CN106686264B - Fraud telephone screening and analyzing method and system - Google Patents

Abstract

The invention belongs to the technical field of monitoring of harmful telephones in telecommunication, and particularly relates to a fraud telephone screening and analyzing method and system. The system analyzes historical data by utilizing a fraud telephone analysis model, and determines each characteristic weight value of the model; and analyzing and detecting the real-time data, and comparing the detection result with a set threshold value to give the confidence level of the fraud call. The whole system consists of a data query management system, a real-time detection system, a model self-learning system, a trend prediction system and a data storage system. The data query management system provides functions of whole ticket query, fraud ticket query, model parameter management, self-learning management and trend prediction analysis. The real-time detection system analyzes and detects the ticket data in real time through a fraud call discovery model to discover fraud calls. The model self-learning system analyzes the historical ticket data and continuously optimizes the model parameters through a self-learning algorithm. The trend prediction system provides prediction of future fraud phone trends and changes. The data storage system adopts a distributed storage system, and the big data analysis processing engine provides the functions of fast data capture, data distribution and data query for the whole system.

Description

Fraud telephone screening and analyzing method and system

Technical Field

The invention belongs to the technical field of monitoring of harmful telephones in telecommunication, and particularly relates to a fraud telephone screening and analyzing method and system.

Background

At present, the fraud telephone discovery of the telecommunication network mainly depends on the analysis of typical call patterns, such as 'one sound', 'you killed', 'counterfeit numbers', and the like, and the classification comparison analysis is carried out on specific call patterns. The analysis technology can only aim at specific typical call modes, but the harmful call types of the current telecommunication network are endless, the means are continuously updated and changed, and automatic analysis and identification cannot be realized.

Disclosure of Invention

Aiming at the characteristic that the harmful calling means are continuously changed, the invention provides a fraud telephone screening and analyzing method and system in order to make up for the defect that the harmful telephone cannot be automatically identified.

A fraud telephone screening and analyzing method comprises primary screening and secondary screening, wherein suspected numbers of fraud telephones are obtained through the primary screening and the secondary screening;

the preliminary screening includes the steps of,

obtaining the calling history of at least one analyzed number in time T from a communication server;

calculating calling frequency parameters M1 and calling time interval parameters M2 of each analyzed number within time t; calling call duration parameter M3, counterfeit times parameter M4 and calling number feature M5;

a calling frequency weight Q1, a calling time interval weight Q2; calling call duration weight Q3, mock times weight Q4, calling number feature weight Q5, the calling frequency parameter M1 and the calling time interval parameter M2; combining the calling call duration parameter M3, the counterfeit times parameter M4 and the calling number feature M5 to generate a primary screening analysis model M of each telephone, which is M1Q1+ M2Q2+ M3Q3+ M4Q4+ M5Q 5;

comparing the primary screening analysis model with a primary comparison value K, marking the telephone as a primary suspicious telephone number when M is larger than K, and marking the telephone as a common telephone number when M is less than or equal to K;

the secondary screening step comprises the steps of,

acquiring the called history of the suspicious number within the time T from a communication server;

extracting called number characteristic parameters M6, called relation network characteristic parameters M7 and called type characteristic parameters M8 of the suspicious telephone numbers screened out primarily;

substituting called number feature weight Q6, called number relational network analysis feature weight Q7 and called type feature weight Q8 into the called number feature weight M6, called relational network feature weight M7 and called type feature weight M8 to obtain a secondary screening analysis model M which is M6Q6+ M7Q7+ M8Q 8;

and comparing the secondary analysis model m with a secondary comparison value k, marking as a fraud call when m is larger than k, and re-acquiring the call records of the number in other time periods as a key monitoring number when m is less than or equal to k, and repeating the screening steps.

Further, in the above-mentioned case,

the calculation method of the calling frequency parameter M1 is that the analyzed number multiplies the frequency parameter T1 by all the calling times R1 within the time T, that is, M1 is R1T 1;

the calling time interval parameter M2 is calculated by multiplying the sum of all calling time intervals R2 of analyzed numbers in time T by an interval parameter T2, namely M2-R2T 2;

the calculation method of the calling call duration parameter M3 is that the sum of all calling call times of the analyzed number within the time T is R3 times the call parameter T3, that is, M3 is R3T 3;

the calculation method of the calling counterfeit times parameter M4 is that the counterfeit times R4 of all calling users of the analyzed number in the time T multiply the interval parameter T4, namely M4 is R4T 4;

further, the method for obtaining the weight comprises the following steps:

and (3) assuming a blacklist set B in a data set E and a whitelist set W in the set E, respectively calculating the set B and the set W by using each model, and obtaining the proportion of the number conforming to a model MX in the list, wherein X is {1,2,3,4,5 }. The ratio BX of the number corresponding to the model MX in the set B, the ratio WX of the number corresponding to the model MX in the set W, and the respective model weights QX — WX.

Further, K ═ Σ BX- Σ WX.

Further, the method for acquiring the calling number features M5 includes classifying calling numbers according to number lengths, assuming that a number length set L is { L1, L2 … … LN }, Li belongs to L, obtaining nm 'from the front Li-2 bits of the number nm, classifying the numbers with different calling numbers nm and the same nm' into hundred-segment numbers, and so on, classifying the numbers with the same front Li-3 bits into thousand-segment numbers, and classifying the numbers with the same front Li-4 bits into ten thousand-segment numbers.

An apparatus adopting the above fraud call screening method, the apparatus comprising:

the acquisition module is used for acquiring data of number call times and time records from an operator server;

the storage module is used for storing the call records of the obtained numbers and the data of the call times;

the extraction module is used for extracting calling frequency parameters M1 and calling time interval parameters M2 from the stored data; a calling call duration parameter M3, a counterfeit number parameter M4, a calling number feature M5, a called number feature weight Q6, a called number relational network analysis feature weight Q7 and a called type feature weight Q8;

a primary calculation module for calculating M ═ M1Q1+ M2Q2+ M3Q3+ M4Q4+ M5Q 5;

the primary comparison module is used for comparing the values of M and K to obtain a primary suspicious telephone number;

a secondary calculation module for calculating M ═ M6Q6+ M7Q7+ M8Q 8;

and the secondary comparison module is used for comparing the values of m and k to obtain the suspicious telephone number.

The system analyzes historical data by utilizing a fraud telephone analysis model, and determines each characteristic weight value of the model; and analyzing and detecting the real-time data, and comparing the detection result with a set threshold value to give the confidence level of the fraud call. The whole system consists of a data query management system, a real-time detection system, a model self-learning system, a trend prediction system and a data storage system. The data query management system provides functions of whole ticket query, fraud ticket query, model parameter management, self-learning management and trend prediction analysis. The real-time detection system analyzes and detects the ticket data in real time through a fraud call discovery model to discover fraud calls. The model self-learning system analyzes the historical ticket data and continuously optimizes the model parameters through a self-learning algorithm. The trend prediction system provides prediction of future fraud phone trends and changes. The data storage system adopts a distributed storage system, and the big data analysis processing engine provides the functions of fast data capture, data distribution and data query for the whole system.

Detailed Description

The technical solutions of the present invention will be described clearly and completely below, and it should be apparent that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

In the description of the present invention, it should be noted that the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc., indicate orientations and positional relationships shown, are merely used for convenience in describing the present invention and simplifying the description, and do not indicate or imply that the system or element referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.

In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.

An embodiment of the present invention.

A fraud telephone screening and analyzing method comprises primary screening and secondary screening, wherein suspected numbers of fraud telephones are obtained through the primary screening and the secondary screening;

the preliminary screening includes the steps of,

obtaining the calling history of at least one analyzed number in time T from a communication server;

calculating calling frequency parameters M1 and calling time interval parameters M2 of each analyzed number within time t; calling call duration parameter M3, counterfeit times parameter M4 and calling number feature M5;

a calling frequency weight Q1, a calling time interval weight Q2; calling call duration weight Q3, mock times weight Q4, calling number feature weight Q5, the calling frequency parameter M1 and the calling time interval parameter M2; combining the calling call duration parameter M3, the counterfeit times parameter M4 and the calling number feature M5 to generate a primary screening analysis model M of each telephone, which is M1Q1+ M2Q2+ M3Q3+ M4Q4+ M5Q 5;

comparing the primary screening analysis model with a primary comparison value K, marking the telephone as a primary suspicious telephone number when M is larger than K, and marking the telephone as a common telephone number when M is less than or equal to K;

the secondary screening step comprises the steps of,

acquiring the called history of the suspicious number within the time T from a communication server;

extracting called number characteristic parameters M6, called relation network characteristic parameters M7 and called type characteristic parameters M8 of the suspicious telephone numbers screened out primarily;

substituting called number feature weight Q6, called number relational network analysis feature weight Q7 and called type feature weight Q8 into the called number feature weight M6, called relational network feature weight M7 and called type feature weight M8 to obtain a secondary screening analysis model M which is M6Q6+ M7Q7+ M8Q 8;

and comparing the secondary analysis model m with a secondary comparison value k, marking as a fraud call when m is larger than k, and re-acquiring the call records of the number in other time periods as a key monitoring number when m is less than or equal to k, and repeating the screening steps.

Further, in the above-mentioned case,

the calculation method of the calling frequency parameter M1 is that the analyzed number multiplies the frequency parameter T1 by all the calling times R1 within the time T, that is, M1 is R1T 1;

the calling time interval parameter M2 is calculated by multiplying the sum of all calling time intervals R2 of analyzed numbers in time T by an interval parameter T2, namely M2-R2T 2;

the calculation method of the calling call duration parameter M3 is that the sum of all calling call times of the analyzed number within the time T is R3 times the call parameter T3, that is, M3 is R3T 3;

the calculation method of the calling counterfeit times parameter M4 is that the counterfeit times R4 of all calling users of the analyzed number in the time T multiply the interval parameter T4, namely M4 is R4T 4;

further, the method for obtaining the weight comprises the following steps:

and (3) assuming a data set E, a blacklist set B in the set E and a white list set W in the set E, and respectively calculating the set B and the set W by using each model to obtain the proportion of the number conforming to a model MX in the list, wherein X is {1,2,3,4,5 }. The ratio BX of the number corresponding to the model MX in the set B, the ratio WX of the number corresponding to the model MX in the set W, and the respective model weights QX — WX.

Further, K ═ Σ B_X-∑W_X。

Further, the method for acquiring the calling number features M5 includes classifying calling numbers according to number lengths, assuming that a number length set L is { L1, L2 … … LN }, Li belongs to L, obtaining nm 'from the front Li-2 bits of the number nm, classifying the numbers with different calling numbers nm and the same nm' into hundred-segment numbers, and so on, classifying the numbers with the same front Li-3 bits into thousand-segment numbers, and classifying the numbers with the same front Li-4 bits into ten thousand-segment numbers.

An apparatus adopting the above fraud call screening method, the apparatus comprising:

the acquisition module is used for acquiring data of number call times and time records from an operator server;

the storage module is used for storing the call records of the obtained numbers and the data of the call times;

the extraction module is used for extracting calling frequency parameters M1 and calling time interval parameters M2 from the stored data; a calling call duration parameter M3, a counterfeit number parameter M4, a calling number feature M5, a called number feature weight Q6, a called number relational network analysis feature weight Q7 and a called type feature weight Q8;

a primary calculation module for calculating M ═ M1Q1+ M2Q2+ M3Q3+ M4Q4+ M5Q 5;

the primary comparison module is used for comparing the values of M and K to obtain a primary suspicious telephone number;

a secondary calculation module for calculating M ═ M6Q6+ M7Q7+ M8Q 8;

and the secondary comparison module is used for comparing the values of m and k to obtain the suspicious telephone number.

The system analyzes historical data by utilizing a fraud telephone analysis model, and determines each characteristic weight value of the model; and analyzing and detecting the real-time data, and comparing the detection result with a set threshold value to give the confidence level of the fraud call. The whole system consists of a data query management system, a real-time detection system, a model self-learning system, a trend prediction system and a data storage system. The data query management system provides functions of whole ticket query, fraud ticket query, model parameter management, self-learning management and trend prediction analysis. The real-time detection system analyzes and detects the ticket data in real time through a fraud call discovery model to discover fraud calls. The model self-learning system analyzes the historical ticket data and continuously optimizes the model parameters through a self-learning algorithm. The trend prediction system provides prediction of future fraud phone trends and changes. The data storage system adopts a distributed storage system, and the big data analysis processing engine provides the functions of fast data capture, data distribution and data query for the whole system.

The technical solutions described above only represent the preferred technical solutions of the present invention, and some possible modifications to some parts of the technical solutions by those skilled in the art all represent the principles of the present invention, and fall within the protection scope of the present invention.

Claims (4)

1. A fraud telephone screening and analyzing method is characterized by comprising primary screening and secondary screening, wherein suspected numbers of fraud telephones are obtained through the primary screening and the secondary screening;

the preliminary screening includes the steps of,

obtaining the calling history of at least one analyzed number in time T from a communication server;

calculating a calling frequency parameter M1, a calling time interval parameter M2, a calling call duration parameter M3, a counterfeit number parameter M4 and calling number characteristics M5 of each analyzed number within the time T;

combining the calling frequency weight Q1, the calling time interval weight Q2, the calling call duration weight Q3, the mock frequency weight Q4 and the calling number feature weight Q5 with the calling frequency parameter M1, the calling time interval parameter M2, the calling call duration parameter M3, the mock frequency parameter M4 and the calling number feature M5 to generate a primary screening analysis model M of each telephone number, which is M1Q1+ M2Q2+ M3Q3+ M4Q4+ M5Q 5;

comparing the primary screening analysis model with a primary comparison value K, marking the telephone number as a primary suspicious telephone number when M is larger than K, and marking the telephone number as a common telephone number when M is smaller than or equal to K;

the secondary screening step comprises the steps of,

acquiring the called history of the suspicious telephone numbers within the time T from the communication server;

extracting called number characteristic parameters M6, called relation network characteristic parameters M7 and called type characteristic parameters M8 of the suspicious telephone numbers screened out primarily;

substituting called number feature weight Q6, called number relational network analysis feature weight Q7 and called type feature weight Q8 into the called number feature weight M6, called relational network feature weight M7 and called type feature weight M8 to obtain a secondary screening analysis model M which is M6Q6+ M7Q7+ M8Q 8;

comparing the secondary analysis model m with a secondary comparison value k, marking as a fraud phone when m is larger than k, and re-acquiring call records of the phone number in other time periods as a key monitoring number when m is less than or equal to k, and repeating the screening steps;

the calculation method of the calling frequency parameter M1 is that the analyzed number multiplies the frequency parameter T1 by all the calling times R1 within the time T, that is, M1 is R1T 1;

the calling time interval parameter M2 is calculated by multiplying the sum of all calling time intervals R2 of analyzed numbers in time T by an interval parameter T2, namely M2-R2T 2;

the calculation method of the calling call duration parameter M3 is that the sum of all calling call times of the analyzed number within the time T is R3 times the call parameter T3, that is, M3 is R3T 3;

the calculation method of the counterfeit times parameter M4 is that the counterfeit times R4 of all calling parties of the analyzed number in the time T multiply the interval parameter T4, namely M4 is R4T 4;

the method for acquiring the weight of each model comprises the following steps:

assuming a data set E, a blacklist set B in the set E and a white list set W in the set E, respectively calculating the set B and the set W by using each model, and obtaining the proportion of numbers conforming to a model MX in a list, wherein X is {1,2,3,4,5 }; the ratio BX of the number corresponding to the model MX in the set B, the ratio WX of the number corresponding to the model MX in the set W, and the respective model weights QX — WX.

2. The fraud phone screening analysis method of claim 1, wherein the K ═ Σ BX- Σ WX.

3. The fraud phone screening analysis method of claim 2, wherein the calling number feature M5 obtaining method comprises classifying calling numbers by number length, assuming that the number length set L is { L1, L2 … … LN }, Li ∈ L, i is 1-N; the first Li-2 bits of the number nm are taken to obtain nm ', the numbers with different calling numbers nm and the same nm' are classified into hundreds of numbers, and so on, the numbers with the same first Li-3 bits are classified into thousands of numbers, and the numbers with the same first Li-4 bits are classified into thousands of numbers.

4. A system employing the fraud phone screening analysis method of claim 1, wherein the system comprises:

the acquisition module is used for acquiring data of number call times and time records from an operator server;

the storage module is used for storing the call records of the obtained numbers and the data of the call times;

the extraction module is used for extracting a calling frequency parameter M1, a calling time interval parameter M2, a calling call duration parameter M3, a counterfeit times parameter M4, a calling number feature M5, a called number feature weight Q6, a called number relational network analysis feature weight Q7 and a called type feature weight Q8 from the stored data;

a primary calculation module for calculating M ═ M1Q1+ M2Q2+ M3Q3+ M4Q4+ M5Q 5;

the primary comparison module is used for comparing the values of M and K to obtain a primary suspicious telephone number;

a secondary calculation module for calculating M ═ M6Q6+ M7Q7+ M8Q 8;

and the secondary comparison module is used for comparing the values of m and k to obtain the suspicious telephone number.