Signal Detection

Kora Sentinel detects elder financial exploitation signals by comparing real-time events against each enrolled profile's behavioral baseline. Signals are organized into 7 detection categories, each targeting a distinct exploitation pattern.

The 7 detection categories

1. Gradual Draining (GRADUAL_DRAINING)

Detects slow, systematic depletion of funds that may go unnoticed over weeks or months.

Signal Code	Detection	Example
DRAIN_BALANCE_DECLINE	Balance declining beyond baseline trend	Account balance dropped 40% over 60 days with no corresponding income change
DRAIN_VELOCITY_INCREASE	Transaction frequency or volume spikes	Monthly debit volume increased 3x above the 90-day average

2. New Relationship Exploitation (NEW_RELATIONSHIP)

Identifies exploitation by recently introduced contacts — romance scams, new "friends," or sudden caregivers.

Signal Code	Detection	Example
NEWREL_BENEFICIARY_BURST	Multiple new beneficiaries added in a short window	5 new beneficiaries added in 7 days versus baseline of 0.3/month
NEWREL_LARGE_FIRST_TRANSFER	Large transfer to a newly added beneficiary	First transfer of 2M NGN to a beneficiary added 2 days ago

3. POA Access Anomaly (POA_ACCESS_ANOMALY)

Monitors power-of-attorney holders for unusual activity patterns that may indicate abuse of their authority.

Signal Code	Detection	Example
POA_LARGE_WITHDRAWAL	Large withdrawal initiated by POA holder	POA holder withdrew 5M NGN — 10x the elder's typical maximum transaction

4. Scam Signatures (SCAM_SIGNATURE)

Detects transaction patterns consistent with known scam typologies.

Signal Code	Detection	Example
SCAM_ROMANCE	Pattern matches romance scam indicators	Regular transfers to a single new counterparty with increasing amounts over 30 days

5. Lifestyle Inconsistency (LIFESTYLE_INCONSISTENCY)

Identifies changes in recurring payments and spending patterns that may indicate someone else controlling the elder's finances.

Signal Code	Detection	Example
LIFESTYLE_UTILITY_DROP	Recurring utility or essential payments stop	Electricity and water payments missed for 2 consecutive months

6. Cognitive Decline (COGNITIVE_DECLINE)

Detects behavioral indicators that may suggest diminished capacity to manage finances.

Signal Code	Detection	Example
COGNITIVE_FAILED_AUTH	Repeated authentication failures	12 failed login attempts in 24 hours versus baseline of 0-1

7. Isolation (ISOLATION)

Identifies patterns suggesting the elder is being isolated from normal social or financial contacts.

Signal Code	Detection	Example
ISOLATION_SINGLE_DEPENDENCY	All transactions flow to/from a single counterparty	95% of outgoing transfers go to one beneficiary over 30 days

How baselines work

When a profile is enrolled, Sentinel begins building a behavioral baseline from historical transaction and account data. The baseline captures normal patterns across multiple dimensions:

• Transaction baselines — Average monthly debit/credit amounts, transaction counts, typical transaction sizes
• Balance baselines — Average balance, minimum balance, balance trend direction
• Beneficiary baselines — Known beneficiary count, rate of new beneficiary additions, top counterparties
• Channel baselines — Distribution across mobile, web, branch, ATM, and POS channels
• Temporal baselines — Typical transaction hours and days of the week
• Device baselines — Known devices, IP ranges, and geographic locations
• Lifestyle markers — Recurring payments, utility patterns, unique counterparty count

The baseline period is configurable per tenant (default: 90 days). Once the baseline is established, every incoming event is compared against it. Deviations beyond configured thresholds generate signals.

Deviation scoring

Each signal receives a confidence score (0.0-1.0) and a severity-weighted score that feeds into the overall ERS calculation:

signal_score = confidence * severity_weight * rule_weight

Severity weights:

Severity	Weight	Typical signals
CRITICAL	1.0	POA large withdrawal, balance decline > 50%
HIGH	0.75	Beneficiary burst, large first transfer to new contact
MEDIUM	0.5	Velocity increase, device change
LOW	0.25	Minor lifestyle changes, single failed auth

Detection methods

Signals can be generated by three methods:

Method	Description
RULE	Deterministic threshold and pattern rules
ML	Machine learning model predictions
HYBRID	Combined rule + ML ensemble

The detection method is configurable per tenant via the configuration endpoint.

Configuring detection rules

Create custom rules or modify built-in rules using the Rules API:

curl -X POST https://api.korastratum.com/sentinel/api/v1/elder/rules \
  -H "Authorization: Bearer $SENTINEL_API_KEY" \
  -H "X-Tenant-ID: $SENTINEL_TENANT_ID" \
  -H "Content-Type: application/json" \
  -d '{
    "code": "CUSTOM_LARGE_TRANSFER",
    "name": "Large Transfer Alert",
    "signal_category": "GRADUAL_DRAINING",
    "rule_type": "THRESHOLD",
    "severity": "HIGH",
    "weight": 0.8,
    "parameters": {
      "threshold_amount": 1000000,
      "currency": "NGN",
      "lookback_hours": 24
    }
  }'

Rules support 6 types:

Rule Type	Use case
THRESHOLD	Trigger when a value exceeds a fixed threshold
VELOCITY	Trigger when event frequency exceeds a rate
PATTERN	Match a sequence of events
BEHAVIORAL	Compare against the profile's behavioral baseline
NETWORK	Analyze relationships between counterparties
CUSTOM	Custom logic with arbitrary parameters

Exploitation Risk Score (ERS)

All active signals for a profile are aggregated into a single Exploitation Risk Score (0-100) that maps to five risk tiers:

Tier	ERS Range	Description
NORMAL	0-20	No significant exploitation indicators
WATCH	21-40	Minor anomalies detected — passive monitoring
ELEVATED	41-60	Multiple signals — enhanced monitoring recommended
HIGH	61-80	Significant exploitation risk — investigation recommended
CRITICAL	81-100	Urgent exploitation risk — immediate action required

The ERS is recalculated whenever a new signal is generated or a signal is reviewed. You can also trigger an on-demand recalculation via the scoring endpoint.