CN112437197B - Abnormal call discovery method and device based on communication behavior information entropy - Google Patents
Abnormal call discovery method and device based on communication behavior information entropy Download PDFInfo
- Publication number
- CN112437197B CN112437197B CN202011185447.2A CN202011185447A CN112437197B CN 112437197 B CN112437197 B CN 112437197B CN 202011185447 A CN202011185447 A CN 202011185447A CN 112437197 B CN112437197 B CN 112437197B
- Authority
- CN
- China
- Prior art keywords
- call session
- abnormal
- behavior
- behaviors
- information entropy
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M3/00—Automatic or semi-automatic exchanges
- H04M3/22—Arrangements for supervision, monitoring or testing
- H04M3/2281—Call monitoring, e.g. for law enforcement purposes; Call tracing; Detection or prevention of malicious calls
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04M—TELEPHONIC COMMUNICATION
- H04M2203/00—Aspects of automatic or semi-automatic exchanges
- H04M2203/60—Aspects of automatic or semi-automatic exchanges related to security aspects in telephonic communication systems
- H04M2203/6027—Fraud preventions
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Technology Law (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Telephonic Communication Services (AREA)
Abstract
The invention belongs to the technical field of communication network safety protection, and discloses an abnormal call discovery method and device based on communication behavior information entropy, wherein the method takes the change of multivariate attribute information of a call session as a data source and calculates the abnormal behavior probability increment of each type of behavior; then, quantifying the abnormal probability of the multidimensional behavior of the call session according to the abnormal behavior probability increment of each type of behavior; further calculating the communication behavior information entropy of the behavior event on each dimension and calculating the joint communication behavior information entropy of the call session; and finally, calculating the change rate of the joint communication behavior information entropy of the call session in the sliding window T, and when the change rate is greater than a set threshold value, considering the corresponding call session as an abnormal call session. The method can be used for rapidly discovering the abnormal communication behaviors such as telecommunication fraud and the like, and has better discovery effect and practical value.
Description
Technical Field
The invention belongs to the technical field of communication network safety protection, and particularly relates to an abnormal call discovery method and device based on communication behavior information entropy, which mainly aims at analyzing and detecting abnormal behaviors of signaling and ticket data in telecommunication network calls.
Background
With the rapid development and continuous application of communication technology, the business with mobile terminals as the center goes deep into various aspects of social life. At present, telecommunication services are gradually and closely combined with social life, industrial control, intelligent traffic and the like, and the importance of the telecommunication services in the aspects of social life, industrial production and national safety is more prominent. The end-to-end multi-service communication is carried out by depending on the telecommunication network infrastructure, which provides great support for the convenience and quality of life of people, and simultaneously provides a chance for various lawbreakers, and a large number of malicious communication modes such as abnormal calls are generated, for example: telecom fraud, advertising marketing, malicious harassment, etc. (including but not limited to the above-mentioned abnormal calls).
Call sessions are the most common service types in telecommunication networks, wherein a large amount of data such as core network signaling and call tickets are involved, and various behavior changes and rules in calls are reflected from different dimensions. Call sessions in telecommunications networks are, in a general sense, the primary means of carrying out illegal acts of telecommunications fraud, advertising marketing, malicious disturbance, etc. for specific or large numbers of target users. The invention provides an abnormal call discovery method and device according to ubiquitous abnormal communication behaviors in order to discover abnormal calls in mass call sessions of a telecommunication network and aim at abnormal calls such as telecommunication fraud, advertising marketing, malicious disturbance and the like.
The traditional abnormal calling discovery realizes detection discovery by mostly utilizing characteristic combinations (Chenrui, Houjunfeng, a harassing call analysis model, information communication, 2019) or state transfer (Heepi, Song Minxing, a telephone network illegal calling screening model research and application, telecommunication science, 2013), has the phenomena of low accuracy and misjudgment, and continuously re-excavates diversified characteristics according to different targets; some methods utilize outlier (application of Liangvanty parallel outlier detection in abnormal telephone detection, computer application, 2012) and machine learning (design and implementation of Zhangjie, Lishuang. telephone fraud recognition system, software, 2020) methods for detection, but require a large number of samples and test parameters, and have great difficulty in practical application.
Disclosure of Invention
The invention aims at the phenomena of low accuracy and misjudgment existing in the traditional abnormal call discovery, and continuously re-excavates diversified characteristics aiming at different targets; the method and the device for finding the abnormal Call based on the communication behavior information entropy are provided, starting from multi-dimensional behaviors, the communication behavior information entropy is formed by quantizing the Call behavior, the abnormal Call is judged, the method and the device can not be limited by CDR (Call Detail Record) and signaling, the problem of finding the abnormal Call is solved from the aspect of the behavior entropy, and the method and the device have good finding effect and practical value.
In order to achieve the purpose, the invention adopts the following technical scheme:
an abnormal call discovery method based on communication behavior information entropy comprises the following steps:
step 1: calculating the abnormal behavior probability increment of each type of behavior by taking the change of the multi-element attribute information of the call session as a data source;
step 2: quantifying the abnormal probability of the multidimensional behavior of the call session according to the abnormal behavior probability increment of each type of behavior;
and step 3: calculating the communication behavior information entropy of the behavior event on each dimension by using the multi-dimensional behavior abnormal probability quantization result of the call session, and calculating the joint communication behavior information entropy of the call session according to the communication behavior information entropy of the behavior event on each dimension;
and 4, step 4: and calculating the change rate of the joint communication behavior information entropy of the call session in the sliding window T, and when the change rate is greater than a set threshold value, considering the corresponding call session as an abnormal call session.
Further, the step 1 comprises:
according to the attribute values of the multivariate attributes { A, B, C } of the call session, calculating the abnormal behavior x of various types of behaviors { x, y, z } of the current call sessionab,yab,zabIncrement of probability
Wherein, A, B and C represent various multi-element attributes corresponding to a call session, and respectively correspond to various multi-dimensional behaviors x, y, z and delta A of the call sessioni1、ΔBi2、ΔCi3Respectively representing the time offset quantization values of various attribute values; i1 ═ 1,2.. mx,i2=1,2...my,i3=1,2...mzRespectively representing the multidimensional value numbers of the attributes A, B and C, mx,my,mzRespectively representing the total dimensionality of the multivariate attributes A, B and C corresponding to the behaviors x, y and z;are respectively x,y,z's influence parameter vector;respectively representing the average values of the multi-dimensional values of A, B and C.
Further, the step 2 comprises:
the probability of anomaly of the multidimensional behavior of the call session is quantified as follows:
wherein, X (t), Y (t), Z (t) respectively represent various multidimensional behaviors of the t call session; p (x (t) ═ xab),p(Y(t)=yab),p(Z(t)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t), Y (t), Z (t) of the t call session; x (t-1), Y (t-1), Z (t-1) are shown in the tableShowing various multidimensional behaviors of the t-1 call session; p (X (t-1) ═ Xab),p(Y(t-1)=yab),p(Z(t-1)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t-1), Y (t-1) and Z (t-1) of the t-1 th call session; x is the number ofab,yab,zabRespectively representing abnormal behaviors of various types of behaviors { x, y, z } of the call session;abnormal behavior x representing various types of behavior { x, y, z } of a call session, respectivelyab,yab,zabAnd (4) increasing the probability.
Further, the step 3 comprises:
the communication behavior information entropy of the behavior event on each dimension is calculated according to the following mode:
h (X (t)), H (Y (t)), H (Z (t)) respectively represent the communication behavior information entropies of the t-th call session, namely X (t), Y (t), Z (t); when j is ab, xab,yab,zabRespectively representing abnormal behaviors of various types of behaviors { x, y, z } of the call session; when j is nor, xnor,ynor,znorRespectively representing normal behaviors of various types of behaviors { x, y, z } of the call session; p (x (t) ═ xab),p(Y(t)=yab),p(Z(t)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t), Y (t), Z (t) of the t call session; p (x (t) ═ xnor),p(Y(t)=ynor),p(Z(t)=znor) Respectively representing the multidimensional behaviors X (t), Y (t), Z of the t call session(t) normal probability, and p (x (t) ═ xnor)=1-p(X(t)=xab),p(Y(t)=ynor)=1-p(Y(t)=yab),p(Z(t)=znor)=1-p(Z(t)=zab);
Joint communication behavior information entropy of the call session is calculated as follows:
H(Q(t))=H(X(t),Y(t),Z(t))=H(X(t))+H(Y(t))+H(Z(t))
h (q) (t), H (x (t), y (t), z (t)), and the joint communication behavior information entropy of the t-th call session, x (t), y (t), and z (t), are shown.
Further, the step 4 comprises:
calculating the change rate of joint communication behavior information entropy of the call session in the sliding window T according to the following mode:
wherein, U (T) is the change rate of joint communication behavior information entropy of the call session in a sliding window T at a time point corresponding to the tth call session; j is the number of the call session times corresponding to each time point in the sliding window T; h (Q (j-1) represents the joint communication behavior information entropy of multidimensional behaviors X (j-1), Y (j-1) and Z (j-1) of the j-1 th call session, H (Q (j) ═ H (X (j), Y (j), Z (j)) represents the joint communication behavior information entropy of multidimensional behaviors X (j), Y (j) and Z (j) of the j-th call session;
when U (t)>wuWhen wuAnd judging the call session to be an abnormal call session at the moment for a set threshold value.
An abnormal call discovery device based on communication behavior information entropy comprises:
the abnormal behavior probability increment calculation module is used for calculating the abnormal behavior probability increment of each type of behavior by taking the change of the multi-element attribute information of the call session as a data source;
the abnormal probability quantization module is used for quantizing the abnormal probability of the multidimensional behavior of the call session according to the abnormal behavior probability increment of each type of behavior;
the joint communication behavior information entropy calculation module is used for calculating the communication behavior information entropy of the behavior event on each dimension by utilizing the multi-dimensional behavior abnormal probability quantization result of the call session and calculating the joint communication behavior information entropy of the call session according to the communication behavior information entropy of the behavior event on each dimension;
and the change rate calculation module is used for calculating the change rate of the joint communication behavior information entropy of the call session in the sliding window T, and when the change rate is greater than a set threshold value, the corresponding call session is considered to be an abnormal call session.
Compared with the prior art, the invention has the following beneficial effects:
the invention provides an abnormal call discovery method and device based on communication behavior information entropy, which takes the change of multivariate attribute information of a call session as a data source and calculates the probability increment of abnormal behavior of each type of behavior; then, quantifying the abnormal probability of the multidimensional behavior of the call session according to the abnormal behavior probability increment of each type of behavior; further calculating the communication behavior information entropy of the behavior event on each dimension and calculating the joint communication behavior information entropy of the call session; and finally, calculating the change rate of the joint communication behavior information entropy of the call session in the sliding window T, and when the change rate is greater than a set threshold value, considering the corresponding call session as an abnormal call session. The invention starts from multidimensional behaviors, forms communication behavior information entropy by call behavior quantification, judges abnormal calls, can solve the problem of abnormal call discovery from the aspect of behavior entropy without being limited by CDR and signaling, can be used for rapidly discovering abnormal communication behaviors such as telecommunication fraud and the like, and has better discovery effect and practical value.
Drawings
Fig. 1 is a basic flowchart of an abnormal call discovery method based on communication behavior information entropy according to an embodiment of the present invention;
fig. 2 is an exemplary diagram of a communication behavior information entropy anomaly determination result of an abnormal call discovery method based on communication behavior information entropy according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of an abnormal call discovery apparatus based on entropy of communication behavior information according to an embodiment of the present invention;
fig. 4 is a schematic deployment diagram of an abnormal call discovery apparatus based on entropy of communication behavior information according to an embodiment of the present invention.
Detailed Description
The invention is further illustrated by the following examples in conjunction with the accompanying drawings:
as shown in fig. 1, an abnormal call discovery method based on communication behavior information entropy includes:
step S101: calculating the abnormal behavior probability increment of each type of behavior by taking the change of the multi-element attribute information of the call session as a data source;
further, the step S101 includes:
for a multi-attribute { a, B, C } of a call session, corresponding to a multi-dimensional behavior { x, y, z } of the call session (each type of attribute corresponds to a type 1 behavior), the multi-attribute corresponding to each type of behavior may have a plurality of attribute values, which are respectively expressed as: { A1,A2,A3...,Amx},{B1,B2,B3...,Bmy},{C1,C2,C3...,Cmz}; time offset quantization value delta A based on various attribute valuesi1,ΔBi2,ΔCi3As input (i.e., the difference between the multivariate attributes of the current call and the last call);
according to the attribute values of the multivariate attributes { A, B, C } of the call session, calculating the abnormal behavior x of various types of behaviors { x, y, z } of the current call sessionab,yab,zabIncrement of probability
Wherein, A, B and C represent various multi-element attributes corresponding to a call session, and respectively correspond to various multi-dimensional behaviors x, y, z and delta A of the call sessioni1、ΔBi2、ΔCi3Respectively representing the time offset quantization values of various attribute values; i1 ═ 1,2.. mx,i2=1,2...my,i3=1,2...mzRespectively representing the multidimensional value numbers of the attributes A, B and C, mx,my,mzRespectively representing the total dimensionality of the multivariate attributes A, B and C corresponding to the behaviors x, y and z;are respectively x,y,z's influence parameter vector;respectively representing the average values of the multi-dimensional values of A, B and C.
It should be noted that although a, B, and C are used to represent various types of multiple attributes corresponding to a call session in the present invention, it is not shown that there are only three types of multiple attributes corresponding to a call session.
It is worth mentioning that, before step S101, the method further includes extracting the multiple attribute information of the call session in the signaling or CDR; the obtaining of the multiple attribute information for the current call session can be realized by the existing method, is not the inventive point of the present invention, and is not detailed herein.
Specifically, the multiple attribute information corresponding to one call session is shown in table 1, where there are four multiple attribute types corresponding to one call session, which are respectively routing attribute information, session attribute information, communications attribute information, and user terminal information, and can be correspondingly represented as A, B, C, D, where the routing attribute information includes cross-domain ratio, cross-network ratio, path complexity, and home location change timesThe number of cross-border calls can be correspondingly expressed as A1、A2、A3、A4、A5Other multivariate properties can be similarly expressed:
table 1 examples of multi-attribute content
Step S102: quantifying the abnormal probability of the multidimensional behavior of the call session according to the abnormal behavior probability increment of each type of behavior;
further, the step S102 includes:
assuming that the current call is the t-th call, the abnormal probability of the multidimensional behavior event (corresponding to the multivariate attribute) q (t) ═ x (t), y (t), z (t) } is represented as the sum of the t-1-th behavior abnormal probability and the current abnormal probability increment;
the probability of anomaly of the multidimensional behavior of the call session is quantified as follows:
wherein, X (t), Y (t), Z (t) respectively represent various multidimensional behaviors of the t call session; p (x (t) ═ xab),p(Y(t)=yab),p(Z(t)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t), Y (t), Z (t) of the t call session; x (t-1), Y (t-1) and Z (t-1) respectively represent various multidimensional behaviors of the t-1 th call session; p (X (t-1) ═ Xab),p(Y(t-1)=yab),p(Z(t-1)=zab) Multidimensional representation of t-1 call sessions, respectivelyAbnormal probabilities of behaviors X (t-1), Y (t-1), Z (t-1); x is the number ofab,yab,zabRespectively representing abnormal behaviors of various types of behaviors { x, y, z } of the call session;abnormal behavior x representing various types of behavior { x, y, z } of a call session, respectivelyab,yab,zabAnd (4) increasing the probability.
Step S103: calculating the communication behavior information entropy of the behavior event on each dimension by using the multi-dimensional behavior abnormal probability quantization result of the call session, and calculating the joint communication behavior information entropy of the call session according to the communication behavior information entropy of the behavior event on each dimension;
further, the step S103 includes:
assuming that the call is the t-th call, the communication behavior information entropy of the behavior event on each dimension is calculated according to the following mode:
h (X (t)), H (Y (t)), H (Z (t)) respectively represent the communication behavior information entropies of the t-th call session, namely X (t), Y (t), Z (t); when j is ab, xab,yab,zabRespectively representing abnormal behaviors of various types of behaviors { x, y, z } of the call session; when j is nor, xnor,ynor,znorRespectively representing normal behaviors of various types of behaviors { x, y, z } of the call session; p (x (t) ═ xab),p(Y(t)=yab),p(Z(t)=zab) Respectively representing the abnormal probabilities of the multidimensional behaviors X (t), Y (t), Z (t) of the t call session;p(X(t)=xnor),p(Y(t)=ynor),p(Z(t)=znor) Denotes the normal probability of multidimensional behavior x (t), y (t), z (t), and p (x (t) ═ x for the tth call session, respectivelynor)=1-p(X(t)=xab),p(Y(t)=ynor)=1-p(Y(t)=yab),p(Z(t)=znor)=1-p(Z(t)=zab);
Joint communication behavior information entropy of the call session is calculated as follows:
H(Q(t))=H(X(t),Y(t),Z(t))=H(X(t))+H(Y(t))+H(Z(t))
h (q) (t), H (x (t), y (t), z (t)), and the joint communication behavior information entropy of the t-th call session, x (t), y (t), and z (t), are shown.
Step S104: and calculating the change rate of the joint communication behavior information entropy of the call session in the sliding window T, and when the change rate is greater than a set threshold value, considering the corresponding call session as an abnormal call session.
Further, the step S104 includes:
calculating the change rate of joint communication behavior information entropy of the call session in the sliding window T according to the following mode:
wherein, U (T) is the change rate of joint communication behavior information entropy of the call session in a sliding window T at a time point corresponding to the tth call session; j is the number of the call session times corresponding to each time point in the sliding window T; h (Q (j-1) represents the joint communication behavior information entropy of multidimensional behaviors X (j-1), Y (j-1) and Z (j-1) of the j-1 th call session, H (Q (j) ═ H (X (j), Y (j), Z (j)) represents the joint communication behavior information entropy of multidimensional behaviors X (j), Y (j) and Z (j) of the j-th call session;
when U (t)>wuWhen wuAnd judging the call session to be an abnormal call session at the moment for a set threshold value.
As shown in fig. 2, which is an example of abnormal determination of joint communication behavior information entropy when the sliding window T is 10 (times), it can be seen from fig. 2 that the rate of change of the joint communication behavior information entropy of an abnormal call session is significantly higher than that of the joint communication behavior information entropy of a normal call session, so that the present invention can be used for rapidly discovering abnormal communication behaviors such as telecom fraud.
On the basis of the above embodiments, as shown in fig. 3, the present invention further discloses an abnormal call discovery apparatus based on communication behavior information entropy, including:
an abnormal behavior probability increment calculation module 201, configured to calculate an abnormal behavior probability increment of each type of behavior by using a change of the multi-element attribute information of the call session as a data source;
an abnormal probability quantization module 202, configured to quantize the abnormal probability of the multidimensional behavior of the call session according to the abnormal behavior probability increment of each type of behavior;
the joint communication behavior information entropy calculation module 203 is configured to calculate a communication behavior information entropy of a behavior event in each dimension by using a multi-dimensional behavior anomaly probability quantization result of the call session, and calculate a joint communication behavior information entropy of the call session according to the communication behavior information entropy of the behavior event in each dimension;
the change rate calculation module 204 is configured to calculate a change rate of joint communication behavior information entropy of the call session within the sliding window T, and when the change rate is greater than a set threshold, consider the corresponding call session as an abnormal call session.
Further, the abnormal behavior probability increment calculation module 201 is configured to:
according to the attribute values of the multivariate attributes { A, B, C } of the call session, calculating the abnormal behavior x of various types of behaviors { x, y, z } of the current call sessionab,yab,zabIncrement of probability
Wherein, A, B and C represent various multi-element attributes corresponding to a call session, and respectively correspond to various multi-dimensional behaviors x, y, z and delta A of the call sessioni1、ΔBi2、ΔCi3Respectively representing the time offset quantization values of various attribute values; i1 ═ 1,2.. mx,i2=1,2...my,i3=1,2...mzRespectively representing the multidimensional value numbers of the attributes A, B and C, mx,my,mzRespectively representing the total dimensionality of the multivariate attributes A, B and C corresponding to the behaviors x, y and z;are respectively x,y,z's influence parameter vector;respectively representing the average values of the multi-dimensional values of A, B and C.
Further, the anomaly probability quantification module 202 is configured to:
the probability of anomaly of the multidimensional behavior of the call session is quantified as follows:
whereinX (t), y (t), z (t) respectively represent various multidimensional behaviors of the tth call session; p (x (t) ═ xab),p(Y(t)=yab),p(Z(t)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t), Y (t), Z (t) of the t call session; x (t-1), Y (t-1) and Z (t-1) respectively represent various multidimensional behaviors of the t-1 th call session; p (X (t-1) ═ Xab),p(Y(t-1)=yab),p(Z(t-1)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t-1), Y (t-1) and Z (t-1) of the t-1 th call session; x is the number ofab,yab,zabRespectively representing abnormal behaviors of various types of behaviors { x, y, z } of the call session;abnormal behavior x representing various types of behavior { x, y, z } of a call session, respectivelyab,yab,zabAnd (4) increasing the probability.
Further, the joint communication behavior information entropy calculation module 203 is configured to:
the communication behavior information entropy of the behavior event on each dimension is calculated according to the following mode:
h (X (t)), H (Y (t)), H (Z (t)) respectively represent the communication behavior information entropies of the t-th call session, namely X (t), Y (t), Z (t); when j is ab, xab,yab,zabRespectively representing abnormal behaviors of various types of behaviors { x, y, z } of the call session; when j is nor, xnor,ynor,znorRespectively representing normal behavior of classes of behavior x, y, z of a call session;p(X(t)=xab),p(Y(t)=yab),p(Z(t)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t), Y (t), Z (t) of the t call session; p (x (t) ═ xnor),p(Y(t)=ynor),p(Z(t)=znor) Denotes the normal probability of multidimensional behavior x (t), y (t), z (t), and p (x (t) ═ x for the tth call session, respectivelynor)=1-p(X(t)=xab),p(Y(t)=ynor)=1-p(Y(t)=yab),p(Z(t)=znor)=1-p(Z(t)=zab);
Joint communication behavior information entropy of the call session is calculated as follows:
H(Q(t))=H(X(t),Y(t),Z(t))=H(X(t))+H(Y(t))+H(Z(t))
h (q) (t), H (x (t), y (t), z (t)), and the joint communication behavior information entropy of the t-th call session, x (t), y (t), and z (t), are shown.
Further, the change rate calculation module 204 is configured to:
calculating the change rate of joint communication behavior information entropy of the call session in the sliding window T according to the following mode:
wherein, U (T) is the change rate of joint communication behavior information entropy of the call session in a sliding window T at a time point corresponding to the tth call session; j is the number of the call session times corresponding to each time point in the sliding window T; h (Q (j-1) represents the joint communication behavior information entropy of multidimensional behaviors X (j-1), Y (j-1) and Z (j-1) of the j-1 th call session, H (Q (j) ═ H (X (j), Y (j), Z (j)) represents the joint communication behavior information entropy of multidimensional behaviors X (j), Y (j) and Z (j) of the j-th call session;
when U (t)>wuWhen wuAnd judging the call session to be an abnormal call session at the moment for a set threshold value.
Specifically, as shown in fig. 4, the device may be specifically deployed between network element devices of a telecommunication network or behind a communication ticket device, and performs abnormal call discovery after extracting multivariate attribute information (behavior) of a call session related in signaling or CDR.
In summary, the invention provides an abnormal call discovery method and device based on communication behavior information entropy, which takes the change of multivariate attribute information of a call session as a data source and calculates the abnormal behavior probability increment of each type of behavior; then, quantifying the abnormal probability of the multidimensional behavior of the call session according to the abnormal behavior probability increment of each type of behavior; further calculating the communication behavior information entropy of the behavior event on each dimension and calculating the joint communication behavior information entropy of the call session; and finally, calculating the change rate of the joint communication behavior information entropy of the call session in the sliding window T, and when the change rate is greater than a set threshold value, considering the corresponding call session as an abnormal call session. The invention starts from multidimensional behaviors, forms communication behavior information entropy by call behavior quantification, judges abnormal calls, can solve the problem of abnormal call discovery from the aspect of behavior entropy without being limited by CDR and signaling, can be used for rapidly discovering abnormal communication behaviors such as telecommunication fraud and the like, and has better discovery effect and practical value.
The above shows only the preferred embodiments of the present invention, and it should be noted that it is obvious to those skilled in the art that various modifications and improvements can be made without departing from the principle of the present invention, and these modifications and improvements should also be considered as the protection scope of the present invention.
Claims (2)
1. An abnormal call discovery method based on communication behavior information entropy is characterized by comprising the following steps:
step 1: calculating the abnormal behavior probability increment of each type of behavior by taking the change of the multi-element attribute information of the call session as a data source; the step 1 comprises the following steps:
according to the attribute values of the multivariate attributes { A, B, C } of the call session, calculating the abnormal behavior x of various types of behaviors { x, y, z } of the current call sessionab,yab,zabIncrement of probability
Wherein, A, B and C represent various multi-element attributes corresponding to a call session, and respectively correspond to various multi-dimensional behaviors x, y, z and delta A of the call sessioni1、ΔBi2、ΔCi3Respectively representing the time offset quantization values of various attribute values; i1 ═ 1,2.. mx,i2=1,2...my,i3=1,2...mzRespectively representing the multidimensional value numbers of the attributes A, B and C, mx,my,mzRespectively representing the total dimensionality of the multivariate attributes A, B and C corresponding to the behaviors x, y and z;influence parameter vectors of x, y and z respectively;respectively representing the multi-dimensional value average values of A, B and C;
step 2: quantifying the abnormal probability of the multidimensional behavior of the call session according to the abnormal behavior probability increment of each type of behavior; the step 2 comprises the following steps:
the probability of anomaly of the multidimensional behavior of the call session is quantified as follows:
wherein, X (t), Y (t), Z (t) respectively represent various multidimensional behaviors of the t call session; p (x (t) ═ xab),p(Y(t)=yab),p(Z(t)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t), Y (t), Z (t) of the t call session; x (t-1), Y (t-1) and Z (t-1) respectively represent various multidimensional behaviors of the t-1 th call session; p (X (t-1) ═ Xab),p(Y(t-1)=yab),p(Z(t-1)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t-1), Y (t-1) and Z (t-1) of the t-1 th call session; x is the number ofab,yab,zabRespectively representing abnormal behaviors of various types of behaviors { x, y, z } of the call session;abnormal behavior x representing various types of behavior { x, y, z } of a call session, respectivelyab,yab,zabA probability increment;
and step 3: calculating the communication behavior information entropy of the behavior event on each dimension by using the multi-dimensional behavior abnormal probability quantization result of the call session, and calculating the joint communication behavior information entropy of the call session according to the communication behavior information entropy of the behavior event on each dimension; the step 3 comprises the following steps:
the communication behavior information entropy of the behavior event on each dimension is calculated according to the following mode:
h (X (t)), H (Y (t)), H (Z (t)) respectively represent the communication behavior information entropies of the t-th call session, namely X (t), Y (t), Z (t); when j is ab, xab,yab,zabRespectively representing abnormal behaviors of various types of behaviors { x, y, z } of the call session; when j is nor, xnor,ynor,znorRespectively representing normal behaviors of various types of behaviors { x, y, z } of the call session; p (x (t) ═ xab),p(Y(t)=yab),p(Z(t)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t), Y (t), Z (t) of the t call session; p (x (t) ═ xnor),p(Y(t)=ynor),p(Z(t)=znor) Denotes the normal probability of multidimensional behavior x (t), y (t), z (t), and p (x (t) ═ x for the tth call session, respectivelynor)=1-p(X(t)=xab),p(Y(t)=ynor)=1-p(Y(t)=yab),p(Z(t)=znor)=1-p(Z(t)=zab);
Joint communication behavior information entropy of the call session is calculated as follows:
H(Q(t))=H(X(t),Y(t),Z(t))=H(X(t))+H(Y(t))+H(Z(t))
wherein, H (q (t) ═ H (x (t), y (t), z (t)), denotes the joint communication behavior information entropy of the t-th call session, x (t), y (t), z (t);
and 4, step 4: calculating the change rate of joint communication behavior information entropy of the call session in the sliding window T, and when the change rate is greater than a set threshold value, considering the corresponding call session as an abnormal call session; the step 4 comprises the following steps:
calculating the change rate of joint communication behavior information entropy of the call session in the sliding window T according to the following mode:
wherein, U (T) is the change rate of joint communication behavior information entropy of the call session in a sliding window T at a time point corresponding to the tth call session; j is the number of the call session times corresponding to each time point in the sliding window T; h (Q (j-1) represents the joint communication behavior information entropy of multidimensional behaviors X (j-1), Y (j-1) and Z (j-1) of the j-1 th call session, H (Q (j) ═ H (X (j), Y (j), Z (j)) represents the joint communication behavior information entropy of multidimensional behaviors X (j), Y (j) and Z (j) of the j-th call session;
when U (t) > omegauTime, omegauAnd judging the call session to be an abnormal call session at the moment for a set threshold value.
2. An abnormal call discovery device based on communication behavior information entropy, comprising:
the abnormal behavior probability increment calculation module is used for calculating the abnormal behavior probability increment of each type of behavior by taking the change of the multi-element attribute information of the call session as a data source; the abnormal behavior probability increment calculation module is specifically configured to:
according to the attribute values of the multivariate attributes { A, B, C } of the call session, calculating the abnormal behavior x of various types of behaviors { x, y, z } of the current call sessionab,yab,zabIncrement of probability
Wherein, A, B and C represent various multi-element attributes corresponding to a call session, and respectively correspond to various multi-dimensional behaviors x, y, z and delta A of the call sessioni1、ΔBi2、ΔCi3Respectively representing the time offset quantization values of various attribute values; i1 ═ 1,2.. mx,i2=1,2...my,i3=1,2...mzRespectively representing the multidimensional value numbers of the attributes A, B and C, mx,my,mzRespectively representing the total dimensionality of the multivariate attributes A, B and C corresponding to the behaviors x, y and z;influence parameter vectors of x, y and z respectively;respectively representing the multi-dimensional value average values of A, B and C;
the abnormal probability quantization module is used for quantizing the abnormal probability of the multidimensional behavior of the call session according to the abnormal behavior probability increment of each type of behavior; the anomaly probability quantification module is specifically configured to:
the probability of anomaly of the multidimensional behavior of the call session is quantified as follows:
wherein, X (t), Y (t), Z (t) respectively represent various multidimensional behaviors of the t call session; p (x (t) ═ xab),p(Y(t)=yab),p(Z(t)=zab) Individual watchShowing the abnormal probabilities of the multidimensional behaviors X (t), Y (t), Z (t) of the t-th call session; x (t-1), Y (t-1) and Z (t-1) respectively represent various multidimensional behaviors of the t-1 th call session; p (X (t-1) ═ Xab),p(Y(t-1)=yab),p(Z(t-1)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t-1), Y (t-1) and Z (t-1) of the t-1 th call session; x is the number ofab,yab,zabRespectively representing abnormal behaviors of various types of behaviors { x, y, z } of the call session;abnormal behavior x representing various types of behavior { x, y, z } of a call session, respectivelyab,yab,zabA probability increment;
the joint communication behavior information entropy calculation module is used for calculating the communication behavior information entropy of the behavior event on each dimension by utilizing the multi-dimensional behavior abnormal probability quantization result of the call session and calculating the joint communication behavior information entropy of the call session according to the communication behavior information entropy of the behavior event on each dimension; the joint communication behavior information entropy calculation module is specifically configured to:
the communication behavior information entropy of the behavior event on each dimension is calculated according to the following mode:
h (X (t)), H (Y (t)), H (Z (t)) respectively represent the communication behavior information entropies of the t-th call session, namely X (t), Y (t), Z (t); when j is ab, xab,yab,zabRespectively representing each of the call sessionsAbnormal behavior of class behavior { x, y, z }; when j is nor, xnor,ynor,znorRespectively representing normal behaviors of various types of behaviors { x, y, z } of the call session; p (x (t) ═ xab),p(Y(t)=yab),p(Z(t)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t), Y (t), Z (t) of the t call session; p (x (t) ═ xnor),p(Y(t)=ynor),p(Z(t)=znor) Denotes the normal probability of multidimensional behavior x (t), y (t), z (t), and p (x (t) ═ x for the tth call session, respectivelynor)=1-p(X(t)=xab),p(Y(t)=ynor)=1-p(Y(t)=yab),p(Z(t)=znor)=1-p(Z(t)=zab);
Joint communication behavior information entropy of the call session is calculated as follows:
H(Q(t))=H(X(t),Y(t),Z(t))=H(X(t))+H(Y(t))+H(Z(t))
wherein, H (q (t) ═ H (x (t), y (t), z (t)), denotes the joint communication behavior information entropy of the t-th call session, x (t), y (t), z (t);
the change rate calculation module is used for calculating the change rate of the joint communication behavior information entropy of the call session in the sliding window T, and when the change rate is greater than a set threshold value, the corresponding call session is considered to be an abnormal call session; the change rate calculation module is specifically configured to:
calculating the change rate of joint communication behavior information entropy of the call session in the sliding window T according to the following mode:
wherein, U (T) is the change rate of joint communication behavior information entropy of the call session in a sliding window T at a time point corresponding to the tth call session; j is the number of the call session times corresponding to each time point in the sliding window T; h (Q (j-1) represents the joint communication behavior information entropy of multidimensional behaviors X (j-1), Y (j-1) and Z (j-1) of the j-1 th call session, H (Q (j) ═ H (X (j), Y (j), Z (j)) represents the joint communication behavior information entropy of multidimensional behaviors X (j), Y (j) and Z (j) of the j-th call session;
when U (t) > omegauTime, omegauAnd judging the call session to be an abnormal call session at the moment for a set threshold value.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011185447.2A CN112437197B (en) | 2020-10-30 | 2020-10-30 | Abnormal call discovery method and device based on communication behavior information entropy |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011185447.2A CN112437197B (en) | 2020-10-30 | 2020-10-30 | Abnormal call discovery method and device based on communication behavior information entropy |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112437197A CN112437197A (en) | 2021-03-02 |
CN112437197B true CN112437197B (en) | 2021-06-18 |
Family
ID=74696525
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011185447.2A Active CN112437197B (en) | 2020-10-30 | 2020-10-30 | Abnormal call discovery method and device based on communication behavior information entropy |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112437197B (en) |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103297956A (en) * | 2013-05-06 | 2013-09-11 | 北京航空航天大学 | Dynamic lightweight class trust evaluation method based on Bayesian theory and entropy theory |
CN104244216A (en) * | 2014-09-29 | 2014-12-24 | 中国移动通信集团浙江有限公司 | Method and system for intercepting fraud phones in real time during calling |
CN105808639A (en) * | 2016-02-24 | 2016-07-27 | 平安科技(深圳)有限公司 | Network access behavior recognizing method and device |
CN108833720A (en) * | 2018-05-04 | 2018-11-16 | 北京邮电大学 | Fraudulent call number identification method and system |
CN110210653A (en) * | 2019-05-15 | 2019-09-06 | 中国移动通信集团内蒙古有限公司 | Telecommunication fraud evolution analysis prediction technique, device, equipment and medium |
CN110430224A (en) * | 2019-09-12 | 2019-11-08 | 贵州电网有限责任公司 | A kind of communication network anomaly detection method based on random block models |
US10785369B1 (en) * | 2019-09-26 | 2020-09-22 | T-Mobile Usa, Inc. | Multi-factor scam call detection and alerting |
CN111726460A (en) * | 2020-06-15 | 2020-09-29 | 国家计算机网络与信息安全管理中心 | Fraud number identification method based on space-time diagram |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10043035B2 (en) * | 2013-11-01 | 2018-08-07 | Anonos Inc. | Systems and methods for enhancing data protection by anonosizing structured and unstructured data and incorporating machine learning and artificial intelligence in classical and quantum computing environments |
CN109300029A (en) * | 2018-10-25 | 2019-02-01 | 北京芯盾时代科技有限公司 | Borrow or lend money fraud detection model training method, debt-credit fraud detection method and device |
CN109753801B (en) * | 2019-01-29 | 2022-04-22 | 重庆邮电大学 | Intelligent terminal malicious software dynamic detection method based on system call |
-
2020
- 2020-10-30 CN CN202011185447.2A patent/CN112437197B/en active Active
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103297956A (en) * | 2013-05-06 | 2013-09-11 | 北京航空航天大学 | Dynamic lightweight class trust evaluation method based on Bayesian theory and entropy theory |
CN104244216A (en) * | 2014-09-29 | 2014-12-24 | 中国移动通信集团浙江有限公司 | Method and system for intercepting fraud phones in real time during calling |
CN105808639A (en) * | 2016-02-24 | 2016-07-27 | 平安科技(深圳)有限公司 | Network access behavior recognizing method and device |
CN108833720A (en) * | 2018-05-04 | 2018-11-16 | 北京邮电大学 | Fraudulent call number identification method and system |
CN110210653A (en) * | 2019-05-15 | 2019-09-06 | 中国移动通信集团内蒙古有限公司 | Telecommunication fraud evolution analysis prediction technique, device, equipment and medium |
CN110430224A (en) * | 2019-09-12 | 2019-11-08 | 贵州电网有限责任公司 | A kind of communication network anomaly detection method based on random block models |
US10785369B1 (en) * | 2019-09-26 | 2020-09-22 | T-Mobile Usa, Inc. | Multi-factor scam call detection and alerting |
CN111726460A (en) * | 2020-06-15 | 2020-09-29 | 国家计算机网络与信息安全管理中心 | Fraud number identification method based on space-time diagram |
Also Published As
Publication number | Publication date |
---|---|
CN112437197A (en) | 2021-03-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109615116B (en) | Telecommunication fraud event detection method and system | |
EP2591573A1 (en) | Method and apparatus for traffic classification | |
US20070030842A1 (en) | System for the analysis and monitoring of ip communications | |
US11870932B2 (en) | Systems and methods of gateway detection in a telephone network | |
CN113821793B (en) | Multi-stage attack scene construction method and system based on graph convolution neural network | |
CN102083010A (en) | Method and equipment for screening user information | |
CN115086055B (en) | Detection device and method for encrypting malicious traffic of android mobile device | |
Hu et al. | BTG: A Bridge to Graph machine learning in telecommunications fraud detection | |
CN116320139A (en) | Method and device for analyzing wind control management of conversation, electronic equipment and storage medium | |
CN112437197B (en) | Abnormal call discovery method and device based on communication behavior information entropy | |
US8284764B1 (en) | VoIP traffic behavior profiling method | |
CN111062422B (en) | Method and device for identifying set-way loan system | |
CN109951451A (en) | A kind of spoof attack detection method based on intensified learning in mist calculating | |
CN107222319B (en) | Communication operation analysis method and device | |
CN112559899A (en) | User portrait generation method | |
CN113052198B (en) | Data processing method, device, equipment and storage medium | |
CN111368858B (en) | User satisfaction evaluation method and device | |
WO2015189380A1 (en) | Method and apparatus for detecting and filtering undesirable phone calls | |
CN111291078A (en) | Domain name matching detection method and device | |
Sagar et al. | Security measurement in LTE/LTE-A network based on zs-lr feature selection technique and um-tgan attack detection technique | |
CN112906831A (en) | Communication network user classification method combining network structure and attribute characteristics | |
Lei et al. | Can Wavelet Transform Detect LDDoS Abnormal Traffic in Multipath TCP Transmission System? | |
KR101095878B1 (en) | SIP DoS Attack Detection and Prevention System and Method using Hidden Markov Model | |
CN107592214B (en) | Method for identifying login user name of internet application system | |
CN114666071A (en) | Botnet identification method and device and terminal equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |