	US 11,699,160 B2
	Method, use thereof, computer program product and system for fraud detection
Tomás Matyska, Hlubocepy (CZ); Omkar Kulkarni, Heverlee (BE); Tien Le, Kraainem (BE); Barak Chizi, Woluwe (BE); Vasileios Stathokostopoulos, Athens (GR); Frans Thierens, Hamme (BE); Shahul Hameed, Tienen (BE); Bartel Puelinckx, Roosdaal (BE); Johan Thijs, Betekom (BE); and Kevin Vanderspikken, Schaerbeek (BE)
Filed by KBC Groep NV, Brussels (BE)
Filed on Feb. 12, 2021, as Appl. No. 17/175,055.
Claims priority of application No. 20157029 (EP), filed on Feb. 12, 2020; and application No. 20187612 (EP), filed on Jul. 24, 2020.
Prior Publication US 2021/0248611 A1, Aug. 12, 2021
Int. Cl. G06Q 20/40 (2012.01); G06F 16/9035 (2019.01); G06N 3/08 (2023.01); G06Q 20/02 (2012.01)

CPC G06Q 20/4016 (2013.01) [G06F 16/9035 (2019.01); G06N 3/08 (2013.01); G06Q 20/027 (2013.01)]

20 Claims

1. A computer-implemented method for determining a potential for anomalous activity by a suspect user, comprising the steps of:

a) receiving a plurality of user profiles at a processing unit, each of the user profiles associated with a user and comprising a plurality of transactions associated with the user, each of the transactions comprising a plurality of transaction attributes;

b) calculating, using the processing unit, an anomaly score for each of the received user profiles to determine the potential for anomalous activity by the suspect user by means of an anomaly detection algorithm which is trained based on one or more of the transaction attributes of the transactions of the plurality of user profiles, wherein the trained anomaly detection algorithm is an unsupervised anomaly detection algorithm;

characterized in that the method further comprises the steps of:

c) determining a community structure for the received plurality of user profiles based at least in part on the transactions of the user profiles, wherein the determined community structure comprises a plurality of nodes interconnected via weighted edges, wherein each of the nodes represents an individual, entity, or organization associated with one of the user profiles, wherein the nodes are directly interconnected with each other based on relationships or exchanges in the community structure, wherein each of the nodes is associated with one of the user profiles and the calculated anomaly score for said user profile, wherein the weight of each of the edges interconnecting two or more of the nodes is at least based in part on a number of the transactions between the user profiles associated with the two or more of the nodes that are interconnected;

d) calculating a network anomaly score for a user profile associated with the suspect user, wherein said user profile associated with the suspect user is part of the received plurality user profiles, wherein the network anomaly score for said user profile associated with the suspect user is based at least in part on the anomaly score calculated for one or more of the user profiles associated with the nodes in the determined community structure which are interconnected via the edge to the node of said user profile associated with the suspect user and the weight of each respective interconnecting edge; and

e) calculating the potential for anomalous activity by the suspect user by combining the calculated anomaly score and the network anomaly score of the user profile associated to said suspect user.