Sentinel Core

Manager Portal

M
AI Agents / Collusion Network Finder
AGT-BEH-001 Behavioural Analysis AI-based

Collusion Network Finder

AGT-BEH-001 employs Graph Neural Networks (GNN) and community detection algorithms to uncover hidden fraud rings operating across insurance claims. The agent models all actors in the claims ecosystem — policyholders, claimants, repair garages, medical clinics, tow truck operators, legal representatives, and assessors — as nodes in a graph, with claim co-appearances, shared contact information, social network connections, IP addresses, and referral chains as edges. The PyTorch Geometric GNN learns to identify subgraphs that exhibit the structural signatures of coordinated fraud: unusually dense interconnection, repeated co-occurrence across multiple claims, and role-based specialisation (one 'recruiter' node connected to many 'claimant' nodes). The Louvain community detection algorithm then partitions the graph into cohesive fraud ring clusters for investigator review.

Tech Stack

Python 3.11 Runtime
PyTorch Geometric 2.x Graph Neural Network training and inference
NetworkX 3.x Graph construction, traversal, and classical graph metrics
python-louvain Louvain community detection for fraud ring partitioning
Neo4j 5.x Persistent graph database for actor and claim relationship storage
py2neo Python Neo4j driver for Cypher queries
pandas 2.x Tabular data processing for feature engineering
scikit-learn 1.x Feature normalisation, anomaly detection baselines

Input

Claims data with actor identifiers and relationship metadata. Can be a single claim (to check for network context) or a batch of claims for ring discovery.

Accepted Formats

JSON

Fields

Name Type Req Description
claims array<object> Yes List of claims with actor IDs: [{claim_id, claimant_id, garage_id, doctor_id, assessor_id, legal_rep_id, ip_address, submission_date}]
social_links array<object> No Social/contact connections: [{actor_a, actor_b, relation_type}] — phone sharing, address co-habitation, FB friend etc.
lookback_days int No How many days of claim history to include in graph construction (default: 365)
target_claim_id string No If provided, focus analysis on the community containing this claim

Output

Detected fraud ring communities with risk scores, key node rankings, and the specific relationship patterns that triggered detection.

Format:

JSON

Fields

Name Type Description
total_actors_analysed int Total number of unique actors in the constructed graph
communities_detected int Number of distinct communities found by Louvain algorithm
suspicious_communities array<object> Communities with risk score ≥ 0.5: {community_id, size, risk_score, key_actors, claim_ids, ring_type, evidence_summary}
flagged_actors array<object> Individual high-risk actors: {actor_id, role, centrality_score, claim_count, flag_reasons}
ring_patterns array<string> Detected patterns: STAR_TOPOLOGY, CHAIN_REFERRAL, SHARED_CONTACT_HUB, ROTATING_GARAGE_RING
graph_metrics object {modularity, avg_clustering_coefficient, suspicious_density_ratio}
flags array<string> FLAG_FRAUD_RING, FLAG_SUSPICIOUS_CLUSTER, FLAG_HIGH_CENTRALITY_ACTOR
risk_score float Normalised risk contribution 0.0–1.0
verdict string PASS | FLAG | INCONCLUSIVE

Example Response

{
  "total_actors_analysed": 847,
  "communities_detected": 34,
  "suspicious_communities": [
    {
      "community_id": "C-12",
      "size": 23,
      "risk_score": 0.91,
      "key_actors": ["CLMT-0481", "GAR-0022", "DOC-0017"],
      "claim_ids": ["CLM-MT-0081", "CLM-MT-0093", "CLM-TRV-0044"],
      "ring_type": "STAR_TOPOLOGY",
      "evidence_summary": "CLMT-0481 acted as recruiter: connected to 14 claimants who all used GAR-0022 exclusively"
    }
  ],
  "flags": ["FLAG_FRAUD_RING"],
  "risk_score": 0.91,
  "verdict": "FLAG"
}

How It Works

Organised insurance fraud rings are fundamentally a network phenomenon. Individual fraudulent claims may appear plausible in isolation, but the social and operational connections between participants reveal the underlying conspiracy.

AGT-BEH-001 models this insight as a graph problem. Every actor in the insurance ecosystem — claimants, repair shops, doctors, lawyers, assessors — is a node. Every meaningful relationship between them — sharing a claim, sharing a phone number, appearing on the same street address, referring each other, or appearing together on social media — is an edge.

In a legitimate insurance market, this graph has low density: most claimants interact with a repair shop once and never again, and there is no systematic pattern connecting claimants to specific service providers. In a fraud ring, the graph looks very different: the same small set of service providers appears in claim after claim, connected through a hub-and-spoke or chain network.

The Graph Attention Network learns these structural signatures from labelled historical data. Unlike rule-based systems that check specific patterns, the GNN generalises to new ring structures it has never seen before, because it learns the abstract topological features that are common across all ring types.

The Louvain community detection algorithm then groups the graph into cohesive clusters, allowing the agent to identify not just individual suspicious actors but entire fraud organisations — including peripheral members who may have only participated in one or two claims but are structurally connected to the ring's core.

The output is actionable: specific actor IDs, their roles within the ring, the claims connecting them, and human-readable evidence summaries that investigators can use to build a case.

Thinking Steps

1

Graph Construction

Build a heterogeneous graph from claim data. Create nodes for each unique actor (claimant, garage, doctor, assessor, etc.). Create edges from: claim co-participation (two actors share a claim), shared contact info (same phone, address, IP), social network connections, and referral chains (B was referred by A).

Edge weights reflect connection strength: a shared claim creates weight 1.0, a shared IP address creates weight 0.8, a Facebook friendship creates weight 0.3.

2

Feature Engineering

For each node, compute graph features: degree (number of connections), betweenness centrality (how many shortest paths pass through this node), claim frequency (claims per month), geographic dispersion (how widely spread are this actor's claims), role consistency (does this doctor appear in non-medical claims?).

High betweenness centrality in a fraud ring identifies the 'coordinator' node — the person connecting recruiters to service providers.

3

GNN Fraud Node Classification

Pass the graph through a 3-layer Graph Attention Network (GAT) from PyTorch Geometric. The GAT was trained on a labelled dataset of 12,000 confirmed fraud and legitimate actor records. Each node receives a fraud probability score that incorporates both its own features and the features of its neighbourhood.

The attention mechanism lets the GNN weight different neighbours differently — a claimant connected to a known-fraudulent garage gets a higher risk score than one connected to a legitimate garage.

4

Community Detection (Louvain Algorithm)

Run the Louvain modularity optimisation algorithm on the full graph to partition it into communities — groups of nodes that are more densely connected to each other than to the rest of the graph. Compute a community risk score as the weighted average of member node fraud probabilities.

Louvain is O(n log n) and scales to graphs with millions of nodes, unlike spectral clustering approaches.

5

Ring Topology Classification

For communities with risk score ≥ 0.50, classify the ring topology from the subgraph structure: STAR (one high-degree hub), CHAIN (linear referral chain), CLIQUE (dense all-pairs connection), BIPARTITE (split between claimants and service providers). Each topology corresponds to a different fraud operation model.

Bipartite rings with split claimant/provider groups are the most common professional fraud ring structure.

6

Evidence Chain Generation

For each flagged community, extract the 3–5 most suspicious edges (highest weight, most anomalous) and format them as human-readable evidence statements: 'CLMT-0481 referred 14 claimants who all used GAR-0022, an unusually high exclusivity ratio of 0.93.'

Evidence statements are designed to be presented directly to investigators and claims managers without requiring graph expertise.

Thinking Tree

  • Root Question: Are the actors in this claim part of an organised fraud ring?
    • Graph construction and feature engineering
      • Actor degree and centrality computed
      • Community structure analysed
    • GNN fraud probability scoring
      • All actors have low fraud probability → PASS
      • Some actors have high fraud probability → check community
    • Community risk assessment
      • Community risk score < 0.5 → benign cluster
      • Community risk score ≥ 0.5 → suspicious
        • Ring topology classification
        • Evidence chain generation → FLAG_FRAUD_RING

Decision Tree

Does the claim graph have at least 3 actors with prior claim history?

Yes → d2 No → inconclusive
d1

Any actor has GNN fraud probability > 0.70?

Yes → d3 No → d4
d2

High-risk actor is part of a community with risk score ≥ 0.5?

Yes → flag_ring No → flag_actor
d3

Community risk score ≥ 0.5 despite no individual high-risk actor?

Yes → flag_cluster No → pass
d4

FLAG — FRAUD_RING: Organised fraud network detected; multiple actors coordinating

flag_ring

FLAG — HIGH_CENTRALITY_ACTOR: Individual actor exhibits fraud ring coordinator behaviour

flag_actor

FLAG — SUSPICIOUS_CLUSTER: Statistically anomalous co-occurrence pattern across claims

flag_cluster

INCONCLUSIVE — Insufficient historical data to construct meaningful graph

inconclusive

PASS — No significant fraud ring indicators detected in claim network

pass

Technical Design

Architecture

AGT-BEH-001 is an async FastAPI microservice backed by a Neo4j graph database for persistent actor-claim storage. The GNN inference uses PyTorch Geometric with a pre-trained GAT model loaded at startup. Community detection runs on an in-memory NetworkX graph built from the Neo4j query results for the relevant time window. Full ring detection on 1,000 actors takes approximately 2–4 seconds.

Components

Component Role Technology
GraphBuilder Constructs heterogeneous graph from claims and social data NetworkX 3.x + py2neo
FeatureEngineer Computes per-node graph features (degree, centrality, frequency) NetworkX centrality algorithms + pandas
GATClassifier Graph Attention Network for per-node fraud probability PyTorch Geometric GAT
LouvainDetector Community partitioning via modularity optimisation python-louvain
TopologyClassifier Classifies ring structure type from community subgraph NetworkX subgraph analysis + rule engine
EvidenceExtractor Generates human-readable evidence statements from top edges Python f-strings + edge ranking
Neo4jPersister Stores flagged rings and actor scores in Neo4j py2neo Cypher MERGE operations

Architecture Diagram

┌──────────────────────────────────┐
│  POST /analyze                   │
│  (claims[] + social_links[])     │
└──────────────┬───────────────────┘
               │
               ▼
┌──────────────────────────────────┐
│       GraphBuilder               │
│  + Neo4j historical data load    │
└──────────────┬───────────────────┘
               │
               ▼
┌──────────────────────────────────┐
│       FeatureEngineer            │
│  (degree, centrality, frequency) │
└──────────────┬───────────────────┘
               │
        ┌──────┴──────┐
        ▼             ▼
┌──────────────┐ ┌────────────────┐
│ GAT          │ │    Louvain     │
│ Classifier   │ │   Detector     │
│ (per-node    │ │ (communities)  │
│  fraud prob) │ └──────┬─────────┘
└──────┬───────┘        │
       └────────┬────────┘
                │
                ▼
  ┌──────────────────────────┐
  │    TopologyClassifier    │
  └──────────┬───────────────┘
             │
             ▼
  ┌──────────────────────────┐
  │    EvidenceExtractor     │
  └──────────┬───────────────┘
             │
             ▼
  ┌──────────────────────────┐
  │    Neo4jPersister        │
  └──────────────────────────┘

Data Flow

API Gateway GraphBuilder | Claims list + social links + Neo4j historical actors
GraphBuilder FeatureEngineer | NetworkX heterogeneous graph
FeatureEngineer GATClassifier | Node feature matrix + edge index
FeatureEngineer LouvainDetector | NetworkX graph with edge weights
GATClassifier TopologyClassifier | Per-node fraud probabilities
LouvainDetector TopologyClassifier | Community assignments
TopologyClassifier EvidenceExtractor | Suspicious community subgraphs
EvidenceExtractor Neo4jPersister | Flagged ring records
EvidenceExtractor API Gateway | Full JSON verdict + community report
Back to AI Agents AGT-BEH-001