Methods and systems for automated fraud risk detection in monitored systems

JP7875191B2Active Publication Date: 2026-06-17COMMISSARIAT A LENERGIE ATOMIQUE ET AUX ENERGIES ALTERNATIVES

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Patents
Current Assignee / Owner
COMMISSARIAT A LENERGIE ATOMIQUE ET AUX ENERGIES ALTERNATIVES
Filing Date
2021-12-28
Publication Date
2026-06-17

Smart Images

  • Figure 0007875191000008
    Figure 0007875191000008
  • Figure 0007875191000009
    Figure 0007875191000009
  • Figure 0007875191000010
    Figure 0007875191000010
Patent Text Reader

Abstract

The present invention relates to a method and system for automatically detecting a risk of fraud in a monitored system based on a data stream generated by the monitored system and characterizing events performed or generated by an operator in the monitored system. The method includes pre-processing (30-38) at least one set of data recorded over a period of time to obtain a subset of critical events related to the operator, iterative application (52, 56) of a first parameterized estimation process of the risk of fraud to obtain a first legitimacy score and a first associated probability of occurrence, iterative application (54, 58) of a second parameterized estimation process of the risk of fraud to obtain a second legitimacy score and a second associated probability of occurrence, and comparing (60) the results of the first process with the results of the second process to determine (64) whether the operator is a legitimate or fraudulent operator.
Need to check novelty before this filing date? Find Prior Art

Claims

1. A method for automatically detecting the risk of fraud in a monitored system from a data stream characterized by events generated by the monitored system and performed or generated by an operator in the monitored system, the method comprising the following steps performed by a computing processor: (A) Preprocessing of at least one set of data recorded over a period of time to obtain a subset of critical events related to the operator (30-38), (B) Iterative application of a first parameterized process for estimating the risk of misconduct (52, 56), wherein the parameters of the first parameterized process are obtained by learning on a first database representing events performed or generated by a legitimate operator, based on at least a subset of critical events, in order to obtain a first legitimacy score and a first associated probability of occurrence, (C) Iterative application of a second parameterized process for estimating the risk of fraudulent activity (54, 58), wherein the parameters of the second parameterized process are obtained by learning on a second database representing events performed or generated by a fraudulent operator, based on at least a subset of critical events, in order to obtain a second legitimacy score and a second associated probability of occurrence, (D) A comparison (60) of the results of the first parameterized process and the results of the second parameterized process in order to determine (64) whether the operator is a legitimate operator or an unauthorized operator. Includes, A method comprising successive iterations of applying the first parameterized process and the second parameterized process, wherein the first parameterized process is applied to distinct portions of the subset of critical events until a first convergence criterion is confirmed, and the second parameterized process is applied to distinct portions of the subset of critical events until a second convergence criterion is confirmed.

2. The method according to claim 1, wherein the preprocessing includes determining an event from the recorded data (32), calculating a signature for each event (36) of at least a portion of the events, the signature representing the risk of a malfunction of the monitored system following the event.

3. The method according to claim 2, wherein the preprocessing further includes determining a subset of critical events in which the signature is greater than a predetermined risk threshold (38).

4. The method according to any one of claims 1 to 3, wherein step (D) is performed on a set of data recorded over a time period called a first time period, followed by step (D) performing a third convergence criterion, and if convergence is insufficient according to the third convergence criterion, the method comprises repeating steps (A) to (D) on another set of data recorded over a second time period that is located prior to the first time period.

5. The method according to claim 2, wherein the calculation of the signature (36) of each event is performed according to past events by a logistic regression method.

6. The method according to any one of claims 1 to 5, wherein the parameters of the first parameterized process are obtained by supervised learning (46).

7. The method according to any one of claims 1 to 6, wherein the parameters of the second parameterized process are obtained by unsupervised learning (48).

8. The method according to any one of claims 1 to 7, comprising a preliminary step (34) of classifying the event into multiple classes, and applying steps (A) to (D) to at least one class of the event.

9. A computer program, when executed by a programmable electronic system, comprising software instructions that implement a method for automatically detecting the risk of malicious activity in a monitored system, as described in any one of claims 1 to 8.

10. A system for automatically detecting the risk of fraud in a monitored system based on data streams that characterize events generated by the monitored system and performed or generated by operators in the monitored system, namely, (A) A module (14) for preprocessing at least one set of data recorded over a certain period of time in order to obtain a subset of critical events related to the operator, (B) Module (16) for iterative application of a first parameterized process for estimating the risk of fraud, wherein the parameters of the first parameterized process are obtained by learning on a first database (BDD1) representing events performed or generated by a legitimate operator, based on at least a subset of critical events, in order to obtain a first legitimacy score and a first associated probability of occurrence. (C) Module (16) for iterative application of a second parameterized process for estimating the risk of fraudulent activity, wherein the parameters of the second parameterized process are obtained by learning on a second database (BDD2) representing events performed or generated by a fraudulent operator, based on at least a subset of critical events, in order to obtain a second legitimacy score and a second associated probability of occurrence. (D) A module (17) for comparing the results of the first parameterized process with the results of the second parameterized process in order to determine whether the operator is a legitimate operator or an unauthorized operator. A computing processor comprising at least one such processor configured to implement the following: The system is configured to implement successive iterations of the module for applying the first parameterized process and the module for applying the second parameterized process, characterized in that the first parameterized process is applied to distinct portions of the subset of critical events until a first convergence criterion is confirmed, and the second parameterized process is applied to distinct portions of the subset of critical events until a second convergence criterion is confirmed.