Method for classifying user action sequence

Description

CROSS-REFERENCE

The present application claims convention priority to Russian Utility Patent Application No. 2017140501, filed on Nov. 21, 2017, entitled “METHOD FOR CLASSIFYING USER ACTION SEQUENCE”, the entirety of which is incorporated herein by reference.

FIELD OF THE TECHNOLOGY

The present invention relates to the methods for detecting fraud, particularly for training a Machine Learning Algorithm (MLA) to detect fraudulent user actions executed in a computer system.

BACKGROUND

In the recent years, Internet has grown to be a platform where users execute a plethora of actions—from browsing digital content, searching for information, and executing financial transaction with banks and other financial institutions. With the growth of legitimate Internet use, the fraudulent activity using the Internet has also grown. Anti-fraud, or fraud monitoring systems are used to assess financial transactions executed by users using the Internet that may be suspected of fraud. These known systems are also configured to generate recommendations on further processing of the transactions suspected of being fraudulent. Such anti-fraud services are based on pre-determined sets of rules, filters and lists, both standard and custom-built, such that each monitored transaction is checked against them.

Some examples of such used rules include:

- A limit of the number of purchases using the same bank card of by the same user during a specified period of time;
- A limit of the maximum sum of money involved in a single transaction (such as a value of the purchase or a transfer, for example) using a single bank card or by the same user during a specified period of time;
- A limit of the number of bank cards used by the same user during a specified period of time;
- A limit of the number of users using the same bank card;
- An indication and analysis of the purchase histories for each bank card or user (so-called blacklists or whitelists).

A problem with such approach is that it may fail to determine whether an operation is legitimate or fraudulent. For example, a given user may legitimately perform multiple transaction over the pre-determined triggering the rule of the maximum number of transaction within the pre-determined period of time.

Another conventional solution involves use and verification of patterns (also called “signatures”). Such signatures have to be updated regularly in order to allow determining whether an operation is legitimate or fraudulent. Such signatures are generated by a human analyst who analyzes action sequences for fraudulent features and determines their characteristics, which is labor intensive and is susceptible to errors as it may depend on the analyst's competence as well.

SUMMARY

The non-limiting embodiments of the present technology are aimed eliminating the drawbacks of the known solutions. As such, at least some non-limiting embodiments of the present technology allow to automatically and accurately determine features associated with specific operation classes.

Non-limiting embodiments of the present technology have been developed based on developers' appreciation that there exist a marked difference between “user behavior pattern” difference between a legitimate user and a fraudulent user. Taking an example of a web site that provides a banking service (such as an Internet banking portal for a bank). A typical user may have a “legitimate pattern of behavior” when performing Internet banking, for example, access the web banking portal (by typing in or using “complete function” of the browser the user credentials), view some targeted promotions, pay bills, view spending history, review credit card balance, etc. A typical fraudulent behavior of a malicious individual may have a very different pattern—enter the web site by using a complete function of the browser, and enters the transfer page and transfers users fund in order to steal them, and then exists the web service.

By collecting information about past fraudulent events (as well as legitimate user patterns), it is possible to generate a training set to train a Machine Learning Algorithm (MLA) to analyze a user's behavior and determine when the user's behavior pattern changes form legitimate to potential fraudulent to flag the user's generated transaction for review by an administrator (such as a fraud department employee). Non-limiting embodiments of the present technology are based on training the MLA based on those sub-portions of the behavior patterns that are most indicative of fraudulent behavior (i.e. the ones that correlate most strongly to fraudulent behavior).

In some non-limiting embodiments of the present technology the number of most information subsequences (N) can be in a range of between about 500 and about 700 subsequences. It should be noted that this number is not limited and is selected for each specific electronic service to maximize the likelihood of an accurate prediction, in use. The number (N) can be selected on those sub-sequences that are most frequently associated with a given class to be predicted as opposed class to be predicted.

As such, in a accordance with a first broad aspect of the present technology, there is provided a method for training a Machine Learning Algorithm (MLA), the MLA executed by a server, the MLA for classifying a user action sequence that is performed by a user with an electronic service using a computer device, the method executable by the server. The method comprises: receiving an indication of interface elements of the electronic service and events associated with the interface elements to be monitored; receiving a plurality of indications of the user action sequence, the user action sequence including occurrence of at least one of: (i) events associated with the interface elements and (ii) user interactions with the interface elements; and associated timestamps, the plurality of indications being of at least two different types of classes, for which the MLA is to be trained for classifying user actions into; generating a training set comprising user action sequences belonging to the at least two different types of classes; the generating a given training set having a given user action sequence including: subdividing the given user action sequence into subsequences, the subdividing being based on a pre-determined set of: max subsequence length, min subsequence length; determining a frequency of each subsequence appearing in the user action sequences belonging to a given one of the at least two different types of classes; scoring each subsequence based on the frequency; selecting n most informative subsequences indicative at the probability of the associated given user action sequence belonging to the given one of the at least two different types of classes; using the training set to train the MLA to classify an in-use user action sequence into one of the at least two types of classes.

In some implementations of the method, the sub-dividing of the given user sequence into subsequences is further based on a number of the most informative features (n).

In some implementations of the method, the subdividing the given user action sequence into subsequences further comprises: in each user action sequence in the training set, searching for n most informative subsequences to generate a set of Boolean features, where each Boolean feature is indicative of whether its corresponding subsequence is present in the given action sequence; and wherein the Boolean feature is used as part of the training set.

In some implementations of the method, the receiving the plurality of indications of the user action sequence comprises receiving the plurality of indications of past user actions that have been marked as belonging to at least two types of classes.

In some implementations of the method, the at least two types of classes comprise one of a legitimate transaction class and a fraudulent transaction class.

In some implementations of the method, the number of the most informative features (n) is pre-defined.

In some implementations of the method, the method further comprises pre-defining the number (n).

In some implementations of the method, the pre-defining the number (n) using a scoring function.

In some implementations of the method, scoring comprises applying a scored using Gini index (1−Σ_i=1^kp_i², where k is the number of classes, and pi is the share of the [i] class.

In some implementations of the method, the MLA is a classifier.

In some implementations of the method, the classifier is based on a decision tree model.

In accordance with another broad aspect of the present technology there is provided a method for classifying a user action sequence that is performed by a user on a computer device in association with an electronic service, the method being executed by a trained Machine Learning Algorithm (MLA), the MLA executed by an electronic device. The method comprises: obtaining a user action sequence, the user action sequence defined by at least one event associated with the user interaction with interface elements of the electronic service; assigning the user action sequence a default class; analyzing the user action sequence by: subdividing the given user action sequence into subsequences, the subdividing being based on a pre-determined set of: max subsequence length, min subsequence length, a number of the most informative features (n); submitting the generated subsequence to the MLA to be used by the MLA to predict a predicted class associated with the user action sequence; in response to the predicted class being different from the default class, generating a trigger indicative of the user action sequence requiring a remedial action.

In some implementations of the method, in response to the predicted class being the same as the default class, repeating the method with a next indication of the user action.

In some implementations of the method, the method further comprises training the MLA using the method of claim 1.

In some implementations of the method, the electronic device is one of a user electronic device used for executing the user action sequence and a server executing the electronic service.

In some implementations of the method, the electronic service is an on-line banking application and wherein the method is executable while the user is performing user interactions with the on-line banking application.

In accordance with yet further non-limiting embodiments of the present technology, there is provided a method for classifying user action sequence that is performed on a computer device. The comprises the following steps:

setting triggers on interface elements and events associated with those elements and other user actions;

recording a user action sequence with accompanying events, along with the timestamps of said actions or events, and assigning a default class to the sequence;

obtaining time data, user data, and the actual class the given sequence of user actions at the given time belongs to, and replacing its default class with the actual class;

generating a training set comprising user action sequences belonging to different classes;

subdividing the user action sequences in the training set into subsequences, based on the following parameters: max subsequence length, min subsequence length, number of the most informative features (n);

for each subsequence, determining the frequency of it belonging to each of the classes;

scoring each subsequence based on the frequency of it belonging to each of the classes and selecting n most informative subsequences pointing at the probability of a given user action sequence belonging to a specified class;

in each user action sequence in the training set, searching for n most informative subsequences to generate a set of Boolean features, where each feature shows whether its corresponding subsequence is present in the given action sequence; and

submitting the generated set of Boolean features as a training set for the classification algorithm.

In accordance with another broad aspect of the present technology, there is provided a method for classifying user action sequence that is performed on a computer device. The method comprises the following steps:

obtaining a user action sequence with accompanying events, along with the timestamps of said actions or events;

assigning a default class to the action sequence;

obtaining time data, user data, and the actual class the given sequence of user actions at the given time belongs to, and replacing its default class with the actual class;

generating a training set comprising user action sequences belonging to different classes;

for each subsequence, determining the frequency of it belonging to each of the classes;

submitting the generated set of Boolean features as a training set for the classification algorithm.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts a schematic representation of system implemented according to non-limiting embodiments of the present technology.

FIG. 2 depicts a block diagram of a flowchart of a method according to some non-limiting embodiments of the present technology, the method executable by the system of FIG. 1.

FIG. 3 depicts a block diagram of a flowchart of a method according to some other non-limiting embodiments of the present technology, the method executable by the system of FIG. 1.

DETAILED DESCRIPTION OF THE NON-LIMITING EMBODIMENTS OF THE TECHNOLOGY

With reference to FIG. 1, there is depicted a system (not separately numbered) implemented in accordance to the non-limiting embodiments of the present technology. The system includes a server 110 that can host a bank web site 105. The bank web site 105 is configured to allow a user (not depicted) to access a personal account (such as a bank account) using an electronic device 120, which electronic device 120 is configured to execute an application 130. The application 130 can be a browser or a dedicated app for allowing the user to access the bank web site 105. In other words, users can view website pages hosted by the server 130 using personal devices 120 via the application 130, e.g. a web browser or a mobile banking app. In accordance with the non-limiting embodiments of the present technology, the system of FIG. 1 is configured to analyze user actions have to determine if they are legitimate or fraudulence.

In some embodiments, personal devices 120 may be implemented (but are not so limited), a smartphone, a tablet, a PDA, a laptop, or a desktop PC.

In order to enable the system of FIG. 1 to determine whether a user action is legitimate or fraudulent, for each website page (or screen in the mobile application), the system of FIG. 1 can receive an indication of user interface elements and events to be tracked. These elements can be defined, for example, by an operator of the system of FIG. 1. The identification of these elements and events, in a sense, flags to the system of FIG. 1 which interface elements and events track based on at least some of: triggers for user interactions with said elements and/or for occurrence of said events.

As an example, where a given bank web site, the so-determined events may include (but are not limited to):

User entering a registration page;

User executing a registration using the registration page;

The registration page providing a registration confirmation;

The registration page providing a registration error;

A registration timeout;

User entering a main (landing) page;

User executing a transfer to another client of the bank;

User executing a transfer to a client of another bank;

User executing a transfer to an organization having a pre-determined <Name>;

User executing a payments to mobile providers;

The system providing a money transfer confirmation;

The system executing a check issue;

User entering a wrong password;

The system providing a timeout error;

User viewing settings of the account/web access;

User viewing information about an insurance policy;

User viewing a card activity;

User viewing an account activity;

User viewing a deposit activity;

User viewing a credit card activity;

User exiting the on-line banking system;

User executing a phone credit recharge.

User actions may include the following:

User selecting an interface element;

User clicking a left/right mouse button;

User browsing through website pages or application screens (e.g. pages of remote banking);

User switching between browser frames or application tabs;

User clicking a button;

User clicking a check button or radio button element;

User editing an input field, or selecting a list item;

User pressing a pre-defined (i.e. any) key.

The system of FIG. 1 is configured, in response to any of the above triggers (i.e. actions or events) being set off in the application 130, the system of FIG. 1 (whether the application 130 or a server 110) stores the data that are associated with that user action or event on the server 110. An example of the data entry: <event_MouseClick>, <01/09/2017 17:53>, <29073>, i.e. a mouse click event occurred at 17:53 on 01/09/2017 in the session of the user 29073.

In some alternative embodiments, the trigger can cause storing the data that is associated with the user action or event on the user device 120.

In some embodiments, events and user actions have codes (e.g. symbols or numbers) associated with them. For instance, the <event_MouseClick> event may be stored as a number, or as a sequence of digits and/or letters.

User ID or other identification data are sent from the server 110 or other servers/systems that identify users (indirectly, as well) to the user device 120.

Interacting with a website, users utilize various interface elements and perform various actions that set off triggers, and their action sequences are recorded along with the events accompanying them.

For example, a user 34029 (a non-limiting example of a user ID) may have the following action sequence when interacting with a website on their device 120:

Such user action sequences are stored on the server 110, or, in some embodiments, on the user device 120, and also have a default class (e.g. legitimate action class (G)) assigned to them.

The number of classes depends on the task to be addressed by the trained MLA. In some embodiments, the following classes are contemplated: F—fraudulent actions, and G—legitimate actions; or, e.g. actions of the user under analysis and actions of all other users; or human actions and bot actions; etc.

In some embodiments of the present technology, at least two (i.e. two or more; three or more, etc.) classes can be defined. For example, a class may comprise the actions of each user, or it may comprise the actions of a group of users, such as children, adults, the elderly. In some non-limiting embodiments of the present classes the default class is assigned based on historical statistical data. As an example only, for a given banking/financial service, the historical data may indicate that 99.95% of users are legitimate users and only 0.05% of users are fraudulent transaction generators. In this example, the default class can be defined as the “legitimate user” (or class G in this example).

If, at some point, it is determined that a user was compromised, i.e. an action or a sequence of actions were performed by a non-authorized third party or a bot, then the server 110 (or, in some embodiments, the user device 120) can determine the compromised action sequence and assign it to the class of fraudulent actions (F).

The sequences comprising user actions of different classes make up a training set that is then used to train the MLA to automatically detect fraudulent actions.

In order to automatically detect fraudulent actions, the following steps are executed within the framework of the system of FIG. 1:

User action sequences are subdivided into subsequences. In some embodiments of the present technology, subdivision can be based on the following parameters: max subsequence length (max_subsequence_length), min subsequence length (min_subsequence_length), number of the most informative features (n). At this step, the classes, to which each subsequence belongs, have already been identified/selected.

It should be noted that the parameters above may be set directly by the administrator of the server 110, e.g. based on their past experience, using A/B experiments, using other known factors.

In those embodiments where the method is implemented on the user device 120, the parameters above may be set by developers or they may be obtained from a settings server (not depicted).

For instance, in some-non limiting embodiments of the present technology, the parameters may be empirically set (particularly, defined). An example of such approach would be to try every reasonable value, wherein the final result is the proof of reasonableness of the output. For instance, the administrator may set max and min values for each parameter and then choose the best ones.

In some embodiments of the present technology, the following non-limiting examples for dividing the action sequence may be used:

- max_subsequence_length = 6, i.e. max length of a

subsequence is 6 in this example;

- min_subsequence_length = 3, i.e. min length of a

subsequence is 3 in this example;

- n = 400, i.e. the number of features is 400 in this example.

Let's assume that there is a coded action sequence (s)=ABFDSAAADOO, wherein each symbol represents a users action or an accompanying event (other attributes, such as timestamps, or user ID, are not taken into account for the purposes of this illustration). This sequence is subdivided into subsequences that have a maximum length of max_subsequence_length=6, which results in the following set: {ABFDSA, BFDSAA, FDSAAA, DSAAAD, SAAADO, AAADOO}.

Each element of this set is then also subdivided in all possible variations of subsequences that have a minimum length of not less than min_subsequence_length, starting from the beginning of the coded user action sequence:

ABFDSA --> {ABF, ABFD, ABFDS, ABFDSA}

BPDSAA --> {BFD, BFDS, BFDSA, BFDSAA}

...

AAADOO --> {AAA, AAAD, AAADO, AAADOO}.

For the last subsequence AAADOO, its endings {AADOO, ADOO, DOO} will also be generated

Then, a general set may be selected, particularly, an ordered set (A) that combines every other set ({ABF, ABFD, ABFDS, ABFDSA}, {BFD, BFDS, BFDSA, BFDSAA}, . . . {AAA, AAAD, AAADO, AAADOO}, {AADOO, ADOO, DOO}) into one, wherein the general set (A) comprises the elements a(1), a(2), . . . , a(U), where U is the power (number of elements) of the general set (A). Please note that each user action sequence will have its own general set (A).

The server 110 (or, in some embodiments, the user device 120) determines the frequency of each element in the set (A) appearing in a specific class (e.g. the legitimate action class or the fraudulent action class, in case these two classes are used). For instance, the sequence ABFDS may appear 500 times among fraudulent sequences, and just 10 times among legitimate ones.

In some non-limiting embodiments of the present technology, the server analyzes the frequency of appearance of each element in a body of past observed fraudulent and legitimate transactions. In other words, the server 110 may have access to a body of past observed interactions, where the interactions were marked as actually fraudulent (for example by a fraud department of a financial institution) or legitimate. This step allows the server 110 to determine (broadly speaking) of the given element in the set (A) is more likely to be associated with fraudulent transaction or a legitimate one.

Then, the server 110 (or, in some embodiments, the user device 120) scores each element in the set (A) taking into account its frequency of appearing in each of the classes, selecting a pre-determined number of N most informative elements that are indicative of the probability of the element in the set (user action subsequence) belonging to the given class. In accordance with the non-limiting embodiments the most informative are those elements that are better correlated to the determination of the nature of the given transaction (fraudulent or legitimate, as an example). How the N-most informative element is selected will be described in greater detail herein below.

In some embodiments, the elements are scored using Gini index (1−Σ_i=1^kp_i²), where k is the number of classes (e.g. two classes: legitimate actions and fraudulent actions), and pi is the share of the [i] class.

In other embodiments, elements are scored using the number of fraudulent sequences.

In yet other embodiments, elements are scored using the number of legitimate sequences.

Then, the server 110 (or, in some embodiments, the user device 120) searches for n most indicative elements that have been selected earlier in the set (A) for each user action sequence in the training set, thus generating a set of boolean features (a set of n-sized vectors), where each vector element (feature) marks that this element (subsequence) is a part of a given action sequence.

For the illustration to be presented herein below, let it be assume that the resultant training set can contain, for example, the following user action sequence (A): ABFFAADOSDOOG. Using this as a non-limiting example, an illustration of various routines of the non-limiting embodiments of the present technology will now be presented.

An example of feature generation: there are three subsequences (elements in the set A) that are the most indicative ones: DOO, BFDSA, AAD (at n=3). There will be n selected features.

For this action sequence, the server 110 (or, in some embodiments, the user device 120) conducts a search for DOO, BFDSA, and AAD subsequences, thus generating a set (vector) of n (three, in this example) Boolean features {1, 0, 1}, where 1 means that the given subsequence is present in the sequence, and 0 means it does not.

In some embodiments, in order to improve efficiency, a unique Boolean function (f1, f2, . . . fn) is generated for each selected indicative feature, the function determining whether the given feature is present in the user action sequence or not.

The generated set of feature vectors, together with the vector classes, is then inputted into the classification algorithm (machine learning algorithm) as a training set.

The training set can contain sets of features that were reliably identified as belonging to different classes, i.e. feature vectors of legitimate action sequences and feature vectors of fraudulent action sequences.

Machine learning algorithms may include, but are not limited to, the Random Forest algorithm, the Support Vector Machine (SVM), or any other classification algorithm, including classifier ensembles.

After the classifier (classifier ensemble) has been trained, the server 110 (or, in some embodiments, the user device 120) can be considered to be trained to be able to use this classifier to determine whether user actions are legitimate or not. In case user actions have been identified as not legitimate (fraudulent), the server 110 is configured to take corresponding measures, such as to block the user, cancel an operation, etc., whatever is appropriate in a given situation.

As a rule, after the classifier (classifier ensemble) has been trained, the server 110 determines the class the in-use user action sequence belongs to, as follows:

recording the user action sequence; determining the vector of Boolean features using n informative features of the sequence in question, selected before; passing the vector over to the trained classifier, which then returns a priori probabilities of the sequence in question belonging to each of the classes.

It should be noted that, in a non-limiting embodiment, a training set of no less than 2000 fraud facts over the recent days (e.g. 90 days) should be used in order to reliably detect fraudulent actions.

For instance, the training set may be created using data collected over the past several days, e.g. days 85-90. Such data are used to train the classifier, particularly by means of machine learning. Then, the training results are applied to the data from days 1st-5th of the exemplary range in order to test the classifier. Please note that the training may be repeated regularly, e.g. once a week.

Reliability of scoring (particularly, the scoring function) may be increased by creating an ensemble made up of several classifiers, e.g. three classifiers. In this case, for example, the first classifier is trained using the data from days (−90)-(−5); the second classifier is trained using the data from days (−97)-(−13); and the third classifier is trained using the data from days (−104)-(−19)/The final scoring or a classifier ensemble may be calculated using the Kolmogorov mean (see en.wikipedia.org/wiki/Quasi-arithmetic_mean). For instance, an arithmetic mean can be calculated.

We will now turn our attention to the non-limiting examples of implementation of how the most informative feature can be selected. It should be noted that the scoring function (used for scoring calculations) is an example of a function for determining informativity. This can be illustrated by the calc_score function (shown below) that is written in Python:

{grave over ( )}{grave over ( )}{grave over ( )}python

def calc_score(g_count, f_count, ratio):

“““

Scoring function

:param g_count: legal number

:param f_count: fraudulent number

:param ratio: the ratio between the total number of legitimate

actions and the total number of fraudulent actions

:return: number

0 -- equivocal

>0 -- likely fraudulent

<0 -- likely legitimate

The farther the value is from zero, the likelier its classification is.

”””

if g_count == 0 and f_count == 0:

return 0

if g_count == 0:

return +1.0

if f_count == 0:

return −1.0

return (float(2*f_count*ratio)/(f_count*ratio+g_count) − 1.0)

{grave over ( )}{grave over ( )}{grave over ( )}

In some non-limiting embodiments of the present technology, the calc_score function operates as follows: if the input of the module is a positive number, then the module returns the same number; if the input of the module is a negative number, then the module returns the number multiplied by (−1).

Also note that the calc_score function (or a similar one) may depend on two or more parameters, particularly, on three parameters. In this case, the function may return the informativity number that is directly proportionate to the informativity of a feature. For instance, for three equicardinal classes, the following function (example 3), written in Python, may be used to calculate informativity:

{grave over ( )}{grave over ( )}{grave over ( )}python

def example3(a1_count, a2_count, a3_count):

b1 = a1_count / a2_count if a1_count > a2_count else a2_count /

a1_count

b2 = a2_count / a3_count if a2_count > a3_count else a3_count /

a2_count

b3 = a1_count / a3_count if a1_count > a3_count else a3_count /

a1_count

return min([b1, b2, b3])

{grave over ( )}{grave over ( )}{grave over ( )}

In some non-limiting embodiments of the present technology, classes are considered equicardinal for a certain set (e.g. a training set), if the set contains equal number of elements (chains) of these classes. For instance, in an equicardinal set with two classes—fraudulent action class and legal action class—the number of fraudulent chains is equal to the number of legal chains.

Also, in some non-limiting embodiments of the present technology, for non-equicardinal classes, there may be added at least three values, e.g. ratio1, ratio2, ratio3, which reflect the ratio between the number of elements of each individual class and the number of elements in the largest class. In some non-limiting embodiments of the present technology, one of these three values is always a 1 (one class is the largest, so its ratio to itself is 1), wherein the following function can be defined, which is a correction to example 3 taking into account ratio1, ratio2, and ratio3:

{grave over ( )}{grave over ( )}{grave over ( )}python

def example3_ratio(a1_count, a2_count, a3_count):

return example3(a1_count / ratio 1, a2_count/ ratio2, a3_count / ratio3)

{grave over ( )}{grave over ( )}’

Using the informativity function (example 3_ratio) n most informative subsequences may be determined (see above).

In some non-limiting embodiments of the present technology, sequence informativity may be determined using another approach. This approach may be illustrated as follows.

A directed forest (gB) is built. Initially, it is empty, i.e. contains no vertices and no trees. Every edge of every tree has two weights corresponding to two classes—F and G: w(F) and w(G). Each vertex is marked with a letter.

A sequence (s)=ABFDSAAADOO is divided into all sorts of subsequences, wherein each subsequence is (max_subsequence_length) long.

For each subsequence, the determination of the most indicative/illustrative features may include:

- traversing all vertices of the graph (gB) in the given subsequence. For instance, for ABFDSAAA there will be a subgraph (gi): A→B→F→D→S→A.
- adding a vertex with weights w(F)=0, w(G)=0, if there is none. Then, depending on the class, the corresponding weight is increased by 1. For a fraudulent subsequence (F), w(F):=w(F)+1; and for a legitimate subsequence (G), w(G):=w(G)+1. Moving on to the next subsequence. After a subsequence is traversed, the algorithm proceeds to the next subsequence.

It results in a graph (gB). Then, a plurality of edges is built, so that the paths to the root are not shorter than min_subsequence_length. Each edge is then scored (see above) using the weights w(F) and w(G). Then, n most probable edges (equal to the number of most indicative features) are selected. Then, for each such edge, a single sequence is built as follows: both vertices or the edge are selected, along with its antecedents. The vertices thus selected are placed in the edge order, where each subsequence refers to an individual feature.

In conclusion, it should be noted that the details given in the description are examples that do not limit the scope of the present technology as defined by the claims. It is clear to a person skilled in the art that there may be other embodiments that are consistent with the spirit and scope of the present invention.

Claims

1. A method for training a Machine Learning Algorithm (MLA), the MLA executed by a server, the MLA for classifying a user action sequence that is performed by a user with an electronic service using a computer device, the method executable by the server, the method comprising: receiving an indication of interface elements of the electronic service and events associated with the interface elements to be monitored;receiving an indication of a given training user action sequence of a plurality of training user action sequences, the given training user action sequence including user interactions with the interface elements and associated timestampsreceiving an indication of sets of past user action sequences, a given set of past user action sequences is assigned with a respective class of user action sequences of at least two different classes, for which the MLA is to be trained for classifying in-use user actions into;generating a training set comprising a plurality of training objects, a given training object of the plurality of training objects being generated based on a respective training user action sequence of the plurality of training user actions sequences, generating the given training object including: subdividing the respective training user action sequence into subsequences, by: obtaining a max subsequence length to divide the respective training user action into a plurality of sets of the max subsequence length each; andobtaining a min subsequence length to divide each one of the plurality of sets into the subsequences so as to define, within a given one of the plurality of sets, for a given subsequence length from the min subsequence length to the max subsequence length, a respective plurality of sub sequences;determining, for a given subsequence of the plurality of training user action sequences, a respective frequency value of the given subsequence appearing in each of the sets of past user action sequences associated with the respective class of the at least two different classes;determining, for the given subsequence, a respective class as being the respective class associated with that set of past user action sequences in which the given subsequence most frequently appeared;selecting, for a given class of the at least two different classes, based on respective frequency values of the subsequences, at least one most informative subsequence indicative of a probability of an in-use user action sequence including the at least one most informative subsequence being of the given class of the at least two different classes; andgenerating, for the respective training user action sequence, a respective vector, a given vector element of which is indicative of whether the respective training user action sequence includes a respective one of the at least one most informative subsequence; andusing the training set to train the MLA to classify the in-use user action sequence into one of the at least two classes.
2. The method of claim 1, wherein the subdividing the respective training user sequence into the subsequences is further based on the number of most informative subsequences.
3. The method of claim 1, wherein the given vector element comprises a respective Boolean feature indicative of whether the respective training user action sequence includes the respective one of the at least one most informative subsequence.
4. The method of claim 1, wherein the given training user action sequence comprises a given one of a plurality past user actions that have been marked as belonging to the at least two different classes.
5. The method of claim 1, wherein the at least two different classes comprise one of a legitimate transaction class and a fraudulent transaction class.
6. The method of claim 1, wherein a number of the at least one most informative subsequence is pre-defined.
7. The method of claim 6, wherein the method further comprises pre-defining the number of the at least one most informative subsequence.
8. The method of claim 7, wherein the pre-defining comprises using a scoring function.
9. The method of claim 1, wherein the selecting the at least one most informative subsequence comprises scoring each one of the subsequences based on the respective frequency values associated therewith, the scoring comprises applying a Gini index (1−Σi=1kpi2), where k is a number of classes, andpi is a share of an ith class.
10. The method of claim 1, wherein the MLA is a classifier.
11. The method of claim 10, wherein the classifier is based on a decision tree model.
12. A method for classifying a user action sequence that is performed by a user on a computer device in association with an electronic service, the method being executed by a trained Machine Learning Algorithm (MLA), the MLA executed by an electronic device; the method comprising: obtaining the user action sequence, the user action sequence defined by at least one event associated with a respective user interaction with interface elements of the electronic service;assigning the user action sequence a default class;identifying, within the user action sequence, a plurality of subsequences by subdividing the user action sequence, the subdividing comprising: obtaining a max subsequence length to divide the user action into a plurality of sets of the max subsequence length each;obtaining a min subsequence length to divide each one of the plurality of sets into subsequences so as to define, within a given one of the plurality of sets, for a given subsequence length from the min subsequence length to the max subsequence length, a respective sub-plurality of subsequences; andobtaining a number of most informative subsequences;generating, for the user action sequence, a respective vector, a given vector element of which is indicative of whether the plurality of subsequences of the user actions sequence includes a respective one of the number of most informative subsequences; andfeeding the respective vector to the MLA to determine a predicted class associated with the user action sequence; andin response to the predicted class being different from the default class, generating a trigger indicative of the user action sequence requiring a remedial action.
13. The method of claim 12, wherein in response to the predicted class being same as the default class, the method further comprises receiving a next user action sequence for determining a respective predicted class thereof.
14. The method of claim 12, wherein the method further comprises training the MLA based on a training set, the trainings set composing a plurality of training objects, each of which has been generated based on a respective training user action sequence of a plurality of training user actions sequences.
15. The method of claim 12, wherein the electronic device is one of the computer device used by the user for executing the user action sequence and a server executing the electronic service.
16. The method of claim 12, wherein the electronic service is an on-line banking application and wherein the method is executable while the user is performing user interactions with the on-line banking application.

Priority Claims (1)

Number	Date	Country	Kind
RU2017140501	Nov 2017	RU	national

US Referenced Citations (157)

Number	Name	Date	Kind
7225343	Honig et al.	May 2007	B1
7496628	Arnold et al.	Feb 2009	B2
7631362	Ramsey	Dec 2009	B2
7712136	Sprosts et al.	May 2010	B2
7730040	Reasor et al.	Jun 2010	B2
7865953	Hsieh et al.	Jan 2011	B1
7958555	Chen et al.	Jun 2011	B1
7984500	Khanna et al.	Jul 2011	B1
8132250	Judge et al.	Mar 2012	B2
8151341	Gudov	Apr 2012	B1
8255532	Smith-Mickelson et al.	Aug 2012	B2
8260914	Ranjan	Sep 2012	B1
8285830	Stout et al.	Oct 2012	B1
8402543	Ranjan et al.	Mar 2013	B1
8448245	Banerjee et al.	May 2013	B2
8532382	Ioffe	Sep 2013	B1
8539582	Aziz et al.	Sep 2013	B1
8555388	Wang et al.	Oct 2013	B1
8561177	Aziz et al.	Oct 2013	B1
8600993	Gupta et al.	Dec 2013	B1
8606725	Agichtein et al.	Dec 2013	B1
8612463	Brdiczka et al.	Dec 2013	B2
8625033	Marwood et al.	Jan 2014	B1
8635696	Aziz	Jan 2014	B1
8650080	O'Connell et al.	Feb 2014	B2
8660296	Ioffe	Feb 2014	B1
8677472	Dotan et al.	Mar 2014	B1
8776229	Aziz	Jul 2014	B1
8850571	Staniford et al.	Sep 2014	B2
8856937	Wüest et al.	Oct 2014	B1
8972412	Christian et al.	Mar 2015	B1
8984640	Emigh et al.	Mar 2015	B1
9026840	Kim	May 2015	B1
9060018	Yu et al.	Jun 2015	B1
9185095	Moritz et al.	Nov 2015	B1
9210111	Chasin et al.	Dec 2015	B2
9215239	Wang et al.	Dec 2015	B1
9253208	Koshelev	Feb 2016	B1
9330258	Satish et al.	May 2016	B1
9338181	Burns et al.	May 2016	B1
9357469	Smith et al.	May 2016	B2
9456000	Spiro et al.	Sep 2016	B1
9590986	Zizi et al.	Mar 2017	B2
9654593	Parg et al.	May 2017	B2
9723344	Granström et al.	Aug 2017	B1
9736178	Ashley	Aug 2017	B1
9917852	Xu et al.	Mar 2018	B1
9934376	Ismael	Apr 2018	B1
20020112048	Gruyer et al.	Aug 2002	A1
20020161862	Horvitz	Oct 2002	A1
20030009696	Bunker et al.	Jan 2003	A1
20060074858	Etzold et al.	Apr 2006	A1
20060107321	Tzadikario	May 2006	A1
20060224898	Ahmed	Oct 2006	A1
20060253582	Dixon et al.	Nov 2006	A1
20070019543	Wei et al.	Jan 2007	A1
20070101155	Hoghaug et al.	May 2007	A1
20070239999	Honig et al.	Oct 2007	A1
20080222712	O'Connell et al.	Sep 2008	A1
20090138342	Otto et al.	May 2009	A1
20090281852	Abhari et al.	Nov 2009	A1
20090292925	Meisel	Nov 2009	A1
20100011124	Wei et al.	Jan 2010	A1
20100037314	Perdisci et al.	Feb 2010	A1
20100076857	Deo et al.	Mar 2010	A1
20100115620	Alme	May 2010	A1
20100115621	Staniford et al.	May 2010	A1
20100191737	Friedman et al.	Jul 2010	A1
20100205665	Komili et al.	Aug 2010	A1
20100235918	Mizrahi et al.	Sep 2010	A1
20110222787	Thiemert et al.	Sep 2011	A1
20120030293	Bobotek	Feb 2012	A1
20120079596	Thomas et al.	Mar 2012	A1
20120087583	Yang et al.	Apr 2012	A1
20120158626	Zhu et al.	Jun 2012	A1
20120233656	Rieschick et al.	Sep 2012	A1
20120291125	Maria	Nov 2012	A1
20130086677	Ma et al.	Apr 2013	A1
20130103666	Sandberg et al.	Apr 2013	A1
20130111591	Topan et al.	May 2013	A1
20130117848	Golshan et al.	May 2013	A1
20130191364	Kamel et al.	Jul 2013	A1
20130263264	Klein et al.	Oct 2013	A1
20130297619	Chandrasekaran et al.	Nov 2013	A1
20130340080	Gostev et al.	Dec 2013	A1
20130343616	Forero et al.	Dec 2013	A1
20140033307	Schmidtler	Jan 2014	A1
20140058854	Ranganath et al.	Feb 2014	A1
20140082730	Vashist et al.	Mar 2014	A1
20140173287	Mizunuma	Jun 2014	A1
20140310811	Hentunen	Oct 2014	A1
20150007250	Dicato, Jr. et al.	Jan 2015	A1
20150049547	Kim	Feb 2015	A1
20150067839	Wardman et al.	Mar 2015	A1
20150163242	Laidlaw et al.	Jun 2015	A1
20150169854	Chang et al.	Jun 2015	A1
20150170312	Mehta et al.	Jun 2015	A1
20150200963	Geng et al.	Jul 2015	A1
20150220735	Paithane et al.	Aug 2015	A1
20150295945	Canzanese et al.	Oct 2015	A1
20150310196	Turgeman	Oct 2015	A1
20150363791	Raz et al.	Dec 2015	A1
20150381654	Wang et al.	Dec 2015	A1
20160036837	Jain et al.	Feb 2016	A1
20160036838	Jain et al.	Feb 2016	A1
20160044054	Stiansen et al.	Feb 2016	A1
20160055490	Keren et al.	Feb 2016	A1
20160065595	Kim et al.	Mar 2016	A1
20160112445	Abramowitz	Apr 2016	A1
20160127907	Baxley et al.	May 2016	A1
20160149943	Kaloroumakis et al.	May 2016	A1
20160171197	Song et al.	Jun 2016	A1
20160191243	Manning	Jun 2016	A1
20160205122	Bassett	Jul 2016	A1
20160205123	Almurayh et al.	Jul 2016	A1
20160226894	Lee et al.	Aug 2016	A1
20160253679	Venkatraman et al.	Sep 2016	A1
20160261628	Doron et al.	Sep 2016	A1
20160267179	Mei et al.	Sep 2016	A1
20160285907	Nguyen et al.	Sep 2016	A1
20160306974	Turgeman	Oct 2016	A1
20160307201	Turgeman	Oct 2016	A1
20160359679	Parandehgheibi et al.	Dec 2016	A1
20170032250	Chang	Feb 2017	A1
20170034211	Buergi et al.	Feb 2017	A1
20170111377	Park et al.	Apr 2017	A1
20170134401	Medvedovsky et al.	May 2017	A1
20170140279	Turgeman	May 2017	A1
20170142144	Weinberger et al.	May 2017	A1
20170149813	Wright et al.	May 2017	A1
20170200457	Chai et al.	Jul 2017	A1
20170221064	Turgeman et al.	Aug 2017	A1
20170230401	Ahmed et al.	Aug 2017	A1
20170244735	Visbal et al.	Aug 2017	A1
20170250972	Ronda et al.	Aug 2017	A1
20170272471	Veeramachaneni et al.	Sep 2017	A1
20170279818	Milazzo et al.	Sep 2017	A1
20170286544	Hunt et al.	Oct 2017	A1
20170289187	Noel et al.	Oct 2017	A1
20170295157	Chavez et al.	Oct 2017	A1
20170295187	Havelka et al.	Oct 2017	A1
20170324738	Hari et al.	Nov 2017	A1
20170346839	Peppe et al.	Nov 2017	A1
20180012021	Volkov	Jan 2018	A1
20180012144	Ding et al.	Jan 2018	A1
20180034779	Ahuja et al.	Feb 2018	A1
20180063190	Wright et al.	Mar 2018	A1
20180096153	Dewitte et al.	Apr 2018	A1
20180115573	Kuo et al.	Apr 2018	A1
20180268464	Li	Sep 2018	A1
20180307832	Ijiro et al.	Oct 2018	A1
20180309787	Evron et al.	Oct 2018	A1
20180322287	Zhao	Nov 2018	A1
20190089737	Shayevitz et al.	Mar 2019	A1
20190207973	Peng	Jul 2019	A1
20190373005	Bassett	Dec 2019	A1
20200134702	Li	Apr 2020	A1

Foreign Referenced Citations (60)

Number	Date	Country
2606326	Nov 2006	CA
103491205	Jan 2014	CN
104504307	Apr 2015	CN
105429956	Mar 2016	CN
105897714	Aug 2016	CN
106131016	Nov 2016	CN
106202482	Dec 2016	CN
106355450	Jan 2017	CN
106506435	Mar 2017	CN
106713312	May 2017	CN
107392456	Nov 2017	CN
1160646	Dec 2001	EP
2410452	Jan 2016	EP
2477136	Apr 2018	EP
2437100	Oct 2007	GB
2470579	Dec 2010	GB
2493514	Feb 2013	GB
10-2007-0049514	May 2007	KR
20090022682	Mar 2009	KR
100923179	Oct 2009	KR
10-1514984	Apr 2015	KR
20190018197	Feb 2019	KR
2333532	Sep 2008	RU
2382400	Feb 2010	RU
107616	Aug 2011	RU
2446459	Mar 2012	RU
129279	Jun 2013	RU
2487406	Jul 2013	RU
2488880	Jul 2013	RU
2495486	Oct 2013	RU
2522019	Jul 2014	RU
2523114	Jul 2014	RU
2530210	Oct 2014	RU
2536664	Dec 2014	RU
2538292	Jan 2015	RU
2543564	Mar 2015	RU
2566329	Oct 2015	RU
2571594	Dec 2015	RU
2589310	Jul 2016	RU
164629	Sep 2016	RU
2607231	Jan 2017	RU
2610586	Feb 2017	RU
2613535	Mar 2017	RU
2622870	Jun 2017	RU
172497	Jul 2017	RU
2625050	Jul 2017	RU
2628192	Aug 2017	RU
2636702	Nov 2017	RU
2649793	Apr 2018	RU
2670030	Oct 2018	RU
2670906	Dec 2018	RU
2681699	Mar 2019	RU
0245380	Jun 2002	WO
2009026564	Feb 2009	WO
2011045424	Apr 2011	WO
2011039371	Apr 2011	WO
2012015171	Feb 2012	WO
2017070600	Apr 2017	WO
2019010182	Jan 2019	WO
2019035491	Feb 2019	WO

Non-Patent Literature Citations (65)

Entry
Brownlee, Jason How To Implement The Decision Tree Algorithm From Scratch In Python (all pages) (Year: 2016).
Office Action received with regard to the counterpart U.S. Appl. No. 15/858,032 dated Apr. 6, 2020.
Office Action with regard to the counterpart U.S. Appl. No. 15/707,641 dated Apr. 25, 2019.
Search Report with regard to the counterpart SG Patent Application No. 10201900062S dated Dec. 5, 2019.
Search Report with regard to the counterpart SG Patent Application No. 10201900060Y dated Dec. 5, 2019.
English Abstract for CN 105429956 retrieved on Espacenet on Jan. 7, 2020.
English Abstract for CN 104504307 retrieved on Espacenet on Jan. 7, 2020.
Search Report with regard to the counterpart RU Patent Application No. 2018144708 dated Aug. 16, 2019.
Search Report with regard to the counterpart RU Patent Application No. 2018147431 dated Aug. 15, 2019.
English Translation of KR10-2007-0049514 (Description, Claims) retrieved on Espacenet on Oct. 15, 2019.
English Abstract of KR10-1514984 retrieved on Espacenet on Oct. 15, 2019.
Notice of Allowance with regard to the counterpart U.S. Appl. No. 15/707,641 dated Oct. 30, 2019.
Whyte, “DNS-based Detection of Scanning Worms in an Enterprise Network”, Aug. 2004, NOSS, pp. 1-17 (Year: 2005)—cited by Examiner in the Notice of Allowance with regard to the counterpart U.S. Appl. No. 15/707,641.
English Abstract of RU 107616 retrieved on Espacenet on Jul. 3, 2017.
European Search Report with regard to EP17180099 dated Nov. 28, 2017.
European Search Report with regard to EP17191900 dated Jan. 11, 2018.
Yoshioka et al., “Sandbox Analysis with Controlled Internet Connection for Observing Temporal Changes of Malware Behavior”, https://www.researchgate.net/publication/254198606, 15 pages.
Yoshioka et al., “Multi-Pass Malware Sandbox Analysis with Controlled Internet Connection”, IEICE Transactions On Fundamentals of Electronics, Communications and Computer Sciences, Engineering Sciences Society, Tokyo, 2010, vol. E93A, No. 1, p.p. 210-218.
Wikipedia, “Blockchain”, https://en.wikipedia.org/wiki/Blockchain, pdf document, 18 pages.
Search Report with regard to the counterpart RU Patent Application No. 2018101764 dated Jun. 29, 2018.
Search Report with regard to the counterpart RU Patent Application No. 2018101761 dated Jun. 20, 2018.
International Search Report with regard to the counterpart Patent Application No. PCT/RU2016/000526 dated Jun. 1, 2017.
Search Report with regard to the counterpart RU Patent Application No. 2018101760 dated Jun. 22, 2018.
Search Report with regard to the counterpart RU Patent Application No. 2018101759 dated Sep. 7, 2018.
English Abstract of RU129279 retrieved on Espacenet on Sep. 11, 2017.
English Abstract of RU 164629 retrieved on Espacenet on Sep. 11, 2017.
English Abstract of RU2538292 retrieved on Espacenet on Sep. 11, 2017.
Prakash et al., “PhishNet: Predictive Blacklisting to Detect Phishing Attacks”, INFOCON, 2010 Proceedings IEEE, USA, 2010, ISBN: 978-1-4244-5836-3, doc. 22 pages.
Search Report with regard to the counterpart Patent Application No. RU2018105377 dated Oct. 15, 2018.
Search Report with regard to the counterpart RU Patent Application No. 2018101763 dated Jan. 11, 2019.
Search Report with regard to the counterpart RU Patent Application No. 2016137336 dated Jun. 6, 2017.
English Abstract of RU2522019 retrieved on Espacenet on Jan. 25, 2019.
Search Report with regard to the counterpart RU Patent Application No. 2017140501 dated Jul. 11, 2018.
European Search Report with regard to the counterpart EP Patent Application No. EP17210904 dated May 16, 2018.
Notice of Allowance with regard to the counterpart U.S. Appl. No. 15/858,013 dated Jun. 10, 2020.
Office Action with regard to the counterpart U.S. Appl. No. 15/858,013 dated Nov. 22, 2019.
Office Action with regard to the counterpart U.S. Appl. No. 16/261,854 dated Oct. 21, 2019.
Notice of Allowance with regard to the counterpart U.S. Appl. No. 15/858,013 dated May 8, 2020.
Office Action with regard to the counterpart U.S. Appl. No. 16/270,341 dated May 27, 2020.
International Search Report with regard to the counterpart Patent Application No. PCT/RU2019/000232 dated Jan. 9, 2020.
English Abstract for CN 106355450 retrieved on Espacenet on Jan. 4, 2021.
English Abstract for CN 106202482 retrieved on Espacenet on Jan. 4, 2021.
Wikipedia, “Focus (computing)”, https://en.wikipedia org/wiki/Focus_(computing), accessed on Jan. 4, 2021, pdf 5 pages.
Wikipedia, “Collaborative software”, https://en.wikipedia.org/wiki/Collaborative_software, accessed on Jan. 4, 2021, pdf 11 pages.
International Search Report with regard to the Patent Application No. PCT/RU2019/000169 dated Dec. 5, 2019.
International Search Report and Written Opinion with regard to the counterpart Patent Application No. PCT/RU2019/000126 dated Nov. 28, 2019.
English Abstract for KR100923179 retrieved on Espacenet on Dec. 3, 2020.
English Abstract for KR20090022682 retrieved on Espacenet on Dec. 3, 2020.
English Abstract for KR20190018197 retrieved on Espacenet on Dec. 3, 2020.
Wikipedia, “Keystroke dynamics”, https://en.wikipedia.org/wiki/Keystroke_dynamics, accessed on Jan. 4, 2021, pdf 3 pages.
Wikipedia, “Feature extraction”, https://en.wikipedia.org/wiki/Feature_extraction, accessed on Jan. 4, 2021, pdf 7 pages.
Wikipedia, “Scancode”, ru.wikipedia.org/w/index.php?title=%D0%A1%D0%BA%D0%B0%D0%BD-%D0%BA%D0%BE%D0%B4&oldid=98124315, accessed on Feb. 8, 2021, pdf 9 pages.
English Translation of CN106713312, ©Questel—FAMPAT, Jul. 17, 2019.
English Translation of CN105897714, ©Questel—FAMPAT, Jul. 17, 2019.
English Translation of CN106506435, ©Questel—FAMPAT, Jul. 26, 2019.
English Translation of CN107392456, ©Questel—FAMPAT, Jul. 29, 2019.
English Translation of CN103491205, ©Questel—FAMPAT, Jul. 29, 2019.
English Translation of CN106131016, ©Questel—FAMPAT, Jul. 17, 2019.
Invitation to Respond to Written Opinion dated Aug. 5, 2019 with regard to the counterpart SG Patent Application No. 10201900339Q.
Invitation to Respond to Written Opinion dated Aug. 5, 2019 with regard to the counterpart SG Patent Application No. 10201901079U.
Invitation to Respond to Written Opinion datedd Jul. 31, 2019 with regard to the counterpart SG Patent Application No. 10201900335P.
Search Report with regard to RU Patent Application No. 2019107535 dated Dec. 13, 2022.
English Description and Claims for RU2333532 retrieved on Espacenet on Dec. 28, 2022.
English Abstract for RU172497 retrieved on Espacenet on Dec. 28, 2022.
Russian Search Report dated Mar. 2, 2023 issued in respect of the counterpart Russian Patent Application No. RU 2019111675.

Related Publications (1)

	Number	Date	Country
	20190156160 A1	May 2019	US

Method for classifying user action sequence

Information

Patent Number

Date Filed

Date Issued

Inventors

Original Assignees

Examiners

Agents

CPC

Field of Search

CPC

International Classifications

Term Extension