US 12,130,928 B2
Method and system for anamoly detection in the banking system with graph neural networks (GNNs)
Sankalp Pandey, Pune (IN); Chandrakant Sharma, Gwalior (IN); and Aliaksei Bobryk, Malmö (SE)
Assigned to BINARYFLUX PTE. LTD., Singapore (SG)
Filed by BINARYFLUX PTE. LTD., Singapore (SG)
Filed on Nov. 9, 2021, as Appl. No. 17/522,666.
Claims priority of provisional application 63/187,310, filed on May 11, 2021.
Prior Publication US 2022/0374524 A1, Nov. 24, 2022
Int. Cl. G06F 21/57 (2013.01); G06F 21/55 (2013.01); G06N 3/04 (2023.01)
CPC G06F 21/577 (2013.01) [G06F 21/552 (2013.01); G06F 21/554 (2013.01); G06N 3/04 (2013.01)] 11 Claims
OG exemplary drawing
 
1. A system for anomaly detection in the banking system with graph network of a plurality of interconnected gateways, the system comprising:
a processor, and
a memory storing one or more computer-executable machine learning instructions or data structures, and
where the processor and the memory, are communicatively coupled with each other;
wherein upon execution of the one or more computer-executable machine learning instructions or data structures, by the processor, causes the system to:
continuously monitor a plurality of gateways, data flows related to and executed at a first gateway of the plurality of gateways, the gateway data flows including at least one or more of gateways in a network, either individually or in combination;
one or more activities performed at or between any two or more gateways within the network, activities performed at or between any two or more gateway within the network or an activity performed between any gateway residing in the network and an external gateway outside the network, and where at least one activity in the one or more activities includes one or more sub-events;
relational information between the gateways in the network;
determine a gateway state score, related to the first gateway, representing a threshold for an allowable activity pattern in the network;
connect one or more sub-events, that are included in performing a first activity from among the one or more activities, where the operations of the first gateway enables recognizing of the patterns of activity in the network;
record and classify the network activity pattern at the first gateway;
assign a first gateway state score for the first activity pattern, where the first gateway state score represents an allowable behaviour pattern in the classified first type of pattern for the first gateway;
learn and classify, in real time, a plurality of gateway patterns, related to one or more activities in the network, into a plurality of type of patterns, by monitoring and processing the gateway data information from one or more historical activities till ongoing one or more activities in real time;
assign a gateway state score to each of the plurality of gateway patterns, where each of the gateway state score represents an allowable behaviour pattern in each of the plurality of type of patterns for the network of gateways;
identify a new gateway pattern, for the network of gateways, by determining a deviation from the first gateway state score or the gateway state score for each of the plurality of gateway patterns or both;
generate an alert indicating the new gateway pattern as a potential anomaly behaviour for the first gateway; and
wherein, by learning and classifying the gateway patterns for the gateways and assigning a gateway state score to the types of patterns for the gateways, the system is configurable to create a baseline of an allowable behaviour pattern for each gateway to indicate a normal operating state for the gateway and to learn allowable behaviour patterns and detect behaviour anomalies while minimizing false positives.