lfm2-transaction-encoder / encoder /data /fraud_pattern_cast.json
initial transaction co-pilot deployment
b3112c7
{
"version": 1,
"seed": 42,
"histories_path": "data/synthetic/token_ids.npy",
"stage_names": [
"pre_attack",
"probing",
"monetization",
"exfiltration",
"dormant"
],
"type_names": [
"victim_fraud",
"account_takeover",
"scam_redirected",
"declined_legit"
],
"cast": [
{
"pattern": "probing_then_takeover",
"display_name": "Customer A \u2014 card just got tested",
"customer_idx": 16,
"flagged_idx": 39,
"stage_label": 1,
"stage_label_name": "probing",
"type_label": 1,
"type_label_name": "account_takeover",
"description": "3+ small-amount CNP transactions in the 6-tx window before tx39, and the flagged transaction uses a device that appears nowhere else in the history. Probing in progress on a compromised card.",
"context_text": "Upstream fraud detector escalated transaction 39 at score 0.84. Assess pattern stage and type.",
"diagnostics": {
"probe_density": 5,
"post_attack_density": 0,
"novel_device": true,
"signature_clean": false,
"recent_authorize_density": 7
},
"original_customer_idx": 147105
},
{
"pattern": "exfiltration_takeover",
"display_name": "Customer B \u2014 full attack chain",
"customer_idx": 6,
"flagged_idx": 11,
"stage_label": 3,
"stage_label_name": "exfiltration",
"type_label": 1,
"type_label_name": "account_takeover",
"description": "Probing cluster preceding the flag AND multiple large unfamiliar-merchant charges around tx11. Novel device. Mature account takeover, attacker is harvesting.",
"context_text": "URGENT: tx 11 flagged at 0.92. Pre-decline window closing \u2014 classify now.",
"diagnostics": {
"probe_density": 0,
"post_attack_density": 3,
"novel_device": true,
"signature_clean": false,
"recent_authorize_density": 0
},
"original_customer_idx": 34242
},
{
"pattern": "monetization_victim",
"display_name": "Customer C \u2014 handed over card info",
"customer_idx": 0,
"flagged_idx": 22,
"stage_label": 2,
"stage_label_name": "monetization",
"type_label": 0,
"type_label_name": "victim_fraud",
"description": "Probing-then-big-purchase pattern at tx22, but the device fingerprint matches the customer's normal devices. Customer likely shared credentials under social engineering.",
"context_text": "Investigation requested for transaction 22. Upstream model score 0.78. Stage + type?",
"diagnostics": {
"probe_density": 3,
"post_attack_density": 1,
"novel_device": false,
"signature_clean": false,
"recent_authorize_density": 0
},
"original_customer_idx": 7105
},
{
"pattern": "scam_redirected",
"display_name": "Customer D \u2014 romance scam pattern",
"customer_idx": 7,
"flagged_idx": 22,
"stage_label": 1,
"stage_label_name": "probing",
"type_label": 2,
"type_label_name": "scam_redirected",
"description": "Customer's last 16 transactions show 5+ CNP charges to unfamiliar merchants on the customer's own device. Pattern consistent with customer-authorized scam payments.",
"context_text": "Hey, tx 22 pinged the fraud detector at 0.66. What's going on?",
"diagnostics": {
"probe_density": 4,
"post_attack_density": 0,
"novel_device": false,
"signature_clean": false,
"recent_authorize_density": 5
},
"original_customer_idx": 44699
},
{
"pattern": "dormant_false_positive",
"display_name": "Customer E \u2014 false alarm",
"customer_idx": 10,
"flagged_idx": 28,
"stage_label": 4,
"stage_label_name": "dormant",
"type_label": 3,
"type_label_name": "declined_legit",
"description": "Flagged transaction matches the customer's normal signature: home country, CVV match, AVS match, familiar merchant, no probe cluster, no exfil density. Likely an upstream rules false-positive.",
"context_text": "Investigator review on tx 28 (detector 0.61). Need stage + type.",
"diagnostics": {
"probe_density": 0,
"post_attack_density": 0,
"novel_device": false,
"signature_clean": true,
"recent_authorize_density": 0
},
"original_customer_idx": 75149
},
{
"pattern": "pre_attack_signal",
"display_name": "Customer F \u2014 early warning",
"customer_idx": 13,
"flagged_idx": 25,
"stage_label": 0,
"stage_label_name": "pre_attack",
"type_label": 1,
"type_label_name": "account_takeover",
"description": "Single anomalous transaction at tx25 with no chain evidence yet (no probe cluster, no exfil density). Device is novel. Step-up auth + watch.",
"context_text": "tx25 flagged @ 0.71. Classify.",
"diagnostics": {
"probe_density": 0,
"post_attack_density": 0,
"novel_device": true,
"signature_clean": false,
"recent_authorize_density": 3
},
"original_customer_idx": 96744
}
],
"subset_note": "customer_idx values have been remapped to [0, N) for HF Space deployment. original_customer_idx preserves the source pool index."
}