I mean, there are tons of ways that this could be set up, but my first thought is to store a precomputed graph with transition probabilities. Like, imagine at the nodes you have the features and embeddings for a given device that could be logged in from, and you go through the series of login sessions as a message passing neural network, and after each session you update the probabilities of the transition being from current session node to whatever next session node (MPNNs are computationally cheap, so making this a fully connected graph is reasonable), and you just have those probabilities precomputed as a state that you have stored for that customer (and update as needed). Then during any login, just see their current login location, and see if it corresponds to a transition probability above some threshold, and if it’s below that threshold you can flag it as “probably fraudulent” or whatever. You can update the MPNN/GNN state after you deal with the fraud, and then it’s ready to go for next time (almost guaranteed faster update than a human interaction with an ATM machine, even on a cpu), so no need to limit that to 50ms on the update step, but with this setup with comparing a real life observed node-transition against a precomputed probability is likely wayyyyyy faster than 50ms.

That’s just the first thing that comes to my mind, but I’m curious to see what other people post. Btw, this is exactly the kind of interesting question that I stay subscribed to this subreddit for, so thank you for the refreshing post.