CN115208979A - GoIP equipment fraud identification and positioning method, system, device and storage medium - Google Patents

GoIP equipment fraud identification and positioning method, system, device and storage medium Download PDF

Info

Publication number
CN115208979A
CN115208979A CN202210814238.2A CN202210814238A CN115208979A CN 115208979 A CN115208979 A CN 115208979A CN 202210814238 A CN202210814238 A CN 202210814238A CN 115208979 A CN115208979 A CN 115208979A
Authority
CN
China
Prior art keywords
goip
equipment
determining
abnormal
numbers
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210814238.2A
Other languages
Chinese (zh)
Inventor
钟盛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Sendi Computer System Co ltd
Original Assignee
Guangzhou Sendi Computer System Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Sendi Computer System Co ltd filed Critical Guangzhou Sendi Computer System Co ltd
Priority to CN202210814238.2A priority Critical patent/CN115208979A/en
Publication of CN115208979A publication Critical patent/CN115208979A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04MTELEPHONIC COMMUNICATION
    • H04M3/00Automatic or semi-automatic exchanges
    • H04M3/22Arrangements for supervision, monitoring or testing
    • H04M3/2281Call monitoring, e.g. for law enforcement purposes; Call tracing; Detection or prevention of malicious calls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W24/00Supervisory, monitoring or testing arrangements
    • H04W24/10Scheduling measurement reports ; Arrangements for measurement reports
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/02Services making use of location information
    • H04W4/025Services making use of location information using location based information parameters

Abstract

The invention discloses a method, a system, a device and a storage medium for identifying and positioning fraud of GoIP equipment, and relates to the technical field of computers. The method comprises the steps of analyzing equipment characteristics and number behavior characteristics recorded by number interaction in a network, inputting the equipment characteristics and the number behavior characteristics into a GoIP equipment identification model to determine abnormal GoIP equipment, further acquiring a measurement report of the abnormal GoIP equipment, determining number signal strength from the abnormal GoIP equipment to an adjacent base station according to the measurement report, and determining the geographic position of the abnormal GoIP equipment according to the number signal strength. The position of the GoIP equipment with the fraud behaviors is determined based on the measurement report mode of the abnormal GoIP equipment, so that the fraud places can be accurately positioned.

Description

GoIP equipment fraud identification and positioning method, system, device and storage medium
Technical Field
The invention relates to the technical field of computers, in particular to a method, a system, a device and a storage medium for identifying and positioning fraud of GoIP equipment.
Background
The GoIP device is a virtual dialing device for network communication, can switch an outbound number into a local mobile phone number, and is often used for implementing telecommunication phishing. The GoIP equipment is usually erected in the environment, and fraud is implemented by dialing the Intranet telephone through the GoIP equipment in the overseas remote control environment. Dozens of or even hundreds of telephone cards can be inserted into virtual dialing equipment such as GoIP equipment to make a call at the same time, man-machine separation can be realized through the GoIP equipment, the position of a dialing person is hidden, and attack is avoided. At present, fraud activities are usually prevented by identifying and locating GoIP-involved devices, and the GoIP-involved device monitoring mode mainly identifies the GoIP-involved devices based on data such as call tickets, call records, traffic and the like, and then determines the positions of the GoIP-involved devices according to base stations where the GoIP-involved devices are matched with the work participation table. However, the base stations matched according to the work parameter table have a large position range, generally, the coverage radius of the 2G base station is about 5-10 km, the coverage radius of the 3G base station is about 2-5 km, the coverage radius of the 4G base station is about 1-3 km, and even the coverage radius of the 5G base station is about 100-300 m, which is difficult to accurately position the GoIP device and inconvenient for subsequent work.
Disclosure of Invention
The present invention is directed to solving at least one of the problems of the prior art. Therefore, the invention provides a GoIP equipment fraud identification and positioning method, system, device and storage medium, which can identify GoIP equipment with fraud behaviors and accurately position the GoIP equipment.
In one aspect, an embodiment of the present invention provides a method for identifying and locating fraud of GoIP devices, including the following steps:
acquiring a number interaction record in a network;
determining equipment characteristics and number behavior characteristics according to the number interaction records;
inputting the device characteristics and the number behavior characteristics into a GoIP device identification model to determine abnormal GoIP devices;
acquiring a measurement report of the abnormal GoIP equipment;
determining the number signal strength of the abnormal GoIP equipment according to the measurement report;
and determining the geographic position of the abnormal GoIP equipment according to the number signal strength.
According to some embodiments of the invention, the device characteristics comprise TAC codes, and determining device characteristics and number behavior characteristics from the number interaction records comprises the following steps:
identifying international mobile equipment identification code information in the number interaction record;
and extracting the TAC code from the international mobile equipment identification code information.
According to some embodiments of the present invention, the device characteristics further include number group behavior characteristics, and the determining the device characteristics and the number behavior characteristics according to the number interaction record further includes the steps of:
dividing the number interaction records into a plurality of base station interaction data according to the same base station;
counting a plurality of numbers of the outbound frequency in the base station interactive data within a frequency interval to obtain the number group outbound behavior characteristics;
counting a plurality of numbers which are simultaneously subjected to power-on registration or power-off registration in the base station interactive data to obtain the power-on and power-off behavior characteristics of the number groups;
counting a plurality of numbers with the same accompanying track in the base station interactive data to obtain the movement behavior characteristics of the number group;
and counting a plurality of numbers of the call interval in the base station interactive data in the interval to obtain the call interval time characteristics of the number group.
According to some embodiments of the present invention, the number behavior characteristics include a calling characteristic, a talk time characteristic, and a called number overlapping rate, and determining the device characteristics and the number behavior characteristics according to the number interaction record includes the following steps:
counting the calling quantity, the calling and called proportion, the calling hang-up rate and the calling intensity of each number in each time interval from the number interaction records to obtain the calling characteristics of each number;
counting the average call duration and the call duration distribution ratio of each number from the number interaction records to obtain the call time characteristics of each number;
and acquiring a plurality of called numbers of each number in a historical time period from the number interaction records, and determining the called number overlapping rate of each number according to the called numbers.
According to some embodiments of the invention, the number behavior feature further comprises a dialing behavior feature, and the determining the device feature and the number behavior feature according to the number interaction record further comprises the steps of:
obtaining the historical dialing number of each number from the number interaction record;
determining a first identifier of the number according to whether the number of the directory enquiry station exists in the historical dialing number;
determining a second identifier of the number according to whether different operator numbers exist in the historical dialing number;
and determining the dialing behavior characteristics of each number according to the first identification and the second identification of each number.
According to some embodiments of the invention, the GoIP device identification model is constructed by:
acquiring a training data set, wherein the training data set comprises number behavior characteristics of a plurality of historical numbers, equipment characteristics of equipment where the plurality of historical numbers are located and fraud labels of the historical numbers;
and inputting the training data set into a LightGBM model for training to obtain the GoIP equipment identification model.
According to some embodiments of the invention, the determining the geographical location of the abnormal GoIP device according to the number signal strength comprises the following steps:
determining a first distance, a second distance and a third distance between the abnormal GoIP equipment and the three base stations according to the number signal strength and the corresponding path loss between the abnormal GoIP equipment and the three base stations respectively;
and determining the geographic position of the abnormal GoIP equipment according to the first distance, the second distance, the third distance and the positions of the three base stations.
On the other hand, an embodiment of the present invention further provides a GoIP device fraud identification and location system, including:
the first module is used for acquiring number interaction records in a network;
the second module is used for determining the equipment characteristics and the number behavior characteristics according to the number interaction records;
the third module is used for inputting the equipment characteristics and the number behavior characteristics into a GoIP equipment identification model to determine abnormal GoIP equipment;
a fourth module, configured to obtain a measurement report of the abnormal GoIP device;
a fifth module, configured to determine, according to the measurement report, a number signal strength of the abnormal GoIP device;
and the sixth module is used for determining the geographic position of the abnormal GoIP equipment according to the number signal strength.
On the other hand, an embodiment of the present invention further provides a GoIP device fraud identification and location apparatus, including:
at least one processor;
at least one memory for storing at least one program;
when executed by the at least one processor, cause the at least one processor to implement the GoIP device fraud identification and location method as described above.
In another aspect, the present invention also provides a computer-readable storage medium storing computer-executable instructions for causing a computer to perform the GoIP device fraud identification and location method as described above.
The technical scheme of the invention at least has one of the following advantages or beneficial effects: analyzing the device characteristics and the number behavior characteristics recorded by number interaction in the network, inputting the device characteristics and the number behavior characteristics into a GoIP device identification model to determine an abnormal GoIP device, further acquiring a measurement report of the abnormal GoIP device, determining the number signal strength from the abnormal GoIP device to an adjacent base station according to the measurement report, and determining the geographic position of the abnormal GoIP device according to the number signal strength. The position of the GoIP equipment with fraud behaviors is determined based on the mode of the measurement report of the abnormal GoIP equipment, so that the accurate positioning of fraud places is realized.
Drawings
FIG. 1 is a flow chart of a GoIP device fraud identification and location method provided by an embodiment of the present invention;
FIG. 2 is a schematic diagram of a GoIP equipment fraud identification and location system provided by an embodiment of the present invention;
FIG. 3 is a schematic diagram of a GoIP equipment fraud identification and location apparatus provided by an embodiment of the present invention;
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or components having the same or similar functions throughout. The embodiments described below with reference to the accompanying drawings are illustrative only for the purpose of explaining the present invention, and are not to be construed as limiting the present invention.
In the description of the present invention, it should be understood that the orientation or positional relationship referred to in the description of the orientation, such as the upper, lower, left, right, etc., is based on the orientation or positional relationship shown in the drawings, and is only for convenience of description and simplicity of description, and does not indicate or imply that the device or element referred to must have a specific orientation, be constructed and operated in a specific orientation, and thus, should not be construed as limiting the present invention.
In the description of the present invention, if there are first, second, etc. described, they are only used for distinguishing technical features, but they are not interpreted as indicating or implying relative importance or implicitly indicating the number of indicated technical features or implicitly indicating the precedence of the indicated technical features.
Referring to fig. 1, the GoIP device fraud identification and location method of the embodiment of the present invention includes, but is not limited to, step S110, step S120, step S130, step S140, step S150, and step S160:
step S110, acquiring number interaction records in a network;
step S120, determining the equipment characteristics and the number behavior characteristics according to the number interaction records;
step S130, inputting the device characteristics and the number behavior characteristics into a GoIP device identification model to determine abnormal GoIP devices;
step S140, obtaining a measurement report of the abnormal GoIP equipment;
s150, determining the number signal strength of the abnormal GoIP equipment according to the measurement report;
and step S160, determining the geographic position of the abnormal GoIP equipment according to the number signal strength.
In some embodiments, the GoIP device fraud identification and location method may be applied to operator networks in various regions, such as a telecommunications network, a mobile network, or a connectivity network in a province, where interaction records of various historical numbers, such as outgoing call records, called records, call duration records, home locations, etc., of various numbers are recorded in each operator network.
In some embodiments, virtual dialing devices such as GoIP devices are mostly adopted for fraud behaviors, one GoIP device can be inserted into dozens or even hundreds of telephone cards to make calls at the same time, and the GoIP device has a higher fraud probability compared with a common telephone or a mobile phone, so that the device characteristics are determined by statistically analyzing number interaction records, and the accuracy of fraud behavior identification can be improved. The device characteristics are not limited to TAC codes, number group behavior characteristics and the like, wherein the number group behavior characteristics include number group outbound behavior characteristics, number group on-off behavior characteristics, number group motion behavior characteristics, number group call interval time characteristics and the like. In addition to identifying device characteristics based on a number group, it is also necessary to identify number behavior characteristics of each number to determine the probability of fraud of the number, where the number behavior characteristics may include calling characteristics, talk time characteristics, called number overlapping rate, dialing behavior characteristics, and the like. In the embodiment, the fraud behavior is identified through the number behavior characteristics and the equipment characteristics, so that the accuracy of fraud identification can be improved.
In some embodiments, after the abnormal GoIP device with the fraudulent behavior is identified, the position of the abnormal GoIP device is determined through a measurement report reported by the abnormal GoIP device, so that the accuracy of device positioning can be improved. MR (Measurement Report) is network raw data measured by a user terminal, and the Measurement Report carries information related to uplink and downlink radio links, including RSCP (signal strength), ISCP (interference signal code power), BLER (received signal strength indicator), transmission power, and the like. The measurement report mainly comes from the physical layer and RLC layer of UE and Node B, and the measurement report generated by RNC in the radio resource management process. Original measurement data is directly sent to the OMC-R to be stored in a sample data mode, or data after RNC or OMC-R statistical calculation is sent to the OMC-R to be stored in a statistical data mode. It can be understood that the measurement report is realized by depending on a mobile phone signal in a wireless network signal, so the embodiment of the invention is suitable for equipment needing to communicate through a wireless network, such as small GoIP equipment like a Rongbao, a Multi-card treasure, apple peel and the like, the equipment needs to establish a remote control channel with overseas fraud molecules through 4G internet traffic, and the equipment is suitable for accurate positioning by adopting an MR (magnetic resonance) mode.
According to some embodiments of the present invention, step S120 further includes, but is not limited to, the following steps:
international mobile equipment identification code information in the identification number interaction record;
and extracting the TAC code from the international mobile equipment identification code information.
In some embodiments, most of the GoIP devices currently support only 2G voice calls, i.e., GSM, CDMA, and WCDMA three network systems, where GSM is a mobile 2G voice network, CDMA is a telecommunication 2G voice network, and WCDMA is a connected 2G voice network. GSM and WCDMA systems carry IMEI (international mobile equipment identity information), CDMA does not.
For a mobile and a network of an operator with connectivity, the brand model of a terminal device can be known by the TAC code of 8 bits before the IMEI carried in a network signaling, for example, the brand of the current terminal can be directly judged to be the brands of a conventional apple, huachi and the like according to the TAC code of 8 bits before the IMEI, so that the possibility that the terminal is a GoIP device is eliminated, and the probability that the terminal is a GoIP device is higher when the terminal is a GoIP device such as a "find", "SIMCOM", "ROAMBOX" and the like.
Because the signaling of the CDMA network does not carry the IMEI information, the IMEI information can be acquired according to the LTE network for the telecommunication operator network, so as to judge the equipment model. Small GoIP equipment such as a Rongbao device, a multi-card device and an apple peel generally needs to realize 4G internet surfing through a mobile phone card so as to realize remote control with remote fraud molecules, so that the number signaling data can be acquired based on a 4G S1MME interface, the number signaling data comprise number information and equipment IMEI information, and the GoIP equipment can be accurately identified by combining a mobile phone terminal brand model library and known TAC codes of the GoIP equipment caught by historical accumulation. In addition, for small GoIP devices such as a comic treasure, a multi-card treasure and an apple peel using 4G internet traffic, since remote control needs to be performed through a 4G network channel, the internet traffic of a corresponding number card is significantly increased in a time period when such GoIP devices centrally call, generally, the traffic is proportional to the number call duration, and the traffic can also be used as a feature of the GoIP device to construct a GoIP device identification model as an influence factor.
According to some embodiments of the present invention, step S120 further includes, but is not limited to, the following steps:
dividing the number interaction records into a plurality of base station interaction data according to the same base station;
counting a plurality of numbers of the outbound frequency in the frequency interval in the base station interactive data to obtain the number group outbound behavior characteristics;
counting a plurality of numbers which are simultaneously subjected to power-on registration or power-off registration in the base station interactive data to obtain the power-on and power-off behavior characteristics of the number groups;
counting a plurality of numbers with the same track in the base station interactive data to obtain the movement behavior characteristics of the number group;
and counting a plurality of numbers of the call interval in the base station interactive data in the interval to obtain the call interval time characteristics of the number group.
In some embodiments, some conventional GoIP devices are remotely controlled by accessing a home broadband, do not have a 4G internet access signaling trace, and do not carry IMEI information, so that whether the GoIP devices are the GoIP devices cannot be judged from the IMEI. Because the GoIP equipment is inserted with a plurality of telephone cards, whether a plurality of numbers exist under a base station or not can be analyzed to determine whether the GoIP equipment exists under the base station or not. The number group behavior characteristics under the same base station comprise the following characteristics:
number group outbound behavior characteristics: generally, because the GoIP device has a plurality of card slots (generally supporting 128 card slots), a plurality of numbers in the same base station are often called out simultaneously in high intensity, and therefore, a plurality of numbers of the outgoing call frequency in the frequency interval in the interactive data of the base station are counted to obtain the outgoing call behavior characteristics of the number group.
The number group on-off behavior characteristics are as follows: generally, a plurality of numbers are started up at the same time in the power-on process of the GoIP equipment, and a plurality of numbers are shut down at the same time in the power-off process, so that a plurality of numbers which are simultaneously registered for starting up or shutting down in the base station interactive data are counted to obtain the on-off behavior characteristics of the number group.
Group sports behavior characteristics: for the vehicle-mounted GoIP-like device, the GoIP device is placed on an automobile to move fraudulently, a plurality of numbers pass through a plurality of base stations, and the tracks of the base stations are identical, so that the base stations in the base station interaction data are counted along with the numbers with identical tracks, and the movement behavior characteristics of the number group are obtained.
Number group call interval time characteristic: the normal user calling-out process usually needs to manually input the called number or search the contact person in the address list, and the time consumption is large. Because the GoIP equipment automatically dials the number according to the set setting, the external intervals of a plurality of numbers of the GoIP equipment are short, and the calling intervals of each time are similar, therefore, the numbers of the calling intervals in the interval in the base station interactive data are counted, and the calling interval time characteristics of the number group are obtained.
According to some embodiments of the invention, step S120 further includes, but is not limited to, the following steps:
counting the calling quantity, the calling and called proportion, the calling hang-up rate and the calling intensity of each number in each time interval from the number interaction records to obtain the calling characteristics of each number;
counting the average call duration and the call duration distribution ratio of each number from the number interaction records to obtain the call time characteristics of each number;
and acquiring a plurality of called numbers of each number in a historical time period from the number interaction records, and determining the called number overlapping rate of each number according to the plurality of called numbers.
In some embodiments, advertising promotion or takeout by using the GoIP device exists at present, and is mixed with the GoIP device fraud, so that the fraud behavior characteristics of various numbers are combined to eliminate normal services such as advertising promotion or takeout by using the GoIP device, and accurate fraud probability prediction is realized. Based on behavioral analysis of past fraud numbers, the following number behavior characteristics are selected as influencing factors to identify fraud:
calling feature: the calling features include the calling volume of each number, the calling to called ratio, the hang-up rate of the calling and the calling intensity in each time interval. The calling quantity is higher than the number of the normal value, and the fraud probability is higher. The ratio of calling to called, i.e. the ratio of the number of times each number calls the calling party to the number of times the number of calling and called parties, is higher, the probability of fraud is higher. The hang-up rate of the caller is the proportion of the dialed call that is hung up, the higher the proportion, the greater the fraud probability. The calling intensity in each time interval, namely the number of calling numbers in each time interval, generally, the fraud phone is centrally dialed in the time interval from 9 to 18, the dialing intensity in the noon break time from 12 to 14 is also high, and the calling intensity in the time between 19 and the next day of 9 is basically zero, so that the calling intensity of the number in each time interval can be used as one of the influence factors to carry out fraud model construction.
The call time characteristic is as follows: the talk time characteristic includes an average talk time and a talk time distribution ratio. The average call duration is the average of the call durations of the numbers when the numbers are making calls. The distribution ratio of the call duration refers to dividing the call duration into several sections, such as 0s,0-10s,10-30s, etc., and counting the ratio of the call duration of the call made by the user in each section. In addition, the talk time characteristic may further include a standard deviation of talk time, i.e., a standard deviation of talk time when the user makes a call.
Called number overlapping rate: the overlap ratio of the multiple called numbers over the user number history time, e.g., 7 days, tends to be close to 0 for fraudulent numbers.
In addition, the number behavior features may also include the following:
average ringing duration: the average value of the ringing time of the user's telephone call.
Standard deviation of ringing duration: standard deviation of ringing time for a user to make a call.
Dispersion of called number: for normal users, the dispersion of the called numbers is not very high, while the fraud telephone has the characteristic of wide-spread network, and the dispersion of the called numbers is usually higher.
Calling number roaming in different places: the fraud number usually has a higher proportion of fraud to be executed in other places, and when the calling number is roaming in other places, the fraud probability is higher.
The home location of the called number is the proportion of the local calling of the user: compared with numbers such as express takeout and the like with high call volume and large called dispersion, the called place of the fraud phone is mostly not a calling place, and the fraud probability is higher as the occupation ratio of the called number belonging place to the calling place of the user is lower.
According to some embodiments of the present invention, step S120 further includes, but is not limited to, the following steps:
obtaining the historical dialing number of each number from the number interaction records;
determining a first identifier of the number according to whether the number of the directory enquiry station exists in the historical dialing number;
determining a second identifier of the number according to whether different operator numbers exist in the historical dialing number;
and determining the dialing behavior characteristics of each number according to the first identification and the second identification of each number.
In some embodiments, the number behavior characteristics further include a dialing behavior characteristic, where the dialing behavior characteristic is to count whether a historical dialed number of each number dials a special number, and to mark the number correspondingly to a trajectory of dialing the special number, so as to determine the dialing behavior characteristic, and specifically, the following is performed:
and determining a first identifier of the number according to whether the directory number exists in the historical dialing numbers of each number, wherein if the number dials 114 the directory number, the first identifier is yes, otherwise, the first identifier is no. It is statistically found that current fraud phones utilize human trust in 114 directory enquiries to register a counterfeit financial institution's telephone number at 114 directory enquiries to create bank remittance artifacts and to perform fraudulent shopping practices. Thus, the first identification is a yes number, which is the higher probability of being a fraudulent call.
And determining a second identifier of the number according to whether different operator numbers exist in the historical dialing number, wherein if the number dials different operator numbers, the second identifier is yes, otherwise, the second identifier is no. Statistics shows that most fraud numbers need to test cards, determine the operators to which the phone numbers belong, and the numbers can be tested by dialing 10086 or inquiring the balance of the call fee, at this time, the 10086 automatic customer service prompts 'you use a non-Chinese mobile number to make a call …', and then the numbers can be further dialed to China Unicom customer service. Thus, the second identification is a yes number, which is the higher probability of being a fraudulent call.
In addition, whether other special numbers exist in the historical dialing numbers can be checked to further identify the user number, for example, whether the user number dials a bank short number or not.
According to some embodiments of the invention, the number behavior feature further comprises:
number of active days: the fraud numbers in general are protected from being identified and their active time is usually short.
Called number attribution province/city number: the number of the called number belonging to province/city is higher than the normal number.
According to some embodiments of the present invention, the GoIP device identification model in step S130 is constructed by:
acquiring a training data set, wherein the training data set comprises number behavior characteristics of a plurality of historical numbers, equipment characteristics of equipment where the plurality of historical numbers are located, and whether the historical numbers are fraudulent labels;
and inputting the training data set into a LightGBM model for training to obtain the GoIP equipment identification model.
In some embodiments, the training data set is obtained by obtaining a large number of historical numbers, performing statistical analysis on the historical numbers, determining the number behavior characteristics of the historical numbers and the device characteristics of the devices in which the historical numbers are located, and identifying the historical numbers as normal tags or fraud tags. And (3) the training data set is sent to a LightGBM model to train weight proportions of TAC (contact terminal) codes, number group behavior characteristics, number group outbound behavior characteristics, number group startup and shutdown behavior characteristics, number group motion behavior characteristics, number group call interval time characteristics, calling characteristics, conversation time characteristics, called number overlapping rate, dialing behavior characteristics and other characteristics, so as to obtain the GoIP equipment identification model. LightGBM is a gradient Boosting framework that uses a decision tree based learning algorithm. The method has the advantages of higher training efficiency, low memory use, higher accuracy, support of parallelization learning, capability of processing large-scale data and the like.
According to some embodiments of the invention, step S150 includes, but is not limited to, the following steps:
determining a first distance, a second distance and a third distance between the abnormal GoIP equipment and the three base stations respectively according to the number signal strength and the corresponding path loss between the abnormal GoIP equipment and the three base stations respectively;
and determining the geographic position of the abnormal GoIP equipment according to the first distance, the second distance, the third distance and the positions of the three base stations.
In some embodiments, after the abnormal GoIP device with fraud is determined, when the abnormal GoIP device has 4G internet access behavior, the number signal strength of the 4G internet access wireless MR with the number under 3 4G base stations can be obtained, and the distance d between transmission and reception can be determined by using a path loss model of a wireless signal according to the number signal strength 1 、d 2 、d 3 Namely, the first distance, the second distance and the third distance between the abnormal GoIP device and the three base stations, and then calculating the specific location of the abnormal GoIP device by obtaining the following three equations:
(x 1 -x) 2 +(y 1 -y) 2 =d 1 2
(x 2 -x) 2 +(y 2 -y) 2 =d 2 2
(x 3 -x) 2 +(y 3 -y) 2 =d 3 2
wherein, (x, y) represents abnormal GoIP device location, (x) 1 ,y 1 ) Denotes the first base station location, (x) 2 ,y 2 ) Indicating the second base station location, (x) 3 ,y 3 ) Indicating a third base station location.
On the other hand, an embodiment of the present invention further provides a system for identifying and locating fraud of GoIP devices, referring to fig. 2, including:
the first module is used for acquiring number interaction records in a network;
the second module is used for determining the equipment characteristics and the number behavior characteristics according to the number interaction records;
the third module is used for inputting the device characteristics and the number behavior characteristics into the GoIP device identification model to determine abnormal GoIP devices;
the fourth module is used for acquiring a measurement report of the abnormal GoIP equipment;
a fifth module, configured to determine, according to the measurement report, the number signal strength of the abnormal GoIP device;
and the sixth module is used for determining the geographic position of the abnormal GoIP equipment according to the number signal strength.
It can be understood that the contents in the embodiments of the GoIP device fraud identification and location method are all applicable to the embodiments of the system, the functions implemented by the embodiments of the system are the same as the embodiments of the GoIP device fraud identification and location method, and the beneficial effects achieved by the embodiments of the GoIP device fraud identification and location method are also the same as the beneficial effects achieved by the embodiments of the GoIP device fraud identification and location method.
Referring to fig. 3, fig. 3 is a schematic diagram of a GoIP equipment fraud identification and location apparatus according to an embodiment of the present invention. The GoIP equipment fraud identification and location device of the embodiment of the invention comprises one or more control processors and memories, and one control processor and one memory are taken as an example in FIG. 3.
The control processor and the memory may be connected by a bus or other means, as exemplified by the bus connection in fig. 3.
The memory, which is a non-transitory computer readable storage medium, may be used to store non-transitory software programs as well as non-transitory computer executable programs. Further, the memory may include high speed random access memory, and may also include non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory may optionally include memory located remotely with respect to the control processor, which may be connected to the GoIP device fraud identification and location apparatus over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
Those skilled in the art will appreciate that the apparatus architecture shown in fig. 3 does not constitute a limitation of the GoIP equipment fraud identification and location apparatus, and may include more or fewer components than those shown, or some components in combination, or a different arrangement of components.
The non-transitory software programs and instructions required to implement the GoIP equipment fraud identification and location method applied to the GoIP equipment fraud identification and location device in the above embodiments are stored in a memory, and when executed by a control processor, perform the GoIP equipment fraud identification and location method applied to the GoIP equipment fraud identification and location device in the above embodiments.
Furthermore, an embodiment of the present invention also provides a computer-readable storage medium storing computer-executable instructions, which are executed by one or more control processors, and can cause the one or more control processors to execute the GoIP device fraud identification and location method in the above method embodiment.
One of ordinary skill in the art will appreciate that all or some of the steps, systems, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can accessed by a computer. In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as is well known to those skilled in the art.
The embodiments of the present invention have been described in detail with reference to the accompanying drawings, but the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the gist of the present invention.

Claims (10)

1. A GoIP equipment fraud identification and location method is characterized by comprising the following steps:
acquiring a number interaction record in a network;
determining equipment characteristics and number behavior characteristics according to the number interaction records;
inputting the device characteristics and the number behavior characteristics into a GoIP device identification model to determine abnormal GoIP devices;
acquiring a measurement report of the abnormal GoIP equipment;
determining the number signal strength of the abnormal GoIP equipment according to the measurement report;
and determining the geographical position of the abnormal GoIP equipment according to the number signal strength.
2. The GoIP device fraud identification and location method of claim 1, wherein the device features comprise TAC codes, said determining device features and number behavior features from the number interaction records comprising the steps of:
identifying international mobile equipment identification code information in the number interaction record;
and extracting the TAC code from the international mobile equipment identification code information.
3. The GoIP device fraud identification and location method of claim 2, wherein the device characteristics further include a number group behavior characteristic, said determining device characteristics and number behavior characteristics from the number interaction records further comprising the steps of:
dividing the number interaction records into a plurality of base station interaction data according to the same base station;
counting a plurality of numbers of the outbound frequency in the base station interactive data within a frequency interval to obtain the number group outbound behavior characteristics;
counting a plurality of numbers which are simultaneously subjected to power-on registration or power-off registration in the base station interactive data to obtain the power-on and power-off behavior characteristics of the number groups;
counting a plurality of numbers with the same accompanying track in the base station interactive data to obtain the movement behavior characteristics of the number group;
and counting a plurality of numbers of the call interval in the base station interactive data in the interval to obtain the call interval time characteristics of the number group.
4. The GoIP device fraud identification and location method of claim 1, wherein the number behavior characteristics comprise a calling characteristic, a talk time characteristic, and a called number overlap rate, and the determining of the device characteristic and the number behavior characteristic from the number interaction record comprises the steps of:
counting the calling quantity, the calling and called proportion, the calling hang-up rate and the calling strength in each time interval of each number from the number interaction records to obtain the calling characteristics of each number;
counting the average call duration and the call duration distribution ratio of each number from the number interaction records to obtain the call time characteristics of each number;
and acquiring a plurality of called numbers of each number in a historical time period from the number interaction records, and determining the called number overlapping rate of each number according to the plurality of called numbers.
5. The GoIP device fraud identification and location method of claim 4, wherein the number behavior feature further comprises a dialing behavior feature, said determining a device feature and a number behavior feature from the number interaction record further comprising the steps of:
obtaining the historical dialing number of each number from the number interaction records;
determining a first identifier of the number according to whether the number of the directory enquiry station exists in the historical dialing number;
determining a second identifier of the number according to whether different operator numbers exist in the historical dialing number;
and determining the dialing behavior characteristics of each number according to the first identification and the second identification of each number.
6. The GoIP device fraud identification and location method of claim 1, wherein the GoIP device identification model is constructed by:
acquiring a training data set, wherein the training data set comprises number behavior characteristics of a plurality of historical numbers, equipment characteristics of equipment where the plurality of historical numbers are located and fraud labels of the historical numbers;
and inputting the training data set into a LightGBM model for training to obtain the GoIP equipment identification model.
7. The GoIP device fraud identification and location method of claim 1, wherein the determining the geographic location of the abnormal GoIP device according to the number signal strength comprises the steps of:
determining a first distance, a second distance and a third distance between the abnormal GoIP equipment and the three base stations according to the number signal strength and the corresponding path loss between the abnormal GoIP equipment and the three base stations respectively;
and determining the geographic position of the abnormal GoIP equipment according to the first distance, the second distance, the third distance and the positions of the three base stations.
8. A GoIP device fraud identification and location system, comprising:
the first module is used for acquiring number interaction records in a network;
the second module is used for determining the equipment characteristics and the number behavior characteristics according to the number interaction records;
the third module is used for inputting the equipment characteristics and the number behavior characteristics into a GoIP equipment identification model to determine abnormal GoIP equipment;
a fourth module, configured to obtain a measurement report of the abnormal GoIP device;
a fifth module, configured to determine, according to the measurement report, a number signal strength of the abnormal GoIP device;
and the sixth module is used for determining the geographic position of the abnormal GoIP equipment according to the number signal strength.
9. A GoIP equipment fraud identification and location apparatus, comprising:
at least one processor;
at least one memory for storing at least one program;
when executed by the at least one processor, cause the at least one processor to implement the GoIP device fraud identification and location method of any of claims 1-7.
10. A computer readable storage medium, having stored therein a processor-executable program, wherein the processor-executable program, when executed by the processor, is for implementing the GoIP device fraud identification and location method of any one of claims 1 to 7.
CN202210814238.2A 2022-07-12 2022-07-12 GoIP equipment fraud identification and positioning method, system, device and storage medium Pending CN115208979A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210814238.2A CN115208979A (en) 2022-07-12 2022-07-12 GoIP equipment fraud identification and positioning method, system, device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210814238.2A CN115208979A (en) 2022-07-12 2022-07-12 GoIP equipment fraud identification and positioning method, system, device and storage medium

Publications (1)

Publication Number Publication Date
CN115208979A true CN115208979A (en) 2022-10-18

Family

ID=83580030

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210814238.2A Pending CN115208979A (en) 2022-07-12 2022-07-12 GoIP equipment fraud identification and positioning method, system, device and storage medium

Country Status (1)

Country Link
CN (1) CN115208979A (en)

Similar Documents

Publication Publication Date Title
CN102668528B (en) Communication device and method for a mobile communication network
EP3214861B1 (en) Method, device and system for detecting fraudulent user
EP1754390B1 (en) Method and radio communication network for detecting the presence of fraudulent subscriber identity modules
CN107948943B (en) Method for identifying different network cards in double-card terminal and server
CN110337059B (en) Analysis algorithm, server and network system for family relationship of user
CN100546406C (en) Detect the method and the device of same wireless terminal
CN103796241A (en) Method for judging and positioning pseudo base station based on reported information of terminal
CA2481203A1 (en) Method and apparatus for measuring communication market statistics
WO1997028638A1 (en) System and method for real-time billing in a radio telecommunications network
CN112866192B (en) Method and device for identifying abnormal aggregation behaviors
CN103987023A (en) Method of handling minimization of drive tests measurement and related communication device
CN108513301B (en) Illegal user identification method and device
US10819845B2 (en) Country-specific telephone number system analysis system using machine learning technique, and telephone connection method using same
CN106060847B (en) The determination method and system of signal blind zone
CN114169438A (en) Telecommunication network fraud identification method, device, equipment and storage medium
US20110086633A1 (en) Method and apparatus for positioning subscriber zone
CN111629334A (en) Method for supporting epidemic prevention and control in mobile communication
CN107071778A (en) Pseudo-base station recognition methods and data analysing method
CN115208979A (en) GoIP equipment fraud identification and positioning method, system, device and storage medium
CN109121137B (en) Method and device for identifying user number use type of double-card terminal
CN102074054B (en) Checking-in method and system
CN110611923B (en) Method and device for determining communication blind area
CN114205820A (en) Method, device and computer equipment for detecting suspicious user carrying pseudo base station
CN109362079B (en) Data processing method and device
CN103168481B (en) The operational administrative of call center

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination