Network neighborhood topology as a predictor for fraud and anomaly detection

What is claimed is: 1. A computer-based method of verifying whether transactions are fraudulent, the method comprising: receiving, by a risk analysis server computer, transaction data that contains information about users who initiate transactions and transaction devices used to carry out the transactions, including information about cookies stored on the transaction devices, each cookie containing information about a website accessed by the transaction device on which that cookie is stored; generating, by the risk analysis server computer from the transaction data, a relational graph that represents connections between the users and the transaction devices; and performing a risk analysis operation, by the risk analysis server computer on the relational graph, the risk analysis operation being configured to provide, as output, a likelihood of fraud for the transactions; wherein performing the risk analysis operation includes: identifying vertices of the relational graph representing users and transaction devices involved in a requested transaction with an institutional server computer; identifying edges of the relational graph representing connections between the users and the transaction devices involved in the requested transaction; generating the likelihood of fraud for the requested transaction based on the identified edges and vertices, wherein generating the likelihood of fraud for the requested transaction includes providing, as output from a risk engine, a risk score indicative of the likelihood of fraud of the requested transaction, the risk score being based on the identified edges and vertices, a high risk score indicating a high level of risk of fraud for the requested transaction being generated in response to the identified edges and vertices forming a topology corresponding to a cookie hijack attack, wherein the topology corresponding to a cookie hijack attack includes a single vertex representing a transaction device that is connected to multiple vertices representing cookies used by the transaction device, and a low risk score indicating a low level of risk of fraud for the requested transaction; and in response to a high risk score generated in response to the identified edges and vertices forming the topology corresponding to a cookie hijack attack exceeding a predetermined threshold indicating likely fraud, denying the requested transaction with the institutional server. 2. A method as in claim 1 , wherein providing the risk score includes: for a particular vertex of the relational graph representing one of a user and a transaction device of the requested transaction, identifying a neighborhood of vertices and edges about the particular vertex, the neighborhood of vertices and edges including a set of vertices that are less a given number of edges away from the particular vertex, and producing the risk score according to the identified neighborhood of vertices and edges. 3. A method as in claim 2 , wherein producing the risk score according to the identified neighborhood of vertices includes: performing a matching operation on the identified neighborhood and a set of predefined neighborhoods of vertices and edges, the matching operation being configured to produce a matching predefined neighborhood of vertices and edges having a set of vertices and edges that matches the vertices and edges of the identified neighborhood, and generating the risk score according to the matching predefined neighborhood of vertices and edges. 4. A method as in claim 3 , wherein each of the set of predefined neighborhood of vertices and edges further includes a neighborhood identifier that identifies that predefined neighborhood of vertices and edges; and wherein generating the risk score according to the matching predefined neighborhood of vertices and edges includes: inputting the neighborhood identifier of the matching predefined neighborhood of vertices and edges into a risk engine configured to produce the risk score, and receiving the risk score from the risk engine. 5. A method as in claim 4 , wherein the risk engine includes a risk model by which the risk score is produced, the risk model including a set of Bayesian weights, each of the set of Bayesian weights corresponding to a parameter of the requested transaction; and wherein generating the risk score according to the matching predefined neighborhood of vertices and edges further includes: providing a command to the risk engine to add, to a nominal risk score that does not depend on the value of the neighborhood identifier of the matching predefined neighborhood of vertices and edges, a product of a Bayesian weight corresponding to the neighborhood identifier of the matching predefined neighborhood of vertices and edges and a value of a risk metric assigned to the value of the neighborhood identifier. 6. A method as in claim 5 , further comprising: receiving results of external fraud analysis of transactions having a high risk score based on the value of the neighborhood identifier of matching predefined neighborhoods of vertices and edges for the transactions; performing a comparison operation on the results of the external fraud analysis and corresponding risk scores produced by the risk model, the comparison operation producing a comparison result; and adjusting the Bayesian weights of the risk model corresponding to the neighborhood identifier of matching predefined neighborhoods of vertices and edges for the transactions based on the comparison result. 7. A method as in claim 1 : wherein performing the risk analysis operation on the relational graph includes: outputting a likelihood that the transactions exhibit anomalies. 8. A method as in claim 1 , wherein generating the relational graph from the transaction data further includes producing the relational graph based on the information about the users, the transaction devices, and the cookies. 9. A method as in claim 8 , wherein the relational graph includes a set of vertices and edges, each of the set of vertices representing one of a user, a transaction device, and a cookie, each of the set of edges representing a connection between the users, the transaction devices, and the cookies; wherein performing the risk analysis operation includes, for a set of transactions: identifying vertices of the relational graph representing users, transaction devices, and cookies involved in the set of transactions, identifying edges of the relational graph representing connections between the users, the transaction devices, and the cookies involved in the set of transactions, and generating the likelihood of a cookie hijack attack within the set of transactions based on the identified edges and vertices. 10. A method as in claim 1 , further comprising: wherein receiving the transaction data by the risk analysis computer includes issuing a request for the transaction data from the risk analysis computer to a remote database, and receiving the transaction data by the risk analysis computer as transmitted from the remote transaction database responsive to receipt of the request for the transaction data by the remote database; wherein the transaction devices include a user computer used to initiate the transaction, a cookie that contains login information, and a payee account, and wherein the transaction data used to generate the relational graph includes information regarding a user, the user computer used to initiate the transaction, the cookie that contains login information, and the payee account; and wherein generating the relational graph that represents connections between the users and the transaction devices is performed by the risk analysis computer and includes locating,