WO2019226129A2 - A system and a method that detect ott bypass fraud using network-data analysis - Google Patents
A system and a method that detect ott bypass fraud using network-data analysis Download PDFInfo
- Publication number
- WO2019226129A2 WO2019226129A2 PCT/TR2018/050770 TR2018050770W WO2019226129A2 WO 2019226129 A2 WO2019226129 A2 WO 2019226129A2 TR 2018050770 W TR2018050770 W TR 2018050770W WO 2019226129 A2 WO2019226129 A2 WO 2019226129A2
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- module
- enables
- mentioned
- call
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/02—Details
- H04L12/14—Charging, metering or billing arrangements for data wireline or wireless communications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
- H04M15/04—Recording calls, or communications in printed, perforated or other permanent form
- H04M15/06—Recording class or number of calling, i.e. A-party or called party, i.e. B-party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M15/00—Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
- H04M15/47—Fraud detection or prevention means
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/24—Accounting or billing
Definitions
- the present disclosure is related to a system and a method for use in the telecommunication sector that prevents fraud activities carried out by using OTT (Over The Top) Bypass method.
- OTT Over The Top
- the OTT Bypass method causes loss of income to telecom operators and customer dissatisfaction, through detection abnormal OTT call via analyzing the network data structures of the subscribers that receive data service.
- the present disclosure is mainly related to the detection of OTT calls made by using internet infrastructure of terminated (bypassed) operators.
- TCG Test Call Generators
- TCG platforms provide call origination points from various networks in various countries.
- An operator that uses a TCG platform can make a call to its network from various operators in the world.
- These platforms show a bypass in incoming call routes.
- a worldwide TCG platform is required. Also, it is required to do this over a sample space; therefore it cannot provide notification in the matter of the bypass ratio.
- it is attempted to detect the users of SIM Box and OTT Bypass methods that realize the fraud type called“Interconnect Bypass”.
- TCG Test Call Generators
- TCG the method named as TCG is used for solving this problem and it solves this problem in a sample space but, it cannot provide an exact solution.
- the interconnection operators that use this method also take measures and they make it difficult to detect by this method thereby carrying OTT Bypass Gateways to Amazon Web Services.
- an illegal traffic detection system comprises: a traffic collecting unit for collecting call traffic from an exchange, and parsing a call detail record (CDR) from the call traffic; a pattern detection unit for detecting, from the call traffic, whether pre-defined patterns appearing in illegal traffic occur for each type of pattern, on the basis of the call detail record; and an illegal traffic detection unit for determining whether the call traffic is illegal traffic, on the basis of the result of the pattern detection for each type of pattern, and transmitting the determination result to the exchange, wherein the illegal traffic is traffic that is fed into the exchange via an illegal traffic path instead of via a normal traffic path provided by a communication service provider.
- CDR call detail record
- the method includes the following steps: gathering traffic packages transmitted between the internet exchange (IX) sections, ; producing a flow for the traffic package by realizing the flow process for the traffic packages and determining a VoIP traffic candidate by realizing a flow pattern analysis on the obtained flow (b); and in case the relation of VoIP traffic candidate with the one that passes through detour charging that charges the VoIP traffic via a traffic analysis, controlling whether the equipment belongs to IX section is an ID of a subscriber or not (c), via providing the following steps by module (SIM) box or relevant equipment.”.
- IX internet exchange
- the invention provides a method for facilitating roaming tests for a host network.
- the method includes creating a fake profile via a gateway associated with the host network for a roaming subscriber at a Mobile Switching Center (MSC) / Visiting Location Register (VLR).
- MSC Mobile Switching Center
- VLR Visit Location Register
- the MSC/VLR is associated with at least one of the host network and a roaming partner network of the host network.
- the roaming subscriber is associated with both the host network and the roaming partner network.
- the method further includes simulating via the gateway, transactions with a first network element associated with at least one of the host network and the roaming partner network to test at least one of the first network element's response for the simulated transactions, and network routing on the roaming subscriber to a second network element associated with at least one of the host network and the roaming partner network.”
- the methods include generating one or more test calls from a remote agent to a local agent where the remote agent can be a roaming agent or a remote dialer.
- a local agent is a subscriber number.
- the methods further include facilitating call forwarding of the test calls from the local agent to a local number.
- the methods include identifying the presence of bypass fraud by analyzing caller identification information of the test call received on the local number.
- the methods include preventing future use of a detected SIM box.
- the invention aims to solve the disadvantages mentioned above by being inspired by the current conditions.
- the aim of the invention is to provide a system for use in the telecommunication system that prevents the fraud activities made by using OTT (Over The Top) Bypass method that causes loss of income to the telecom operators and customer dissatisfaction, by means of detecting abnormal OTT call via analyzing the network data structures of the subscribers that receive data service and a method thereof.
- OTT Over The Top
- Another aim of the invention is to reestablish the prestige of the telecom operators that encounters financial loss due to this fraud method and cannot provide a high-quality service to its customers.
- the present disclosure comprises the following;
- a Fraud Detection Unit that processes the data received from mentioned Deep Package Analysis Application, which enables to detect anomalies and fraud, comprises the following;
- Preprocess and Enrichment Module which enables to preprocess data distributed to itself by means of mentioned Data Collection and Distribution Manager and enables the enrichment of the received data with reference to the data received from the IP address, country, city or operator,
- Profiling Module which enables profiling and indexing the call, the user, the group, the region, the data, the customers and the groups,
- Rule and Decision Engine that enables the constitution of analytical rules according to traffic, content and structural criteria and enables to take risks and decisions according to mentioned rules
- Analytic Module that enables behavior analysis, anomaly detection and detection of fraud by means of machine learning algorithms
- Alarm and Notification Module that produces an appropriate alarm and notification data appropriate to the data in terms of the availability of the fraud determination received from mentioned Rule and Decision Engine and Analytic Module
- a Firewall enables to enter the relevant rules in order to prevent suspected data reported by mentioned Alarm and Notification Module.
- Figure-1 is a representative view of the system that determines the network-data analysis and OTT fraud subject of the present invention.
- Figure-2 is an internal structure of the Fraud Detection Unit within the system that detects the network-data analysis and OTT fraud subject of the present invention.
- Figure-3 is a flow scheme of the system that detects the network-data analysis and OTT fraud subject of the present invention.
- the process start by receiving the incoming call packages from specific ports (UDP and TCP Ports: 5242, 4244, 5243, 9785, 8443, 4433, 31337,%) by means of a Deep Package Analysis Application (10), continue with transmitting the relevant information about suspected network data to be used by the applications used for OTT Bypass transiently to the Fraud Detection Unit (20).
- the data transmitted into the Fraud Detection Unit (20) are gathered together for creating the call detail records.
- the invention aim is to demonstrate the applications used for fraud, and the pattern and signature of OTT Bypass fraud. There is much statistical information in the call detail records, and the values of these parameters change in the flow data. There is information such as source and destination IP addresses of the package, port, protocol, payload size.
- the first stage of OTT Bypass detection is to determine the call type (voice, video, instant messaging) of the incoming packages.
- the size of the relevant packages of such call types differs and in an OTT Bypass call, there is only one call type as voice data.
- the aim of the OTT Gateway that performs the bypass process is to terminate the sound calls.
- the parameters such as the number of packages and arrival times of the packages after the determination of the package sizes, differences between it last arrival and current arrival, start and end time of the call are determined.
- the rules are defined in Rule and Decision Engine (25).
- the risk scores are defined according to created rules.
- parameters detect the anomalies by means of machine learning based algorithms (decision tree and change point detection) within the Analytic Module (26) and detailed analysis of these anomalies obtain OTT Bypass suspicion ratio.
- the warning and notifications relevant to the Alarm and Notification Module (27) according to the suspicion ratio with regard to the request of the operator are performed. If a Firewall (30) is used, the call is prevented by defining this notification on the Firewall (30). If the Firewall (30) provides an application programming interface (API) or web service, these notifications are sent automatically and prevention action is taken.
- API application programming interface
- the invention is adapted to perform by the following procedure steps;
- the Deep Package Analysis Application (10) collects the network data determined by tapping to the ports used by the applications for OTT Bypass of the subscribers that receive data service by using the infrastructure of the bypassed operators and transmits (1001 ) to the Fraud Detection Unit (20),
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Computer Security & Cryptography (AREA)
- Monitoring And Testing Of Exchanges (AREA)
- Telephonic Communication Services (AREA)
Abstract
The invention is related to a system and a method for use in the telecommunication system that prevents the fraud activities made by using a method named as OTT (Over The Top) Bypass that causes loss of income to the telecom operators and customer dissatisfaction, by means of detecting abnormal OTT call via analyzing the network data structures of the subscribers that receive data service. The invention is particularly related to the determination of OTT calls made by using the internet infrastructure of the operators that are terminated (bypassed).
Description
A SYSTEM AND A METHOD THAT DETECT OTT BYPASS FRAUD USING NETWORK-
DATA ANALYSIS
Technical Field
The present disclosure is related to a system and a method for use in the telecommunication sector that prevents fraud activities carried out by using OTT (Over The Top) Bypass method. The OTT Bypass method causes loss of income to telecom operators and customer dissatisfaction, through detection abnormal OTT call via analyzing the network data structures of the subscribers that receive data service.
The present disclosure is mainly related to the detection of OTT calls made by using internet infrastructure of terminated (bypassed) operators.
Prior Art
According to the global fraud loss report published in the year 2015, the loss of the telecom due to fraud is 38,1 billion dollars ($). In addition to this, the quantity of the fraud that is not recorded is much higher than this amount. Six billion dollars ($) of this amount is named as “Interconnect Bypass” fraud.
International calls are transmitted to the customer by means of operators via legal channels and routes in connection with the contracts between countries and operators.
Nowadays, it is seen that this international route is deactivated, in other words bypassed. Different types of bypass systems have been available since the eighties. Particularly a phenomenon is encountered named with the GSM Gateway or the SIMBox that has intensely increased during the last ten years. To explain briefly; the calls started from one country are terminated with an illegal manner in another country by means of SIMBox however it seems to be legal, and this method decreases the income of the operators. Unfair revenues are acquired, and the taxes are evaded by using the infrastructure of the operators. During the last 5-6 years, because the messaging applications such as“Whatsapp, Viber, Tango, Skype” named as the OTT (Over the Top) become widespread, the route of calls changes and the
process starts by the decrease of SMS revenues and continues with the decrease of sound revenues.
Besides the illegal call termination by means of SIMBox, the illegal termination by using these applications are occurred. Dramatic decreases are observed in the operator revenues by this method named as OTT Bypass fraud. If it is required to explain the subject clearly with an example; All’s calling to Ay§e’s Viber application in her phone via his Viber application in his phone is a regular OTT call. However when AN is in England and tries to call Ay§e who is in T urkey by making a GSM or VoIP call, and if this call seems to be a Viber call to Ay§e, this call is defined as“OTT Bypass fraud”.
Example OTT Bypass Scenario
Therefore, the telecom operators lose their potential call termination revenues and their prestige due to not set up a high-quality call. On the other hand, the customers encounter high bills due to the low-quality calls and long call set-up times and delays. On the side of the government, it encounters income tax loss and losses due to operator license violations.
The operators use Test Call Generators (TCG) platform and applications in order to detect such fraud activities and service quality within the interconnections. There are many commercial products in this respect. TCG platforms provide call origination points from various networks in various countries. An operator that uses a TCG platform can make a call to its network from various operators in the world. These platforms show a bypass in incoming call routes. In order to detect whether there is a bypass in outgoing calls or not, a worldwide TCG platform is required. Also, it is required to do this over a sample space; therefore it cannot provide notification in the matter of the bypass ratio. Together with these expensive and
challenging applications, it is attempted to detect the users of SIM Box and OTT Bypass methods that realize the fraud type called“Interconnect Bypass”.
Test Call Generators (TCG) are the solutions of providing revenue that do the same activities (increase) on the telecom network, in order to determine the potential revenue loss and to provide its convenience to the legislation. Both the cellular and the fixed line telecom operator benefits from the test call generators, in order to measure the call origination time/period and to confirm the telecommunication rating for the call detail record (CDR) conformity. Some services provided by TCG’s are as follows:
• Real-time test realization for multiple calls and data service (e.g. sound, SMS, MMS, HTTP, mobile TV, video call, download (games, ringtones...))
• End-to-end call detail record (CDR),
· Confirmation test of new tariffs,
• CDR mapping conformity,
• Call rating confirmation for interconnection and retail invoicing,
• Legal conformity test,
• Network performance tests in order to confirm new network components,
An example process referred to a commercial product is as follows:
As a result, the method named as TCG is used for solving this problem and it solves this problem in a sample space but, it cannot provide an exact solution. The interconnection operators that use this method also take measures and they make it difficult to detect by this method thereby carrying OTT Bypass Gateways to Amazon Web Services.
In the summary of a PCT application No“WO2016195261” titled“Illegal traffic detection device and method” that is in the literature and found as a result of the research made, it is stated that “Disclosed are an illegal traffic detection device and a method therefor. Here, an illegal traffic detection system comprises: a traffic collecting unit for collecting call traffic from an exchange, and parsing a call detail record (CDR) from the call traffic; a pattern detection unit for detecting, from the call traffic, whether pre-defined patterns appearing in illegal traffic occur for each type of pattern, on the basis of the call detail record; and an illegal traffic detection unit for determining whether the call traffic is illegal traffic, on the basis of the result of the pattern detection for each type of pattern, and transmitting the determination result to the exchange, wherein the illegal traffic is traffic that is fed into the exchange via an illegal traffic path instead of via a normal traffic path provided by a communication service provider.
As a result of another research, in the summary of the Korean patent application No “KR101630838B1” titled“Method of detecting toll bypass fraud” it is stated that“The invention relates to a method for detecting illegal detour charging. The method includes the following steps: gathering traffic packages transmitted between the internet exchange (IX) sections, ; producing a flow for the traffic package by realizing the flow process for the traffic packages and determining a VoIP traffic candidate by realizing a flow pattern analysis on the obtained flow (b); and in case the relation of VoIP traffic candidate with the one that passes through detour charging that charges the VoIP traffic via a traffic analysis, controlling whether the equipment belongs to IX section is an ID of a subscriber or not (c), via providing the following steps by module (SIM) box or relevant equipment.”.
As a result of another research in the literature, in the summary of the application No “W02009015273” titled“The invention provides a method for facilitating roaming tests for a host network. The method includes creating a fake profile via a gateway associated with the host network for a roaming subscriber at a Mobile Switching Center (MSC) / Visiting Location Register (VLR). The MSC/VLR is associated with at least one of the host network and a roaming partner network of the host network. The roaming subscriber is associated with both the host network and the roaming partner network. The method further includes simulating via the gateway, transactions with a first network element associated with at least one of the host
network and the roaming partner network to test at least one of the first network element's response for the simulated transactions, and network routing on the roaming subscriber to a second network element associated with at least one of the host network and the roaming partner network.”
As a result of another research in the literature, in the summary of the application No “US9002320” titled “Advanced predictive intelligence for termination bypass detection and prevention” it is stated that;“Provided are methods and systems for detecting and preventing bypass fraud in telecommunication networks, primarily for detecting and preventing SIM box fraud in telecommunication networks. The methods include generating one or more test calls from a remote agent to a local agent where the remote agent can be a roaming agent or a remote dialer. A local agent is a subscriber number. The methods further include facilitating call forwarding of the test calls from the local agent to a local number. The methods include identifying the presence of bypass fraud by analyzing caller identification information of the test call received on the local number. Finally, the methods include preventing future use of a detected SIM box.
As a result, due to the disadvantages mentioned above and the inability of current solutions, it is required development in the relevant technical field in terms of this issue.
The aim of the Invention
The invention aims to solve the disadvantages mentioned above by being inspired by the current conditions.
The aim of the invention is to provide a system for use in the telecommunication system that prevents the fraud activities made by using OTT (Over The Top) Bypass method that causes loss of income to the telecom operators and customer dissatisfaction, by means of detecting abnormal OTT call via analyzing the network data structures of the subscribers that receive data service and a method thereof.
Another aim of the invention is to reestablish the prestige of the telecom operators that encounters financial loss due to this fraud method and cannot provide a high-quality service to its customers.
In order to realize the aims as mentioned above, the present disclosure comprises the following;
> a Deep Package Analysis Application that provides type information in the matter of source and destination IPs, port numbers and packages by analyzing payloads and enables to transmit the packages of the applications used for OTT bypass,
> a Fraud Detection Unit that processes the data received from mentioned Deep Package Analysis Application, which enables to detect anomalies and fraud, comprises the following;
• a Data Collection and Distribution Manager that enables to collect and distribute the packages that belong to the network data received through mentioned Deep Package Analysis Application,
• Preprocess and Enrichment Module which enables to preprocess data distributed to itself by means of mentioned Data Collection and Distribution Manager and enables the enrichment of the received data with reference to the data received from the IP address, country, city or operator,
• Enriched Data Module wherein the data that is preprocessed and enriched by means of mentioned Preprocess and Enrichment Module are stored,
• Profiling Module which enables profiling and indexing the call, the user, the group, the region, the data, the customers and the groups,
• Rule and Decision Engine that enables the constitution of analytical rules according to traffic, content and structural criteria and enables to take risks and decisions according to mentioned rules,
• Analytic Module that enables behavior analysis, anomaly detection and detection of fraud by means of machine learning algorithms,
• Alarm and Notification Module that produces an appropriate alarm and notification data appropriate to the data in terms of the availability of the fraud determination received from mentioned Rule and Decision Engine and Analytic Module,
> A Firewall enables to enter the relevant rules in order to prevent suspected data reported by mentioned Alarm and Notification Module.
Figures
Figure-1 : is a representative view of the system that determines the network-data analysis and OTT fraud subject of the present invention.
Figure-2: is an internal structure of the Fraud Detection Unit within the system that detects the network-data analysis and OTT fraud subject of the present invention.
Figure-3: is a flow scheme of the system that detects the network-data analysis and OTT fraud subject of the present invention.
Description of the Reference Numbers of the Parts
10. Deep Package Analysis Application
20. Fraud Detection Unit
21 . Data Collection and Distribution Manager
22. Preprocess and Enrichment Module
23. Enriched Data Module
24. Profiling Module
25. Rule and Decision Engine
26. Analytic Module
27. Alarm and Notification Module
30. Firewall
Detailed Description of the Invention
In this detailed description, preferred embodiments of the invention are described for understanding the subject better and do not have a limiting effect.
The process start by receiving the incoming call packages from specific ports (UDP and TCP Ports: 5242, 4244, 5243, 9785, 8443, 4433, 31337,...) by means of a Deep Package Analysis Application (10), continue with transmitting the relevant information about suspected network data to be used by the applications used for OTT Bypass transiently to the Fraud Detection Unit (20). The data transmitted into the Fraud Detection Unit (20) are gathered together for creating the call detail records.
The invention aim is to demonstrate the applications used for fraud, and the pattern and signature of OTT Bypass fraud. There is much statistical information in the call detail records, and the values of these parameters change in the flow data. There is information such as source and destination IP addresses of the package, port, protocol, payload size. Since the packages are encrypted, there is no opportunity to analyze the section wherein there are portable data information called payload. The first stage of OTT Bypass detection is to determine the call type (voice, video, instant messaging) of the incoming packages. The size of the relevant packages of such call types differs and in an OTT Bypass call, there is only one call type as voice data. The aim of the OTT Gateway that performs the bypass process is to terminate the sound calls. In order to determine the call types exactly, the parameters such as the number of packages and arrival times of the packages after the determination of the package sizes, differences between it last arrival and current arrival, start and end time of the call are determined. In order to create rules according to average values by taking the regular call as a reference and to detect the calls are not according with these parameters, the rules are defined in Rule and Decision Engine (25). The risk scores are defined according to created rules. Also, parameters detect the anomalies by means of machine learning based algorithms (decision tree and change point detection) within the Analytic Module (26) and detailed analysis of these anomalies obtain OTT Bypass suspicion ratio. The warning and notifications relevant to the Alarm and Notification Module (27) according to the suspicion ratio with regard to the request of the operator are performed. If a Firewall (30) is used, the call is prevented by defining this notification on the Firewall (30). If the Firewall (30) provides an application programming interface (API) or web service, these notifications are sent automatically and prevention action is taken.
Operating Principle of the Invention
The invention is adapted to perform by the following procedure steps;
• The Deep Package Analysis Application (10) collects the network data determined by tapping to the ports used by the applications for OTT Bypass of the subscribers that receive data service by using the infrastructure of the bypassed operators and transmits (1001 ) to the Fraud Detection Unit (20),
• collecting the suspected network data received from the Deep Package Analysis Application (10) transiently by means of the collection and distribution manager (21 ) within the Fraud Detection Unit (20), converting it to a common format for the call record
and after the call record is created transmitting (1002) these to the Preprocess and Enrichment Module (22),
• transmitting (1003) the data to the Enriched Data Module (23) by determining -the country, city or operator of the data from the IP address information- in order to perform normalization and enrichment processes interested in the received call by means of Preprocess and Enrichment Module (22),
• transmitting the final formed data in the Enriched Data Module (23) to the Profiling Module (24) and profiling and indexing (1004) the call, the user, the group, the region, the data, the customers and groups by means of mentioned Profiling Module (24) according to the criteria, (The operations in this module are significant for high-speed operation of the Rule and Decision Engine (25). At the same time, they are also used for the visualization of the data. The outputs of the Profiling Module (24) are used in the Rule and Decision Module (25) and Analytic Module (26).)
• defining the rules of the call and call packages of by means of the Rule and Decision Engine (25) for determining OTT Bypass by using parameters that are defined in mentioned Rule and Decision Engine (25) and defining a risk score for each mentioned rule, transmitting (1005) the obtained outputs directly to the Alarm and Notification Module (27) according to the level of the risk score and user definition, at the same time transmitting mentioned outputs to the Analytic Module (26) independent from the risk score,
• detecting the anomalies that could not be determined by means of mentioned Rule and Decision Engine (25) in the Analytic Module (26), by means of using machine learning algorithms and transmitting (1006) the suspected cases obtained by means of the Analytic Module (26) to mentioned Alarm and Notification Module (27),
• creating and transmitting alarm and notification data of all suspected cases received by the Alarm and Notification Module (27), if a Firewall (30) is used, providing prevention (1007) on the Firewall (30) in order to prevent the suspected cases.
Claims
1. A system for use in the telecommunication sector that prevents fraud activities carried out by using a method named as OTT (Over The Top) Bypass which causes loss of income to telecom operators and customer dissatisfaction, by means of determining abnormal OTT call via analyzing network data structures of subscribers that receive data services, characterized in that it comprises the following;
> A Deep Package Analysis Application (10) that provides type information in the matter of source and destination IPs, port numbers and payloads by analyzing packets and enables to transmit the packages of the applications used for OTT bypass,
> a Fraud Detection Unit (20) that processes the data received from mentioned Deep Package Analysis Application (10), which enables to detect anomalies and fraud, comprises the following;
• a Data Collection and Distribution Manager (21 ) that enables to collect and distribute the packages that belong to the network data received through mentioned Deep Package Analysis Application (10),
• Preprocess and Enrichment Module (22) which enables to preprocess data distributed to itself by means of mentioned Data Collection and Distribution Manager (21 ) and enables the enrichment of the received data with reference to the data received from the IP address, country, city or operator,
• Enriched Data Module (23) wherein the data that is preprocessed and enriched by means of mentioned Preprocess and Enrichment Module (22) are stored,
• Profiling Module (24) which enables profiling and indexing the call, the user, the group, the region, the data, the customers and the groups,
• Rule and Decision Engine (25) that enables the constitution of analytical rules according to traffic, content and structural criteria
and enables to take risks and decisions according to mentioned rules,
• Analytic Module (26) that enables behavior analysis, anomaly determination and determination of fraud by means of machine learning algorithms,
• Alarm and Notification Module (27) that produces an appropriate alarm and notification data appropriate to the data in terms of the availability of the fraud determination received from mentioned Rule and Decision Engine (25) and Analytic Module (26),
> Firewall (30) that enables to enter the relevant rules in order to prevent suspected data from mentioned Alarm and Notification Module (27) and to call abandonment.
2. A method for use in the telecommunication sector which prevents fraud activities carried out by using a method named as OTT (Over The Top) Bypass that causes loss of income to telecom operators and customer dissatisfaction, by means of determining abnormal OTT call via analyzing the network data structures of subscribers that receive data service which comprises;
> a Deep Package Analysis Application (10) that provides type information in the matter of source and destination IPs, port numbers and payload by analyzing packets and enables to transmit the packages of the applications used for OTT bypass
> a Fraud Detection Unit (20) that processes the data received from mentioned Deep Package Analysis Application (10), which enables to detect anomalies and fraud, comprises the following;
• a Data Collection and Distribution Manager (21 ) that enables to collect and distribute the packages that belong to the network data received through mentioned Deep Package Analysis Application (10),
• Preprocess and Enrichment Module (22) which enables to preprocess data distributed to itself by means of mentioned Data Collection and Distribution Manager (21 ) and enables the enrichment of the received data with reference to the data received from the IP address, country, city or operator,
• Enriched Data Module (23) wherein the data that is preprocessed and enriched by means of mentioned Preprocess and Enrichment Module (22) are stored,
• Profiling Module (24) which enables profiling and indexing the call, the user, the group, the region, the data, the customers and the groups,
• Rule and Decision Engine (25) that enables the constitution of analytical rules according to traffic, content and structural criteria and enables to take risks and decisions according to mentioned rules,
• Analytic Module (26) that enables behavior analysis, anomaly determination and determination of fraud by means of machine learning algorithms,
• Alarm and Notification Module (27) that produces an appropriate alarm and notification data appropriate to the data in terms of the availability of the fraud determination received from mentioned Rule and Decision Engine (25) and Analytic Module (26),
> Firewall (30) that enables to enter the relevant rules in order to prevent suspected data from mentioned Alarm and Notification Module (27) and to call abandonment. characterized in that the method comprises the following procedure steps;
• the Deep Package Analysis Application (10) collects the network data determined by tapping to the ports used by the applications for OTT Bypass of the subscribers that receive data service by using the infrastructure of the bypassed operators and transmits (1001 ) to the Fraud Detection Unit (20),
• collecting the suspected network data received from the Deep Package Analysis Application (10) transiently by means of the Data Collection and Distribution Manager (21 ) within the Fraud Detection Unit (20), converting it to a common format for the call record and after the call record is created transmitting (1002) these to the Preprocess and Enrichment Module (22),
• transmitting (1003) the data to the Enriched Data Module (23) by determining -the country, city or operator of the data from the IP address information- in order to perform
normalization and enrichment processes interested in the received call by means of Preprocess and Enrichment Module (22),
• transmitting the final formed data in the Enriched Data Module (23) to the Profiling Module (24) and profiling and indexing (1004) the call, the user, the group, the region, the data, the customers and groups by means of mentioned Profiling Module (24) according to the criteria,
• defining the rules of the call and call packages of by means of the Rule and Decision Engine (25) for determining OTT Bypass by using parameters that are defined in mentioned Rule and Decision Engine (25) and defining a risk score for each mentioned rule, transmitting (1005) the obtained outputs directly to the Alarm and Notification
Module (27) according to the level of the risk score and user definition, at the same time transmitting mentioned outputs to the Analytic Module (26) independent from the risk score,
• detecting the anomalies that could not be determined by means of mentioned Rule and Decision Engine (25) in the Analytic Module (26), by means of using machine learning algorithms and transmitting (1006) the suspected cases obtained by means of mentioned Analytic Module (26) to the Alarm and Notification Module (27),
• creating and transmitting alarm and notification data of all suspected cases received by the Alarm and Notification Module (27), if a Firewall (30) is used, providing prevention (1007) on the Firewall (30) in order to prevent the suspected cases.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TR201722247 | 2017-12-27 | ||
TR2017/22247 | 2017-12-27 |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2019226129A2 true WO2019226129A2 (en) | 2019-11-28 |
WO2019226129A3 WO2019226129A3 (en) | 2020-01-02 |
Family
ID=68615796
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/TR2018/050770 WO2019226129A2 (en) | 2017-12-27 | 2018-12-06 | A system and a method that detect ott bypass fraud using network-data analysis |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2019226129A2 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2022173409A1 (en) * | 2021-02-15 | 2022-08-18 | Turkcell Teknoloji Arastirma Ve Gelistirme Anonim Sirketi | A method and system for preventing ott bypass fraud |
WO2022173408A3 (en) * | 2021-02-15 | 2022-09-09 | Turkcell Teknoloji Arastirma Ve Gelistirme Anonim Sirketi | A method and system for preventing network originated fraud |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
PL2509294T3 (en) * | 2011-04-08 | 2013-09-30 | Meucci Solutions Nv | A telecommunication network bypass detection system with reduced counter detection risk |
EP3226528A1 (en) * | 2016-03-31 | 2017-10-04 | Sigos NV | Method and system for detection of interconnect bypass using test calls to real subscribers |
-
2018
- 2018-12-06 WO PCT/TR2018/050770 patent/WO2019226129A2/en active Application Filing
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2022173409A1 (en) * | 2021-02-15 | 2022-08-18 | Turkcell Teknoloji Arastirma Ve Gelistirme Anonim Sirketi | A method and system for preventing ott bypass fraud |
WO2022173408A3 (en) * | 2021-02-15 | 2022-09-09 | Turkcell Teknoloji Arastirma Ve Gelistirme Anonim Sirketi | A method and system for preventing network originated fraud |
Also Published As
Publication number | Publication date |
---|---|
WO2019226129A3 (en) | 2020-01-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20090069047A1 (en) | Methods, systems, and computer program products for detecting wireless bypass in a communications network | |
EP3577886B1 (en) | Detection and prevention of unwanted calls in a telecommunications system | |
KR101218253B1 (en) | Fraud security detection system and method | |
US8095109B2 (en) | Charging of GPRS traffic for roaming mobiles by performing traffic counting at the user terminal | |
US10582043B1 (en) | Method of identifying instances of international call interconnect bypass telecommunications fraud | |
US9191351B2 (en) | Real-time fraudulent traffic security for telecommunication systems | |
US11395147B2 (en) | System and method for real time fraud analysis of communications data | |
US7453997B2 (en) | Wireless internet services billing | |
Sahin et al. | Over-the-top bypass: Study of a recent telephony fraud | |
WO2019226129A2 (en) | A system and a method that detect ott bypass fraud using network-data analysis | |
US10917442B2 (en) | System and method for secure billing for IMS-based VoIP networks | |
Kouam et al. | SIMBox bypass frauds in cellular networks: Strategies, evolution, detection, and future directions | |
WO2012136285A1 (en) | A bypass detection system with number masking | |
Sahin et al. | Understanding and Detecting International Revenue Share Fraud. | |
US20070127647A1 (en) | Methods, systems, and computer program products for collecting messages associated with providing prepaid communications services in a communications network | |
WO2019190438A2 (en) | Ott bypass fraud detection by using call detail record and voice quality analytics | |
Airn | Analysis and detection of SIM box | |
Khan et al. | Automatic Monitoring & Detection System (AMDS) for Grey Traffic | |
US8107459B1 (en) | Method and apparatus for executing a call blocking function | |
KR101630838B1 (en) | Method of detecting toll bypass fraud | |
Kehelwala et al. | Real-time grey call detection system using complex event processing | |
Sahin et al. | IRSF: a Billion $ Fraud Abusing International Premium Rate Numbers | |
KR20160086547A (en) | APPARATUS OF DETECTING Toll Bypass Fraud | |
WO2012057601A1 (en) | Voice over internet protocol monitoring system and method | |
Adnan et al. | Illegal VoIP: How to Detect and Counter |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 18920008 Country of ref document: EP Kind code of ref document: A2 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 18920008 Country of ref document: EP Kind code of ref document: A2 |