Connect public, paid and private patent data with Google Patents Public Datasets

Real-time fraud monitoring system

Info

Publication number
CA2114155C
CA2114155C CA 2114155 CA2114155A CA2114155C CA 2114155 C CA2114155 C CA 2114155C CA 2114155 CA2114155 CA 2114155 CA 2114155 A CA2114155 A CA 2114155A CA 2114155 C CA2114155 C CA 2114155C
Authority
CA
Grant status
Grant
Patent type
Prior art keywords
call
network
usage
code
record
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
CA 2114155
Other languages
French (fr)
Other versions
CA2114155A1 (en )
Inventor
Wayne E. Relyea
Suzanne E. Ronca
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
AT&T Corp
Original Assignee
AT&T Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Grant date

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M15/00Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • H04M15/47Fraud detection or prevention means
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M15/00Arrangements for metering, time-control or time indication ; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M3/00Automatic or semi-automatic exchanges
    • H04M3/22Supervisory, monitoring, management, i.e. operation, administration, maintenance or testing arrangements
    • H04M3/36Statistical metering, e.g. recording occasions when traffic exceeds capacity of trunks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M3/00Automatic or semi-automatic exchanges
    • H04M3/38Graded-service arrangements, i.e. some subscribers prevented from establishing certain connections
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M3/00Automatic or semi-automatic exchanges
    • H04M3/42Systems providing special services or facilities to subscribers
    • H04M3/4228Systems providing special services or facilities to subscribers in networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q3/00Selecting arrangements
    • H04Q3/0016Arrangements providing connection between exchanges
    • H04Q3/0029Provisions for intelligent networking
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q3/00Selecting arrangements
    • H04Q3/58Arrangements providing connection between main exchange and sub-exchange or satellite
    • H04Q3/62Arrangements providing connection between main exchange and sub-exchange or satellite for connecting to private branch exchanges
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M2203/00Aspects of automatic or semi-automatic exchanges
    • H04M2203/60Aspects of automatic or semi-automatic exchanges related to security aspects in telephonic communication systems
    • H04M2203/6027Fraud preventions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M2215/00Metering arrangements; Time controlling arrangements; Time indicating arrangements
    • H04M2215/01Details of billing arrangements
    • H04M2215/0148Fraud detection or prevention means
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q2213/00Indexing scheme relating to selecting arrangements in general and for multiplex systems
    • H04Q2213/13092Scanning of subscriber lines, monitoring
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q2213/00Indexing scheme relating to selecting arrangements in general and for multiplex systems
    • H04Q2213/13093Personal computer, PC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q2213/00Indexing scheme relating to selecting arrangements in general and for multiplex systems
    • H04Q2213/13095PIN / Access code, authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q2213/00Indexing scheme relating to selecting arrangements in general and for multiplex systems
    • H04Q2213/13097Numbering, addressing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q2213/00Indexing scheme relating to selecting arrangements in general and for multiplex systems
    • H04Q2213/13103Memory
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q2213/00Indexing scheme relating to selecting arrangements in general and for multiplex systems
    • H04Q2213/1313Metering, billing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q2213/00Indexing scheme relating to selecting arrangements in general and for multiplex systems
    • H04Q2213/13139Fraud detection/prevention
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q2213/00Indexing scheme relating to selecting arrangements in general and for multiplex systems
    • H04Q2213/13179Fax, still picture
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q2213/00Indexing scheme relating to selecting arrangements in general and for multiplex systems
    • H04Q2213/13204Protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q2213/00Indexing scheme relating to selecting arrangements in general and for multiplex systems
    • H04Q2213/13216Code signals, frame structure
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q2213/00Indexing scheme relating to selecting arrangements in general and for multiplex systems
    • H04Q2213/1322PBX
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q2213/00Indexing scheme relating to selecting arrangements in general and for multiplex systems
    • H04Q2213/13284Call tracing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q2213/00Indexing scheme relating to selecting arrangements in general and for multiplex systems
    • H04Q2213/13383Hierarchy of switches, main and subexchange, e.g. satellite exchange
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q2213/00Indexing scheme relating to selecting arrangements in general and for multiplex systems
    • H04Q2213/13512800 - freefone
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q2213/00Indexing scheme relating to selecting arrangements in general and for multiplex systems
    • H04Q2213/13515Indexing scheme relating to selecting arrangements in general and for multiplex systems authentication, authorisation - fraud prevention
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04QSELECTING
    • H04Q2213/00Indexing scheme relating to selecting arrangements in general and for multiplex systems
    • H04Q2213/13545Indexing scheme relating to selecting arrangements in general and for multiplex systems monitoring of signaling messages, intelligent network

Abstract

Increased network security is provided by monitoring in real time one or more characteristics or attributes of telephone calls that are placed through the network and notifying the network customer, in real time, when the attributes are indicative of abnormal or fraudulent network usage. The subscriber, once notified of the abnormal usage, is in a position to take steps to minimize unauthorized network usage. For example, the subscriber can selectively block network usage, deny access to the network on a call-by-call basis, or trace the call to catch the unauthorized user while the call is still in progress.

Description

2~1415~

REAL-TIME FRAUD MONITORING SYSTEM

Technical Field This ~ ' relates to systems for ~ usage on a teleconh ' -network and, more pardcularly, to systems for monitoring network usage in real dme.

S ''~ "~.Jundof the Invendon There are cmrently many situations in which telecommunications ~c~ . ~c are usedby indi~ls without authorization. This unauthorized use places a large financial burden on the endq which owns the network or pays for use of the network. Certain telecommu - - - - o h. ' , such as those n~ ~. J~k.~t which allow access to network fi~ s 10 through the use of an authorizadon code or toll-free ~ one number ("800 number"), are pardcularly suscepdble to such unauthorized use. A Software Defined N ~.J.k (SDN) is one examp!e of such a t~c~o----wnicadons netvork. A SDN is a network in which sharedtransmission and i,.. ' ~ lE facilides are configured under son~ control through the use of a database to provide a network customer (hereafter referred to as "the ' ' sr") with the IS capabilities of a private network. SDNs having a "remote access" capability allow access to the software-defined private network facilides from off ~ .J.I~ ~an;c - This feature is usefuL for exa nple, for allowing a busin~ r - - t~A~ " g outside c~ ~F ~y p~ es to gain access to the company's private network. Though useful and convenient, this remote access capability may present a security ris',c to the ne~vork customer (hereafter refer ed to as "the 20 subssriber") who is responsible for paying for network usage. In pardcular, the same authonzadon code that gives the businessperson access to the network can be used by unauth~ized users to gain access to the network.
Cu~rent methods for detecdng and prevendng unauthorized use of a con ' '~
network have not adoquately addressed the ~ For example, systems which detect fraud 2S based on data obtained at the end of the billing cycle do not provide i Jfr- - Iy timely information. By the dme the in~ ~ - bcco--~s a. ' b!c to the owner of the private network, large amounts of fraudulent usage could already have o.,c~-~d. Other methods for daling with the problem of unauthoriLed use involve automadcally denying or ~ ring access to the network when abnonna1 use is i~ A Systems which use this technique may 30 annoy vAlid users of the network whose authorized calls are blosked inadvertently. Also, ystems which automadcally deny acsess encourage ..&L.~" seeking access to the network ~ ~ t ~ ' - -r; ~ }

2 2 1 ~
o try other authorizadon codes or points of entry to the network. Such systems do not provide a means for catching unauthorized users.

Summarv of the Invention Inawed networlc security is p.u.id~d in accordance with the invendon by i g S in real dme one or more chalacterisdcs or attdbutes of telephone calls that are placed through the network and nodfying the subscriber, in real dme, when the attdbutes are indicadve of r~ r-~~ fraudulentnetworlcusage. The ~ ,oncenodfiedofthe~ mlusage, is in a posidon to take steps to minimize unauthorized networlc usage. For example, the ~ I ~iter can selc~el~ block network usage, deny access to the network on a call-by-call 10 basis, ~ trace the call to catch the unauthorized user while the call is sdll in progress.
In an e%emplary embodiment of the invendon, thresholds indicadve of a~ r -' network usage are established by: t rihe-5 Calls placed in the network chargeable to a subscriber are m~nitored on an ongoing basis. In particular, selected attributes of a call in-progress are obtained or dGdved from data ~ v.;~xl in real dme from the billing record for 15 the call. The attdbutes of the call are ~,.~sscd to determine whether those attributes exceed one or more of the established thresholds set by the s~Jbs- ~ il~. . If a threshold is e ccr~-~
the ~ er is immediately nodfied so that the: b~ ikr can authorize and direct ~ ~ -prevendve action with respect to the call or othenvise modify access to the s~bs--i~,. s network Alt~ ly, some pre-authorized acdon, such as blccLing b~ . calls, can 20 be talcen automadcally and without ~: ~ e the br~ ' when a threshold is e-c~

Brief Desc'r~ - of the Drawinoc In the drawings~
FIG. 1 is a simplified blocl~ diagram of an illustradve e---bc~ nt of a comm - ~netwadc which includes a networlc usage monitoring system coa~ .t~d in accordance with 25 the principles of the invendon;
FIG. 2 is a bloclt diagram of the format of a typical record stored in the fraudmonitoring ~ ss~ of FIG. l; and FIGs. 3 and 4 are flow charts of an exemplary process for determining in real dme whether the atlributes of a call indicate abnormal network usage.

Detailed r~e--'Pq :;
Referring now to the J~,g~, FIG. 1 shows a cr 1~ network 10 which illustradvely is an SDN configured for a ~,bs(-i~,. C~mm~lnications network 10 includes ' ' 3 2 1 ~
' hree ~' ~e~c - custoiner p.~ s which belong to the ' ~brr, namely, subscriber locations 12, 14, and 16. Sl~b ' ~c - Y 12, 14, and 16 are interc- ~stP~ through an int~ gc (IXC) netwo~ic 18. IXC netwodc 18 includes IXC ~ s 20, 22, and 24, a ~ - ~ 25 f~ implementing the SDN, a processing rneans 26 for collecting billing (referred 5 to ~ as "billing data CQ~ 26"), and a processing means 28 for analyz~ng aspects of the billing data to detect z ' ~cr--~ ~' netwarlc usage (h( _d~. referrcd to as "fraud - - ~1 g p~.~s~r 28").
The principles of the ~ ~ - - will be illustrated by d~ibing the process by which the attributes of a i l~p~ - - call, placed by a calling party at b~ r-her locadon 12 to a called 10 party at subscriber locadon 14, are monitoled to detect abnonnal usage of network 10. In this exampb, a call placed from a telephone stadon 30 at subscriber locadon 12 is e-b-~d through a private branch exchange (PBX) 32 and routed through IXC switches 20 and 22 of IXC network 18 to subscriber locadon 14. At ~S~ibçr location 14, the call passes via a PBX 34 to the called party at i l ~h~ ~ stadon 36. Remote access to network 10 is plo.idcd lS to callers outside of the nctwork, for exarnple, at a l~:h~' ~ne stadon 37, via PBX 32. - ;-Billing data C~ ~tl~r 26 collects from IXC switch 20 data that will be used for purpose of billing the call placed from t~'e~ e stadon 30. Billing data cQIlect~r 26 receives the data from IXC switch 20 and generates a call detail record which contains all or some pordon of the data ~ce;~ from IXC switch 20. A ~' ~e - call detail record is 8 ~ for each and -20 every billed call. Billing data coll~b,, 26 g a~cs the call detail record in real dme. As used herein, a record is said to be generated in "real dme" if the record is generated either soon after the call has terminated or whilc the call is in-progress. (A call is said to be "terminated" when the c; ~ between the calling and called pardes is broken.) Billing data co~ 26 can be any suitable or convenient ~ e~ g means which collects 2S informadon about a call in real dme. One suitable embodiment of billing data coll~r~or 26 is d~,-;~d in commody-owned, copending U.S. patent a~ r Serial No.
f~ed February 23, 1993, entitbd "Telecommunicadon I'~IT_~.J~I~ Arrangement For Providing Real rlme Access To Call Records," which is hereby incorporated by ,ef~
In ~nce with the ~ fraud monitoring l, ~c,sso~ 28 is p.~.idcd to receive 30 call detail roc~ds, in ceal time, from billing data colL~r~r 26. Fraud ~ _ In~essor can be embodied as a resident application on billing data cQll~r~or 26 or, in the al~.,...at;~
as a separate l>.u~o downstream from billing data cQllect~r 26 (or several billing data CQIl~ Fraud monitoring ~ c 28 uses the call attributes that are stored in a call detail ~ecord as ~ below to derive various indices (e.g., average call duradon for calls 3S made using a selected authorizadon code). Fraud monitoring p.~CSS~l then compares thé call attributes and/orderived indices with ~ thresholds which the: bs iher (perhaps with 4 2~141~;~
he assistance of the t~!~r~ ~ne service p,o.i~.) has previously selected orestablished as being indicative of abno mal network usage. The thresholds are established by the ~.~I,s~ in view of the sl ~ ~ikr's panicular needs or p,~f~ -~ nces When the att~ibutes of a caU being analyzed indicate that the caU , s~ ts an S abnormd use ~ potentially unauthorized use of the networlc (f~ example, an attribute exce,eds a ~ r~d threshold), fraud monitoring processor 28 communicates with: bs ih~r ~ ~ ~e s 16 to alert the - ~s ~ ibCr of the abnormal use. Fraud monitoring I ,- 28id~ ~;rirs to the subscriber premises that the caU is abnormd by communicating direcdy with a bs: iher worlcstation 38. ~Iternatively, fraud monitoring ~ u~,~S3~ 28 ~ ~ through IXC
networlc 18 via interexchange switches 20 and 24, and through a PBX 40 at - bs~
premises 16. PBX 40 then communicates with customer premise equipment, such as a fax machine 42 ~ a printer 44, to give the subscriber nodce in rea1 dme of the a~ r---~ use.
Alternadvely, the ~ - rih~r could be nodfied of abnorrnal use by a tel~ call. The ~k ~ can ~l~ti~ block network usage, deny access to the network on a call-by-call lS basis, trace the caU to catch the unauthorized user while the call is sdll in progress, or take other ar, ~op ~ acdon, such as by nodfying the ~ r - service ~ u.id~. or modifying the SDN database.
In another preferred e_-bs'- ~. the l_~r~ ~~ service l,.u.;der, such as the interexchange carrier, automadcally takes some pre-authori sd action in ~--r~~~ to a threshold being e~rcç~d For example, the s ~ may pre: -' i7P the l I ph~
~e~vice provider to interrupt calls in-prûgress when it is determined (in real dme) that a threshold indicadve of abnormal network usage has been e~ ed~1 Such pre-a ti-ori7~d acdon can be talcen autornadcally, without nodfying or ec ~ m~raneously with notifying the subscriber that a threshold has been e~ce<~kd 2S Once a caU detail record for a call has been ~,.u,e;,~d and it is determined that none of the predetermined thresholds have been e-e~d~, fraud monitoring p u~sso~ 28 will preferably discard its copy of the caU detail record. Discarding reco~ds in this manner minimi_es the storage capacity required within fraud monitoring p ~essûr 28. While the aetual da~ eontained in the record are not necessarily retained, sebcted indices that are affeeted by ~ ealeulated from the data arc maintained. For example, informadon such as the average eaU duradon. the number of calls placed under each authc - ~r code, or other such information is maintained as a "running total."
As mendoned abo~ve, a call detail record is e - ~ either during a call or after the call has terminated. A call detail record that is g ~r -~ after the caU is terminated typically 3S eontains more informadon than a record that is generated while a call is in progress. For exampb, in the former case, the call detail record may include informadon specifying the total 5 211415~
~uration of the call, while in the lat~ case, such information is unavailable. Nevertheless, records formed while a call is in-progress can be analyzed and the information utilized while the caUer is stiU on the line. Such information can be advantageously used, for example, in fraud ~t--- and tracing.
FIG. 2 shows the structure of an exemplary call detail record S0 received by fraud monitonng ~ ~ 28. Call detail record S0 includes one or more key data fields S2 (the contents of which are shown in the drawing as "Record i"), which I c, ~!~ identify the record. Attribute data in each record are designated 54-1 through S4-N, where N indicates the number of different attributes or cha~ 5 of the call which the record ~< 5~ dk 5 In the context of long distance calling, these attributes may include the calling number (54-1), the time of access (54-2), the terrninating (called) number (54-3), the call duradon (54-4), an indication of whether the call was c~ t or incomplete (54-5), the authorization code or 800 number used to gain acc-ss to the network (54-6), the type of ~ g --- lg station (e.g., a pay phone, ordinary ~ e, etc.) (54-7), or other ~ - b~. (54-N) which idendfy the call lS and may be useful in determining whether the call l.r-- an a' .~1 use of the communication network for the subscriber.
The networlc usage monitoring c~. N ~ s of the in~enlion are a~ '~le to several different types of communicadons ~ ~. J~I~S. For example, all calls made from a ~ub ' 's p.~ s can be monitored to detect abnormal usage. Alternadvely, tnonitoring can be limited to situations in which access to r~.~h;~ ,d network f~ es is granted, for example, on the basis of an authorizadon code l,.u.;d~d by the calling party, the calling party's i ':ph~
number, or by dialing an 800 number.
FlGs. 3 and 4 show flow charts of an exemplary method for monitoring network usage in real dme to detect P~ ~- ~~ ~' usage. The process begins on FIG. 3 at step 100, where a real 2S dme call detail record, such as the call detail record of FIG. 2, is received by fraud ;ng .ccs3~r 28. Fraud monitoring p.~c< ~cor 28 first t~ s the call type from the attributes in the call detail record (step 102). For example, the call detail record indicates whether the call is an SDN cellular call, an SDN or remote network access call (e.g., from an off n( ~. J~l!.
location swh as b~:kp' - ~ stadon 37 of FIG. 1) requiring an aulh.,.;~io~ code, or a remote network access call through an 800 number access.
Once the call type is identified, fraud monitodng &.u~e~ 28 detern~ines from the call detail record the calling number, authorizadon code, or originadng 800 number ~ appropriate f~ the call type (step 104). For the purpose of this ill r~ - ~ and the l~-n~ er of FIGs.

3 and 4, it will be assumed that the call was placed using an aulh~ ~ P~q code, and that fraud 3S monitoring processor 28 has obtained that authorizadon code from the call detail record.
Fraud monitoring processor 28 then determines from the call detail record the terminadng 6 2 1 1 ~
~, ' number (or terminating NPA/country code) of thc call (step 106).
At this point in the process, fraud ~ O~;-lg p vcessol 28 begins to analyze the call attributes. For cxampb, the ~ Ol d~te- - - - s. in step 108, whether thc call is a c~ . ' call, that is, whether the call has been answered If the call has been complcted, fraud monitonng ~ ~ 28 ~ . ts a counter which maintains a count of ,~: d calls for the particular authorization code under which the call was placed (step 110). If the call is incomplete, that is, the call is l n._ x' by the called party, f~ e ~ C~SSol 28 increments a counter which maintains a count of ~ - - l~lc ~ calls for the auth ~ - - code under which the call was placed (step 112). Fraud monitonng ~ 28 also derives for the authorization code the percentage of incomplete calls (stcp 118). The incomplete call percentage is calculated using information held by counters and obtained in steps 110 and 112.
Assuming the call detail record was generated after termination of a call, the call detail r?~ will include the call duradon (also referred to herein as the "holding dme"). In this case, fraud monitoring ~ ,cessol 28 will ~ ~ a counter which maintains a record of the total call duradon, i.e., the total usage, for the au~ code under which the call was inidated (step 114). Fraud monitoring l,.~ss~ 28 also will derive the average holding time for calls placed using the authorization code (step 116).
Referring now to FIG. 4, fraud monitoring l, ~es~. 28 then ~ s, from infonnation contained in thc call detail record, the ~ _ ~ e NPA or country code of the call (step 120). The ~ esY,- deterrnincs whetha this is the first appearance of this NPA or country code for this authorization code (step 122). If it is the first appearance, the ~).~ess~r increments a counter (step 124) that tracks the number of ~ '~c~e ~ NPAs and country codes from which calls have been made using the authorization code. If instead it is the second or later appearance of an NPA/country code, processing continues to step 126.
2S Having obtained or derived the various stadsdcal values for a caJI, fraud ~ ring processor 28 compares the stadsdcal values with thresholds ~ -?~ sly established by the ?i bscr~?t~ f~theauthorizadoncode(step126). AblC~--'netwo*usageis~~ if any of the stadsdcal values e~coed one or more of the p~ thresholds. As shown in step 128, for e~mp1e, if the total number of calls, total number of minutes of call duration, the number of incomplete calls, or the number of ~;ff~.~,-'l NPAs/country codes exceed the prodetermined thresholds established by the L ~~ for that auth~ ~ --- code, the subscriber is nodfied of the ?~ ~amq1 network usage (step 130). Similarly, as shown in step 132, fraud monitoring p ~ 28 can determine whether the average holding dme is above or bebw the bounds of the threshold for average holding dme for the pardcular au~
3S code. If so, the subscriber is nodfied (step 134).
It is to be un~.~l~od that although various indices and calculadons have been 7 2II~Ir~5 L~.i~d above as being calculated for a given authodzadon code, the indices couldalternatively be calculated based on the calling number (e.g., calculate average holding time f~ calls placed from a particular calling number), the 800 number used to gain access to the n~ ~.J~ or the subscdber's calls as a whole. Similarly, the thtesholds set by the: kcrikr S to indicate abnormal network usage can be s,~if;cd individually for each autho~izadon code, calling number, ~ 800 number used to access the networL or can be "~;f~d by the ' s ~- in a mcre universal manner. It also is vithin the ssope of the invention to derive and, ~ separate indices and thresholds f~ calls placed to selected h ~ ' _ Ir - lS
As used herein, Nterminating locations" ~ ' ' s, for example, ~ ~ ;ng '-rs 10 ter g NPAs and terminating country codes.
Of course, one skilled in the art will al r ~ ~I that criteria other than those d< ~ - ik~
in FlGs. 3 and 4 could be used to detetmine whether there is abnotmal net~vork usage without depardng from the scope or spirit of the ~ ._ - For . ' . fraud monitonng ~, .ce;.~
28 could be corllfigured to nodfy the b ~-~r in real dme ~ ~ a call is placed to a 15 country code that is on a list of prohibited country codes.
In accordance with another feature of the Invendon, eash of the stadsdcal values and counted values A~ 5~ .ikd above can be cbared or reset after a y~,A~ uined period of time as selected by the subscriber. This enables the s '~ sc~ to monitor the network usage for a patticular calling number or access code on any ~ 1-_ - - basis. For ~ 'e. the calls 20 made under a selected access code can be monitored on a daily basis if a 2~hour period would provide useful il r ~ -_ tO the bs~ ly, the calls made under that access code could be monitored on a weekly or monthly basis.
It will be understood that the foregoing is merely illustradve of the principles of the invendon, and that various modificadons can be made by those skilled in the art without 2S depardng from the ssope and spi it of the invention.

Claims (9)

1. A method for monitoring usage of a communications network to detect abnormal usage thereof, the method comprising the steps of:
receiving in real time a plurality of predetermined attributes of a telephone call;
processing the plurality of attributes to identify abnormal usage; and notifying a subscriber in real time of the occurrence of the abnormal usage.
2. The invention as described in claim 1 wherein the plurality of predetermined attributes are received while the call is in-progress.
3. The invention as described in claim 1 wherein the processing step comprises:
comparing selected ones of the plurality of attributes with corresponding predetermined thresholds, the predetermined thresholds being indicative of abnormal network usage; and returning an indication that the call represents an abnormal use of the network if any of the selected ones of the plurality of attributes exceeds its corresponding predetermined threshold.
4. The invention as described in claim 3 wherein the plurality of predetermined thresholds are indicative of abnormal usage for calls originating from a predetermined originating telephone number.
5. The invention as described in claim 3 wherein the plurality of predetermined thresholds are indicative of abnormal usage for calls placed using a predetermined authorization code.
6. The invention as described in claim 3 wherein the plurality of predetermined thresholds are indicative of abnormal usage for calls placed using a predetermined 800 number.
7. The invention as described in claim 3 wherein the plurality of predetermined thresholds are indicative of abnormal usage for calls placed to a predetermined termination location.
8. The invention as described in claim 1 wherein the processing step comprises:
processing at least one of the attributes to derive at least one additional value indicative of a pattern of network usage;
comparing the additional value with a predetermined threshold, the predeterminedthreshold being indicative of abnormal network usage; and returning an indication that the call represents an abnormal use of the network if the additional value exceeds the predetermined threshold.
9. The invention as described in claim 1 further comprising the step of modifying, in real time, access to the network in response to feedback from the subscriber.10. The invention as described in claim 9 wherein the modifying step comprises automatically blocking a subsequent telephone call having predetermined attributes specified by the subscriber.
CA 2114155 1993-03-31 1994-01-25 Real-time fraud monitoring system Expired - Lifetime CA2114155C (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US4078593 true 1993-03-31 1993-03-31
US040,785 1993-03-31

Publications (2)

Publication Number Publication Date
CA2114155A1 true CA2114155A1 (en) 1994-10-01
CA2114155C true CA2114155C (en) 1998-01-27

Family

ID=21912936

Family Applications (1)

Application Number Title Priority Date Filing Date
CA 2114155 Expired - Lifetime CA2114155C (en) 1993-03-31 1994-01-25 Real-time fraud monitoring system

Country Status (5)

Country Link
US (1) US5706338A (en)
JP (1) JP3723235B2 (en)
CA (1) CA2114155C (en)
DE (2) DE69427317T2 (en)
EP (1) EP0618713B1 (en)

Families Citing this family (65)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5420910B1 (en) * 1993-06-29 1998-02-17 Airtouch Communications Inc Method and apparatus for fraud control in cellular telephone systems utilizing rf signature comparison
JPH11502982A (en) * 1995-03-30 1999-03-09 ブリティッシュ・テレコミュニケーションズ・パブリック・リミテッド・カンパニー Detection of unauthorized use of communication services
US6643362B2 (en) * 1998-11-19 2003-11-04 Global Crossing, Ltd. Call-processing system and method
US7369650B1 (en) 1995-05-16 2008-05-06 At&T Corp. Service and information management system for a telecommunications network
US6430286B1 (en) * 1997-04-22 2002-08-06 At&T Corp Service and information management system for a telecommunications network
DE19521484A1 (en) 1995-06-13 1996-12-19 Deutsche Telekom Ag Method and apparatus for authentication of subscribers over digital exchanges
DE19521485A1 (en) 1995-06-13 1996-12-19 Deutsche Telekom Ag Method and apparatus for transmitting confidential connection setup and service information between subscriber side terminal equipment and one or more digital exchanges
US5875236A (en) * 1995-11-21 1999-02-23 At&T Corp Call handling method for credit and fraud management
US5805686A (en) * 1995-12-22 1998-09-08 Mci Corporation Telephone fraud detection system
US5815807A (en) * 1996-01-31 1998-09-29 Motorola, Inc. Disposable wireless communication device adapted to prevent fraud
NL1002269C2 (en) * 1996-02-07 1997-08-08 Nederland Ptt Telecommunication system, fraud signaling device and method.
NL1002543C2 (en) * 1996-03-06 1997-03-21 Nederland Ptt Usage Monitor for communication.
US20030206102A1 (en) * 2002-05-01 2003-11-06 Joao Raymond Anthony Control, monitoring and/or security apparatus and method
US6377672B1 (en) 1996-03-29 2002-04-23 British Telecommunications Public Limited Company Fraud monitoring in a telecommunications network
GB9606792D0 (en) * 1996-03-29 1996-06-05 British Telecomm A telecommunications network
US5903831A (en) * 1996-06-07 1999-05-11 Telefonaktiebolaget Lm Ericsson (Publ) System and method of preventing fraudulent call transfers in a radio telecommunications network
US20040185830A1 (en) * 1996-08-08 2004-09-23 Joao Raymond Anthony Apparatus and method for providing account security
GB9620082D0 (en) * 1996-09-26 1996-11-13 Eyretel Ltd Signal monitoring apparatus
FI103847B1 (en) * 1996-10-10 1999-09-30 Nokia Telecommunications Oy prevention of diversion of a call transfer service
US5937043A (en) * 1996-11-27 1999-08-10 Mciworldcom, Inc. Mechanism for a system and method for detecting fraudulent use of collect calls
US5953653A (en) * 1997-01-28 1999-09-14 Mediaone Group, Inc. Method and system for preventing mobile roaming fraud
US6327352B1 (en) * 1997-02-24 2001-12-04 Ameritech Corporation System and method for real-time fraud detection within a telecommunications system
US6393113B1 (en) * 1997-06-20 2002-05-21 Tekno Industries, Inc. Means for and methods of detecting fraud, lack of credit, and the like from the SS# 7 system network
GB9714787D0 (en) * 1997-07-14 1997-09-17 Ericsson Telefon Ab L M Telecommunications systems
GB9715497D0 (en) 1997-07-22 1997-10-01 British Telecomm A telecommunications network
US6226364B1 (en) * 1997-12-08 2001-05-01 Bellsouth Intellectual Property Management Corporation Method and system for providing prepaid and credit-limited telephone services
JP3335898B2 (en) * 1998-01-08 2002-10-21 東芝デジタルメディアエンジニアリング株式会社 Private branch exchange system and its private branch exchange equipment
US6163604A (en) * 1998-04-03 2000-12-19 Lucent Technologies Automated fraud management in transaction-based networks
US6157707A (en) * 1998-04-03 2000-12-05 Lucent Technologies Inc. Automated and selective intervention in transaction-based networks
US6763098B1 (en) * 1998-06-01 2004-07-13 Mci Communications Corporation Call blocking based on call properties
EP1149339A1 (en) * 1998-12-09 2001-10-31 Network Ice Corporation A method and apparatus for providing network and computer system security
US6226372B1 (en) 1998-12-11 2001-05-01 Securelogix Corporation Tightly integrated cooperative telecommunications firewall and scanner with distributed capabilities
US6249575B1 (en) * 1998-12-11 2001-06-19 Securelogix Corporation Telephony security system
US6687353B1 (en) 1998-12-11 2004-02-03 Securelogix Corporation System and method for bringing an in-line device on-line and assuming control of calls
US7133511B2 (en) * 1998-12-11 2006-11-07 Securelogix Corporation Telephony security system
US8150013B2 (en) * 2000-11-10 2012-04-03 Securelogix Corporation Telephony security system
US6760420B2 (en) * 2000-06-14 2004-07-06 Securelogix Corporation Telephony security system
US6735291B1 (en) * 1998-12-11 2004-05-11 Securelogix Corporation Virtual private switched telephone network
FI107983B (en) 1998-12-23 2001-10-31 Nokia Networks Oy detection and prevention of fraudulent use of a communications network
DE50012418D1 (en) * 1999-01-25 2006-05-11 Siemens Ag A method for realizing a feature control in a communications data network
US6873617B1 (en) * 1999-02-03 2005-03-29 Tekno Industries, Inc. Means for and methods of “in-progress” fraud, billing and maintenance in a SS#7 network of high speed data links
US6526389B1 (en) * 1999-04-20 2003-02-25 Amdocs Software Systems Limited Telecommunications system for generating a three-level customer behavior profile and for detecting deviation from the profile to identify fraud
US6442265B1 (en) * 1999-05-06 2002-08-27 At&T Corp Method for detecting and reducing fraudulent telephone calls
JP3584838B2 (en) * 2000-02-22 2004-11-04 日本電気株式会社 Packet monitoring system, a recording medium recording a packet monitoring method and program
FI109259B (en) * 2000-03-17 2002-06-14 Nokia Corp Tracing a malicious call
US7236954B1 (en) 2000-05-22 2007-06-26 Verizon Business Global Llc Fraud detection based on call attempt velocity on terminating number
US6947532B1 (en) 2000-05-22 2005-09-20 Mci, Inc. Fraud detection based on call attempt velocity on originating number
US6850606B2 (en) * 2001-09-25 2005-02-01 Fair Isaac Corporation Self-learning real-time prioritization of telecommunication fraud control actions
US6597775B2 (en) * 2000-09-29 2003-07-22 Fair Isaac Corporation Self-learning real-time prioritization of telecommunication fraud control actions
US8200577B2 (en) * 2001-03-20 2012-06-12 Verizon Business Global Llc Systems and methods for retrieving and modifying data records for rating and billing purposes
US20020161711A1 (en) * 2001-04-30 2002-10-31 Sartor Karalyn K. Fraud detection method
WO2003010946A1 (en) * 2001-07-23 2003-02-06 Securelogix Corporation Encapsulation, compression and encryption of pcm data
US7302250B2 (en) * 2003-01-13 2007-11-27 Lucent Technologies Inc. Method of recognizing fraudulent wireless emergency service calls
US7971237B2 (en) * 2003-05-15 2011-06-28 Verizon Business Global Llc Method and system for providing fraud detection for remote access services
US7817791B2 (en) * 2003-05-15 2010-10-19 Verizon Business Global Llc Method and apparatus for providing fraud detection using hot or cold originating attributes
US7774842B2 (en) * 2003-05-15 2010-08-10 Verizon Business Global Llc Method and system for prioritizing cases for fraud detection
US7783019B2 (en) * 2003-05-15 2010-08-24 Verizon Business Global Llc Method and apparatus for providing fraud detection using geographically differentiated connection duration thresholds
US7035387B2 (en) * 2004-02-24 2006-04-25 Tekelec Methods and systems for detecting and mitigating intrusion events in a communications network
KR100643281B1 (en) * 2004-10-09 2006-11-10 삼성전자주식회사 Apparatus, system and method for security service in home network
GB0524399D0 (en) * 2005-12-01 2006-01-04 Marconi Comm Ltd Combating fraud in telecommunication systems
US8160218B2 (en) * 2006-09-22 2012-04-17 Alcatel Lucent Event driven call generation
US9167471B2 (en) * 2009-05-07 2015-10-20 Jasper Technologies, Inc. System and method for responding to aggressive behavior associated with wireless devices
US20160366062A1 (en) * 2014-04-03 2016-12-15 Hewlett-Packard Development Company, L.P. Prioritizing at least one flow class for an application on a software defined networking controller
US20160150414A1 (en) * 2014-11-21 2016-05-26 Marchex, Inc. Identifying call characteristics to detect fraudulent call activity and take corrective action without using recording, transcription or caller id
JP6032774B1 (en) 2015-12-21 2016-11-30 Necプラットフォームズ株式会社 Telephone switching system, telephone exchange method, and a telephone exchange program, and the telephone exchange, the management terminal

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4182934A (en) * 1978-09-26 1980-01-08 Bell Telephone Laboratories, Incorporated Method and apparatus for detecting irregular telephone calls
US4811378A (en) * 1986-08-29 1989-03-07 American Telephone And Telegraph Company, At&T Bell Laboratories Toll fraud control
US4799255A (en) * 1987-01-30 1989-01-17 American Telephone And Telegraph Company - At&T Information Systems Communication facilities access control arrangement
US4761808A (en) * 1987-03-18 1988-08-02 Sheldon Howard Time code telephone security access system
US5144649A (en) * 1990-10-24 1992-09-01 Gte Mobile Communications Service Corporation Cellular radiotelephone credit card paystation method
US5223699A (en) * 1990-11-05 1993-06-29 At&T Bell Laboratories Recording and billing system
US5163086A (en) * 1990-12-31 1992-11-10 At&T Bell Laboratories Telephone network credit card calling apparatus and method of operation to determine validation and fraudulent use of credit cards in placing telephone calls
US5353335A (en) * 1992-08-03 1994-10-04 At&T Bell Laboratories Multilingual prepaid telephone system
US5357564A (en) * 1992-08-12 1994-10-18 At&T Bell Laboratories Intelligent call screening in a virtual communications network
US5345595A (en) * 1992-11-12 1994-09-06 Coral Systems, Inc. Apparatus and method for detecting fraudulent telecommunication activity

Also Published As

Publication number Publication date Type
EP0618713A3 (en) 1998-07-29 application
EP0618713B1 (en) 2001-05-30 grant
DE69427317D1 (en) 2001-07-05 grant
DE69427317T2 (en) 2001-10-31 grant
JP3723235B2 (en) 2005-12-07 grant
US5706338A (en) 1998-01-06 grant
EP0618713A2 (en) 1994-10-05 application
CA2114155A1 (en) 1994-10-01 application
JPH06350698A (en) 1994-12-22 application

Similar Documents

Publication Publication Date Title
US5416833A (en) Method and apparatus for provisioning a public switched telephone network
US6233313B1 (en) Call detail reporting for lawful surveillance
US6018737A (en) Universal personal telecommunications service for an advanced intelligent network
US6263057B1 (en) Automatic telecommunications provider selection system
US5883964A (en) Interactive telephone system for optimizing service economy
US6044264A (en) Method for activating intelligent network services in a mobile communication system, and a mobile communication system
US5907602A (en) Detecting possible fraudulent communication usage
US4899373A (en) Method and apparatus for providing personalized telephone subscriber features at remote locations
US5586175A (en) Call-processing system and method
US5974128A (en) Method and system for providing calling name identification requery
US5701301A (en) Mediation of open advanced intelligent network in SS7 protocol open access environment
US6430276B1 (en) Telecommunications system and method providing generic network access service
US5311582A (en) Integrated cocot and regulated paystation telephone system
US7167551B2 (en) Intermediary device based callee identification
US6333976B2 (en) Method and apparatus for providing prepaid telecommunications services
US7212620B1 (en) System and method for providing an anti-telemarketing feature in a telephony network
US6353663B1 (en) Method and apparatus for screening telephone calls
US6567514B2 (en) Method and system for processing telephone calls via a remote tie-line
EP1455511A1 (en) Method and apparatus means for charging a telephone call by undertaking charging fees by a not involved third party
US6324269B1 (en) Method and system for billing remote calls as if made from a primary line
US5479494A (en) Virtual calling card system
US5805680A (en) Method and apparatus for telephone call sub-billing
US5566234A (en) Method for controlling fraudulent telephone calls
US6947532B1 (en) Fraud detection based on call attempt velocity on originating number
US5504810A (en) Telecommunications fraud detection scheme

Legal Events

Date Code Title Description
EEER Examination request
MKEX Expiry

Effective date: 20140127