MXPA98007768A - Fraud prevention in a telecommunication network - Google Patents

Fraud prevention in a telecommunication network

Info

Publication number
MXPA98007768A
Authority
MX
Mexico
Prior art keywords
rule
match
alarm
records
alarm rule
Prior art date
Application number
MXPA/A/1998/007768A
Other languages
Spanish (es)
Inventor
Nicolae Busuioc Marius
Original Assignee
British Telecommunications Public Limited Company
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by British Telecommunications Public Limited Company

Abstract

The present invention relates to a method and system for detecting fraud in a telecommunications network by matching the information in individual calls with a series of rules (18). For each rule (r), a threshold (Tr) is defined, and if the match of an individual call to the rule is better than Tr, an alarm is generated. All resulting call records in alarm are stored in a positive match file. Likewise, calls which have just failed to meet the criteria within the given tolerance level are stored in a separate negative match file. The entries in the negative and positive match files are then reviewed by experienced operators to determine which in fact represent a true fraud. On the basis of these validations, a decision module within the system automatically calculates and implements the necessary changes to the thresholds (Tr) by means of a feedback loop.

Description

FRAUD PREVENTION IN A TELECOMMUNICATIONS NETWORK

DESCRIPTION OF THE INVENTION

The present invention relates to a telecommunications network, and more particularly to a method of, and a system for, improving the detection of fraud within a telecommunications network.

Rule-based fraud detection systems seek to detect fraudulent use by comparing the details of an individual call in the telecommunication network with a series of one or more rules. If a particular use of the network (referred to throughout this specification as a "call record") activates one or more of the pre-defined rules, an alarm is generated, allowing a human operator to take the necessary action. While such systems have had some success in combating fraud, they tend to be labor intensive, since the rules tend to be specific to a particular area and need to be established and continuously maintained by trained personnel. One set of rules, for example, needs to be established and maintained in order to deal with telephone fraud, another set for credit card or telephone card fraud, and another set for the PSTN.

Another serious drawback is that over time, fraudsters get to know (deduce) the rules and/or thresholds that are being applied, and can modify their behavior accordingly (for example, "sailing under the thresholds"). For example, if a fraudster knows that he will be detected if he makes a fraudulent international phone call to a particular number that lasts more than thirty minutes, he may begin to ensure that his calls last less than that. Conventional systems have difficulty in dealing with this, since the rules need to be changed by trained personnel who often do not have enough information to determine what the effect on the system will be if, for example, they were to establish a shorter time limit of, for example, twenty minutes.

It is an object of the present invention at least to alleviate these problems of the prior art.
It is another object to propose a method and system for improving the detection of fraud within a telecommunication network, which can be applied to a variety of specific areas and which requires the least use of trained personnel to keep the rules in force.

According to a first aspect of the invention, a system for improving the detection of fraud within a telecommunications network is provided, the system comprising:
(a) means for receiving call records representative of calls in the network;
(b) rule matching means, arranged to compare each call record against the alarm rule and, (i) determine a match if the alarm rule matches the call record; (ii) determine an approximate match if the alarm rule only just fails to match the call record;
(c) validation means to validate individual match records and approximate match records with an expected fraud indication; and
(d) rule enforcement means arranged to alter such an alarm rule depending on the validated approximate match records and the validated match records.

The preferred system aims to detect fraudulent use by measuring and comparing the parameter values of individual calls in the telecommunications network against the pre-established thresholds within the defined detection rules. Preferably, the rule matching means is arranged to calculate a rule match value that depends on the closeness of the match of the call record parameters to the alarm rule; the rule matching means determines a match if the rule match value exceeds a first threshold parameter of the alarm rule. It will be understood of course that the first threshold parameter merely acts as a limit value, which will be exceeded in an upward direction if the rule match value increases with the accuracy of the match, and will be exceeded in the opposite, downward direction in an alternative but equivalent arrangement in which the rule match value decreases with the accuracy of the match.
Normally, the matching records will be stored in a positive match file and the approximately matching records in a negative match file. The entries are stored within the positive match file if the first threshold parameter is exceeded by a call record parameter, and in the negative match file if a second threshold parameter is exceeded but the first is not. The second threshold parameter can be defined by the first threshold parameter set by a tolerance value, for example 10%. In this way, the records stored within the negative match file are representative of calls which almost, but did not quite, result in an alarm.

In a practical arrangement, the system can include a variety of different rules, each having its own first threshold and tolerance value. The rules can be enforced individually, with the enforcement of each individual rule depending on the confirmed match records and the confirmed records that correspond to that rule.

According to a second aspect of the invention, a method is provided for improving the detection of fraud within a telecommunications network, the method comprising:
(a) receiving call records representative of calls in the network;
(b) comparing each call record against the alarm rule, and (i) determining a match if the alarm rule matches the call record; (ii) determining an approximate match if the alarm rule only just fails to match the call record;
(c) validating individual match records and approximate match records with an expected fraud indication; and
(d) altering such an alarm rule depending on the validated approximate match records and the validated match records.

The invention can be carried out in several ways, and a specific method and system will now be described by way of example with reference to Figure 1, which is a block diagram showing the preferred embodiment. The fraud detection system may typically be exemplified in a computer program that runs on a dedicated server, which is set up in a telecommunications network to be monitored.
Depending on the size of the network, there may be only one server, or the system may be duplicated on several servers spaced across the network. All or part of the system can alternatively be coded, instead of being exemplified by a computer program; preferably, the coded modules would be those that do not need to be enforced. The system receives information from external sources through the network. In the Figure, the external sources are referred to by the number 10, with the interrupted line 12 indicating that these sources supply information from outside of the server in which the system is operating. The external sources 10 provide information on calls that are being made in the telecommunications network by means of an individual call record for each call.
Each call record has a number of key fields, for example (among others) the called number, the calling number, the duration of the call, and the number of the credit card or telephone card. Depending on the parameters to be monitored, other key fields can be provided as necessary. The call records are supplied to a data management module 14, which normalizes the incoming information and supplies the resulting normalized call records Ci (i being an identification index of individual calls) to a detection and alarm matching module 16.

In the detection and alarm matching module 16, each of the call records Ci is compared against a series of pre-defined rules within a set of rules 18. The individual rules within the set of rules are chosen in such a way that the matching of a rule by a call record Ci provides an indication (although not absolute proof) that fraud is taking place. For example, a rule may state that fraud is a possibility if the call is an international call made from a public telephone to a country known as a supplier of illegal drugs. Fraud may also be suspected if the call has been paid for with a debit card and does not match the call history on that account; a rule may suggest that fraud is being carried out, for example, if a customer with a low-usage debit card suddenly starts making a long series of international calls to different countries from a pay phone. Additional information from an internal or external database 20 can be accessed in order to obtain information necessary to apply the rules, such as a client's charge history, the credit limit of the customer's debit card (which may vary from day to day or from one hour to another), etc.

Each rule r within the rule set is associated with its corresponding threshold value Tr, and the call record Ci is tested against the rule in such a way that it can provide an indication of "degree of agreement" Vi.
If the rule closely matches the call record, the value of Vi will be high, and if it agrees poorly, the value of Vi will be low. The value of Vi is then tested against the rule threshold Tr, and an alarm is generated if Vi is greater than Tr. In the prior art systems, the value of Tr would correspond to the threshold level above which the alarms are presented to the human operator for further review.

It will be appreciated that there are several different ways in which the "degree of agreement" indicated by Vi can be determined. A simplistic approach could be to set Vi to 1 if one of the parameters in the rule being tested is satisfied, to 2 if two of the parameters are satisfied, etc. In such a system the parameters may consist of several "true or false" statements within the rule, for example, that the call is international and that it has lasted more than a certain period, that it has exceeded the cost, or that it is related to a call or private address. Since some of the parameters will be more indicative of fraud than others, a more sophisticated approach could be to apply appropriate evaluations to each of the parameters and to calculate Vi on that basis. Other more complex arrangements could, of course, be provided, subject only to module 16 producing a value of Vi as output, which gives some indication of the possibility that the call may be fraudulent, based on the particular rule being tested.

Each time that an alarm is generated, a tuple (Ci, r, Qi+) is stored on a disk 26 within a "positive match file" 22. These can be called "match records". In this tuple: Ci is the call record (it consists of a number of key fields), r is the index of the rule that generated the alarm, and Qi+ is the "proportion of positive agreement", specifically the proportion by which the requirements of the rule (for example, the rule threshold) have been exceeded.
This is defined as ABS(Tr - Vi)/Tr, where ABS(X) represents the absolute value of X.

Also associated with each rule r is an additional parameter θr, which can be defined as a margin of tolerance to the value of Tr. θr can be, for example, 0.1 or 10%. Module 16 uses this value of θr to keep a record of those calls Ci which only just fail to trigger the alarm on rule r. For cases in which Vi is less than Tr, a "negative agreement proportion" Qi- is determined using the formula ABS(Tr - Vi)/Tr. If Qi- is less than θr, then the module determines that call Ci represents an "approximate fault alarm". For all these calls, the tuple (Ci, r, Qi-) is stored in a negative match file 24. Here, Ci and r are as before, and Qi- represents the proportion by which the call record has failed to activate the alarm on rule r (for example, the proportion by which the rule threshold has barely been missed). These can be called "approximate match records".

Both the positive match file 22 and the negative match file 24 are sorted according to their proportions Qi+ and Qi-. Accordingly, the positive match file 22 can be considered as a series of records giving rise to fraud alarms, while the negative match file represents those records that have almost, but not fully, activated the alarms. In each case, the files are ordered in such a way that the most possibly fraudulent cases are at the beginning.
While the whole positive match file is preferably presented, to enable the analysis of alarms, not all of the negative match file needs to be presented. For example, presenting only those records that are grouped around the main value of Qi- will improve efficiency. Alternatively, only call records that carry significant cost values can be presented.

Both the positive and negative match files are passed (as indicated by the circled number 1) to a fraud operator support module 30, allowing the files to be viewed and analyzed by human operators 32. Operators 32 use their fraud detection experience to validate the entries in the positive and negative match files 22, 24; each entry is given a code according to whether or not it is considered by the operator to represent a true fraud. Ideally, all entries in the positive match file 22 should represent fraudulent calls, and all entries in the negative match file should represent non-fraudulent calls, but in practice both fraudulent and non-fraudulent entries will exist within both files, given the inaccuracies of the rule set 18.

In order to help their analysis of what is and what is not fraud, operators 32 may call on additional information provided from external or internal sources 34. This may include, for example, the name and address of the client, the charge history, the account history, patterns of fraud that have been seen in the past, etc. The fraud operator support module 30 may include a number of graphical analysis tools that allow operators to view alarms and files 22, 24 in a variety of useful ways. It could also include an expert system and/or core networks to help the operators to do their analysis. The fraud operator support module can also operate without the intervention of the user, simply by being programmed to confirm the records, for example on the basis of central network analysis.
The comments/confirmations of the files 22, 24 are returned to the alarm analysis module 28, the main purpose of which is to provide automatic feedback to adjust the rule set 18. The alarm analysis module calculates two proportions Xr and Yr for each rule r, where:

Xr = the ratio of the number of frauds within the positive match file to the total number of alarms generated by rule r in the positive match file, and

Yr = the ratio of the number of frauds confirmed in the negative match file to the total number of alarms generated by rule r in the positive match file.

The value of Xr represents a performance measure of the rule r, in which the higher the Xr the better. The value of Yr is another measure of the performance of rule r, but here the lower the value of Yr, the better. It will be understood that in order to improve (increase) the value of Xr, the value of Tr needs to be increased; to improve (decrease) the value of Yr, the threshold Tr needs to be decreased.

The values Xr, Yr are then applied to a decision module 35, which uses the values within a function f which automatically increases or decreases the threshold Tr for the rule r as follows:

dTr = f(Xr, Yr, cost)

where "cost" represents the cost of undetected fraud. The appropriate change to Tr is made by a rule adjustment module 36, which alters the rule set 18, thereby improving alarm detection and matching within the module 16.

It will be understood by the person skilled in the art that it is not essential for the operation of this invention in its broadest form that the function f be exactly as described. files 22, 24 and the validated records within them, other than the Xr and Yr values described above. In an alternative embodiment, Xr could represent the proportion of the number of validated alarms to the number of false positives, while Yr could represent the proportion of the number of tuples stored in the negative match file which are true indications of fraud to the total number of tuples in the negative match file. Alternatively, completely different parameters may be constructed that may include information from external or internal sources such as the database 29.
Evaluations Wx, Wy may be associated with Xr, Yr respectively. If the cost information is used as part of the function, it can be calculated by looking at the individual costs for each separate record (for example, the cost of each individual call). A convenient cost parameter that can be included in f is the speed at which the potential losses due to fraud increase. If the losses increase rapidly, the changes made to the rule thresholds need to be more drastic than they otherwise would be. A convenient way to do this could be to plot a moving average over time of the total confirmed frauds which the system is detecting. The first derivative of this graph can be incorporated as a parameter within f, ensuring that the thresholds change more aggressively when losses increase more quickly. In other instances, costs do not need to be a feature of function f, but other practical considerations could be included, for example, the ease with which a particular fraud could be dealt with. The person skilled in the art could decide on many appropriate functions, by trial and error, curve fitting or the contour, to provide adequate feedback for the rule adjustment module 36; normally, the function f will be designed so that the threshold values Tr are changed more aggressively for potentially expensive frauds.

In one embodiment, the decision module 35 may receive information on the rules directly from the current set of rules 18, thereby providing an additional level of feedback. In one form of the invention, the function f does not automatically increase or decrease the threshold Tr, but recommends to the operators the changes that should be made. In a preferred embodiment, the recommendations can be presented to fraud analysts (having greater responsibility than fraud operators).
If the analyst accepts the appropriate recommendation, then the change to Tr is made by means of the rule adjustment module 36, which alters the rule set 18 and therefore improves the detection and generation of alarms within module 16.

An option for function f is as follows:

(a) IF Xr is > 80%: THEN DO NOTHING - good performance (and set the evaluation Wx = 0); ELSE RECOMMEND Tr be increased.
(b) IF Yr is < 20%: THEN DO NOTHING - good performance (and set the evaluation Wy = 0); ELSE RECOMMEND Tr be decreased.

Here Wx, Wy are the evaluations attached respectively to Xr and Yr. Evaluations Wx and Wy can be fixed by monitoring and plotting the Xr and Yr values with time and periodically calculating the proportions dX/dt and dY/dt for each time interval. These proportions will be called a and b respectively. Then, a method for setting the Wx, Wy evaluations can be carried out as follows.

For Wx:
(a) low (0.1-0.3) IF a(t2) > a(t1) > 0; t2 > t1 - indication of good performance, therefore weak support to increase Tr;
(b) high (0.8-0.9) IF a(t2) < 0 and a(t1) > 0; t2 > t1 - indication of poor performance, therefore strong support to increase Tr;

and in the same way for Wy:
(a) low (0.1-0.3) IF b(t2) < 0 and b(t1) > 0; t2 > t1 - indication of good performance, therefore weak support to decrease Tr;
(b) high (0.8-0.9) IF b(t2) > b(t1) > 0; t2 > t1 - indication of poor performance, therefore strong support to decrease Tr.

In addition, one can think of the dynamics of the joint effect of Xr and Yr being captured as follows:

IF [(a = 0) or (a is decreasing)] and [b is increasing] THEN very strong support to lower the threshold Tr, or
IF [a is increasing] and [(b = 0) or (b is decreasing)] THEN very strong support to increase the threshold Tr.

The outputs of the decision module 35 are passed to the rule adjustment module 36, which causes the rule changes in the rule set 18.
The information of the decision module 35 and the rule adjustment module 36 is provided to the fraud operator support module 30 to allow the operators 32 to view the current system. Provision is also made for the fraud analysts or the operators to intervene directly in the decisions of the decision module 35, or in the rule adjustment module 36, for example by altering some user-definable parameters within the function f. Operators may, for example, find it convenient for the system to operate slightly differently on weekends, when the volume of calls is possibly lower than during the week. Also, certain types of fraud may be more prevalent at certain times of the week or at certain times of the day, and user-changeable or automatically changing parameters may be provided within the function f to allow for this. Also, provision can be made for the fraud operator support module to have direct access to rule set 18, thus allowing operators and/or analysts to see exactly which rules are currently being applied and to change them manually, if required.
In one version of the system, the feedback loop can be completely automated, with the rule set 18 continuously being enforced as a result of the decisions of the decision module 35. Depending on the computational complexity, which of course depends on the number of call records and on the number and complexity of the rules, the rules can either be continuously adjusted in real time or can alternatively be enforced on a "batch" basis. In another version of the system, the set of rules is enforced only when required by a signal sent by a human operator 32 to the rule adjustment module 36, or by a signal automatically generated by the fraud operator support module 30.

More information may be obtained by considering the distribution of the individual values of Qi- for the confirmed fraud records within the negative match file. These represent calls that the operators consider fraudulent, but which are not currently being correctly trapped by the system and placed in the positive match file. If one finds that most of the values of Qi- are much smaller than the value of θr, it is likely that the tolerance value (θr) is too large. The value could then be reduced, reducing the number of entries in the negative match file but without losing many really fraudulent entries. On the other hand, if the Qi- values of the validated fraudulent entries are equally distributed across the range of 0 to θr, or if they tend to increase as one approaches θr, it can be concluded that a substantial number of fraudulent calls are falling outside the limit of θr and therefore are not being caught within either the negative or the positive match file. This may suggest that the value of θr needs to be increased. In this way, the tolerance value θr can be altered, either automatically or as required by an operator, to provide further tuning of the system. As well as alterations to Tr, the value of θr can be changed according to a function which depends on the approximate match records and the confirmed match records. The decision module 35 can determine the amount and direction of the change necessary, providing instructions to the rule adjustment module 36.

It will be understood, of course, that the several modules shown in Figure 1 are exemplary, and in other embodiments some of these modules can be combined with others or arranged in a different way.
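The matching and feedback steps of the description, from Vi and the two match files through Xr, Yr and the threshold recommendation, as an added example that is not part of the patent text. The rule parameters, their weights, the sample call records and the operator verdicts are constructed assumptions; the 80% and 20% limits are those of the option given for function f, and the evaluations Wx, Wy are not modelled.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    index: str        # r
    weights: dict     # hypothetical per-parameter weights used to compute Vi
    threshold: float  # Tr
    tolerance: float  # tolerance margin on Tr (0.1 means 10%)


def degree_of_match(rule, call):
    """Vi: sum of the weights of the rule parameters that the call satisfies."""
    return sum(w for name, w in rule.weights.items() if call.get(name))


def match(rule, call):
    """Classify one call record. Returns (kind, Q) where kind is 'positive'
    (alarm), 'negative' (near miss within the tolerance) or None."""
    v = degree_of_match(rule, call)
    q = abs(rule.threshold - v) / rule.threshold  # ABS(Tr - Vi) / Tr
    if v > rule.threshold:
        return "positive", q
    if q < rule.tolerance:
        return "negative", q
    return None, q


def build_match_files(rule, calls):
    """Build the positive and negative match files as lists of (Ci, r, Q)."""
    positive, negative = [], []
    for call in calls:
        kind, q = match(rule, call)
        if kind == "positive":
            positive.append((call, rule.index, q))
        elif kind == "negative":
            negative.append((call, rule.index, q))
    # Most suspicious first: largest overshoot, then narrowest miss.
    positive.sort(key=lambda entry: entry[2], reverse=True)
    negative.sort(key=lambda entry: entry[2])
    return positive, negative


def analyse(positive, negative, confirmed_fraud):
    """Compute Xr and Yr from operator-validated files and apply the
    80% / 20% option for f. Returns None when the rule raised no alarms,
    because both ratios are divided by the number of alarms."""
    alarms = len(positive)
    if alarms == 0:
        return None
    x = sum(call["id"] in confirmed_fraud for call, _, _ in positive) / alarms
    y = sum(call["id"] in confirmed_fraud for call, _, _ in negative) / alarms
    recommend = []
    if not x > 0.80:
        recommend.append("increase Tr")  # too many alarms were not fraud
    if not y < 0.20:
        recommend.append("decrease Tr")  # confirmed fraud sits under Tr
    return {"X": x, "Y": y, "recommend": recommend}


# Constructed rule: weighted true/false parameters, Tr = 4.0, tolerance 30%.
RULE = Rule(
    index="r1",
    weights={"international": 2.0, "payphone": 1.0,
             "over_30_min": 2.0, "unusual_for_account": 1.0},
    threshold=4.0,
    tolerance=0.3,
)

# Constructed, already normalized call records.
CALLS = [
    {"id": "c1", "international": True, "payphone": True,
     "over_30_min": True, "unusual_for_account": True},   # Vi = 6.0
    {"id": "c2", "international": True, "payphone": True,
     "over_30_min": True},                                # Vi = 5.0
    {"id": "c3", "international": True, "over_30_min": True,
     "unusual_for_account": True},                        # Vi = 5.0
    {"id": "c4", "international": True, "payphone": True,
     "unusual_for_account": True},                        # Vi = 4.0, kept short
    {"id": "c5", "international": True, "payphone": True},  # Vi = 3.0
    {"id": "c6", "international": True},                    # Vi = 2.0
    {"id": "c7", "payphone": True, "over_30_min": True},    # Vi = 3.0
]

# Constructed operator verdicts: call ids validated as true fraud.
CONFIRMED_FRAUD = {"c1", "c2", "c4"}

if __name__ == "__main__":
    pos, neg = build_match_files(RULE, CALLS)
    print("positive:", [(c["id"], q) for c, _, q in pos])
    print("negative:", [(c["id"], q) for c, _, q in neg])
    print(analyse(pos, neg, CONFIRMED_FRAUD))
```

With this data both recommendations are produced at once: call c4, which stays just under the threshold, is confirmed as fraud in the negative match file while one of the three alarms is a false positive.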

Claims (37)

1. A system for improving fraud detection in a telecommunications network, the system comprising: (a) means for receiving call records representative of calls in the network; (b) means for rule matching arranged to compare each call record with the alarm rule, and (i) determine a match if the alarm rule matches the call record; (ii) determine an approximate match if the alarm rule just fails to match the call record; (c) validation means to validate the individual match records and the approximate match records with an indication of the expected fraud; and (d) rule enforcement means arranged to alter such an alarm rule depending on the validated approximate match records and validated match records.
2. The system as claimed in claim 1, in which the rule matching means is arranged to calculate a rule match value that depends on the closeness of the match of the call record to the alarm rule, the rule matching means determines a match if the rule match value exceeds a first threshold parameter of the alarm rule.
3. The system as claimed in claim 2, wherein the rule matching means determines an approximate match if the rule match value exceeds a second threshold parameter of the alarm rule.
4. The system as claimed in claim 3, wherein the second threshold parameter is defined by the first threshold parameter set by a tolerance value.
5. The system as claimed in any of claims 2 to 4, wherein the rule enforcement means are arranged to alter the first threshold parameter of the alarm rule.
6. The system as claimed in claim 3 or claim 4, in which the rule enforcement means are arranged to alter the second threshold parameter of the alarm rule.
7. The system as claimed in claim 6, wherein the rule enforcement means is arranged to alter the second threshold parameter, depending on the distribution of the rule matching values of the approximate match records.
8. The system as claimed in any of the preceding claims, wherein the means of enforcement of the rule are arranged to alter the alarm rule and the estimated fraud cost.
9. The system as claimed in claim 8, wherein the rule enforcement means are arranged to alter the alarm rule depending on the proportion in which the estimated fraud cost is changing.
10. The system as claimed in any of the preceding claims, wherein the rule enforcement means are automatically arranged to alter the alarm rule.
11. The system as claimed in any of Claims 1 to 9, wherein the means of enforcement of the rule are arranged to alter only the alarm rule upon receiving a requirement of validity of the user.
12. The system as claimed in any of the preceding claims, in which the match records are stored in a positive match file and the approximate match records are stored in a negative match file.
13. The system as claimed in any of the preceding claims, when dependent on claim 2, wherein the positive and negative agreement registers are arranged according to the rule matching values of the respective register.
14. The system as claimed in any of the preceding claims, wherein the rule matching means is arranged to compare each call with the alarm rule depending on the external information of the database.
15. The system as claimed in any of the preceding claims, wherein the validation means includes means for automatically providing an expected fraud indication for each record.
16. The system as claimed in any of claims 1 to 14, wherein the validation means includes the input validation means for receiving the user validation of each record.
17. The system as claimed in any of the preceding claims, in which the rule matching means is arranged to compare each call record with a plurality of alarm rules, the rule enforcement means are arranged to alter each rule of alarm individually.
18. The system as claimed in claim 17, wherein the rule enforcement means are arranged to alter each individual alarm rule depending on the confirmed agreement and the approximate match records which correspond to the individual alarm rule.
19. A telecommunications network, which includes a system as claimed in any of the preceding claims.
20. A method for improving fraud detection within a telecommunication network, the method comprising: (a) receiving all call records representative of calls in the network; (b) comparing each call record with the alarm rule, and (i) determining a match if the alarm rule matches the call record; (ii) determining an approximate match if the alarm rule just fails to match the call record; (c) validating the individual match records and the approximate match records with an indication of the expected fraud; and (d) altering the alarm rule depending on the validated approximate match records and the validated records.
21. A method as claimed in claim 20, which includes calculating a rule match value depending on the closeness of the call record match to the alarm rule, and determining a match if the rule match value exceeds a first threshold parameter of the alarm rule.
22. The method as claimed in claim 21, including determining an approximate match if the rule match value exceeds a second threshold parameter of the alarm rule.
23. The method as claimed in claim 22, in which the second threshold parameter is defined by the first threshold parameter set by the tolerance value.
24. The method as claimed in any of claims 21 to 23, which includes altering the first threshold parameter of the alarm rule.
25. The method as claimed in claim 22 or claim 23, which includes altering the second threshold parameter of the alarm rule.
26. The method as claimed in claim 25, which includes altering the second threshold parameter depending on the distribution of the rule match values of the approximate match records.
27. The method as claimed in any of claims 20 to 26, which includes altering the alarm rule depending on the cost of the estimated fraud.
28. The method as claimed in claim 27, which includes altering the alarm rule depending on the degree to which the estimated fraud cost is changing.
29. The method as claimed in any of claims 20 to 28, which includes automatically altering the alarm rule.
30. The method as claimed in any of claims 20 to 28, which includes altering the alarm rule, only upon receipt of the user's validity requirement.
31. The method as claimed in any of claims 20 to 30, which includes storing the match records in a positive match file and the approximate match records in a negative match file.
32. The method as claimed in any of claims 22 to 31, as in claim 21, which includes ordering the positive and negative match files according to the rule matching values of the respective registers.
33. The method as claimed in any of claims 20 to 32, which includes comparing each call with the alarm rule, depending on the external information of the database.
34. The method as claimed in any of claims 20 to 33, which includes automatically providing the expected fraud indication for each record.
35. The method as claimed in any of claims 20 to 33, which includes providing the user validation of each record.
36. The method as claimed in any of claims 20 to 35, which includes comparing each call record with a plurality of alarm rules and altering each alarm rule individually.
37. The method as claimed in claim 36, which includes altering each individual alarm rule depending on the validated match and the approximate match records which correspond to the individual alarm rule.
MXPA/A/1998/007768A 1996-03-29 1998-09-23 Fraud prevention in a telecommunication network MXPA98007768A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB9606792.1 1996-03-29

Publications (1)

Publication Number Publication Date
MXPA98007768A true MXPA98007768A (en) 1999-02-24
