|Title of Invention||
"DATA PROXIMITY DETECTOR"
|Abstract||A data proximity detector (30) comprises a storage means (36), a processor (34) and an alert generator (38). A database of records known to satisfy a condition is stored in the storage means. The processor checks (14) a new record against each record retrieved from the database (12) for a close match. In the event that a close match is found (16) the alert generator creates an alert (18) indicating an inference that the new record also satisfies the condition.|
|Full Text||Field of the Invention
The present invention relates to a data proximity detector for applying a method of detecting proximate data.
In instances where a person establishes a service with an intention to commit fraud, the person has often been involved in a similar fraud before or is using a technique similar to known instances of fraud. In the establishment of a new service (such as a new mobile phone account) a new record is created with details provided by the fraudster. The details in the record are often deliberately incorrect (such as including a non-existent address). The definition of what record and field values indicate fraud depends on the particulars of the industry, policy and circumstance. However, a good example of fraud would be making an application for a service without intent to pay for the continued running of that service, possibly by disguising the applicant's identity.
When a new record arrives, the potential for fraud is normally only recognized by the service provider if the details provided match (exactly) previous fraud related records, for example if a fraudster uses the same address then this can be flagged. However fraudsters usually don't use the same address. In particular, with service applications where the fraudulent applicant alters parts
of the application in an attempt to subvert any anti-fraud checking the likelihood of detection is small. For example, altering the address so that a simple mechanised check would fail to match the addresses, but the change from a previous fraudulent address may be small enough that a postman would treat both as the same.
Summary of the Present Invention
The present invention seeks to address this shortcomming by detecting data similar (proximate) to existing cases of fraud.
According to a first aspect of the present invention there is provided a method of detecting proximate data for use in fraud detection comprising the steps of:
providing a database of records known to be fraudulent; and
checking a new record against each record in the database for a close match and in the event that a close match is found inferring that the new record is fraudulent.
Preferably the process of checking whether the new record is a close match comprises applying a matching algorithm to the new record and each record of the database to generate a probability of a match.
Preferably in the event that the probability exceeds a threshold then_there is deemed to be a close match. Preferably the probability is generated using field specific comparisons. Alternatively the probability is
generated using aggregating comparisons. Preferably the probability is generated using a combination of field specific comparisons and aggregating comparisons.
According to a second aspect of the present invention there is provided a data proximity detector comprising:
a storage means for storing a database of records known to be fraudulent;
a processor for checking a new record against each record in the database for a close match; and
an alert generator for indicating an inference that the new record is fraudulent in the event that the processor determines there to be a close match.
According to a further aspect of the present invention there is provided a method of detecting proximate data comprising the steps of:
providing a database of records known to satisfy a condition; and
checking a new record against each record in the database for a close match and in the event that a close match is found inferring that the new record also satisfied the condition.
According to a further aspect of the present invention there is provided data proximity detector comprising:
a storage means for storing a database of records known to satisfy a condition;
a processor for checking a new record against each record in the database retrieved from the storage means for a close match; and
an alert generator for indicating an inference that the new record also satisfies the condition in the event that the processor determines there to be a close match.
Brief Description of the Drawings
In order to provide a better understanding, preferred embodiments of the present invention will be described, by way of example only, with reference to the accompanying drawings, in which:
Figure 1 is an example class diagram showing the relationship between objects of the data proximity detector;
Figure 2 is a flow chart showing steps of the preferred form of the method of the present invention;
Figure 3 is an example tree diagram representing an aggregating algorithm for combining subsidiary matching algorithms of the method of the present invention; and
Figure 4 is a schematic block diagram representing a preferred form of a data proximity detector according to the present invention.
The data proximity detector of the present invention may form one part in the array, of fraud detection components used by a fraud detection system which automatically analyses a continuous list of records for fraudulent behaviour. These records may constitute call data records,
service applications (for example applications for a mobile phone) or other such communications of known format.
As shown in Figure 4, a preferred form of the data proximity detector (DPD) 30 of the present invention may be in the form of a computer configured to run a computer program for controlling the computer such that it performs thTe method of the present invention. The DPD is provided with a database of records known to be fraudulent, which are stored in a storage means 36 (such as a hard disk drive of the computer) . The DPD receives new records from input 32, which are to be checked for possible fraud. A processor 34 of the DPD performs the check according to the method described below. If the check results in a positive inference of fraud, the computer operates as an alert generator (by providing an appropriate signal to an output 40 from input/output device 38) to provide an indication of the inferred fraud.
The DPD matching procedure is described by the flow diagram of Figure 2. Each new record is tested at step 10. An entry in the database is retrieved 12. The new data and the retrieved record are compared at 14 where a probability of a match is calculated. This probability is then compared to a threshold at 16. If the probability is greater than the threshold then the new record is considered to be matched at 18 and an alert generated. If the probability is less than or equal to the threshold the processor then checks whether all of the records in the database have been checked at 20. If there are no remaining records then the new data is considered
unmatched at 22. If there is a record remaining 24 the process then returns to step 12 where the next record is retrieved and compared. Checking continues until all records of the fraud database have been searched.
The DPD matching algorithm is designed to be hiahlv configurable. The high level of configuration is provided to enable the DPD to cope with a wide variety of data sources that it may have to handle. To do this, the DPD match algorithm is constructed dynamically as guided by a configuration, out of several simple, small matching algorithms that can be plugged together. To get these constituent matching algorithms to plug into each other, all matching algorithms conform to a matching algorithm prototype. Figure 1 shows example algorithms that conform to this standard and the relationships between them. Figure 1 is a class diagram in accordance with the UML (Unified Modelling Language) standard. The constituent matching algorithms are grouped into two broad categories of matching tasks: field-specific comparisons; and aggregating comparisons.
The field-specific matching algorithms share a common prototype derived from the matching algorithm prototype. Each field match is dedicated to a single field of the two records being compared. The field-match creates an information-based distance measure to indicate how much of a change would be required to convert the value found in one record into the value found in the other record. A simple transformation referred to as the neighbourhood function converts this distance into a probability for use by other matching algorithms. Typical types of field
matching are: number match; code match; word match; and phrase match. The distance measures of these field-matching algorithms are described below.
The number match treats the contents of the field as a number and returns the absolute numeric difference between field values.
The code match returns the number of characters in the two values that do not match, often called the Hamming distance. The characters involved can be of any type so long as they do not have a meaningful ordering. An example of a field suitable for code matching would be telephone number. Where two code fields are of different lengths, the extra characters of the longer code add to the distance between the two fields.
Word matches return the minimum number of character operations required to convert one field into the other. The operations used are shown in the table below.
Table of Character Operations
The operations: repetition and deletion of repetition are given lighter weighting so that a smaller distance is incurred. The word-matching algorithm will not search beyond a maximum distance as defined by a preset threshold on the resulting probability.
Phrase matches return the minimum number of weighted word operations required to change one field into the other. The phrase match algorithm uses the same matching algorithm as the word match algorithm except that word operations are substituted for character operations. The distances of the word operations: substitute and exchange are given by the word-matching algorithm. The distances for the insert and delete operations are simply the length of the inserted or deleted word. The distances of the repeat and delete repetition operations are scaled down versions of the insert and delete distances. In addition, a dictionary of abbreviations may be supplied. Where a whole word precisely matches an abbreviation in the abbreviation dictionary, that word will be substituted with the word associated with that abbreviation. As with the word-matching algorithm, the phrase-matching algorithm will not search beyond a maximum distance as defined by a preset threshold on the resulting probability.
Any field match may be given a list of exceptions that will fail the match if the field value of either record is exactly set to one of those exceptions.
The standard neighbourhood function is the exponential neighbourhood, and this is used to treat the distance measure as an information measure. A Gaussian neighbourhood is provided, and this is equivalent to the exponential neighbourhood where the distance measure is squared first. The step neighbourhood generates probabilities of 100% if the distance is within a predefined proximity, but 0% otherwise. The full definitions of these functions are given in the table below.
Table of Neighbourhood Functions
The inputs x are the distances generated by the field-specific matching algorithms.
The constants x0 are 'proximity' values that control the range over which the neighbourhood operates.
The aggregating matching algorithms modify and combine the results from one or more child matching algorithms. They are used to combine the many probabilities generated for each field of the records by the field-specific comparisons into a single probability for the whole record. The result is a tree structure with a single
probability for the whole record at its root, an aggregating matching algorithm at each branch, and a field-specific matching algorithm at each leaf. For an example, see Figure 3. The construction of the tree is declared in the configuration. This configuration first defines which aggregating matching algorithm to use, and then which matching algorithms belong to it. The format and syntax of the configuration is irrelevant provided that it can express a tree structure and the various match-specific properties.
The not match algorithm owns a single matching algorithm of any of the given types. The probability returned by the not operator is one-minus the probability of its child matching algorithm.
The all match algorithm owns a list of matching algorithms of any of the given types. The all match returns the probability that all of its child matches detect a match. If at any point during this calculation, the combined probability drops below a preset threshold, then the match is deemed as failed, and the operation does not consult its child matching algorithms further.
The any match algorithm owns a list of matching algorithms of any of the given types. The any match returns the probability that any of its child matches detect a match. If at any point during this calculation, the result exceeds the preset threshold, then the match is deemed made, and the algorithm does not consult its child matching algorithms further.
Both the 'all' and the 'any' algorithms support an inference mechanism that can be used to capture dependencies between fields. For example, the discovery of a match between address fields makes a match between name fields more likely. This makes the combination of both name and address less significant. This combines with the above descriptions of the all and any matches to give the full definitions:
where n is the number of children, the r±j coefficients give the inference that can be made from Pj on pi, where i indexes the child algorithms for their direct contribution, and j indexes the child algorithms for the inference on the child i. The rij coefficients are set to give the actual probability of a match given that there is no match. For example, if addresses match, but we take it as given that names do not match, the matching algorithm assigned to the name field will on average give a significant non-zero probability because family members will share surnames. The rname ,address coefficient will be set to this probability.
Worked Examples Number Matches
a numeric match with a proximity of 2 and an exponential neighbourhood, will generate a probability of:
exp(-121 - 20|/2) = exp(-0.5) = 61%
Given the two records with the telephone number fields:
a number match with a proximity of 1 and an exponential neighbourhood, the distance is 2.0 (two digits had to be changed) giving a probability of:
Given the two records with the town fields:
a word match with a proximity of 6 and an exponential neighbourhood, the distance is given as the sum of the contributions from the character operations required to transform one into the other:
Word Operation Contribution
Pettersfield Duplication 0.5
Petterfield Deletion 1.0
Petterfeild Exchange 1.0
Examples of Transformations of Words
This totals to 2.5 giving a probability of: exp(-2.5/6) =66%
Given the two records with the road fields:
• Saint Gerassimo Road
• St. Grasimo Rd
a phrase match with a proximity of 10, an exponential neighbourhood, and an abbreviation dictionary that includes abbreviations for Saint and Road then the distance is given as the sum of the contribution from the word operations required to transform one into the other:
Phrase Operation -Contribution
Saint Gerassimo -Road
St. Gerassimo Abbreviation 0.0
St. Grasimo Rd Word substitution 1.5
St. Grasimo Rd Abbreviation 0.0
Examples of Transformations of Phrases
This totals to 1.5 giving a probability of: exp(-1.5/10) =86%
Given the two records:
• 20, Saint Gerassimo Road, Petersfield, 7821865874
• 21, St. Grasimo Rd, Petterfeild, 7821868574
an all match without inferences will combine the results from the previous examples to give:
61% x 86% x 66% x 14% = 5%
Given the two records:
• 20, Saint Gerassimo Road, Petersfield, 7821865874
• 21, St. Grasimo Rd, Petterfeild, 7821868574
an any match without inferences will combine the results from the previous examples to give:
1 - (1 - 61%) x (1 - 86%) x (1 - 66%) x (1 -14%) = 1-39%X14%X34%X86% = 1-2% = 98%
The skilled addressee will appreciate the following advantages of the present invention:
• The DPD generates matches between input record and a fraud database through comparing that input record with every record of the fraud database;
• Each record match is given by one of a number of matching algorithms;
• Each record match returns a value to indicate the probability of a match;
• A matching algorithm may combine the results of one or more attached matching algorithms;
• Field matching algorithms compare values found in the corresponding fields in the records to be compared; and
• All operations are optimised by ceasing calculation as soon as a probability threshold is reached.
Modifications and variations may be made to the present invention without departing from the basic inventive concept. Modifications may include using alternative matching algorithms to the preferred ones described above. It is envisaged that the present invention may have application in areas outside of fraud detection, where it is desired to detect proximate data for other purposes.
In this case instead of records of know cases of fraud, records known to meet a certain condition are used. When the probability of a match exceeds the threshold, the condition is considered to be met.
Alternative applications of the present invention could include an identity checker that for use in situations where the details of a person or company may be entered multiple times into a computer system and data entry anomalies can result. Normally this would create multiple entries with minor differences all relating to the same person. The present invention could be employed to identify that the data entered relates to the same person. Thus a single consistent set of data could be kept on a person. A further example may be where an applicant applies for a credit facility and the background of the applicant is to be checked. Quite innocently the details may be incorrectly entered. The present invention could be employed to detect whether the new data is similar to an existing record and if sufficiently close be regarded as matching an existing record. A skilled addressee will readily be able to identify other applications of the present invention and will be able to apply the invention to such other applications.
Such modifications and variations are intended to fall within the scope of the present invention, the nature of which is to be determined from the foregoing description and appended claims.
1. A data proximity detector comprising:
a storage means for storing a database (36) of records known to satisfy a condition;
a processor (38) configured to check (14) a new record (32) against each record(12) in the database for a close match,
wherein the processor is configured to:
compute a probability of a match by: finding a distance measure between the new record and the respective database record, where the distance measure is a measurement of difference between the new record and the respective database record; and converting the distance measure into the probability of a match; and
compare the probability of a match to a threshold, wherein the detector further comprises an alert generator for outputting an alert signal indicative of an inference that the new record satisfies a condition in the event that the probability of a match exceeds the threshold.
2. A data proximity detector according to claim 1, which forms one part in an array of fraud detection components.
3. A detector as claimed in claim 1, wherein the processor is configured to check whether each new record is a close match by making a plurality of simple comparisons, where each simple comparison compares a field of the new record with a corresponding field in each respective database record.
4. A detector as claimed in claim 1, wherein the processor is configured to compute the probability of a match by aggregating a plurality of field specific probabilities, each field specific probability is determined by converting a distance measure of each simple matching comparison into one of the field specific probabilities.
5. A detector as claimed in claim 4, wherein the processor is configured to modify and combine the field specific probabilities.
6. A detector as claimed in claim 5, wherein the processor is configured to combine the field specific probabilities according to one of the following: seeking a
close match in all the fields; seeking a close match in any of the fields; or seeking for the fields to not match.
7. A detector as claimed in any one of claims 1 to 6, wherein the known condition is that the records are known to be fraudulent.
8. A detector as claimed in any one of the claims 1 to 6, wherein the known condition is that the records relate to known fraudsters.
9. A detector as claimed in any one of the claims 1 to 6, wherein the known condition is that the records relate to the details of a person or company known to be entered into a computer system.
10. A detector as claimed in any one of claims 1 to 6, wherein the known condition is that the records relate to the details of a person with a known credit background.
11. A detector as claimed in any one of claims 1 to 6, wherein the known condition is that the records relate to information which is known to be correct.
|Indian Patent Application Number||1317/DELNP/2005|
|PG Journal Number||08/2011|
|Date of Filing||01-Apr-2005|
|Name of Patentee||NEURAL TECHNOLOGIES LTD., a British company|
|Applicant Address||IDEAL HOUSE, BEDFORD ROAD, PETERSFIELD,HAMPSHIRE GU32 3QA, UNITED KINGDOM.|
|PCT International Classification Number||G06F 17/30|
|PCT International Application Number||PCT/AU2003/001145|
|PCT International Filing date||2003-09-04|