Methods and systems for automated fraud risk detection in monitored systems
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Patents
- Current Assignee / Owner
- COMMISSARIAT A LENERGIE ATOMIQUE ET AUX ENERGIES ALTERNATIVES
- Filing Date
- 2021-12-28
- Publication Date
- 2026-06-17
Smart Images

Figure 0007875191000008 
Figure 0007875191000009 
Figure 0007875191000010
Abstract
Claims
1. A method for automatically detecting the risk of fraud in a monitored system from a data stream characterized by events generated by the monitored system and performed or generated by an operator in the monitored system, the method comprising the following steps performed by a computing processor: (A) Preprocessing of at least one set of data recorded over a period of time to obtain a subset of critical events related to the operator (30-38), (B) Iterative application of a first parameterized process for estimating the risk of misconduct (52, 56), wherein the parameters of the first parameterized process are obtained by learning on a first database representing events performed or generated by a legitimate operator, based on at least a subset of critical events, in order to obtain a first legitimacy score and a first associated probability of occurrence, (C) Iterative application of a second parameterized process for estimating the risk of fraudulent activity (54, 58), wherein the parameters of the second parameterized process are obtained by learning on a second database representing events performed or generated by a fraudulent operator, based on at least a subset of critical events, in order to obtain a second legitimacy score and a second associated probability of occurrence, (D) A comparison (60) of the results of the first parameterized process and the results of the second parameterized process in order to determine (64) whether the operator is a legitimate operator or an unauthorized operator. Includes, A method comprising successive iterations of applying the first parameterized process and the second parameterized process, wherein the first parameterized process is applied to distinct portions of the subset of critical events until a first convergence criterion is confirmed, and the second parameterized process is applied to distinct portions of the subset of critical events until a second convergence criterion is confirmed.
2. The method according to claim 1, wherein the preprocessing includes determining an event from the recorded data (32), calculating a signature for each event (36) of at least a portion of the events, the signature representing the risk of a malfunction of the monitored system following the event.
3. The method according to claim 2, wherein the preprocessing further includes determining a subset of critical events in which the signature is greater than a predetermined risk threshold (38).
4. The method according to any one of claims 1 to 3, wherein step (D) is performed on a set of data recorded over a time period called a first time period, followed by step (D) performing a third convergence criterion, and if convergence is insufficient according to the third convergence criterion, the method comprises repeating steps (A) to (D) on another set of data recorded over a second time period that is located prior to the first time period.
5. The method according to claim 2, wherein the calculation of the signature (36) of each event is performed according to past events by a logistic regression method.
6. The method according to any one of claims 1 to 5, wherein the parameters of the first parameterized process are obtained by supervised learning (46).
7. The method according to any one of claims 1 to 6, wherein the parameters of the second parameterized process are obtained by unsupervised learning (48).
8. The method according to any one of claims 1 to 7, comprising a preliminary step (34) of classifying the event into multiple classes, and applying steps (A) to (D) to at least one class of the event.
9. A computer program, when executed by a programmable electronic system, comprising software instructions that implement a method for automatically detecting the risk of malicious activity in a monitored system, as described in any one of claims 1 to 8.
10. A system for automatically detecting the risk of fraud in a monitored system based on data streams that characterize events generated by the monitored system and performed or generated by operators in the monitored system, namely, (A) A module (14) for preprocessing at least one set of data recorded over a certain period of time in order to obtain a subset of critical events related to the operator, (B) Module (16) for iterative application of a first parameterized process for estimating the risk of fraud, wherein the parameters of the first parameterized process are obtained by learning on a first database (BDD1) representing events performed or generated by a legitimate operator, based on at least a subset of critical events, in order to obtain a first legitimacy score and a first associated probability of occurrence. (C) Module (16) for iterative application of a second parameterized process for estimating the risk of fraudulent activity, wherein the parameters of the second parameterized process are obtained by learning on a second database (BDD2) representing events performed or generated by a fraudulent operator, based on at least a subset of critical events, in order to obtain a second legitimacy score and a second associated probability of occurrence. (D) A module (17) for comparing the results of the first parameterized process with the results of the second parameterized process in order to determine whether the operator is a legitimate operator or an unauthorized operator. A computing processor comprising at least one such processor configured to implement the following: The system is configured to implement successive iterations of the module for applying the first parameterized process and the module for applying the second parameterized process, characterized in that the first parameterized process is applied to distinct portions of the subset of critical events until a first convergence criterion is confirmed, and the second parameterized process is applied to distinct portions of the subset of critical events until a second convergence criterion is confirmed.