	US 11,777,962 B2
	Systems and methods for machine learning-based detection of an automated fraud attack or an automated abuse attack
Kostyantyn Gurnov, San Francisco, CA (US); Wei Liu, San Francisco, CA (US); Nicholas Benavides, San Francisco, CA (US); Volha Leusha, San Francisco, CA (US); Yanqing Bao, San Francisco, CA (US); Louie Zhang, San Francisco, CA (US); Irving Chen, San Francisco, CA (US); Logan Davis, San Francisco, CA (US); and Andy Cai, San Francisco, CA (US)
Assigned to Sift Science, Inc., San Francisco, CA (US)
Filed by Sift Science, Inc., San Francisco, CA (US)
Filed on Dec. 18, 2022, as Appl. No. 18/83,562.
Claims priority of provisional application 63/316,703, filed on Mar. 4, 2022.
Claims priority of provisional application 63/291,336, filed on Dec. 17, 2021.
Prior Publication US 2023/0199006 A1, Jun. 22, 2023
Int. Cl. H04L 9/40 (2022.01); G06N 20/20 (2019.01)

CPC H04L 63/1416 (2013.01) [G06N 20/20 (2019.01); H04L 63/1425 (2013.01)]

20 Claims

1. A method for machine learning-based detection of an automated fraud or abuse attack, the method comprising:

identifying, via one or more computers, a digital event associated with a suspected automated fraud or abuse attack;

deriving a corpus of feature data based on data associated with the digital event;

composing, via the one or more computers, a digital activity signature of the suspected automated fraud or abuse attack based at least on the corpus of feature data, wherein the digital activity signature comprises a graphical, time-based representation of digital activity associated with the suspected automated fraud or abuse attack wherein:

the graphical, time-based representation includes a digital activity sequence graph,

each distinct location on the digital activity sequence graph corresponds to (i) a target digital event associated with the suspected automated fraud or abuse attack and (ii) a subject digital event feature, and

each distinct location on the digital activity sequence graph visually indicates a value of the subject digital event feature for the target digital event;

computing, via one or more machine learning models, an encoded representation of the digital activity signature based on providing the digital activity signature, as input, to the one or more machine learning models;

searching, via the one or more computers, an automated fraud or abuse signature registry based on the encoded representation of the digital activity signature, wherein searching the automated fraud or abuse signature registry includes searching for labeled digital fraud or abuse clusters that are within a threshold distance of the encoded representation of the digital activity signature, wherein the searching includes:

calculating a distance between the encoded representation of the digital activity signature and a centroid of each of a plurality of distinct digital fraud or abuse clusters; and

identifying digital fraud or abuse clusters whose centroid is within the threshold distance of the encoded representation of the digital activity signature;

determining whether the digital event is associated with an automated fraud attack or an automated abuse attack based on the searching of the automated fraud or abuse signature registry; and

selectively implementing one or more automated threat mitigation actions if the digital event is determined to be associated with the automated fraud attack or the automated abuse attack.