CN109698884B - Fraud call identification method and system - Google Patents
Fraud call identification method and system Download PDFInfo
- Publication number
- CN109698884B CN109698884B CN201710996388.9A CN201710996388A CN109698884B CN 109698884 B CN109698884 B CN 109698884B CN 201710996388 A CN201710996388 A CN 201710996388A CN 109698884 B CN109698884 B CN 109698884B
- Authority
- CN
- China
- Prior art keywords
- calling
- called
- abnormal
- call
- fraud
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M3/00—Automatic or semi-automatic exchanges
- H04M3/22—Arrangements for supervision, monitoring or testing
- H04M3/2281—Call monitoring, e.g. for law enforcement purposes; Call tracing; Detection or prevention of malicious calls
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M3/00—Automatic or semi-automatic exchanges
- H04M3/42—Systems providing special services or facilities to subscribers
- H04M3/436—Arrangements for screening incoming calls, i.e. evaluating the characteristics of a call before deciding whether to answer it
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2203/00—Aspects of automatic or semi-automatic exchanges
- H04M2203/60—Aspects of automatic or semi-automatic exchanges related to security aspects in telephonic communication systems
- H04M2203/6027—Fraud preventions
Abstract
The present disclosure provides a fraud phone identification method and system. The method comprises the following steps: acquiring a local real-time ticket of an operator, encrypting a telephone number in the local real-time ticket, and acquiring a corresponding desensitization ticket; extracting a calling number, a called number, a call duration and a call starting time in the desensitization call ticket; analyzing the calling number and screening out abnormal numbers; analyzing the called number corresponding to the abnormal number, and judging whether the user of the called number is a suspected victim user; analyzing the specific call process of the abnormal number and the called number corresponding to the abnormal number, judging whether the abnormal number meets fraud conformity, if so, decrypting the abnormal number and the called number, and determining that the decrypted abnormal number and the decrypted called number are a fraud number and a victim user number respectively; and outputting the fraud number and the victim user number. The present disclosure enables identification of fraudulent calls.
Description
Technical Field
The present disclosure relates to the field of information security, and in particular, to a fraud telephone identification method and system.
Background
Traditional fraud phone detection methods are generally implemented based on blacklist comparison. However, the detection method of comparing the blacklist has a limited detection effect because the fraud number changes rapidly, the real-time update of the blacklist cannot keep up with the fraud number, and the fraud number processed by the number-changing software cannot be identified.
In response to these limitations, fraudulent call detection methods based on call behavior have emerged. However, the current technology processes the whole call ticket because the local call ticket data volume of the operator is too large, the detection speed is slow, and the performance is relatively low. And a single-stage behavior matching model is adopted, so that the accuracy is relatively low. In addition, the technology also has the risk of user information leakage.
Disclosure of Invention
The inventors of the present disclosure have found that there are problems in the above-mentioned prior art, and thus have proposed a new technical solution to at least one of the problems.
According to an aspect of the present disclosure, there is provided a fraudulent call identification method, including: acquiring a local real-time ticket of an operator, encrypting a telephone number in the local real-time ticket, and acquiring a corresponding desensitization ticket; extracting a calling number, a called number, a call duration and a call starting time in the desensitization call ticket; analyzing the calling number in the desensitization call ticket, and screening out abnormal numbers; analyzing the called number corresponding to the abnormal number, and judging whether the user of the called number is a suspected victim user; after the user of the called number is determined to be a suspected victim user, analyzing the specific call process of the abnormal number and the called number corresponding to the abnormal number, judging whether the abnormal number meets fraud conformity, if so, decrypting the abnormal number and the called number, and determining that the decrypted abnormal number and the decrypted called number are respectively a fraud number and a victim user number; and outputting the fraud number and the victim user number.
Optionally, the step of analyzing the calling number in the desensitization call ticket and screening out an abnormal number includes: determining the calling frequency and the calling interval of the calling number according to the call starting time of the calling number; determining the calling and called occupation ratio, called dispersion and number type of the calling number according to the calling number and the called number corresponding to the calling number; and carrying out multidimensional analysis on the calling frequency, the calling and called proportion, the calling interval, the called dispersion and the number type of the calling number to screen out abnormal numbers.
Optionally, the step of analyzing the called number corresponding to the abnormal number and determining whether the user of the called number is a suspected victim user includes: determining the calling frequency and the calling interval of the called number according to the communication starting time of the called number corresponding to the abnormal number; determining the calling and called occupation ratio and the number relation network of the called number according to the called number; comprehensively analyzing the calling frequency, calling and called proportion, calling duration and number relation network of the called number, and judging whether the user of the called number is a suspected victim user; and under the condition that the analysis results of the calling frequency, the calling-called ratio, the calling duration and the number relation network of the called number meet suspected victim conditions, determining that the user of the called number is a suspected victim user.
Optionally, analyzing a specific call process of the abnormal number and the called number corresponding to the abnormal number, and determining whether the abnormal number satisfies a fraud compliance degree includes: and comprehensively analyzing the call interaction dialing sequence of the abnormal number and the called number corresponding to the abnormal number, the call duration and whether the special service number is involved in the call process, and judging whether the abnormal number meets the fraud conformity.
Optionally, the step of encrypting the phone number in the local real-time ticket includes: and encrypting the latter bits of the telephone numbers in the local real-time telephone bill.
According to another aspect of the present disclosure, there is provided a fraud phone identification system, including: the system comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring a local real-time ticket of an operator, encrypting a telephone number in the local real-time ticket and acquiring a corresponding desensitization ticket; the extraction module is used for extracting the calling number, the called number, the call duration and the call starting time in the desensitization call ticket; the first analysis module is used for analyzing the calling number in the desensitization call ticket and screening out abnormal numbers; the second analysis module is used for analyzing the called number corresponding to the abnormal number and judging whether the user of the called number is a suspected victim user; a third analysis module, configured to, after determining that the user of the called number is a suspected victim user, analyze a specific call process of the abnormal number and the called number corresponding to the abnormal number, determine whether the abnormal number meets fraud conformity, if yes, perform decryption on the abnormal number and the called number, and determine that the decrypted abnormal number and the called number are a fraud number and a victim user number, respectively; and an output module for outputting the fraud number and the victim user number.
Optionally, the first analysis module is configured to determine a call frequency and a call interval of the calling number according to the call start time of the calling number; determining the calling and called occupation ratio, called dispersion and number type of the calling number according to the calling number and the called number corresponding to the calling number; and carrying out multidimensional analysis on the calling frequency, the calling and called proportion, the calling interval, the called dispersion and the number type of the calling number to screen out abnormal numbers.
Optionally, the second analysis module is configured to determine a call frequency and a call interval of the called number according to a call start time of the called number corresponding to the abnormal number; determining the calling and called occupation ratio and the number relation network of the called number according to the called number; comprehensively analyzing the calling frequency, calling and called proportion, calling duration and number relation network of the called number, and judging whether the user of the called number is a suspected victim user; and the second analysis module determines that the user of the called number is a suspected victim user when the analysis results of the calling frequency, the calling-called ratio, the calling duration and the number relation network of the called number meet the suspected victim condition.
Optionally, the third analysis module is configured to perform comprehensive analysis on the call interaction dialing sequence of the abnormal number and the called number corresponding to the abnormal number, the call duration, and whether a special service number is involved in the call process, so as to determine whether the abnormal number meets fraud compliance.
Optionally, the obtaining module is configured to encrypt the last several digits of the telephone number in the local real-time ticket.
According to another aspect of the present disclosure, there is provided a fraud phone identification system, including: a memory; and a processor coupled to the memory, the processor configured to perform the method as previously described based on instructions stored in the memory.
According to another aspect of the present disclosure, a computer-readable storage medium is provided, having stored thereon computer program instructions, which when executed by a processor, implement the steps of the method as previously described.
In the above embodiment of the present disclosure, desensitization processing is performed on an operator real-time ticket, and then four bytes of the desensitization ticket are extracted as input, that is: calling number, called number, call duration and call start time; and then, after three-level multidimensional behavior portrait analysis model, namely abnormal number behavior analysis, behavior analysis on the called number corresponding to the abnormal number, conversation interaction behavior analysis, accurate positioning of the fraud phone through three-level multidimensional portraits, and then output of the fraud number and the victim user number through decryption, the recognition of the fraud phone is realized. Compared with the prior art, the method disclosed by the embodiment of the invention uses less ticket bytes, the detection efficiency is greatly improved, and the identification accuracy is effectively improved by adopting a three-level multi-dimensional behavior portrait method. Moreover, the embodiment of the disclosure processes the desensitized call ticket, effectively solves the problem of user information confidentiality, and has strong practicability.
Other features of the present disclosure and advantages thereof will become apparent from the following detailed description of exemplary embodiments thereof, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure.
The present disclosure may be more clearly understood from the following detailed description, taken with reference to the accompanying drawings, in which:
FIG. 1 is a flow chart illustrating a fraudulent call identification method according to some embodiments of the present disclosure.
FIG. 2 is a block diagram schematically illustrating a fraud telephone identification system according to some embodiments of the present disclosure.
FIG. 3 is a block diagram schematically illustrating a fraud telephone identification system according to further embodiments of the present disclosure.
FIG. 4 is a block diagram schematically illustrating a fraud telephone identification system according to further embodiments of the present disclosure.
Detailed Description
Various exemplary embodiments of the present disclosure will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
FIG. 1 is a flow chart illustrating a fraudulent call identification method according to some embodiments of the present disclosure.
In step S102, a local real-time ticket of the operator is obtained, and the telephone number in the local real-time ticket is encrypted to obtain a corresponding desensitization ticket.
For example, all or part of the real-time call detail list (call ticket for short) of the local user may be derived from equipment such as an operator switch, a local end office, a long distance office, or other network interworking gateways.
In some embodiments, the step of encrypting the telephone number in the local real-time ticket may include: and encrypting the latter bits of the telephone number in the local real-time ticket. For example, the last 4 digits of the telephone number in the local real-time ticket are encrypted, or the last 5 digits of the telephone number are encrypted, and the like. The last several digits in the telephone number may be encrypted using known encryption algorithms. In this embodiment, the corresponding desensitization ticket is obtained by encrypting the telephone number.
In step S104, the calling number, the called number, the call duration and the call start time in the desensitization call ticket are extracted. Here, the call duration may include: the call duration of the calling number and the call duration of the called number. The call start time may include: the call start time of the calling number and the call start time of the called number.
And step S106, analyzing the calling number in the desensitization call ticket, and screening out abnormal numbers.
Optionally, the step S106 may include: and determining the calling frequency and the calling interval of the calling number according to the call starting time of the calling number. For example, if the start time of the calling number occurs N times per unit time, the frequency of calls is N. For another example, the time intervals between two adjacent calls of all calls of the calling number may be counted, and the average of the time intervals is obtained as the call interval of the calling number.
Optionally, the step S106 may further include: and determining the calling and called occupation ratio, the called dispersion and the number type of the calling number according to the calling number and the called number corresponding to the calling number.
In some embodiments, the calling-to-called ratio of the calling number is obtained according to the number of times the calling number appears as a calling party and a called party in a call respectively. For example, the ratio of calling to called is the number of times the calling number is used as the caller: the calling number is used as the number of called parties.
In some embodiments, the called dispersion of the calling number is determined according to the calling number and the called number corresponding to the calling number. Here, the called dispersion means a dispersion degree of the called number corresponding to the calling number. Different statistical methods may be employed to determine the callee dispersion. For example, the more the serial numbers of all called numbers corresponding to the calling number are, the more the called numbers are concentrated, and the smaller the called dispersion is; conversely, the larger the called dispersion. For another example, the more all the called numbers corresponding to the calling number appear in the same region (e.g., the same province), the more the called numbers are concentrated, and the smaller the called dispersion is; conversely, the larger the called dispersion.
In some embodiments, the type of calling number may be determined from the first few digits or all digits of the calling number. For example, whether the calling number is a special service number of the type of public security, banking or aviation may be determined from the first few digits or all digits of the number.
Optionally, the step S106 may further include: abnormal numbers are screened out by carrying out multidimensional analysis on the calling frequency, the calling and called proportion, the calling interval, the called dispersion and the number type of the calling number.
In step S106, the first-level analysis (i.e., abnormal number behavior analysis) is implemented, the calling number in the desensitization ticket is analyzed, and abnormal numbers are screened out by performing multidimensional analysis on the calling frequency, the calling-called duty ratio, the calling interval, the called dispersion, the number type, and the like, and the abnormal numbers are used as suspected fraud numbers.
For example, the calling number has a relatively high calling frequency, a relatively high calling-called ratio (i.e., a call is mainly made as a calling party), a relatively small calling interval, a relatively small called dispersion, and a number type of special service numbers such as public security, bank, or aviation, the calling number can be used as an abnormal number, i.e., a suspected fraud number.
It should be noted that although the multi-dimensional analysis of the calling frequency, the ratio of calling to called, the calling interval, the called dispersion and the number type of the calling number is described above, the scope of the present disclosure is not limited thereto. For example, the calling number may be analyzed for the calling time period and number normalization.
In step S108, the called number corresponding to the abnormal number is analyzed, and it is determined whether the user of the called number is a suspected victim user.
Optionally, the step S108 may include: and determining the calling frequency and the calling interval of the called number according to the call starting time of the called number corresponding to the abnormal number. Here, the manner of determining the call frequency and the call interval is similar to that described above and will not be described in detail.
Optionally, the step S108 may further include: and determining the calling and called occupation ratio and the number relation network of the called number according to the called number. For example, the calling and called party ratios of the called number are obtained according to the times that the called number corresponding to the abnormal number appears as a calling party and a called party in a call respectively, and the number relation network of the called number is confirmed according to the address book of the called number. Whether the called number is a number of a normal user or not and whether a number for calling the user has some strange numbers (namely strange numbers which are not in an address book) which can be fraudulent calls or not appear in the number for calling the user can be analyzed through the calling and called proportion and number relation network.
Optionally, the step S108 may further include: comprehensively analyzing the calling frequency, calling and called proportion, calling duration and number relation network of the called number (namely the called number corresponding to the abnormal number), and judging whether the user of the called number is a suspected victim user; and under the condition that the analysis results of the calling frequency, the calling-called ratio, the calling duration and the number relation network of the called number meet suspected victim conditions, determining that the user of the called number is a suspected victim user.
For example, the called number has a relatively high calling frequency, a relatively small calling-called percentage (i.e., it is mainly called to make a call), a relatively long call duration, and some strange numbers with suspected fraud numbers in the number relationship network, it may be determined that the called number is a suspected victim user number, i.e., the user of the called number is a suspected victim user.
It should be noted that, although the above describes the comprehensive analysis of the call frequency, the calling/called percentage, the call duration and the number relation network of the called number, the scope of the present disclosure is not limited thereto, and for example, the number type of the called number may be analyzed.
In step S108, the second-level analysis (i.e., the behavior analysis of the called number corresponding to the abnormal number) is implemented, and whether the user of the called number is a suspected victim user is determined by comprehensively analyzing the dimensions of the calling frequency, the calling-called percentage, the call duration, the number relation network, and the like of the called number corresponding to the abnormal number screened in step S106.
In step S110, after the user of the called number is determined to be a suspected victim user, a specific call process between the abnormal number and the called number corresponding to the abnormal number is analyzed, whether the abnormal number meets the fraud conformity is determined, if yes, the abnormal number and the called number are decrypted, and it is determined that the decrypted abnormal number and the called number are respectively a fraud number and a victim user number.
In some embodiments, analyzing the specific call process of the abnormal number and the called number corresponding to the abnormal number, and determining whether the abnormal number satisfies the fraud compliance may include: and comprehensively analyzing the call interaction dialing sequence of the abnormal number and the called number corresponding to the abnormal number, the call duration and whether the special service number is involved in the call process, and judging whether the abnormal number meets fraud conformity.
Here, the fraud compliance may be a predetermined threshold. For example, the step S110 is fraud conversation matching, and the abnormal number and the called number are analyzed in a specific conversation process, each type of fraud has a certain conversation, and the conversation interaction is regularly repeatable, so that the dimensions of the conversation interaction dialing sequence of the abnormal number and the called number corresponding to the abnormal number, the conversation duration, and whether special service numbers (such as 114, special service numbers for public security, bank or aviation) are involved in the conversation process can be comprehensively analyzed to obtain an analysis value which reviews the abnormal number, and if the analysis value exceeds the fraud coincidence degree, the abnormal number is determined to be a fraud number.
It should be noted that the method for obtaining the analysis value can be determined as needed. For example, the three dimensions of the call interaction dialing sequence, the call duration and whether the special service number is involved in the call process are respectively obtained according to big data analysis, the probability of the possible fraud condition is respectively obtained, the weights are respectively set for the three dimensions, and the probability of the possible fraud condition of the three dimensions is obtained according to the respective probabilities and the respective weights of the three dimensions, so that the analysis value is obtained. Of course, it will be understood by those skilled in the art that the method of obtaining the analysis values herein is merely exemplary and the scope of the present disclosure is not limited thereto.
In some embodiments, the step of decrypting the exception number and the called number may include: and respectively carrying out decryption processing on the abnormal number and the last bits of the called number. For example, the last 4 bits (or the last 5 bits) of the exception number and the called number are decrypted, respectively.
In the step S110, a third-level analysis (i.e., a call interaction behavior analysis) is implemented, and a specific call process analysis is performed on the abnormal number and the called number, each type of fraud has a certain call technology, the call interaction can be regularly followed, and by performing a comprehensive analysis on dimensions such as a call interaction dialing sequence, a call duration, whether special service numbers such as 114, public security, bank, aviation and the like are involved in the process, if a fraud compliance is satisfied, the abnormal number and the called number are decrypted, and it is determined that the decrypted abnormal number and the decrypted called number are a fraud number and a victim user number, respectively.
At step S112, the fraud number and the victim user number are output.
In the fraud call identification method of the embodiment, firstly, desensitization treatment is carried out on the real-time call bill of an operator; then extracting four bytes of the desensitized call ticket as input, namely: calling number, called number, call duration and call start time; and then, a fraud phone is accurately positioned through three-level multidimensional behavior portrait analysis models, namely abnormal number behavior analysis, behavior analysis on a called number corresponding to the abnormal number, conversation interaction behavior analysis, and then the fraud number and a victim user number are output through decryption, so that the identification of the fraud phone is realized. Compared with the prior art, the identification method disclosed by the embodiment of the invention uses less ticket bytes, the detection efficiency is greatly improved, and the identification accuracy is effectively improved by adopting a three-level multi-dimensional behavior portrait method. Moreover, the embodiment of the disclosure processes the desensitized call ticket, effectively solves the problem of user information confidentiality, and has strong practicability.
For example, a certain user receives an unfamiliar phone call, and after the user hangs up after interacting with the unfamiliar phone call, the telecom operator can analyze the unfamiliar phone call by using the fraud phone call identification method of the embodiment of the disclosure, and determine whether the unfamiliar phone call is a fraud phone call according to the analysis result. In the case of fraudulent calls, the telecommunications carrier notifies the user (e.g. within minutes of the user hanging up) to prevent the user from being deceived. The fraud call identification method has the advantages that the detection efficiency is greatly improved, the highest accuracy can reach 99%, the occurrence rate of fraud events is effectively reduced through cooperation with public security departments, and the fraud call identification method has very important practical significance for ensuring the stability of the society and the property safety of people.
In the embodiment of the disclosure, after determining that the decrypted abnormal number and the decrypted called number are a fraud number and a victim user number, respectively, the fraud number can be stored in a blacklist, so as to prevent the fraud from being discovered in time when the fraud number is defrauded again, and prevent the user from being defrauded.
FIG. 2 is a block diagram schematically illustrating a fraud telephone identification system according to some embodiments of the present disclosure. As shown in fig. 2, the system may include: an acquisition module 202, an extraction module 204, a first analysis module 206, a second analysis module 208, a third analysis module 210, and an output module 212.
The obtaining module 202 may be configured to obtain a local real-time ticket of an operator, encrypt a number in the local real-time ticket, and obtain a corresponding desensitization ticket.
The extraction module 204 may be configured to extract a calling number, a called number, a call duration, and a call start time in the desensitization ticket.
The first analysis module 206 may be configured to analyze the calling number in the desensitization ticket, and screen out an abnormal number.
The second analysis module 208 may be configured to analyze the called number corresponding to the abnormal number, and determine whether the user of the called number is a suspected victim user.
The third analyzing module 210 can be configured to, after determining that the user of the called number is a suspected victim user, analyze a specific call process of the abnormal number and the called number corresponding to the abnormal number, determine whether the abnormal number meets fraud compliance, if yes, decrypt the abnormal number and the called number, and determine that the decrypted abnormal number and the decrypted called number are a fraud number and a victim user number, respectively.
The output module 212 can be used to output the fraud number and the victim user number.
In the fraud telephone recognition system of the embodiment, the operator real-time telephone bill is desensitized, bytes such as a calling number, a called number, a call duration and a call start time of the desensitized telephone bill are extracted to serve as original input, three-level multidimensional portrait analysis including abnormal number behavior analysis, called number behavior analysis corresponding to the abnormal number and call interaction behavior analysis is performed, a fraud telephone is accurately positioned, the analyzed telephone bill is decrypted, a fraud number and a victim user number are output, and recognition of the fraud telephone is achieved. Compared with the prior art, the identification method disclosed by the invention uses less ticket bytes, the detection efficiency is greatly improved, and the identification accuracy is effectively improved by adopting a three-level multi-dimensional behavior portrait method. Moreover, the embodiment of the disclosure processes the desensitized call ticket, effectively solves the problem of user information confidentiality, and has strong practicability.
In addition, because the embodiments of the present disclosure analyze the desensitized call ticket, the present disclosure is not limited by the requirement of confidentiality, and the deployment mode is flexible and various, for example, the fraud telephone identification system may be deployed in a telecommunication room or may be deployed at a remote end.
In some embodiments, the first analysis module 206 may be configured to determine the call frequency and the call interval of the calling number according to the call start time of the calling number; determining the calling and called occupation ratio, called dispersion and number type of the calling number according to the calling number and the called number corresponding to the calling number; and carrying out multidimensional analysis on the calling frequency, the calling and called proportion, the calling interval, the called dispersion and the number type of the calling number to screen out abnormal numbers.
In some embodiments, the second analysis module 208 may be configured to determine the call frequency and the call interval of the called number according to the call start time of the called number corresponding to the abnormal number; determining the calling and called occupation ratio and the number relation network of the called number according to the called number; comprehensively analyzing the calling frequency, calling and called proportion, calling duration and number relation network of the called number, and judging whether the user of the called number is a suspected victim user; the second analysis module 208 determines that the user of the called number is a suspected victim user when the analysis result of the call frequency, the calling-called ratio, the call duration and the number relation network of the called number satisfies the suspected victim condition.
In some embodiments, the third analysis module 210 can be configured to comprehensively analyze the call interaction dialing sequence of the abnormal number and the called number corresponding to the abnormal number, the call duration, and whether the special service number is involved in the call process, so as to determine whether the abnormal number satisfies the fraud compliance.
In some embodiments, the obtaining module 202 may be configured to encrypt the last several digits of the phone number in the local real-time ticket.
FIG. 3 is a block diagram schematically illustrating a fraud telephone identification system according to further embodiments of the present disclosure. The fraudulent telephone identification system includes a memory 310 and a processor 320. Wherein:
the memory 310 may be a magnetic disk, flash memory, or any other non-volatile storage medium. The memory is used for storing instructions in the embodiment corresponding to fig. 1.
In some embodiments, as also shown in FIG. 4, the fraudulent telephone identification system 400 includes a memory 410 and a processor 420. Processor 420 is coupled to memory 410 by a BUS 430. The fraud telephone identification system 400 may also be connected to an external storage device 450 via storage interface 440 for invoking external data, and may also be connected to a network or another computer system (not shown) via network interface 460, which will not be described in detail herein.
In the embodiment, the data instruction is stored in the memory, the instruction is processed by the processor, the operator real-time call bill is desensitized, bytes such as a calling number, a called number, call duration and call starting time of the desensitized call bill are extracted to serve as original input, three-level multidimensional portrait analysis including abnormal number behavior analysis, called number behavior analysis corresponding to the abnormal number and call interaction behavior analysis is performed, a fraud phone is accurately positioned, the analyzed call bill is decrypted, a fraud number and a victim user number are output, and identification of the fraud phone is achieved.
In other embodiments, the present disclosure also provides a computer-readable storage medium on which computer program instructions are stored, which instructions, when executed by a processor, implement the steps of the method in the corresponding embodiment of fig. 1. As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, apparatus, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Thus far, the present disclosure has been described in detail. Some details that are well known in the art have not been described in order to avoid obscuring the concepts of the present disclosure. It will be fully apparent to those skilled in the art from the foregoing description how to practice the presently disclosed embodiments.
The method and system of the present disclosure may be implemented in a number of ways. For example, the methods and systems of the present disclosure may be implemented by software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order for the steps of the method is for illustration only, and the steps of the method of the present disclosure are not limited to the order specifically described above unless specifically stated otherwise. In addition to this, the present invention is,
although some specific embodiments of the present disclosure have been described in detail by way of example, it should be understood by those skilled in the art that the foregoing examples are for purposes of illustration only and are not intended to limit the scope of the present disclosure. It will be appreciated by those skilled in the art that modifications may be made to the above embodiments without departing from the scope and spirit of the present disclosure. The scope of the present disclosure is defined by the appended claims.
Claims (10)
1. A fraud telephone identification method, comprising:
acquiring a local real-time ticket of an operator, encrypting a telephone number in the local real-time ticket, and acquiring a corresponding desensitization ticket;
extracting a calling number, a called number, a call duration and a call starting time in the desensitization call ticket;
analyzing the calling number in the desensitization call ticket, and screening out abnormal numbers;
analyzing the called number corresponding to the abnormal number, and judging whether the user of the called number is a suspected victim user;
after the user of the called number is determined to be a suspected victim user, analyzing the specific call process of the abnormal number and the called number corresponding to the abnormal number, judging whether the abnormal number meets fraud conformity, if so, decrypting the abnormal number and the called number, and determining that the decrypted abnormal number and the decrypted called number are respectively a fraud number and a victim user number; and
outputting the fraud number and the victim user number;
the step of analyzing the called number corresponding to the abnormal number and judging whether the user of the called number is a suspected victim user comprises the following steps: determining the calling frequency and the calling interval of the called number according to the communication starting time of the called number corresponding to the abnormal number; determining the calling and called occupation ratio and the number relation network of the called number according to the called number; comprehensively analyzing the calling frequency, calling and called proportion, calling duration and number relation network of the called number, and judging whether the user of the called number is a suspected victim user; and under the condition that the analysis results of the calling frequency, the calling-called ratio, the calling duration and the number relation network of the called number meet suspected victim conditions, determining that the user of the called number is a suspected victim user.
2. The fraud telephone identification method of claim 1, wherein the step of analyzing the calling numbers in the desensitized call ticket and screening out abnormal numbers comprises:
determining the calling frequency and the calling interval of the calling number according to the call starting time of the calling number;
determining the calling and called occupation ratio, called dispersion and number type of the calling number according to the calling number and the called number corresponding to the calling number; and
and carrying out multidimensional analysis on the calling frequency, the calling and called proportion, the calling interval, the called dispersion and the number type of the calling number to screen out abnormal numbers.
3. The fraud phone identification method of claim 1, wherein the specific conversation process of the abnormal number and the called number corresponding to the abnormal number is analyzed, and the step of determining whether the abnormal number satisfies fraud compliance comprises:
and comprehensively analyzing the call interaction dialing sequence of the abnormal number and the called number corresponding to the abnormal number, the call duration and whether the special service number is involved in the call process, and judging whether the abnormal number meets the fraud conformity.
4. The fraud telephone identification method of claim 1, wherein,
the step of encrypting the telephone number in the local real-time ticket comprises the following steps: and encrypting the latter bits of the telephone numbers in the local real-time telephone bill.
5. A fraud telephone identification system, comprising:
the system comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring a local real-time ticket of an operator, encrypting a telephone number in the local real-time ticket and acquiring a corresponding desensitization ticket;
the extraction module is used for extracting the calling number, the called number, the call duration and the call starting time in the desensitization call ticket;
the first analysis module is used for analyzing the calling number in the desensitization call ticket and screening out abnormal numbers;
the second analysis module is used for analyzing the called number corresponding to the abnormal number and judging whether the user of the called number is a suspected victim user;
a third analysis module, configured to, after determining that the user of the called number is a suspected victim user, analyze a specific call process of the abnormal number and the called number corresponding to the abnormal number, determine whether the abnormal number meets fraud conformity, if yes, perform decryption on the abnormal number and the called number, and determine that the decrypted abnormal number and the called number are a fraud number and a victim user number, respectively; and
an output module for outputting the fraud number and the victim user number;
the second analysis module is used for determining the calling frequency and the calling interval of the called number according to the call starting time of the called number corresponding to the abnormal number; determining the calling and called occupation ratio and the number relation network of the called number according to the called number; comprehensively analyzing the calling frequency, calling and called proportion, calling duration and number relation network of the called number, and judging whether the user of the called number is a suspected victim user; and the second analysis module determines that the user of the called number is a suspected victim user when the analysis results of the calling frequency, the calling-called ratio, the calling duration and the number relation network of the called number meet the suspected victim condition.
6. The fraud telephone identification system of claim 5, wherein,
the first analysis module is used for determining the calling frequency and the calling interval of the calling number according to the call starting time of the calling number; determining the calling and called occupation ratio, called dispersion and number type of the calling number according to the calling number and the called number corresponding to the calling number; and carrying out multidimensional analysis on the calling frequency, the calling and called proportion, the calling interval, the called dispersion and the number type of the calling number to screen out abnormal numbers.
7. The fraud telephone identification system of claim 5, wherein,
the third analysis module is used for comprehensively analyzing the call interaction dialing sequence, the call duration and whether the special service number is involved in the call process of the abnormal number and the called number corresponding to the abnormal number, and judging whether the abnormal number meets the fraud conformity degree.
8. The fraud telephone identification system of claim 5, wherein,
the acquisition module is used for encrypting a plurality of latter digits in the telephone number in the local real-time ticket.
9. A fraud telephone identification system, comprising:
a memory; and
a processor coupled to the memory, the processor configured to perform the method of any of claims 1-4 based on instructions stored in the memory.
10. A computer-readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the steps of the method of any one of claims 1 to 4.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710996388.9A CN109698884B (en) | 2017-10-24 | 2017-10-24 | Fraud call identification method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710996388.9A CN109698884B (en) | 2017-10-24 | 2017-10-24 | Fraud call identification method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109698884A CN109698884A (en) | 2019-04-30 |
| CN109698884B true CN109698884B (en) | 2021-04-23 |
Family
ID=66226840
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710996388.9A Active CN109698884B (en) | 2017-10-24 | 2017-10-24 | Fraud call identification method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109698884B (en) |
Families Citing this family (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112399013B (en) * | 2019-08-15 | 2021-12-03 | 中国电信股份有限公司 | Abnormal telephone traffic identification method and device |
| CN112565525A (en) * | 2019-09-26 | 2021-03-26 | 中国电信股份有限公司 | Anti-fraud early warning method and device |
| CN110719592B (en) * | 2019-10-18 | 2023-01-31 | 国家计算机网络与信息安全管理中心 | System and method for preventing fraud telephone compatible with 4G and 5G networks |
| CN110830999B (en) * | 2019-10-18 | 2023-04-07 | 国家计算机网络与信息安全管理中心 | Encryption method of call handling strategy |
| CN112839335A (en) * | 2019-11-25 | 2021-05-25 | 中移动信息技术有限公司 | Number identification method, device, equipment and medium |
| CN113596260B (en) * | 2020-04-30 | 2022-12-16 | 中国移动通信集团广东有限公司 | Abnormal telephone number detection method and electronic equipment |
| CN114302398B (en) * | 2020-09-23 | 2023-11-21 | 中国移动通信集团重庆有限公司 | Big data-based reserved fraud number identification method and device and computing equipment |
| CN113067947A (en) * | 2021-03-16 | 2021-07-02 | 浙江百应科技有限公司 | Anti-fraud solution method and system based on intelligent outbound |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104243727A (en) * | 2014-10-15 | 2014-12-24 | 上海欣方智能系统有限公司 | System and method for performing big data analysis confirmation and interception on phone scams |
| CN104639770A (en) * | 2014-12-25 | 2015-05-20 | 北京奇虎科技有限公司 | Telephone reporting method, device and system based on mobile terminal |
| CN105100363A (en) * | 2015-06-29 | 2015-11-25 | 小米科技有限责任公司 | Information processing method, information processing device and terminal |
| CN105516989A (en) * | 2015-11-27 | 2016-04-20 | 努比亚技术有限公司 | Method and device for identifying bad conversation |
| CN106550155A (en) * | 2016-11-25 | 2017-03-29 | 上海欣方智能系统有限公司 | Suspicious number is carried out swindling the method and system that sample screens classification and interception |
-
2017
- 2017-10-24 CN CN201710996388.9A patent/CN109698884B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104243727A (en) * | 2014-10-15 | 2014-12-24 | 上海欣方智能系统有限公司 | System and method for performing big data analysis confirmation and interception on phone scams |
| CN104639770A (en) * | 2014-12-25 | 2015-05-20 | 北京奇虎科技有限公司 | Telephone reporting method, device and system based on mobile terminal |
| CN105100363A (en) * | 2015-06-29 | 2015-11-25 | 小米科技有限责任公司 | Information processing method, information processing device and terminal |
| CN105516989A (en) * | 2015-11-27 | 2016-04-20 | 努比亚技术有限公司 | Method and device for identifying bad conversation |
| CN106550155A (en) * | 2016-11-25 | 2017-03-29 | 上海欣方智能系统有限公司 | Suspicious number is carried out swindling the method and system that sample screens classification and interception |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109698884A (en) | 2019-04-30 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109698884B (en) | Fraud call identification method and system | |
| WO2021121244A1 (en) | Alarm information generation method and apparatus, electronic device, and storage medium | |
| CN109766479B (en) | Data processing method and device, electronic equipment and storage medium | |
| CN106534463B (en) | Strange call processing method and device, terminal and server | |
| CN110933063B (en) | Data encryption method, data decryption method and equipment | |
| CN108989581B (en) | User risk identification method, device and system | |
| EP3048539A1 (en) | Method and apparatus for recognizing junk messages | |
| CN106911675B (en) | A kind of mobile phone Malware method for early warning and device | |
| CN104639770A (en) | Telephone reporting method, device and system based on mobile terminal | |
| CN110493476A (en) | A kind of detection method, device, server and storage medium | |
| US11870932B2 (en) | Systems and methods of gateway detection in a telephone network | |
| CN108540591B (en) | Address book management method, address book management device and electronic equipment | |
| CN107705126B (en) | Transaction instruction processing method and device | |
| CN106657545A (en) | Method and device for intercepting push information, and terminal | |
| US10231129B2 (en) | Malicious text message identification | |
| CN107465842B (en) | Calling-out method of call center and terminal equipment | |
| CN114155880A (en) | Illegal voice recognition method and system based on GBDT algorithm model | |
| EP2723036A1 (en) | System and method for user-privacy-aware communication monitoring and analysis | |
| US9374474B1 (en) | System, method, and computer program for detecting duplicated telecommunications events in a consumer telecommunications network | |
| CN114168423A (en) | Abnormal number calling monitoring method, device, equipment and storage medium | |
| CN115130577A (en) | Method and device for identifying fraudulent number and electronic equipment | |
| CN113452847A (en) | Crank call identification method and related device | |
| CN108769434A (en) | Call processing method, apparatus and system | |
| KR101792203B1 (en) | Apparatus and method for determining voice phishing using distance between voice phishing keyword | |
| CN109104702B (en) | Information interception method, device and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |