Search

US-12619935-B2 - Systems and methods for system collusion detection

US12619935B2US 12619935 B2US12619935 B2US 12619935B2US-12619935-B2

Abstract

Systems and methods of generating fraud detection models and controlling network permissions of one or more systems within a network environment are disclosed. A network activity dataset comprising data representative of network activity within a network environment is received and at least one co-controlled system in the network activity dataset is identified by implementing a trained fraud detection model configured to receive the network activity dataset and output a fraud determination for each system having at least a first role in the network activity data. The fraud determination represents a likelihood of a system having the first role engaging in a co-controlled network activity. In response to identifying the at least one co-controlled system, one or more permissions of the at least one co-controlled system for operating within the network environment are modified.

Inventors

  • Kirti PANDE
  • Jing Xia

Assignees

  • WALMART APOLLO, LLC

Dates

Publication Date
20260505
Application Date
20240131

Claims (20)

  1. 1 . A system, comprising: a processor; and a non-transitory memory storing instructions that, when executed, cause the processor to: receive a network activity dataset comprising data representative of network activity within a network environment that includes transactional behaviors for one or more interactions or operations within the network environment or time features representative of a time period for a corresponding interaction or operation; identify at least one co-controlled system in the network activity dataset by implementing a trained fraud detection model that receives the network activity dataset and output a fraud determination for each system having at least a first role in the network activity data, wherein the fraud determination represents a likelihood of a system having the first role engaging in a co-controlled network activity; and in response to identifying the at least one co-controlled system, modify one or more permissions of the at least one co-controlled system for operating within the network environment by limiting the at least one co-controlled system from performing one or more network activities in the network activity dataset.
  2. 2 . The system of claim 1 , wherein the trained fraud detection model is generated by an iterative training process that receives a model framework and a training dataset.
  3. 3 . The system of claim 2 , wherein the training dataset comprises a labeled dataset generated by applying one of a plurality of labels to one or more activities represented in the training dataset.
  4. 4 . The system of claim 1 , wherein the trained fraud detection model comprises a multiclass classification model.
  5. 5 . The system of claim 4 , wherein the multiclass classification model comprises an XGBoost framework.
  6. 6 . The system of claim 1 , wherein the network activity dataset includes at least one feature representative of a time period for one or more corresponding activities, and wherein the trained fraud detection model applies a first threshold for classification of the at least one co-controlled system for a first time period and a second threshold for classification of the at least one co-controlled system for a second time period.
  7. 7 . The system of claim 1 , wherein the output of the trained fraud detection model is representative of a predicted likelihood of each system engaging in one of a plurality of co-controlled activities.
  8. 8 . The system of claim 1 , wherein the output of the trained fraud detection model includes at least one reason code.
  9. 9 . The system of claim 8 , wherein the at least one reason code comprises a Shapley Additive explanations (SHAP) value.
  10. 10 . A computer-implemented method, comprising: receiving a network activity dataset comprising data representative of network activity within a network environment that includes transactional behaviors for one or more interactions or operations within the network environment or time features representative of a time period for a corresponding interaction or operation; identifying at least one co-controlled system in the network activity dataset by implementing a trained fraud detection model configured to receive the network activity dataset and output a fraud determination for each system having at least a first role in the network activity data, wherein the fraud determination represents a likelihood of a system having the first role engaging in a co-controlled network activity; and in response to identifying the at least one co-controlled system, modifying one or more permissions of the at least one co-controlled system for operating within the network environment by limiting the at least one co-controlled system from performing one or more network activities in the network activity dataset.
  11. 11 . The computer-implemented method of claim 10 , wherein the trained fraud detection model is generated by an iterative training process configured to receive a model framework and a training dataset.
  12. 12 . The computer-implemented method of claim 11 , wherein the training dataset comprises a labeled dataset generated by applying one of a plurality of labels to one or more activities represented in the training dataset.
  13. 13 . The computer-implemented method of claim 10 , wherein the trained fraud detection model comprises a multiclass classification model.
  14. 14 . The computer-implemented method of claim 13 , wherein the multiclass classification model comprises an XGBoost framework.
  15. 15 . The computer-implemented method of claim 10 , wherein the network activity dataset includes at least one feature representative of a time period for one or more corresponding activities, and wherein the trained fraud detection model is configured to apply a first threshold for classification of each system for a first time period and a second threshold for classification of each system for a second time period.
  16. 16 . The computer-implemented method of claim 10 , wherein the output of the trained fraud detection model is representative of a predicted likelihood of each system engaging in one of a plurality of co-controlled activities.
  17. 17 . The computer-implemented method of claim 10 , wherein the output of the trained fraud detection model includes at least one reason code.
  18. 18 . The computer-implemented method of claim 17 , wherein the at least one reason code comprises a Shapley Additive explanations (SHAP) value.
  19. 19 . A non-transitory computer readable medium having instructions stored thereon, wherein the instructions, when executed by at least one processor, cause at least one device to perform operations comprising: training a fraud detection model to receive an input dataset representative of network activity and output a fraud determination for each system having at least a first role in the input dataset representative of network activity, wherein the input dataset includes transactional behaviors for one or more interactions or operations within a network environment or at least one feature representative of a time period for one or more corresponding interactions or operations, and wherein the trained fraud detection model that applies a first threshold for classification of each system for a first time period and a second threshold for classification of each system for a second time period, wherein the output of the trained fraud detection model is representative of a predicted likelihood of each system engaging in one of a plurality of co-controlled activities; receiving a network activity dataset for the network environment; identifying at least one co-controlled system in the network activity dataset by providing the network activity dataset to the trained fraud detection model, wherein the trained fraud detection model that generates the fraud determination for each system in the network activity dataset; and in response to identifying the at least one co-controlled system, modifying one or more permissions of the at least one co-controlled system for operating within the network environment by limiting the at least one co-controlled system from performing one or more network activities in the network activity dataset.
  20. 20 . The non-transitory computer readable medium of claim 19 , wherein the output of the trained fraud detection model includes at least one reason code.

Description

TECHNICAL FIELD This application relates generally to detecting co-controlled systems in network environments, and more particularly, to detecting co-controlled systems engaging in fraudulent behavior within a monitored network environment. BACKGROUND Operation of some network environments is based on, or assumes, that certain network users are unrelated. For example, certain network operations that organize or present content, such as content in response to search queries or other browsing, assume that network activity being used to drive such organization is based on unrelated parties operating within the network environment. When related actors (e.g., same entity operating as a first user and a second user, two communicating entities operating within the network environment, etc.) operate within a network environment, the co-controlled operations can intentionally or accidentally cause incorrect operation of other network systems or processes. Co-controlled network interactions can also result in fraudulent operation of a network environment. For example, when related actors attempt to game a system, the related operations may result in fraud such as, in the context of an ecommerce network environment, payment fraud, return abuse, fake reviews, price gauging, etc. Current systems are not capable of adequately detecting co-controlled operation of third-party systems. SUMMARY In various embodiments, a system include a non-transitory memory and a processor communicatively coupled to the non-transitory memory is disclosed. The processor is configured to read a set of instructions to receive a network activity dataset including data representative of network activity within a network environment, identify at least one co-controlled system in the network activity dataset by implementing a trained fraud detection model configured to receive the network activity dataset and output a fraud determination for each system having at least a first role in the network activity data, and, in response to identifying the at least one co-controlled system, modify one or more permissions of the at least one co-controlled system for operating within the network environment. In various embodiments, a computer-implemented method is disclosed. The computer-implemented method includes steps of receiving a network activity dataset comprising data representative of network activity within a network environment, identifying at least one co-controlled system in the network activity dataset by implementing a trained fraud detection model configured to receive the network activity dataset and output a fraud determination for each system having at least a first role in the network activity data, and, in response to identifying the at least one co-controlled system, modifying one or more permissions of the at least one co-controlled system for operating within the network environment. In various embodiments, a non-transitory computer readable medium having instructions stored thereon is disclosed. The instructions, when executed by at least one processor, cause at least one device to perform operations including training a fraud detection model to receive an input dataset representative of network activity and output a fraud determination for each system having at least a first role in the network activity data, receiving a network activity dataset for a network environment, identifying at least one co-controlled system in the network activity dataset by providing network activity dataset to the trained fraud detection model and generating the fraud determination for each system in the network activity dataset, and, in response to identifying the at least one co-controlled system, modifying one or more permissions of the at least one co-controlled system for operating within the network environment. The network activity dataset includes at least one feature representative of a time period for one or more corresponding activities. The trained fraud detection model is configured to apply a first threshold for classification of each system for a first time period and a second threshold for classification of each system for a second time period. The output of the trained fraud detection model is representative of a predicted likelihood of each system engaging in one of a plurality of co-controlled activities. BRIEF DESCRIPTION OF THE DRAWINGS The features and advantages of the present invention will be more fully disclosed in, or rendered obvious by the following detailed description of the preferred embodiments, which are to be considered together with the accompanying drawings wherein like numbers refer to like parts and further wherein: FIG. 1 illustrates a network environment configured to provide network fraud detection, in accordance with some embodiments; FIG. 2 illustrates a computer system configured to implement one or more processes, in accordance with some embodiments; FIG. 3 illustrates an artificial neural network, in accordan