A method of threat management of subscriber identifier of a subscriber and system thereof

The ML-based system effectively categorizes and scores threats associated with mobile numbers by analyzing historical message data, addressing the inefficiencies of manual reporting and outdated algorithms, ensuring timely and precise fraud detection.

WO2026146537A1PCT designated stage Publication Date: 2026-07-09TANLA DIGITAL LABS PTE LTD

Patent Information

Authority / Receiving Office
WO · WO
Patent Type
Applications
Current Assignee / Owner
TANLA DIGITAL LABS PTE LTD
Filing Date
2025-12-31
Publication Date
2026-07-09

AI Technical Summary

Technical Problem

Existing methods for managing threats associated with mobile numbers, such as scams and fraudulent activities, are inadequate due to their reliance on manual reporting and outdated algorithms, leading to delayed identification, missed detections, and high false positive/negative rates.

Method used

A system and method utilizing a Machine Learning (ML) engine to analyze historical message data, extract key features like frequency and timeframe, categorize messages as legitimate or fraudulent, and determine a threat score for subscriber identifiers, employing ML models like linear, tree-based, and deep learning to block suspicious communications.

Benefits of technology

This approach provides faster, accurate identification of fraudulent activities, reducing false positives/negatives by leveraging comprehensive data sources and real-time threat scoring, enabling proactive prevention of scams.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure IN2025052168_09072026_PF_FP_ABST
    Figure IN2025052168_09072026_PF_FP_ABST
Patent Text Reader

Abstract

The present disclosure discloses a method and system for threat management of subscriber identifier associated with subscriber. The method comprises receiving one or more historical messages. Further, the method comprises determining type of service associated with each of one or more historical messages. Furthermore, the method comprises extracting one or more key features. Thereafter, the method comprises categorizing one or more historical messages into one of legitimate category and a fraudulent category. Finally, the method comprising employing, the type of services, and the one or more key features, a Machine Learning (ML) engine module to create an environment, such that a learning agent, associated with the environment, is configured to analyze one or more input messages, determine a threat score of the subscriber and blocks a transmission of the one or more input messages of the subscriber identifier.
Need to check novelty before this filing date? Find Prior Art

Description

CROSS-REFERENCE TO RELATED APPLICATIONThis application claims the benefit of priority to Indian Provisional Patent Application No.202441105226, titled "SYSTEM AND METHOD FOR MACHINE LEARNING BASED THREAT ASSESSMENT OF MOBILE NUMBERS," filed on December 31, 2024. The contents of said application are hereby incorporated by reference in their entirety.TECHNICAL FIELD

[0001] The present disclosure generally relates to threat management. More particularly, the present disclosure relates to a method and system for threat management of subscriber identifiers associated with the subscribers.BACKGROUND

[0002] Generally, mobile numbers are common target for malicious activities. The malicious activities include scams, phishing, and any other forms of fraudulent behaviour leading to significant financial losses, security breaches, and a great erosion of public trust in Short Messaging Service (SMS) communication. As the mobile communication has become integral part of the personal and professional life of a user, the impact of the above fraudulent activities extends across multiple domains which includes financial services, healthcare, and government operations. The increase of the fraudulent activities also poses broader threats to the integrity of digital communication networks.

[0003] Conventionally, to address the above mentioned issues, a primary method is used which uses manual reporting and blocking of suspicious mobile numbers by users or service providers. The manual reporting method is typically implemented through user initiated reports. Accordingly, the user initiated reports trigger a review process and identified scam numbers are blacklisted. Some service providers use integrated basic algorithms to detect patterns associated with fraudulent activities. However, these methods are predominantly reactive and mainly rely on timely and accurate reporting of incidents reported by the user.

[0004] From the above, it is evident that the existing solutions are inadequate in addressing the scale and complexity of modern-day scams occurring through mobile numbers and phone numbers. For example, the manual reporting process is inherently slow and often ineffective, as it requires a significant delay before fraudulent numbers are identified and blacklisted. Similarly, relying on user reports for the scam activities is not effective as a large number of such activities go unreported. This leaves numerous victims vulnerable. In another example,the algorithms currently in use are limited by outdated or incomplete data sources, resulting in missed detections and false positives and false negatives. Due to the above reasons, the existing techniques are ineffective in solving the existing issues related to said fraudulent activities.

[0005] Based on the above, there is a need for an effective method and system for determining a threat score of a subscriber identifier associated with a subscriber.

[0006] The information disclosed in this background of the disclosure section is only for enhancement of understanding of the general background of the invention and should not be taken as an acknowledgement or any form of suggestion that this information forms the prior art already known to a person skilled in the art.SUMMARY

[0007] In an embodiment, the present disclosure discloses a method for threat management of a subscriber identifier associated with a subscriber. The method comprises receiving one or more historical messages received by a plurality of subscriber identifiers. Further, the method comprises determining a type of service associated with each of the one or more historical messages. Furthermore, the method comprises extracting, based on the type of service, one or more key features associated with the one or more historical messages, wherein the one or more key features include one or more of a frequency and a timeframe of the one or more historical messages. Thereafter, the method comprises categorizing the one or more historical messages into one of a legitimate category and a fraudulent category based on the extracted one or more key features. Further, the method comprising employing, based on the categorized one or more historical messages, the type of services, and the one or more key features, a Machine Learning (ML) engine module to create an environment, such that a learning agent, associated with the environment, is configured to analyze one or more input messages received from the subscriber identifier, determine a threat score of the subscriber identifier based on analysis of the one or more input messages and blocks a transmission of the one or more input messages of the subscriber identifier based on the determined threat score.

[0008] In another embodiment, the present disclosure discloses a threat management system comprising a processor and a memory. The processor is configured to receive one or more historical messages received by a plurality of subscriber identifiers. Further, the processor is configured to determine a type of service associated with each of the one or more historicalmessages. Furthermore, the processor is configured to extract, based on the type of service, one or more key features associated with the one or more historical messages, wherein the one or more key features include one or more of a frequency and a timeframe of the one or more historical messages. Thereafter, the processor is configured to categorize the one or more historical messages into one of a legitimate category and a fraudulent category based on the extracted one or more key features. Further, the processor is configured to employ, based on the categorized one or more historical messages, the type of services, and the one or more key features, a Machine Learning (ML) engine module to create an environment, such that a learning agent, associated with the environment, is configured to analyze one or more input messages received from the subscriber identifier, determine a threat score of the subscriber identifier based on analysis of the one or more input messages and blocks a transmission of the one or more input messages of the subscriber identifier based on the determined threat score.

[0009] The foregoing summary is illustrative only and is not intended to be in any way limiting. In addition to the illustrative aspects, embodiments, and features described above, further aspects, embodiments, and features will become apparent by reference to the drawings and the following detailed description.BRIEF DESCRIPTION OF THE ACCOMPANYING DRAWINGS

[0010] The novel features and characteristics of the disclosure are set forth in the appended claims. The disclosure itself, however, as well as a preferred mode of use, further objectives, and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying figures. One or more embodiments are now described, by way of example only, with reference to the accompanying figures wherein like reference numerals represent like elements and in which:

[0011] Figure 1 illustrates an exemplary environment showing a threat management system for managing threat of a subscriber identifier associated with a subscriber, in accordance with some embodiments of the present disclosure.

[0012] Figure 2 illustrates a detailed diagram of the threat management system shown in Figure 1, in accordance with some embodiments of the present disclosure.

[0013] Figure 3a depicts an exemplary flow chart illustrating method steps for training a Machine Learning (ML) engine module to manage threat of a subscriber identifier associated with a subscriber, in accordance with some embodiments of the present.

[0014] Figure 3b depicts an exemplary flow chart illustrating continuation of method steps of Figure 3a for implementing a Machine Learning (ML) engine module to manage threat of a subscriber identifier associated with a subscriber in real-time, in accordance with some embodiments of the present.

[0015] Figure 4 illustrates a block diagram of a general-purpose computing system for managing threat of a subscriber identifier associated with the subscriber, in accordance with some embodiments of the present disclosure.

[0016] It should be appreciated by those skilled in the art that any block diagram herein represents conceptual views of illustrative systems embodying the principles of the present subject matter. Similarly, it will be appreciated that any flow charts, flow diagrams, state transition diagrams, pseudo code, and the like represent various processes which may be represented in computer readable medium and executed by a computer or processor, whether or not such computer or processor is explicitly shown.DETAILED DESCRIPTION

[0017] In the present document, the word "exemplary" is used herein to mean "serving as an example, instance, or illustration." Any embodiment or implementation of the present subject matter described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.

[0018] While the disclosure is susceptible to various modifications and alternative forms, specific embodiment thereof has been shown by way of example in the drawings and will be described in detail below. It should be understood, however, that it is not intended to limit the disclosure to the particular forms disclosed, but on the contrary, the disclosure is to cover all modifications, equivalents, and alternatives falling within the scope of the disclosure.

[0019] The terms “comprises”, “comprising”, or any other variations thereof, are intended to cover a non-exclusive inclusion, such that a setup, device, or method that comprises a list of components or steps does not include only those components or steps but may include othercomponents or steps not expressly listed or inherent to such setup or device or method. In other words, one or more elements in a system or apparatus proceeded by “comprises... a” does not, without more constraints, preclude the existence of other elements or additional elements in the system or apparatus.

[0020] The terms like “at least one” and “one or more” may be used interchangeably throughout the description. The terms like “a plurality of’ and “multiple” may be used interchangeably throughout the description.

[0021] Figure 1 illustrates an exemplary environment showing a threat management system 102 for managing threat of a subscriber identifier associated with a subscriber, in accordance with some embodiments of the present disclosure.

[0022] As illustrated in Figure 1, the exemplary environment 100 may comprise a threat management system 102. The threat management system 102 may comprise an extraction module 104, an employment module 106, and an ML engine module 108. The exemplary environment 100 may also comprise a plurality of data sources 110, a communication network 112, and a cellular network 114 connected to an end user device 116. In some embodiments, the threat management system 102 may comprise other modules (not shown in Figure 1). The threat management system 102 may receive one or more historical messages. The historical messages may be referred to messages received from the plurality of data sources 110 (e.g., via the communication network 112). The plurality of data sources 110 may include, without limitation, at least one of government data sources, telecommunication network operators’ data sources, one or more third party aggregators, one or more crowdsourced data sources, and data sources related to one or more banking and financial institutions. In another example, the threat management system 102 may receive the one or more historical messages by a plurality of subscriber identifiers.

[0023] In one example, the government data sources may include data, without limitation, from a Ministry of Home Affairs (MHA), data related to known scammers, information related to fraudulent activities, information related to criminal records, law enforcement records such as First Information Reports (FIR), incident reports, data related to broader crime data from police departments across a country, public court records concerning scam, data related to fraud, information related to cybercrime, and the like.

[0024] In one example, the telecommunication and mobile network operators’ data sources may include, without limitation, data from telecommunication operators including Call Detail Records (CDRs) which may provide metadata on calls (for example, timestamps, call duration, and location), Short Messaging Service (SMS), and Multimedia Messaging Service (MMS) logs and the like. The data from the telecommunication operators may also include both message content and sender / recipient information, as well as Mobile Number Portability (MNP) data which may track number porting history and related behaviour pattern.

[0025] In one example, a database of the one or more third party aggregators may include, without limitation, data from third-party services, for example, a smartphone application which may comprise features of caller ID, call-blocking, flash-messaging, call / chat recording, and the like. The database related to one or more third party aggregators may also include information from public social media profiles, online forums, marketplaces and user-reported scam incidents.

[0026] In an example, the one or more crowdsourced data source may include, without limitation, data from public complaint forums and websites, along with reports from user communities regarding scam incidents, detailed reports on subscriber identifiers of the subscriber and descriptions of fraudulent activities.

[0027] In one example, the data sources 110 related to one or more banking and financial institutions may include, without limitation, data from financial institutions and Banking, Financial Services and Insurance (BFSI) sectors to help identify potential financial fraud or suspicious transactions linked to specific subscriber identifiers. The aforementioned data sources may form a robust and comprehensive dataset for training a Machine Learning (ML) model. The communication network 112 may include, without limitation, a direct interconnection, a peer to peer (P2P) network, a Local Area Network (LAN), a Wide Area Network (WAN), a wireless network (for example, using Wireless Application Protocol), an internet, Wi-Fi, and the like.

[0028] The threat management system 102 may determine a type of service associated with each of the one or more historical messages. The type of service may be various domains that send genuine messages to the subscriber identifier associated with the subscriber. The type of service may include, without limitation, at least one of Banking and Financial SectionInstitutions (BFSIs), government sectors, e-commerce sectors, entertainment sectors, gaming sectors, utility service providers, service sectors, transport sectors and the like.

[0029] The threat management system 102 may extract one or more key features associated with the one or more historical messages based on the type of service. The one or more key features may include one or more of a frequency and a timeframe of the one or more messages. The frequency of the one or more historical messages may include an average of number of received messages for the type of service. The timeframe of the one or more historical messages may include an average interval of consecutive received messages. The count of messages and averaged interval timings at which the messages may be received may be used to identify messaging pattern for the subscriber identifier. In one example, the subscriber identifier may be a phone number associated with the subscriber. In one example, the subscriber may be an end user, associated with the end user device 116.

[0030] The one or more key features may be extracted using data pre-processing techniques. The data preprocessing techniques for extracting the one or more key features may include, without limitation, data cleaning, dimensionality reduction, feature engineering, sampling data, data transformation and the like.

[0031] In one example, the one or more key features (also referred hereinafter as hyperparameters) may be extracted from the one or more historical messages to provide structured insights into the subscriber identifiers messaging history across different one or more domains. Specifically, the average message counts and the average message interval from the different type of service may be identified. For example, count of unique BFSI messages and total number of messages from BFSI sectors, count of unique government sectors messages and total number of messages from government sectors, count of unique e-commerce messages and total number of messages from e-commerce sectors, count of unique entertainment related messages and volume of number of messages from entertainment sectors, total number of messages from gaming sectors, count of unique utilities (for example, electricity, water, telecommunication bills and the like) messages and total number of messages from utilities, count of unique product messages and volume of number of messages from the service sectors, and count of unique travel related messages and total number of messages from the transport sectors.

[0032] The additional information related to message frequency and timeframes of the messages may include, total number of messages received over past year, average message counts over different timeframes (for example, 7 days, 30 days, 90 days and the like), average interval between consecutive messages, total number of distinct message templates received, time intervals from first and most recent SMS to a current date. The above features may provide a granular understanding of messaging patterns which contribute to identifying risky behaviour associated with the subscriber identifier of the subscriber.

[0033] In the next step, the threat management system 102 may categorize the one or more key features into one of a legitimate category and a fraudulent category based on the extracted one or more key features. For example, the threat management system 102 may determine at least one of legitimate and fraudulent patterns pertaining to the corresponding to the one or more messages based on the one or more of a frequency of the messages received and the timeframe of the one or more messages. Subsequently, the threat management system 102 may categorize the one or more historical messages into one of legitimate category and fraudulent category based on the determined pattern. The legitimate category may be referred to as a permitted or lawful category of the one or more key features extracted from the one or more historical messages. The fraudulent category may be referred to as a non-permitted or non-lawful category.

[0034] After categorizing the one or more historical messages, the threat management system 102 may employ a Machine Learning (ML) engine module 108 to create an environment comprising a learning agent. The learning agent associated with the ML engine module 108 may be configured to learn the at least one of legitimate and fraudulent patterns pertaining to the corresponding to the one or more messages. In other words, the learning agent of the ML engine module 108 may be trained to identify the fraudulent activities associated with the subscriber identifier. Once the ML engine module 108 is trained, the learning agent associated with the ML engine module 108 may analyse the one or more input messages received from the subscriber identifier.

[0035] The ML engine module 108 may include, without limitations, linear models, tree-based models, deep-learning models and the like. The linear models may be simple linear or logistic regression models that can be used when the relationship between the one or more key featuresand the threat score is expected to be linear or close to linear. These type of models may be interpretable but may underperform with more complex patterns in the data.

[0036] The tree-based models such as decision trees, random forests, or Gradient Boosting Machines (GBMs) (e.g., XGBoost, LightGBM) may often be effective in capturing non-linear relationships between one or more key features. These type of models may handle feature interactions well and may be often more interpretable in terms of feature importance.

[0037] The deep learning models may be used when the feature set is large and the relationship between features are highly non-linear. The deep neural networks (DNNs) may be employed and the DNNs may learn complex patterns but it requires a large amount of data and tuning of hyperparameters such as learning rate, batch size and layer depth.

[0038] The ML engine module 108 may be trained to analyze and identify the fraudulent activities of the subscriber identifiers based on one or more key features (or hyperparameters) extracted during the pre-processing stage. For example, the ML engine may be trained to learn relationships between the extracted features and target outcome to identify whether the subscriber identifier is safe or potential scammer.

[0039] In some embodiments, the one or more input messages are fed into the trained ML engine module 108 and the ML engine module 108 may process the one or more input messages. In the next step, the learning agent may determine a threat score of the subscriber identifier based on the analysis of the one or more input messages. Specifically, the learning agent may evaluate a difference between the threat score determined by the learning agent and pre-labelled threat indicators of the one or more historical messages received by the plurality of subscriber identifiers, and determine the threat score by minimizing the evaluated difference.

[0040] In one example, to evaluate and validate (for example, to ensure that the ML engine is learning effectively and generalizing to unseen data) the ML engine, evaluation techniques may be employed. The evaluation techniques may include calculating metrics, such as precision, recall, Fl -score and the like. The other metrics, such as accuracy, recall and precision may also be used under the evaluation techniques. Specifically, given that the task may involve identifying scammers, the metrics like precision (used to minimize false positives) may be maximized and the recall (used to catch more scammer) may be important.

[0041] In one example, the threat management system 102 may process the input messages using a supervised learning approach for the ML engine module 108. For example, the ML engine module 108 may initially use the supervised approach with static features where weights may be assigned to different hyperparameters and subsequently, the supervised learning approach may be used to train the ML engine module 108. The historical data with labelled outcomes or pre-labelled threat indicators of the one or more historical messages (for example, safe subscriber identifier or scam subscriber identifiers) may be used for training the ML engine module 108. Specifically, the threat management system 102 may evaluate difference between the threat score determined by the learning agent and pre-labelled outcome using a loss function. The loss function may be calculated using metrics, such as, but not limited to, accuracy, recall and precision which are further used to penalize incorrect threat scores. Over a time period, selected loss function may be minimized during training and subsequently, the ML engine may be guided to adjust its internal parameters to improve predictions.

[0042] In one example, the one or more key features (or hyperparameters) which are derived from the data pre-processing stage may play a different role in predicting or determining the threat score. In the initial phase of training the ML engine module 108, a static weight may be assigned to each feature, which represents its contribution to the final threat score. The static weights may be initialized to ensure that the ML engine starts with reasonable values which do not skew the learning process. Over time, the gradient-based optimization algorithms may be used for improving the ML engine module 108 during training. The gradient-based optimization algorithms, may include, without limitations, gradient variants such as Stochastic Gradient Descent (SGD), Adam, LightGBM (LGBM), XGB and the like.

[0043] In one example, the gradient descent process may include different steps. The gradient descent is an optimization algorithm which may be used to train the machine learning (ML) models or neural networks (referred hereinafter as the ML engine module 108). For example, the ML engine module 108 may compute predictions for each subscriber identifier based on current set of weights and the loss function may evaluate the difference between the predicted threat score and true label. The ML engine module 108 may calculate the gradient of the loss function with respect to each weight and may determine how each weight may be adjusted to reduce the loss. Subsequently, the weights may be updated in the direction that reduces the loss. Accordingly, the size of these updates may be determined by the learning rate and a hyperparameter that controls a step size in gradient descent. For example, the step size ingradient descent may control or identify whether the gradient descent algorithm converges to a minimum (global or local) quickly or slowly, or whether it diverges.

[0044] In one example, the weights may be adjusted to determine the ML engine module’s 108 predictions are progressive and more accurate. The optimization algorithm may seek to find a global minimum of the loss function or at least a local minimum, where the ML engine module 108 may perform well on both training and validation of data. In one example, the global minimum may be a point in a parameter space where the loss function is minimized globally. The local minimum may be a point where the loss function has a lower value compared to nearby points. In some example embodiments, the ML engine algorithm may use iterative optimization methods to find a local minimum.

[0045] In one example, to avoid overfitting, regularization techniques may be employed. These techniques may penalize large weights, ensure that the ML engine module 108 remains generalizable and avoids fitting noise in the training data.

[0046] In one example, given that fraudulent / scam subscriber identifiers are typically fewer compared to legitimate subscriber identifiers. Accordingly, dataset may be likely to be imbalanced. The imbalanced data may be handled using different techniques. For example, resampling methods such as Synthetic Minority Oversampling Technique (SMOTE). Over-sampling the minority class (for example, scammer subscriber identifiers or under-sampling the majority class (safe numbers). Further, cost sensitive learning which may include assigning higher penalties in the loss function for miss classifying scammer subscriber identifiers to make the ML engine more sensitive to fraudulent behaviour.

[0047] After employing the ML engine module 108, the threat management system 102 may determine, based on the analysis, the threat score for the subscriber identifier of the subscriber. For example, when the ML engine module 108 has been fully trained and validated, the ML engine module 108 may be used to compute the threat score for each subscriber identifier. The threat score may be a continuous value that represents the likelihood that the subscriber identifier may be associated with fraudulent activities. The final threat score may be a weighted sum of the features. Each feature’s contribution is determined by the learned weights. The threat score may be mapped to predefined thresholds to classify the subscriber identifier into a plurality of categories.

[0048] Specifically, the threat management system 102 may classify the plurality of subscriber identifiers into a plurality of categories. The plurality of categories may be indicative of respective risk levels associated with the one or more subscriber identifiers. For example, the plurality of categories of the subscriber identifiers comprises the risk level of high confidence safe, a low confidence safe, a neutral, a low confidence scammer, and a high confidence scammer and block a transmission of the one or more input messages of the subscriber identifier based on the determined threat score.

[0049] In one example, the high confidence safe may indicate that the subscriber identifiers may be legitimate, the low confidence safe may indicate that the subscriber identifiers may be safe, but with some uncertainty. The neutral may indicate that the subscriber identifiers with insufficient data to classify as safe or scam, the low confidence scammer may indicate that the subscriber identifiers may show some risk signals, but not conclusively fraudulent. The high confidence scammer may indicate that the subscriber identifiers may show indicative of fraudulent or malicious behaviour.

[0050] When the ML engine module 108 is trained, the ML engine module 108 may be deployed. The ML engine module 108 predictions may be compared with actual outcome based on using labelled datasets. The accuracy of the ML engine module 108 may be assessed using standard metrics, such as precision, recall, Fl -score and overall accuracy over time. The performance may be continuously monitored to ensure an effective model output.

[0051] In an embodiment, once the ML engine module 108 is trained and validated, it is deployed via an Application Programming Interface (API) to make its capabilities available for external systems. The API may act as an interface and may allow systems to send subscriber identifiers (or mobile numbers) as input and receive insights as output. The API may expose an endpoint (for example, a specific URL), which external systems can query. The endpoint may be responsible for accepting subscriber identifiers as inputs, processing through the model, and returning the prediction results. The API may be secured using method such as API keys, or OAuth tokens to ensure that only authorized users can access the service.

[0052] The external systems may interact with the Threat Assessment API by submitting data, typically in the form of the subscriber identifier, which is processed to evaluate its risk or safety.

[0053] Upon receiving the request, the API invokes the ML engine module 108. The input subscriber identifier may be analysed, and the ML engine module 108 evaluates the associated threat or safety risk. For scalability, the ML engine module 108 may be hosted on a cloud infrastructure, allowing for automatic scaling. This ensures that multiple concurrent requests are handled efficiently, delivering quick responses in real-time.

[0054] The API processes the input through the ML engine module 108 and returns a response containing the threat classification, associated metadata, and any additional insights. If an invalid subscriber identifier is provided or processing fails, the API returns meaningful error messages, such as a 400 (bad request) or 500 (server error) status code. The fraudulent activities may be communicated to the end user device 116 via a cellular network 114 before the messages are received by the end user. The cellular network 114 may be a cell / mobile network that may enable wireless communication between the mobile devices.

[0055] The API’s output can be seamlessly integrated into various systems and workflows. This allows for automated decision-making, real-time risk assessment, and enhanced user experiences. For example, an app could use this API to block suspicious numbers or provide alerts for high-risk contacts. External systems can use the API output to automate actions based on the threat classification, such as flagging or blocking risky numbers in real-time.

[0056] Maintaining security and ensuring smooth operation are critical to the API’s functionality. Sensitive data, such as subscriber identifiers are encrypted and are handled securely using encryption and secure connections (HTTPS).

[0057] Figure 2 illustrates a detailed diagram 200 of the threat management system shown in Figure 1, in accordance with some embodiments of the present disclosure.

[0058] In an embodiment, the threat management system 102 may comprise a Central Processing Units 206 (also referred as “CPUs” or “one or more processors 206”), a memory 204, and Input / Output (I / O) interface 202. In some embodiments, the memory 204 may be communicatively coupled to the one or more processors 206. For example, the memory 204 is in electronic communication with the processor 206. The memory 204 stores instructions are executable by the one or more processors 206. The one or more processors 206 may comprise at least one data processor for executing program components for executing user or systemgenerated requests. The instructions, which, on execution by the one or more processors 206,may cause the one or more processors 206 to manage threat of the subscriber identifier associated with the subscriber. The I / O interface 202 is coupled with the one or more processors 206 through which a one or more historical message may be received, and the information is communicated to the end user device 116. In an embodiment, the threat management system 102 may be implemented in a variety of computing systems, such as a laptop computer, a desktop computer, a Personal Computer (PC), a notebook, a smartphone, a tablet, a server, a network server, a cloud-based server, and the like.

[0059] In an embodiment, the memory 204 may include one or more modules and data 208. The one or more modules may be configured to perform the steps of the present disclosure using the data 208, to manage threat of the subscriber identifier associated with the subscriber. In an embodiment, each of the one or more modules may be a hardware unit which may be configured externally to the memory 204 and coupled with the processor 206. As used herein, the term modules refer to an Application Specific Integrated Circuit (ASIC), an electronic circuit, a Field-Programmable Gate Arrays (FPGA), Programmable System-on-Chip (PSoC), a combinational logic circuit, and / or other suitable components that provide described functionality. The one or more modules when configured with the described functionality defined in the present disclosure, will result in a novel hardware.

[0060] In one implementation, the modules may include, for example, a reception module 222, a determination module 224, the extraction module 104, a categorization module 226, the employment module 106, and the ML engine module 108. It will be appreciated that such aforementioned modules may be represented as a single module or a combination of different modules. In one implementation, the data 208 may include, for example, one or more historical messages 210, key features 212, legitimate category 214, fraudulent category 216, input messages 218, and a threat score 220.

[0061] In an embodiment, the reception module 222 may be configured to receive one or more historical messages 210 from the plurality of subscriber identifiers. In another embodiment, the reception module 222 may be configured to receive the one or more historical messages 210 from the plurality of data sources 110. The determination module 224 may determine a type of service associated with each of the one or more historical messages 210. The extraction module 104 may extract the one or more key features 212 associated with the one or more historical messages 210. The categorization module 226 may categorize the one or more historical message into the one of a legitimate category 214 and a fraudulent category 216 based on theextracted one or more key features 212. The employment module 106 may employ the ML engine module 108 to create an environment so that the learning agent may learn to manage threat of the subscriber identifier of the subscriber.

[0062] A person skilled in the art will appreciate that the processor 206 may be configured to perform the steps of the present disclosure using the data 208 instead of the one or more modules, to manage threat of the subscriber identifier of the subscribers.

[0063] A person skilled in the art will appreciate that any techniques other than the above-mentioned technique may be used to manage threat of the subscriber identifier of the subscribers, receive one or more historical messages 210, extract one or more key features 212, identify legitimate category 214 and fraudulent category 216 of the messages, train the ML engine module 108, provide input messages 218 and determine the threat score 220 to manage threat of the subscriber identifier of the subscribers.

[0064] Figure 3a depicts an exemplary flow chart illustrating method steps for training a Machine Learning (ML) engine module 108 to manage threat of a subscriber identifier associated with a subscriber, in accordance with some embodiments of the present.

[0065] As illustrated in Figure 3a, the method 300a may comprise one or more steps. The method 300a may be described in the general context of computer executable instructions. Generally, computer executable instructions can include routines, programs, objects, components, data structures, procedures, modules, and functions, which perform particular functions or implement particular abstract data types.

[0066] The order in which the method 300a is described is not intended to be construed as a limitation, and any number of the method blocks described can be combined in any order to implement the method. Additionally, individual blocks may be deleted from the methods without departing from the scope of the subject matter described herein. Furthermore, the method can be implemented in any suitable hardware, software, firmware, or combination thereof.

[0067] At block 302, the reception module 222 may receive one or more historical messages 210 received by a plurality of subscriber identifiers. In one example, the one or more historical messages 210 may also be received from the plurality of data sources 110.

[0068] At block 304, the determination module 224 may determine the type of service associated with each of the one or more historical messages 210. The type of service may include, without limitation, at least one of Banking and Financial Section Institutions (BFSIs), government sectors, e-commerce sectors, entertainment sectors, gaming sectors, utility service providers, service sectors, transport sectors and the like.

[0069] At block 306, the extraction module 104 may extract the one or more key features 212 associated with the one or more historical messages 210. The one or more key features 212 include a frequency and a time frame of the one or more historical messages 210.

[0070] At block 308, the categorization module 226 may categorize the one or more historical messages 210 into one of the legitimate category 214 and the fraudulent category 216 based on the extracted one or more key features 212.

[0071] For example, the categorization module 226 may categorize the one or more historical messages 210 into one of a legitimate category 214 and a fraudulent category 216 based on the extracted one or more key features 212. The categorization module 226 may determine at least one of legitimate and fraudulent patterns corresponding to the one or more messages based on the one or more of a frequency of the received messages and the timeframe of the one or more messages. Subsequently, the one or more historical messages may be categorized into one of the legitimate category 214 and the fraudulent category 216 based on the determined pattern.

[0072] After categorizing the one or more historical messages 210, the ML engine module 108 may be employed to create an environment comprising a learning agent. The learning agent associated with the ML engine module 108 may be configured to learn the at least one of legitimate and fraudulent patterns pertaining to the corresponding to the one or more messages. In other words, the learning agent of the ML engine module 108 may be trained to identify the fraudulent activities associated with the subscriber identifier. Once the ML engine module 108 is trained, the learning agent associated with the ML engine module 108 may analyse the one or more input messages received from the subscriber identifier. The implementation steps are described in the description of Figure 3b. In a non-limiting example, training the machine learning (ML) engine module may be performed by accessing a dataset of categorized historical messages, wherein the categorized historical messages are categorized into the category based on the extracted one or more key features. Further, providing the extracted one or more keyfeatures from the categorized historical messages as input to the ML engine module. Further, training the learning agent of the ML engine module to learn patterns associated with the category based on the input key features and the categorization of the historical messages. Furthermore, validating the trained learning agent using a validation dataset to ensure effective learning of the patterns associated with the legitimate category and the fraudulent category. Further, training the learning agent of the ML engine module may comprise utilizing at least one machine learning model selected from the group comprising linear models, tree-based models, deep learning models, decision trees, random forests, Gradient Boosting Machines (GBMs), XGBoost, LightGBM and Deep Neural Networks (DNNs).

[0073] Figure 3b depicts an exemplary flow chart illustrating continuation of method steps of Figure 3a for implementing a Machine Learning (ML) engine module 108 to determine a degree of threat score to prevent fraudulent activities of a subscriber identifier associated with a subscriber in real-time, in accordance with some embodiments of the present.

[0074] As illustrated in Figure 3b, the method 300b may comprise one or more steps. The method 300b may be described in the general context of computer executable instructions. Generally, computer executable instructions can include routines, programs, objects, components, data structures, procedures, modules, and functions, which perform particular functions or implement particular abstract data types.

[0075] The order in which the method 300b is described is not intended to be construed as a limitation, and any number of the method blocks described can be combined in any order to implement the method. Additionally, individual blocks may be deleted from the methods without departing from the scope of the subject matter described herein. Furthermore, the method can be implemented in any suitable hardware, software, firmware, or combination thereof.

[0076] The method 300b is a continuation of method steps from method 300a, At block 310, the employment module 106 may employ a machine learning (ML) engine module 108, based on the categorized one or more key features 212, to create an environment for managing threat of the subscriber. The ML engine module 108 may comprise a learning agent.

[0077] At block 312, the learning agent may determine, the threat score 220 of the subscriber identifier based on analysis of the one or more input messages 218. At block 314, the learningagent may block a transmission of the one or more input messages 218 of the subscriber identifier based on the determined threat score 220.Advantages of the present disclosure

[0078] In the present disclosure, the frequency and timeframe of the one or more historical messages received from the plurality of subscribers or from the plurality data sources helps in categorizing the message into legitimate category or fraudulent category. Consequently, this helps in identifying the scams before sending the message to the end users. Thus, the present disclosure provides techniques for efficiently and accurately identifying the fraudulent activities or phone related scams.

[0079] The present disclosure uses Machine Learning (ML) implemented techniques instead of manual reporting process for scams. The process used in the present disclosure is comparatively effective, and identification of fraudulent activities is faster compared to the existing solutions.

[0080] The present disclosure accurately predicts the threat score of a subscriber identifier and categorize the subscriber identifier as different outputs (based on risk levels). Accordingly, the subscriber identifier can be accurately predicated as scammer or non-scammer.

[0081] In the present disclosure, the ML engine module is trained using a plurality of databases and not just relying on user reports which avoids any missed detections of fraudulent activities. Accordingly, the present disclosure also avoids instances of false positives and false negatives in identifying the scammer or phone related scams.COMPUTER SYSTEM

[0082] Figure 4 illustrates a block diagram of a general -purpose computing system 400 for managing threat of a subscriber identifier associated with the subscriber, in accordance with some embodiments of the present disclosure. In an embodiment, the computer system 400 may be the threat management system 102. Thus, the computer system 400 may be used to manage threat a subscriber identifier. The computer system 400 may comprise input / output (I / O) interface 401 and a Central Processing Unit 402 (also referred as “CPU” or “processor”). The processor 402 may comprise at least one data processor. The processor 402 may includespecialized processing units such as integrated system (bus) controllers, memory management control units, floating point units, graphics processing units, digital signal processing units, etc. The processor 402 may be used to realize the processor 206 described in Figure 2.

[0083] The processor 402 may be disposed of in communication with one or more input / output (I / O) devices (not shown) via the I / O interface 401. The I / O interface 401 may employ communication protocols / methods such as, without limitation, audio, analog, digital, monoaural, RCA, stereo, IEEE (Institute of Electrical and Electronics Engineers) -1394, serial bus, universal serial bus (USB), infrared, PS / 2, BNC, coaxial, component, composite, digital visual interface (DVI), high-definition multimedia interface (HDMI), Radio Frequency (RF) antennas, S-Video, VGA, IEEE 802. n / b / g / n / x, Bluetooth, cellular (e.g., code-division multiple access (CDMA), high-speed packet access (HSPA+), global system for mobile communications (GSM), long-term evolution (LTE), WiMax, or the like), etc.

[0084] Using the VO interface 401, the computer system 400 may communicate with one or more VO devices. For example, the input device 411 may be an antenna, keyboard, mouse, joystick, (infrared) remote control, camera, card reader, fax machine, dongle, biometric reader, microphone, touch screen, touchpad, trackball, stylus, scanner, storage device, transceiver, video device / source, etc. The output device 412 may be a printer, fax machine, video display (e.g., cathode ray tube (CRT), liquid crystal display (LCD), light-emitting diode (LED), plasma, Plasma display panel (PDP), Organic light-emitting diode display (OLED) or the like), audio speaker, etc.

[0085] The processor 402 may be disposed of in communication with the communication network 409 via a network interface 403. The network interface 403 may communicate with the communication network 409. The network interface 403 may employ connection protocols including, without limitation, direct connect, Ethernet (e.g., twisted pair 10 / 100 / 1000 Base T), transmission control protocol / intemet protocol (TCP / IP), token ring, IEEE 802.11a / b / g / n / x, etc. The communication network 409 may include, without limitation, a direct interconnection, local area network (LAN), wide area network (WAN), wireless network (e.g., using Wireless Application Protocol), the Internet, etc. The network interface 403 may employ connection protocols include, but not limited to, direct connect, Ethernet (e.g., twisted pair 10 / 100 / 1000 Base T), transmission control protocol / internet protocol (TCP / IP), token ring, IEEE 802.1 la / b / g / n / x, etc.

[0086] The communication network 409 includes, but is not limited to, a direct interconnection, an e-commerce network, a peer to peer (P2P) network, local area network (LAN), wide area network (WAN), wireless network (e.g., using Wireless Application Protocol), the Internet, Wi-Fi, and such. The first network and the second network may either be a dedicated network or a shared network, which represents an association of the different types of networks that use a variety of protocols, for example, Hypertext Transfer Protocol (HTTP), Transmission Control Protocol / Internet Protocol (TCP / IP), Wireless Application Protocol (WAP), etc., to communicate with each other. Further, the first network and the second network may include a variety of network devices, including routers, bridges, servers, computing devices, storage devices, etc. The computer system 400 may receive one or more historical messages 210 over a communication network 409.

[0087] In some embodiments, the processor 402 may be disposed of in communication with a memory 405 (e.g., RAM, ROM, etc. not shown in Figure 4) via a storage interface 404. The storage interface 404 may connect to memory 405 including, without limitation, memory drives, removable disc drives, etc., employing connection protocols such as serial advanced technology attachment (SATA), Integrated Drive Electronics (IDE), IEEE-1394, Universal Serial Bus (USB), fiber channel, Small Computer Systems Interface (SCSI), etc. The memory drives may further include a drum, magnetic disc drive, magneto-optical drive, optical drive, Redundant Array of Independent Discs (RAID), solid-state memory devices, solid-state drives, etc.

[0088] The memory 405 may store a collection of program or database components, including, without limitation, user interface / application 406, an operating system 407, web browser 408 etc. In some embodiments, computer system 400 may store user / application data, such as, the data, variables, records, etc., as described in this disclosure. Such databases may be implemented as fault-tolerant, relational, scalable, secure databases such as Oracle ® or Sybase®. The memory 405 may be used to realize the memory 204 described in Figure 2. The memory 405 may be communicatively coupled to the processor 402. The memory 405 stores instructions, executable by the one or more processors 402, which, on execution, may cause the processor 402 to manage threat of the subscriber identifier associated with the subscriber.

[0089] The operating system 407 may facilitate resource management and the operation of the computer system 400. Examples of operating systems include, without limitation, APPLE MACINTOSHR OS X, UNIXR, UNIX-like system distributions (E.G, BERKELEYSOFTWARE DISTRIBUTIONTM (BSD), FREEBSDTM, NETBSDTM, OPENBSDTM, etc ), LINUX DISTRIBUTIONSTM (E G., RED HATTM, UBUNTUTM, KUBUNTUTM, etc ), IBMTM OS / 2, MICROSOFTTM WINDOWSTM (XPTM, VISTATM / 7 / 8, 10 etc ), APPLER IOSTM, GOOGLER ANDROIDTM, BLACKBERRYR OS, or the like.

[0090] In some embodiments, the computer system 400 may implement the web browser 408 stored program component. The web browser 408 may be a hypertext viewing application, for example MICRO SOFTR INTERNET EXPLORERTM, GOOGLER CHROMETMO, MOZILLAR FIREFOXTM, APPLER SAFARITM, etc. Secure web browsing may be provided using Secure Hypertext Transport Protocol (HTTPS), Secure Sockets Layer (SSL), Transport Layer Security (TLS), etc. Web browsers 408 may utilize facilities such as AJAXTM, DHTMLTM, ADOBER FLASHTM, JAVASCRIPTTM, JAVATM, Application Programming Interfaces (APIs), etc. In some embodiments, the computer system 400 may implement a mail server (not shown in Figure) stored program component. The mail server may be an Internet mail server such as Microsoft Exchange, or the like. The mail server may utilize facilities such as ASPTM, ACTIVEXTM, ANSITM C++ / C#, MICROSOFTR, NETTM, CGI SCRIPTSTM, JAVATM, JAVASCRIPTTM, PERLTM, PHPTM, PYTHONTM, WEBOBJECTSTM, etc. The mail server may utilize communication protocols such as Internet Message Access Protocol (IMAP), Messaging Application Programming Interface (MAPI), MICROSOFTR exchange, Post Office Protocol (POP), Simple Mail Transfer Protocol (SMTP), or the like. In some embodiments, the computer system 400 may implement a mail client stored program component. The mail client (not shown in Figure) may be a mail viewing application, such as APPLER MAILTM, MICROSOFTR ENTOURAGETM, MICROSOFTR OUTLOOKTM, MOZILLAR THUNDERBIRDTM, etc.

[0091] Furthermore, one or more computer-readable storage media may be utilized in implementing embodiments consistent with the present disclosure. A computer-readable storage medium refers to any type of physical memory on which information or data readable by a processor may be stored. Thus, a computer-readable storage medium may store instructions for execution by one or more processors, including instructions for causing the processor(s) to perform steps or stages consistent with the embodiments described herein. The term “computer-readable medium” should be understood to include tangible items and exclude carrier waves and transient signals, i.e., be non -transitory. Examples include Random Access Memory (RAM), Read-Only Memory (ROM), volatile memory, non-volatile memory, harddrives, Compact Disc Read-Only Memory (CD ROMs), Digital Video Disc (DVDs), flash drives, disks, and any other known physical storage media.

[0092] The terms “including”, “comprising”, “having” and variations thereof mean “including but not limited to”, unless expressly specified otherwise. The enumerated listing of items does not imply that any or all of the items are mutually exclusive, unless expressly specified otherwise. The terms “a”, “an” and “the” mean “one or more”, unless expressly specified otherwise.

[0093] In alternative embodiments, certain operations may be performed in a different order, modified, or removed. Moreover, steps may be added to the above-described logic and still conform to the described embodiments. Further, operations described herein may occur sequentially or certain operations may be processed in parallel. Yet further, operations may be performed by a single processing unit or by distributed processing units.

[0094] Finally, the language used in the specification has been principally selected for readability and instructional purposes, and it may not have been selected to delineate or circumscribe the inventive subject matter. It is therefore intended that the scope of the invention be limited not by this detailed description, but rather by any claims that issue on an application based here on. Accordingly, the disclosure of the embodiments of the invention is intended to be illustrative, but not limiting, of the scope of the invention, which is set forth in the following claims.Referral Numerals:

Claims

We claim:

1. A method for threat management of a subscriber identifier associated with a subscriber, the method comprising:receiving one or more historical messages received by a plurality of subscriber identifiers from a plurality of data sources;determining a type of service associated with each of the one or more historical messages;extracting, based on the type of service, one or more key features associated with the one or more historical messages, wherein the one or more key features include one or more of a frequency and a timeframe of the one or more historical messages;categorizing the one or more historical messages into one of a legitimate category and a fraudulent category based on the extracted one or more key features;employing, based on the categorized one or more historical messages, the type of services, and the one or more key features, a machine learning (ML) engine module to create an environment, such that a learning agent, associated with the environment, is configured to:analyze one or more input messages received from the subscriber identifier;determine a threat score of the subscriber identifier based on analysis of the one or more input messages;classifying the plurality of subscriber identifiers into a plurality of threat categories based on mapping of the threat score with a predefined threat score threshold value for each threat category,block a transmission of the one or more input messages of the subscriber identifier based on the plurality of threat categories and the determined threat score.

2. The method as claimed in claim 1, wherein the plurality of data sources comprises at least one of government data sources, telecommunication network operators’ data sources, one or more third party aggregators, one or more crowdsourced data sources, and data sources related to one or more banking and financial institutions.

3. The method as claimed in claim 1, wherein categorizing the one or more historical messages into one of a legitimate category and a fraudulent category comprising steps of:based on the one or more of a frequency of the messages received and the timeframe of the one or more historical messages, determining at least one of legitimate and fraudulent patterns pertaining to the corresponding one or more historical messages; and categorizing the one or more historical messages into one of legitimate category and fraudulent category based on the determined pattern.

4. The method as claimed in claim 1, wherein the subscriber identifier is a phone number or mobile number associated with the subscriber.

5. The method as claimed in claim 1, wherein,the frequency of the one or more historical messages includes an average of number of received messages for the type of service, andthe timeframe of the one or more historical messages includes an average interval of consecutive received messages.

6. The method as claimed in claim 1, wherein the type of services comprises at least one of Banking and Financial Section Institutions (BFSIs), government sectors, e-commerce sectors, entertainment sectors, gaming sectors, utility service providers, service sectors, and transport sectors.

7. The method as claimed in claim 1, wherein determining the threat score comprises:evaluating a difference between the threat score determined by the learning agent and pre-labelled threat indicators of the one or more historical messages received by the plurality of subscriber identifiers; anddetermining the threat score by minimizing the evaluated difference.

8. The method as claimed in claim 1, wherein the plurality of threat categories comprises one of a high confidence safety category, a low confidence safety category, a neutral safety category, a low confidence scammer category, and a high confidence scammer category.

9. The method as claimed in claim 1, further comprising:training the machine learning (ML) engine module by:accessing a dataset of categorized historical messages, wherein the categorized historical messages are categorized into the category based on the extracted one or more key features;providing the extracted one or more key features from the categorized historical messages as input to the ML engine module;training the learning agent of the ML engine module to learn patterns associated with the category based on the input key features and the categorization of the historical messages; andvalidating the trained learning agent using a validation dataset to ensure effective learning of the patterns associated with the legitimate category and the fraudulent category.

10. The method as claimed in claim 9, wherein training the learning agent of the ML engine module comprises utilizing at least one machine learning model selected from the group comprising linear models, tree-based models, deep learning models, decision trees, random forests, Gradient Boosting Machines (GBMs), XGBoost, LightGBM and Deep Neural Networks (DNNs).IL A threat management system, comprising:a processor; anda memory communicatively coupled with the processor, wherein the processor is configured to:receive one or more historical messages received by a plurality of subscriber identifiers from a plurality of data sources;determine a type of service associated with each of the one or more historical messages; extract, based on the type of service, one or more key features associated with the one or more historical messages, wherein the one or more key features include one or more of a frequency and a timeframe of the one or more historical messages;categorize the one or more historical messages into one of a legitimate category and a fraudulent category based on the extracted one or more key features;employ, based on the categorized one or more historical messages, the type of services, and the one or more key features, a machine learning (ML) engine module to create an environment, such that a learning agent, associated with the environment, is configured to:analyze one or more input messages received from the subscriber identifier; determine a threat score of the subscriber identifier based on analysis of the one or more input messages;classify the plurality of subscriber identifiers into a plurality of threat categories based on mapping of the threat score with a predefined threat score threshold value for each threat category,block a transmission of the one or more input messages of the subscriber identifier based on the plurality of threat categories and the determined threat score.

12. The threat management system as claimed in claim 11,wherein the plurality of data sources comprises at least one of government data sources, telecommunication network operators’ data sources, one or more third party aggregators, one or more crowdsourced data source, and data sources related to one or more banking and financial institutions.

13. The threat management system as claimed in claim 11, wherein to categorize the one or more historical messages into one of a legitimate category and a fraudulent category, the processor is configured to:based on the one or more of a frequency of the messages received and the timeframe of the one or more historical messages, determine at least one of legitimate and fraudulent patterns pertaining to the corresponding one or more historical messages; andcategorize the one or more historical messages into one of legitimate category and fraudulent category based on the determined pattern.

14. The threat management system as claimed in claim 11, wherein the subscriber identifier is a phone number or mobile number associated with the subscriber.

15. The threat management system as claimed in claim 11, wherein,the frequency of the one or more historical messages includes an average of number of received messages for the type of service, andthe timeframe of the one or more historical messages includes an average interval of consecutive received messages.

16. The threat management system as claimed in claim 11, wherein the type of services comprises at least one of Banking and Financial Section Institutions (BFSIs), government sectors, e-commerce sectors, entertainment sectors, gaming sectors, utility service providers, service sectors, and transport sectors.

17. The threat management system as claimed in claim 11, wherein to determine the threat score, the processor is configured to:evaluate a difference between the threat score determined by the learning agent and prelabelled threat indicators of the one or more historical messages received by the plurality of subscriber identifiers; anddetermine the threat score by minimizing the evaluated difference.

18. The threat management system as claimed in claim 11,wherein the plurality of threat categories comprises one of a high confidence safety category, a low confidence safety category, a neutral safety category, a low confidence scammer category, and a high confidence scammer category.