CN106686264A - Method and system for fraud call screening and analyzing - Google Patents

Abstract

The invention belongs to the technical field of harmful call monitoring, and particularly relates to a method and system for fraud call screening and analyzing. According to the system, historical data is analyzed with a fraud call analysis model, and all feature weight values of the model are determined; real-time data is analyzed and detected, and a detection result is compared with a set threshold value to provide the confidence degree of a fraud call. The overall system is composed of a data query and management system, a real-time detection system, a model self-learning system, a trend prediction system and a data storage system. The data query and management system provides a full-amount call list query function, a fraud call list query function, a model parameter management function, a self-learning management function and a trend prediction analyzing function; the real-time detection system analyzes and detects call list data in real time through a fraud call discovery model to discover the fraud call; the model self-learning system analyzes historical call list data and continuously optimizes model parameters through a self-learning algorithm; the trend prediction system is used for predicting the future fraud call trend and change; the data storage system provides a quick data capturing function, a data distribution function and a data query function for the overall system by adopting a distributed storage system and a big data analysis processing engine.

Description

A kind of fraudulent call screening assays and system

Technical field

The invention belongs to be harmful to phone-monitoring technical field in telecommunications, more particularly, to a kind of fraudulent call analysis side is screened Method and system.

Background technology

At present telecommunications network fraudulent call finds to rely primarily on to exemplary call pattern analysis, such as " rings a sound ", " exhale dead you ", " counterfeit number " etc., for specific call pattern comparison of classification analysis is carried out.This analytical technology can only be exhaled for specific typical case Pattern is, and the harmful KOC kind of call of current telecommunications net emerges in an endless stream, means constantly update change, it is impossible to which realization automatically analyzes knowledge Not.

The content of the invention

The characteristics of being continually changing for above-mentioned harmful calling means, cannot automatic identification in order to make up above-mentioned harmful phone Defect, the present invention proposes a kind of fraudulent call screening assays and system.

A kind of fraudulent call screening assays, including preliminary screening and postsearch screening, by first screening and secondary sieve Choosing obtains the doubtful number of fraudulent call；

The preliminary screening includes,

The Calling history of at least one analyzed number in time T is obtained from communication server；

Caller frequency parameter M1, the caller time interval parameter M2 of each analyzed number in calculating time t；Caller is conversed Duration parameters M3, by counterfeit count parameter M4, calling number feature M5；

By caller frequency weight Q1, caller time interval weight Q2；Caller duration of call weight Q3, by counterfeit number of times weight Q4, calling number feature weight Q5 and above-mentioned caller frequency parameter M1, caller time interval parameter M2；Caller duration of call parameter M3, by counterfeit count parameter M4, calling number feature M5 combine, generate primary screener analysis model M=M1Q1+ of each phone M2Q2+M3Q3+M4Q4+M5Q5；

Primary screener analysis model is compared with primary fiducial value K, when M ＞ K, marks the phone can for primary Doubtful telephone number, as M≤K, is then labeled as regular phone number；

The postsearch screening step includes,

The called history of the suspicious number in time T is obtained from communication server；

Extract called number characteristic parameter M6, the called network of personal connections characteristic parameter of the suspicious call number that primary screener goes out M7, called type feature parameter M8；

By called number feature weight Q6, called number network of personal connections analysis feature weight Q7, called type feature weight Q8 Above-mentioned called number feature weight M6, called network of personal connections feature weight M7, called type feature weight M8 are substituted into, secondary sieve is obtained Select analysis model m=M6Q6+M7Q7+M8Q8；

Secondary analysis model m is compared with secondary fiducial value k, as m ＞ k, then fraudulent call is labeled as, as m≤k When, then number is monitored for emphasis, the message registration of the number other times section is reacquired, repeat screening step above.

Further,

The computational methods of the caller frequency parameter M1 take advantage of frequency for analyzed number all caller number of times R1 in time T Parameter T1, i.e. M1=R1T1；

The caller time interval parameter M2 computational methods are that analyzed number all caller interval times in time T are total Spacing parameter T2, i.e. M2=R2T2 are taken advantage of with R2；

The caller duration of call parameter M3 computational methods are that analyzed number all caller air times in time T are total Session parameter T3, i.e. M3=R3T3 are taken advantage of with R3；

The caller by counterfeit count parameter M4 computational methods be analyzed number in time T all callers by counterfeit time Number R4 takes advantage of spacing parameter T4, i.e. M4=R4T4；

Further, the acquisition methods of the weight are：

It is assumed that the white list set W in data acquisition system E set E in blacklist set B, set E, respectively using each model pair Set B and set W are calculated, and acquisition meets ratio of the number of model M X in list, wherein X={ 1,2,3,4,5 }.Symbol The number of matched moulds type MX meets ratio WX of the number of model M X in set W, each Model Weight QX in ratio BX of set B =BX-WX.

Further, the K=∑s BX- ∑ WX.

Further, the calling number feature M5 acquisition methods include that according to number length is classified to calling number, It is assumed that number length set L is { L1, L2 ... LN }, Li ∈ L, the front Li-2 positions for taking number nm obtain nm ', by calling number nm Difference, but nm ' identical numbers are classified as hundred segment number codes, and by that analogy, front Li-3 positions identical number is classified as kilosegment number, front Li-4 positions identical number is classified as ten thousand segment number codes.

A kind of equipment using above-mentioned fraudulent call screening technique, the equipment includes：

Acquisition module, for obtaining the data of number talk times, time record from carrier server；

Storage module, the message registration of the number obtained for storage, the data of talk times；

Extraction module, for going out to cry frequency parameter M1, caller time interval parameter M2 from the extracting data of storage；Caller Duration of call parameter M3, by counterfeit count parameter M4, calling number feature M5, called number feature weight Q6, called number close System net analysis feature weight Q7 and called type feature weight Q8；

Primary calculations module, for calculating M=M1Q1+M2Q2+M3Q3+M4Q4+M5Q5；

Primary comparison module, for comparing with the value of K by M primary suspicious call number is drawn；

Secondary computing module, for calculating m=M6Q6+M7Q7+M8Q8；

Secondary comparison module, for comparing with the value of k by m suspicious call number is drawn.

The system of the present invention is analyzed using fraudulent call analysis model to historical data, determines each feature weight of model Value；Detection is analyzed to real time data, testing result compares the confidence level for providing fraudulent call with given threshold.Whole system It is made up of data query management system, real-time detecting system, Model Self-Learning system, trend predicting system, data-storage system. Data query management system offer full dose CDR inquiry, swindle CDR inquiry, model parameter management, self study management, trend are pre- Survey analytic function.Real-time detecting system is analyzed in real time by fraudulent call discovery model, detection ticket data, finds swindle electricity Words.Model Self-Learning system is analyzed history call bill data, and by self-learning algorithm model parameter is continued to optimize.Trend prediction system System provides and following fraudulent call trend and change is predicted.Data-storage system adopts distributed memory system, big data Analyzing and processing engine provides rapid data crawl, data distribution, data query function for whole system.

Specific embodiment

Technical scheme will be clearly and completely described below, it is clear that described embodiment is this Bright a part of embodiment, rather than the embodiment of whole.Based on the embodiment in the present invention, those of ordinary skill in the art are not having Have and make the every other embodiment obtained under the premise of creative work, belong to the scope of protection of the invention.

In describing the invention, it should be noted that term " " center ", " on ", D score, "left", "right", " vertical ", The orientation or position relationship of the instruction such as " level ", " interior ", " outward " be shown in orientation or position relationship, be for only for ease of description The present invention is described with simplifying, rather than is indicated or implied that the device or element of indication must be with specific orientation, with specific Azimuth configuration and operation, therefore be not considered as limiting the invention.Additionally, term " first ", " second ", " the 3rd " are only used In description purpose, and it is not intended that indicating or implying relative importance.

In describing the invention, it should be noted that unless otherwise clearly defined and limited, term " installation ", " phase Company ", " connection " should be interpreted broadly, for example, it may be being fixedly connected, or being detachably connected, or be integrally connected；Can Being to be mechanically connected, or electrically connect；Can be joined directly together, it is also possible to be indirectly connected to by intermediary, Ke Yishi The connection of two element internals.For the ordinary skill in the art, with concrete condition above-mentioned term can be understood at this Concrete meaning in invention.

One embodiment of the present invention.

A kind of fraudulent call screening assays, including preliminary screening and postsearch screening, by first screening and secondary sieve Choosing obtains the doubtful number of fraudulent call；

The preliminary screening includes,

The Calling history of at least one analyzed number in time T is obtained from communication server；

Caller frequency parameter M1, the caller time interval parameter M2 of each analyzed number in calculating time t；Caller is conversed Duration parameters M3, by counterfeit count parameter M4, calling number feature M5；

By caller frequency weight Q1, caller time interval weight Q2；Caller duration of call weight Q3, by counterfeit number of times weight Q4, calling number feature weight Q5 and above-mentioned caller frequency parameter M1, caller time interval parameter M2；Caller duration of call parameter M3, by counterfeit count parameter M4, calling number feature M5 combine, generate primary screener analysis model M=M1Q1+ of each phone M2Q2+M3Q3+M4Q4+M5Q5；

Primary screener analysis model is compared with primary fiducial value K, when M ＞ K, marks the phone can for primary Doubtful telephone number, as M≤K, is then labeled as regular phone number；

The postsearch screening step includes,

The called history of the suspicious number in time T is obtained from communication server；

Extract called number characteristic parameter M6, the called network of personal connections characteristic parameter of the suspicious call number that primary screener goes out M7, called type feature parameter M8；

By called number feature weight Q6, called number network of personal connections analysis feature weight Q7, called type feature weight Q8 Above-mentioned called number feature weight M6, called network of personal connections feature weight M7, called type feature weight M8 are substituted into, secondary sieve is obtained Select analysis model m=M6Q6+M7Q7+M8Q8；

Secondary analysis model m is compared with secondary fiducial value k, as m ＞ k, then fraudulent call is labeled as, as m≤k When, then number is monitored for emphasis, the message registration of the number other times section is reacquired, repeat screening step above.

Further,

The computational methods of the caller frequency parameter M1 take advantage of frequency for analyzed number all caller number of times R1 in time T Parameter T1, i.e. M1=R1T1；

The caller time interval parameter M2 computational methods are that analyzed number all caller interval times in time T are total Spacing parameter T2, i.e. M2=R2T2 are taken advantage of with R2；

The caller duration of call parameter M3 computational methods are that analyzed number all caller air times in time T are total Session parameter T3, i.e. M3=R3T3 are taken advantage of with R3；

The caller by counterfeit count parameter M4 computational methods be analyzed number in time T all callers by counterfeit time Number R4 takes advantage of spacing parameter T4, i.e. M4=R4T4；

Further, the acquisition methods of the weight are：

It is assumed that the white list set W in data acquisition system E, set E in blacklist set B, set E, respectively using each model Set B and set W are calculated, acquisition meets ratio of the number of model M X in list, wherein X={ 1,2,3,4,5 }. Meet ratio BX of the number in set B of model M X, meet ratio WX of the number of model M X in set W, each Model Weight QX=BX-WX.

Further, the K=∑s B_X-∑W_X。

Further, the calling number feature M5 acquisition methods include that according to number length is classified to calling number, It is assumed that number length set L is { L1, L2 ... LN }, Li ∈ L, the front Li-2 positions for taking number nm obtain nm ', by calling number nm Difference, but nm ' identical numbers are classified as hundred segment number codes, and by that analogy, front Li-3 positions identical number is classified as kilosegment number, front Li-4 positions identical number is classified as ten thousand segment number codes.

A kind of equipment using above-mentioned fraudulent call screening technique, the equipment includes：

Acquisition module, for obtaining the data of number talk times, time record from carrier server；

Storage module, the message registration of the number obtained for storage, the data of talk times；

Extraction module, for going out to cry frequency parameter M1, caller time interval parameter M2 from the extracting data of storage；Caller Duration of call parameter M3, by counterfeit count parameter M4, calling number feature M5, called number feature weight Q6, called number close System net analysis feature weight Q7 and called type feature weight Q8；

Primary calculations module, for calculating M=M1Q1+M2Q2+M3Q3+M4Q4+M5Q5；

Primary comparison module, for comparing with the value of K by M primary suspicious call number is drawn；

Secondary computing module, for calculating m=M6Q6+M7Q7+M8Q8；

Secondary comparison module, for comparing with the value of k by m suspicious call number is drawn.

The system of the present invention is analyzed using fraudulent call analysis model to historical data, determines each feature weight of model Value；Detection is analyzed to real time data, testing result compares the confidence level for providing fraudulent call with given threshold.Whole system It is made up of data query management system, real-time detecting system, Model Self-Learning system, trend predicting system, data-storage system. Data query management system offer full dose CDR inquiry, swindle CDR inquiry, model parameter management, self study management, trend are pre- Survey analytic function.Real-time detecting system is analyzed in real time by fraudulent call discovery model, detection ticket data, finds swindle electricity Words.Model Self-Learning system is analyzed history call bill data, and by self-learning algorithm model parameter is continued to optimize.Trend prediction system System provides and following fraudulent call trend and change is predicted.Data-storage system adopts distributed memory system, big data Analyzing and processing engine provides rapid data crawl, data distribution, data query function for whole system.

Above-mentioned technical proposal only embodies the optimal technical scheme of technical solution of the present invention, those skilled in the art Some of which part is made some variation embody the present invention principle, belong to protection scope of the present invention it It is interior.

Claims (6)

1. a kind of fraudulent call screening assays, it is characterised in that including preliminary screening and postsearch screening, by first screening With the doubtful number that postsearch screening obtains fraudulent call；

The preliminary screening includes,

The Calling history of at least one analyzed number in time T is obtained from communication server；

Caller frequency parameter M1, the caller time interval parameter M2 of each analyzed number in calculating time t；The caller duration of call Parameter M3, by counterfeit count parameter M4, calling number feature M5；

By caller frequency weight Q1, caller time interval weight Q2；Caller duration of call weight Q3, by counterfeit number of times weight Q4, Calling number feature weight Q5 and above-mentioned caller frequency parameter M1, caller time interval parameter M2；Caller duration of call parameter M3, Combined by counterfeit count parameter M4, calling number feature M5, generate primary screener analysis model M=M1Q1+ of each phone M2Q2+M3Q3+M4Q4+M5Q5；

Primary screener analysis model is compared with primary fiducial value K, when M ＞ K, marks the phone to be primary suspicious electricity Words number, as M≤K, is then labeled as regular phone number；

The postsearch screening step includes,

The called history of the suspicious number in time T is obtained from communication server；

Extract called number characteristic parameter M6, called network of personal connections characteristic parameter M7, the quilt of the suspicious call number that primary screener goes out It is type feature parameter M8；

Called number feature weight Q6, called number network of personal connections analysis feature weight Q7, called type feature weight Q8 are substituted into Above-mentioned called number feature weight M6, called network of personal connections feature weight M7, called type feature weight M8, obtain postsearch screening point Analysis model m=M6Q6+M7Q7+M8Q8；

Secondary analysis model m is compared with secondary fiducial value k, as m ＞ k, then fraudulent call is labeled as, as m≤k, Then number is monitored for emphasis, reacquire the message registration of the number other times section, repeat screening step above.

2. fraudulent call screening assays according to claim 1, it is characterised in that

The computational methods of the caller frequency parameter M1 take advantage of frequency parameter for analyzed number all caller number of times R1 in time T T1, i.e. M1=R1T1；

The caller time interval parameter M2 computational methods are analyzed number all caller interval time summations R2 in time T Take advantage of spacing parameter T2, i.e. M2=R2T2；

The caller duration of call parameter M3 computational methods are analyzed number all caller air time summations R3 in time T Take advantage of session parameter T3, i.e. M3=R3T3；

The caller by counterfeit count parameter M4 computational methods be analyzed number in time T all callers by counterfeit number of times R4 Take advantage of spacing parameter T4, i.e. M4=R4T4.

3. fraudulent call screening assays according to claim 2, it is characterised in that the acquisition methods of the weight For：

It is assumed that the white list set W in data acquisition system E, set E in blacklist set B, set E, respectively using each model to collection Close B and set W is calculated, acquisition meets ratio of the number of model M X in list, wherein X={ 1,2,3,4,5 }.Meet The number of model M X meets ratio WX of the number of model M X in set W, each Model Weight QX=in ratio BX of set B BX-WX。

4. fraudulent call screening assays according to claim 3, it is characterised in that the K=∑s BX- ∑ WX.

5. fraudulent call screening assays according to claim 4, it is characterised in that calling number feature M5 is obtained The method of taking includes that according to number length is classified to calling number, it is assumed that number length set L be { L1, L2 ... LN }, Li ∈ L, the front Li-2 positions for taking number nm obtain nm ', and calling number nm is different, but nm ' identical numbers are classified as hundred segment number codes, with this Analogize, front Li-3 positions identical number is classified as kilosegment number, front Li-4 positions identical number is classified as ten thousand segment number codes.

6. the system of fraudulent call screening technique described in a kind of employing claim 1, it is characterised in that the system includes：

Acquisition module, for obtaining the data of number talk times, time record from carrier server；

Storage module, the message registration of the number obtained for storage, the data of talk times；

Extraction module, for going out to cry frequency parameter M1, caller time interval parameter M2 from the extracting data of storage；Caller is conversed Duration parameters M3, by counterfeit count parameter M4, calling number feature M5, called number feature weight Q6, called number network of personal connections Analysis feature weight Q7 and called type feature weight Q8；

Primary calculations module, for calculating M=M1Q1+M2Q2+M3Q3+M4Q4+M5Q5；

Primary comparison module, for comparing with the value of K by M primary suspicious call number is drawn；

Secondary computing module, for calculating m=M6Q6+M7Q7+M8Q8；

Secondary comparison module, for comparing with the value of k by m suspicious call number is drawn.