hosts. The cloud orchestration module 141 manages the transfer and storage of images, deploys new VCE instantiations, and manages the active instantiation of VCE deployments. The gateway 140 is a collection of computer software, hardware, and firmware that enables the public cloud 105 to communicate over the WAN 102.
[0047] Here, some further explanation of virtualized computing environments (VCEs) is provided. A VCE can be stored as an "image." A new active instance of a VCE can be instantiated from an image. Two well-known types of VCEs are virtual machines and containers. A container is a VCE that uses operating system-level virtualization. This refers to an operating system feature where the kernel allows for the existence of multiple isolated user-space instances called containers. These isolated user-space instances typically behave like actual computers in terms of the programs running within them. Computer programs running on a normal operating system can utilize all the resources of that computer, including connected devices, files and folders, network shares, CPU power, and quantifiable hardware capabilities. However, programs running inside a container can only use the contents of the container and the devices allocated to the container; this feature is known as containerization.
[0048] The private cloud 106 is similar to the public cloud 105, except that its computing resources are available only for use by a single enterprise. While the private cloud 106 is shown as being in communication with the WAN 102, in other embodiments, the private cloud may be completely isolated from the internet and accessible only via a local / private network. A hybrid cloud is a combination of multiple clouds of different types (e.g., private, community, or public cloud types), often implemented by different vendors. Each of the multiple clouds remains a separate, discrete entity, but the larger hybrid cloud architecture is bound together by standardized or proprietary technologies that enable orchestration, management, and / or data / application portability between the multiple configuration clouds. In this embodiment, both the public cloud 105 and the private cloud 106 are part of a larger hybrid cloud.
[0049] As shown in Figure 1, one or more computing devices, such as computer 101 or remote server 104, may be specifically configured to implement the fraudulent user flow detection engine 200. The configuration of the computing device may include providing application-specific hardware, firmware, etc., to facilitate the performance of the operations and generation of outputs described herein with respect to exemplary embodiments. The configuration of the computing device may also, or alternatively, include providing a software application loaded into the memory of a computing device, such as computing device 101 or remote server 104, to cause one or more hardware processors of the computing device to execute a software application stored in one or more storage devices, which configures the processor to perform the operations and generate outputs described herein with respect to exemplary embodiments. Furthermore, any combination of application-specific hardware, firmware, and software applications running on hardware may be used without departing from the spirit and scope of the exemplary embodiments.
[0050] It should be understood that when a computing device is configured in one of these ways, it becomes a specialized computing device specifically configured to implement the mechanism of the exemplary embodiment, and not a general-purpose computing device. Furthermore, as described below, the implementation of the mechanism of the exemplary embodiment provides useful and concrete results by improving the functionality of the computing device and facilitating the detection of fraudulent user flows and the prevention of fraud such as account takeover (ATO) fraud or similar that would cause significant damage to an organization, by focusing efforts against such detected fraud and preventing their continued use or spread.
[0051] As described above, exemplary embodiments provide a mechanism for detecting fraudulent user interactions or sessions with websites, such as financial websites. According to some exemplary embodiments, exemplary embodiments utilize user flow data, for example, user interactions with website web pages to traverse website web pages, by representing the user flow data as a sequential dataset, such as a Markov chain, used to train a supervised hidden Markov model (HMM) classifier to detect fraudulent user interactions, or financial-related sessions, in the case of financial websites, by classifying the sequential dataset as fraudulent or legitimate. While exemplary embodiments are described with respect to an HMM classifier and sequential user flow data that is a Markov chain, it should be understood that exemplary embodiments are not limited to such. Conversely, any suitable machine learning computer model that can be trained and operated on sequential datasets to classify those sequential datasets in terms of fraudulent and / or legitimate patterns of activity may be used without departing from the spirit and scope of the invention.
[0052] The mechanism of the exemplary embodiment operates under two primary operational stages: a training stage and a classification stage. During the operational training stage, a machine learning computer model is trained on training user flow data, which is labeled as legitimate or fraudulent through a machine learning process to learn to classify patterns of features in the training user flow data in relation to legitimate or fraudulent behavior. This machine learning process involves multiple different user flow data sets and multiple iterations or epochs, using one or more loss functions to measure the error between the machine learning model's classification and the labeled classification (or ground truth). Machine learning algorithms, such as linear regression or similar, may be used to adjust operational parameters, e.g., the weights of nodes in the machine learning computer model, to minimize loss or error until the loss falls below a predetermined acceptable threshold level or until a predetermined number of epochs of machine learning training have occurred. As will be described in more detail below, the exemplary embodiment utilizes specific time series of data and clustering of time series of data to perform this training of a machine learning model, e.g., a Hidden Markov Model (HMM).
[0053] In some exemplary embodiments, two machine learning models are trained, as described below, one for detecting fraudulent user flow data and the other for detecting legitimate user flow data. Each machine learning model independently generates a score or confidence level for whether the user flow data is fraudulent (for the first machine learning model) or legitimate (for the second machine learning model), and the confidence scores can be compared to determine the final legitimate or fraudulent classification for the user flow data. For example, if the first machine learning model determines that a user flow is fraudulent or the second machine learning model determines that a user flow is not legitimate, then the user flow can be flagged as fraudulent. In another example, the absolute difference between the scores of the first and second machine learning models can be evaluated and compared to a threshold. If the difference is equal to or greater than the threshold, then the result with the higher score is adopted; for example, if the first score is 0.64 and the second score is 0.43, then the absolute difference is 0.21. If the threshold is 0.10, then the difference will be greater than the threshold, and the result with the higher score will be adopted, which in this case would be "false".
[0054] In some exemplary embodiments, instead of using two machine learning models, only a machine learning model for evaluating fraudulent user flows may be used. In these exemplary embodiments, the fraudulent user flow detection machine learning model, or simply the fraud model, may provide a binary output of fraudulent or non-fraudulent.
[0055] Once a machine learning model is trained during the behavior training stage, the trained model can be used during the classification stage to classify new user flow data regarding whether it represents a legitimate or illegitimate interaction with the website. That is, during or shortly thereafter a user's session with the website, user flow data for that user session is transformed into a sequential dataset, e.g., a Markov chain, and the trained machine learning model, e.g., a HMM, can be run on the user flow data to classify whether it is legitimate or illegitimate. In some exemplary embodiments, it should be understood that this user flow data is constructed over time, and the machine learning model can be run repeatedly on the user flow data as it changes over time to make multiple classifications. If any of the classifications indicate an illegitimate user flow, the session is then terminated or otherwise logged / reported as illegitimate. Therefore, at the first point in time, the user flow may be considered legitimate, having activities A, B, and C. However, at a later point in the same user session, additional activities D, E, and F may be logged using a machine learning model that generates a fraudulent classification, the user session may be terminated, logged, or otherwise reported for appropriate security attention.
[0056] Therefore, the exemplary embodiment provides a mechanism for classifying user flows, such as financial sessions, to determine whether the user flow indicates a malicious interaction on a website. The exemplary embodiment represents user flow data as a sequential dataset, such as a Markov chain, and classifies the user flow data as either malicious or legitimate by applying a sequential machine learning model, such as an HMM, to the user flow data. Based on this classification, the user session may be terminated, logged, or otherwise reported for future security actions.
[0057] Figure 2 is an exemplary diagram showing a primary operational component of a fraudulent user flow detection engine according to one exemplary embodiment. The operational component shown in Figure 2 may be implemented as a dedicated computer hardware component, computer software running on computer hardware configured to perform specific computer operations resulting from that component, or any combination of dedicated computer hardware and computer software-configured computer hardware. It should be understood that these operational components may perform attributed operations automatically without human intervention, such as user input for traversing a website, even if the input may be provided by a human, and the resulting output may assist a human, for example, by reporting fraudulent user flows that may indicate fraudulent attacks on a website, such as account takeovers (ATOs) or similar. Specifically, the present invention targets an automatically operating computer component that targets classifying user flow data in relation to user flow data indicating fraudulent or legitimate user flows by providing specific solutions for implementing user flow data, clustering of user flow data, and training of sequential machine learning computer models, and not for organizing any human activities that cannot actually be performed as a mental process by a human.
[0058] As shown in Figure 2, the primary operating components of the fraudulent user flow detection engine 200 include a user flow data collection engine 210, a data clustering engine 220, a user flow vector representation generator 230, a first sequential machine learning computer model 240 (legitimate model) for classifying user flow vector representations as legitimate or fraudulent, a second sequential machine learning computer model 250 (fraudulent model) for classifying user flow vector representations as fraudulent or fraudulent, and a user flow classification output engine 260. While the illustrated embodiment shows two sequential machine learning computer models 240, 250, it should be understood that exemplary embodiments do not require two sequential machine learning computer models 240, 250. In some exemplary embodiments, a single sequential machine learning computer model, e.g., the fraudulent model 250, may be used with its classification as the final classification for user flows.
[0059] It should also be understood that there may be one or more separate sets of sequential machine learning computer models for each possible fraud to be detected. For example, the illustrated models 240 and 250, which in this example are considered HMMs, are specifically trained on training user flow data to identify instances of sequences of user interactions that indicate ATO fraud. Other sets of models (not illustrated) are also trained on other types of fraud to detect user flows that indicate these other frauds. It should also be understood that these models 240 and 250 are generally applicable to multiple websites, or can be specifically trained for a particular website. In the latter case, there may be a different set of models 240 and 250 for each website, and the fraudulent user flow detection engine 200 may run different sets of models 240 and 250 on the user flow based on which website the user flow corresponds to.
[0060] The user flow data collection engine 210 includes logic, application programming interfaces (APIs), network interfaces, and the like for communicating with one or more data networks 270 to acquire user flow data from the user flow data source computing systems 280. For example, the source computing system 280 may include computing systems that host websites 282, 284 of interest. That is, an organization such as a financial organization, such as a bank, credit card company, online shopping entity, or similar, can host its websites on one or more host computing systems 280 and conduct electronic interactions with users (customers) via one or more data networks, such as a WAN 270, and one or more computing devices, such as client 290, 292 and other organization computing systems 295. The organization can further obtain the services of the fraudulent user flow detection engine 200 to detect fraudulent user flows, such as user flow data 286, 288 associated with one or more websites 282, 284. In some exemplary embodiments, the fraudulent user flow detection engine 200 may be integrated into the organization's own computing system or host computing system 280 for use with its own website, although it is shown as a separate entity in Figure 2, for example, a cloud service provided by a cloud service provider computing system.
[0061] The user flow data collection engine 210 collects data from the computing system hosting the website regarding tracked user interactions with the website. In exemplary embodiments, these tracked user interactions include interactions to traverse from one webpage to another within the website, as well as time information indicating the timestamp of such interactions and / or time information regarding how long the user interacted with, viewed, or otherwise appeared using the website's webpages, for example, how long the user remained on a particular webpage. While this user interaction data will be used as an example herein, it should be understood that in other exemplary embodiments, other user interaction information, such as the user's link selection, mouseover information, or similar, may also be tracked and reported.
[0062] When determining a traverse from one webpage to another, for example, URL and / or URL fragment information may be captured along with timestamp information. During the training of one or more sequential machine learning computer models 240, 250, this data comprises data from multiple user flows, each labeled as legitimate or illegitimate, relating to a single session in which a user interacts with the website. An example of data collected during such a session might be of type {(created_at(timestamp), URL, time on page)}. While traversing from one page to another, the URL identifies the current page. "created at" is the timestamp of the time the user landed on the URL. The value of "time on page" is optional, but if provided, it measures the amount of time the user spends on a webpage before traversing to the next webpage or ending the session.
[0063] Instances of this data collected through the same user session represent a sequence or user flow for that session. Possible examples of financial session user flow data include the following types: [{'created_at': 1645368225,'url':'https: / / particulares.bancosantander.es / login / '},{'created_at': 1645368283,'url': 'https: / / particulares.bancosantander.es / nhb / # / posicion-global'},{'created_at': 1645368290,'url': 'https: / / particulares.bancosantander.es / nhb / # / cuentas / detalle'}]
[0064] User flow data, such as those described above, is converted into time-series datasets, such as Markov chains, for processing by sequential machine learning computer models 240 and 250. In particular, the user flow vector representation generator 230 operates on the user flow data and employs the data clustering engine 220 to perform clustering on the URL fragments of the collected user flow data. A URL fragment is an internal web page reference, sometimes called a named anchor, and contains a string of characters that points to a resource that is subordinate to another primary resource. The primary resource is identified by a Uniform Resource Identifier (URI), and the fragment points to the subordinate resource, often represented as a string after the character "#" in the URL.
[0065] During the training process, training user flow data is used to generate URL fragment clusters by examining each URL fragment and establishing a cluster identifier for each unique URL fragment. Subsequent instances of the same URL fragment in the training user flow data may be associated with the same cluster identifier. This allows instances of a URL fragment in the user flow data to be replaced by cluster identifiers during the classification stage. Furthermore, if a new URL fragment is encountered during the classification stage, a new cluster may be generated. The combination of cluster identifiers in the user flow represents a sequence of user traversals from one resource or sub-resource, e.g., a web page, to another in the user flow. Thus, each user flow session is transformed into a sequential list of URL cluster identifiers. While the exemplary embodiment utilizes URL fragment clustering as a mechanism for transforming the collected data from a user flow session into a sequential time-series data structure such as a Markov chain, it should be understood that the exemplary embodiment is not limited to clustering on URL fragments. Conversely, any other elements of the collected user flow data may be used to perform such clustering, insofar as this clustering results in a sequential list of cluster identifiers that represent the user's traverse of the website during the user's session with the website. For example, in other clusterings, raw or scrubbed URLs may be used as the basis for clustering.
[0066] The URL cluster mapper algorithm of the data clustering engine 220 operates to map each URL fragment I, where I=1 to n, to the corresponding cluster identifier, where J=1 to m. Thus, the URL mapper maps f(url_i)=url_cluster_j. For example, suppose there is a URL list = {url1,url2,url3,...,urln}. The URL cluster mapper is applied to this URL list to create a sequential list of URL clusters where clustered URLs := {url_cluster_1,url_cluster_1,...,url_cluster_6}. In this way, the cluster identifiers are provided to the user flow vector representation generator 230, which sorts the URLs in the user flow URL list by timestamp, and due to the mapping to cluster identifiers, it can generate a time-series vector representation of the cluster identifiers corresponding to the URLs in the user flow URL list of the user session with the website.
[0067] For example, suppose a user flow data collection engine 210 collects a set of user flow data, and a user flow vector representation generator 230 sorts this user flow data into the following exemplary time-sorted sequence, where the user visited three URLs of a website during those sessions. Furthermore, by applying the URL cluster mapper algorithm of the data clustering engine 220, these URLs, or URL fragments, are clustered as follows: {' / posicion-global':1,' / cuentas / detalle':2,…,' / area-personal':6,' / tarjetas':7…}, where 1, 2, 6, and 7 are cluster identifiers in this example. The resulting cluster list is therefore {url_cluster_1,url_cluster_6,…,url_cluster_7} or {1,6,…,7}. This cluster list, sorted by timestamp, represents a time series of user activity when interacting with a website and can be considered as a Markov chain that can be processed by sequential machine learning computer models such as Hidden Markov Models (HMMs)240,250.
[0068] It should be understood that a website contains numerous URLs, some of which are relevant, while others are not relevant to fraud detection. By performing clustering using a clustering mapper, the data is cleaned up, and the Markov chain of user flows becomes more accurate in its resemblance to user behavior. Clustering URLs, URL fragments, etc., also makes the resulting computer model more robust to changes in web pages, such as additions, deletions, or modifications.
[0069] In some exemplary embodiments, the amount of time spent on each webpage can be further utilized to extend the time-series representation of the vector, thereby reflecting patterns of user activity over time on the website's webpages. For example, the time-series vector representation, or Markov chain, generated by the user flow vector representation generator 230 is extended by the amount of time spent by the user on each webpage, which is an optional additional element of the user flow data collected from the user flow data source computing system, as described above. To perform such an extension, once the user flow vector representation generator 230 generates a time-series vector representation, e.g., a Markov chain of URL clusters, the vector is extended by multiplying each element by the amount of time spent by the user on each URL and normalized by the time interval. As a result, the vector is extended by the amount of time spent on each URL, and consequently, there may be multiple sequential instances of the same cluster identifier in the vector representation, where the combined sequential instances represent the amount of time spent by the user during their user session on that webpage of the website.
[0070] For example, suppose the time interval is 5, and the list of session URLs provided as part of the collected user flow data is {url1,url2,url3}. Suppose the amount of time in each of the web pages corresponding to these URLs is list(sec)={16,4,13}, and consequently, the normalized time in each web page list is {3,1,2}. That is, by dividing each of the amount of time by the time interval of 5, we obtain the given normalized time values. Based on these normalized time values, the corresponding URL list can be expanded as follows: {url1,url1,url1,url2,url3,url3}. This results in an expanded cluster identifier-based vector representation, e.g., {url_cluster_1,url_cluster_1,url_cluster_1,url_cluster_6,url_cluster_7,url_cluster_7}. That is, the expansion of the vector representation can occur at the URL or cluster ID level of the vector representation generation by the generator 230.
[0071] The cluster vector representations generated by the user flow vector representation generator 230 are provided as input to sequential machine learning computer models 240, 250, which will be considered HMMs for the purposes of this explanation below. The vector representations represent user flows during a user session. During the training of the HMMs 240, 250, these vector representations are part of a larger set of training data and may be labeled in terms of whether the user flows are considered to represent a particular fraud or a legitimate interaction with a website. In the illustrated example, one HMM 240 is trained to identify legitimate user flows based on the input vector representation of the cluster identifier and is therefore referred to as the legitimate HMM 240. The other HMM 250 is trained to identify fraudulent user flows based on the input vector representation of the cluster identifier and is therefore referred to as the fraudulent HMM 250. Separate training datasets are established for each of these HMM240,250. For example, a first training dataset containing a set of training data labeled "legitimate" may be used by a legitimate HMM240 to train it to recognize patterns in input vector representations of legitimate user flows, while a second training dataset containing a set of training data labeled "fraudulent" may be used by a fraudulent HMM250 to train it to recognize patterns in input vector representations of fraudulent user flows. In some exemplary embodiments, the training data may include both legitimate and fraudulent training data, and the HMM240,250 may be trained on both types of training data to distinguish between legitimate and fraudulent user flows.
[0072] The HMM240 and 250 can be trained using a variety of machine learning algorithms, such as backpropagation-based machine learning algorithms or similar ones. The machine learning algorithms utilize various losses, errors, or features to evaluate the accuracy of the classification performed by the HMM240 and 250 during machine learning training, and can backpropagate these losses or errors, thereby modifying the operating parameters of the HMM240 and 250 to reduce these losses or errors to an acceptable level, as may be specified by a threshold loss. For example, the weights of nodes that contribute relatively more to the final outcome classification can be adjusted based on the determined loss or error.
[0073] Each HMM240, 250 can be trained to output classification labels or probability values for fraudulent or legitimate user flows, e.g., {0,1} or {Fraud,Legitimate}. The HMM240, 250 can utilize a forward-backward algorithm with an observation matrix (clustered URL transition probabilities) and an observation probability matrix (probabilities of observations to be generated from states (fraudulent / legitimate)).
[0074] For each user flow in a session, each HMM240,250 is assigned a score, which is the probability that the user flow is fraudulent or legitimate. In some exemplary embodiments, this score can be a binary value of 0 or 1, indicating fraudulent (not legitimate) or legitimate (not fraudulent). In some exemplary embodiments, this score lies along a spectrum from 0.0 to 1.0 and is a probability value, i.e., the probability that the user flow is fraudulent or legitimate. In some exemplary embodiments where multiple HMMs, e.g., HMM240 and 250, are utilized, the HMM that provides the higher score may be used as the final classification of the user flow. In some exemplary embodiments, a threshold in the score difference between multiple HMMs is utilized, for example, if the difference between scores is equal to or greater than a given threshold, then HMM240 and 250 classify radially opposing classes, e.g., fraud vs. legitimate, and so then HMM240,250 with the higher score may be considered the final classification of the user flow.
[0075] In some exemplary embodiments, the HMMs 240 and 250 can be tuned according to the required use case, for example, by increasing true positives or decreasing false positives, as well as by tuning the machine learning model by changing thresholds. The user flow classification output engine 260, which generates the final classification of user flows based on the HMM classifications from the HMMs 240 and 250, can be tuned by setting a threshold difference between the scores of the fraudulent HMM 250 and the legitimate HMM 240. For example, to reduce false positives, the user flow classification output engine 260 may classify a user flow as fraudulent only if the difference between the legitimate score and the fraudulent score is equal to or higher than a certain threshold. The same is done to increase true positives, since the user flow classification output engine 260 classifies a user flow as legitimate only if the difference between the scores of the legitimate HMM 240 and the fraudulent HMM 250 is equal to or higher than a threshold. The threshold itself can be determined empirically or set otherwise according to the desired implementation.
[0076] The user flow classification output engine 260 may output a final classification of the user flow. This output may be logged to the security log storage 255 for later use when performing security actions, or it may be used by the website hosting system 280 to perform additional security processes. For example, in embodiments where the user flow is dynamically analyzed and classified during a user session, the hosting system 280 may use the final classification output by the engine 260 as a basis for determining whether to continue allowing the user to access the website. For example, if the user flow classification output engine 260 outputs a classification that the user flow is malicious, the hosting system 280 may then act to block or otherwise terminate the user's session with the website. In some exemplary embodiments, the output classification may be used as a risk score, potentially combined with other existing risk factors when evaluating the risk of the user flow. In some exemplary embodiments, the classification output may be used to perform other evaluations or authentications, such as one-time password (OTP) or fully automated public Turing test to tell Computers and Humans Apart (Captcha) authentication, terminate a session, block a transaction, delay transaction confirmation, pass a decision to a fraud analyst, or do something similar.
[0077] Therefore, an exemplary embodiment trains one or more sequential machine learning computer models to classify user flows in terms of whether they are fraudulent or legitimate. The exemplary embodiment may train such models for each type of fraud that needs to be identified in the user flows. Alternatively, the exemplary embodiment may train a model for each website being monitored. The exemplary embodiment can then classify newly received user flows to determine whether they are fraudulent or legitimate, and then invoke appropriate security measures if the user flows are determined to be fraudulent.
[0078] Figure 3 is an exemplary diagram illustrating a training stage process for training one or more sequential machine learning models to classify user flow data, according to one exemplary embodiment. As shown in Figure 3, a training dataset 310 is provided which may include user flow data for various user sessions with a website, where the user flow data is labeled as legitimate or fraudulent with respect to fraud of particular interest, e.g., ATO fraud. The training dataset 310 may include actual user session data captured during a user session with the website, synthetic user session data representing possible interactions with the website, or any combination of actual and synthetic user session data. The user session data includes information such as previously described collected user flow data representing user interactions and website traversal, which may include timestamps of users experiencing content on a particular URL, and in some cases, the amount of time the user experiences content on a particular URL before navigating to another URL or ending the user session.
[0079] In one exemplary embodiment, training dataset 310 is separated into two training datasets 320, 330, where one training dataset 320 contains user session data for user sessions labeled as legitimate, and the other training dataset 330 contains user session data for user sessions labeled as fraudulent. Each user dataset has user flow data for its session, including, for example, URL data of type {timestamp,url,time on page}. This user flow data is converted into cluster ID vector representations 340, 350 using the mechanism previously described. The cluster ID vector representations 340, 350 are input to corresponding sequential machine learning models, e.g., HMMs 360, 370, which process the cluster ID vector representations 340, 350. Models 360 and 370 generate predictive classifications based on input cluster ID vector representations 340 and 350, which are then processed by machine learning training logic 380 and 390 along with the labels of the training data to modify the corresponding models 360 and 370 and reduce the loss / error in predictive classification. Once the loss / error generated by models 360 and 370 reaches an acceptable level, e.g., a loss / error threshold level, the training can then be considered to have converged. Alternatively, after a predetermined number of epochs or machine learning iterations, models 360 and 370 can then be considered to have converged.
[0080] Figure 4 is an exemplary diagram illustrating a classification stage process for classifying user flows in terms of whether they indicate fraud or not, according to one exemplary embodiment. The operation in Figure 4 assumes that sequential machine learning computer models, e.g., HMM360,370, have been trained, for example, by using the process outlined in Figure 3. New user flow data 410 about a user session with a website is received, as shown in Figure 4. The user flow data 410 is converted into cluster ID vector representations in a similar manner as previously described, to generate cluster ID vector representations 420. The cluster ID vector representations 420 are input to both HMM360,370, each generating its own score or probability value. HMM360 scores the input cluster ID vector representations 420 with respect to the probability that the cluster ID vector representations 420 represent a legitimate user flow. HMM370 scores the input cluster ID vector representations 420 with respect to the probability that the cluster ID vector representations 420 represent a fraudulent user flow. Next, the two scores are compared to generate a final score 430, and based on the final score 430, a final classification 440 of the user flow, represented by the cluster ID vector representation 420, is generated, logged / reported, and / or used by downstream computing system processes such as security processes. For example, the final classification 440 may be used to automatically block or terminate user sessions that are determined to be malicious.
[0081] Figures 5 and 6 present flowcharts outlining exemplary operation of elements of the present invention in one or more exemplary embodiments. It should be understood that the operations outlined in Figures 5 and 6 are performed automatically, in particular by the improved computer tools of the exemplary embodiments, and are not intended, and indeed cannot, be performed by humans, either as mental processes or by organizing human activities. Conversely, humans may, in some cases, initiate the execution of the operations described in Figures 5 and 6, and in some cases utilize the results generated as a result of the operations described in Figures 5 and 6, but the operations in Figures 5 and 6 themselves are performed in an automated manner, in particular by the improved computing tools.
[0082] Figure 5 is a flowchart outlining exemplary operation for training one or more sequential machine learning models to classify user flow data according to one exemplary embodiment. As shown in Figure 5, a training dataset containing multiple user session data for multiple user sessions is received (step 510). Each user session represented in the training dataset contains the user flow of the user session, where the user flow is a set of session data specifying a timestamp, a URL, and optionally, the amount of time spent accessing the content associated with the URL. The user session data is transformed into a vector representation by performing clustering and timestamp-based sorting (step 520) to generate a time series of cluster identifiers as a vector representation (step 530). The vector representation is input to the corresponding sequential machine learning computer model (step 540). The sequential machine learning computer model generates a predictive classification label regarding whether the input vector representation processes the vector representation and indicates that the user flow is invalid or not (step 550).
[0083] The predicted classification labels are compared to the ground truth labels of the session data obtained from the training dataset (step 560). Based on the comparison, the loss or error is determined (step 570), and the loss / error is compared to a threshold loss / error. If the loss / error is equal to or greater than the threshold, then the operating parameters of the machine learning computer model are sequentially modified, such as through backpropagation, to reduce the loss / error (step 580). A determination is made as to whether the training of the machine learning model has reached convergence, for example, whether the loss / error is below the threshold or whether a predetermined number of iterations or epochs have occurred (step 590). If either the loss / error is below the threshold or a predetermined number of iterations or epochs have occurred, then the model is determined to have converged and the operation ends; otherwise, the operation returns to step 540 and continues training the machine learning model until convergence is reached.
[0084] Figure 6 is a flowchart outlining an exemplary operation for classifying a user flow as either fraudulent or legitimate, according to one exemplary embodiment. As shown in Figure 6, the operation is initiated by receiving new user session data (step 610). This new user session data is data collected over time during a user session and may be dynamically collected while the user session is occurring or received after the user session has been concluded. For example, user session data may be collected and periodically transmitted to the mechanism of the exemplary embodiment during a user session for classification.
[0085] The user session data is converted into a vector representation based on timestamp-based clustering and sorting, similar to steps 520 and 530 in Figure 5 (step 620). The vector representation is input to at least one pre-trained sequential machine learning computer model that processes the vector representation and generates a predictive classification score (step 630). Based on the predictive classification score, a classification of user flows in the user session data is generated (step 640), logged / reported and / or used to automatically implement security processes (step 650). The operation then terminates.
[0086] The description of the present invention is presented for illustrative and explanatory purposes and is not intended to encompass or limit the disclosed forms of the invention. Many modifications and variations will be apparent to those skilled in the art without departing from the scope and spirit of the described embodiments. The embodiments have been selected and described to best illustrate the principles and practical applications of the invention and to enable others skilled in the art to understand the invention in various embodiments with various modifications suitable for specific intended uses. The terms used herein have been selected to best illustrate the principles, practical applications, or technical improvements to the technologies available on the market, or to enable others skilled in the art to understand the embodiments disclosed herein.
Claims
1. A method in a data processing system for detecting fraudulent user flows associated with a website, wherein the method is: The stage of receiving user flow data that represents the user's interaction with the website content; The step of converting the user flow data into a vector representation, where the vector representation represents a chronological transition from one part of the website's content to another part of the website; A step of inputting the vector representation into at least one trained sequential machine learning computer model that processes the vector representation and generates classifications of the vector representation; A step of detecting whether the user flow data represents a fraudulent user flow based on the classification; and Based on the above detection, the step of outputting an output indicating whether or not the user flow is an invalid user flow. A method that includes [a certain feature].
2. The method according to claim 1, wherein the user flow data comprises one or more entries, each entry having a timestamp and a corresponding identifier for the corresponding content of the website, the timestamp specifying the time when the user accessed the corresponding content of the website.
3. The method according to claim 2, wherein the corresponding content of the website is a web page of the website, and the corresponding identifier is the uniform resource locator (URL) of the corresponding content of the website.
4. The step of converting the aforementioned user flow data into a vector representation is: A step of sorting the entries in the user flow data according to the timestamp associated with the entry; A step of clustering an entry into multiple clusters based on a cluster mapping of identifiers of the corresponding content of the website associated with the entry, wherein each cluster in the multiple clusters has a corresponding cluster identifier; and A step of generating the vector representation as a vector of cluster identifiers arranged in chronological order according to the result of the sorting step. The method according to claim 1, comprising:
5. The method according to claim 4, wherein the step of clustering the entries includes the step of clustering uniform resource locator (URL) fragments into the cluster, wherein the vector representation has sequential time-series cluster identifiers corresponding to the user flow data.
6. The method according to claim 1, wherein the at least one trained sequential machine learning computer model is a sequential machine learning computer model trained to classify the vector representations in terms of whether or not they represent user flows indicating fraud committed by fraudulent user flows.
7. The method according to claim 6, wherein the fraud is an account takeover (ATO) fraud.
8. The method according to claim 1, wherein the at least one trained sequential machine learning computer model has at least one hidden Markov model (HMM) computer model, and the vector representation is a Markov chain.
9. The method according to claim 1, wherein the at least one trained sequential machine learning computer model comprises a first sequential machine learning computer model trained to classify the vector representations in terms of whether or not they represent user flows indicating fraud committed by fraudulent user flows, and a second sequential machine learning computer model trained to classify the vector representations in terms of whether or not they represent user flows indicating legitimate user flows.
10. The method according to claim 9, wherein the first sequential machine learning computer model generates a first score, the second sequential machine learning computer model generates a second score, and the step of detecting whether the user flow data represents a fraudulent user flow based on the classification includes the step of comparing the first score with the second score, and the step of detecting whether the user flow data represents a fraudulent user flow based on the result of the comparison.
11. A computer program product comprising a computer-readable storage medium in which a computer-readable program is stored internally, wherein, when the computer-readable program is executed in a data processing system, it is stored in the data processing system: Procedure for receiving user flow data that represents user interactions with website content; A procedure for converting the user flow data into a vector representation, wherein the vector representation represents a chronological transition from one part of the website's content to another part of the website; A procedure for inputting the vector representation into at least one trained sequential machine learning computer model that processes the vector representation and generates classifications of the vector representation; A procedure for detecting whether the user flow data represents a fraudulent user flow based on the classification; and A procedure to output an output indicating whether or not the user flow is an invalid user flow based on the above detection. A computer program product that executes a command.
12. The computer program product according to claim 11, wherein the user flow data comprises one or more entries, each entry having a timestamp and a corresponding identifier for the corresponding content of the website, the timestamp specifying the time when the user accessed the corresponding content of the website.
13. The step of converting the aforementioned user flow data into a vector representation is: A step of sorting the entries in the user flow data according to the timestamp associated with the entry; A step of clustering an entry into multiple clusters based on a cluster mapping of identifiers of the corresponding content of the website associated with the entry, wherein each cluster in the multiple clusters has a corresponding cluster identifier; and A step of generating the vector representation as a vector of cluster identifiers arranged in chronological order according to the result of the sorting step. A computer program product according to claim 11, having the following characteristics.
14. The computer program product according to claim 13, wherein the step of clustering entries includes the step of clustering uniform resource locator (URL) fragments into the cluster, wherein the vector representation has a sequential time-series cluster identifier corresponding to the user flow data.
15. The computer program product according to claim 11, wherein the at least one trained sequential machine learning computer model is a sequential machine learning computer model trained to classify the vector representations in terms of whether or not they represent user flows indicating fraud committed by fraudulent user flows.
16. The computer program product according to claim 15, wherein the fraud is an account takeover (ATO) fraud.
17. The computer program product according to claim 11, wherein the at least one trained sequential machine learning computer model has at least one hidden Markov model (HMM) computer model, and the vector representation is a Markov chain.
18. The computer program product according to claim 11, wherein the at least one trained sequential machine learning computer model comprises a first sequential machine learning computer model trained to classify the vector representations in terms of whether or not they represent user flows indicating fraud committed by fraudulent user flows, and a second sequential machine learning computer model trained to classify the vector representations in terms of whether or not they represent user flows indicating legitimate user flows.
19. The computer program product according to claim 18, wherein the first sequential machine learning computer model generates a first score, the second sequential machine learning computer model generates a second score, and the step of detecting whether the user flow data represents a fraudulent user flow based on the classification includes the step of comparing the first score with the second score, and the step of detecting whether the user flow data represents a fraudulent user flow based on the result of the comparison.
20. at least one processor; and At least one memory coupled to the at least one processor The memory comprises, and when executed by the at least one processor, the at least one processor: Procedure for receiving user flow data that represents user interactions with website content; A procedure for converting the user flow data into a vector representation, wherein the vector representation represents a chronological transition from one part of the website's content to another part of the website; A procedure for inputting the vector representation into at least one trained sequential machine learning computer model that processes the vector representation and generates classifications of the vector representation; A procedure for detecting whether the user flow data represents a fraudulent user flow based on the classification; and A procedure to output an output indicating whether or not the user flow is an invalid user flow based on the above detection. A device that has a command to execute an action.