WO2019226129A2 - A system and a method that detect ott bypass fraud using network-data analysis - Google Patents

A system and a method that detect ott bypass fraud using network-data analysis Download PDF

Info

Publication number
WO2019226129A2
WO2019226129A2 PCT/TR2018/050770 TR2018050770W WO2019226129A2 WO 2019226129 A2 WO2019226129 A2 WO 2019226129A2 TR 2018050770 W TR2018050770 W TR 2018050770W WO 2019226129 A2 WO2019226129 A2 WO 2019226129A2
Authority
WO
WIPO (PCT)
Prior art keywords
data
module
enables
mentioned
call
Prior art date
Application number
PCT/TR2018/050770
Other languages
French (fr)
Other versions
WO2019226129A3 (en
Inventor
Haci Hakan Kilinç
Original Assignee
Netaş Telekomüni̇kasyon Anoni̇m Şi̇rketi̇
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Netaş Telekomüni̇kasyon Anoni̇m Şi̇rketi̇ filed Critical Netaş Telekomüni̇kasyon Anoni̇m Şi̇rketi̇
Publication of WO2019226129A2 publication Critical patent/WO2019226129A2/en
Publication of WO2019226129A3 publication Critical patent/WO2019226129A3/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/02Details
    • H04L12/14Charging, metering or billing arrangements for data wireline or wireless communications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M15/00Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M15/00Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • H04M15/04Recording calls, or communications in printed, perforated or other permanent form
    • H04M15/06Recording class or number of calling, i.e. A-party or called party, i.e. B-party
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M15/00Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • H04M15/47Fraud detection or prevention means
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/24Accounting or billing

Definitions

  • the present disclosure is related to a system and a method for use in the telecommunication sector that prevents fraud activities carried out by using OTT (Over The Top) Bypass method.
  • OTT Over The Top
  • the OTT Bypass method causes loss of income to telecom operators and customer dissatisfaction, through detection abnormal OTT call via analyzing the network data structures of the subscribers that receive data service.
  • the present disclosure is mainly related to the detection of OTT calls made by using internet infrastructure of terminated (bypassed) operators.
  • TCG Test Call Generators
  • TCG platforms provide call origination points from various networks in various countries.
  • An operator that uses a TCG platform can make a call to its network from various operators in the world.
  • These platforms show a bypass in incoming call routes.
  • a worldwide TCG platform is required. Also, it is required to do this over a sample space; therefore it cannot provide notification in the matter of the bypass ratio.
  • it is attempted to detect the users of SIM Box and OTT Bypass methods that realize the fraud type called“Interconnect Bypass”.
  • TCG Test Call Generators
  • TCG the method named as TCG is used for solving this problem and it solves this problem in a sample space but, it cannot provide an exact solution.
  • the interconnection operators that use this method also take measures and they make it difficult to detect by this method thereby carrying OTT Bypass Gateways to Amazon Web Services.
  • an illegal traffic detection system comprises: a traffic collecting unit for collecting call traffic from an exchange, and parsing a call detail record (CDR) from the call traffic; a pattern detection unit for detecting, from the call traffic, whether pre-defined patterns appearing in illegal traffic occur for each type of pattern, on the basis of the call detail record; and an illegal traffic detection unit for determining whether the call traffic is illegal traffic, on the basis of the result of the pattern detection for each type of pattern, and transmitting the determination result to the exchange, wherein the illegal traffic is traffic that is fed into the exchange via an illegal traffic path instead of via a normal traffic path provided by a communication service provider.
  • CDR call detail record
  • the method includes the following steps: gathering traffic packages transmitted between the internet exchange (IX) sections, ; producing a flow for the traffic package by realizing the flow process for the traffic packages and determining a VoIP traffic candidate by realizing a flow pattern analysis on the obtained flow (b); and in case the relation of VoIP traffic candidate with the one that passes through detour charging that charges the VoIP traffic via a traffic analysis, controlling whether the equipment belongs to IX section is an ID of a subscriber or not (c), via providing the following steps by module (SIM) box or relevant equipment.”.
  • IX internet exchange
  • the invention provides a method for facilitating roaming tests for a host network.
  • the method includes creating a fake profile via a gateway associated with the host network for a roaming subscriber at a Mobile Switching Center (MSC) / Visiting Location Register (VLR).
  • MSC Mobile Switching Center
  • VLR Visit Location Register
  • the MSC/VLR is associated with at least one of the host network and a roaming partner network of the host network.
  • the roaming subscriber is associated with both the host network and the roaming partner network.
  • the method further includes simulating via the gateway, transactions with a first network element associated with at least one of the host network and the roaming partner network to test at least one of the first network element's response for the simulated transactions, and network routing on the roaming subscriber to a second network element associated with at least one of the host network and the roaming partner network.”
  • the methods include generating one or more test calls from a remote agent to a local agent where the remote agent can be a roaming agent or a remote dialer.
  • a local agent is a subscriber number.
  • the methods further include facilitating call forwarding of the test calls from the local agent to a local number.
  • the methods include identifying the presence of bypass fraud by analyzing caller identification information of the test call received on the local number.
  • the methods include preventing future use of a detected SIM box.
  • the invention aims to solve the disadvantages mentioned above by being inspired by the current conditions.
  • the aim of the invention is to provide a system for use in the telecommunication system that prevents the fraud activities made by using OTT (Over The Top) Bypass method that causes loss of income to the telecom operators and customer dissatisfaction, by means of detecting abnormal OTT call via analyzing the network data structures of the subscribers that receive data service and a method thereof.
  • OTT Over The Top
  • Another aim of the invention is to reestablish the prestige of the telecom operators that encounters financial loss due to this fraud method and cannot provide a high-quality service to its customers.
  • the present disclosure comprises the following;
  • a Fraud Detection Unit that processes the data received from mentioned Deep Package Analysis Application, which enables to detect anomalies and fraud, comprises the following;
  • Preprocess and Enrichment Module which enables to preprocess data distributed to itself by means of mentioned Data Collection and Distribution Manager and enables the enrichment of the received data with reference to the data received from the IP address, country, city or operator,
  • Profiling Module which enables profiling and indexing the call, the user, the group, the region, the data, the customers and the groups,
  • Rule and Decision Engine that enables the constitution of analytical rules according to traffic, content and structural criteria and enables to take risks and decisions according to mentioned rules
  • Analytic Module that enables behavior analysis, anomaly detection and detection of fraud by means of machine learning algorithms
  • Alarm and Notification Module that produces an appropriate alarm and notification data appropriate to the data in terms of the availability of the fraud determination received from mentioned Rule and Decision Engine and Analytic Module
  • a Firewall enables to enter the relevant rules in order to prevent suspected data reported by mentioned Alarm and Notification Module.
  • Figure-1 is a representative view of the system that determines the network-data analysis and OTT fraud subject of the present invention.
  • Figure-2 is an internal structure of the Fraud Detection Unit within the system that detects the network-data analysis and OTT fraud subject of the present invention.
  • Figure-3 is a flow scheme of the system that detects the network-data analysis and OTT fraud subject of the present invention.
  • the process start by receiving the incoming call packages from specific ports (UDP and TCP Ports: 5242, 4244, 5243, 9785, 8443, 4433, 31337,%) by means of a Deep Package Analysis Application (10), continue with transmitting the relevant information about suspected network data to be used by the applications used for OTT Bypass transiently to the Fraud Detection Unit (20).
  • the data transmitted into the Fraud Detection Unit (20) are gathered together for creating the call detail records.
  • the invention aim is to demonstrate the applications used for fraud, and the pattern and signature of OTT Bypass fraud. There is much statistical information in the call detail records, and the values of these parameters change in the flow data. There is information such as source and destination IP addresses of the package, port, protocol, payload size.
  • the first stage of OTT Bypass detection is to determine the call type (voice, video, instant messaging) of the incoming packages.
  • the size of the relevant packages of such call types differs and in an OTT Bypass call, there is only one call type as voice data.
  • the aim of the OTT Gateway that performs the bypass process is to terminate the sound calls.
  • the parameters such as the number of packages and arrival times of the packages after the determination of the package sizes, differences between it last arrival and current arrival, start and end time of the call are determined.
  • the rules are defined in Rule and Decision Engine (25).
  • the risk scores are defined according to created rules.
  • parameters detect the anomalies by means of machine learning based algorithms (decision tree and change point detection) within the Analytic Module (26) and detailed analysis of these anomalies obtain OTT Bypass suspicion ratio.
  • the warning and notifications relevant to the Alarm and Notification Module (27) according to the suspicion ratio with regard to the request of the operator are performed. If a Firewall (30) is used, the call is prevented by defining this notification on the Firewall (30). If the Firewall (30) provides an application programming interface (API) or web service, these notifications are sent automatically and prevention action is taken.
  • API application programming interface
  • the invention is adapted to perform by the following procedure steps;
  • the Deep Package Analysis Application (10) collects the network data determined by tapping to the ports used by the applications for OTT Bypass of the subscribers that receive data service by using the infrastructure of the bypassed operators and transmits (1001 ) to the Fraud Detection Unit (20),

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Computer Security & Cryptography (AREA)
  • Monitoring And Testing Of Exchanges (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention is related to a system and a method for use in the telecommunication system that prevents the fraud activities made by using a method named as OTT (Over The Top) Bypass that causes loss of income to the telecom operators and customer dissatisfaction, by means of detecting abnormal OTT call via analyzing the network data structures of the subscribers that receive data service. The invention is particularly related to the determination of OTT calls made by using the internet infrastructure of the operators that are terminated (bypassed).

Description

A SYSTEM AND A METHOD THAT DETECT OTT BYPASS FRAUD USING NETWORK-
DATA ANALYSIS
Technical Field
The present disclosure is related to a system and a method for use in the telecommunication sector that prevents fraud activities carried out by using OTT (Over The Top) Bypass method. The OTT Bypass method causes loss of income to telecom operators and customer dissatisfaction, through detection abnormal OTT call via analyzing the network data structures of the subscribers that receive data service.
The present disclosure is mainly related to the detection of OTT calls made by using internet infrastructure of terminated (bypassed) operators.
Prior Art
According to the global fraud loss report published in the year 2015, the loss of the telecom due to fraud is 38,1 billion dollars ($). In addition to this, the quantity of the fraud that is not recorded is much higher than this amount. Six billion dollars ($) of this amount is named as “Interconnect Bypass” fraud.
International calls are transmitted to the customer by means of operators via legal channels and routes in connection with the contracts between countries and operators.
Nowadays, it is seen that this international route is deactivated, in other words bypassed. Different types of bypass systems have been available since the eighties. Particularly a phenomenon is encountered named with the GSM Gateway or the SIMBox that has intensely increased during the last ten years. To explain briefly; the calls started from one country are terminated with an illegal manner in another country by means of SIMBox however it seems to be legal, and this method decreases the income of the operators. Unfair revenues are acquired, and the taxes are evaded by using the infrastructure of the operators. During the last 5-6 years, because the messaging applications such as“Whatsapp, Viber, Tango, Skype” named as the OTT (Over the Top) become widespread, the route of calls changes and the process starts by the decrease of SMS revenues and continues with the decrease of sound revenues.
Besides the illegal call termination by means of SIMBox, the illegal termination by using these applications are occurred. Dramatic decreases are observed in the operator revenues by this method named as OTT Bypass fraud. If it is required to explain the subject clearly with an example; All’s calling to Ay§e’s Viber application in her phone via his Viber application in his phone is a regular OTT call. However when AN is in England and tries to call Ay§e who is in T urkey by making a GSM or VoIP call, and if this call seems to be a Viber call to Ay§e, this call is defined as“OTT Bypass fraud”.
Figure imgf000004_0001
Example OTT Bypass Scenario
Therefore, the telecom operators lose their potential call termination revenues and their prestige due to not set up a high-quality call. On the other hand, the customers encounter high bills due to the low-quality calls and long call set-up times and delays. On the side of the government, it encounters income tax loss and losses due to operator license violations.
The operators use Test Call Generators (TCG) platform and applications in order to detect such fraud activities and service quality within the interconnections. There are many commercial products in this respect. TCG platforms provide call origination points from various networks in various countries. An operator that uses a TCG platform can make a call to its network from various operators in the world. These platforms show a bypass in incoming call routes. In order to detect whether there is a bypass in outgoing calls or not, a worldwide TCG platform is required. Also, it is required to do this over a sample space; therefore it cannot provide notification in the matter of the bypass ratio. Together with these expensive and challenging applications, it is attempted to detect the users of SIM Box and OTT Bypass methods that realize the fraud type called“Interconnect Bypass”.
Test Call Generators (TCG) are the solutions of providing revenue that do the same activities (increase) on the telecom network, in order to determine the potential revenue loss and to provide its convenience to the legislation. Both the cellular and the fixed line telecom operator benefits from the test call generators, in order to measure the call origination time/period and to confirm the telecommunication rating for the call detail record (CDR) conformity. Some services provided by TCG’s are as follows:
• Real-time test realization for multiple calls and data service (e.g. sound, SMS, MMS, HTTP, mobile TV, video call, download (games, ringtones...))
• End-to-end call detail record (CDR),
· Confirmation test of new tariffs,
• CDR mapping conformity,
• Call rating confirmation for interconnection and retail invoicing,
• Legal conformity test,
• Network performance tests in order to confirm new network components,
An example process referred to a commercial product is as follows:
Figure imgf000005_0001
As a result, the method named as TCG is used for solving this problem and it solves this problem in a sample space but, it cannot provide an exact solution. The interconnection operators that use this method also take measures and they make it difficult to detect by this method thereby carrying OTT Bypass Gateways to Amazon Web Services.
In the summary of a PCT application No“WO2016195261” titled“Illegal traffic detection device and method” that is in the literature and found as a result of the research made, it is stated that “Disclosed are an illegal traffic detection device and a method therefor. Here, an illegal traffic detection system comprises: a traffic collecting unit for collecting call traffic from an exchange, and parsing a call detail record (CDR) from the call traffic; a pattern detection unit for detecting, from the call traffic, whether pre-defined patterns appearing in illegal traffic occur for each type of pattern, on the basis of the call detail record; and an illegal traffic detection unit for determining whether the call traffic is illegal traffic, on the basis of the result of the pattern detection for each type of pattern, and transmitting the determination result to the exchange, wherein the illegal traffic is traffic that is fed into the exchange via an illegal traffic path instead of via a normal traffic path provided by a communication service provider.
As a result of another research, in the summary of the Korean patent application No “KR101630838B1” titled“Method of detecting toll bypass fraud” it is stated that“The invention relates to a method for detecting illegal detour charging. The method includes the following steps: gathering traffic packages transmitted between the internet exchange (IX) sections, ; producing a flow for the traffic package by realizing the flow process for the traffic packages and determining a VoIP traffic candidate by realizing a flow pattern analysis on the obtained flow (b); and in case the relation of VoIP traffic candidate with the one that passes through detour charging that charges the VoIP traffic via a traffic analysis, controlling whether the equipment belongs to IX section is an ID of a subscriber or not (c), via providing the following steps by module (SIM) box or relevant equipment.”.
As a result of another research in the literature, in the summary of the application No “W02009015273” titled“The invention provides a method for facilitating roaming tests for a host network. The method includes creating a fake profile via a gateway associated with the host network for a roaming subscriber at a Mobile Switching Center (MSC) / Visiting Location Register (VLR). The MSC/VLR is associated with at least one of the host network and a roaming partner network of the host network. The roaming subscriber is associated with both the host network and the roaming partner network. The method further includes simulating via the gateway, transactions with a first network element associated with at least one of the host network and the roaming partner network to test at least one of the first network element's response for the simulated transactions, and network routing on the roaming subscriber to a second network element associated with at least one of the host network and the roaming partner network.”
As a result of another research in the literature, in the summary of the application No “US9002320” titled “Advanced predictive intelligence for termination bypass detection and prevention” it is stated that;“Provided are methods and systems for detecting and preventing bypass fraud in telecommunication networks, primarily for detecting and preventing SIM box fraud in telecommunication networks. The methods include generating one or more test calls from a remote agent to a local agent where the remote agent can be a roaming agent or a remote dialer. A local agent is a subscriber number. The methods further include facilitating call forwarding of the test calls from the local agent to a local number. The methods include identifying the presence of bypass fraud by analyzing caller identification information of the test call received on the local number. Finally, the methods include preventing future use of a detected SIM box.
As a result, due to the disadvantages mentioned above and the inability of current solutions, it is required development in the relevant technical field in terms of this issue.
The aim of the Invention
The invention aims to solve the disadvantages mentioned above by being inspired by the current conditions.
The aim of the invention is to provide a system for use in the telecommunication system that prevents the fraud activities made by using OTT (Over The Top) Bypass method that causes loss of income to the telecom operators and customer dissatisfaction, by means of detecting abnormal OTT call via analyzing the network data structures of the subscribers that receive data service and a method thereof.
Another aim of the invention is to reestablish the prestige of the telecom operators that encounters financial loss due to this fraud method and cannot provide a high-quality service to its customers. In order to realize the aims as mentioned above, the present disclosure comprises the following;
> a Deep Package Analysis Application that provides type information in the matter of source and destination IPs, port numbers and packages by analyzing payloads and enables to transmit the packages of the applications used for OTT bypass,
> a Fraud Detection Unit that processes the data received from mentioned Deep Package Analysis Application, which enables to detect anomalies and fraud, comprises the following;
• a Data Collection and Distribution Manager that enables to collect and distribute the packages that belong to the network data received through mentioned Deep Package Analysis Application,
• Preprocess and Enrichment Module which enables to preprocess data distributed to itself by means of mentioned Data Collection and Distribution Manager and enables the enrichment of the received data with reference to the data received from the IP address, country, city or operator,
• Enriched Data Module wherein the data that is preprocessed and enriched by means of mentioned Preprocess and Enrichment Module are stored,
• Profiling Module which enables profiling and indexing the call, the user, the group, the region, the data, the customers and the groups,
• Rule and Decision Engine that enables the constitution of analytical rules according to traffic, content and structural criteria and enables to take risks and decisions according to mentioned rules,
• Analytic Module that enables behavior analysis, anomaly detection and detection of fraud by means of machine learning algorithms,
• Alarm and Notification Module that produces an appropriate alarm and notification data appropriate to the data in terms of the availability of the fraud determination received from mentioned Rule and Decision Engine and Analytic Module,
> A Firewall enables to enter the relevant rules in order to prevent suspected data reported by mentioned Alarm and Notification Module. Figures
Figure-1 : is a representative view of the system that determines the network-data analysis and OTT fraud subject of the present invention.
Figure-2: is an internal structure of the Fraud Detection Unit within the system that detects the network-data analysis and OTT fraud subject of the present invention.
Figure-3: is a flow scheme of the system that detects the network-data analysis and OTT fraud subject of the present invention.
Description of the Reference Numbers of the Parts
10. Deep Package Analysis Application
20. Fraud Detection Unit
21 . Data Collection and Distribution Manager
22. Preprocess and Enrichment Module
23. Enriched Data Module
24. Profiling Module
25. Rule and Decision Engine
26. Analytic Module
27. Alarm and Notification Module
30. Firewall
Detailed Description of the Invention
In this detailed description, preferred embodiments of the invention are described for understanding the subject better and do not have a limiting effect.
The process start by receiving the incoming call packages from specific ports (UDP and TCP Ports: 5242, 4244, 5243, 9785, 8443, 4433, 31337,...) by means of a Deep Package Analysis Application (10), continue with transmitting the relevant information about suspected network data to be used by the applications used for OTT Bypass transiently to the Fraud Detection Unit (20). The data transmitted into the Fraud Detection Unit (20) are gathered together for creating the call detail records. The invention aim is to demonstrate the applications used for fraud, and the pattern and signature of OTT Bypass fraud. There is much statistical information in the call detail records, and the values of these parameters change in the flow data. There is information such as source and destination IP addresses of the package, port, protocol, payload size. Since the packages are encrypted, there is no opportunity to analyze the section wherein there are portable data information called payload. The first stage of OTT Bypass detection is to determine the call type (voice, video, instant messaging) of the incoming packages. The size of the relevant packages of such call types differs and in an OTT Bypass call, there is only one call type as voice data. The aim of the OTT Gateway that performs the bypass process is to terminate the sound calls. In order to determine the call types exactly, the parameters such as the number of packages and arrival times of the packages after the determination of the package sizes, differences between it last arrival and current arrival, start and end time of the call are determined. In order to create rules according to average values by taking the regular call as a reference and to detect the calls are not according with these parameters, the rules are defined in Rule and Decision Engine (25). The risk scores are defined according to created rules. Also, parameters detect the anomalies by means of machine learning based algorithms (decision tree and change point detection) within the Analytic Module (26) and detailed analysis of these anomalies obtain OTT Bypass suspicion ratio. The warning and notifications relevant to the Alarm and Notification Module (27) according to the suspicion ratio with regard to the request of the operator are performed. If a Firewall (30) is used, the call is prevented by defining this notification on the Firewall (30). If the Firewall (30) provides an application programming interface (API) or web service, these notifications are sent automatically and prevention action is taken.
Operating Principle of the Invention
The invention is adapted to perform by the following procedure steps;
• The Deep Package Analysis Application (10) collects the network data determined by tapping to the ports used by the applications for OTT Bypass of the subscribers that receive data service by using the infrastructure of the bypassed operators and transmits (1001 ) to the Fraud Detection Unit (20),
• collecting the suspected network data received from the Deep Package Analysis Application (10) transiently by means of the collection and distribution manager (21 ) within the Fraud Detection Unit (20), converting it to a common format for the call record and after the call record is created transmitting (1002) these to the Preprocess and Enrichment Module (22),
• transmitting (1003) the data to the Enriched Data Module (23) by determining -the country, city or operator of the data from the IP address information- in order to perform normalization and enrichment processes interested in the received call by means of Preprocess and Enrichment Module (22),
• transmitting the final formed data in the Enriched Data Module (23) to the Profiling Module (24) and profiling and indexing (1004) the call, the user, the group, the region, the data, the customers and groups by means of mentioned Profiling Module (24) according to the criteria, (The operations in this module are significant for high-speed operation of the Rule and Decision Engine (25). At the same time, they are also used for the visualization of the data. The outputs of the Profiling Module (24) are used in the Rule and Decision Module (25) and Analytic Module (26).)
• defining the rules of the call and call packages of by means of the Rule and Decision Engine (25) for determining OTT Bypass by using parameters that are defined in mentioned Rule and Decision Engine (25) and defining a risk score for each mentioned rule, transmitting (1005) the obtained outputs directly to the Alarm and Notification Module (27) according to the level of the risk score and user definition, at the same time transmitting mentioned outputs to the Analytic Module (26) independent from the risk score,
• detecting the anomalies that could not be determined by means of mentioned Rule and Decision Engine (25) in the Analytic Module (26), by means of using machine learning algorithms and transmitting (1006) the suspected cases obtained by means of the Analytic Module (26) to mentioned Alarm and Notification Module (27),
• creating and transmitting alarm and notification data of all suspected cases received by the Alarm and Notification Module (27), if a Firewall (30) is used, providing prevention (1007) on the Firewall (30) in order to prevent the suspected cases.

Claims

1. A system for use in the telecommunication sector that prevents fraud activities carried out by using a method named as OTT (Over The Top) Bypass which causes loss of income to telecom operators and customer dissatisfaction, by means of determining abnormal OTT call via analyzing network data structures of subscribers that receive data services, characterized in that it comprises the following;
> A Deep Package Analysis Application (10) that provides type information in the matter of source and destination IPs, port numbers and payloads by analyzing packets and enables to transmit the packages of the applications used for OTT bypass,
> a Fraud Detection Unit (20) that processes the data received from mentioned Deep Package Analysis Application (10), which enables to detect anomalies and fraud, comprises the following;
• a Data Collection and Distribution Manager (21 ) that enables to collect and distribute the packages that belong to the network data received through mentioned Deep Package Analysis Application (10),
• Preprocess and Enrichment Module (22) which enables to preprocess data distributed to itself by means of mentioned Data Collection and Distribution Manager (21 ) and enables the enrichment of the received data with reference to the data received from the IP address, country, city or operator,
• Enriched Data Module (23) wherein the data that is preprocessed and enriched by means of mentioned Preprocess and Enrichment Module (22) are stored,
• Profiling Module (24) which enables profiling and indexing the call, the user, the group, the region, the data, the customers and the groups,
• Rule and Decision Engine (25) that enables the constitution of analytical rules according to traffic, content and structural criteria and enables to take risks and decisions according to mentioned rules,
• Analytic Module (26) that enables behavior analysis, anomaly determination and determination of fraud by means of machine learning algorithms,
• Alarm and Notification Module (27) that produces an appropriate alarm and notification data appropriate to the data in terms of the availability of the fraud determination received from mentioned Rule and Decision Engine (25) and Analytic Module (26),
> Firewall (30) that enables to enter the relevant rules in order to prevent suspected data from mentioned Alarm and Notification Module (27) and to call abandonment.
2. A method for use in the telecommunication sector which prevents fraud activities carried out by using a method named as OTT (Over The Top) Bypass that causes loss of income to telecom operators and customer dissatisfaction, by means of determining abnormal OTT call via analyzing the network data structures of subscribers that receive data service which comprises;
> a Deep Package Analysis Application (10) that provides type information in the matter of source and destination IPs, port numbers and payload by analyzing packets and enables to transmit the packages of the applications used for OTT bypass
> a Fraud Detection Unit (20) that processes the data received from mentioned Deep Package Analysis Application (10), which enables to detect anomalies and fraud, comprises the following;
• a Data Collection and Distribution Manager (21 ) that enables to collect and distribute the packages that belong to the network data received through mentioned Deep Package Analysis Application (10),
• Preprocess and Enrichment Module (22) which enables to preprocess data distributed to itself by means of mentioned Data Collection and Distribution Manager (21 ) and enables the enrichment of the received data with reference to the data received from the IP address, country, city or operator, • Enriched Data Module (23) wherein the data that is preprocessed and enriched by means of mentioned Preprocess and Enrichment Module (22) are stored,
• Profiling Module (24) which enables profiling and indexing the call, the user, the group, the region, the data, the customers and the groups,
• Rule and Decision Engine (25) that enables the constitution of analytical rules according to traffic, content and structural criteria and enables to take risks and decisions according to mentioned rules,
• Analytic Module (26) that enables behavior analysis, anomaly determination and determination of fraud by means of machine learning algorithms,
• Alarm and Notification Module (27) that produces an appropriate alarm and notification data appropriate to the data in terms of the availability of the fraud determination received from mentioned Rule and Decision Engine (25) and Analytic Module (26),
> Firewall (30) that enables to enter the relevant rules in order to prevent suspected data from mentioned Alarm and Notification Module (27) and to call abandonment. characterized in that the method comprises the following procedure steps;
• the Deep Package Analysis Application (10) collects the network data determined by tapping to the ports used by the applications for OTT Bypass of the subscribers that receive data service by using the infrastructure of the bypassed operators and transmits (1001 ) to the Fraud Detection Unit (20),
• collecting the suspected network data received from the Deep Package Analysis Application (10) transiently by means of the Data Collection and Distribution Manager (21 ) within the Fraud Detection Unit (20), converting it to a common format for the call record and after the call record is created transmitting (1002) these to the Preprocess and Enrichment Module (22),
• transmitting (1003) the data to the Enriched Data Module (23) by determining -the country, city or operator of the data from the IP address information- in order to perform normalization and enrichment processes interested in the received call by means of Preprocess and Enrichment Module (22),
• transmitting the final formed data in the Enriched Data Module (23) to the Profiling Module (24) and profiling and indexing (1004) the call, the user, the group, the region, the data, the customers and groups by means of mentioned Profiling Module (24) according to the criteria,
• defining the rules of the call and call packages of by means of the Rule and Decision Engine (25) for determining OTT Bypass by using parameters that are defined in mentioned Rule and Decision Engine (25) and defining a risk score for each mentioned rule, transmitting (1005) the obtained outputs directly to the Alarm and Notification
Module (27) according to the level of the risk score and user definition, at the same time transmitting mentioned outputs to the Analytic Module (26) independent from the risk score,
• detecting the anomalies that could not be determined by means of mentioned Rule and Decision Engine (25) in the Analytic Module (26), by means of using machine learning algorithms and transmitting (1006) the suspected cases obtained by means of mentioned Analytic Module (26) to the Alarm and Notification Module (27),
• creating and transmitting alarm and notification data of all suspected cases received by the Alarm and Notification Module (27), if a Firewall (30) is used, providing prevention (1007) on the Firewall (30) in order to prevent the suspected cases.
PCT/TR2018/050770 2017-12-27 2018-12-06 A system and a method that detect ott bypass fraud using network-data analysis WO2019226129A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
TR201722247 2017-12-27
TR2017/22247 2017-12-27

Publications (2)

Publication Number Publication Date
WO2019226129A2 true WO2019226129A2 (en) 2019-11-28
WO2019226129A3 WO2019226129A3 (en) 2020-01-02

Family

ID=68615796

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/TR2018/050770 WO2019226129A2 (en) 2017-12-27 2018-12-06 A system and a method that detect ott bypass fraud using network-data analysis

Country Status (1)

Country Link
WO (1) WO2019226129A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022173409A1 (en) * 2021-02-15 2022-08-18 Turkcell Teknoloji Arastirma Ve Gelistirme Anonim Sirketi A method and system for preventing ott bypass fraud
WO2022173408A3 (en) * 2021-02-15 2022-09-09 Turkcell Teknoloji Arastirma Ve Gelistirme Anonim Sirketi A method and system for preventing network originated fraud

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
PL2509294T3 (en) * 2011-04-08 2013-09-30 Meucci Solutions Nv A telecommunication network bypass detection system with reduced counter detection risk
EP3226528A1 (en) * 2016-03-31 2017-10-04 Sigos NV Method and system for detection of interconnect bypass using test calls to real subscribers

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022173409A1 (en) * 2021-02-15 2022-08-18 Turkcell Teknoloji Arastirma Ve Gelistirme Anonim Sirketi A method and system for preventing ott bypass fraud
WO2022173408A3 (en) * 2021-02-15 2022-09-09 Turkcell Teknoloji Arastirma Ve Gelistirme Anonim Sirketi A method and system for preventing network originated fraud

Also Published As

Publication number Publication date
WO2019226129A3 (en) 2020-01-02

Similar Documents

Publication Publication Date Title
US20090069047A1 (en) Methods, systems, and computer program products for detecting wireless bypass in a communications network
EP3577886B1 (en) Detection and prevention of unwanted calls in a telecommunications system
KR101218253B1 (en) Fraud security detection system and method
US8095109B2 (en) Charging of GPRS traffic for roaming mobiles by performing traffic counting at the user terminal
US10582043B1 (en) Method of identifying instances of international call interconnect bypass telecommunications fraud
US9191351B2 (en) Real-time fraudulent traffic security for telecommunication systems
US11395147B2 (en) System and method for real time fraud analysis of communications data
US7453997B2 (en) Wireless internet services billing
Sahin et al. Over-the-top bypass: Study of a recent telephony fraud
WO2019226129A2 (en) A system and a method that detect ott bypass fraud using network-data analysis
US10917442B2 (en) System and method for secure billing for IMS-based VoIP networks
Kouam et al. SIMBox bypass frauds in cellular networks: Strategies, evolution, detection, and future directions
WO2012136285A1 (en) A bypass detection system with number masking
Sahin et al. Understanding and Detecting International Revenue Share Fraud.
US20070127647A1 (en) Methods, systems, and computer program products for collecting messages associated with providing prepaid communications services in a communications network
WO2019190438A2 (en) Ott bypass fraud detection by using call detail record and voice quality analytics
Airn Analysis and detection of SIM box
Khan et al. Automatic Monitoring & Detection System (AMDS) for Grey Traffic
US8107459B1 (en) Method and apparatus for executing a call blocking function
KR101630838B1 (en) Method of detecting toll bypass fraud
Kehelwala et al. Real-time grey call detection system using complex event processing
Sahin et al. IRSF: a Billion $ Fraud Abusing International Premium Rate Numbers
KR20160086547A (en) APPARATUS OF DETECTING Toll Bypass Fraud
WO2012057601A1 (en) Voice over internet protocol monitoring system and method
Adnan et al. Illegal VoIP: How to Detect and Counter

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18920008

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18920008

Country of ref document: EP

Kind code of ref document: A2