CN112437197B - Abnormal call discovery method and device based on communication behavior information entropy - Google Patents

Abnormal call discovery method and device based on communication behavior information entropy Download PDF

Info

Publication number
CN112437197B
CN112437197B CN202011185447.2A CN202011185447A CN112437197B CN 112437197 B CN112437197 B CN 112437197B CN 202011185447 A CN202011185447 A CN 202011185447A CN 112437197 B CN112437197 B CN 112437197B
Authority
CN
China
Prior art keywords
call session
abnormal
behavior
behaviors
information entropy
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011185447.2A
Other languages
Chinese (zh)
Other versions
CN112437197A (en
Inventor
陈鸿昶
刘树新
王凯
李星
马宏
吉立新
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Information Engineering University of PLA Strategic Support Force filed Critical Information Engineering University of PLA Strategic Support Force
Priority to CN202011185447.2A priority Critical patent/CN112437197B/en
Publication of CN112437197A publication Critical patent/CN112437197A/en
Application granted granted Critical
Publication of CN112437197B publication Critical patent/CN112437197B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M3/00Automatic or semi-automatic exchanges
    • H04M3/22Arrangements for supervision, monitoring or testing
    • H04M3/2281Call monitoring, e.g. for law enforcement purposes; Call tracing; Detection or prevention of malicious calls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M2203/00Aspects of automatic or semi-automatic exchanges
    • H04M2203/60Aspects of automatic or semi-automatic exchanges related to security aspects in telephonic communication systems
    • H04M2203/6027Fraud preventions

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Technology Law (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention belongs to the technical field of communication network safety protection, and discloses an abnormal call discovery method and device based on communication behavior information entropy, wherein the method takes the change of multivariate attribute information of a call session as a data source and calculates the abnormal behavior probability increment of each type of behavior; then, quantifying the abnormal probability of the multidimensional behavior of the call session according to the abnormal behavior probability increment of each type of behavior; further calculating the communication behavior information entropy of the behavior event on each dimension and calculating the joint communication behavior information entropy of the call session; and finally, calculating the change rate of the joint communication behavior information entropy of the call session in the sliding window T, and when the change rate is greater than a set threshold value, considering the corresponding call session as an abnormal call session. The method can be used for rapidly discovering the abnormal communication behaviors such as telecommunication fraud and the like, and has better discovery effect and practical value.

Description

Abnormal call discovery method and device based on communication behavior information entropy
Technical Field
The invention belongs to the technical field of communication network safety protection, and particularly relates to an abnormal call discovery method and device based on communication behavior information entropy, which mainly aims at analyzing and detecting abnormal behaviors of signaling and ticket data in telecommunication network calls.
Background
With the rapid development and continuous application of communication technology, the business with mobile terminals as the center goes deep into various aspects of social life. At present, telecommunication services are gradually and closely combined with social life, industrial control, intelligent traffic and the like, and the importance of the telecommunication services in the aspects of social life, industrial production and national safety is more prominent. The end-to-end multi-service communication is carried out by depending on the telecommunication network infrastructure, which provides great support for the convenience and quality of life of people, and simultaneously provides a chance for various lawbreakers, and a large number of malicious communication modes such as abnormal calls are generated, for example: telecom fraud, advertising marketing, malicious harassment, etc. (including but not limited to the above-mentioned abnormal calls).
Call sessions are the most common service types in telecommunication networks, wherein a large amount of data such as core network signaling and call tickets are involved, and various behavior changes and rules in calls are reflected from different dimensions. Call sessions in telecommunications networks are, in a general sense, the primary means of carrying out illegal acts of telecommunications fraud, advertising marketing, malicious disturbance, etc. for specific or large numbers of target users. The invention provides an abnormal call discovery method and device according to ubiquitous abnormal communication behaviors in order to discover abnormal calls in mass call sessions of a telecommunication network and aim at abnormal calls such as telecommunication fraud, advertising marketing, malicious disturbance and the like.
The traditional abnormal calling discovery realizes detection discovery by mostly utilizing characteristic combinations (Chenrui, Houjunfeng, a harassing call analysis model, information communication, 2019) or state transfer (Heepi, Song Minxing, a telephone network illegal calling screening model research and application, telecommunication science, 2013), has the phenomena of low accuracy and misjudgment, and continuously re-excavates diversified characteristics according to different targets; some methods utilize outlier (application of Liangvanty parallel outlier detection in abnormal telephone detection, computer application, 2012) and machine learning (design and implementation of Zhangjie, Lishuang. telephone fraud recognition system, software, 2020) methods for detection, but require a large number of samples and test parameters, and have great difficulty in practical application.
Disclosure of Invention
The invention aims at the phenomena of low accuracy and misjudgment existing in the traditional abnormal call discovery, and continuously re-excavates diversified characteristics aiming at different targets; the method and the device for finding the abnormal Call based on the communication behavior information entropy are provided, starting from multi-dimensional behaviors, the communication behavior information entropy is formed by quantizing the Call behavior, the abnormal Call is judged, the method and the device can not be limited by CDR (Call Detail Record) and signaling, the problem of finding the abnormal Call is solved from the aspect of the behavior entropy, and the method and the device have good finding effect and practical value.
In order to achieve the purpose, the invention adopts the following technical scheme:
an abnormal call discovery method based on communication behavior information entropy comprises the following steps:
step 1: calculating the abnormal behavior probability increment of each type of behavior by taking the change of the multi-element attribute information of the call session as a data source;
step 2: quantifying the abnormal probability of the multidimensional behavior of the call session according to the abnormal behavior probability increment of each type of behavior;
and step 3: calculating the communication behavior information entropy of the behavior event on each dimension by using the multi-dimensional behavior abnormal probability quantization result of the call session, and calculating the joint communication behavior information entropy of the call session according to the communication behavior information entropy of the behavior event on each dimension;
and 4, step 4: and calculating the change rate of the joint communication behavior information entropy of the call session in the sliding window T, and when the change rate is greater than a set threshold value, considering the corresponding call session as an abnormal call session.
Further, the step 1 comprises:
according to the attribute values of the multivariate attributes { A, B, C } of the call session, calculating the abnormal behavior x of various types of behaviors { x, y, z } of the current call sessionab,yab,zabIncrement of probability
Figure BDA0002751304640000021
Figure BDA0002751304640000022
Figure BDA0002751304640000023
Figure BDA0002751304640000024
Wherein, A, B and C represent various multi-element attributes corresponding to a call session, and respectively correspond to various multi-dimensional behaviors x, y, z and delta A of the call sessioni1、ΔBi2、ΔCi3Respectively representing the time offset quantization values of various attribute values; i1 ═ 1,2.. mx,i2=1,2...my,i3=1,2...mzRespectively representing the multidimensional value numbers of the attributes A, B and C, mx,my,mzRespectively representing the total dimensionality of the multivariate attributes A, B and C corresponding to the behaviors x, y and z;
Figure BDA0002751304640000031
are respectively x,y,z's influence parameter vector;
Figure BDA0002751304640000032
respectively representing the average values of the multi-dimensional values of A, B and C.
Further, the step 2 comprises:
the probability of anomaly of the multidimensional behavior of the call session is quantified as follows:
Figure BDA0002751304640000036
Figure BDA0002751304640000037
Figure BDA0002751304640000038
wherein, X (t), Y (t), Z (t) respectively represent various multidimensional behaviors of the t call session; p (x (t) ═ xab),p(Y(t)=yab),p(Z(t)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t), Y (t), Z (t) of the t call session; x (t-1), Y (t-1), Z (t-1) are shown in the tableShowing various multidimensional behaviors of the t-1 call session; p (X (t-1) ═ Xab),p(Y(t-1)=yab),p(Z(t-1)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t-1), Y (t-1) and Z (t-1) of the t-1 th call session; x is the number ofab,yab,zabRespectively representing abnormal behaviors of various types of behaviors { x, y, z } of the call session;
Figure BDA0002751304640000039
abnormal behavior x representing various types of behavior { x, y, z } of a call session, respectivelyab,yab,zabAnd (4) increasing the probability.
Further, the step 3 comprises:
the communication behavior information entropy of the behavior event on each dimension is calculated according to the following mode:
Figure BDA0002751304640000033
Figure BDA0002751304640000034
Figure BDA0002751304640000035
h (X (t)), H (Y (t)), H (Z (t)) respectively represent the communication behavior information entropies of the t-th call session, namely X (t), Y (t), Z (t); when j is ab, xab,yab,zabRespectively representing abnormal behaviors of various types of behaviors { x, y, z } of the call session; when j is nor, xnor,ynor,znorRespectively representing normal behaviors of various types of behaviors { x, y, z } of the call session; p (x (t) ═ xab),p(Y(t)=yab),p(Z(t)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t), Y (t), Z (t) of the t call session; p (x (t) ═ xnor),p(Y(t)=ynor),p(Z(t)=znor) Respectively representing the multidimensional behaviors X (t), Y (t), Z of the t call session(t) normal probability, and p (x (t) ═ xnor)=1-p(X(t)=xab),p(Y(t)=ynor)=1-p(Y(t)=yab),p(Z(t)=znor)=1-p(Z(t)=zab);
Joint communication behavior information entropy of the call session is calculated as follows:
H(Q(t))=H(X(t),Y(t),Z(t))=H(X(t))+H(Y(t))+H(Z(t))
h (q) (t), H (x (t), y (t), z (t)), and the joint communication behavior information entropy of the t-th call session, x (t), y (t), and z (t), are shown.
Further, the step 4 comprises:
calculating the change rate of joint communication behavior information entropy of the call session in the sliding window T according to the following mode:
Figure BDA0002751304640000041
wherein, U (T) is the change rate of joint communication behavior information entropy of the call session in a sliding window T at a time point corresponding to the tth call session; j is the number of the call session times corresponding to each time point in the sliding window T; h (Q (j-1) represents the joint communication behavior information entropy of multidimensional behaviors X (j-1), Y (j-1) and Z (j-1) of the j-1 th call session, H (Q (j) ═ H (X (j), Y (j), Z (j)) represents the joint communication behavior information entropy of multidimensional behaviors X (j), Y (j) and Z (j) of the j-th call session;
when U (t)>wuWhen wuAnd judging the call session to be an abnormal call session at the moment for a set threshold value.
An abnormal call discovery device based on communication behavior information entropy comprises:
the abnormal behavior probability increment calculation module is used for calculating the abnormal behavior probability increment of each type of behavior by taking the change of the multi-element attribute information of the call session as a data source;
the abnormal probability quantization module is used for quantizing the abnormal probability of the multidimensional behavior of the call session according to the abnormal behavior probability increment of each type of behavior;
the joint communication behavior information entropy calculation module is used for calculating the communication behavior information entropy of the behavior event on each dimension by utilizing the multi-dimensional behavior abnormal probability quantization result of the call session and calculating the joint communication behavior information entropy of the call session according to the communication behavior information entropy of the behavior event on each dimension;
and the change rate calculation module is used for calculating the change rate of the joint communication behavior information entropy of the call session in the sliding window T, and when the change rate is greater than a set threshold value, the corresponding call session is considered to be an abnormal call session.
Compared with the prior art, the invention has the following beneficial effects:
the invention provides an abnormal call discovery method and device based on communication behavior information entropy, which takes the change of multivariate attribute information of a call session as a data source and calculates the probability increment of abnormal behavior of each type of behavior; then, quantifying the abnormal probability of the multidimensional behavior of the call session according to the abnormal behavior probability increment of each type of behavior; further calculating the communication behavior information entropy of the behavior event on each dimension and calculating the joint communication behavior information entropy of the call session; and finally, calculating the change rate of the joint communication behavior information entropy of the call session in the sliding window T, and when the change rate is greater than a set threshold value, considering the corresponding call session as an abnormal call session. The invention starts from multidimensional behaviors, forms communication behavior information entropy by call behavior quantification, judges abnormal calls, can solve the problem of abnormal call discovery from the aspect of behavior entropy without being limited by CDR and signaling, can be used for rapidly discovering abnormal communication behaviors such as telecommunication fraud and the like, and has better discovery effect and practical value.
Drawings
Fig. 1 is a basic flowchart of an abnormal call discovery method based on communication behavior information entropy according to an embodiment of the present invention;
fig. 2 is an exemplary diagram of a communication behavior information entropy anomaly determination result of an abnormal call discovery method based on communication behavior information entropy according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of an abnormal call discovery apparatus based on entropy of communication behavior information according to an embodiment of the present invention;
fig. 4 is a schematic deployment diagram of an abnormal call discovery apparatus based on entropy of communication behavior information according to an embodiment of the present invention.
Detailed Description
The invention is further illustrated by the following examples in conjunction with the accompanying drawings:
as shown in fig. 1, an abnormal call discovery method based on communication behavior information entropy includes:
step S101: calculating the abnormal behavior probability increment of each type of behavior by taking the change of the multi-element attribute information of the call session as a data source;
further, the step S101 includes:
for a multi-attribute { a, B, C } of a call session, corresponding to a multi-dimensional behavior { x, y, z } of the call session (each type of attribute corresponds to a type 1 behavior), the multi-attribute corresponding to each type of behavior may have a plurality of attribute values, which are respectively expressed as: { A1,A2,A3...,Amx},{B1,B2,B3...,Bmy},{C1,C2,C3...,Cmz}; time offset quantization value delta A based on various attribute valuesi1,ΔBi2,ΔCi3As input (i.e., the difference between the multivariate attributes of the current call and the last call);
according to the attribute values of the multivariate attributes { A, B, C } of the call session, calculating the abnormal behavior x of various types of behaviors { x, y, z } of the current call sessionab,yab,zabIncrement of probability
Figure BDA0002751304640000061
Figure BDA0002751304640000062
Figure BDA0002751304640000063
Figure BDA0002751304640000064
Wherein, A, B and C represent various multi-element attributes corresponding to a call session, and respectively correspond to various multi-dimensional behaviors x, y, z and delta A of the call sessioni1、ΔBi2、ΔCi3Respectively representing the time offset quantization values of various attribute values; i1 ═ 1,2.. mx,i2=1,2...my,i3=1,2...mzRespectively representing the multidimensional value numbers of the attributes A, B and C, mx,my,mzRespectively representing the total dimensionality of the multivariate attributes A, B and C corresponding to the behaviors x, y and z;
Figure BDA0002751304640000065
are respectively x,y,z's influence parameter vector;
Figure BDA0002751304640000066
respectively representing the average values of the multi-dimensional values of A, B and C.
It should be noted that although a, B, and C are used to represent various types of multiple attributes corresponding to a call session in the present invention, it is not shown that there are only three types of multiple attributes corresponding to a call session.
It is worth mentioning that, before step S101, the method further includes extracting the multiple attribute information of the call session in the signaling or CDR; the obtaining of the multiple attribute information for the current call session can be realized by the existing method, is not the inventive point of the present invention, and is not detailed herein.
Specifically, the multiple attribute information corresponding to one call session is shown in table 1, where there are four multiple attribute types corresponding to one call session, which are respectively routing attribute information, session attribute information, communications attribute information, and user terminal information, and can be correspondingly represented as A, B, C, D, where the routing attribute information includes cross-domain ratio, cross-network ratio, path complexity, and home location change timesThe number of cross-border calls can be correspondingly expressed as A1、A2、A3、A4、A5Other multivariate properties can be similarly expressed:
table 1 examples of multi-attribute content
Figure BDA0002751304640000071
Step S102: quantifying the abnormal probability of the multidimensional behavior of the call session according to the abnormal behavior probability increment of each type of behavior;
further, the step S102 includes:
assuming that the current call is the t-th call, the abnormal probability of the multidimensional behavior event (corresponding to the multivariate attribute) q (t) ═ x (t), y (t), z (t) } is represented as the sum of the t-1-th behavior abnormal probability and the current abnormal probability increment;
the probability of anomaly of the multidimensional behavior of the call session is quantified as follows:
Figure BDA0002751304640000073
Figure BDA0002751304640000074
Figure BDA0002751304640000075
wherein, X (t), Y (t), Z (t) respectively represent various multidimensional behaviors of the t call session; p (x (t) ═ xab),p(Y(t)=yab),p(Z(t)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t), Y (t), Z (t) of the t call session; x (t-1), Y (t-1) and Z (t-1) respectively represent various multidimensional behaviors of the t-1 th call session; p (X (t-1) ═ Xab),p(Y(t-1)=yab),p(Z(t-1)=zab) Multidimensional representation of t-1 call sessions, respectivelyAbnormal probabilities of behaviors X (t-1), Y (t-1), Z (t-1); x is the number ofab,yab,zabRespectively representing abnormal behaviors of various types of behaviors { x, y, z } of the call session;
Figure BDA0002751304640000076
abnormal behavior x representing various types of behavior { x, y, z } of a call session, respectivelyab,yab,zabAnd (4) increasing the probability.
Step S103: calculating the communication behavior information entropy of the behavior event on each dimension by using the multi-dimensional behavior abnormal probability quantization result of the call session, and calculating the joint communication behavior information entropy of the call session according to the communication behavior information entropy of the behavior event on each dimension;
further, the step S103 includes:
assuming that the call is the t-th call, the communication behavior information entropy of the behavior event on each dimension is calculated according to the following mode:
Figure BDA0002751304640000081
Figure BDA0002751304640000082
Figure BDA0002751304640000083
h (X (t)), H (Y (t)), H (Z (t)) respectively represent the communication behavior information entropies of the t-th call session, namely X (t), Y (t), Z (t); when j is ab, xab,yab,zabRespectively representing abnormal behaviors of various types of behaviors { x, y, z } of the call session; when j is nor, xnor,ynor,znorRespectively representing normal behaviors of various types of behaviors { x, y, z } of the call session; p (x (t) ═ xab),p(Y(t)=yab),p(Z(t)=zab) Respectively representing the abnormal probabilities of the multidimensional behaviors X (t), Y (t), Z (t) of the t call session;p(X(t)=xnor),p(Y(t)=ynor),p(Z(t)=znor) Denotes the normal probability of multidimensional behavior x (t), y (t), z (t), and p (x (t) ═ x for the tth call session, respectivelynor)=1-p(X(t)=xab),p(Y(t)=ynor)=1-p(Y(t)=yab),p(Z(t)=znor)=1-p(Z(t)=zab);
Joint communication behavior information entropy of the call session is calculated as follows:
H(Q(t))=H(X(t),Y(t),Z(t))=H(X(t))+H(Y(t))+H(Z(t))
h (q) (t), H (x (t), y (t), z (t)), and the joint communication behavior information entropy of the t-th call session, x (t), y (t), and z (t), are shown.
Step S104: and calculating the change rate of the joint communication behavior information entropy of the call session in the sliding window T, and when the change rate is greater than a set threshold value, considering the corresponding call session as an abnormal call session.
Further, the step S104 includes:
calculating the change rate of joint communication behavior information entropy of the call session in the sliding window T according to the following mode:
Figure BDA0002751304640000091
wherein, U (T) is the change rate of joint communication behavior information entropy of the call session in a sliding window T at a time point corresponding to the tth call session; j is the number of the call session times corresponding to each time point in the sliding window T; h (Q (j-1) represents the joint communication behavior information entropy of multidimensional behaviors X (j-1), Y (j-1) and Z (j-1) of the j-1 th call session, H (Q (j) ═ H (X (j), Y (j), Z (j)) represents the joint communication behavior information entropy of multidimensional behaviors X (j), Y (j) and Z (j) of the j-th call session;
when U (t)>wuWhen wuAnd judging the call session to be an abnormal call session at the moment for a set threshold value.
As shown in fig. 2, which is an example of abnormal determination of joint communication behavior information entropy when the sliding window T is 10 (times), it can be seen from fig. 2 that the rate of change of the joint communication behavior information entropy of an abnormal call session is significantly higher than that of the joint communication behavior information entropy of a normal call session, so that the present invention can be used for rapidly discovering abnormal communication behaviors such as telecom fraud.
On the basis of the above embodiments, as shown in fig. 3, the present invention further discloses an abnormal call discovery apparatus based on communication behavior information entropy, including:
an abnormal behavior probability increment calculation module 201, configured to calculate an abnormal behavior probability increment of each type of behavior by using a change of the multi-element attribute information of the call session as a data source;
an abnormal probability quantization module 202, configured to quantize the abnormal probability of the multidimensional behavior of the call session according to the abnormal behavior probability increment of each type of behavior;
the joint communication behavior information entropy calculation module 203 is configured to calculate a communication behavior information entropy of a behavior event in each dimension by using a multi-dimensional behavior anomaly probability quantization result of the call session, and calculate a joint communication behavior information entropy of the call session according to the communication behavior information entropy of the behavior event in each dimension;
the change rate calculation module 204 is configured to calculate a change rate of joint communication behavior information entropy of the call session within the sliding window T, and when the change rate is greater than a set threshold, consider the corresponding call session as an abnormal call session.
Further, the abnormal behavior probability increment calculation module 201 is configured to:
according to the attribute values of the multivariate attributes { A, B, C } of the call session, calculating the abnormal behavior x of various types of behaviors { x, y, z } of the current call sessionab,yab,zabIncrement of probability
Figure BDA0002751304640000101
Figure BDA0002751304640000102
Figure BDA0002751304640000103
Figure BDA0002751304640000104
Wherein, A, B and C represent various multi-element attributes corresponding to a call session, and respectively correspond to various multi-dimensional behaviors x, y, z and delta A of the call sessioni1、ΔBi2、ΔCi3Respectively representing the time offset quantization values of various attribute values; i1 ═ 1,2.. mx,i2=1,2...my,i3=1,2...mzRespectively representing the multidimensional value numbers of the attributes A, B and C, mx,my,mzRespectively representing the total dimensionality of the multivariate attributes A, B and C corresponding to the behaviors x, y and z;
Figure BDA0002751304640000105
are respectively x,y,z's influence parameter vector;
Figure BDA0002751304640000106
respectively representing the average values of the multi-dimensional values of A, B and C.
Further, the anomaly probability quantification module 202 is configured to:
the probability of anomaly of the multidimensional behavior of the call session is quantified as follows:
Figure BDA0002751304640000107
Figure BDA0002751304640000108
Figure BDA0002751304640000109
whereinX (t), y (t), z (t) respectively represent various multidimensional behaviors of the tth call session; p (x (t) ═ xab),p(Y(t)=yab),p(Z(t)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t), Y (t), Z (t) of the t call session; x (t-1), Y (t-1) and Z (t-1) respectively represent various multidimensional behaviors of the t-1 th call session; p (X (t-1) ═ Xab),p(Y(t-1)=yab),p(Z(t-1)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t-1), Y (t-1) and Z (t-1) of the t-1 th call session; x is the number ofab,yab,zabRespectively representing abnormal behaviors of various types of behaviors { x, y, z } of the call session;
Figure BDA00027513046400001010
abnormal behavior x representing various types of behavior { x, y, z } of a call session, respectivelyab,yab,zabAnd (4) increasing the probability.
Further, the joint communication behavior information entropy calculation module 203 is configured to:
the communication behavior information entropy of the behavior event on each dimension is calculated according to the following mode:
Figure BDA0002751304640000111
Figure BDA0002751304640000112
Figure BDA0002751304640000113
h (X (t)), H (Y (t)), H (Z (t)) respectively represent the communication behavior information entropies of the t-th call session, namely X (t), Y (t), Z (t); when j is ab, xab,yab,zabRespectively representing abnormal behaviors of various types of behaviors { x, y, z } of the call session; when j is nor, xnor,ynor,znorRespectively representing normal behavior of classes of behavior x, y, z of a call session;p(X(t)=xab),p(Y(t)=yab),p(Z(t)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t), Y (t), Z (t) of the t call session; p (x (t) ═ xnor),p(Y(t)=ynor),p(Z(t)=znor) Denotes the normal probability of multidimensional behavior x (t), y (t), z (t), and p (x (t) ═ x for the tth call session, respectivelynor)=1-p(X(t)=xab),p(Y(t)=ynor)=1-p(Y(t)=yab),p(Z(t)=znor)=1-p(Z(t)=zab);
Joint communication behavior information entropy of the call session is calculated as follows:
H(Q(t))=H(X(t),Y(t),Z(t))=H(X(t))+H(Y(t))+H(Z(t))
h (q) (t), H (x (t), y (t), z (t)), and the joint communication behavior information entropy of the t-th call session, x (t), y (t), and z (t), are shown.
Further, the change rate calculation module 204 is configured to:
calculating the change rate of joint communication behavior information entropy of the call session in the sliding window T according to the following mode:
Figure BDA0002751304640000114
wherein, U (T) is the change rate of joint communication behavior information entropy of the call session in a sliding window T at a time point corresponding to the tth call session; j is the number of the call session times corresponding to each time point in the sliding window T; h (Q (j-1) represents the joint communication behavior information entropy of multidimensional behaviors X (j-1), Y (j-1) and Z (j-1) of the j-1 th call session, H (Q (j) ═ H (X (j), Y (j), Z (j)) represents the joint communication behavior information entropy of multidimensional behaviors X (j), Y (j) and Z (j) of the j-th call session;
when U (t)>wuWhen wuAnd judging the call session to be an abnormal call session at the moment for a set threshold value.
Specifically, as shown in fig. 4, the device may be specifically deployed between network element devices of a telecommunication network or behind a communication ticket device, and performs abnormal call discovery after extracting multivariate attribute information (behavior) of a call session related in signaling or CDR.
In summary, the invention provides an abnormal call discovery method and device based on communication behavior information entropy, which takes the change of multivariate attribute information of a call session as a data source and calculates the abnormal behavior probability increment of each type of behavior; then, quantifying the abnormal probability of the multidimensional behavior of the call session according to the abnormal behavior probability increment of each type of behavior; further calculating the communication behavior information entropy of the behavior event on each dimension and calculating the joint communication behavior information entropy of the call session; and finally, calculating the change rate of the joint communication behavior information entropy of the call session in the sliding window T, and when the change rate is greater than a set threshold value, considering the corresponding call session as an abnormal call session. The invention starts from multidimensional behaviors, forms communication behavior information entropy by call behavior quantification, judges abnormal calls, can solve the problem of abnormal call discovery from the aspect of behavior entropy without being limited by CDR and signaling, can be used for rapidly discovering abnormal communication behaviors such as telecommunication fraud and the like, and has better discovery effect and practical value.
The above shows only the preferred embodiments of the present invention, and it should be noted that it is obvious to those skilled in the art that various modifications and improvements can be made without departing from the principle of the present invention, and these modifications and improvements should also be considered as the protection scope of the present invention.

Claims (2)

1. An abnormal call discovery method based on communication behavior information entropy is characterized by comprising the following steps:
step 1: calculating the abnormal behavior probability increment of each type of behavior by taking the change of the multi-element attribute information of the call session as a data source; the step 1 comprises the following steps:
according to the attribute values of the multivariate attributes { A, B, C } of the call session, calculating the abnormal behavior x of various types of behaviors { x, y, z } of the current call sessionab,yab,zabIncrement of probability
Figure FDA0003021462820000011
Figure FDA0003021462820000012
Figure FDA0003021462820000013
Figure FDA0003021462820000014
Wherein, A, B and C represent various multi-element attributes corresponding to a call session, and respectively correspond to various multi-dimensional behaviors x, y, z and delta A of the call sessioni1、ΔBi2、ΔCi3Respectively representing the time offset quantization values of various attribute values; i1 ═ 1,2.. mx,i2=1,2...my,i3=1,2...mzRespectively representing the multidimensional value numbers of the attributes A, B and C, mx,my,mzRespectively representing the total dimensionality of the multivariate attributes A, B and C corresponding to the behaviors x, y and z;
Figure FDA0003021462820000015
influence parameter vectors of x, y and z respectively;
Figure FDA0003021462820000016
respectively representing the multi-dimensional value average values of A, B and C;
step 2: quantifying the abnormal probability of the multidimensional behavior of the call session according to the abnormal behavior probability increment of each type of behavior; the step 2 comprises the following steps:
the probability of anomaly of the multidimensional behavior of the call session is quantified as follows:
Figure FDA0003021462820000017
Figure FDA0003021462820000018
Figure FDA0003021462820000019
wherein, X (t), Y (t), Z (t) respectively represent various multidimensional behaviors of the t call session; p (x (t) ═ xab),p(Y(t)=yab),p(Z(t)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t), Y (t), Z (t) of the t call session; x (t-1), Y (t-1) and Z (t-1) respectively represent various multidimensional behaviors of the t-1 th call session; p (X (t-1) ═ Xab),p(Y(t-1)=yab),p(Z(t-1)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t-1), Y (t-1) and Z (t-1) of the t-1 th call session; x is the number ofab,yab,zabRespectively representing abnormal behaviors of various types of behaviors { x, y, z } of the call session;
Figure FDA0003021462820000021
abnormal behavior x representing various types of behavior { x, y, z } of a call session, respectivelyab,yab,zabA probability increment;
and step 3: calculating the communication behavior information entropy of the behavior event on each dimension by using the multi-dimensional behavior abnormal probability quantization result of the call session, and calculating the joint communication behavior information entropy of the call session according to the communication behavior information entropy of the behavior event on each dimension; the step 3 comprises the following steps:
the communication behavior information entropy of the behavior event on each dimension is calculated according to the following mode:
Figure FDA0003021462820000022
Figure FDA0003021462820000023
Figure FDA0003021462820000024
h (X (t)), H (Y (t)), H (Z (t)) respectively represent the communication behavior information entropies of the t-th call session, namely X (t), Y (t), Z (t); when j is ab, xab,yab,zabRespectively representing abnormal behaviors of various types of behaviors { x, y, z } of the call session; when j is nor, xnor,ynor,znorRespectively representing normal behaviors of various types of behaviors { x, y, z } of the call session; p (x (t) ═ xab),p(Y(t)=yab),p(Z(t)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t), Y (t), Z (t) of the t call session; p (x (t) ═ xnor),p(Y(t)=ynor),p(Z(t)=znor) Denotes the normal probability of multidimensional behavior x (t), y (t), z (t), and p (x (t) ═ x for the tth call session, respectivelynor)=1-p(X(t)=xab),p(Y(t)=ynor)=1-p(Y(t)=yab),p(Z(t)=znor)=1-p(Z(t)=zab);
Joint communication behavior information entropy of the call session is calculated as follows:
H(Q(t))=H(X(t),Y(t),Z(t))=H(X(t))+H(Y(t))+H(Z(t))
wherein, H (q (t) ═ H (x (t), y (t), z (t)), denotes the joint communication behavior information entropy of the t-th call session, x (t), y (t), z (t);
and 4, step 4: calculating the change rate of joint communication behavior information entropy of the call session in the sliding window T, and when the change rate is greater than a set threshold value, considering the corresponding call session as an abnormal call session; the step 4 comprises the following steps:
calculating the change rate of joint communication behavior information entropy of the call session in the sliding window T according to the following mode:
Figure FDA0003021462820000031
wherein, U (T) is the change rate of joint communication behavior information entropy of the call session in a sliding window T at a time point corresponding to the tth call session; j is the number of the call session times corresponding to each time point in the sliding window T; h (Q (j-1) represents the joint communication behavior information entropy of multidimensional behaviors X (j-1), Y (j-1) and Z (j-1) of the j-1 th call session, H (Q (j) ═ H (X (j), Y (j), Z (j)) represents the joint communication behavior information entropy of multidimensional behaviors X (j), Y (j) and Z (j) of the j-th call session;
when U (t) > omegauTime, omegauAnd judging the call session to be an abnormal call session at the moment for a set threshold value.
2. An abnormal call discovery device based on communication behavior information entropy, comprising:
the abnormal behavior probability increment calculation module is used for calculating the abnormal behavior probability increment of each type of behavior by taking the change of the multi-element attribute information of the call session as a data source; the abnormal behavior probability increment calculation module is specifically configured to:
according to the attribute values of the multivariate attributes { A, B, C } of the call session, calculating the abnormal behavior x of various types of behaviors { x, y, z } of the current call sessionab,yab,zabIncrement of probability
Figure FDA0003021462820000032
Figure FDA0003021462820000033
Figure FDA0003021462820000034
Figure FDA0003021462820000035
Wherein, A, B and C represent various multi-element attributes corresponding to a call session, and respectively correspond to various multi-dimensional behaviors x, y, z and delta A of the call sessioni1、ΔBi2、ΔCi3Respectively representing the time offset quantization values of various attribute values; i1 ═ 1,2.. mx,i2=1,2...my,i3=1,2...mzRespectively representing the multidimensional value numbers of the attributes A, B and C, mx,my,mzRespectively representing the total dimensionality of the multivariate attributes A, B and C corresponding to the behaviors x, y and z;
Figure FDA0003021462820000036
influence parameter vectors of x, y and z respectively;
Figure FDA0003021462820000037
respectively representing the multi-dimensional value average values of A, B and C;
the abnormal probability quantization module is used for quantizing the abnormal probability of the multidimensional behavior of the call session according to the abnormal behavior probability increment of each type of behavior; the anomaly probability quantification module is specifically configured to:
the probability of anomaly of the multidimensional behavior of the call session is quantified as follows:
Figure FDA0003021462820000041
Figure FDA0003021462820000042
Figure FDA0003021462820000043
wherein, X (t), Y (t), Z (t) respectively represent various multidimensional behaviors of the t call session; p (x (t) ═ xab),p(Y(t)=yab),p(Z(t)=zab) Individual watchShowing the abnormal probabilities of the multidimensional behaviors X (t), Y (t), Z (t) of the t-th call session; x (t-1), Y (t-1) and Z (t-1) respectively represent various multidimensional behaviors of the t-1 th call session; p (X (t-1) ═ Xab),p(Y(t-1)=yab),p(Z(t-1)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t-1), Y (t-1) and Z (t-1) of the t-1 th call session; x is the number ofab,yab,zabRespectively representing abnormal behaviors of various types of behaviors { x, y, z } of the call session;
Figure FDA0003021462820000044
abnormal behavior x representing various types of behavior { x, y, z } of a call session, respectivelyab,yab,zabA probability increment;
the joint communication behavior information entropy calculation module is used for calculating the communication behavior information entropy of the behavior event on each dimension by utilizing the multi-dimensional behavior abnormal probability quantization result of the call session and calculating the joint communication behavior information entropy of the call session according to the communication behavior information entropy of the behavior event on each dimension; the joint communication behavior information entropy calculation module is specifically configured to:
the communication behavior information entropy of the behavior event on each dimension is calculated according to the following mode:
Figure FDA0003021462820000045
Figure FDA0003021462820000046
Figure FDA0003021462820000047
h (X (t)), H (Y (t)), H (Z (t)) respectively represent the communication behavior information entropies of the t-th call session, namely X (t), Y (t), Z (t); when j is ab, xab,yab,zabRespectively representing each of the call sessionsAbnormal behavior of class behavior { x, y, z }; when j is nor, xnor,ynor,znorRespectively representing normal behaviors of various types of behaviors { x, y, z } of the call session; p (x (t) ═ xab),p(Y(t)=yab),p(Z(t)=zab) Respectively representing abnormal probabilities of multidimensional behaviors X (t), Y (t), Z (t) of the t call session; p (x (t) ═ xnor),p(Y(t)=ynor),p(Z(t)=znor) Denotes the normal probability of multidimensional behavior x (t), y (t), z (t), and p (x (t) ═ x for the tth call session, respectivelynor)=1-p(X(t)=xab),p(Y(t)=ynor)=1-p(Y(t)=yab),p(Z(t)=znor)=1-p(Z(t)=zab);
Joint communication behavior information entropy of the call session is calculated as follows:
H(Q(t))=H(X(t),Y(t),Z(t))=H(X(t))+H(Y(t))+H(Z(t))
wherein, H (q (t) ═ H (x (t), y (t), z (t)), denotes the joint communication behavior information entropy of the t-th call session, x (t), y (t), z (t);
the change rate calculation module is used for calculating the change rate of the joint communication behavior information entropy of the call session in the sliding window T, and when the change rate is greater than a set threshold value, the corresponding call session is considered to be an abnormal call session; the change rate calculation module is specifically configured to:
calculating the change rate of joint communication behavior information entropy of the call session in the sliding window T according to the following mode:
Figure FDA0003021462820000051
wherein, U (T) is the change rate of joint communication behavior information entropy of the call session in a sliding window T at a time point corresponding to the tth call session; j is the number of the call session times corresponding to each time point in the sliding window T; h (Q (j-1) represents the joint communication behavior information entropy of multidimensional behaviors X (j-1), Y (j-1) and Z (j-1) of the j-1 th call session, H (Q (j) ═ H (X (j), Y (j), Z (j)) represents the joint communication behavior information entropy of multidimensional behaviors X (j), Y (j) and Z (j) of the j-th call session;
when U (t) > omegauTime, omegauAnd judging the call session to be an abnormal call session at the moment for a set threshold value.
CN202011185447.2A 2020-10-30 2020-10-30 Abnormal call discovery method and device based on communication behavior information entropy Active CN112437197B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011185447.2A CN112437197B (en) 2020-10-30 2020-10-30 Abnormal call discovery method and device based on communication behavior information entropy

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011185447.2A CN112437197B (en) 2020-10-30 2020-10-30 Abnormal call discovery method and device based on communication behavior information entropy

Publications (2)

Publication Number Publication Date
CN112437197A CN112437197A (en) 2021-03-02
CN112437197B true CN112437197B (en) 2021-06-18

Family

ID=74696525

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011185447.2A Active CN112437197B (en) 2020-10-30 2020-10-30 Abnormal call discovery method and device based on communication behavior information entropy

Country Status (1)

Country Link
CN (1) CN112437197B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103297956A (en) * 2013-05-06 2013-09-11 北京航空航天大学 Dynamic lightweight class trust evaluation method based on Bayesian theory and entropy theory
CN104244216A (en) * 2014-09-29 2014-12-24 中国移动通信集团浙江有限公司 Method and system for intercepting fraud phones in real time during calling
CN105808639A (en) * 2016-02-24 2016-07-27 平安科技(深圳)有限公司 Network access behavior recognizing method and device
CN108833720A (en) * 2018-05-04 2018-11-16 北京邮电大学 Fraudulent call number identification method and system
CN110210653A (en) * 2019-05-15 2019-09-06 中国移动通信集团内蒙古有限公司 Telecommunication fraud evolution analysis prediction technique, device, equipment and medium
CN110430224A (en) * 2019-09-12 2019-11-08 贵州电网有限责任公司 A kind of communication network anomaly detection method based on random block models
US10785369B1 (en) * 2019-09-26 2020-09-22 T-Mobile Usa, Inc. Multi-factor scam call detection and alerting
CN111726460A (en) * 2020-06-15 2020-09-29 国家计算机网络与信息安全管理中心 Fraud number identification method based on space-time diagram

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10043035B2 (en) * 2013-11-01 2018-08-07 Anonos Inc. Systems and methods for enhancing data protection by anonosizing structured and unstructured data and incorporating machine learning and artificial intelligence in classical and quantum computing environments
CN109300029A (en) * 2018-10-25 2019-02-01 北京芯盾时代科技有限公司 Borrow or lend money fraud detection model training method, debt-credit fraud detection method and device
CN109753801B (en) * 2019-01-29 2022-04-22 重庆邮电大学 Intelligent terminal malicious software dynamic detection method based on system call

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103297956A (en) * 2013-05-06 2013-09-11 北京航空航天大学 Dynamic lightweight class trust evaluation method based on Bayesian theory and entropy theory
CN104244216A (en) * 2014-09-29 2014-12-24 中国移动通信集团浙江有限公司 Method and system for intercepting fraud phones in real time during calling
CN105808639A (en) * 2016-02-24 2016-07-27 平安科技(深圳)有限公司 Network access behavior recognizing method and device
CN108833720A (en) * 2018-05-04 2018-11-16 北京邮电大学 Fraudulent call number identification method and system
CN110210653A (en) * 2019-05-15 2019-09-06 中国移动通信集团内蒙古有限公司 Telecommunication fraud evolution analysis prediction technique, device, equipment and medium
CN110430224A (en) * 2019-09-12 2019-11-08 贵州电网有限责任公司 A kind of communication network anomaly detection method based on random block models
US10785369B1 (en) * 2019-09-26 2020-09-22 T-Mobile Usa, Inc. Multi-factor scam call detection and alerting
CN111726460A (en) * 2020-06-15 2020-09-29 国家计算机网络与信息安全管理中心 Fraud number identification method based on space-time diagram

Also Published As

Publication number Publication date
CN112437197A (en) 2021-03-02

Similar Documents

Publication Publication Date Title
CN109615116B (en) Telecommunication fraud event detection method and system
EP2591573A1 (en) Method and apparatus for traffic classification
US20070030842A1 (en) System for the analysis and monitoring of ip communications
US11870932B2 (en) Systems and methods of gateway detection in a telephone network
CN113821793B (en) Multi-stage attack scene construction method and system based on graph convolution neural network
CN102083010A (en) Method and equipment for screening user information
CN115086055B (en) Detection device and method for encrypting malicious traffic of android mobile device
Hu et al. BTG: A Bridge to Graph machine learning in telecommunications fraud detection
CN116320139A (en) Method and device for analyzing wind control management of conversation, electronic equipment and storage medium
CN112437197B (en) Abnormal call discovery method and device based on communication behavior information entropy
US8284764B1 (en) VoIP traffic behavior profiling method
CN111062422B (en) Method and device for identifying set-way loan system
CN109951451A (en) A kind of spoof attack detection method based on intensified learning in mist calculating
CN107222319B (en) Communication operation analysis method and device
CN112559899A (en) User portrait generation method
CN113052198B (en) Data processing method, device, equipment and storage medium
CN111368858B (en) User satisfaction evaluation method and device
WO2015189380A1 (en) Method and apparatus for detecting and filtering undesirable phone calls
CN111291078A (en) Domain name matching detection method and device
Sagar et al. Security measurement in LTE/LTE-A network based on zs-lr feature selection technique and um-tgan attack detection technique
CN112906831A (en) Communication network user classification method combining network structure and attribute characteristics
Lei et al. Can Wavelet Transform Detect LDDoS Abnormal Traffic in Multipath TCP Transmission System?
KR101095878B1 (en) SIP DoS Attack Detection and Prevention System and Method using Hidden Markov Model
CN107592214B (en) Method for identifying login user name of internet application system
CN114666071A (en) Botnet identification method and device and terminal equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant